
Introducing Active Threat Response for Sophos Switch/Sophos Wireless (AP6) – Sophos News

With Active Threat Response, we are introducing new functionality for our network access layer products, Sophos Switch and Sophos Wireless (AP6 series only).

Controlling enterprise networks has become more difficult as a wide range of managed and unmanaged, wired and wireless devices connect to each other. It is no longer enough to monitor the status of managed devices; when needed, you must also be able to block connectivity for potentially suspicious, unmanaged hosts, such as IoT devices that could be targeted by botnets.

Managed service providers (MSPs) rank unsecured wireless networks and lack of cybersecurity skills/expertise as the greatest perceived cybersecurity threats they currently face, according to the inaugural MSP Perspectives 2024 report commissioned by Sophos.

Proactive threat response and our single-platform approach help solve both of these problems, increasing the efficiency of security management and extending the security of wired and wireless networks beyond what network infrastructure products can see.

Rogue device detection

The concept of rogue device detection is well known in the wireless world, but in most solutions it goes hand in hand with rogue AP detection, with a rogue device often defined as a device connected to a rogue AP. Rogue device detection can be prone to false positives, so automation must be used with care to avoid disruption. Active Threat Response is different: access points and switches receive targeted, verified threat intelligence from separate, trusted sources.

How it works

An API-triggered threat feed containing the MAC addresses of potentially infected hosts can be sent to any Sophos Central account. Once triggered, the threat feed is automatically propagated throughout the network to update all Sophos switches and AP6 access points.

In response, the switches and access points isolate the flagged hosts, effectively cutting off their communication. While MAC-based filtering cannot prevent MAC spoofing, it saves valuable remediation time and prevents lateral movement, which is often the main goal when unmanaged devices are targeted.

The threat source can be any of the Sophos solutions: Sophos MDR, Sophos XDR or Sophos NDR. Additionally, our public API makes this feature available to customers using third-party security solutions.
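To make the feed-driven isolation described above concrete, here is an added example (not Sophos code, and it does not use the Sophos Central API) that normalises a constructed MAC-address threat feed, applies it to a simulated access-layer forwarding table, and surfaces the case MAC-only filtering cannot resolve: the same address seen on more than one port at once, which may indicate spoofing or duplication. The feed entries, device names and port names are all constructed for the example.

```python
"""Normalise a MAC-address threat feed and apply it to a simulated
access-layer forwarding table. Added example; not Sophos code, and the
feed, device names and ports below are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Exactly twelve hex digits once separators are stripped (a 48-bit address).
_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(raw: str) -> Optional[str]:
    """Return the MAC in canonical lower-case colon form, or None if invalid.

    Accepts aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff and aabbccddeeff.
    """
    digits = re.sub(r"[\s:.\-]", "", raw.strip().lower())
    if not _HEX12.fullmatch(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_isolation_list(feed_entries: List[str]) -> Tuple[Set[str], List[str]]:
    """Validate and deduplicate a feed. Returns (valid MACs, rejected raw entries)."""
    valid: Set[str] = set()
    rejected: List[str] = []
    for entry in feed_entries:
        mac = normalize_mac(entry)
        if mac is None:
            rejected.append(entry)  # never push malformed entries downstream
        else:
            valid.add(mac)
    return valid, rejected


Location = Tuple[str, str]  # (device name, port name)


@dataclass
class AccessLayer:
    """Simulated forwarding table: (device, port) -> MACs currently seen there."""
    table: Dict[Location, Set[str]] = field(default_factory=dict)
    isolated: Set[str] = field(default_factory=set)

    def apply_feed(self, macs: Set[str]) -> List[Tuple[str, str, str]]:
        """Record the isolation list and return (device, port, mac) for every
        location where an isolated host is currently seen."""
        self.isolated |= macs
        actions = [
            (device, port, mac)
            for (device, port), seen in self.table.items()
            for mac in seen & self.isolated
        ]
        return sorted(actions)

    def spoof_suspects(self) -> Dict[str, Set[Location]]:
        """MACs seen at more than one location simultaneously: a sign of
        duplication or spoofing that MAC-based filtering alone cannot settle."""
        where: Dict[str, Set[Location]] = {}
        for loc, seen in self.table.items():
            for mac in seen:
                where.setdefault(mac, set()).add(loc)
        return {mac: locs for mac, locs in where.items() if len(locs) > 1}


# Constructed feed: mixed notations, one duplicate, two malformed entries.
SAMPLE_FEED = [
    "AA-BB-CC-DD-EE-01",
    "aabb.ccdd.ee02",
    "aa:bb:cc:dd:ee:01",   # duplicate of the first entry
    "not-a-mac",
    "aa:bb:cc:dd:ee:gg",   # non-hex digits
]

# Constructed forwarding table for one switch and one AP.
SAMPLE_TABLE: Dict[Location, Set[str]] = {
    ("switch1", "ge1"): {"aa:bb:cc:dd:ee:01", "11:22:33:44:55:66"},
    ("switch1", "ge2"): {"aa:bb:cc:dd:ee:02"},
    ("ap6-1", "wlan0"): {"aa:bb:cc:dd:ee:02"},  # same MAC as on ge2
}


def demo():
    """Run the whole flow on the constructed data and return the results."""
    valid, rejected = build_isolation_list(SAMPLE_FEED)
    layer = AccessLayer(table=dict(SAMPLE_TABLE))
    actions = layer.apply_feed(valid)
    suspects = layer.spoof_suspects()
    return valid, rejected, actions, suspects


if __name__ == "__main__":
    v, r, a, s = demo()
    print("isolate:", sorted(v))
    print("rejected:", r)
    print("actions:", a)
    print("seen in more than one place:", s)
```

The point of `spoof_suspects` is the caveat in the text: the filter can only act on the address it is given, so an address that shows up on two ports at once deserves a human look rather than blind automation, while the rejected entries show why a feed should be validated before it is propagated to every switch and AP.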

Benefits

  • Isolates wired and wireless, managed and unmanaged hosts
  • Prevents lateral movement and buys time for remediation
  • Detections can come from multiple sources (Sophos or third-party solutions)

The Active Threat Response feature for Sophos Switch and Sophos Wireless is different from the functionality offered by Sophos Firewall. The firewall provides a wider range of response actions and automation, based in part on Synchronized Security with Sophos-managed endpoints.

The combined use of Active Threat Response on the Sophos Switch, Sophos Wireless and Sophos Firewall provides the best protection at every network layer.

Strengthening the Sophos ecosystem story

Active Threat Response adds a new, unique dimension to the Sophos ecosystem story. This further demonstrates the benefits of consolidating security with a single vendor and using a single management platform, improving the security posture of our customers and empowering our channel partners to sell and support a broader range of solutions and services.

Prerequisites and activation

To use Active Threat Response, the Sophos Central account in which it is activated must have a valid support subscription for each AP6 access point and/or Sophos switch. Customers can activate this feature separately for Sophos Wireless and Sophos Switch.

To receive threat feeds, the customer must also have a supported Sophos solution/service or a third-party solution capable of providing threat intelligence via the public API.

API structure

In this first release, customers managing their own Sophos solutions will require some knowledge of APIs. The API is used to obtain data from the threat source and also provides a means to manage and update the list of isolated hosts. In future releases, we plan to add further management and configuration options in Sophos Central, making this feature accessible to network administrators of all skill levels.

Availability

Active Threat Response is now available to all Sophos AP6 Series and Switch customers who manage their devices in Sophos Central (and have a valid support subscription).

For more information about Active Threat Response, please visit our website at Sophos.com/Wireless or Sophos.com/Switch.