CyberSecurity SEE

Introducing Active Threat Response for Sophos Switch/Sophos Wireless (AP6) – Sophos News


Sophos has recently introduced a new feature called Active Threat Response for its network access layer products, Sophos Switch and Sophos Wireless (AP6 Series only). This new functionality aims to address the growing challenge of managing corporate networks, which are now filled with a variety of managed and unmanaged devices, both wired and wireless. It is no longer sufficient to monitor only the status of managed devices: blocking connectivity for potentially suspicious unmanaged hosts, such as IoT devices, has become imperative to prevent them from becoming targets for botnets.

A recent report conducted on behalf of Sophos, called the MSP Perspectives 2024 report, highlighted that Managed Service Providers (MSPs) view insecure wireless networking and a shortage of cybersecurity skills/expertise as the biggest cybersecurity risks they currently face. In response to these concerns, Active Threat Response and Sophos’ single-platform approach have been introduced to make security management more efficient and extend network security beyond the capabilities of traditional network infrastructure products.

One key feature of Active Threat Response is its rogue device detection capability. While rogue device detection is commonly found in wireless solutions, it often comes with the risk of false positives. With Active Threat Response, access points and switches receive verified threat information from trusted sources, instead of relying solely on detecting rogue devices connected to rogue access points.

Active Threat Response works by receiving an API-triggered threat feed containing the MAC addresses of potentially compromised hosts. The feed is automatically propagated across the network to update all Sophos switches and AP6 access points, which then isolate the compromised devices by cutting off their communication. Although MAC-based filtering cannot prevent MAC spoofing, it can delay lateral movement, which is a common goal when unmanaged devices are targeted.

The threat feed can originate from various Sophos solutions, such as Sophos MDR, Sophos XDR, or Sophos NDR, and can also be integrated with third-party security solutions through a public API. This flexibility allows customers to leverage their existing security infrastructure while benefiting from Active Threat Response’s capabilities.

Some of the benefits of Active Threat Response include isolating wired and wireless hosts, whether managed or unmanaged, preventing lateral movement, and allowing for detections from multiple sources. It is important to note that the functionality of Active Threat Response for Sophos Switch and Sophos Wireless differs from that of Sophos Firewall, as each offers unique response actions tailored to its specific capabilities.

Overall, the introduction of Active Threat Response strengthens the Sophos ecosystem by showcasing the advantages of consolidating security with a single vendor and using a unified management platform. This not only enhances customers’ security posture but also empowers channel partners to offer a broader range of solutions and services.

To use Active Threat Response, customers must have a valid support subscription for each AP6 access point and/or Sophos switch in their Sophos Central account. Additionally, customers must own a supported Sophos solution/service or a third-party solution capable of providing threat information through the public API.

In conclusion, Active Threat Response is now available for all Sophos AP6 Series and Switch customers managing their devices in Sophos Central. For more information on this new feature, customers can visit the Sophos website dedicated to Wireless and Switch products.
