
Sophos News on Third-party Threat Feeds


Sophos Firewall v21 adds support for third-party threat feeds in its Active Threat Response system. Active Threat Response was introduced in v20 with an extensible threat feed framework that lets the firewall respond automatically to active threats. At launch it supported dynamic threat intelligence feeds from Sophos X-Ops and Sophos MDR, so the firewall could block access to any threat published through that framework.

While most customers found this sufficient, some regions and vertical markets require or encourage custom threat feeds. The partner community, SOC providers, and many customers have also asked for an extensible threat feed capability that can plug into existing or new threat detection and response solutions and services.

With the release of Sophos Firewall v21, the threat feed framework has been extended to accept third-party feeds. Users can add vertical or custom threat feeds to the firewall, and their indicators are monitored and acted on in the same automatic manner as the Sophos feeds, across all security engines (IPS, DNS, Web, and AV), without writing additional firewall rules.

The utilization of third-party threat feeds and Active Threat Response also triggers the same Synchronized Security response as any other red Security Heartbeat condition. The Sophos Firewall will enforce firewall rules containing red Heartbeat conditions and coordinate Lateral Movement Protection with Sophos Endpoints, informing healthy managed endpoints of any compromised hosts on the LAN to block traffic from that device.

Several specialized and vertical threat feeds are supported, including those provided by security organizations, industry consortiums, and community-based or open-source threat intelligence sources. For example, GreyNoise is one of the featured threat feed providers and documents its Sophos Firewall integration on its website. Other notable examples include Cisco Talos, Abuse.ch / URLhaus, Hakk Solutions, OSINT (Open-source Intelligence) / DigitalSide, CINS Score, CrowdSec, EclecticIQ, Feodo Tracker, and more.
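To make the framework's behaviour concrete, the following added example (not Sophos code, and not any of the listed providers' code) shows what a firewall does with such a feed: it parses a plaintext indicator list, checks events from several engines (DNS, Web, IPS) against it, and reports the internal hosts that contacted a listed indicator, which is the information a red Heartbeat or Lateral Movement Protection decision would be based on. The feed format, the key=value event format, and every address and domain are constructed for the example; the real feeds and Sophos log formats differ.

```python
"""Toy threat-feed matcher: parse a plaintext indicator feed, then check
firewall events from several engines against it.  Added illustration only;
feed format, event format and all indicators are constructed."""
import ipaddress
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed feed in a common plaintext style: one indicator per line,
# '#' comments, blank lines, exact IPs, CIDR ranges and domains mixed.
SAMPLE_FEED = """\
# constructed indicator feed (not real intelligence)
198.51.100.23
203.0.113.0/24
bad-updates.example
evil-cdn.example  # inline comment
"""

# Constructed firewall events (key=value); src_ip is the internal host.
SAMPLE_EVENTS = [
    "ts=1 engine=dns src_ip=10.0.0.5 query=bad-updates.example",
    "ts=2 engine=web src_ip=10.0.0.5 dst_ip=203.0.113.77 url=http://203.0.113.77/x",
    "ts=3 engine=dns src_ip=10.0.0.9 query=docs.example",
    "ts=4 engine=ips src_ip=10.0.0.9 dst_ip=198.51.100.23",
    "ts=5 engine=web src_ip=10.0.0.7 dst_ip=192.0.2.10 url=http://ok.example/",
]


class ThreatFeed:
    """Indicator set loaded from a plaintext feed."""

    def __init__(self) -> None:
        self.addresses = set()   # exact IP addresses
        self.networks = []       # CIDR ranges
        self.domains = set()     # domains; subdomains match as well

    @classmethod
    def parse(cls, text: str) -> "ThreatFeed":
        feed = cls()
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()   # drop full and inline comments
            if not line:
                continue
            try:
                if "/" in line:
                    feed.networks.append(ipaddress.ip_network(line, strict=False))
                else:
                    feed.addresses.add(ipaddress.ip_address(line))
                continue
            except ValueError:
                pass                                # not an IP: treat as a domain
            feed.domains.add(line.lower().rstrip("."))
        return feed

    def match_ip(self, value: Optional[str]) -> Optional[str]:
        """Return the matching indicator (IP or CIDR) or None."""
        if not value:
            return None
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            return None
        if ip in self.addresses:
            return str(ip)
        for net in self.networks:
            if ip in net:
                return str(net)
        return None

    def match_domain(self, value: Optional[str]) -> Optional[str]:
        """Return the listed domain that value equals or is a subdomain of."""
        if not value:
            return None
        name = value.lower().rstrip(".")
        for dom in self.domains:
            if name == dom or name.endswith("." + dom):
                return dom
        return None


def parse_event(line: str) -> Dict[str, str]:
    return dict(kv.split("=", 1) for kv in line.split() if "=" in kv)


def evaluate_events(feed: ThreatFeed, events: List[str]) -> List[Dict[str, str]]:
    """One hit per event whose destination, DNS query or URL host is listed."""
    hits = []
    for line in events:
        ev = parse_event(line)
        url_host = urlsplit(ev["url"]).hostname if "url" in ev else None
        indicator = (feed.match_ip(ev.get("dst_ip"))
                     or feed.match_ip(url_host)
                     or feed.match_domain(ev.get("query"))
                     or feed.match_domain(url_host))
        if indicator:
            hits.append({"ts": ev.get("ts", ""), "engine": ev.get("engine", ""),
                         "host": ev.get("src_ip", ""), "indicator": indicator})
    return hits


def compromised_hosts(hits: List[Dict[str, str]]) -> List[str]:
    """Internal hosts to report, e.g. to healthy endpoints for isolation."""
    return sorted({h["host"] for h in hits})


if __name__ == "__main__":
    feed = ThreatFeed.parse(SAMPLE_FEED)
    for hit in evaluate_events(feed, SAMPLE_EVENTS):
        print(hit)
    print("compromised:", compromised_hosts(evaluate_events(feed, SAMPLE_EVENTS)))
```

The single feed serves three engines at once, which is the point the article makes: nothing engine-specific is configured, and a host is flagged whether it tripped on a DNS lookup, a web destination inside a listed range, or an IPS event to a listed address.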

To try this capability ahead of general availability, users can join the Sophos Firewall v21 Early Access Program. After registering, they receive the firmware update package by email and can install it on their Sophos Firewall to start using the enhanced features, including third-party threat feeds.
