EP0515 5.0v1 Introduction To Sophos Synchronized Security


Copyright © 2024 Sophos Ltd

Introduction to Sophos Synchronized Security

Sophos Central Endpoint Protection


Version: 5.0v1

[Additional Information]

Sophos Central Endpoint Protection


EP0515: Introduction to Sophos Synchronized Security

April 2024
Version: 5.0v1

© 2024 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written
consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the
trademarks or registered trademarks of Sophos Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express
or implied) as to its completeness or accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon,
Oxfordshire, OX14 3YP.

Introduction to Sophos Synchronized Security - 1



Introduction to Sophos Synchronized Security


RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ An understanding of what Sophos Central is
✓ The protection features included in Sophos Central endpoint protection

DURATION: 10 minutes

In this chapter you will learn how Sophos Synchronized Security allows Sophos products to
communicate with each other intelligently to respond to threats.


What is Synchronized Security?

[Diagram: Sophos Central products (Firewall, Cloud Optix, Wireless, Email, Sophos Central, Endpoint,
Workload Protection, Encryption, Mobile) around a cycle of four stages: Discover (continuous discovery
of devices, networks, apps, data, and workloads), Identify (who wants access to my environment),
Analyze (correlation and analysis of events), and Respond (adaptive policy, automated enforcement)]

Sophos Synchronized Security is cybersecurity as a system: security products working together in real
time. Traditionally, cybersecurity makes use of separate protection products to identify malicious files
and to detect and stop malicious traffic. These products work well in isolation but are disconnected
from each other. This approach results in an IT team manually correlating data between systems, which
can take time and often means threats are missed.

Sophos Synchronized Security automates detection, isolation, and remediation, which means attacks
are neutralized quickly. It creates new ways to connect the security products that protect your
organization.

Why Synchronized Security?

Synchronized Security enables Sophos products to work together to protect against multiple attack
elements.

Threat type                              % of organizations that experienced this type of threat
Data exfiltration                        41%
Phishing (including spear phishing)      40%
Ransomware                               35%
Cyber extortion                          33%
Denial of Service (DDoS) attacks         32%
Business email compromise                31%
Active adversaries                       30%
Mobile malware                           30%
Cryptominers                             22%
Wipers                                   16%

Cyber-attacks often include multiple elements; for example, a phishing email could install malicious
code that takes advantage of a software exploit to install ransomware. To help understand the types of
threats being initiated, we asked organizations who had been victims of cyber-attacks what types of
threats they experienced. The key finding was that data exfiltration was the number one security
concern.

These percentages add up to more than 100%, which demonstrates that attacks typically use multiple
attack elements. Synchronized Security takes a full-system approach: security products connect with
each other in real time, working together to combat advanced threats.

[Additional Information]
This information was taken from our white paper about the state of cyber-security which is available
here: https://www.sophos.com/en-us/whitepaper/state-of-cybersecurity


Synchronized Security Overview


Discover
▪ Identify unknown threats
▪ See ALL network traffic
▪ Identify risky users, apps and malicious traffic
▪ Correlate network traffic

Analyze
▪ Real-time incident analysis
▪ Cross-estate reporting
▪ See the full chain of events for an incident

Respond
▪ Automatically respond to infections and incidents
▪ Isolate compromised endpoints
▪ Restrict access on trusted networks for non-compliant devices
▪ Initiate endpoint scans

There are three pillars to the Synchronized Security system: Discover, Analyze, and Respond.

Discover. Sophos Central products automatically share information to reveal hidden risks and unknown
threats. This enables administrators to see all network traffic, identify risky applications, and
correlate behaviour across multiple activities.

Analyze. Real-time incident analysis and cross-estate reporting deliver instant insights. This allows
administrators to view the full chain of events for an incident.

Respond. Sophos Central automatically responds to incidents, allowing compromised devices to be
isolated. This protects the entire estate and allows time for threats to be investigated and cleaned up.


Synchronized Security Heartbeat

Communication between protected devices and Sophos Central

▪ A regular heartbeat. A few bytes every 15 seconds
▪ Event information
▪ Device health status
▪ Threat source information

Communication between Sophos Central products is facilitated by the Sophos Security Heartbeat
which creates a secure two-way tunnel of communication.

The Security Heartbeat allows for intelligent communication between Sophos products allowing for a
coordinated response to threats. The Security Heartbeat includes a regular heartbeat (a few bytes
every 15 seconds) that identifies the device and communicates that the device is active and protected.
It communicates event information, the device health status, and threat information.


Security Heartbeat Status

GREEN   Endpoint agent is running. No risk and no action required.
YELLOW  Endpoint agent is running. Medium risk and action may be required.
RED     Endpoint agent may not be running, and devices may not be protected. High risk and action is required.

Here you can see what each heartbeat status means.

If a computer has a GREEN status, this means that the endpoint agent is running, and the computer is
protected. No potentially unwanted applications (PUAs), active malware, or inactive malware have been detected.

If the computer has a YELLOW status, the endpoint agent is running so the computer is protected,
however, inactive malware or a PUA has been detected. It can also indicate that the endpoint agent is
out of date.

When a computer has a RED status, it can indicate that the endpoint agent may not be running, so the
computer may not be protected. Alternatively, it could mean that active malware has been detected
or malware has not been cleaned up. It could also mean that malicious network traffic has been
detected, or communication to a known bad host has been identified.


Synchronized Security Examples

Sophos Synchronized Security integrates with all Sophos Central products. Let’s have a look at some
examples.


Security Heartbeat with Sophos Firewall


[Diagram: a device on which malware is detected sits on a network with protected devices. The Sophos
Firewall blocks the red-status device's access to other networks and shares its MAC address with the
healthy devices. A device that cannot drop traffic based on MAC address and is not protected by the
Sophos Firewall remains exposed.]

What would happen if malware was detected on a device that is part of a network protected with
Sophos Firewall and Synchronized Security is enabled?

If malware is detected, the Security Heartbeat sends event information along with the device health
status to the Sophos Firewall, which shares the MAC address of the device with other devices on the
network. Healthy devices drop traffic from the device with the red health status. This will only work on
local network segments: if traffic is passing through a router, it will not be dropped. When traffic
passes through the Sophos Firewall, the firewall can prevent the device with a red health status from
connecting to other devices, which protects healthy devices from a possible infection. The Sophos
Firewall will only block traffic from a red health status device; all other devices will have network access.

Once the endpoint agent has cleaned up malware on the device, the Security Heartbeat sends the
updated health status to the Sophos Firewall which then allows the device to access hosts and
networks as normal. It also updates all devices removing the MAC address of the compromised device
from the list of devices with a red health status.
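The status rules from the Security Heartbeat Status slide and the firewall behaviour described above, as an added model written for this chapter (it is not Sophos code; the report fields, class names and sample devices are assumptions):

```python
# Added model of the health-status rules and the firewall/peer response; not Sophos code.
from dataclasses import dataclass, field

GREEN, YELLOW, RED = "GREEN", "YELLOW", "RED"

@dataclass
class DeviceReport:
    """One heartbeat from an endpoint agent (constructed fields)."""
    mac: str
    segment: str                      # L2 segment the device sits on
    agent_running: bool = True
    agent_up_to_date: bool = True
    active_malware: bool = False
    inactive_malware: bool = False
    pua: bool = False
    malicious_traffic: bool = False   # or contact with a known bad host

def health_status(r: DeviceReport) -> str:
    """Derive the heartbeat colour from the status definitions on the page."""
    if not r.agent_running or r.active_malware or r.malicious_traffic:
        return RED
    if r.inactive_malware or r.pua or not r.agent_up_to_date:
        return YELLOW
    return GREEN

@dataclass
class FirewallModel:
    """Keeps the list of RED MAC addresses that is shared with healthy peers."""
    red_macs: set = field(default_factory=set)

    def on_heartbeat(self, r: DeviceReport) -> str:
        """Update the RED list from a heartbeat; a clean status removes the MAC."""
        status = health_status(r)
        if status == RED:
            self.red_macs.add(r.mac)
        else:
            self.red_macs.discard(r.mac)
        return status

    def firewall_allows(self, src: DeviceReport) -> bool:
        """Traffic through the firewall: only a RED source is blocked."""
        return src.mac not in self.red_macs

    def peer_accepts(self, src: DeviceReport, dst: DeviceReport) -> bool:
        """Peer-side MAC drop only applies on the same local segment."""
        if src.segment != dst.segment:
            return True   # traffic crosses a router; the MAC-based drop does not apply
        return src.mac not in self.red_macs
```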


Endpoint and Sophos Firewall


[Diagram: six-step cycle over the Security Heartbeat]
1. Malware Detection: Sophos Endpoint detects a malware attack
2. Cross Estate Communication: Device status shared with the Sophos Firewall
3. Device Isolation: Sophos Firewall isolates the device
4. Clean-up: Automatic clean-up on the device
5. Status Update: Clean status communicated via Security Heartbeat
6. Access Restored: Sophos Firewall restores network access

This diagram shows what happens when a device is protected with Sophos Central endpoint
protection and a Sophos Firewall is in use.

The endpoint protection agent detects malware, and the device health status is communicated via
Security Heartbeat with the Sophos Firewall which isolates the device on the network.

Automatic remediation of the device ensures that the threat is cleaned up and once the device is
clean, the health status is updated and reported via the Security Heartbeat to the Sophos Firewall
which restores network access.

This automatic incident response takes seconds with no human interaction required.


Server and Sophos Firewall


[Diagram: six-step cycle over the Security Heartbeat]
1. Malware Detection: Sophos Workload Protection detects a malware attack
2. Cross Estate Communication: Device status shared with the Sophos Firewall
3. Device Isolation: Sophos Firewall isolates the device
4. Clean-up: Automatic clean-up on the device
5. Status Update: Clean status communicated via Security Heartbeat
6. Access Restored: Sophos Firewall restores network access

The same process happens if malware is detected on a protected server.

Please note that for servers, an administrator will need to provide approval for any actions taken.


Endpoint Protection and Sophos Email


[Diagram: six-step cycle over the Security Heartbeat]
1. Malware Detection: Sophos Email detects a compromised mailbox
2. Mailbox Isolation: The mailbox is isolated
3. Cross estate communication: Isolation status shared with Sophos Central
4. Device Scan: All known devices of the mailbox are scanned
5. Clean-up: The detection is automatically cleaned up
6. Mailbox Restored: Mailbox sender privileges restored

Here we can see a scenario where a device is using Sophos Email.

Sophos Email detects a compromised mailbox which is being used to send outbound spam emails and
automatically isolates the mailbox. The isolation status is shared with Sophos Central via the Security
Heartbeat.

The endpoint protection agent identifies and scans all known devices associated with the mailbox for
malware and automatically cleans up any malware found. The mailbox is then restored.


Zero-Touch Lateral Movement Protection


[Diagram: steps 1 and 2 of the lateral movement protection cycle over the Security Heartbeat]
1. Malware Detection: Sophos Endpoint Protection detects a malware attack, and the health status of the device is set to RED
2. Cross Estate Communication: Device status shared with Sophos Central

Security Heartbeat

An attacker will typically want to move across your network to gain better access to your data. This is
called lateral movement. Synchronized Security provides lateral movement protection.

If a protected device detects a threat, the health status of that device is set to red and shared with the
Sophos Firewall via Security Heartbeat.


Zero-Touch Lateral Movement Protection


[Diagram: steps 1 to 5 of the lateral movement protection cycle over the Security Heartbeat]
1. Malware Detection: Sophos Endpoint Protection detects a malware attack, and the health status of the device is set to RED
2. Cross Estate Communication: Device status shared with Sophos Central
3. Infected device isolated from the network and LAN: Isolation status shared with the network
4. Infection cleaned up: Endpoint protection automatically cleans up the threat
5. Device health status updated: The device shares the healthy status with the Sophos Firewall

The Sophos Firewall isolates the device from both the network and the LAN, and the endpoint
protection agent automatically cleans up the threat.

The now healthy device shares the updated health status with Sophos Firewall.



The connection to the network and the LAN is then restored. This process happens in seconds by
sharing information and using dynamic policies that respond to incidents and events.


Chapter Review

Here are the three main things you learned in this chapter.

Sophos Synchronized Security automates detection, isolation and remediation results, which means
attacks can be neutralized quickly.

There are three pillars to the Synchronized Security system: discover, analyze, and respond.

Communication between Sophos Central products is facilitated by the Sophos Security Heartbeat,
which creates a secure two-way tunnel of communication.
