Sophos Atp



Using ATP, you can quickly detect compromised clients in your network and raise an alert or drop the traffic from those clients. To turn on advanced threat protection, click the on/off switch. When you turn it on, the following settings can be configured: General settings.

As it got blocked by ATP DNS and the client didn't find a miner (Sophos AV is quite good at detecting those), most likely a script was linked on a website for download, and ATP blocked the DNS request. So you're most likely fine, as the download was not possible (no DNS resolution, no download). Hope that helps.

In this blog post in our series on UTM 9.2, I’ll explain how the new Advanced Threat Protection (ATP) feature in Sophos UTM protects your organization from targeted attacks with the flick of a switch. We’ll also look at why a multi-layered approach to Advanced Persistent Threats (APT) protection is probably the most effective defense—and why some vendors would rather you didn’t know that.

The lesson of APTs

Some vendors want you to go out and buy a separate new appliance with its amazing threat protection and sandboxing features if you want to avoid becoming the victim of an APT. Also, some vendors more or less tell you that every other technology you thought was protecting you up until now is no good. Not very sound advice, in my opinion.

In our experience, very few small or mid-sized companies have the budget and IT resources to pay for and manage a dedicated ATP appliance, particularly as it doesn’t offer the all-around security they need. So does owning a small-sized business without an ATP appliance automatically mean you will have a security compromise? Definitely not!

The lesson of APTs is that cybercriminals use multi-faceted techniques to find a way into an organization and access the data they want, and we need to take the same approach, defending against their attacks in a multi-layered way. We’d like to think that the crooks are learning from us, but there’s probably something we can learn from them too.

Advanced Threat Protection in UTM Accelerated (9.2)

Advanced Threat Protection in Sophos UTM Accelerated (9.2) is not just a single technology. At its core is a set of diverse traffic analysis mechanisms. These are fed with data from our global network of labs to effectively prevent devices from connecting with command-and-control/botnet host servers outside your network.

In addition, Sophos UTM 9.2 can leverage and consolidate the data from your intrusion prevention system (IPS)—which you will, of course, have enabled (watch out for our next blog post to find out why)—and from your web protection.

So, your ATP analysis provides you with a single pane of glass—one dashboard, one reporting view. No matter which system reports an incident, you can see information about the source and destination of the traffic, and a description of the threat that links to the SophosLabs Threat Center for full analysis of what has been found and what you need to do to get rid of it.

In addition to that, we’ve introduced cloud-based selective sandboxing to analyze suspicious content. If SophosLabs finds the file to be malicious, they update the threat data—leading to constantly improved protection for the whole Sophos UTM community.

APTs and ATP: Find out what it all means

Everyone’s talking about APTs these days. Not everybody agrees about what they are, and security vendors are sometimes willingly part of the confusion.

If any vendor ever tells you that you don’t need your email protection and antivirus, you should probably show them the door. You still need to ensure you have your “standard” protection in place and kept up to date. That means the technology to protect you from viruses, email spam, web and other malware, phishing attacks, etc. Those are still the most common tools used in the initial stages of a targeted attack.

If you want to find out more about how APTs work and what you can do to protect yourself against them, watch the video below and download our free whitepaper (you will need to register).

Sophos UTM Accelerated (9.2) available now!

Advanced Threat Protection will be included in the Network Protection subscription of your UTM at no extra cost. To activate selective sandboxing, you need the Web Protection module. And if you already have our FullGuard license, then you will just need to upgrade.

With over 100 new features in UTM Accelerated (9.2), read our blog series on Sophos Blog for more details.

The Firewall Management dashboard lets you see firewall activity at a glance.

Go to Firewall Management > Dashboard to see your activity.

Note: If you haven't added any firewalls to Sophos Central yet, this page invites you to start a free trial of Sophos XG Firewall.

You can see details of the following:

  • Alerts
  • Firewalls
  • Advanced threat protection
  • Intrusion prevention
  • Web activity

Alerts

The Alerts section shows you statistics for alerts in Sophos Central. This shows all alerts, not just firewall alerts.

To see full details of all alerts, click View All Alerts.

To see a filtered list of alerts, click on the figure for the alert priority (High, Medium or Info).

At the main alerts list, you can investigate and take action against alerts.

Firewalls

The Firewalls section shows the current status of firewalls. You can see here if firewalls need attention for any of these reasons:

  • Not connected
  • Not managed
  • License expiring
  • Health issues

To see the full list of firewalls and resolve issues, click Show All Firewalls.

Advanced Threat Protection

This shows you statistics for threats detected by firewalls in the previous two hours.

Advanced threat protection (ATP) analyzes incoming and outgoing network traffic (for example, DNS requests, HTTP requests, and IP packets) for threats. Using ATP, you can quickly detect compromised clients in your network and raise an alert or drop the traffic from those clients.

ATP also uses cloud-based sandboxing, which analyzes suspicious content, so that you can decide whether files are safe to allow.

If an attack starts, ATP can prevent devices from connecting to command-and-control servers outside your network.
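The ATP behaviour described above (match DNS, HTTP and IP traffic against command-and-control indicators, then either alert or drop, and summarise affected clients for the dashboard's two-hour window) as an added, self-contained model; this is example code, not Sophos code, and the indicator values, event format and sample events are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed C2 indicators for the example (documentation/test ranges, not real threat data).
C2_HOSTS = {"c2.example-bad.test", "update.evil-example.test"}
C2_IPS = {"203.0.113.7"}


@dataclass
class Event:
    ts: datetime      # time the firewall saw the request
    src: str          # internal client address
    kind: str         # "dns", "http" or "ip"
    target: str       # queried name, HTTP host, or destination IP


def classify(ev: Event):
    """Return the matched indicator, or None. Hostnames are normalised
    (lower-case, trailing dot stripped) so DNS-style FQDNs still match."""
    if ev.kind in ("dns", "http"):
        host = ev.target.lower().rstrip(".")
        return host if host in C2_HOSTS else None
    if ev.kind == "ip":
        return ev.target if ev.target in C2_IPS else None
    return None


def apply_policy(events, policy="drop"):
    """Mirror ATP's two options: only raise an alert, or drop the traffic."""
    action_on_hit = "drop" if policy == "drop" else "alert"
    return [(ev, action_on_hit if classify(ev) else "allow") for ev in events]


def compromised_clients(results, now, window=timedelta(hours=2)):
    """Dashboard-style view: clients with detections in the previous two hours."""
    counts = {}
    for ev, action in results:
        if action == "allow" or now - ev.ts > window:
            continue
        counts[ev.src] = counts.get(ev.src, 0) + 1
    return counts


NOW = datetime(2024, 1, 1, 12, 0)
SAMPLE_EVENTS = [  # constructed traffic seen by the firewall
    Event(NOW - timedelta(minutes=5), "10.0.0.5", "dns", "C2.example-bad.test."),
    Event(NOW - timedelta(minutes=30), "10.0.0.5", "http", "www.example.org"),
    Event(NOW - timedelta(minutes=50), "10.0.0.9", "ip", "203.0.113.7"),
    Event(NOW - timedelta(hours=3), "10.0.0.9", "dns", "update.evil-example.test"),
]


def run_sample(policy="drop"):
    results = apply_policy(SAMPLE_EVENTS, policy)
    return [a for _, a in results], compromised_clients(results, NOW)
```

With the DNS request dropped, the client never resolves the name, so no download follows, which is the situation the forum reply above describes.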

Intrusion Attacks

This shows statistics for intrusion prevention.

Intrusion prevention looks for anomalies in network traffic in order to detect and prevent denial of service (DoS) and other spoofing attacks.

In Sophos XG Firewall, you can specify the action to take when anomalies are found.

Web activity

The graph shows web activity measured at five-minute intervals for the previous two hours.