Sophos has added Amazon Web Services data from its Cloud Optix solution to its extended detection and response (XDR) solution.
The new integration imports telemetry collected by Cloud Optix from sources like Amazon GuardDuty, AWS CloudTrail, and AWS Security Hub into the XDR solution’s data lake, which already contained security-related information from endpoints, firewalls, cloud email applications, and other systems. It supplements existing real-time defenses for online servers and containers provided by the XDR platform’s Cloud Workload Protection component.
“This is the first time you’ll have full visibility into your entire cloud ecosystem,” says Sophos Chief Product Officer Dan Schiappa.
As a result, according to Sophos, technicians can now more easily spot vulnerabilities like multifactor authentication being disabled for an AWS Identity and Access Management user, changes to an Amazon EC2 instance that could allow resources to be copied or moved, and data exfiltration from AWS S3 deployments.
In addition, Schiappa notes, analysts can use the data supplied by Cloud Optix to diagnose issues more quickly and accurately. “We can take the relevant information from Optix, pull it into our data lake, and now it becomes available for security operators not only to react to any real-time alerts that may come up, but to be able to query and do active threat hunting,” he says.
To further streamline investigations, the Cloud Optix integration supports both customizable and pre-written SQL queries associated with the MITRE ATT&CK matrix, including Initial Access, Persistence, Privilege Escalation, and Exfiltration tactics.
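As an added illustration of the MFA-disablement case described above (this is not Sophos or Cloud Optix code, and the data lake's own query schema is not on the page), the following Python walks a batch of CloudTrail records, flags the IAM calls that deactivate or delete an MFA device, and tags each finding with an ATT&CK tactic. The record fields follow CloudTrail's documented layout, the sample events are constructed, and the tactic label is this example's own mapping.

```python
"""Flag IAM MFA-device removal in CloudTrail telemetry (constructed sample data)."""
import json

# Real IAM API action names that remove or disable a user's MFA device.
MFA_REMOVAL_EVENTS = {"DeactivateMFADevice", "DeleteVirtualMFADevice"}

# Constructed sample records in CloudTrail's documented shape; not real account data.
SAMPLE_EVENTS = json.dumps({"Records": [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "userName": "admin"},
     "requestParameters": {"userName": "alice"}, "sourceIPAddress": "203.0.113.5"},
    {"eventSource": "iam.amazonaws.com", "eventName": "DeactivateMFADevice",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "alice",
                           "serialNumber": "arn:aws:iam::123456789012:mfa/alice"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventSource": "iam.amazonaws.com", "eventName": "DeleteVirtualMFADevice",
     "userIdentity": {"type": "IAMUser", "userName": "mallory"},
     "requestParameters": {"serialNumber": "arn:aws:iam::123456789012:mfa/bob"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"bucketName": "reports"}, "sourceIPAddress": "198.51.100.7"},
]})


def find_mfa_removals(cloudtrail_json):
    """Return one finding per MFA removal event, tagged with an ATT&CK tactic (assumed mapping)."""
    findings = []
    for rec in json.loads(cloudtrail_json)["Records"]:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        if rec.get("eventName") not in MFA_REMOVAL_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        # DeleteVirtualMFADevice carries only the device ARN; the user name is its last path segment.
        target = params.get("userName") or params.get("serialNumber", "").rsplit("/", 1)[-1]
        actor = rec.get("userIdentity", {}).get("userName", "unknown")
        findings.append({
            "event": rec["eventName"],
            "actor": actor,
            "target_user": target,
            "source_ip": rec.get("sourceIPAddress"),
            # One principal removing another user's MFA warrants closer review than self-service.
            "self_service": actor == target,
            "attack_tactic": "Persistence (modify authentication process)",
        })
    return findings
```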
According to Schiappa, combining cloud infrastructure telemetry with other XDR data sources in a single interface closes one of the biggest blind spots in security operations. “It’s usually a completely separate thing,” he says. “Now I can bring it all into one investigation.”
That’s important, Schiappa continues, given that hackers often spend weeks or even months studying a compromised environment, including its online elements, before executing an attack. “They’re going to be doing recon in the cloud, and unless you have visibility into that you’re never going to detect that they’re there.”
Introduced in May, Sophos XDR is designed to collect, analyze, and act on data from both Sophos products and third-party platforms, drawing on a cross-vendor architecture also introduced in May called the Adaptive Cybersecurity Ecosystem (ACE). Sophos is currently recruiting ACE alliance partners to exchange information with the XDR data lake. Technicians will also be able to perform tasks such as closing open ports on an ACE member’s firewalls via the XDR management console, Schiappa notes.
In parallel with that effort, Sophos is also adding capabilities the company acquired in July along with Capsule8, a maker of detection and response software for Linux servers and containers, to Cloud Workload Protection. “That’ll be coming up early next year,” Schiappa says.
Cloud Optix is a “cloud security posture management” solution, unveiled in 2019, that provides visibility, compliance, and threat monitoring functionality for leading public clouds. The system gained the ability to scan application containers for vulnerabilities in March.
The integration announced today is the first to link Cloud Optix with Sophos XDR. Further integrations that will add support for Microsoft Azure and Google Cloud Platform data sources to the XDR platform are on the roadmap for future release.
According to Schiappa, Sophos will soon incorporate data from its mobile security solution into XDR as well.
“Now that that connective tissue is there, it’s just easier for us to start to create data pipes over the same kind of roadway that we’ve already paved,” he says. “It’s going to be fast and furious.”