Lateral Movement Protection

When Synchronized Security was first introduced with XG Firewall, the Security Heartbeat settings in firewall rules allowed traffic from unhealthy endpoints, those with a RED or YELLOW heartbeat status, to be denied or blocked by those rules. This ensures compromised systems can be isolated from other parts of the network such as other zones, segments, or even the internet, depending on the firewall rule configuration. In this way, Security Heartbeat helps isolate infected endpoints to prevent a threat from moving or spreading to other parts of the network or communicating out to the internet.

In v17.5, this feature is enhanced further with the ability to isolate unhealthy endpoints even from other endpoints on the same broadcast domain or network segment, where traffic never crosses the firewall. This is elegantly accomplished by the firewall automatically informing all healthy endpoints to ignore any traffic coming from any unhealthy endpoints, effectively isolating them on the network until they can be cleaned up. Once an endpoint is cleaned up, its Security Heartbeat status returns to GREEN and connectivity with other systems on the network is automatically restored.

XG Firewall acts as the distribution hub for all the information the healthy endpoints need in order to isolate the infected ones.

Configuration for this feature is available within Sophos Central. Go to Global Settings > Endpoint Protection > Reject Network Connections. This takes you to the configuration page where specific endpoints can be excluded from the Lateral Movement Protection feature so that they are never isolated.

In addition, IPS detection from compromised endpoints can now trigger a RED heartbeat condition and lateral movement protection as well, further enhancing protection from threats on the network.
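The following is an added example, not Sophos code or configuration, that models the behaviour described above as a small state machine: a firewall rule that refuses RED/YELLOW sources, a firewall object that collects heartbeat status and pushes an ignore list to every healthy endpoint, an exclusion set standing in for the Sophos Central "Reject Network Connections" exclusions, an IPS detection that flips an endpoint to RED, and the restoration to GREEN after cleanup. All endpoint names, IP addresses and rule names are constructed for the illustration.

```python
"""Model of heartbeat-driven lateral movement protection (illustrative, not Sophos code).

Three pieces interact:
  * FirewallRule  - zone-level rule that can refuse traffic from unhealthy sources
  * Firewall      - distribution hub: tracks heartbeat status, pushes ignore lists
  * Endpoint      - host that drops frames from peers the firewall flagged as unhealthy
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Heartbeat(Enum):
    GREEN = "GREEN"    # healthy
    YELLOW = "YELLOW"  # warning (e.g. outdated protection, PUA)
    RED = "RED"        # compromised / active detection


@dataclass
class Endpoint:
    name: str
    ip: str
    status: Heartbeat = Heartbeat.GREEN
    # Source IPs this endpoint has been told to ignore (pushed by the firewall).
    ignore_list: set[str] = field(default_factory=set)

    def accepts_frame(self, src_ip: str) -> bool:
        """Host-side check for same-segment traffic that never crosses the firewall."""
        return src_ip not in self.ignore_list


@dataclass
class FirewallRule:
    name: str
    # Heartbeat states the rule refuses to match, e.g. {RED} or {RED, YELLOW}.
    deny_statuses: frozenset[Heartbeat]

    def permits(self, src: Endpoint) -> bool:
        return src.status not in self.deny_statuses


class Firewall:
    """Collects heartbeat state and distributes the isolation list to healthy hosts."""

    def __init__(self, endpoints: list[Endpoint], excluded: set[str] = frozenset()):
        self.endpoints = {e.name: e for e in endpoints}
        # Names excluded from lateral movement protection (modelled Central exclusions).
        self.excluded = set(excluded)
        self.redistribute()

    def unhealthy_ips(self) -> set[str]:
        return {e.ip for e in self.endpoints.values()
                if e.status is not Heartbeat.GREEN and e.name not in self.excluded}

    def redistribute(self) -> None:
        blocked = self.unhealthy_ips()
        for e in self.endpoints.values():
            # Only healthy endpoints receive and enforce the list; a compromised host
            # is not trusted to enforce anything, so its list is cleared.
            e.ignore_list = set(blocked) if e.status is Heartbeat.GREEN else set()

    def set_status(self, name: str, status: Heartbeat) -> None:
        self.endpoints[name].status = status
        self.redistribute()

    def on_ips_detection(self, name: str) -> None:
        """An IPS hit attributed to the endpoint drives its heartbeat to RED."""
        self.set_status(name, Heartbeat.RED)

    def on_cleanup(self, name: str) -> None:
        self.set_status(name, Heartbeat.GREEN)


def demo() -> dict[str, bool]:
    """Walk through infection, isolation, exclusion and recovery; return the observed decisions."""
    ws1, ws2 = Endpoint("ws1", "10.0.1.11"), Endpoint("ws2", "10.0.1.12")
    srv = Endpoint("fileserver", "10.0.1.50")
    fw = Firewall([ws1, ws2, srv], excluded={"fileserver"})
    lan_to_wan = FirewallRule("LAN_to_WAN", frozenset({Heartbeat.RED, Heartbeat.YELLOW}))

    out = {"healthy_peer_ok": ws1.accepts_frame(ws2.ip)}
    fw.on_ips_detection("ws2")                       # ws2 turns RED
    out["red_peer_dropped"] = ws1.accepts_frame(ws2.ip)
    out["red_wan_denied"] = lan_to_wan.permits(ws2)
    fw.set_status("fileserver", Heartbeat.YELLOW)    # excluded host degrades
    out["excluded_peer_still_reachable"] = ws1.accepts_frame(srv.ip)
    out["excluded_wan_denied"] = lan_to_wan.permits(srv)  # rule still applies
    fw.on_cleanup("ws2")                             # back to GREEN
    out["restored"] = ws1.accepts_frame(ws2.ip)
    return out


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The model separates the two enforcement points the text describes: the firewall rule governs traffic that traverses XG Firewall, while the pushed ignore list governs peer-to-peer traffic inside a broadcast domain that the firewall never sees. Note that an exclusion only removes a host from peer isolation; a rule denying RED or YELLOW sources still applies to it.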

Source and Credits: Sophos

To keep up with cyber-security issues, news highlights, and other stuff, join me on Twitter.

Copyright 2017, TresW