NDR Essentials – Sophos News
Sophos Firewall v21 offers an innovative industry first: Network Detection and Response (NDR) integrated with your firewall.
What is NDR?
Network Detection and Response (NDR) is a category of network security products designed to detect abnormal traffic behavior to help identify active adversaries operating on the network.
Skilled attackers are very effective at evading detection, but they ultimately need to move across or communicate out of the network to carry out an attack. NDR typically sits within the network, utilizing sensors that monitor and analyze network traffic to identify this kind of suspicious activity.
NDR products have been around for many years, and Sophos NDR has been part of our MDR/XDR portfolio of products since early 2023. However, with SFOS v21.5, we are integrating NDR with Sophos Firewall – an industry first – at no extra charge for Sophos Firewall customers with Xstream Protection.
Integrating NDR with a Next-Gen Firewall may seem like an obvious choice, but the challenge is doing it in a way that doesn’t impact the performance of the firewall since NDR traffic analysis requires significant processing power. As a result, we’ve taken the novel approach of deploying an NDR solution in the Sophos Cloud to offload the heavy lifting from the firewall.
Sophos NDR Essentials
Sophos Firewall v21.5 introduces our new NDR Essentials cloud-delivered Network Detection and Response platform. It utilizes the latest AI detections to help identify active adversaries and shares that information using the Sophos Firewall threat feeds API as part of Active Threat Response to keep you informed of any detections and their relative risks.
Watch this quick demo video for a look at how it works or read on for full details:
How it works
Sophos Firewall captures metadata from TLS-encrypted traffic and DNS queries and sends that information to NDR Essentials in the Sophos Cloud.
There, the data is analyzed using multiple AI engines. It can detect malicious encrypted payloads without performing TLS decryption, as well as new and unusual algorithmically generated domains, which are often a key indicator of compromise.
The metadata extraction is performed by a new lightweight engine implemented on the Xstream FastPath and, as a result, one caveat with this new capability is that it is only available on XGS Series hardware firewalls. Virtual, software, and cloud firewalls may get this NDR integration capability in the future, but not in v21.5.

The new NDR Essentials threat feed is managed alongside your other threat feeds (Sophos X-Ops, MDR, and third-party feeds) in the Active Threat Response area of the firewall, as shown in the screenshot above. Setup is simple: flip a switch to turn it on, select which internal interfaces to monitor and a minimum risk-score threshold for detections, and you’re done!
NDR Essentials detections are scored on a range from 1 (low risk) to 10 (highest risk). You decide which risk score sets the threshold for an alert based on your particular environment. The recommended default is high-risk (9-10).
All detections that are scored greater than or equal to 6 are logged, but only those meeting or exceeding your threshold trigger notifications and are shown as alerts on the new Control Center dashboard widget.
Detections scored below 6 may be false positives and are therefore not logged. No NDR Essentials detections are blocked at this time, but this may be an option in the future. All detections are fully accessible via the Active Threat Response report available both on-box and via Sophos Central Firewall Reporting.
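To make the scoring rules concrete, here is an added Python example (not Sophos code) that applies them to a few constructed detections: scores below 6 are dropped, 6 and above are logged, and only scores at or above the configured threshold (default 9, the recommended high-risk setting) become alerts. The `Detection` record, the engine names and the sample domains and flows are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

MIN_LOGGED_SCORE = 6         # scores >= 6 are logged
DEFAULT_ALERT_THRESHOLD = 9  # recommended default: high risk (9-10)


@dataclass
class Detection:
    """Hypothetical NDR Essentials detection record (constructed for this example)."""
    engine: str      # "dga" or "encrypted_payload" (assumed names)
    indicator: str   # domain or flow the engine flagged
    risk_score: int  # 1 (low risk) .. 10 (highest risk)


def triage(det: Detection, alert_threshold: int = DEFAULT_ALERT_THRESHOLD) -> str:
    """Return the firewall outcome for one detection.

    'dropped': score < 6, likely false positive, not logged
    'logged' : 6 <= score < threshold, visible in the Active Threat Response report only
    'alert'  : score >= threshold, logged plus notification and dashboard alert
    Nothing is blocked, so there is no 'block' outcome.
    """
    if not 1 <= det.risk_score <= 10:
        raise ValueError(f"risk score out of range: {det.risk_score}")
    # Assumption: a threshold below 6 is rejected, because such detections are never logged.
    if not MIN_LOGGED_SCORE <= alert_threshold <= 10:
        raise ValueError(f"alert threshold must be 6..10, got {alert_threshold}")
    if det.risk_score < MIN_LOGGED_SCORE:
        return "dropped"
    if det.risk_score < alert_threshold:
        return "logged"
    return "alert"


def summarize(dets: List[Detection], alert_threshold: int = DEFAULT_ALERT_THRESHOLD) -> Dict[str, int]:
    """Count how many detections land in each outcome at the given threshold."""
    counts = {"dropped": 0, "logged": 0, "alert": 0}
    for d in dets:
        counts[triage(d, alert_threshold)] += 1
    return counts


# Constructed sample detections; indicators and scores are invented.
SAMPLE = [
    Detection("dga", "xk3q9vz7lm.example", 10),
    Detection("dga", "qp0wz8rt.example", 7),
    Detection("encrypted_payload", "10.0.0.15 -> 203.0.113.9:443", 9),
    Detection("encrypted_payload", "10.0.0.22 -> 198.51.100.4:443", 5),
    Detection("dga", "update-cdn.example", 3),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))     # {'dropped': 2, 'logged': 1, 'alert': 2}
    print(summarize(SAMPLE, 7))  # {'dropped': 2, 'logged': 0, 'alert': 3}
```

Lowering the threshold from 9 to 7 turns the score-7 DGA detection from a logged entry into an alert, which is the trade-off you make when tuning the threshold for your environment.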
How does NDR Essentials compare to Sophos NDR?
To put it simply, Sophos NDR Essentials is a “lite” version of Sophos NDR.
Sophos NDR is designed to sit deep inside the network so it can effectively monitor and detect suspicious activity and traffic flows heading both north-south (or inside-outside) as well as east-west flows that are traversing the LAN internally.
As you know, a firewall is designed to sit at the network gateway and inspect north-south traffic. Thus, NDR Essentials, operating at the gateway, doesn’t have the same visibility as a full NDR solution sitting inside the network.
Our full Sophos NDR solution has five different AI detection engines. In this initial version of NDR Essentials, we’ve implemented the two engines that have the most relevance and impact at gateway traffic inspection: the Encrypted Payload Analysis engine, and the Domain Generation Algorithm engine. At this point, with its added engines, Sophos NDR provides deeper coverage and greater detection capabilities than NDR Essentials.
In summary, NDR Essentials provides an excellent additional layer of active threat detection to Sophos Firewall, and it does so at no extra charge and no performance impact. However, it is not a replacement for a full Sophos NDR implementation for any of our customers taking advantage of our XDR platform or MDR service.
If you want further detection insights and threat hunting capabilities, you are strongly encouraged to check out Sophos Extended Detection and Response (XDR) with the full implementation of Sophos NDR and the new NDR Investigation Console.
You may also wish to consider our full 24/7 Managed Detection and Response service. All of these products and services work better together with your Sophos Firewalls.
Get started today
Start taking advantage of this great new capability in Sophos Firewall v21.5 by participating in the early access program. Simply register for the program, click the link in your email to download the firmware update package, and install it on your Sophos Firewall.