Central Endpoint & Intercept X: Getting Started
Summary
TLDR: Doug from Sophos introduces Endpoint and Intercept X protection within Sophos Central, assuming viewers have an active account and at least one licensed product. The tutorial covers accessing the product, how base policies apply, and adding users manually, via CSV import, via Active Directory sync, or automatically when the endpoint agent is installed. It walks through threat protection, peripheral control, application control, data loss prevention, web control, update management and Windows Firewall management, then shows where to download installers, with help available from the upper right corner of the console.
Takeaways
- 🔐 **Sophos Central Account Requirement**: To use Endpoint and Intercept X protection, you need an active Sophos Central account and at least one licensed product.
- 👤 **User Management**: Sophos Central allows adding users manually, importing via CSV, syncing with Active Directory, or automatically creating users during endpoint agent deployment.
- 🛡️ **Endpoint Protection Policies**: Base policies are automatically applied to all users or computers unless exemption policies are created for specific groups or machines.
- 💡 **Recommended Settings**: Sophos provides recommended settings for optimal protection, which include features like deep learning for malware detection and real-time scanning.
- 🔎 **Deep Learning Technology**: Sophos uses a pre-trained deep learning model for file-based malware detection, enabled by default with no training period; Sophos says it delivers greater accuracy and fewer false positives than competing machine-learning products.
- 🚫 **Behavior-Based Detections and Malicious Website Blocking**: Real-time scanning includes a 'block access to malicious websites' setting, on by default, that checks a database of known bad sites growing by about 6 million URLs per week; Sophos credits this setting alone with stopping about 80% of attacks.
- 🛡️ **Exploit Protection and CryptoGuard**: Intercept X features comprehensive exploit protection and CryptoGuard to defend against ransomware and other advanced threats.
- 🔄 **Peripheral Control**: Off by default, with a monitor mode (audit only) and a control mode (allow, read-only, or block per device type); wireless can be allowed, blocked, or blocked only when bridging to another network while the machine is on the wired office network.
- ⛔ **Application Control**: Off by default; controlled apps can run in detection-only mode or be blocked outright, all older versions of software such as Adobe Reader can be blocked in one step, and a blocked category (e.g. file-sharing apps) can grow automatically as Sophos Labs discovers new software.
- 🚫 **Data Loss Prevention (DLP)**: DLP policies can inspect file contents for sensitive data and enforce rules based on content type, user actions, and file transfer destinations.
- 🌐 **Web Control**: Additional security options extend threat protection by controlling web-based activities, including blocking risky downloads and managing acceptable web usage.
- 🔄 **Update Management**: Sophos Central provides update management policies to schedule updates during specific hours, ensuring minimal disruption in controlled environments.
- 🔒 **Windows Firewall Management**: The platform can monitor and configure the state of the Windows firewall, with options to block or allow connections based on network type.
Q & A
What is required to get started with Endpoint and Intercept X protection in Sophos Central?
-You need an active Sophos Central account and at least one licensed product to get started with Endpoint and Intercept X protection.
Where can you check which products are licensed in Sophos Central?
-You can check which products are licensed by clicking on your name in the upper right corner and selecting 'Licensing' from the drop-down menu.
What is the base policy in Sophos Central, and when is it applied?
-The base policy is a default policy that applies automatically to every user or computer unless specific exemption policies are created for particular users, machines, or groups.
How can you add users to the Sophos Central system?
-Users can be added manually, imported via CSV files, or synced with Active Directory using a tool found in the settings section. Additionally, users are created automatically when the endpoint agent is installed on a machine.
What makes Sophos' deep learning different from other machine learning systems?
-Sophos' deep learning is pre-trained and works immediately in your environment without a training period, offering greater accuracy and fewer false positives compared to competitors.
How does the 'Block access to malicious websites' feature in real-time scanning contribute to security?
-This feature checks against a constantly growing database of known malicious websites, stopping about 80% of attacks, and is enabled by default.
What is Cryptoguard, and how does it protect against ransomware?
-CryptoGuard is an Intercept X feature that protects against ransomware, which maliciously encrypts user files and demands payment to unlock them, by blocking that malicious encryption of user files.
What are the different modes available for peripheral control in Sophos Central?
-Peripheral control has three modes: disabled, monitor mode (which audits all peripherals), and control mode (which allows peripherals to be allowed, read-only, or blocked).
How does application control work in Sophos Central?
-Application control lets you blacklist apps deemed malicious or inappropriate. Controlled apps can run in detection-only mode or be blocked outright, scheduled and full system scans can optionally detect them, and the blacklist offers shortcuts such as blocking all older versions of software like Adobe Reader, or automatically adding new software in a category (e.g. file sharing) as Sophos Labs discovers it.
What does the Data Loss Prevention (DLP) feature do, and how can you configure it?
-The DLP feature monitors the content of files as they leave the endpoint. You can use built-in templates for quick setup, create custom rules, and choose to block or audit file transfers based on content or file types.
Outlines
🛠️ Getting Started with Sophos Central
Doug from Sophos introduces the process of setting up Endpoint and Intercept X protection within Sophos Central. It's assumed that the user has an active Sophos Central account and at least one licensed product. The video guides viewers on how to access the product, check licensed products, and navigate the Sophos Central platform. It focuses on Endpoint Protection and Intercept X, explaining the base policies and how they apply to users and computers. The video also covers various ways to add users to the system, such as manually, via CSV, Active Directory sync, or automatic creation during endpoint agent deployment. The threat protection settings are explored, emphasizing Sophos' deep learning technology for malware detection, real-time scanning, and behavior-based detections like exploit protection and Cryptoguard against ransomware. The recommended settings are highlighted as the optimal best practices for organizations, with the option to customize these settings as needed.
🔧 Configuring Endpoint Protection Policies
The video script delves into the configuration of peripheral control, application control, and data loss prevention (DLP) policies within Sophos Central. Peripheral control settings allow for monitoring or controlling peripheral devices, with options to block or allow wireless connections. Application control is used to blacklist malicious or inappropriate apps, with features to monitor or block them. The script also explains how to manage blacklists and automatically update them with new software discovered by Sophos' labs. DLP is discussed as an advanced policy for monitoring the content of files as they leave the endpoint, with options to create custom rules based on content, file types, or names. The script guides viewers on setting up DLP rules, choosing actions for detected content, and configuring rules to apply to specific applications or media. The aim is to provide a comprehensive understanding of how to configure and manage various security policies in Sophos Central.
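The DLP content rule described above counts matches of a content type (the video's example is US bank routing numbers) and fires only once a threshold is reached, defaulting to 10 and lowered to 1 for auditing. The following is an added example, not Sophos code and not how the Sophos DLP engine is implemented: it shows what such a rule does in working Python, with the ABA routing-number checksum used to separate real routing numbers from other nine-digit strings. The spreadsheet text, the routing numbers (chosen only to satisfy or fail the checksum) and the rule names are constructed for the example.

```python
"""Illustrative DLP-style content rule: count routing numbers, act on a threshold."""
import re
from dataclasses import dataclass, field

# Constructed sample "file contents". The routing numbers are made up:
# 123456780 and 111111118 satisfy the ABA checksum, the others do not.
SAMPLE_SPREADSHEET = """\
Vendor,Routing,Account
Acme Supply,123456780,987654321
Globex,111111118,123456789
Initech,555555555,000111222
Notes: ticket 999999999 is unrelated
"""

# Exactly nine digits, not embedded in a longer digit run.
NINE_DIGITS = re.compile(r"(?<!\d)\d{9}(?!\d)")


def is_valid_aba_routing(candidate: str) -> bool:
    """ABA routing checksum: 3(d1+d4+d7) + 7(d2+d5+d8) + (d3+d6+d9) must be a multiple of 10."""
    if len(candidate) != 9 or not candidate.isdigit():
        return False
    d = [int(c) for c in candidate]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


def find_routing_numbers(text: str) -> list[str]:
    """Return every nine-digit token in text that passes the ABA checksum."""
    return [m.group(0) for m in NINE_DIGITS.finditer(text) if is_valid_aba_routing(m.group(0))]


@dataclass
class ContentRule:
    name: str
    threshold: int          # matches required before the rule fires (video default: 10)
    action: str             # "allow" (audit only), "confirm" (nudge the user) or "block"
    destinations: set[str] = field(default_factory=lambda: {"removable", "email", "browser"})


@dataclass
class Verdict:
    rule: str
    matches: list[str]
    fired: bool
    action: str             # action applied to the transfer; "allow" when the rule did not fire


def evaluate(rule: ContentRule, text: str, destination: str) -> Verdict:
    """Apply one content rule to a file about to be transferred to `destination`."""
    if destination not in rule.destinations:
        return Verdict(rule.name, [], False, "allow")
    matches = find_routing_numbers(text)
    fired = len(matches) >= rule.threshold
    return Verdict(rule.name, matches, fired, rule.action if fired else "allow")


if __name__ == "__main__":
    # Default threshold of 10: two routing numbers in the sample are not enough to fire.
    default_rule = ContentRule("financial data", threshold=10, action="block")
    # Audit rule as set up in the video: threshold 1, action allow, so everything is logged.
    audit_rule = ContentRule("financial data (audit)", threshold=1, action="allow")
    for rule in (default_rule, audit_rule):
        v = evaluate(rule, SAMPLE_SPREADSHEET, "removable")
        print(f"{v.rule}: matches={v.matches} fired={v.fired} action={v.action}")
```

Lowering the threshold to 1 makes the audit rule fire on the first valid routing number, which is what the video recommends when the goal is to log as much as possible before deciding on confirm or block actions. The checksum matters in practice: without it, every account number, ticket number or phone number of nine digits would count toward the threshold.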
🔄 Advanced Settings and Installers in Sophos Central
The final paragraph of the video script covers additional settings in Sophos Central, such as Web Control and Update Management. Web Control extends the security features by blocking risky downloads and managing acceptable web usage, with options to customize these settings. The script also touches on data loss options for web-based email and download sites. Update Management allows administrators to set update windows for machines, ensuring updates occur during specified hours. The Windows Firewall management policy is also discussed, with options to monitor and configure the firewall state for different network types. The video concludes with instructions on how to download installers for endpoint protection from the protect devices section, offering choices between complete installers or custom component selection. The script emphasizes the ease of setting base policies and deploying them across the network, with support available for any assistance needed.
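The Windows Firewall management policy above first detects and reports the firewall state per profile and, in 'monitor and configure' mode, pushes a connection type for each profile. An administrator will want an independent check that the state actually landed on the endpoint. The block below is an added example, not Sophos code and not part of the Sophos agent: it parses the output of `netsh advfirewall show allprofiles` and compares each profile against an expected state. The sample output is constructed (trimmed to the fields the check uses, with the Private profile deliberately switched off so a finding appears), and the mapping of the video's choices onto netsh values (Public blocked = `BlockInboundAlways`, Private blocked with exceptions = `BlockInbound`, Domain allowed = `AllowInbound`) is an assumption for the example, not something the page states.

```python
"""Audit Windows Firewall profile state against an expected policy (illustrative, not Sophos code)."""
import re
import subprocess

# Constructed sample of `netsh advfirewall show allprofiles` output, trimmed to the
# fields used here. Private is OFF on purpose so the audit reports a finding.
SAMPLE_NETSH_OUTPUT = """\
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       AllowInbound,AllowOutbound
LocalFirewallRules                    N/A (GPO-store only)

Private Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound

Public Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInboundAlways,AllowOutbound

Ok.
"""

# Assumed mapping of the video's per-profile choices onto netsh inbound policy values.
EXPECTED_POLICY = {
    "Public": ("ON", "BlockInboundAlways"),   # "block public networks"
    "Private": ("ON", "BlockInbound"),        # "block private networks with exceptions"
    "Domain": ("ON", "AllowInbound"),         # "leave domain networks as allowed"
}

PROFILE_HEADER = re.compile(r"^(Domain|Private|Public) Profile Settings:")


def parse_profiles(text: str) -> dict[str, dict[str, str]]:
    """Turn netsh's 'Key<spaces>Value' lines into {profile: {key: value}}."""
    profiles: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = PROFILE_HEADER.match(line)
        if header:
            current = header.group(1)
            profiles[current] = {}
            continue
        if current is None or not line:
            continue
        parts = re.split(r"\s{2,}", line, maxsplit=1)   # keys and values are separated by runs of spaces
        if len(parts) == 2:
            profiles[current][parts[0]] = parts[1]
    return profiles


def inbound_policy(profile: dict[str, str]) -> str:
    """'BlockInbound,AllowOutbound' -> 'BlockInbound'."""
    return profile.get("Firewall Policy", "").split(",")[0]


def audit(profiles: dict[str, dict[str, str]], expected: dict[str, tuple[str, str]]) -> list[str]:
    """Return one finding per profile that deviates from the expected (state, inbound policy)."""
    findings = []
    for name, (want_state, want_inbound) in expected.items():
        prof = profiles.get(name)
        if prof is None:
            findings.append(f"{name}: profile missing from netsh output")
            continue
        state, inbound = prof.get("State", "?"), inbound_policy(prof)
        if state != want_state:
            findings.append(f"{name}: state {state}, expected {want_state}")
        if inbound != want_inbound:
            findings.append(f"{name}: inbound policy {inbound}, expected {want_inbound}")
    return findings


def live_netsh_output() -> str:
    """Run netsh on a real Windows host; only used when invoked with --live."""
    return subprocess.run(["netsh", "advfirewall", "show", "allprofiles"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    import sys
    text = live_netsh_output() if "--live" in sys.argv else SAMPLE_NETSH_OUTPUT
    for finding in audit(parse_profiles(text), EXPECTED_POLICY) or ["all profiles match expected policy"]:
        print(finding)
```

Run it with `--live` on a managed Windows endpoint after the policy has synced; on the constructed sample it reports the Private profile as OFF, which is the kind of drift the 'monitor only' mode in Sophos Central would surface in the console and 'monitor and configure' would correct.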
Keywords
💡Sophos Central
💡Endpoint Protection
💡Intercept X
💡Policies
💡Deep Learning
💡Active Directory Sync
💡Exploit Protection
💡CryptoGuard
💡Data Loss Prevention (DLP)
💡Application Control
Highlights
Introduction to getting started with Endpoint and Intercept X protection in Sophos Central.
Prerequisite of having an active Sophos Central account and at least one licensed product.
Accessing Endpoint Protection and Intercept X from the product menu or navigation bar.
Overview of Sophos Central as a cloud-based platform for managing various security products.
Option to start free trials for Sophos products to evaluate their features.
Explanation of base policies in Endpoint Protection and their automatic application.
Methods for adding users to the system: manual addition, CSV import, Active Directory sync, and automatic creation during endpoint agent deployment.
Threat Protection policy overview, including the use of recommended settings and deep learning technology.
Sophos' approach to file-based malware detection with deep learning and real-time scanning.
Behavior-based detections, including real-time scanning features and block access to malicious websites.
Exploit Protection technology for dealing with fileless malware and advanced attacks.
CryptoGuard feature for protecting against ransomware that encrypts user files.
Peripheral Control policy with options for monitoring and controlling peripheral device access.
Application Control policy for blacklisting malicious or inappropriate apps and setting detection modes.
Data Loss Prevention (DLP) policy for monitoring and controlling the contents of files as they leave the endpoint.
Web Control policy for extending threat protection features and setting acceptable web usage.
Update Management policy for scheduling product updates during specific hours.
Windows Firewall management policy for detecting and reporting the state of the Windows firewall.
Instructions on downloading installers for endpoint protection from the protect devices section.
Options for downloading complete installers or choosing components for custom installations.
Conclusion of the tutorial with a summary of steps for setting base policies and deploying endpoint protection.
Transcripts
Hi, I'm Doug from the product team here at Sophos and today we're going to be taking a look at how to get started with Endpoint and Intercept X protection inside Sophos Central. Now this assumes you have an active Sophos Central account and at least one licensed product already. You can click your product right here to get started, or exit out of this modal and select your product from the left-hand navigation bar. You can also check which products you have licensed by clicking on your name in the upper right corner here, and choosing licensing from the drop-down. Now in this video we'll be focusing on Endpoint Protection and Intercept X, which are found in the Endpoint Protection section, but Sophos Central in and of itself is a cloud-based platform where you can manage our server, mobile, full disk encryption, wireless, email and anti-phishing products. And whenever you like you can visit the free trials link to learn more about each product and start a 30-day trial with a few clicks.

So let's click into Endpoint Protection and run through a quick overview of policies by clicking the policies link. Endpoint Protection starts with a base policy for each of the policies you see here. Now these base policies automatically apply to every user or computer until you create exemption policies that cater to particular users, machines and groups. You have a few options for getting users into the system: you can add users manually or import them via CSV files by clicking the people link here. You can also sync with Active Directory by using our tool found in the settings section here. And finally, when deploying the endpoint agent found in the protect devices section, more on that in a bit, it'll simply create users automatically each time it's installed on a machine.

So let's visit each of these base policies, starting with threat protection. Let's click into this policy and head to the settings tab. Now you'll notice the settings are greyed out and the 'use recommended settings' box is ticked. This is what we at Sophos believe to be the optimal best practice settings for just about any organization. We're also constantly adding new features to Sophos Central, and for many of them we'll roll them out in phases, so from time to time you'll notice that, right now for instance, at the time of this recording we're rolling out our active adversary mitigations. At some point this feature will be switched on automatically and added as a recommended setting, but for now this account can turn one or more of these mitigations on manually by clicking the drop-down, choosing custom and ticking the various boxes here.

So let's take a closer look at some of the settings in this policy by unchecking the 'use recommended settings' box temporarily. Let's first talk about our approach to file-based malware. You'll notice here that we have Sophos deep learning enabled. Now this is different from everyone else's machine learning in that the combination of deep learning with our tried and true endpoint protection means greater accuracy and far fewer false positives than competing products. And it's enabled by default, which is great. There's no training period for a deep learning system, it just works right out of the gate for your environment. We have a state-of-the-art labs team that constantly trains and tunes our deep learning engines, so you don't have to. So paired with this real-time scanning setting that leverages our 30-plus years of industry experience, deep learning is made that much more powerful and accurate.

We then get into our behavior-based detections, starting with real-time scanning features. This 'block access to malicious websites' setting, for instance, checks against a database of known bad websites that grows by about 6 million URLs each week. This setting alone is responsible for stopping about 80% of attacks, and again it's on by default. And then taking a look at our runtime protection section, this is really where the power of Intercept X begins to shine. Our exploit protection technology, for instance, is the most comprehensive and powerful exploit protection of any product on the market today, so it's great for dealing with fileless malware and other nasty advanced attacks. CryptoGuard is another one of our extremely popular features; this protects against ransomware that maliciously encrypts user files and demands payment to unlock them. So that's a quick look at the threat protection base policy. Let's head back up top and recheck the 'use recommended settings' box. Click Save and we'll be on our way.

Moving right along to peripheral control. We'll again click the Settings tab and we'll see that this is disabled by default. Now aside from disabling peripheral control, we've got two main modes. In monitor mode, we'll allow all peripherals to be used, but we'll just audit them to get a good idea of what's going on in our environment. In control mode we'll actually control whether peripherals can be allowed, read-only, or blocked. Wireless is a slightly different setting. We can allow, block, or block bridging, say to a nearby wireless coffee shop network or a cellphone hotspot, while the machine is connected to the wired office network. We can also create exemptions here based on the history of logged devices. This is a new account so we have nothing of note here yet, but if we check back in a week or so it should be full of devices that we can exempt from the base peripheral control policy if we like.

Next up is application control. Again click the Settings tab and again, this is off by default. With app control we're looking to blacklist apps we believe to be malicious or inappropriate, and as with peripheral control we've got a sort of monitoring mode that we can use to either let controlled apps run in a detection-only mode, or outright block them. We can also choose whether we want scheduled or full system scans to also detect controlled applications. So let's set that to 'yes,' and then get to work building our blacklist. Now blacklists can be cumbersome to manage, so we've got a few tricks up our sleeve here. Taking a look at document viewers, for example, we've got all these versions of Adobe Reader to worry about keeping updated. Well, Adobe is a big target for exploit-based attacks, so what we can do is just block all older versions of Reader to ensure that only the latest version is being used across the company. And then let's say we don't want people using any file-sharing apps, they're just too risky. Well obviously we'll just select all of them by using the master checkbox here, but we can also check this bottom box. By doing that, every time our labs team here at Sophos discovers new file-sharing software, it'll get added to our blocked apps list automatically.

Okay, let's move on now to data loss prevention, or DLP. This is actually a pretty advanced policy. What we're doing here is we're looking at the contents of files as they leave the endpoint. So let's enable these rules and let's take a look at some of the controls that we have. Now for starters, we have some built-in region-based templates. So choosing the US region here, for example, this will let us get started quickly with general health care and finance rules. We can also create a custom policy on the right-hand side here. I like to first decide if I want to message my end users when a file that's being transferred needs to be confirmed, or is blocked. We can then choose to add either an existing rule we've already created, a rule that controls content found inside files, or a rule that controls the transfer of specific file types or names. So let's choose new content rule to track specific content inside files. We'll call this 'financial data,' and we can choose to create exclusions based on file type, but let's skip those. And then we need to decide what happens. Do we want to allow the content to transfer transparently without messaging the user, do we want to gently nudge the user to think twice about the transfer, or do we want to block it entirely? For now, let's choose to allow it. We'll simply create this as an auditing rule. Next we'll choose the type of content. We can, and we'll want to, leverage our filters here, first to choose 'financial data,' and then to choose the U.S. region. And let's check these first two rules here. Now by default here, this rule will look for 10 routing numbers, for instance, before springing into action. We can change this to 1 to ensure we're logging as much as possible, though. And finally let's choose our destinations. We want this rule to apply to content detected in the following types of applications or media. We'll click finish, and we've got our custom DLP rule all set up. Since this is in our base policy, this will start reporting on all connected Windows machines.

Now on to Web Control. In this first section, 'additional security options' for instance, what we're doing is kind of extending the features found in our threat protection policy. We're blocking certain risky downloads by default. We're letting ads and uncategorized sites through while blocking, allowing, or warning about various items based on how prevalent they are to attack. So to change settings here, we switch to 'let me specify' whenever we want to override the default settings of a certain section. So we normally just warn people that Windows executables can be risky, but if we're looking for greater control we can just block them entirely. So those are the security options, but we've also got other protections such as acceptable web usage. We've got some presets here, and again we can override individual settings by choosing 'let me specify.' The 'keep it clean' setting is on by default, which either warns or allows most categories with the exception of adult and potentially inappropriate content. And then we've got some data loss options when it comes to potential data sharing. We can allow, block, or warn our users when they visit web-based email sites and download sites.

So that's web control. Let's head back out to the policies list and check out update management. Now with this we can choose an update window for our machines. If we don't set this, our machines will check for product updates every hour. This option is good for highly controlled environments where we only want devices to perform updates during set hours. And last but not least, let's take a look at the Windows Firewall management policy. What we're doing here is detecting and reporting the state of the Windows firewall. By default, we'll monitor only, but let's go ahead and choose monitor and configure. From here we can choose a connection type for each of the profiles seen here. So let's say we want to block public networks, we want to block private networks with exceptions. These are the exceptions set by Microsoft's Group Policy Orchestrator. And for domain networks we'll leave those as allowed.

So that's a quick run-through of endpoint policies. Once we're happy with those, we can go ahead and grab our installers from the protect devices section here. We've got a few different options here for Windows and Mac. We can download the complete installer, which contains multiple products in a single agent, or we can select 'choose components' to mix and match what we want to install. So that's a quick tour of endpoint protection in Sophos Central. You set your base policies, download your installers, and then you either add your users manually, use our AD sync tool, or deploy the installer to automatically create them. If you get stuck, help is just a couple clicks away over here in the upper right corner.