Sounds obvious, but this can be surprisingly difficult!
For larger organisations it can be quite difficult to properly manage the full decommissioning of old endpoints from the environment, and especially from the AV console. The consequence is that a console cluttered with old endpoints that you think are probably no longer on the network can mask real endpoints that have become isolated for whatever reason and are no longer up to date.
These need to be found and updated quickly, as threats do get in through improperly protected endpoints.
Part of the issue in large organisations is that it can be hard to know which machines are active and therefore which machines should have AV installed. Here’s what you can do about that (with a focus on the Sophos Enterprise Console):
Ensure AD is cleaned of old computer objects
This is important as it tells you what does not need to be protected; everything that remains either needs AV installed or needs a really, really good reason not to have it.
Now, looking at the Enterprise Console, we can identify all machines that don’t have AV installed. Old objects should also be deleted/purged from the Enterprise Console, which gives a clear view of what remains unprotected. Ensure AV is installed on all endpoints. You can also use the Scan IP Range feature in the Enterprise Console to confirm whether machines are active or not (at the time of the scan).
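One way to carry out the reconciliation described above, as an added example (not Sophos's or the author's code): it compares a computer list exported from AD with one exported from the AV console. The CSV columns, sample hosts and the 90-day and 7-day thresholds are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample exports; the column names are assumptions, not a Sophos or AD format.
AD_CSV = """name,last_logon
WS-001,2016-03-01
WS-002,2016-03-02
WS-003,2015-06-10
SRV-010,2016-02-28
"""
CONSOLE_CSV = """name,last_update
WS-001,2016-03-01
SRV-010,2016-01-05
WS-003,2015-06-09
OLD-PC-7,2014-11-20
"""

def load(text, date_col):
    """Map upper-cased hostname -> date parsed from date_col."""
    return {r["name"].strip().upper(): datetime.strptime(r[date_col], "%Y-%m-%d")
            for r in csv.DictReader(io.StringIO(text))}

def reconcile(ad, console, now, stale_days=90, update_days=7):
    """Classify every hostname seen in either export (thresholds are assumptions)."""
    stale_before = now - timedelta(days=stale_days)
    update_before = now - timedelta(days=update_days)
    result = {"purge_from_console": [], "clean_from_ad": [],
              "unprotected": [], "out_of_date": [], "ok": []}
    for host in sorted(set(ad) | set(console)):
        if host not in ad:
            result["purge_from_console"].append(host)  # no AD object: console clutter
        elif ad[host] < stale_before:
            result["clean_from_ad"].append(host)       # stale AD object, purge console entry too
        elif host not in console:
            result["unprotected"].append(host)         # active in AD, no AV in console
        elif console[host] < update_before:
            result["out_of_date"].append(host)         # active in AD, AV not updating
        else:
            result["ok"].append(host)
    return result

if __name__ == "__main__":
    now = datetime(2016, 3, 3)  # fixed date so the sample output is reproducible
    report = reconcile(load(AD_CSV, "last_logon"), load(CONSOLE_CSV, "last_update"), now)
    for bucket, hosts in report.items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The `unprotected` and `out_of_date` buckets are the machines to chase first; the other two are the clutter that would otherwise hide them.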
- Ensure Web Protection (in Sophos AV Policies) is enabled on all workstation-like machines. This helps by blocking malicious drive-by web sites.
- Ensure live protection and behaviour monitoring are enabled. These features detect zero-day malicious content.
A new feature is coming to the Endpoint in April (it can be trialled now using the preview subscription) that brings advanced persistent threat (APT) detection of Command & Control traffic directly to the endpoint. This feature is called Malicious Traffic Detection. See more here.
The SWA has a new subscription-based feature called Sophos Sandstorm. It essentially provides a service where any suspicious files downloaded via the SWA are first sent to Sophos for full sandboxed analysis (i.e. the file is executed in a sandbox environment that explains exactly what the file will do once executed). This protects against APTs and targeted threats. It can be initialised on a 30-day trial from the SWA directly but is a subscription feature going forward. See more here.
Contact us if you’d like help with any of this.