Release Notes & News

Changes to Sophos Cloud Optix Standard

2022-05-01T22:59:00Z

Sophos Cloud Optix is available in two licenses, Cloud Optix Advanced and Cloud Optix Standard. Cloud Optix Standard is included in the following Intercept X Advanced for Server licenses: Intercept X Advanced for Server Intercept X Advanced for Serv...(read more)

Cloud Optix Now Available in the EU

2022-04-22T09:07:00Z

We’re delighted to announce that Sophos Cloud Optix is now available from our Sophos Central EU data center in Germany. New customers who choose Germany or Ireland as their hosting region for Sophos Central will now benefit from Cloud Optix in ...(read more)

Google Cloud Platform and Microsoft Azure Support for Sophos XDR now available

2021-12-14T14:50:00Z

Sophos Extended Detection and Response (XDR) now goes even further in the public cloud, adding Microsoft Azure (Azure) and Google Cloud Platform (GCP) activity logs alongside Amazon Web Services (AWS) – helping your security teams see the bigge...(read more)

Expansion of Sophos Cloud Workload Protection

2021-05-07T08:36:00Z

This release brings an exciting expansion to Sophos Cloud Workload Protection that sees Intercept X Advanced for Server incorporate CSPM with new Cloud Optix Standard capabilities. This addition extends protection beyond server workloads running in A...(read more)

Cloud Optix Container Security

2021-03-08T10:07:00Z

The latest release for Sophos Cloud Optix features a range of exciting enhancements, including container image scanning to prevent off-the-shelf container images from public registries introducing Operating System vulnerabilities into ...(read more)

Cloud Optix Latest IAM Security Controls and More

2021-01-25T15:30:00Z

Now identify and correct over-privileged AWS IAM users, groups and roles with Cloud Optix, plus much more with the latest Sophos Cloud Optix updates. January 2021 Azure inventory enhancement: App Service Plans: The Cloud Optix inventory now pr...(read more)

Identify Sophos Firewalls and workload protection on AWS

2020-12-07T11:04:00Z

Monitor Sophos cloud security Amazon Web Services deployments is now easier than ever with the latest enhancements to Sophos Cloud Optix cloud security posture management service. Sophos Firewalls Sophos XG Firewall and Sophos UTM provide web applic...(read more)

Free Tool: Cloud Security Posture Management

2020-10-07T07:14:00Z

Cloud Optix, the Sophos Cloud Security Posture Management tool protects Amazon Web Services, Microsoft Azure, and Google Cloud Platform environments. Continually monitoring cloud service configurations, detecting suspicious activity, insecure deploym...(read more)

Optimize AWS and Azure Spend with Cloud Optix

2020-10-07T06:43:00Z

The latest release for Cloud Optix, cost optimization now allows customers to efficiently monitor Amazon Web Services and Microsoft Azure cloud costs in a single console. Providing organizations with the ability to manage security, compliance, and sp...(read more)

AWS On-boarding: New Quick-start Setup

2020-07-27T10:34:00Z

Cloud Optix Quick-start is the new, and easiest way to get started with the core CSPM features of Cloud Optix to see value in just a few clicks.

This Quick-start setup is a partial deployment option to get you up and running with Cloud Optix quickly, without needing to run scripts or create additional resources in your AWS environment. Launching the new Quick-start CloudFormation template customers simply create a read-only IAM role to authorize Cloud Optix to pull data using AWS APIs.

Advanced features that require Cloud Optix to collect VPC Flow Logs and CloudTrail logs for analysis, are not supported by the Quick-start setup. To enable all features, use one of the full setup options available.

Learn more in the setup guide for Cloud Optix Quick-start for Amazon Web Services.

Cloud Optix new advanced search

2020-06-22T10:38:00Z

Search across Cloud Optix inventory data for hosts, containers, networks, storage services, IAM roles, and serverless functions, to investigate suspicious activity and insecure deployments, like never before.(read more)

Cloud Optix new asset inventory and threat investigation updates

2020-06-08T12:31:00Z

Over the second quarter of 2020, a host of great enhancements have been added to the Cloud Optix service to enable organizations to harden their cloud security posture for AWS, Azure and Google Cloud platform. Check out these latest updates below – all included with your existing Cloud Optix license.

Inventory and topology visualization updates

AWS Activity Logs visualization
In the Activity Logs section of the Inventory, for AWS, new activity logs visualizations allow you to easily analyse CloudTrail logs by geographic location to help investigate high risk events. The new graph views help to visualize pertinent information to help customers identify potential abnormalities:
- Geolocation of IP addresses from which CloudTrail events have been generated
- Geolocation of IP addresses that are trusted in Security Group rules
- Number of Public S3 buckets over time
- Number of EC2 instances (and Public EC2 instances) over time
- Number of EC2 instances in each AWS region (map view)
- Most active (top 10) IAM Users by number of CloudTrail events
- Top error types and top sources of errors
IAM Visualization enhancement (Lambda service)
IAM Visualization now include the AWS Lambda service to show IAM users, groups, and roles that have access to the Lambda service.
Visibility of NACLs from Topology Visualization
From the AWS Topology Visualization, customers can now see details of NACL rules for a sub-net. Click on the route-table icon for a sub-net, this will show a new Network ACL section in the right-hand panel. Click on the NACL ID link to open a modal with the NACL rule details.
Inventory Azure IoT Hubs
New "IoT Hub" tab now available in the Network section of the Azure inventory. This provides details of the customer's IoT Hubs and identifies any hubs that are using legacy TLS 1.0/1.1 encryption (soon to be deprecated by Azure).

Inventory of Azure Logic Apps
New "Logic Apps" tab now available in the Serverless section of the Azure inventory. This provides details of the customer's Logic Apps and identifies any in public mode.

Management and alerts

New email alerts
Customers can optionally choose to have Cloud Optix alerts sent via emails. This new capability is presented at the bottom of the 'Integrations' page. Email Alerts are off by default and can be configured by Super Admin users only.
Brandable reports for MSPs
Sophos Managed Service Provider Partners may now co-brand exportable PDF compliance reports for customers. This can be enabled for other types of account on-request.

Cloud Optix API enhancements

Cloud Optix Inventory API additions
Cloud Optix API now includes the ability to pull inventory information for serverless functions and containers
Multiple API keys for a single Cloud Optix account
Cloud Optix Super Admin users can now create multiple keys for the Cloud Optix API (previously one key per customer account).

Integration enhancements

Amazon SNS integration
Cloud Optix Amazon SNS integration now provides the environment's account name and ID as 'MessageAttributes' with each alert. This enables downstream filtering of alerts based on the environment (e.g. route alerts for a specific AWS account to a specific ticketing system).
Jira integration (test button)
The Jira integration page now provides a 'Test configuration' button to enable customers to test that their settings are correct, without having to wait for security alerts to generate new tickets to determine if the integration is configured correctly.

Cloud Optix April 2020 Feature Round-up

2020-04-02T15:06:00Z

Over the first quarter of 2020, a host of great enhancements have been added to the Cloud Optix service to enable organizations to harden their cloud security posture for AWS, Azure and Google Cloud platform. Check out these latest updates below – all included with your existing Cloud Optix license.

Container Security

Azure AKS support
Support for Azure Kubernetes Service (AKS) has now landed, adding to recent launches of Google’s managed Kubernetes Engine (GKE) in late 2019, and Amazon’s managed Elastic Kubernetes Service (EKS) in February 2020. This allows organizations to track container inventory and view complete topology visualizations.

CIS Certification

CIS Benchmarks certification for AWS, Azure, and GCP
Sophos Cloud Optix has now been certified by CIS (Center for Internet Security) to accurately assess AWS, Azure and GCP environments based on best practices for secure configuration.

Cloud Optix API Enhancements

New GET APIs for environments, hosts and user inventory
The Cloud Optix REST API can now be used to fetch inventory information (Environments, Hosts and Users) for AWS, Azure and GCP Platforms. View Cloud Optix API documentation here

AWS and Azure Integrations

Amazon Inspector integration
Now view Amazon EC2 security findings detected by Amazon Inspector from Cloud Optix, including CVEs.

Starting on the Cloud Optix Host Inventory, a new “Amazon Inspector” filter is now available. This will filter the inventory list to show EC2 instances for which there are Amazon Inspector findings. Click the Inspector icon in the "Actions" column to view findings for the last assessment run for that EC2 instance.

While from the Network Topology Visualization page, a new "CVEs" filter allows customers to highlight EC2 instances that have CVEs discovered by Amazon Inspector, based on severity. Further details are presented in the right-hand column i.e. number of CVEs of each severity level, with links to see details of the CVEs on the findings page for the EC2 instance.
AWS IAM Access Analyzer integration
Visibility of cross-account and external access to AWS resources such as S3 buckets is now available via the cloud Optix console thanks to a new integration with the free AWS IAM Access Analyzer service. Go to Inventory > IAM > External Access (new tab). This further extends Cloud Optix IAM security monitoring announced earlier in 2020.
Change the default region for Azure on-boarding
Cloud Optix creates resources (e.g. Azure Function App) in the customer's default Azure region. Now, within 'Custom Settings' on the 'Add your cloud environment' page, customers can choose to use a different Azure region if they prefer.

Cloud Optix Management Enhancements

Search for instances with outbound traffic to a specified IP or port
Now use the Cloud Optix global search bar to find virtual machines that Cloud Optix has monitored communicating outbound to a specified IP address or port.

Configurable tables
Key lists and tables in the Cloud Optix console can now be configured by the customer to hide/show columns. Look for the 'cogs' icon at the top of the table.

Partner ability to hide Spend Monitoring
Partners now can now hide the Spend Monitor from selected accounts if required. This is a manual setting that should be requested via your Sophos account contact.

Lastly, a change to Admin roles for non-Central accounts
Customers with Cloud Optix accounts not yet managed via Sophos Central previously had 'Admin' and 'Read-only' administrator roles in the Cloud Optix console. Consistent with Sophos Central, we have added a new 'Super Admin' role for these non-Central accounts.

Now, only an administrator with the 'Super Admin' role can invite new users to the account and assign roles to users. All existing users with the 'Admin' role previously, have been promoted to the 'Super Admin' role to avoid any loss of functionality for existing administrators.

In addition, when a new user is invited to join an account, the default role selected is now 'Read only'. However, the administrator (with Super Admin role) can choose to change this to 'Admin' or 'Super Admin' when inviting the user.

Coming Soon!

There’s plenty to get excited about next quarter (spoiler alert!). Here are just a few examples of exciting new features up our sleeve:

Sophos MSPs can soon co-brand Cloud Optix exportable compliance reports with their own company logo. Now in Preview.
IaC scanning detection of secrets in templates. New policies will check for static secrets/credentials in Terraform templates for AWS and Azure. Now in Preview.
Azure Logic Apps in the Serverless area of the inventory for Azure. Details will include: Name, Resource Group, Region, Last Modified, Trigger type, and State. Now in Preview.

Sophos Cloud Optix Awarded CIS Benchmarks Certification for AWS, Azure, and GCP

2020-03-26T11:14:00Z

Sophos Cloud Optix has now been certified by CIS (Center for Internet Security) to accurately assess AWS, Azure and GCP environments based on best practices for secure configuration.

Developed through a unique consensus-based process comprised of cybersecurity professionals and subject matter experts around the world, CIS Benchmarks are recommended as industry-accepted system hardening standards and are used by organizations in meeting compliance requirements for Federal Information Security Management Act, PCI, Health Insurance Portability Accountability Act and other security requirements.

By certifying Cloud Optix with CIS, Sophos has demonstrated commitment to actively solve the foundational problem of ensuring secure configurations are used throughout AWS, Azure and GCP environments.

Not all certifications are equal

CIS Benchmark Certification is awarded on two profile levels. The intent of the Level 1 profile is to lower the attack surface of your organization while keeping machines usable and not hindering business functionality. The Level 2 profile is considered "defense in depth" and is intended for environments where security is paramount.

Organizations should investigate whether a vendor offers the level of certification required for their industry, or compliance standard. Sophos has provided evidence that Cloud Optix can accurately report security recommendations in both level 1 and level 2 CIS Benchmark profiles.

Sophos Cloud Optix Release: IAM Visualization and Much More

2020-02-07T14:08:00Z

Today’s Cloud Optix release is packed with several new features to increase security and compliance of customer environments, including a breakthrough in IAM visualization.

Improving security for anyone running workloads on public cloud

Managing user roles, permissions, and role-based access to AWS services is an enormous challenge. The scale and interwoven nature of individual and group access to services means that organizations often a) simply can’t accurately see how their services can be accessed, and b) don’t proactively manage it – creating an endless loop to a).

And here’s the obvious punch line – attackers will exploit that gap in security. We saw this happen in a recent high-profile public cloud attack that exploited overprivileged user access to access 40,000 Social Security numbers and 80,000 bank account numbers.

Breakthrough in IAM visualization

Cloud Optix IAM Visualization is a breakthrough for organizations managing infrastructure on AWS. It enables customers to easily visualize the relationships between IAM roles, IAM users, and services.

This innovative and differentiated new feature will allow customers to identify high risk users who have access to multiple services they rarely or never need. It helps answer questions like: Which IAM users in my AWS account have access to the S3 service, which might contain sensitive data? (either via assuming an IAM role, or directly with an in-line policy)? Which EC2 server instances can access the RDS service – your customer database? And much more. This helps organizations reduce their attack surface in the cloud dramatically.

https://vimeo.com/390561810

Addressing a range of new threats

The latest security enhancements to Sophos Cloud Optix go even further to provide more depth than ever.

Detecting AWS, Azure, and GCP spend anomalies

Sophos Cloud Optix security-focused spend monitoring now makes daily and monthly cloud spend monitoring a breeze, identifying unusual activity indicative of abuse such as cryptojacking in AWS, Azure, and GCP cloud accounts. It highlights top services contributing to spend, allowing for faster decisions on whether increased spend equals malicious activity, and providing customizable spend threshold alerts for visibility.

https://vimeo.com/388250873

Extending container security with Amazon EKS – Managed Kubernetes Service

Cloud Optix has provided automatic discovery of an organization’s assets across AWS, Microsoft Azure and Google Cloud Platform, and Infrastructure as Code environments for some time and added support for Native Kubernetes and Google’s managed Kubernetes Engine (GKE) in late 2019.

And now support for Amazon’s managed Elastic Kubernetes Service (EKS) has landed. Azure AKS managed Kubernetes service hot on its heels and coming soon

Amazon EKS nodes are now included in the topology visualization, as well as real-time inventory views of clusters, node groups, nodes, pods, containers, services, and more. While also enabling organizations to perform additional security benchmark checks on these container environments.

Additional security benchmark checks now included in Sophos Cloud Optix best practice policy for AWS:

AR-1500: Ensure private access is enabled for EKS Cluster
AR-1501: Ensure public access is disabled from EKS Cluster
AR-1502: Ensure EKS cluster Control Plane Security Group is only open to instances in its VPC on port 443
AR-1503: Ensure no two cluster Control Planes share a Security Group
AR-1504: Ensure logging is enabled for Cluster Api Server
AR-1505: Ensure logging is enabled for Cluster Audit
AR-1506: Ensure logging is enabled for Authenticator
AR-1507 Ensure logging is enabled for Controller Manager
AR-1508: Ensure logging is enabled for Cluster Scheduler
AR-1509: Ensure EKS cluster Control Plane Security Group is not open to internet on any port

Important notes:

EKS clusters must be on-boarded to Cloud Optix after the parent AWS account, using a separate on-boarding script. This script is available on the Add Environment > AWS page. Separate on-boarding is required because the standard permissions required to add an AWS account to Cloud Optix do not apply to EKS clusters.
The inventory will show partial information for EKS clusters before the EKS cluster is on-boarded. This is because certain information (i.e. cluster information) is retrieved using the existing API sync. The EKS cluster needs to be on-boarded using the separate script, to complete the population of the EKS inventory.

Additional updates

In addition to the headline updates, today’s Cloud Optix release is packed with several new features to increase security and compliance of customer environments:

Sophos Cloud Optix has been certified by Center for Internet Security (CIS) to accurately assess AWS and GCP system conformance with the security recommendations of the CIS Benchmark profile. By certifying Cloud Optix with CIS, Sophos has demonstrated its commitment to actively solve the foundational problem of ensuring secure standard configurations are used by customers. CIS Certified Security Software Products demonstrate a strong commitment to provide customers with the ability to ensure their assets are secured according to consensus-based best practice standards.
Superior public cloud traffic analysis, helping organizations to analyze outbound traffic anomalies with visibility of destination IP addresses including ISP, organization, country, and region. Watch the video
Azure VM Scale Sets inventory, enabling customers to see that hosts are part of Scale Sets, and filter to see hosts within a specific VM Scale Set.
Add AWS environments using AWS CloudFormation (in preview), as an alternative to running a script using the AWS CLI, or Terraform.