Central Endpoint & Intercept X: Getting Started

00:00

Hi I'm Doug from the product team here at Sophos and today we're going to be

00:03

taking a look at how to get started with Endpoint and Intercept X protection.

00:07

Inside Sophos Central now this assumes you have an active Sophos

00:12

Central account and at least one licensed product already. You can click

00:17

your product right here to get started, or exit out of this model and select

00:22

your product from the left-hand navigation bar. You can also check which

00:26

products you have licensed by clicking on your name in the upper right corner

00:29

here, and choosing licensing from the drop-down. Now in this video we'll be

00:34

focusing on Endpoint Protection and Intercept X, which are found in the

00:39

Endpoint Protection section, but Sophos central in and of itself is a

00:43

cloud-based platform where you can manage our server, mobile, full disk

00:48

encryption, wireless, email and anti-phishing products. And whenever you

00:53

like you can visit the free trials link to learn more about each product and

00:57

start a 30-day trial with a few clicks. So let's click into endpoint protection

01:03

and run through a quick overview of policies by clicking the policies link.

01:08

Endpoint protection starts with a base policy for each of the policies you see

01:13

here. Now these base policies automatically apply to every user or

01:18

computer until you create exemption policies that cater to particular users'

01:23

machines and groups. You have a few options for getting users into the

01:28

system: you can add users manually or import them via CSV files by clicking

01:33

the people link here. You can also sync with Active Directory by using our tool

01:38

found in the settings section here. And finally when deploying the endpoint

01:43

agent found in the protect devices section, more on that in a bit, it'll

01:47

simply create users automatically each time it's installed on a machine. So

01:51

let's visit each of these based policies starting with threat protection. Let's

01:55

click into this policy and head to the settings tab.

01:58

Now you notice the settings are greyed out and the 'use recommended settings' box

02:04

is ticked. This is what we at Sophos believe to be the optimal best practice

02:10

settings for just about any or organization. We're also constantly

02:14

adding new features to Sophos Central, and for many of them, we'll roll them out

02:19

in phases, so from time to time you'll notice that right now, for instance at

02:23

the time of this recording we're rolling out our active adversary mitigations. At

02:28

some point this feature will be switched on automatically and added as a

02:33

recommended setting, but for now this account can turn one or more of these

02:38

mitigations on manually by clicking the drop-down, choosing custom and ticking

02:44

the various boxes here. So let's take a closer look at some of the settings in

02:51

this policy by unchecking the 'use recommended settings' box temporarily.

02:56

Let's first talk about our approach to file based. Malware you'll notice here

03:01

that we have Sophos deep learning enabled. Now this is different from

03:05

everyone else's machine learning and that the combination of deep learning

03:08

with our tried and true endpoint protection means greater accuracy and

03:13

far fewer false positives than competing products. And it's enabled by default,

03:17

which is great. There's no training period for a deep learning system, it

03:22

just works right out of the gate for your environment. We have a

03:25

state-of-the-art labs team that constantly trains and tunes our deep

03:29

learning engines you don't have to. So paired with this real-time scanning

03:33

setting that leverages our 30-plus years of industry experience, deep learning is

03:38

made that much more powerful, and accurate. We then get into our behavior

03:42

based detections, starting with real-time scanning features. This block

03:47

access to malicious websites setting for instance, checks against the database of

03:51

known bad websites, that grows by about 6 million URLs each week. This setting

03:57

alone is responsible for stopping about 80% of attacks, and again it's on by

04:02

default. And then taking a look at our run time protection section, this is

04:07

really where the power of Intercept X begins to shine. Our exploit protection

04:12

technology for instance, is the most comprehensive and powerful exploit

04:16

protection of any product on the market today, so it's great for dealing with

04:20

fileless malware and other nasty advanced attacks. Cryptoguard is another

04:25

one of our extremely popular features this protects

04:28

against ransomware that maliciously encrypts user files and demands payment

04:32

to unlock them. So that's a quick look at the threat protection based policy. Let's

04:37

head back up top and recheck the 'use recommended settings' box. Click Save and

04:42

we'll be on our way. Moving right along to peripheral control.

04:46

We'll again click the Settings tab and we'll see that this is disabled by

04:50

default. Now aside from disabling peripheral control, we've got two main

04:55

modes. In monitor mode, we'll allow all peripherals to be used, but we'll just

05:00

audit them to get a good idea of what's going on in our environment. In control

05:05

mode we'll actually control whether peripherals can be allowed, read-only, or

05:10

blocked. Wireless is a slightly different setting. We can allow, block, or block

05:16

bridging, say to a nearby wireless coffee shop network, or a cellphone hotspot

05:20

while them a machine is connected to the wired office network. We can also create

05:25

exemptions here based on the history of log devices. This is a new account so we

05:31

have nothing of note here yet, but if we check back in a week or so there should

05:35

be full of devices that we can exempt from the base peripheral control policy

05:39

if we like. Next up is application control, again click the Settings tab and

05:44

again, this is off by default. With app control we're looking to blacklist apps

05:50

we believe to be malicious or inappropriate, and as with peripheral

05:55

control we've got a sort of monitoring mode that we can use to either let

05:58

controlled apps run in a detection only mode, or outright block them. We can also

06:04

choose whether we want scheduled or full system scans to also detect controlled

06:09

applications. So let's set that to 'yes,' and then get to work building our blacklist

06:14

Now blacklists can be cumbersome to manage so we've got a few tricks up

06:18

our sleeve here. Taking a look at document viewers for example, we've got

06:22

all these versions of Adobe Reader to worry about keeping updated. Well Adobe

06:27

is a big target for exploit based attacks so what we can do is just block

06:31

all older versions of reader to ensure that only the latest version is being

06:36

used across the company. And then let's say we don't want people

06:40

using any file-sharing apps, they're just too risky.

06:44

Well obviously we'll just select all of them by using the master checkbox here,

06:49

but we can also check this bottom box. By doing that every time our labs team here

06:54

at Sophos discovers new file-sharing software,

06:57

it'll get added to our block apps list automatically. Okay let's move on now to

07:02

data loss prevention or DLP. This is actually a pretty advanced policy. What

07:08

we're doing here is we're looking at the contents of files as they leave the

07:13

endpoint. So let's enable these rules and let's take a look at some of the

07:17

controls that we have. Now for starters, we have some built-in region-based

07:22

templates. So choosing the US region here for example, this will let us get started

07:28

quickly with general health care and Finance rules. We can also create a

07:34

custom policy on the right hand side here. I like to first decide if I want to

07:38

message my end users when a file that's being transferred needs to be confirmed,

07:41

or is blocked. We can then choose to add either an existing rule we've already

07:46

created, a rule that controls content found inside files, or a rule that

07:52

controls the transfer of specific file types,or names. So let's choose new

07:58

content rule to track specific content inside files. We'll call this 'financial

08:05

data,' and we can choose to create exclusions based on file type, but let's

08:12

skip those. And then we need to decide what happens. Do we want to allow the

08:16

content to transfer transparently without messaging the user, do we want to

08:21

gently nudge the user to think twice about the transfer, or do we want to

08:25

block it entirely. For now, let's choose to allow it. We'll simply create this as

08:31

an auditing rule. Next we'll choose the type of content. We can and we'll want to

08:36

leverage our filters here. First to choose 'financial data,' and then to choose

08:41

the U.S. region. And let's check these first two rules here. Now by default here,

08:47

this rule will look for 10 routing numbers for instance, before springing

08:51

into action. We can change this to 1 to ensure

08:55

we're logging as much as possible though. And finally let's choose our

08:59

destinations. We want this rule to apply to content detected in the following

09:03

types of applications, or media. We'll click finish, and we've got our custom

09:11

DLP rule all set up. Since this is in our base policy,

09:14

this will start reporting on all connected Windows machines. Now on to Web

09:21

Control. In this first section additional security options for instance. What we're

09:27

doing is kind of extending the features found in our threat protection policy.

09:31

We're blocking certain risky downloads by default. We're letting ads and

09:36

uncategorized sites through while blocking, allowing, or warning about

09:41

various items based on how prevalent they are to attack. So to change settings

09:46

here, we switch to 'let me specify' whenever we want to override the default

09:50

settings of a certain section. So we normally just warn people that Windows

09:55

executables can be risky, but if we're looking for greater control we can just

10:00

block them entirely. So those are the security options, but we've also got

10:05

other protections such as acceptable web usage. We've got some presets here, and

10:10

again we can override individual settings by choosing 'let me specify.' The

10:15

'keep it clean' setting is on by default, which either warns or allows most

10:19

categories with the exception of adult and potentially inappropriate content.

10:23

And then we've got some data loss options when it comes to potential data

10:27

sharing. We can allow, block, or warn our users when they visit web-based email

10:33

sites and download sites. So that's web control, let's head back out to the

10:38

policies list and check out update management. Now with this we can choose

10:43

an update window for our machines. If we don't set this, our machines will check

10:48

for product updates every hour. This option is good for highly controlled

10:52

environments where we only want devices to perform updates during set hours. And

10:57

last but not least, let's take a look at the Windows Firewall management policy.

11:02

What we're doing here is detecting and reporting the state of the Windows

11:06

firewall. By default, we'll monitor only, but let's go ahead and choose monitor

11:11

and configure. From here we can choose a connection type for each of the profiles

11:17

seen here. So let's say we want to block public networks, we want to block private

11:24

networks with exceptions. These are the exceptions set by Microsoft's Group

11:29

Policy Orchestrator. And for domain networks we'll leave those as allowed. So

11:34

that's a quick run-through of end point policies. Once we're happy with those, we

11:38

can go ahead and grab our installers from the protect devices section here.

11:41

We've got a few different options here for Windows and Mac. We can download the

11:45

complete installer, which contains multiple products in a single agent, or

11:49

we can select 'choose components' to mix and match what we want to install. So

11:54

that's a quick tour of endpoint protection and Sophos Central. You set

11:58

your base policies download your installers, and then you either add your

12:03

users manually, use our AD sync tool, or deploy the Installer to automatically

12:08

create them. If you get stuck, help is just a couple clicks away over here in

12:12

the upper right corner.