Active threat response
Active threat response consists of MDR threat feeds, Sophos X-Ops threat feeds, and Third-party threat feeds.
- MDR threat feeds: Allows a security analyst (part of the Sophos MDR team) to share threat intelligence with the firewall in real time to respond to active threats on the network.
- Sophos X-Ops threat feeds: A SophosLabs-managed global threat database that's regularly updated and pushed to the firewall.
- Third-party threat feeds: Allows the integration of third-party threat intelligence with the firewall for additional protection.
How the firewall implements feeds and logs events
The firewall checks MDR threat feeds first, followed by Sophos X-Ops threat feeds and then Third-party threat feeds.
If an Indicator of Compromise (IoC) exists in all three threat feeds, and the MDR threat feeds action is set to Log and drop, the firewall drops the traffic, logs the event under MDR, and doesn't check the remaining feeds.
If the action is set to Log only or Monitor, the firewall logs separate events for MDR, Sophos X-Ops, and Third-party threat feeds.
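The evaluation order and logging behaviour described above, as an added illustrative model (not Sophos Firewall code). The feed names and action names come from this page; the data structures, the sample IoC, and the behaviour when a non-MDR feed is set to Log and drop are assumptions.

```python
# Added example: a model of the threat-feed evaluation order described above.
# Illustrative code, not Sophos Firewall code. Feed and action names come from
# the page; data structures and mixed-action behaviour are assumptions.
from dataclasses import dataclass, field

FEED_ORDER = ("MDR", "Sophos X-Ops", "Third-party")  # evaluation precedence


@dataclass
class ThreatFeed:
    name: str
    action: str                       # "Log and drop", "Log only" or "Monitor"
    iocs: set = field(default_factory=set)


def evaluate(dest: str, feeds: dict) -> tuple:
    """Return (verdict, events) for a destination that may be an IoC.

    Feeds are checked in FEED_ORDER. Every feed that lists the IoC produces
    one log event. A "Log and drop" match drops the traffic and stops further
    checks; "Log only"/"Monitor" matches log and continue to the next feed.
    (Stopping on a non-MDR drop is an assumption; the page states it for MDR.)
    """
    events = []
    for name in FEED_ORDER:
        feed = feeds.get(name)
        if feed is None or dest not in feed.iocs:
            continue
        events.append({"feed": name, "ioc": dest, "action": feed.action})
        if feed.action == "Log and drop":
            return "drop", events
    return "allow", events


# Constructed sample: one IoC present in all three feeds.
SAMPLE_IOC = "198.51.100.23"   # RFC 5737 documentation address, constructed


def sample_feeds(mdr_action: str) -> dict:
    return {
        "MDR": ThreatFeed("MDR", mdr_action, {SAMPLE_IOC}),
        "Sophos X-Ops": ThreatFeed("Sophos X-Ops", "Log only", {SAMPLE_IOC}),
        "Third-party": ThreatFeed("Third-party", "Log only", {SAMPLE_IOC}),
    }


if __name__ == "__main__":
    for action in ("Log and drop", "Log only"):
        verdict, events = evaluate(SAMPLE_IOC, sample_feeds(action))
        print(action, "->", verdict, [e["feed"] for e in events])
```

With MDR set to Log and drop the IoC produces a single MDR event and a drop; with Log only it produces one event per feed and the traffic is not dropped.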
Security Heartbeat
Active threat response implements the same Synchronized Security response for Security Heartbeat conditions, including enforcing firewall rules.
The firewall automatically identifies Sophos-managed endpoints that may be compromised (attempting to communicate with a malicious server) based on a red Security Heartbeat. It queries the device for additional information to provide insights on the host, user, and process that accessed the IoC.
The firewall also coordinates lateral movement protection, which informs all healthy managed endpoints that a compromised host is on the LAN so they will block traffic from that device.
Synchronized Security supports MDR, Sophos X-Ops, and Third-party threat feeds.
See Security Heartbeat overview.
Sophos NDR
If you have Internet of Things (IoT), unmanaged endpoints, or third-party devices, Active threat response protects your network from threats through Sophos Network Detection and Response (NDR) in Sophos Central. See Sophos NDR.