Sandstorm: Frequently asked questions. May August 2016 Page 1 of 7

Similar documents
Synchronized Security

Symantec & Blue Coat Technical Update Webinar 29. Juni 2017

File Reputation Filtering and File Analysis

Viewing Capture ATP Status

Symantec Ransomware Protection

Sophos. Allan Widell Channel Account Executive. 24. August 2017

Endpoint web control overview guide

FIREWALL PROTECTION AND WHY DOES MY BUSINESS NEED IT?

County of El Paso Purchasing Department 800 E. Overland Room 300 El Paso, Texas (915) / Fax: (915)

Cisco s Appliance-based Content Security: IronPort and Web Security

PCI DSS v3.2 Mapping 1.4. Kaspersky Endpoint Security. Kaspersky Enterprise Cybersecurity

EXECUTIVE BRIEF: WHY NETWORK SANDBOXING IS REQUIRED TO STOP RANSOMWARE

Juniper Sky Advanced Threat Prevention

Dell SonicWALL Capture Advanced Threat Protection Beta Feature Guide

Sophos Central Admin. help

Security Made Simple by Sophos

Securing Your Business Against the Diversifying Targeted Attacks Leonard Sim

#1 Enterprise File Share, Sync, Backup and Mobile Access for Business

Synchronized Security In Action

JUNIPER SKY ADVANCED THREAT PREVENTION

File Policies and AMP for Firepower

Barracuda Advanced Threat Protection. Bringing a New Layer of Security for . White Paper

Vendor: Cisco. Exam Code: Exam Name: Implementing Cisco Threat Control Solutions. Version: Demo

Venusense UTM Introduction

Content for Sophos- Theory and lab session

Securing the Modern Data Center with Trend Micro Deep Security

How to Configure Antivirus Scanning in the Firewall

ClientNet. Portal Admin Guide

PROTECT WORKLOADS IN THE HYBRID CLOUD

File Policies and Advanced Malware Protection

Network. Arcstar Universal One

MX Sizing Guide. 4Gon Tel: +44 (0) Fax: +44 (0)

CISCO NETWORKS BORDERLESS Cisco Systems, Inc. All rights reserved. 1

Contents. Introduction. WSA WebBase Network Participation

Sophos Endpoint Detection and Response

Next Generation Enduser Protection

Synchronized Security

Comprehensive datacenter protection

Avanan for G Suite. Technical Overview. Copyright 2017 Avanan. All rights reserved.

Compliance of Panda Products with General Data Protection Regulation (GDPR) Panda Security

The Next Generation Security Platform. Domenico Stranieri Pre- Sales Engineer Palo Alto Networks EMEA Italy

What is Zemana AntiLogger?

Reviewer s guide. PureMessage for Windows/Exchange Product tour

Maintain Data Control and Work Productivity

Comodo cwatch Web Security Software Version 1.1

Cisco AMP Solution. Rene Straube CSE, Cisco Germany January 2017

Getting Started with the Cisco Cloud Security

Cisco Meraki MX products come in 6 models. The chart below outlines MX hardware properties for each model:

Centralized Policy, Virus, and Outbreak Quarantines

Cisco Security. Advanced Malware Protection. Guillermo González Security Systems Engineer Octubre 2017

Magento Commerce Architecture and Security Model Last updated: Aug 2017

Lastline Breach Detection Platform

Business Strategy Theatre

McAfee Network Security Platform

FIREWALL BEST PRACTICES TO BLOCK

#1 Enterprise File Share, Sync, Backup and Mobile Access for Business

Australian Signals Directorate (ASD) Top 35 Reference Card

Citrix SD-WAN for Optimal Office 365 Connectivity and Performance

McAfee Web Gateway Administration

rat Comodo Valkyrie Software Version 1.1 Administrator Guide Guide Version Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013

Seamless Security in the Age of Cloud Services: Securing SaaS Applications & Cloud Workloads

Amazon Web Services 101 April 17 th, 2014 Joel Williams Solutions Architect. Amazon.com, Inc. and its affiliates. All rights reserved.

Secure Managed Firewall

Sophos Central Admin. help

Firefly Perimeter ( vsrx ) Technical information 12.1 X47 D10.2. Tuncay Seyran

SandBlast Agent FAQ Check Point Software Technologies Ltd. All rights reserved P. 1. [Internal Use] for Check Point employees

MOVE AntiVirus page-level reference

What is an Endpoint Protection Platform?

WHITE PAPER. AirGap. The Technology That Makes Isla a Powerful Web Malware Isolation System

Network Security Platform 8.1

Easy Activation Effortless web-based administration that can be activated in as little as one business day - no integration or migration necessary.

SAFECOM SECUREWEB - CUSTOM PRODUCT SPECIFICATION 1. INTRODUCTION 2. SERVICE DEFINITION. 2.1 Service Overview. 2.2 Standard Service Features APPENDIX 2

MaaS360 Secure Productivity Suite

Cisco Security Enterprise License Agreement

All-in one security for large and medium-sized businesses.

EU GENERAL DATA PROTECTION: TIME TO ACT. Laurent Vanderschrick Channel Manager Belgium & Luxembourg Stefaan Van Hoornick Technical Manager BeNeLux

MYOB Advanced SaaS. Why choose MYOB Advanced? Fact Sheet. What is MYOB Advanced SaaS?

NetBackup Collection Quick Start Guide

Cloud Operations for Oracle Cloud Machine ORACLE WHITE PAPER MARCH 2017

Securing Dynamic Data Centers. Muhammad Wajahat Rajab, Pre-Sales Consultant Trend Micro, Pakistan &

How to Configure ATP in the Firewall

F5 SSL Orchestrator: Setup. Version

Safeguarding Cardholder Account Data

Policing The Borderless Network: Integrating Web Security

Sophos Secure Gateway Comparison

AccessEnforcer Version 4.0 Features List

Deployment Scenarios Microsoft TMG Standard, TMG Enterprise, TMG Branch Office series Appliances

McAfee Web Gateway Administration Intel Security Education Services Administration Course Training


Endpoint Security. powered by HEAT Software. AntiVirus Best Practice Guide. Version 8.5 Update 2

Annexure E Technical Bid Format

PineApp Mail Secure SOLUTION OVERVIEW. David Feldman, CEO

Securing Your Amazon Web Services Virtual Networks

Cisco Cloud Security. How to Protect Business to Support Digital Transformation

UTM Firewall Registration & Activation Manual DFL-260/ 860. Ver 1.00 Network Security Solution

INSIDE. Symantec AntiVirus for Microsoft Internet Security and Acceleration (ISA) Server. Enhanced virus protection for Web and SMTP traffic

Isla Web Malware Isolation and Network Sandbox Solutions Security Technology Comparison and Integration Guide

Hardening the Education. with NGFW. Narongveth Yutithammanurak Business Development Manager 23 Feb 2012

Securing Your Microsoft Azure Virtual Networks

Security Guide SAP Supplier InfoNet

Transcription:

Sandstorm: Frequently asked questions May 2017 August 2016 Page 1 of 7

Licensing 1. What licenses do customers need to use Sophos Sandstorm functionality? Product and Competitive 2. Can we compare Sophos Sandstorm product with a solution as FireEye or other vendors in terms of technology and effectiveness? 3. Do we have plans for local Sandboxes as well (virtual and physical)? 4. What appliance hardware is Sophos Sandstorm compatible with? 5. Do we plan to add Sophos Sandstorm functionality to other products in the Sophos portfolio? 6. Will Sophos Sandstorm be added to Endpoint? 7. In past Gartner Magic Quadrant reports, Sophos was noted for lack of Sandbox technology. Will this assist Sophos in future reports? Operation 8. What are the steps before a file is sent for analysis to Sophos Sandstorm? 9. Does Sophos Sandstorm scan files received in both directions inbound/outbound and refer for sandboxing? 10. Can the administrator create exclusions? 11. What file types are supported by Sophos Sandstorm? 13. How do administrators know if Sophos Sandstorm connectivity is lost/restored? 14. Which port/protocol is used to send files/hash values to the Sandstorm server? 15. Is there a local cache so there is no need to submit hashes of files inspected before? 16. What is the expected latency for Sophos Sandstorm cloud based sandboxing? 17. Can we see a running history of how many times a suspicious file was seen and allowed or blocked? Security and Privacy 18. How are documents kept secure in transit from Sophos products to Sophos Sandstorm? 19. Are documents encrypted when they are temporarily stored? How strong is this encryption and who has the encryption keys? 20. Are documents stored or processed by any 3rd parties? 21. In which countries or regions are files processed by Sandstorm? 22. When documents and files are executed in the sandbox, where does all the captured activity data go? 23. How long does Sophos or its affiliates keep documents? 24. Can Sophos Staff access documents or the data on them? 25. Besides documents is any other customer data sent to Sandstorm? 26. What happens if a datacenter is unavailable for processing files? August 2016 Page 2 of 7

Licensing 1. What licenses do customers need to use Sophos Sandstorm functionality? The Sandstorm license is purchased in addition to the customers existing XG, SWA, SEA or UTM license. Details can be found in the current price list. Please note that with both XG and UTM: 1. The Web Protection license is required to enable Sandstorm to inspect suspicious Web downloads. 2. The Email Protection license is required to enable Sandstorm to inspect suspicious emails. Product and Competitive 2. Can we compare Sophos Sandstorm product with a solution as FireEye or other vendors in terms of technology and effectiveness? Yes. We are using both the Sophos Labs expertise and tools alongside leading 3rd party solutions. We are very confident that our solution is as effective if not better than our competitors. 3. Do we have plans for local Sandboxes as well (virtual and physical)? A local sandbox solution is not planned at this time. 4. What appliance hardware is Sophos Sandstorm compatible with? Secure Web Appliance (SWA) hardware running version 4.2 or later Secure Email Appliance (SEA) hardware running version 4.0 or later UTM hardware running version 9.4 or later XG hardware running version 16.05 or later 5. Do we plan to add Sophos Sandstorm functionality to other products in the Sophos portfolio? Yes. Integration in other products is planned and will be published in the future. 6. Will Sophos Sandstorm be added to Endpoint? Currently, there are no plans to add Sandstorm technology to Endpoint. 7. In past Gartner Magic Quadrant reports, Sophos was noted for lack of Sandbox technology. Will this assist Sophos in future reports? Yes. The addition of sandboxing technology to our products has been welcomed by Gartner and will assist us in all future Gartner MQs. August 2016 Page 3 of 7

Operation 8. What are the steps before a file is sent for analysis to Sophos Sandstorm? Not all files are sent to the Sandstorm sandbox. There are multiple decision steps taken before a file is uploaded for analysis: 1. Anti virus engine(s) scan files using multiple technologies to determine if there is already knowledge about the file. 2. The file is determined as known good, known bad or unknown. 3. Known bad files are blocked, known good files are released to the end user. 4. For unknown files, depending on the file type (determined using true file type detection) Sophos anti virus will determine if the file has any active content (e.g. Macros in Office documents or JavaScript in pdfs). 5. If there is no active content the file is considered safe and released to the end user. 6. If active content is detected, a hash value of the file is sent to Sandstorm to check if this file has previously been analyzed. 7. If the file has previously been analyzed a result is sent back. If it is malicious, the file will be blocked. If safe, the file is released to the end user. 8. If the file is unknown by Sandstorm, the file type is supported by Sophos Sandstorm (determined using true file type detection) and there is active content, the file will be uploaded to Sophos Sandstorm and detonated (executed in the sandbox environment) for further analysis. If the file is malicious, the file will be blocked. If safe, the file is released to the enduser. 9. Does Sophos Sandstorm scan files received in both directions inbound/outbound and refer for sandboxing? For SWA, UTM and XG Web proxy, only downloaded files will be scanned and possibly sent to Sandstorm. For SEA, XG and UTM Email Protection both received and sent emails file attachments will be inspected by Sandstorm if suspicious. 10. Can the administrator create exclusions? The existing AV exclusion options in XG, SWA and UTM will also apply to Sandstorm. There are no AV exclusions available in SEA. 11. What file types are supported by Sophos Sandstorm? Sandstorm supports the file types listed below, determined by true filetype detection. If there is a specific file type you are looking for, which isn t on the list please open a ticket with support. PE and EXE files, including 32 or 64 bit programs, and 32 and 64 bit DLLs Microsoft Office Word Documents with file extensions of.doc,.docx,.docm, or.rtf Microsoft Office Excel Documents with file extensions of.xls,.xlsx, or.xlsm Microsoft Office PowerPoint documents with file extensions of.ppt,.pptx, or.pptm PDF documents (.pdf) March 2017 Page 4 of 7

PDF XML documents (.xpf) ActiveMime Archives (ZIP, BZIP, GZIP, RAR, TAR, LHA/LZH, XZ) 12. What operating system environments does Sandstorm emulate? Sandstorm emulates Windows environments. 13. How do administrators know if Sophos Sandstorm connectivity is lost/restored? Connection issues are logged in the sandstorm activity log, which administrators can search. There is no connectivity status indicator or automatic alerting at this time. 14. Which port/protocol is used to send files/hash values to the Sandstorm server? By default the product uses port 443 to communicate with the Sandstorm server. If an upstream proxy is defined, the proxy settings will be used. Please make sure that your appliance can reach sandbox.sophos.com. 15. Is there a local cache so there is no need to submit hashes of files inspected before? Yes. The sandbox results for files that have been seen in the previous 24 hours are kept in the local cache on the appliance, reducing traffic and improving performance. In addition the sandbox servers keep a cache of hashes seen before, so files are only analyzed once. 16. What is the expected latency for Sophos Sandstorm cloud based sandboxing? For files that are present in the cache or have been previously analyzed this will be seconds. Files, which will need to be uploaded and fully analyzed, will take up to 20 minutes with an average of 5 minutes. 17. Can we see a running history of how many times a suspicious file was seen and allowed or blocked? There is a counter of files submitted and reporting on the number deemed malicious or clean. The malicious files report also shows if we needed to submit the file or if Sophos Labs had previously identified the threat. Security and Privacy 18. How are documents kept secure in transit from Sophos products to Sophos Sandstorm? Samples are submitted to Sophos servers running on Amazon hosted cloud servers over standard HTTPS protocol. The files are asymmetrically encrypted by the servers before being written to Amazon hosted storage, transferred to Sophos hosts infrastructure where the decryption key is held. At this point they are decrypted for processing. March 2017 Page 5 of 7

19. Are documents encrypted when they are temporarily stored? How strong is this encryption and who has the encryption keys? When samples are not being processed, such as when in transit or in temporary storage, they are encrypted with industry standard asymmetric encryption with the private key held on physical Sophos infrastructure. 20. Are documents stored or processed by any 3rd parties? The Sophos Sandstorm sandbox solution uses a combination of Sophos and a select 3rd party for sample processing. For security reasons, Sophos do not disclose information about the technology partners. All 3rd party technology partners used by Sophos are vetted and contractually obliged to apply the same security and privacy polices used by Sophos in the handling of sandbox samples. For 3rd parties used for temporary cloud storage, samples are stored encrypted with the private key held by Sophos. 21. In which countries or regions are files processed by Sandstorm? This depends on the features or location of your Sophos product. Currently (April 2017): Sandstorm data centers are located in the European Union and in the USA. For Sophos XG Firewall and Sophos Web Appliance the data center location is configurable. The administrator of the device can specify that either the European Union data center or the USA data center processes suspicious files. Files are sent SSL encrypted to Sandstorm. If the administrator chooses automatic selection, the device uses Latency Based Routing (LBR) (see point 3 below) to direct suspicious customer files to the appropriate data center. For Sophos UTM and Sophos Email Appliance: 1. If the Sophos Appliance is located in Europe, SSL encrypted files are sent to the European Union Sandstorm data center (see point 3). 2. If the Sophos Appliance is located in the USA, SSL encrypted files are sent to the USA Sandstorm data center. For all other appliance locations, files are sent to the Sandstorm data center that is closest to the appliance location (see point 3). 3. Sophos uses Latency Based Routing (LBR) to direct suspicious customer files to the appropriate data center. This relies on the latency between the customer DNS resolver and Amazon name servers. In order to ensure suspicious files are sent to the correct data center it is important to configure your Sophos appliance to use an appropriate DNS server. Sophos appliances configured to use a Europe DNS server sends files to the European Union Sandstorm data center. Sophos appliances configured to use a US DNS server direct files to the to the US Sandstorm data center. Appliances configured with DNS servers in other locations direct files to the LBR derived closest location of the two data centers. 22. When documents and files are executed in the sandbox, where does all the captured activity data go? The file copy is detonated in the safe confines of Sandstorm and monitored for malicious behavior. All processing is done in RAM. All suspicious files are cleared from memory after analysis is complete. March 2017 Page 6 of 7

The only exception is where malicious files are discovered. In this case, these files are retained and are further analyzed. This analysis is then used to update other protection technologies. A decision to allow or block the file will be sent to the security solution once the analysis is complete. If the file copy is benign, the original file will be released to the end user. Malicious files attached to emails will remain in quarantine until further action is taken by an administrator. Malicious files intercepted by web filtering will be deleted immediately. Sophos Sandstorm also stores file hash values and results for faster overall responses. Files are only uploaded once. No filename or other meta data is stored for this purpose. 23. How long does Sophos or its affiliates keep documents? If no malicious activity is detected, the encrypted Sandbox sample file and analysis report are retained for 30 days. If the file is malicious, the Sandbox sample file and analysis report are stored for an unlimited amount of time in order to support global protection efforts. 24. Can Sophos Staff access documents or the data on them? No, general Sophos staff has no access to sandbox samples. In some rare and specific cases, sandbox service engineers and or security researchers assigned to the sandbox services may require access to a sample in order to trouble shoot or enhance the service. This access is done within a secure, isolated area. No samples are copied or removed from this isolated area. 25. Besides documents is any other customer data sent to Sandstorm? For authentication purposes the device serial number is sent to Sandstorm. In addition, for Web downloads, the URL of the download is sent, excluding possible parameters which might contain private information. 26. What happens if a datacenter is unavailable for processing files? If the EU or US datacenter is unavailable there is no failover to the alternative data center location. For example, if the Sophos Appliance is located in Europe and the EU Sandstorm data center is unavailable, the Sophos Appliance will not send files to the US data center. March 2017 Page 7 of 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback