What is Synchronized Security?
Mike Parsons, CISSP, PCIP, IAM, IEM, HIPAA Certified Security Engineering/Architecture
Synchronized Security is a best-of-breed security system that enables security solutions to talk to each other, sharing information and responding automatically to threats. Sophos introduced this technology in response to the growing number of data breaches across the country, in an effort to help companies outsmart hackers by coordinating defenses. According to the latest Verizon Data Breach Incident Report (2018 VDBIR), ransomware continues its climb as a percentage of total malware incidents. Additionally, the percentage of servers involved in ransomware attacks grew to over 25% in 2017, showing that ransomware attacks actively seek out and move laterally across the network looking for systems, such as servers, that are available for infection and obscurity.
Traditional cyber security defensive controls begin as technology towers that do not typically communicate well with one another. Consequently, many companies have worked diligently to develop and refine a Security Information and Event Management (SIEM) approach that can accept alerts and events from network and security devices, analyze the incoming data streams in real time, and give network security managers valuable guidance on how to address and thwart incoming attacks before significant damage to the network or loss of sensitive data occurs.
This strategy has won the acceptance of many technology strategists, auditors and regulators, but it is an expensive path to follow and requires significant human intervention to tune and maintain a well-run SIEM. The biggest argument in its favor is the ability of the SIEM to work in a heterogeneous environment where devices from several manufacturers send their information in the form of events and alerts to a central collection and aggregation point for analysis and archiving. Additionally, a “top shelf” SIEM can receive threat information from numerous outside sources to add context to the incident. The problem, though, is that these “top shelf” SIEMs are pricey, and one generally needs a group of skilled analysts who can quickly triage an event, determine whether it requires escalation, and follow through with a more senior analyst to ensure that a proper transfer of problem ownership has occurred. This continues up the chain until the original alert is either remediated and closed or becomes classified as an incident requiring participation by senior technical staff and management working with the SIEM team to properly remediate the incident and close the action item.
As mentioned earlier, the SIEM approach, if properly engineered and administered, is effective but pricey. While it can detect a large number of anomalous behaviors that could well be attacks, the incidence of malware in general and ransomware in particular is on the rise, and these attacks, unlike the viruses of years past, are rarely detected by traditional anti-virus. Furthermore, the VDBIR reports that 92.4% of the attack vectors for malware were through email and 6.3% were from web usage, indicating that the endpoint, particularly the single-user workstation, will likely be “patient 0” in any of these newer attacks. There is, however, at least one solution that leverages technology from a single company to have endpoints talk with firewalls and other shared network services to automatically recognize an active threat such as ransomware or data exfiltration, act on it, and remediate the issue in a matter of seconds, thus minimizing any loss of data or denial of data access such as that caused by a ransomware attack. Many would say that such a single-vendor strategy is risky, since one runs the risk of being held hostage to a single vendor's proprietary solution.
Sophos Synchronized Security takes its Intercept X product, a next-generation endpoint detective and preventive control, and has it actively communicate with the Sophos XG Firewall through a security heartbeat. When Intercept X detects a probable exploit, it calls on the XG Firewall to assist in evaluating the application, the resulting data stream, and the source and targets involved. Based on the analysis performed by Intercept X, coupled with the intelligence available through the XG Firewall’s awareness of the Internet and the different threat feeds it might subscribe to, a decision is made to allow the application either to proceed and execute as programmed or to be shut down. Additionally, the XG Firewall can be instructed to take the remediation further by isolating the compromised endpoint, which may be a single-user workstation or a shared server. This immediately removes the prospect of the malicious code moving laterally through the network. In the case of an infected server, one can quickly imagine the benefit to the rest of the network if the segregation occurs quickly and effectively.
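The isolation logic described above can be modeled as a small policy engine: each endpoint reports a heartbeat colour, and lateral traffic is only permitted between hosts whose most recent heartbeat is healthy and fresh. This is an added illustration written for this article, not Sophos code or the XG Firewall's actual API; the colour names, the stale-heartbeat timeout, and the host names are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum


class Health(Enum):
    """Heartbeat colours as assumed for this model (not a vendor-defined enum)."""
    GREEN = "green"    # endpoint healthy
    YELLOW = "yellow"  # endpoint reports a warning, still allowed to talk
    RED = "red"        # endpoint reports a probable exploit


@dataclass
class HeartbeatPolicy:
    # Seconds without a heartbeat before a host is treated as silent (assumed value).
    stale_after: float = 60.0
    _last: dict = field(default_factory=dict)  # host -> (Health, timestamp)

    def report(self, host: str, health: Health, now: float) -> None:
        """Record the latest heartbeat from an endpoint."""
        self._last[host] = (health, now)

    def status(self, host: str, now: float) -> str:
        """Current status: a heartbeat colour, or 'missing' if unknown or stale."""
        entry = self._last.get(host)
        if entry is None or now - entry[1] > self.stale_after:
            return "missing"
        return entry[0].value

    def allow_lateral(self, src: str, dst: str, now: float) -> bool:
        """Permit src->dst traffic only if neither side is red or silent.
        A silent host is treated like a red one: an agent that stopped
        beating may have been killed by malware, so it is isolated too."""
        blocked = {"red", "missing"}
        return self.status(src, now) not in blocked and self.status(dst, now) not in blocked


def demo_scenario() -> list:
    """Constructed timeline: a workstation is flagged, isolated, then remediated."""
    policy = HeartbeatPolicy(stale_after=60.0)
    policy.report("ws-01", Health.GREEN, now=0)
    policy.report("srv-db", Health.GREEN, now=0)
    decisions = [policy.allow_lateral("ws-01", "srv-db", now=10)]   # healthy: allowed
    policy.report("ws-01", Health.RED, now=20)                      # probable exploit detected
    decisions.append(policy.allow_lateral("ws-01", "srv-db", now=25))  # isolated
    decisions.append(policy.allow_lateral("srv-db", "ws-01", now=25))  # both directions blocked
    policy.report("ws-01", Health.GREEN, now=30)                    # remediated, heartbeat green again
    decisions.append(policy.allow_lateral("ws-01", "srv-db", now=35))  # restored
    decisions.append(policy.allow_lateral("ws-01", "srv-db", now=200)) # both heartbeats stale
    return decisions
```

The last decision shows the failure mode a practitioner should plan for: if an agent goes silent, the policy fails closed rather than assuming the host is still clean.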
Synchronized Security goes beyond the interaction of endpoints (both servers and workstations) with the XG Firewall. Today, Sophos includes its top-performing SafeGuard Encryption in the mix, helping an organization create an environment where data is encrypted by default and only trusted applications are allowed to access the unencrypted data. This encryption takes place when the data is created, and it stays in place when the data is shared across the organization or uploaded to cloud sites. Finally, it can optionally be password-protected with a single click when shared externally. In the future, Sophos may well consider integrating other members of its solution suite into the Synchronized Security umbrella.
Finally, Synchronized Security, as implemented by Sophos, means that a tremendous wealth of information is created during the process of detection, protection, and automated remediation. Sophos’ Intercept X can provide a graphical root cause analysis for each incident that can help the analyst quickly identify “patient 0” in any remediated attack. This capability helps the organization save time both in identifying how the malware initially entered the network as well as in developing and deploying preventive controls to avoid similar attacks in the future.
To be sure, the current Synchronized Security solution as presented by Sophos is a proprietary one. However, this solution has been demonstrated to effectively coexist with legacy antivirus solutions and each of the components of the current solution can report events into many of today’s SIEM implementations.
To learn more about Synchronized Security from Sophos, we invite you to watch a webinar where you will learn how Synchronized Security:
- Gives you unprecedented protection against advanced threats
- Slashes incident response time by 99.9%
- Saves IT time and effort every day
Want to learn more about Synchronized Security? Read the white paper.
Interested in a free test drive?
Techgardens is an authorized reseller of Sophos products.
Techgardens is a leading systems integrator founded in 2009 and based in NYC. We build customized IT solutions that meet the unique needs of our customers; exceeding their expectations. Techgardens is more than an IT consulting firm. We select the best technology to appropriately match IT solutions that provide efficiency and return on investment.
Techgardens is a leading integrator and authorized reseller of many widely recognized vendor products with over a decade of experience deploying their products. We understand the technology, the products and how they are used today. We will help you design your solution holistically, based on your specific needs taking into consideration your applications, IT requirements, performance requirements and budget.
Our technical team has over 50 years of combined experience working in the financial, healthcare, government, retail and other verticals. We are staffed with CISSPs, Network Engineers and Systems Administrators with offices in New York, Maryland, Pennsylvania and North Carolina.
To learn how we can assist you with any of our vendor products, engineering or integrator services, please contact us or call 646-783-4550.