Sophos Cloud Optix Proof Of Concept Guide



Sophos Cloud Optix: Proof of Concept Guide

Contents

INTRODUCTION 4
  Overview 4
  How does Cloud Optix work? 4
  Signing up for a Cloud Optix trial account 5
  Logging into Cloud Optix for the first time 5
INITIAL DEPLOYMENT AND ADMINISTRATION 6
  Confirming successful environment connections 7
  Reviewing main dashboard features 9
  Checklist 10
VISIBILITY 11
  Inventory section 12
  Checklist 15
  Topology section 16
  Show inferred databases 20
  Checklist 21
CONTINUOUS SECURITY AND COMPLIANCE 22
  Compliance summary dashboard 23
  Policies 23
  Checklist 26
  Reports 27
  Checklist 29
RESPONSE 30
  Guardrails 32
  Checklist 33
  Alerts correlation and remediation 33
  Alert types 37
  Checklist 40
PROOF OF CONCEPT TESTING FRAMEWORK 41
  Day one activities 41
  Day two-ten activities 42
  Day 10-20 activities 43
DAY 30 PROOF OF CONCEPT REVIEW 43

Introduction

This guide has been designed to help customers get the most out of their Cloud Optix POC testing. In this guide, we'll provide a brief overview of Cloud Optix, define its three-pronged approach to security and compliance in the public cloud, and detail suggested configuration options to show the true value of the solution.

At the end of the guide we've also included a suggested testing framework which can be used by Sophos Sales Engineer and partner teams to help customers test during the 30-day trial period.

For more information on Cloud Optix or to view resources such as guides, datasheets, videos, whitepapers, and an FAQ, please visit the Cloud Optix landing page at aspx. For any questions on this guide or for sales or technical questions, please reach out to the Sophos Public Cloud team using our team alias publiccloud@sophos.com.

Overview

Sophos Cloud Optix is an AI-powered, next-generation cloud infrastructure security platform. It delivers continuous security monitoring, compliance, analytics, and remediation across multiple public cloud accounts and multiple public cloud platforms.

How does Cloud Optix work?

Sophos Cloud Optix is an agentless SaaS solution that integrates with customer cloud infrastructure accounts using the native cloud provider APIs, logs, and cloud services. Information from these sources is used to provide the customer with a detailed inventory of all assets in the cloud account and an intuitive topological view of the environment's architecture and traffic flows. This information is also matched against both out-of-the-box and customer-created policies to provide ongoing security and compliance assessments, which then result in configurable alerts and auditor-ready reports. The solution also features integrations with third-party operations and security team tools such as Jira and Splunk, and allows for proactive scanning of developer-provided Infrastructure as Code templates sourced from locations such as GitHub, Terraform, and Bitbucket.

Signing up for a Cloud Optix trial account

Cloud Optix trial accounts are available for 30 days and provide access to the full functionality available in the solution. Trials are easy to start, do not require the installation of any software, and by default use 'Read Only' access to safely and securely gather information from customers' AWS, Azure, or GCP environments. If you have not yet started your 30-day free trial of Cloud Optix, please visit https://sophos.com/cloud-optix and click on any free trial link in this area.

Logging into Cloud Optix for the first time

Once signed up for a Cloud Optix account, customers will log in to their management console using the Cloud Optix console URL: https://optix.sophos.com.

Initial deployment and administration

This section should help you understand the value of Cloud Optix features as they relate to multi-account and multi-cloud environments, and demonstrate how Cloud Optix administrative features can help with day-to-day management of the overall cloud infrastructure's security posture. Some questions to consider:

1. What type of cloud accounts are in use across the organization: AWS, Azure, GCP?
2. Is Kubernetes being used currently, or does the organization have plans to use it to help orchestrate and manage their containers?
3. How easy is it to determine when changes are being made to these environments, and what those changes are?
4. Is just a single team responsible for deploying, managing, securing, and ensuring compliance of workloads deployed into the cloud? Or do multiple teams participate in these activities?

Upon initial login, the Cloud Optix console will be empty; connections to cloud environments are required before Cloud Optix can start showing its value. It's suggested that multiple cloud environments be configured, using multiple cloud providers, so that you can see the value provided by the single pane of glass view.

Detailed information on adding each environment type, as well as how Cloud Optix gathers its data and what permissions are needed, is available in the Cloud Optix help documentation, which can be accessed by clicking on the inline 'Help' icon located in the upper right corner of the Optix console, or by navigating directly to the URL .html.

Confirming successful environment connections

Once environments are added, Cloud Optix begins the process of syncing and running an initial security check or assessment using the built-in policies found in the Compliance section. To ensure that the connection has succeeded, and that both the 'API Sync' and 'Security Check' are functioning as expected, navigate to the Settings > Environments section to view the status of all connections. Click on the status link shown under the 'Operational Status' column to view the details about the connection.

Both the API Sync and Security Check indicators should show success, though it will typically take between 15 and 30 minutes for the first success notifications to appear.

Note that on the far right of your environment connection there are two icons. The trashcan icon is used to delete your environment. The pencil icon is used to edit it.

Editing your environment allows you to change the Optix account name and the API and Security Check scan period, and it also allows you to provide additional permissions to Cloud Optix. These additional permissions are needed if you wish to give Cloud Optix the ability to remediate issues for you, either manually or automatically. Those options are described in more detail in later sections.

Reviewing main dashboard features

Once a cloud environment connection has been configured, it will usually take between 15 and 30 minutes for information to start populating the Cloud Optix console. Once information appears, you can use it to start familiarizing yourself with the easy-to-use main dashboard, which features filter and search options, alert summary information, quick links to common administrative tasks, change log information, a compliance status indicator, and a top alerts summary. While waiting, you may want to review the short videos available on the Cloud Optix home page, as they contain useful information on Cloud Optix capabilities as well as an explanation of the public cloud shared security model.

Checklist

Please read the below checklist and ensure that all items have been reviewed. Each item gives the description of the task and the value provided; mark it complete once done.

1. Successfully add cloud account(s).
   Value provided: single pane of glass view across all cloud environments.
2. Review Dashboard > Changes in your environments; note values for new, modified, and deleted; review for hosts, networks, users, and storage.
   Value provided: quick summary highlights the most important items to look at first in terms of security, compliance, and changes to environments.
3. Filter on different time periods.
   Value provided: view posture at different time periods to gauge progress or to support incident investigation.
4. Filter on one or more cloud environments.
   Value provided: different teams may be responsible for different cloud accounts/providers.
5. Review quick links in the 'What do you need to do?' section.
   Value provided: intuitive UI eases administration.
6. Review search box options.
   Value provided: quickly find resources using intelligent search options.

Visibility

Visibility is one of the greatest challenges in cloud security. It's common for customers to deploy workloads in multiple accounts across multiple cloud providers, and it is often difficult to determine how the hosts supporting applications are connected to each other and to the public internet.

The dynamic nature of the cloud, along with the ease with which resources can be deployed, makes it difficult to determine where assets are deployed, how many there are, whether they're in use and still needed, and who may be using them. As cloud usage grows, security hygiene is critical to ensuring that an organization is not left open to attack due to unused or improperly secured assets. Some questions to consider while exploring these features are:

1. What does your organization currently do to enforce security hygiene across all its cloud environments?
   a. Do you audit how deployed hosts are connected to each other and to the public internet?
   b. Do you track and delete unused security groups to reduce the attack surface?
   c. Do you audit storage buckets to ensure they're both private and encrypted, to avoid data exploits?
   d. Do you audit IAM users to identify changes being made, ensure MFA is used, and ensure access keys are properly rotated according to best practices?
   e. Do you have good visibility into the use of emerging technology, such as serverless and container services, across your cloud accounts?
2. Are you able to easily view all changes made across all accounts to spot issues and errors that could result in security incidents?
3. What tools does the organization use to visualize network topology?
4. How do you verify both real-time and potential traffic patterns?
5. How easy is it for the organization to produce accurate and up-to-date network drawings for internal or external auditors?

Inventory section

Navigate to the 'Inventory' section of Optix to view the default high-level aggregated view of all currently deployed assets across connected cloud environments. Use this section to immediately identify possible security issues, including misconfigurations and unused security groups, which will be color-coded red.

Drill down into asset types for full information showing where each asset is located and all identifying information, including account details, any tags, and who last touched it. For example, the below screenshot shows how we can look at just AWS accounts, and filter just on 'stopped' hosts. As part of our security hygiene exercise, we can reach out to the person that last touched this instance to see if it is still needed. If not, perhaps it makes sense to remove it.

Navigating to the Networks > Security Groups section gives us another example of how we can use the Cloud Optix filters to identify unused resources. In this example we're looking at unused Security Groups. Note that the Security Group view also provides an option to manually remove unused Security Groups directly from the Optix console. To use this feature, you must first grant the additional remediation rights described in the inline help and mentioned during the initial environment onboarding discussion.

Navigating to the Networks section shows us all the information related to our cloud networks, in an easy-to-understand view. Again, red color-coding highlights areas of interest. In the below example, we can see that Cloud Optix has identified the Security Groups assigned to this network as potentially containing a security issue.

Drilling down further, we can see that the problem is that the rules are configured to allow all port 22 access from any network (0.0.0.0/0). Now, there may be valid reasons to have that sensitive port open to the entire internet, but it is something that should be looked at more closely. To help with that, Cloud Optix provides additional tools, such as a link to the associated network diagram, and the ability to view any outgoing traffic associated with this network. We'll talk a bit more about how those features can help with security as we continue exploring the functionality.
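The two hygiene checks just described (unused security groups in the Networks > Security Groups view, and rules that admit a sensitive port such as 22 from any network) can be reproduced outside the console. The Python below is an added example, not Cloud Optix code: it runs against constructed data whose shape mimics the AWS EC2 DescribeSecurityGroups and DescribeNetworkInterfaces responses. The list of sensitive ports and the exclusion of the provider 'default' group are assumptions to tune per organization, and the check generalizes the page's port-22 case to a set of sensitive ports and to IPv6 ::/0 sources.

```python
"""Security group hygiene: unused groups and sensitive ports open to the world.

Added example, not Cloud Optix code. The dictionaries below mimic the shape of
the AWS EC2 DescribeSecurityGroups / DescribeNetworkInterfaces responses, but
every value is constructed for illustration."""
from ipaddress import ip_network
from typing import Dict, List, Tuple

# Assumption: ports an organization would not normally expose to the whole internet.
SENSITIVE_PORTS: Dict[int, str] = {
    22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL", 27017: "MongoDB",
}


def rule_is_world_open(perm: dict) -> bool:
    """True if the inbound permission admits any source (0.0.0.0/0 or ::/0)."""
    v4 = (ip_network(r["CidrIp"], strict=False).prefixlen == 0 for r in perm.get("IpRanges", []))
    v6 = (ip_network(r["CidrIpv6"], strict=False).prefixlen == 0 for r in perm.get("Ipv6Ranges", []))
    return any(v4) or any(v6)


def sensitive_ports_in_rule(perm: dict) -> set:
    """Sensitive ports covered by the permission; protocol -1 means all ports."""
    if perm.get("IpProtocol") == "-1":
        return set(SENSITIVE_PORTS)
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return set()
    return {p for p in SENSITIVE_PORTS if lo <= p <= hi}


def find_world_open_sensitive(groups: List[dict]) -> List[Tuple[str, int, str]]:
    """(group id, port, service) for every sensitive port reachable from anywhere."""
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            if rule_is_world_open(perm):
                for port in sorted(sensitive_ports_in_rule(perm)):
                    findings.append((g["GroupId"], port, SENSITIVE_PORTS[port]))
    return findings


def find_unused_groups(groups: List[dict], interfaces: List[dict]) -> List[str]:
    """Groups attached to no network interface: the console's 'unused' filter.
    The provider 'default' group is skipped (assumption: it is not a clean-up
    candidate because the provider does not allow deleting it)."""
    in_use = {sg["GroupId"] for eni in interfaces for sg in eni.get("Groups", [])}
    return sorted(g["GroupId"] for g in groups
                  if g["GroupId"] not in in_use and g["GroupName"] != "default")


# Constructed sample: one web group, one bastion open to the world on 22,
# one internal DB group, and one forgotten 'allow everything' group nobody uses.
SECURITY_GROUPS = [
    {"GroupId": "sg-0a1", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-0b2", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-0c3", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    ]},
    {"GroupId": "sg-0d4", "GroupName": "legacy-all", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]
NETWORK_INTERFACES = [
    {"NetworkInterfaceId": "eni-1", "Groups": [{"GroupId": "sg-0a1"}]},
    {"NetworkInterfaceId": "eni-2", "Groups": [{"GroupId": "sg-0b2"}, {"GroupId": "sg-0c3"}]},
]

if __name__ == "__main__":
    for gid, port, svc in find_world_open_sensitive(SECURITY_GROUPS):
        print(f"{gid}: {svc} ({port}) reachable from any address")
    print("unused groups:", find_unused_groups(SECURITY_GROUPS, NETWORK_INTERFACES))
```

The unused group here is also the most permissive one, which is the usual way such groups become a problem: nothing is attached today, but the next engineer who picks it from the drop-down inherits an all-ports rule.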

Checklist

Please read the below checklist and ensure that all items have been reviewed. Each item gives the description of the task and the value provided; mark it complete once done.

1. Review the Inventory main page and confirm summary info shows for all connected accounts.
   Value provided: quickly summarizes all deployed cloud assets and resources in a single view.
2. Review hosts with public access. Click on 'Public' (if there are none, skip); confirm that a list of hosts is displayed, showing all metadata.
   Value provided: color coding identifies possible misconfigurations and/or security issues.
3. Select a host, expand it using the expand icon, and confirm description details and any tags are displayed.
   Value provided: full detail on a resource can be used to provide context and aid in understanding how it may impact security.
4. Click on 'Stopped' to identify if any hosts are launched but not being used.
   Value provided: stopped hosts may no longer be needed. Cleaning up can remove attack surface and possibly reduce costs.
5. Select a host and confirm the last icon under View at the far right is not greyed out. Click on this to review outbound traffic data such as source, outgoing IP addresses, and port.
   Value provided: easily viewing outgoing traffic aids with security investigations and troubleshooting.
6. Click on Inventory > Networks > Security Groups and click on Unused Security Groups.
   Value provided: unused Security Groups can sometimes become attack vectors. Also, providers by default limit the number of resources allowed; remove unused assets to avoid bumping up against limits that may impact deployments.
7. Review assets/workloads/services with direct connectivity to the internet, including other assets such as storage accounts and SQL servers, for public connectivity.
   Value provided: quickly identify assets that may be vulnerable to port scans or direct attacks, to gain a full picture of the attack surface across all accounts.
8. Navigate to Inventory > IAM > AWS Users and confirm whether any users are listed under 'MFA Disabled'.
   Value provided: identify and control user login behavior to ensure it is secure and in line with GRC policies.
9. Review IAM Access Key creation information to see if it's in line with security standards.
   Value provided: regular key rotation is highly recommended to avoid security issues.
10. Click on Inventory > Activity Logs to review the information provided on changes.
   Value provided: aggregated change information is available to help with troubleshooting and issue investigation.
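Items 8 and 9 of the checklist (users listed under 'MFA Disabled', and access key creation age against a rotation standard) are the kind of review an IAM credential report supports. The Python below is an added example, not Cloud Optix code: it audits a constructed report whose column names follow the AWS IAM credential report, with a fixed 'now' and a 90-day rotation threshold as assumptions.

```python
"""IAM hygiene: console users without MFA and stale access keys.

Added example, not Cloud Optix code. The CSV mimics the column names of the
AWS IAM credential report, but every row is constructed; the fixed 'now' and
the 90-day rotation threshold are assumptions."""
import csv
from datetime import datetime, timezone
from io import StringIO
from typing import List, Optional, Tuple

MAX_KEY_AGE_DAYS = 90
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed so results are reproducible

# Constructed rows. The root row shows 'not_supported' for password_enabled,
# as the real report does; the other users are invented.
CREDENTIAL_REPORT = """\
user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,not_supported,false,false,N/A,false,N/A
alice,true,true,true,2024-05-20T00:00:00+00:00,false,N/A
bob,true,false,true,2023-11-01T00:00:00+00:00,false,N/A
ci-deployer,false,false,true,2024-01-15T00:00:00+00:00,true,2024-04-01T00:00:00+00:00
"""


def parse_ts(value: str) -> Optional[datetime]:
    """The report uses N/A or no_information where there is no timestamp."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv: str, now: datetime = NOW,
                            max_key_age_days: int = MAX_KEY_AGE_DAYS
                            ) -> List[Tuple[str, str, Optional[int]]]:
    """Return (user, finding, key_age_days) tuples."""
    findings = []
    for row in csv.DictReader(StringIO(report_csv)):
        user = row["user"]
        # Root always has a console login even though the report says not_supported.
        login_enabled = row["password_enabled"] == "true" or user == "<root_account>"
        # Console login without an MFA device: the 'MFA Disabled' inventory filter.
        if login_enabled and row["mfa_active"] != "true":
            findings.append((user, "mfa_disabled", None))
        # Active keys older than the rotation standard, or whose age is unknown.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            age = (now - rotated).days if rotated else None
            if age is None or age > max_key_age_days:
                findings.append((user, f"access_key_{n}_stale", age))
    return findings


if __name__ == "__main__":
    for user, finding, age in audit_credential_report(CREDENTIAL_REPORT):
        print(f"{user:15} {finding:20} {'' if age is None else f'{age} days'}")
```

Service users such as ci-deployer have no console password, so they do not appear under the MFA finding; their risk is the key age, which is why both checks belong in the same review.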

Topology section

It's often very difficult for administrators to determine what their cloud architecture looks like, how systems interconnect, and what traffic is traversing their environments. Without this type of view, it is very challenging to understand network traffic flows and determine whether you may have assets which are exposed unnecessarily.

This type of view can also be useful when trying to determine where it may make sense to install additional security to build protection layers, something recommended by cloud providers depending on the sensitivity of the workload. Examples of a protection layer include third-party security solutions such as web application firewalls (WAF), next-gen firewalls, and host security agents.

Up-to-date network diagrams are also sometimes required by compliance auditors or internal security teams. Cloud Optix provides this architectural view of cloud networks and hosts in the Topology section, which can be accessed directly from the left side menu, or from the Inventory > Diagram icons shown in the earlier screenshot.

Navigating directly to the Topology section will default to showing one of your AWS environments. This view can be changed by selecting another environment and/or cloud provider. The default view will show details on the cloud network name and ID, and indicate if there are running hosts. This view will also show any peer connections configured between cloud networks. Forgotten or unknown peering is a common type of misconfiguration which is often difficult to spot, but which should be addressed as part of proper security hygiene. Unknown connections between networks can lead to security issues or cause problems during security and compliance audits. Below is an example from the default AWS environment, but the same options shown are also available for both Azure and GCP.

Clicking into any shown network provides a visual of the network hosts, traffic flows, and resource details, and provides an option to export the image, which can be used for audits or for internal documentation purposes.

Changing Topology view options is another important capability to explore. The default setting, Traffic, shows actual traffic flows based on ingested log information.

Potential traffic flows can be seen by changing the view to the Security Group setting. This can be seen by comparing the two views below. On the left, you can see that we have chosen the Traffic view and made sure to click on the Internal Traffic button. That view then shows various real-time traffic flows, as highlighted by the red arrows.

Real-time traffic flow info is very useful to have, but note that if we then change the setting to Security Group as shown below, we then have possible traffic flows shown, as indicated by the red arrow pointing to the host in the middle of the picture. What that is highlighting is that even though there is no current traffic, that host has a connection to the public internet, something we would want to get more information on.

Clicking on the host we're interested in allows us to drill down further to get more useful information. In this case, what we can see is that the host is allowing traffic inbound on standard web ports, and the tag info shows that it's an IIS server.

This could be an example of how we could determine the need for the additional levels of protection mentioned earlier. In this case, it may make sense to look at putting a WAF in place to protect this IIS server. Note also that the details provided include information on not only the open ports, but also on any detected outgoing traffic.

As this server is set up to receive traffic, outgoing traffic would be something we would want to better understand, as it could indicate malicious activity such as data exfiltration. Of course, any traffic shown may be valid and related to something like software updates; in either case, it's something the security teams would likely be interested in understanding.

Show inferred databases

The Topology feature also has another valuable option which can help identify high-value workloads. This feature is turned on by clicking the button labeled 'Show Inferred DBs', which is located at the top of the network diagram.

Clicking this button will show any hosts which have been identified as running database applications. Databases are considered high-value targets for attack, and so it is very useful to know which hosts may be potential targets so you can consider options for providing additional protection. This is another example of where a customer may benefit from installing additional protection layers; in this case, something like a next-gen firewall could be used to 'hide' the database host from potential attackers, or an inline IPS could help identify and block attacks against the known DB ports used by the application.

In the screenshots below we can see on the left side that, without this feature enabled, the two hosts shown on the left appear the same, and it would be up to the administrator to properly tag the resources to help highlight what they do. With the Show Inferred DBs option enabled, we can quickly spot which is the high-value host that may benefit from additional protection.
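The Traffic and Security Group views described above, and the Show Inferred DBs option, both come down to comparing what the security groups allow with what the flow logs actually show. The Python below is an added example, not Cloud Optix code, over a constructed VPC (four hosts, simplified inbound rules, and a few VPC flow log records in the default field order); the VPC CIDR, the DB port table, and the rule that 'outside the VPC' means the internet are assumptions.

```python
"""Potential versus actual traffic, plus inferred database hosts, for one
constructed VPC. Added example, not Cloud Optix code: the hosts, simplified
inbound security group rules, VPC CIDR, DB port table and flow log records
are all constructed for illustration."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

VPC_CIDR = ip_network("10.0.0.0/16")  # assumption: any source outside it is 'the internet'

# private IP -> (host name, attached security groups)
HOSTS = {
    "10.0.1.10": ("web-1", ["sg-web"]),
    "10.0.1.11": ("web-2", ["sg-web"]),
    "10.0.2.20": ("app-1", ["sg-app"]),
    "10.0.3.30": ("data-1", ["sg-data"]),
}
# group -> inbound rules as (from_port, to_port, source CIDR or group id)
SG_RULES = {
    "sg-web": [(80, 80, "0.0.0.0/0"), (443, 443, "0.0.0.0/0")],
    "sg-app": [(8080, 8080, "sg-web")],
    "sg-data": [(5432, 5432, "sg-app"), (5432, 5432, "0.0.0.0/0")],  # second rule is the slip
}
DB_PORTS = {3306: "MySQL", 5432: "PostgreSQL", 1433: "MSSQL", 27017: "MongoDB", 6379: "Redis"}

# Constructed VPC flow log records in the default field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
FLOW_LOG = """\
2 123456789012 eni-web1 203.0.113.5 10.0.1.10 51234 443 6 10 8000 1717200000 1717200060 ACCEPT OK
2 123456789012 eni-web1 10.0.1.10 10.0.2.20 40000 8080 6 8 4000 1717200000 1717200060 ACCEPT OK
2 123456789012 eni-app1 10.0.2.20 10.0.3.30 41000 5432 6 20 16000 1717200000 1717200060 ACCEPT OK
2 123456789012 eni-web2 198.51.100.7 10.0.1.11 44444 22 6 1 60 1717200000 1717200060 REJECT OK
"""

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport protocol "
          "packets bytes start end action log_status").split()


def parse_flow_log(text: str) -> List[dict]:
    records = []
    for line in text.splitlines():
        if line.strip():
            rec = dict(zip(FIELDS, line.split()))
            rec["dstport"] = int(rec["dstport"])
            records.append(rec)
    return records


def world_open_ports(group_ids: List[str]) -> set:
    """Ports the host's groups admit from any source: the 'Security Group' view."""
    ports = set()
    for gid in group_ids:
        for lo, hi, src in SG_RULES.get(gid, []):
            if src in ("0.0.0.0/0", "::/0"):
                ports.update(range(lo, hi + 1))
    return ports


def potential_vs_actual(records: List[dict]) -> List[Tuple[str, List[int], List[int]]]:
    """For each internet-reachable host: (name, ports allowed from anywhere,
    ports actually reached from outside the VPC). An empty third element is the
    case the guide highlights: exposed, but no traffic seen yet."""
    reached: Dict[str, set] = {}
    for r in records:
        if r["action"] == "ACCEPT" and ip_address(r["srcaddr"]) not in VPC_CIDR:
            reached.setdefault(r["dstaddr"], set()).add(r["dstport"])
    result = []
    for ip, (name, groups) in HOSTS.items():
        allowed = world_open_ports(groups)
        if allowed:
            result.append((name, sorted(allowed), sorted(reached.get(ip, set()))))
    return result


def inferred_db_hosts(records: List[dict]) -> Dict[str, str]:
    """Hosts accepting traffic on a well-known database port."""
    found = {}
    for r in records:
        if r["action"] == "ACCEPT" and r["dstport"] in DB_PORTS and r["dstaddr"] in HOSTS:
            found[HOSTS[r["dstaddr"]][0]] = DB_PORTS[r["dstport"]]
    return found


if __name__ == "__main__":
    recs = parse_flow_log(FLOW_LOG)
    for name, allowed, seen in potential_vs_actual(recs):
        note = "" if seen else "  <- exposed with no observed traffic"
        print(f"{name}: allowed from internet {allowed}, reached {seen}{note}")
    print("inferred DB hosts:", inferred_db_hosts(recs))
```

Here data-1 is the host the Traffic view would never flag: its only observed inbound flow is from app-1, yet the Security Group view shows it reachable from anywhere on 5432, and the inferred-DB check marks it as the high-value host in the same pass.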

Checklist

Please read the below checklist and ensure that all items have been reviewed. Each item gives the description of the task and the value provided; mark it complete once done.

1. Navigate to the Topology section and review for any peer connections between networks. Make sure to review all environments and cloud providers.
   Value provided: ensuring that all network connections are known and validated can help avoid accidental data exposure and other security incidents.
2. Drill down into each VPC/VNet; review traffic flows and compare to Security Group settings to identify instances online but not receiving or sending traffic.
   Value provided: a proper understanding of actual and potential traffic flows can help ensure proper security and saves time when investigating issues and troubleshooting problems.
3. Click the 'Internal Traffic' radio button and review internal host connections.
   Value provided: understanding how internal hosts are connecting to each other helps avoid east/west traffic exploits.
4. Drill down into each host and review resource details.
   Value provided: provides an understanding of what IPs and ports each host is connecting to and using.
5. Identify hosts connected to the internet and review Resource Details to identify potential misconfigurations and/or areas where additional security may be needed.
   Value provided: layered security is often recommended to provide adequate protection to high-value resources.
6. Click on the 'Show Inferred DBs' button to identify high-value instances.
   Value provided: identifying high-value instances can be difficult.
7. Export the topology diagram as an image by clicking on the landscape icon.
   Value provided: always up-to-date network diagrams can be provided on demand to auditors.

Continuous security and compliance

Security in the cloud is a shared responsibility: the cloud provider ensures the cloud itself is secure, while it is up to the customer to ensure that they have properly secured anything they put into the cloud, such as data or applications. The idea is that the customer should provide the level of protection they need based on their own governance, risk, and compliance standards. The cloud providers do provide a range of security options and tools to help customers secure their environments and assets, and provide guidance on proper usage via various best practice documents and governance whitepapers.

The main problem facing most organizations is that following this guidance can be difficult due to the amount of information that must be consumed. Properly configuring any of the offered services, or defining what type of baseline security governance to use, often requires some cloud security expertise. On top of that, many if not most organizations today operate in multiple clouds. So even if a customer has gained security expertise in one cloud, that knowledge often does not directly translate to other clouds, as the services and options are often a bit different.

Organizations also need to understand how the various cloud security controls and services map to external compliance standards, such as GDPR, HIPAA, and PCI. Altogether, cloud security and compliance can be very daunting, especially as the dynamic nature of the cloud means that things are always changing, requiring constant attention. Some questions to consider while exploring the Cloud Optix Continuous Compliance features are:

1. What kind of security governance does your organization follow: CIS Benchmark, SOC2, ISO 27001, other?
2. Do you need to follow any external compliance regulations, such as PCI, HIPAA, or GDPR?
3. Does the organization require proof of compliance for internal or external auditors?
4. Do you have the proper tools needed to measure progress over time?
5. How do you determine which hosts in your environments are in scope for compliance regulations?

6. How cumbersome is it for your organization to create compliance and security reports that focus on what's important, such as production systems, and filter out extraneous information such as dev/test servers or environments?

Compliance summary dashboard

The Report Summary dashboard is displayed when you first click on the Compliance menu option. This section provides a high-level view of the customer's Governance, Risk and Compliance (GRC) status, based on the results of all policies enabled on the system. This section is very useful in determining progress over time in addressing security and compliance related issues identified by Optix. The default view aggregates the results based on all environments and cloud providers, but that can be modified as needed to provide different views to different team members.

Policies

Cloud Optix is provided with out-of-the-box security and compliance policies that continually assess a customer's cloud environments. The built-in policies provide a customer with an initial assessment of their security and compliance posture not long after an environment has been configured in the Cloud Optix console. They will then be used on a continuous basis unless disabled. These built-in policies cover standards such as CIS benchmarks, ISO 27001, and SOC2, as well as compliance standards such as HIPAA, PCI, and GDPR.

You can use these policies as a starting point to look at how well they match up to your desired controls. To reduce noise and help focus on what's important to the customer, it's suggested that you disable any policies that may not be applicable. For example, below we have filtered on just AWS-related policies, and have chosen to assess our environments against Sophos best practices, CIS Benchmarks, SOC2, GDPR, and PCI. All other policies have been disabled so that we can focus our assessment efforts on these standards.

Policies map rules to specific provider services, summarizing what needs to be done to be compliant, and include supporting information and a default severity level which can then be used by teams assigning priority to issue resolution. This functionality not only helps an organization with their compliance issue handling, but also helps the teams responsible learn more about the provider services used. In the example below, we can see how proper AWS security group configuration is needed to ensure that PCI Requirement 1.2 is adhered to.

If unfamiliar with AWS controls, you may have a difficult time understanding what's needed, and then may not have an easy way to identify what assets are affected in order to fix any issues. With Cloud Optix policies, this is all done for the customer, and on a continuous basis to protect against any changes in the environment.

Custom policies are another important tool which can help administrators reduce noise so that they can focus on what is important to them. Cloud environments offer great flexibility to development and test teams, who can easily deploy applications and hosts as needed. And while it is important to ensure that these hosts and the networks they reside in are secure, customers may want to limit their compliance scope to just the production assets when running reports related to external compliance. To help with that, Cloud Optix includes the ability to create custom reports which can then be applied to specific environments, or to specific assets based on tags.

Custom policies can be created from scratch, or an out-of-the-box policy can be customized and saved. In both cases, customers can choose a custom name and choose an existing compliance tag or create a new one, which can then be used when filtering alerts.

Checklist

Please read the below checklist and ensure that all items have been reviewed. Each item gives the description of the task and the value provided; mark it complete once done.

1. Review the out-of-the-box policies; note the provider, total rules, author, updated on, enable status, and action values.
   Value provided: out-of-the-box policies provide an immediate assessment of cloud environments.
2. Identify any policies that are not applicable and disable them.
   Value provided: the ability to enable/disable cuts down on noise and provides focus based on the individual organization's needs.
3. Choose any policy and click on Name to view details; expand sub-sections and rules to view details.
   Value provided: policies map provider controls to standards requirements, saving time and effort. Clear rule details provide the information needed to educate teams on requirements and standards.
4. Return to the list of policies in order to customize the specific policy; click on the Customize button for the policy.
   Value provided: customized policies give organizations an easy way to tailor for their environment. Customized policies help with incident prioritization and handling, and can limit policy scope to only desired resources (e.g. just production hosts).

Reports

Each enabled policy on Cloud Optix will produce corresponding reports, which are available in the Compliance > Reports section. The reports are produced continuously, as they are created each time a security scan is done.

Reports feature a few options that a customer should be aware of. They can be viewed in the Optix console, they can be exported in both PDF and Excel formats, and the entire history of all generated reports can be viewed.

Viewing a report provides us with detailed information on which rule checks have passed and which have failed. In both cases, Optix will group all affected resources or assets together to help reduce the overall number of issues that teams must deal with. This focus on reducing 'noise' can be very beneficial to teams tasked with resolving issues. Note too that at the bottom of the information shown in the 'Affected Resources' column, there is a link for 'more details.'
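The three ideas from the Policies and Reports sections (rules mapped to a provider service with a control label and default severity, custom policies scoped to a subset of assets by tag, and reports that group affected resources per rule) can be sketched as a small policy engine. The Python below is an added example, not Cloud Optix code; the rules, resources, tag scope and the STOR-1 control label are constructed, and the PCI Requirement 1.2 label reuses the security group mapping the guide's own example describes.

```python
"""Policy-as-code sketch: rules mapped to controls, scoped by tag, with
per-rule grouping of affected resources. Added example, not Cloud Optix
code; all resources, rules and the STOR-1 control label are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Rule:
    rule_id: str
    title: str
    control: str                   # requirement the rule maps to
    severity: str                  # default priority for the remediation team
    resource_type: str
    check: Callable[[dict], bool]  # True when the resource passes


@dataclass
class Policy:
    name: str
    rules: List[Rule]
    scope_tags: Dict[str, str] = field(default_factory=dict)  # empty scope = everything


def check_no_world_ssh(sg: dict) -> bool:
    """Pass unless an ingress rule admits port 22 from 0.0.0.0/0."""
    return not any(r["port"] == 22 and r["source"] == "0.0.0.0/0" for r in sg["Ingress"])


def check_bucket_private_encrypted(bucket: dict) -> bool:
    return not bucket["Public"] and bucket["Encrypted"]


def in_scope(resource: dict, scope_tags: Dict[str, str]) -> bool:
    """Tag filter used by custom policies (e.g. Environment=production only)."""
    tags = resource.get("Tags", {})
    return all(tags.get(k) == v for k, v in scope_tags.items())


def run_policy(policy: Policy, resources: List[dict]) -> Dict[str, dict]:
    """Evaluate every rule; failures are grouped per rule, as in the report view."""
    report = {}
    for rule in policy.rules:
        candidates = [r for r in resources
                      if r["Type"] == rule.resource_type and in_scope(r, policy.scope_tags)]
        failed = [r["Id"] for r in candidates if not rule.check(r)]
        report[rule.rule_id] = {
            "title": rule.title, "control": rule.control, "severity": rule.severity,
            "status": "FAIL" if failed else "PASS",
            "checked": len(candidates), "affected": failed,
        }
    return report


def summarize(report: Dict[str, dict]) -> Dict[str, int]:
    """Pass/fail counts of the kind a compliance summary dashboard aggregates."""
    summary = {"PASS": 0, "FAIL": 0}
    for entry in report.values():
        summary[entry["status"]] += 1
    return summary


RULES = [
    Rule("SG-1", "No SSH open to the world", "PCI DSS Requirement 1.2",
         "High", "SecurityGroup", check_no_world_ssh),
    Rule("STOR-1", "Storage private and encrypted", "Constructed internal control STOR-1",
         "Medium", "StorageBucket", check_bucket_private_encrypted),
]
BASE_POLICY = Policy("All environments", RULES)
PRODUCTION_POLICY = Policy("PCI, production only (custom)", RULES[:1], {"Environment": "production"})

RESOURCES = [  # constructed inventory
    {"Id": "sg-prod-1", "Type": "SecurityGroup", "Tags": {"Environment": "production"},
     "Ingress": [{"port": 22, "source": "0.0.0.0/0"}]},
    {"Id": "sg-prod-2", "Type": "SecurityGroup", "Tags": {"Environment": "production"},
     "Ingress": [{"port": 22, "source": "10.0.0.0/8"}]},
    {"Id": "sg-dev-1", "Type": "SecurityGroup", "Tags": {"Environment": "dev"},
     "Ingress": [{"port": 22, "source": "0.0.0.0/0"}]},
    {"Id": "bucket-prod-logs", "Type": "StorageBucket", "Tags": {"Environment": "production"},
     "Public": False, "Encrypted": False},
    {"Id": "bucket-dev-scratch", "Type": "StorageBucket", "Tags": {"Environment": "dev"},
     "Public": True, "Encrypted": False},
]

if __name__ == "__main__":
    for policy in (BASE_POLICY, PRODUCTION_POLICY):
        rep = run_policy(policy, RESOURCES)
        print(policy.name, summarize(rep))
        for rid, e in rep.items():
            print(f"  {rid} [{e['severity']}] {e['status']}: {e['affected']} ({e['control']})")
```

Running both policies over the same inventory shows the noise reduction the guide describes: the base policy lists sg-dev-1 alongside sg-prod-1, while the tag-scoped custom policy reports only the production group, and its 'checked' count records that sg-prod-2 was evaluated and passed.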

Clicking on the 'more details' link in a report will bring up a screen similar to what is shown below. As you can see, Cloud Optix provides detail on what the problem is, in wh
