- AWS Elasticsearch Inventory: In the Storage Inventory, you can now see a list of Elasticsearch instances that your organization is using in your AWS environments.
- AWS RDS Inventory Enhancement: The RDS (Relational Database Service) Inventory has been updated to now include the Database Size and Instance Type information for each RDS instance.
- User Experience Improvement - Alerts Page: The Alerts page now shows the list of Alerts without filters applied when clicking through to the page from a metric on the dashboard, or from the search. Previously any filters formerly applied were retained. This could result in a different list of Alerts being shown and required an extra step to clear the applied filter, which is now no longer necessary.
- New API for Container Image Scanning: The Cloud Optix REST API can now be used to obtain the vulnerability details from the last scan result for an image which has completed a scan. See https://optix.sophos.com/apiDocumentation
- Update to policy AWS - ISO 27001: The rule “Ensure access keys are rotated every 180 days" has been removed from this policy as the rule “Ensure access keys are rotated every 90 days or less” is already present in the policy, which is more secure.
SophosLabs Intelix Anomaly Alerts Improvement
- In the alert details for a SophosLabs Intelix Anomaly Alert, clicking the destination IP address now searches the flow logs page for both the destination IP address and the source IP address, to assist with investigating the traffic that created that alert.
- Applies to Cloud Optix Advanced customers only.
Azure Network Security Groups Report Improvement
- From the Inventory, exporting a list of Azure NSGs in Excel format will now include details of the security rules for each NSG.
Filter Cloud Optix Admin Users by Role
- On the Settings > Users page, you can now filter the list of users by role (e.g. Super Admin, Admin, Read-only). This is helpful if you have a large number of Cloud Optix administrators and need to see access permissions at a glance.
- Applies to Cloud Optix Advanced customers only.
Container Image Scanning UI enhancements
- On the Fargate Container Definitions page in the Inventory, container images in the list that have failed the security policy, are now shown in red and provide a link to the results of the latest scan results for the image.
- Container image scanning checks are now provided in two separate out-of-the-box policy templates:
- Container Images - Sophos Cloud Optix Best Practices (configuration rules)
- Container Images - Vulnerabilities
- Applies to Cloud Optix Advanced customers only.
Container Image Scanning V2
- Cloud Optix can now identify certain insecure settings in container images (in addition to vulnerabilities).
- The following new rules have been added to the Container Images - Sophos Cloud Optix Best Practices out-of-the box policy:
- IS_7011: Ensure setuid and setgid permissions are removed in container images (Severity: Medium)
- IS_7012: Ensure secrets are not stored in Dockerfiles (Severity: Critical)
- IS_7013: Ensure that only needed ports are open on the container (Severity: High)
- IS_7014: Ensure update instructions are not used alone in Dockerfiles (Severity: High)
- IS_7015: Ensure that HEALTHCHECK instructions have been added to container images (Severity: Medium)
- IS_7017: Ensure that a user for the container has been created (Severity: Medium)
- IS_7019: Ensure images are scanned and rebuilt to include security patches (Severity: High)
- New custom rules can be configured and added to custom policies, based on:
- Vulnerability Severity level
- Vulnerability CVSS Score
- Blocklisted Vulnerabilities (specific CVEs)
- Blocklisted Packages
- Effective User
- Exposed Ports
- On the 'Scanned Images' page, you can now select a Security Policy (Container Image Scanning policy - either the Sophos best practices policy, or a custom policy that you create) and see at-a-glance whether each container image passes or fails the rules in that policy. Clicking the 'Passed' or 'Failed' result in the Security Policy column will provide information about which rule has passed or failed for a particular container image.
- The 'Scanned Images' page has also been enhanced to show the time when the next scheduled scan will be run for each image.
AWS Redshift Inventory
- In the Storage inventory, you can now see a list of Redshift clusters created in your AWS environments.
- You can see at a high level how many Redshift clusters are public and how many are not encrypted.
Sophos XDR Live Discover integration
- To help you investigate potentially suspicious activity in your cloud environments, Cloud Optix can upload activity log data (e.g. from AWS CloudTrail logs) to the Sophos Data Lake.
- Live Discover in the Threat Analysis Center can then be used to run queries on the data. A set of pre-prepared queries are provided based on cloud services in which common attack tactics often originate. This can help to identify risky activity that could indicate a potential compromise.
- To use Sophos XDR Live Discover integration, you need to turn on data lake uploads in Cloud Optix user Settings > Advanced > XDR Data Lake Upload.
- A Cloud Optix Advanced license in Sophos Central is required to use Cloud Optix data in Sophos XDR.
- Improvement to Last Interaction Timestamp in SophosLabs Intelix Malicious Traffic Alerts: The last interaction timestamp is now displayed in the standard date time format.
- Improvement to Anomaly Alerts for AWS Environments: The VPC Id and Instance Id details are now shown in the anomaly alerts. N.B. This feature requires the Cloud Optix Flow Logs to be upgraded to the latest version on each AWS environment.
- Onboarding Improvement for AWS, Azure, and Kubernetes Environments: The location of the execution log file is now shown during onboarding to make it easier to find the information needed to diagnose an issue during environment onboarding.
- Activity Logs Search: The Activity Logs for AWS, Azure, and GCP environments can now be searched from the search bar.
- Export Container Inventory to CSV: You can now export the list of containers for all container types (EKS, AKS, GKE, K8S) in the Inventory to a CSV file.
AWS Security Hub Integration
- You can now generate Cloud Optix alerts from AWS native security services by consuming findings from AWS Security Hub. The AWS security services covered by the integration are as follows, and you can choose which of these services should create alerts in Cloud Optix:
- Amazon Inspector
- Amazon Macie
- Amazon GuardDuty
- AWS Systems Manager Patch Manager
- AWS Firewall Manager
- IAM Access Analyzer
- Instructions to set up the integration are provided in Settings > Integrations > AWS Security Hub.
- A new alert-type has been added, to enable Security Hub alerts to be identified and filtered in the alerts list.
- The summary for each AWS Security Hub alert includes the name of the AWS service that provided the finding, for example Amazon Macie.
- The information provided in these alerts, including severity, is provided by AWS and isn't controlled by Sophos.
- Online help: https://docs.sophos.com/pcg/optix/help/en-us/pcg/optix/concepts/IntegrateAWSSecHub.html
- Host Inventory enhancement: The host inventory information for AWS and GCP now includes the Operating System (Windows or Linux) for each EC2 instance/ Virtual Machine.
- Activity and Flow Logs UI enhancement: The Activity Logs and Flow Logs pages now indicate if one or more of your cloud environments is not sending data to Sophos Cloud Optix. You can see which environments are not sending log data on the Environments page in Settings.
- A list of sample searches is now included under Discover > Search.
- The included set of sample searches comprises searches commonly used, such as finding over-privileged IAM users created over a month ago that have been inactive.
- Integrations page enhancement: The Integrations page now has a new look and feel to make it easier to see the integrations you have enabled.
- Rule AR-1075 now considers Sophos Firewall deployments on AWS EC2 instances: Rule AR-1075, which recommends installation of Sophos server workload protection agents on all EC2 instances, will no longer raise an alert Sophos Firewall instances.
- CIS Microsoft Azure Foundations Benchmark v1.3.0: Cloud Optix has now achieved CIS (Center for Internet Security) certification for the Microsoft Azure Foundations Benchmark v1.3.0. A new policy template will be available in Cloud Optix from the 17th August 2021.
New security assessment rules for Azure: The following security rules have been added for Azure environments as part of the new Microsoft Azure Foundations Benchmark v1.3.0 policy. You may notice new alerts in Cloud Optix, generated by these new rules, from 17th August 2021.
- AZ-2501: Ensure guest users are reviewed on a monthly basis
- AZ-2502: Ensure that Azure Defender is set to On for Servers
- AZ-2503: Ensure that Azure Defender is set to On for App Service
- AZ-2504: Ensure that Azure Defender is set to On for Azure SQL database servers
- AZ-2505: Ensure that Azure Defender is set to On for SQL servers on machines
- AZ-2506: Ensure that Azure Defender is set to On for Storage
- AZ-2507: Ensure that Azure Defender is set to On for Kubernetes
- AZ-2508: Ensure that Azure Defender is set to On for Container Registries
- AZ-2509: Ensure that Azure Defender is set to On for Key Vault
- AZ-2510: Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected
- AZ-2511: Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected
- AZ-2513: Ensure any of the ASC Default policy setting is not set to "Disabled"
- AZ-2517: Ensure 'Trusted Microsoft Services' is enabled for Storage Account access
- AZ-2518: Ensure soft delete is enabled for Azure Storage
- AZ-2519: Ensure storage for critical data are encrypted with Customer Managed Key
- AZ-2520: Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled'
- AZ-2521: Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account
- AZ-2522: Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server
- AZ-2523: Ensure that VA setting Send scan reports to is configured for a SQL server
- AZ-2524: Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server
- AZ-2525: Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
- AZ-2527: Ensure that a 'Diagnostics Setting' exists
- AZ-2528: Ensure Diagnostic Setting captures appropriate categories
- AZ-2530: Ensure that Activity Log Alert exists for Delete Policy Assignment
- AZ-2538: Ensure that Diagnostic Logs are enabled for all services which support it
- AZ-2540: Ensure that UDP Services are restricted from the Internet
- AZ-2541: Ensure Virtual Machines are utilizing Managed Disks
- AZ-2542: Ensure that 'OS and Data' disks are encrypted with CMK
- AZ-2543: Ensure that 'Unattached disks' are encrypted with CMK
- AZ-2544: Ensure that the latest OS Patches for all Virtual Machines are applied
- AZ-2545: Ensure that the endpoint protection for all Virtual Machines is installed
- AZ-2547: Ensure that 'PHP version' is the latest, if used to run the web app
- AZ-2548: Ensure that 'Python version' is the latest, if used to run the web app
- AZ-2549: Ensure that 'Java version' is the latest, if used to run the web app
- AZ-2550: Ensure that 'HTTP Version' is the latest, if used to run the web app
- AZ-2551: Ensure FTP deployments are disabled
- AZ-2552: Ensure Custom Role is assigned for Administering Resource Locks
- AZ-2553: Ensure that 'All users with the following roles' is set to 'Owner'
- AWS ECS Fargate Inventory: In the Containers inventory, you can now see a list of Task Definitions and Container Definitions that your organization is using for the Amazon Elastic Container Service (Amazon ECS) on Fargate.
New Rules and Alerts for AWS: The following additional rules have been added to Sophos Cloud Optix.
- AR-1078: Ensure that Termination protection feature is enabled for preventing your EC2 instance from being accidentally terminated. (Severity: Medium | Policies: AWS - Sophos Cloud Optix Best Practices)
- Improvement to Alert Suppression: Suppressing multiple alerts in the console is now easier. You can now select up to 10 alerts at once and suppress them with a single reason for audit purposes in one operation.
- Environments list now identifies GKE/AKS/EKS Clusters: You can now see the GKE/AKS/EKS Clusters listed more clearly distinguished from their 'parent' environments in the Cloud Environments list.
Enhancements to Policy Reports
- A Severity column has been added to the Detailed Policy Reports.
- You can now export a Detailed Policy Report to a PDF. Please note this feature requires a Cloud Optix Advanced Licence.
New Rules and Alerts for AWS: The following additional rules will be added to Sophos Cloud Optix. You may see new alerts generated by these new rules.
- AR-1079: Review AWS scheduled events for your EC2 instances. (Severity: Medium | Policies: AWS - Sophos Cloud Optix Best Practices)
- AWS can schedule events for your EC2 instances, such as a reboot, stop/start, or retirement. These events do not occur frequently. Depending on the event, you might be able to take action to control the timing of the event. Find out more about scheduled events at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitoring-instances-status-check_sched.html
- Sophos Best Practices policies and rules are included with the Cloud Optix Advanced license.
AWS AMI Inventory
- In the Hosts inventory, you can now see a list of the AMIs (Amazon Machine Images) that your organization is using in your AWS environments.
- You can see which EC2 instances are using each AMI, and whether the AMI is owned by your organization, provided by Amazon, or shared with you by a third party.
EBS Volume Inventory
- In the EBS Volume inventory, you can now see a list of the EBS (Elastic Block Store) Volumes created in your AWS environments.
- You can see at a high level how many EBS volumes are not attached to any instance, and how many volumes are not encrypted.
- The list of EBS volumes shows which EC2 instance a volume is attached to. This list can be filtered to show which volumes are not attached and not encrypted.
- Export Environments to CSV: You can now export the list of Cloud and IaC Environments to a CSV file from Settings > Environments.
- Access Network Visualization directly from Hosts Inventory for Azure and GCP Hosts: You can now go to a Host in the Network Visualization directly from the Hosts Inventory list by using the Diagram link in the view column.
New System Alerts for API Synchronization Failures
- API synchronization between Sophos Cloud Optix and cloud environments can fail for different reasons. Cloud Optix will raise alerts if an authorization problem causes a synchronization failure that you need to solve.
- You may start to see synchronization failure alerts in Cloud Optix from week beginning July 12, 2021.
Automatic Agent Removal: Now available as an 'opt-in' feature
- Automatic Agent Removal, to remove 'dangling' server agents from Sophos Central for terminated AWS EC2 instances and Azure VMs, is now available with significant improvements.
- This feature is off by default and can only be turned on by a Super Admin. In Cloud Optix, go to Settings > Advanced > Automatic Agent Removal.
- Cloud Optix records terminated servers by frequently checking your cloud environments for AWS EC2 instance "terminate" events and Microsoft Azure VM "delete" events. A scheduled batch job, run several times a day, then removes the associated server agent information from Sophos Central console, freeing-up Intercept X for Server licenses.
- Performing an on-demand sync/scan for a cloud environment in Cloud Optix will also request removal of servers that have been recorded as terminated.
- You can now see details of server agents that have been requested for removal. In Cloud Optix, go to Settings > Audit logs. You can see the EC2 instance or Azure VM ID, the server agent ID, and the processing time of the deletion request.
- Serverless inventory enhancement: The execution role for AWS Lambda functions on the Serverless inventory page now provides a direct link to the role details in the IAM inventory.
- Custom policy CSV export enhancement: You can export custom policy templates in CSV format, and import them into other Cloud Optix tenants. The CSV export file has now been enhanced to include the description of each rule in the policy.
- Azure IAM inventory enhancement: You can now see the Azure AD tenant ID for each User and Group in the inventory, and filter the information using the tenant ID. This is useful if you have added subscriptions from multiple Azure AD tenants to Sophos Cloud Optix.
Cloud Optix Standard customers now have access to Advanced Settings
- Customers with Cloud Optix Standard (included with Intercept X Advanced for Server term licenses) now have access to "Advanced" settings, from the left hand menu. This provides the ability to specify an IP Allow List for user login anomaly alerts, and Report Settings.
10-June-2021: Auto-removal of server agents is currently disabled
- The ability to automatically remove Sophos server protection agents from Sophos Central for terminated instances is currently disabled. An enhanced version of this feature will be released shortly.
Weekly Summary Report Email (from June 14, 2021)
- Cloud Optix can now send a weekly summary report as a PDF attachment via email, to registered users.
- The report email is sent automatically to configured recipients each Monday (starting Monday June 14, 2021), comprising summary data from the previous 7 days.
- The report also includes a second page that provides a snapshot of the latest content from the Cloud Optix release notes (this page), enabling you to more easily keep up to date with the latest enhancements to Sophos Cloud Optix.
- By default, the earliest registered Super Admin user on your Cloud Optix account will receive the report automatically. Users with Super Admin and Admin roles can change/add/remove additional email recipients in Report Settings. Enterprise Dashboard Admins and Partner Admins can also be configured to receive the report.
- Find out more about the weekly report in the online help: https://docs.sophos.com/pcg/optix/help/en-us/pcg/optix/concepts/WeeklySummaryReport.html
- On the Alerts page, you can now see the total number of affected resources for each severity level of alert (e.g. X total affected resources for Critical severity level alerts). For each alert, you can now see the total number of affected resources.
- Environment Tags are now displayed on the Alert details popup.
- Environment Tags are now included in Jira tickets as Labels.
On-boarding support for AWS CloudShell
- The Sophos Cloud Optix on-boarding script for AWS can now be used with the new AWS CloudShell. AWS CloudShell is a browser-based shell that makes it easy to securely manage, explore, and interact with your AWS resources. CloudShell is pre-authenticated with your console credentials and you can use CloudShell from your browser at no additional cost.
SophosLabs Intelix Malicious Traffic Alerts
- Using VPC Flow Logs from your cloud environments, Sophos Cloud Optix Advanced identifies outbound network traffic to known 'bad' IP addresses. Such traffic may be a sign of connectivity to command and control servers, an early indicator that malware may be present on your cloud resources. Powered by SophosLabs Intelix, Cloud Optix raises Anomaly alerts when certain IPs are seen in outbound traffic in your flow logs, enabling you to investigate further.
- No action is required. The new alerts will be enabled automatically from May 27, 2021 for customers with Cloud Optix Advanced.
Cloud Optix Standard and Cloud Optix Advanced
- Sophos Intercept X Advanced for Server customers now benefit from Cloud Optix Standard CSPM capabilities, enabling security teams to focus on and proactively fix their most critical cloud security vulnerabilities before they’re identified and exploited in cyberattacks. By identifying and risk profiling cloud workload security configuration issues, suspicious access events, and unusual network traffic vulnerabilities impacting security posture. Cloud Optix Standard ensures teams respond faster, providing contextual alerts that group affected resources with detailed remediation steps.
- 'Cloud Optix Standard' replaces 'Cloud Optix for EDR'.
- Cloud Optix (the full product) is now also changing to Cloud Optix Advanced. This license update does not alter any of the advanced CSPM features of the previous Cloud Optix license. The update will provide a pathway for organizations using the new Cloud Optix Standard to the full range of security and compliance monitoring capabilities.
Auto-removal of 'dangling' server agents in Sophos Central for terminated instances
- Customers who use Sophos Cloud Optix and Sophos Intercept X for Server in Sophos Central, now benefit from an enhanced integration. When you terminate EC2 instances in AWS or VMs in Azure that have Sophos server agents installed, Cloud Optix will request the removal of the agent from your Sophos Central console. This helps to free up licenses and declutter the console when instances are terminated in your cloud environments.
- No action is required. The integration was enabled on May 10, 2021.
- Online help: https://docs.sophos.com/pcg/optix/help/en-us/pcg/optix/concepts/ServerAgentIntegration.html
New Compliance policy template for UK Cyber Essentials
- A new policy template is now available for AWS, Azure and GCP for UK Cyber Essentials. The policy template is available to Cloud Optix Advanced customers, but is disabled by default. You can turn the policy on in Policies.
- Cyber Essentials is a simple UK Government backed scheme to help you to protect your organisation against a range of the most common cyber attacks. The policy template maps the security monitoring rules in Cloud Optix to relevent requirements of the Cyber Essential standard to help you with your UK Cyber Essentials self-assessment.
Container Image Scanning enhancements:
- On the 'Scanned Images' list, a new 'Containers' column now shows running containers from the Inventory from each scanned image, and provides a direct link to the inventory page to see details of the container.
- In the Inventory ('Containers' tab), an 'Images' column shows the image that each running container was created from. If the image has been scanned by Cloud Optix for vulnerabilities, the image name provides a direct link to the latest scan results for the image.
- In the Inventory ('Containers' tab), a new "Unscanned" filter enables you to filter the list to show containers from images that have not been scanned by Cloud Optix for vulnerabilities.
- AWS Osaka Region Support: AWS recently expanded the Asia Pacific (Osaka) ap-northeast-3 region from a Local Region to a standard AWS region. Sophos Cloud Optix has been updated to support this new standard region.
- Amazon Detective integration enabled by default: The Amazon Detective integration is now enabled by default for new customers in Cloud Optix. This includes 'Cloud Optix for EDR' customers.
Inventory improvement (S3 buckets): Additional data has been added to the inventory for AWS S3 buckets:
- Logging enabled
- MFA Delete enabled
- Versioning enabled
- Inventory improvement (Unused AWS IAM Roles): A new filter has been added to the IAM Roles inventory page, to enable administrators to quickly see Unused Roles. If a role has not been used in the last 90 days, it is considered as unused. This enables administrators to identify roles that could potentially be removed.
- Ticket creation by Read-only users: Users with the read-only role can now manually create Jira and ServiceNow tickets from alerts in Cloud Optix.
- Custom policies enhancement: When Sophos adds new security monitoring rules to Cloud Optix, these new rules are now automatically available to be used in custom policies.
Container Image Scanning: Sophos Cloud Optix can now scan container images for vulnerabilities to prevent threats from being introduced into your production environment. It can scan container images from Amazon Elastic Container Registry (ECR), Microsoft Azure Container Registry (ACR), Docker Hub registries, and IaC environments (Bitbucket and GitHub). Your can also submit images for scanning via API, to increate with your build pipeline.
Searchable Flow Log data: A new Flow Logs page has been added to the left hand menu in Cloud Optix, providing direct access to a new 'global' Flow Logs page. This displays all flow log data across all of your environments and instances on your Cloud Optix account, in one convenient location. You can also now search flow log data using the following new search fields:
- Source IP address (srcAddr)
- Destination IP address (dstAddr)
- Destination Port (dstPort)
Azure Quick-start Setup option: Administrators can now use a simple two-step process to add Azure environments to Cloud Optix. This enables you to get up and running with core features quickly, without the need to download scripts or create additional resources in the Azure environment.
Webhooks: You can now use webhooks to integrate with systems for remediation, reporting, and other functions. Sophos Cloud Optix provides native integration for a variety of systems, for example Jira, Slack, Teams, and so on. If you're using different system, or want to trigger your own remediation functions, you can use webhooks to send alerts an http endpoint in your environment.
Alert list customization options: You can now customize the Alerts list in the console to suit your own preferences. The following settings are stored for the individual user, and persist during the session and for subsequent logins:
- New: Resize certain columns (drag to increase/decrease column width).
- New: Hide/show all columns (except for Alert ID and Description).
- New: Ability to change the order of the columns (drag and drop the column headings).
- Alert severity filters (setting now persists).
- AWS Inventory enhancement: AWS Security Groups list now includes the description and tags assigned to each Security Group.
- 'Operational Status enhancements: On the 'Environments' page, for each AWS, Azure and GCP environment, you can now see the operational status of Flow Log ingestion and Activity Log ingestion.
- 'Unused' Azure NSG filter enhancement: In the inventory (Azure Network Security Groups page), the 'Unused' filter now considers the following additional Azure services that Security Groups can be assigned to, in addition to VMs: SQL Server, DB Server, CosmosDB, App Service, Function App, Storage Account.
- New date range filter: The date range selector on key screens in the Cloud Optix console, including Dashboard, Alerts and Activity logs, has been replaced with a new, more flexible selector. Choose from a range of 'commonly used' date range options, or select a custom date range using the calendar.
- Compliance policy tags for alerts: Security monitoring alerts from compliance policy rules have an associated 'Compliance Tag' to identify the policies that the rule belongs to. Compliance tags are now included on the Alert details popup modal. You can also now link directly from the alerts list to a policy details page, by clicking on a compliance tag in the list.
- Import/Export custom policies: If you need to share/duplicate a custom policy across multiple Cloud Optix accounts, for example if you are using Sophos Enterprise Dashboard to manage multiple sub-estates, you now export the policy as a CSV file and then import that policy into a different Cloud Optix account.
- Option to sync selected AWS regions: On the 'Edit Environment' page for an AWS account, you can now specify whether Cloud Optix should sync with all AWS regions, or only selected regions.
New rules and alerts - Advance notice: The following alerts will be added to Sophos Cloud Optix soon:
- New System Alerts. Cloud Optix will raise an alert when the service is unable to sync with your cloud environment due to authorization failures that require your attention. (Severity: Critical)
New rules and alerts for AWS and Azure: The following additional rules have been added to Sophos Cloud Optix. You may see new alerts generated by these new rules.
- AR-1074: Ensure that your EBS volumes have recent snapshots available for point-in-time recovery. (Severity: Medium | Policies: AWS - Sophos Cloud Optix Best Practices)
- AR-1075: Recommended installation of Sophos server workload protection agents on all EC2 instances. (Severity: Medium | Policies: AWS - Sophos Cloud Optix Best Practices) Note: this rule will only apply to customers using Cloud Optix in Sophos Central with a Sophos server protection license.
- AZ-2361: Recommended installation of Sophos server workload protection agents on all Azure VMs. (Severity: Medium | Policies: Azure - Sophos Cloud Optix Best Practices) Note: this rule will only apply to customers using Cloud Optix in Sophos Central with a Sophos server protection license.
- AR-1076: Flag EC2 instances with Sophos agents installed with a ‘bad’ security health status. (Severity: High | Policies: AWS - Sophos Cloud Optix Best Practices) Note: this rule will only apply to customers using Cloud Optix in Sophos Central with a Sophos server protection license.
- AZ-2362: Flag Azure VMs with Sophos agents installed with a ‘bad’ security health status. (Severity: High | Policies: Azure - Sophos Cloud Optix Best Practices) Note: this rule will only apply to customers using Cloud Optix in Sophos Central with a Sophos server protection license.
- AR-1077: Flag EC2 instances with Sophos agents installed with a ‘suspicious’ security health status. (Severity: Medium | Policies: AWS - Sophos Cloud Optix Best Practices) Note: this rule will only apply to customers using Cloud Optix in Sophos Central with a Sophos server protection license.
- AZ-2363: Flag Azure VMs with Sophos agents installed with a ‘suspicious’ security health status. (Severity: Medium | Policies: Azure - Sophos Cloud Optix Best Practices) Note: this rule will only apply to customers using Cloud Optix in Sophos Central with a Sophos server protection license.
- AR-1073: Ensure that the total spend for AWS in the last 30 days is not more than 1000 USD (configurable value) higher than the previous 30 days. (Severity: Medium | Policies: AWS - Spend Monitoring)
New EC2 Termination Protection rule (available on request): The following new rule is now available for AWS environments in Cloud Optix. This rule is available on-request only. Please contact your Sophos account manager to have this rule added to your account.
- AR-1078: Ensure that Termination protection feature is enabled for preventing your EC2 instance from being accidentally terminated. (Severity: Medium | Policies: Available for custom policies only)
- Azure Sentinel connector: The Cloud Optix connector for Azure Sentinel has now been published in the Microsoft Azure Sentinel Gallery (Public Preview).
- Audit Logs improvement: Anomaly alert and Amazon GuardDuty alert suppressions are now logged in Cloud Optix Audit Logs.
- Import IP addresses/ranges for IP whitelist: For user login anomaly detection, you can whitelist specific IP addresses to prevent logins from specific locations from generating alerts. You can now import a list of IP addresses from a CSV file (Settings > Advanced > IP whitelist).
- Global environment filter persists for subsequent logins: Administrators can select specific environments (and groups of environments) using the "Environments" filter at the top of the Cloud Optix console, to see only data for those environments. When you log out, this setting will now persist for subsequent logins, negating the need to apply this filter each time you log in.
- Alerts severity multi-selection: On the Alerts page, you can now choose more than one severity level using the filters at the top of the page, e.g. "Critical" and "High".
Cloud Assets current usage breakdown: A breakdown of the resource-types that are currently counted for licensing has been added to the licensing information in the console.
- Sophos Central users: Environments > View Current Usage
- Standalone Cloud Optix console users: Top-right menu > Licensing
- CIS Benchmark for Amazon Web Services Foundations v1.3.0 for 'Cloud Optix for EDR' customers: The new policy template for CIS Benchmark for Amazon Web Services Foundations v1.3.0 has now been added for customers with 'Cloud Optix for EDR'.
- JIRA/ ServiceNow ticket ID on Alerts page: For customers using the JIRA and ServiceNow integrations, the ticket ID for each alert is now displayed on the Alerts list page, with a direct link to the ticket URL.
- Amazon GuardDuty integration enhancement: When Amazon GuardDuty alerts are aggregated from multiple AWS accounts and sent to Cloud Optix from a single AWS account, the alerts are now associated to the individual AWS environments in Cloud Optix, instead of the 'master' AWS environment.
- 'Unused' AWS Security Group filter enhancement: In the inventory (AWS Security Groups page), the 'Unused' filter now considers the following additional AWS services that Security Groups can be assigned to, in addition to EC2 instances: Lambda, RDS, EFS, Redshift, Application Load Balancer, Classic Load Balancer, ElasticSearch, ElastiCache.
- Improved custom policy control: When creating or editing a custom policy template, you can now choose to 'exclude' specific environments (or environment tags) from the policy. The console UI previously provided the ability to apply the policy to specific environments only; you can now choose to apply the policy to all environments except for selected environments.
- Left hand menu improvement: The Inventory section of the left hand menu of the Cloud Optix console is now collapsed by default. This is to provide better visibility of features such as Activity Logs and Spend Monitoring. The inventory pages (hosts, containers, storage, network, IAM, serverless) can still be accessed directly, by expanding the Inventory menu.
Report summary page UI improvements: The 'Reports Summary' page has been improved as follows:
- New tabs to allow easy navigation between the Reports Summary page and Details Reports page.
- Cross-policy compliance summary pie chart (click on the red 'Fails' segment to see a breakdown of severity levels. Filter by platform type.
- Pie chart for each policy, showing the latest percentage of rules that have passed for that policy, across multiple environments. Click the policy name for detailed reports for each environment.
- 6-month historical view for each policy, showing the percentage of rules passed each month.
- GKE inventory enhancement: Cluster details for GKE clusters now include Application-layer Encryption and RBAC Security Group information.
- Azure inventory enhancement: App Service Plans: The Cloud Optix inventory now provides visibility of Azure App Services (Inventory > Serverless > Azure). The inventory provides details of the App Service Plan, app type, state information and more.
CIS Benchmark for AWS Foundations v1.3.0: Cloud Optix has now achieved CIS (Center for Internet Security) certification for the following benchmarks. A new policy template for version 1.3.0 is now available in Cloud Optix for customers with a full COPX license.
- CIS Benchmark for Amazon Web Services Foundations v1.3.0 Level 1
- CIS Benchmark for Amazon Web Services Foundations v1.3.0 Level 2
New security assessment rules for AWS: The following security rules have been added for AWS environments as part of the new CIS Benchmark for AWS Foundations v1.3.0 policy. You may notice new alerts in Cloud Optix, generated by these new rules.
- AR-1061: Ensure IAM Users Receive Permissions Only Through Groups
- AR-1071: Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
- AR-1062: Ensure that S3 Buckets are configured with 'Block public access' bucket settings
- AR-1063: Ensure that IAM Access analyzer is enabled
- AR-1064: Ensure S3 Bucket Policy allows HTTPS requests
- AR-1065: Ensure that Object-level logging for write events is enabled for S3 bucket
- AR-1066: Ensure that Object-level logging for read events is enabled for S3 bucket
- AR-1067: Ensure a log metric filter and alarm exists for AWS Organizations changes
- AR-1068: Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
- JIRA integration improvement: A new "Mark as close" option has been added. Selecting this option will automatically close JIRA tickets when Cloud Optix reports that the issue has been fixed in your cloud environment.
Discover Sophos Cloud Workload Protection agents (Intercept X for Server): Cloud Optix now allows you to discover AWS and Microsoft Azure hosts with Sophos Intercept X for Server agents deployed. Sophos Intercept X for Server protects virtual machines from the latest threats, including ransomware, fileless attacks, and cloud-specific malware. While EDR takes threat hunting and IT security operations to the next level with powerful querying and remote response capabilities.
- Filter the host inventory to identify EC2 instances and Azure VMs with Sophos agents installed, and see the security health reported by the agents.
- See EC2 instances and Azure VMs with Sophos agents installed, on the Cloud Optix network visualization.
- In Activity logs > Host, see EC2 instances in each AWS region with Sophos agents installed, and the security health reported by the agents.
- Note: This integration is available in Cloud Optix accounts that are managed via Sophos Central management with a Sophos Server Protection or Intercept X for Server license.
IAM remediation recommendations: Cloud Optix can now provide 'right-sized' IAM policies for over-privileged AWS IAM users, groups and roles.
- From the IAM Visualization in Cloud Optix, selecting a specific IAM entity now enables administrators to see full details of the services that the IAM entity has access to, and when they last accessed each service. The administrator can then choose services to revoke access to, and create a replacement IAM policy with that access removed. Cloud Optix provides a policy document JSON download, and instructions to apply the policy in AWS.
- Filter alerts using AWS resource tags: Administrators can now filter alerts for specific resources using resource tags in the Cloud Optix Search box. By using "tags.
" in the search (e.g. "tags.CostCenter:Production") Cloud Optix will return alerts for affected resources with the corresponding tags.
Deprecated Azure security benchmark rules: Disk encryption security rules have been updated in line with updated CIS benchmark recommendations. The following Azure security rules have been deprecated:
- AZ-2352 - Ensure that OS Disk is encrypted
- AZ-2353 - Ensure that Data Disks are encrypted
- AZ-2354 - Ensure that 'Unattached disks' are encrypted
Replacement Azure security benchmark rules: Replacement disk encryption rules have been added, as follows:
- AZ-2359 - Ensure that OS Disk is encrypted with 'Customer-managed' or 'Platform-managed and customer-managed' keys (Severity: Medium)
- AZ-2360 - Ensure that Data Disks are encrypted with 'Customer-managed' or 'Platform-managed and customer-managed' keys (Severity: Medium)
- AZ-2358 - Ensure that 'Unattached disks' are encrypted with 'Customer-managed' or 'Platform-managed and customer-managed' keys (Severity: Medium)
New AWS rule: Amazon Elastic File System (EFS) service
- AR-1072: Ensure that Amazon EFS file systems are encrypted (Severity: High). This new rule has been added to the Sophos Best Practices policy template for AWS.
- Filter alert trend graph by alert type: The alert trend graph (optix.sophos.com/#/alerts/trend) can now be filtered to show information for a specific alert type (Spend monitoring alerts, Anomaly (AI) alerts, Security monitoring alerts, IaC alerts, Amazon GuardDuty alerts).
- Alerts for AWS Security Groups now include the region that the Security Group is in, to enable administrators to more efficiently locate the issue for resolution.
- Alerts for AWS EBS volumes now identify volumes that are not attached to EC2 instances. Unattached volumes are listed in yellow in the list of affected resources in the alert details. When instances are attached to an EBS volume, the instance IDs are listed in the alert details.
- The 'Last Seen' label in alerts has been changed to 'Last Updated'. This refers to when the alert was last updated with additional information, for example when new resources are affected by the same issue and added to the alert.
New and improved AWS on-boarding: Currently available for new Cloud Optix accounts from November 17, 2020, and selected existing accounts.
The new on-boarding process for AWS environments provides the following benefits:
- VPC Flow Logs and CloudTrail logs are exported from AWS to Cloud Optix via S3 instead of Cloudwatch (follows the latest recommended approach from AWS and reduces associated costs).
- New on-boarding assistant (wizard) provides step-by-step instructions to on-board AWS environments to Cloud Optix using the CLI script, CloudFormation and Terraform.
- Online help documentation has been updated for the new approach: https://docs.sophos.com/pcg/optix/help/en-us/pcg/optix/concepts/AddAWS.html
- Note: online help for the previous approach remains available, marked as 'Legacy': https://docs.sophos.com/pcg/optix/help/en-us/pcg/optix/concepts/lgy_AddAWS.html
New security rules for Amazon Elastic Container Service (ECS): The following security rules have been added to the Sophos Best Practice Policy for AWS:
- AR-1069: Ensure ECS/Fargate container definitions do not contain root user (High severity)
- AR-1070: Ensure ECS container definition does not have elevated privileges (High severity)
- Discover Sophos XG Firewalls on AWS: Administrators can now see Sophos XG Firewall deployments in their AWS environments, on the Network Visualization and Host inventory. EC2 instances are shows as 'Sophos FW' based on the AMI ID of the firewall. The integration covers both Sophos XG and Sophos UTM firewalls.
Spend Monitoring improvements
- Forecast information has been added to the Overview page and Monthly page, for the current calendar month.
- Exec Summary PDF Report. Data on the Exec Summary page can now be exported in a formatted PDF document, for ease of management reporting.
- Descriptions for AWS cost recommendation rules have been updated to describe 'expensive resources'.
- Graphs now support display of very long $ values.
New 'Feedback' button routing menu: When an administrator uses the 'Feedback' button in the bottom-left hand corner of the Cloud Optix console, a new menu is displayed, directing the administrator to choose from three options:
- Request a Feature: Creates a ticket for the Cloud Optix product team for roadmap consideration
- Contact Support: provides a link to the Sophos Support website. This option should be selected if you have a question/request that requires a response from Sophos.
- Report a bug: Creates a ticket for the Cloud Optix engineering team to review and address as needed.
- Sophos Best Practices policy for GCP: A new 'Sophos Best Practices' policy template is now available for GCP, to provide a 'home' for new future security checks from Sophos, that are not covered by CIS Benchmark recommendations or other compliance policy templates.
Enhanced Spend Monitoring
- Daily monitoring visualization with summary of top 10 services incurring cost; filter by date range (up to 3 months), environments, environment tags, services and regions.
- Individual expandable graphs for specific services.
- Monthly visualization with summary of top 10 services incurring cost; filter by time period (up to 12 months), environments, environment tags, services and regions.
- Monthly cost data table, exportable in CSV format.
- Executive Summary of spend for the last full month compared to the prior full month, including top service increases and top service decreases.
New Spend Recommendations (Alerts):
- Sophos rules for AWS, including unused infrastructure and use of expensive instance types.
- Integration with AWS Trusted Advisor (requires AWS Business or Enterprise support plan).
- Integration with Azure Advisor cost recommendations.
- Online help: https://docs.sophos.com/pcg/optix/help/en-us/pcg/optix/concepts/SpendMonitor.html
- AWS Security Groups inventory CSV export now includes ingress and egress rules for each Security Group.
- GCP inventory pages (Host, Network, Storage, IAM) now include CSV export options.
- Microsoft Teams integration: Send Cloud Optix alerts to a designated MS Teams channel. https://docs.sophos.com/pcg/optix/help/en-us/pcg/optix/tasks/IntegrateTeams.html
- Azure Sentinel integration: Send Cloud Optix alerts to an Azure Sentinel (SIEM) workspace. https://docs.sophos.com/pcg/optix/help/en-us/pcg/optix/tasks/IntegrateAzureSentinel.html
- Amazon Detective integration: Link to Detective findings pages in the AWS console directly from Cloud Optix, from GuardDuty alerts and EC2 instances in the inventory. Enable the integration from Settings > Integrations.
- Context-sensitive help: The "Help with Sophos Cloud Optix" link in the "Help" menu will now automatically send the user to a help page that is relevant to the page that they are on in the console, where a relevant help page exists. When a corresponding help page does not exist, the 'Getting started' page in the online help will be displayed.
- New AWS rule to detect the use of Instance Metadata Service V1: Detects EC2 instances that have version 1 of the Instance Metadata Service (IMDS) enabled and have IAM roles assigned to them. Use of IMDS v2 is recommended for increased security. The new rule has been added to the Sophos Best Practices policy. Misconfigured-open WAFs, misconfigured-open reverse proxies, unpatched SSRF vulnerabilities, and misconfigured-open layer-3 firewalls and network address translation allow attackers unauthorized access to the network and/or to reach internal resources, including making calls to the EC2 Instance Metadata Service (IMDS) v1 service to discover more about privileges and IAM roles. With the new version (IMDS v2) every request is protected by session authentication.
- Suppression notes displayed for affected resources in alerts: Where an alert has been suppressed for selected resources and the resource names are struck-through in the alert details, a 'note' icon now appears next to each affected resource. Hovering over the note icon will display the reason that was provided for the suppression.
- Inventory enhancement: SAML users are now displayed on the IAM inventory page for AWS, in a new "SSO Users" tab. Inventory information for SAML users includes user, login count, last event time, last API call and ARN.
- IAM Visualization enhancement: Previously Cloud Optix determined whether a service was accessible by an IAM entity on the basis of the 'Actions' policy attribute only. This has now been improved to also take the 'Resources' policy attribute into consideration.
- Updated network visualization legends: The Network Visualization topology diagram legend modals have been updated to include additional icons including EKS/AKS/GKE nodes and databases.
- Audit Log enhancements: Cloud Optix audit logs now include on-boarding of EKS clusters and IaC environments.
- Reasons/notes provided when suppressing alerts are now included in the alerts CSV export. Details are provided for each affected resource (alerts can be suppressed for specific resources).
- Rule ID is now displayed for each alert on the Alerts page, enabling administrators to easily determine the rule that triggered the alert.
- Inventory enhancement: The host inventory now includes Private IP addresses, and private IPs can now be included in search queries. Applies to AWS, Azure and GCP instances/VMs.
- New Alerts export option (By Affected Resources Consolidated): From the Alerts page, a new option has been added to the CSV export options, to export alerts by affected resources in a single worksheet, instead of separated by category tabs/worksheets.
- Alert trend graph improvements: The alert trend graph can now be displayed with logarithmic scale (default setting) to enable administrators to easily see trends for critical/high alerts, when there are a large volume of low severity alerts. The graph can also now be displayed as a stacked bar chart.
- UX improvement - AWS/Azure/GCP preference is retained through the inventory: When the administrator views inventory information for a specific platform (e.g. AWS, Azure, GCP) that preference is now retained through other inventory pages. For example, if the administrator navigates from the Hosts-Azure page to 'Networks', the Azure preference is retained.
Cloud Optix for EDR: Customers with term licenses for 'Intercept X Advanced for Server with EDR' now get access to a set of core Cloud Optix features ('Cloud Optix for EDR') at no additional cost. See online help for details: https://docs.sophos.com/pcg/optix/help/en-us/pcg/optix/concepts/CloudOptixforEDR.html
- AWS Quick-start Setup option: Administrators can now use a simple CloudFormation template to add AWS environments to Cloud Optix. This is a 'partial deployment' option to get up and running with core features quickly, without the need to run scripts or create resources in the AWS environment. https://docs.sophos.com/pcg/optix/help/en-us/pcg/optix/tasks/AWSQuickStart.html
- Amazon SNS integration enhancement: Cloud Optix now sends 'Environment Tags' as Message Attributes with alerts sent to Amazon SNS. This enables alerts to be filtered based on groups of environments (as defined by environment tags) for downstream integrations.
- PagerDuty integration enhancement: When alerts are resolved in Cloud Optix, those issues are now updated (resovled) in PagerDuty automatically. Previously, administrators had to manually resolve the ticket in PagerDuty.
- Save Searches: Administrators can now save search queries to re-run them again later. A new 'Search' page has been added to the console, linked from the left hand menu. The new page allows administrators to enter, run and save a search query, edit saved search queries, and delete saved search queries. Search queries are saved at the customer account level, enabling other administrators on the same account to use queries that are created by other administrators.
Environment Access Control:
- Retrict administrator access to data for specified environments in Cloud Optix.
- Super Admins can now create 'Environment Tags' (groups of environments) and assign those tags to other administrators on the same Cloud Optix account, to control their access.
- Online help: https://docs.sophos.com/pcg/optix/help/en-us/pcg/optix/learningContents/EnvironmentAccessControl.html
New Advanced Search capabilities:
- Search functionality in Cloud Optix has been significantly enhanced. Administrators no longer need to select from pre-defined search options.
- Simple search: enter an instance ID, security group name, IP address (etc.) to see results. Cloud Optix will attempt preempt the administrator's search by listing categories that match, and the number of matches for each category. Select one of the categories presented, or simply click Enter to see all results.
- Search for a specific type of entity (e.g. AWS - S3) by selecting it from the dropdown menu in the search bar. When navigating through the inventory pages of the console, the dropdown menu will automatically pre-select the corresponding entity type, enabling the user to search the information on that specific page.
- Advanced search queries: For more specific requirements, administrators can now incorporate multiple parameters, logical operators (and/or/not), wildcards and regular expressions, to create advanced search queries.
- Search capabilities: https://docs.sophos.com/pcg/optix/help/en-us/pcg/optix/concepts/SearchCapabilities.html
- Search examples: https://docs.sophos.com/pcg/optix/help/en-us/pcg/optix/references/SearchExamples.html
- Search field names supported: https://docs.sophos.com/pcg/optix/help/en-us/pcg/optix/references/SearchFieldNames.html
IAC Scanning enhancements:
- IaC scanning now supports Terraform 0.12 templates.
- New IaC credential checker policy/rules for Ansible (AWS) - extending the recently introduced credential checks for CFN, ARM, and Terraform.
- New Terraform checks added for AWS:
- Ensure all data stored in launch configuration EBS is securely encrypted
- Ensure S3 Bucket has MFA delete enabled
- Ensure S3 bucket has access logging enabled
- Ensure no S3 bucket has an ACL defined which allows public READ access (Optix previously checked only for public-write and public-read-write)
- Slack integration setup enhancements: The setup workflow and UI for the Slack integration in Cloud Optix has been improved. Administrators now see an "Authorize Slack" landing page in the Cloud Optix console. Administrators now authorize their Slack account, and then return automatically to the Cloud Optix console where they will see a pre-populated list of channels to choose from, in order to activate the integration.
- Instant access to pre-populated demo: The ability to switch to the Cloud Optix read-only demo account from the Cloud Optix console, without having to manually log in.
AWS Activity Logs visualizations: In the Activity Logs area of the Inventory, for AWS, the default views are now visualizations/graphs. Administrators can toggle to see the table view of CloudTrail logs as needed. The new graph views help to visualize pertinent information to help identify potential abnormalities, for example:
- Geolocation of IP addresses from which CloudTrail events have been generated
- Geolocation of IP addresses that are trusted in Security Group rules
- Number of Public S3 buckets over time
- Number of EC2 instances (and Public EC2 instances) over time
- Number of EC2 instances in each AWS region (map view)
- Most active (top 10) IAM Users by number of CloudTrail events
- Top error types and top sources of errors
- IaC scanning for secrets: New "IaC - Sophos Credentials Checker" policies have now been released. The new policies cover assessment of AWS CloudFormation, Terraform (for AWS and Azure) and Azure Resource Manager templates, and detect the existence of embedded secrets/passwords/keys for specific platform services in those templates.
- On-boarding enhancement - Request-ID parameter no longer expires: Where Cloud Optix on-boarding scripts/templates are used within CI/CD pipeline, the previous behaviour whereby the 'request-id' parameter would expire periodically meant that customers would need to regularly download a new version of the command from their console. This has now been changed, so the request-id parameter now uses the customer-id, which does not expire.
- Azure NSG alerts improvement: Previously, alerts that include Azure Network Security Groups (NSGs) did not identify whether the NSGs were in use (attached to VMs). This has now been improved, so that NSGs that are not in use, are identified as such in the alert UI.
- Users with 'Admin' role can now create Jira tickets manually from Alerts: Super Admin users can set up third party integrations including Jira, and previously it was only possible for a Super Admin to create a Jira ticket from the Alerts UI. This has now been improved so that 'Admin' users can now create tickets from alerts (note: the Jira configuration must still be set up by a Super Admin user).
- Multiple API keys for a single Cloud Optix account: Super Admin users can now create multiple keys for the Cloud Optix API for a single Cloud Optix account. The API integration page in the console now provides a list of existing keys with associated details (description, who created the key, expiry date) and the ability to delete keys and generate new keys.
- Jira integration enhancement (test option): The Jira integration page now provides a 'Test configuration' button to enable administrators to test that their settings without waiting for security alerts to generate new tickets.
Email Alerts: Cloud Optix alerts can now be sent to administrators via email. This new capability is available from the 'Integrations' page for Super Admin users, and is off by default. Super Admin users can configure the following:
- Turn email alerts on/off for the account
- Specify which administrators on the account should receive email alerts
- Specify which types of alert to send via email (Security Monitoring, Anomaly detection, GuardDuty, IaC)
- Specify which severity levels to send via email (e.g. only send critical severity alerts of a specified type)
- Note: when administrators have 'environment tags' assigned for Environment Access Control, they will only receive alert emails for environments that they have access to in the console.
- Brandable PDF reports for MSPs: The ability to co-brand the exportable PDF compliance reports is now available for MSP Flex Cloud Optix accounts. This feature can also be enabled for other types of account on-request.
- New left hand menu for standalone console: The 'standalone' Cloud Optix console now has a consistent style left hand menu to Sophos Central.
- Inventory API additions: The Cloud Optix API now includes the ability to pull inventory information for serverless functions and containers.
- Amazon SNS integration enhancement: The Amazon SNS integration now provides the environment's account name and ID as Message Attributes with each alert. This enables downstream filtering of alerts based on the environment (e.g. route alerts for a specific AWS account to a specific ticketing system).
- IAM Visualization enhancement (Lambda service): The IAM Visualization now includes the AWS Lambda service, i.e. now shows users/groups/roles that have access to the AWS Lambda service.
- Visibility of NACLs from Network Visualization: On the AWS Network Visualization, administrators can now see details of NACL rules for a sub-net. Click on the route-table icon for a sub-net; this will show a new Network ACL section in the right hand panel. Click on the NACL ID link to open a modal with the NACL rule details.
Inventory enhancement - Azure IoT Hubs: A new "IoT Hub" tab has been added to the Network section of the Azure inventory. This provides details of IoT Hubs and identifies any hubs that are using legacy TLS 1.0/1.1 encryption (to be deprecated by Azure). Additional security rules have been added:
- AZ-2356: Ensure that all Azure IoT Hubs are configured to only allow client connections that use TLS version 1.2.
- AZ-2357: Ensure that connections to the Azure IoT Hub from the internet are restricted.
- Inventory enhancement - Azure Logic Apps: A new "Logic Apps" tab has been added to the Serverless section of the Azure inventory. This provides details of Logic Apps and identifies any that are public.
- AWS IAM Access Analyzer integration: AWS launched a new service in December 2019, IAM Access Analyzer, that identifies resources (e.g. S3 buckets) that can be accessed externally from outside of an AWS account. Sophos was a launch partner for this service, demonstrating an integration with IAM Access Analyzer in Cloud Optix at the AWS re:Invent 2019 conference. We have now made this integration available in Cloud Optix (Inventory > IAM > External Access). Administrators do not need to enable this integration in Cloud Optix. An analyzer must be created in each AWS region to monitor external access to resources.
- New Get APIs for Environments, Hosts and Users inventory: The Cloud Optix Rest API can now be used to pull inventory data (Environments, Hosts and Users) for AWS, Azure and GCP Platforms. See https://optix.sophos.com/apiDocumentation
- New 'Super Admin' role for standalone Cloud Optix accounts: Customers with Cloud Optix accounts not in Sophos Central (i.e. standalone console) previously had 'Admin' and 'Read-only' user roles in the console. Consistent with Sophos Central, we have added a new 'Super Admin' role for these accounts. Now, only users with the 'Super Admin' role can invite new users to the account and assign roles to users. All existing users with the 'Admin' role have been promoted to the 'Super Admin' role automatically. In addition, when a new user is invited to join an account by a Super Admin, the default role is now 'Read only'. The Super Admin can choose to change this to 'Admin' or 'Super Admin' as required.
- CIS Certification for Azure: Cloud Optix has now been certified by CIS for the Azure CIS benchmark (Level1 and Level2). This means that Cloud Optix is now certified by CIS for all three major platforms (AWS, Azure and GCP).
- Azure on-boarding enhancement: Cloud Optix creates resources (e.g. Azure Function App) in the customer's default Azure region. Now, within 'Custom Settings' on the 'Add your cloud environment' page in the console, administrators can choose to use a different Azure region if they prefer.
- Feature highlight videos on the dashboard: We have introduced feature highlight videos on the Cloud Optix dashboard. By default three video thumbnails are displayed, however if the user's screen resolution is high, a fourth video thumbnail will be displayed. Administrators can hide the video thumbnails if desired; this is a user-level setting.
- Azure AKS support: On-board Azure AKS clusters to cloud Optix to see AKS inventory and topology visualization. Now includes the ability to include AKS clusters while adding an Azure subscription using the on-boarding script.
- Add AWS environments using CloudFormation: As an alternative to running a script using the AWS CLI, or Terraform, administrators can how add AWS environments to Cloud Optix using AWS CloudFormation (either by using the CloudFormation console, or by using the AWS CLI). Includes support for AWS CloudFormation StackSets to add multiple AWS environments to the service.
Amazon Inspector integration: Amazon Inspector findings can now be presented in Cloud Optix for EC2 instances. This includes vulnerabilities, reported by Inspector's Common Vulnerabilities and Exposures rules package.
- On the Host inventory page, there is now an Amazon Inspector filter tab at the top. This will filter the list to show EC2 instances for which there are Amazon Inspector findings. Click the Inspector icon in the "Actions" column to see the findings for the last assessment run for that EC2 instance.
- The findings page can be filtered and data can be exported as CSV.
- On the Network Visualisation page, a new "CVEs" filter at the top allows the customer to highlight EC2 instances that have CVEs discovered by Inspector, based on severity. Further details are presented in the right-hand column (i.e. number of CVEs of each severity level, with links to see details of the CVEs on the findings page for the EC2 instance).
- Configurable tables (UI enhancement): Lists/tables in the Cloud Optix console can now be configured to hide/show columns. Look for the 'cogs' icon at the top of the table. The first four columns are fixed and the user can select other columns to hide/show. The setting is applied for the specific user, and stored for subsequent use of the console.
- IAM Visualization: See relationships between AWS IAM Roles, IAM Users and Services. This innovative and differentiated new feature will allow customers to answer questions, such as:
- Which IAM Users in my AWS account have access to the S3 service, which buckets do they have access to, and what permissions do they have for each S3 bucket?
- How do they have access? I.e. via an IAM role, or as part of a Group, or directly with an in-line policy.
- Which EC2 instances have access to the RDS service?
- Which Lambda functions have access to the EC2 service?
- Spend Monitor: See daily spend across AWS, Azure and GCP, to see spikes that may indicate a security issue. See the top environments and services that are contributing to your cloud spend, and set alert threshold alerts.
- Amazon EKS support: On-board Amazon EKS clusters for inventory, topology and security checks. EKS clusters must be added after the parent AWS account, using a seperate on-boarding script. This is because additional permissions are required for EKS.
CIS Certification for GCP benchmark: Cloud Optix has now achieved CIS (Center for Internet Security) certification for the following benchmarks:
- CIS Benchmark for Google Cloud Platform Foundations v1.0.0 Level 1
- CIS Benchmark for Google Cloud Platform Foundations v1.0.0 Level 2
- Azure Cosmos DB inventory: In the Storage area of the Inventory for Azure, Cloud Optix now has a new page that lists Cosmos DBs. Includes additional security checks for Cosmos DBs. Note: Cosmos DBs are counted as Cloud Assets for licensing.
- CIS Certification for AWS benchmarks: Cloud Optix has now achieved CIS (Center for Internet Security) certification for the following benchmarks:
- CIS Benchmark for Amazon Web Services Foundations Benchmark, v1.2.0, Level 1
- CIS Benchmark for Amazon Web Services Foundations Benchmark, v1.2.0, Level 2
- The intent of the Level 1 profile benchmark is to lower the attack surface of your organization while keeping machines usable and not hindering business functionality. The Level 2 profile is considered to be "defense in depth" and is intended for environments where security is paramount.
- Azure VM Scale Sets inventory: In the Hosts area of of the inventory for Azure, Cloud Optix now includes a new column for "VM Scale Set". This enables administrators to see that hosts are part of Scale Sets, and filter to see hosts within a specific VM Scale Set.
AWS Network traffic visibility enhancements: The outbound traffic report for a selected host now includes the following additional information:
- UDP Port 53 traffic
- Port 0 (wildcard port) traffic
- Traffic where both source and destination ports are ephemeral (in cases where Cloud Optix is not able to deduce traffic direction based on port numbers, the traffic will be shown as outbound, and the port shown as 'Unknown').
- Outbound traffic WHOIS IP lookup: When viewing the list of outbound traffic for a host, administrators can now click on the destination IP address to see information such as ISP, organisation, country, region.
Sophos Central migration: Customers can now migrate from a standalone Cloud Optix account to Sophos Central. Important notes on migration to Central:
- Customer must have a Sophos Central account to migrate to. Migration will be initiated by a Super Admin user, from within their Central Admin console.
- The Sophos Central account must have an active Central Cloud Optix license applied.
- Customer must NOT have already activated Cloud Optix in their Central Admin account. Only one Cloud Optix account can be associated with a Sophos Central account; if the customer has created another Cloud Optix account via Sophos Central already, this account will need to be deleted by Sophos before migration.
- The Super Admin user that performs the migration must have the same email address registered on the Sophos Central account AND the Cloud Optix account that they want to migrate. The user will need to log into their Central Admin account using their email address, to initiate the migration.
- Customer must ensure that all users that require access to Cloud Optix are set up as users on the Central Admin account. Once the migration has completed, users will NOT be able to log into Cloud Optix via optix.sophos.com.
- Links to AWS console from Alerts: For alerts related to EC2 instances, S3 buckets, Security Groups and RDS, deep links are now provided to the AWS console to speed up manual remediation in response to an alert.
- Link the VPC Id in the topology visualization to VPC details in the Inventory.
- Link the EC2 instance Id in the topology to the host details in the Inventory.
- Link the VPC Id on the Security Group Inventory page to the VPC details in the Inventory.
- Node.js 8.10 EOL for AWS Lambda functions: Cloud Optix Lambda function now uses Python runtime (replacing node.js) for newly onboarded AWS environments. Customers who added AWS accounts to Cloud Optix before December 9, 2019, will need to upgrade their Cloud Optix Lambda functions prior to February 3, 2020, due to AWS deprecating support for the node.js 8.10 runtime. A CLI script has been provided, to upgrade deployments, without the need to re-add environments to Cloud Optix.
- Terraform 0.12 on-boarding for AWS accounts: AWS accounts can now be added to Cloud Optix using the latest version of Terraform (v0.12).
- Suppressed reason included in PDF compliance reports: When an administrator suppresses an alert, they enter a reason for that suppression in the console. The reason, along with the suppressed resources, and the user that applied the suppression, is now included in the PDF compliance report. This is displayed at the end of the report in a "Notes" section.
- Sophos Central PSA Integrations (ConnectWise and Autotask): Sophos MSP Partners can now use the Sophos Central PSA integrations for Cloud Optix, i.e. to pull usage data for customer billing.
Sophos Central integration: Cloud Optix is now available in Sophos Central, Sophos' unified management console.
- All new Cloud Optix trial accounts are now in Sophos Central. A migration capability will be provided for existing 'standalone' Cloud Optix account. MSP Flex monthly billing is now available.
- Cloud Optix Audit logs: Cloud Optix administrative actions (e.g. logins, user additions, policy changes/additions/deletions etc.) can now be seen on a new Audit Logs page under "Settings". Includes a date range selector, search field (e.g. search for a specific policy name to see when changes have been made to that policy, and by whom) and CSV export.
Updated CIS Benchmark policies:
- AWS CIS benchmark policy updated to v1.2
- Azure CIS benchmark policy updated to v1.1
- Note: these have been added as new policies. The previous versions are currently still in the product, in case customers are reporting against these policies.
- Custom Policies: Rule Search: When creating a new custom policy or customizing an out-of-the-box policy, you can now search for rules using a free-text search field. E.g. search for "S3" to return all rules that have S3 in the rule summary.
Splunk integration enhancements:
- Cloud Optix now sends additional information to Splunk. The full alert json output is now sent.
- A new setting on the Splunk integration page in the Cloud Optix console, enables administrators to specify the Max JSON length (default 10K characters).
- ML Anomaly alert data sent to Splunk now includes environment name.
RDS inventory CSV export enhancements: The CSV export from the RDS inventory page now includes the following additional information:
- Instance size
- Public y/n
- Extended browser support: We have now added support for Safari, Edge and IE11 web browsers, for the Cloud Optix console.
- New Infrastructure as Code (IaC) Scan API: A new addition to Cloud Optix IaC/DevSecOps capabilities. Use the new Cloud Optix IaC APIs to upload IaC templates for scanning and retrieve scan results. Build IaC scanning into development processes and CI/CD pipelines. https://optix.sophos.com/apiDocumentation.
- Sync on-demand: In addition to scheduled syncs for benchmark scans, administrators can now also initiate a sync at any time for a specific environment. On the Environments list page, in the Actions column, there is now a 'Sync' icon. Click this icon to start a scan.
High-risk AWS CloudTrail events (AI): Cloud Optix now highlights events from AWS CloudTrail logs (on the Activity Logs inventory page) that are considered potentially risky. In short this means "this IAM entity does not usually make this type of change". On the dashboard, you'll see a "High-risk changes" toggle in the "Changes in your environments" area for AWS. This filters the graph view to show only "High-risk" changes. The following types of changes will be labeled as "High-risk" when made by IAM entities that do not usually make such changes:
- Security Group changes
- NACL (Network Access Control List) changes
- Route Table changes
- VPC (Virtual Private Cloud) changes
- Network Gateway changes
- AWS config changes
- CMK (Customer Master Keys) changes
- IAM (Identity and Access Management) policy changes
- S3 bucket policy changes
- Shareable short URLs for inventory pages: Ability for an administrator to create a shareable short URL from an inventory page in the Console. Sharing this link with another user on the same account will enable the other user to see the same data.
- AWS Marketplace Integration: Cloud Optix is now available via AWS Marketplace as PAYG. https://aws.amazon.com/marketplace/pp/B07V59XTDF
- AWS Credential Compromise Detection: Detects and alerts when an IAM role that is assigned to a specific EC2 instance, is used from a different resource. An attacker may have used the AWS metadata API to steal temporary credentials from a compromised resource and then use those credentials to access other services in the environment. This technique was used in a recent highly publicized attack where an attacker leveraged a vulnerability in an application running on an EC2 instance, to access the metadata API.
- Over-privileged AWS IAM Users: In the IAM Users inventory list for AWS, we now have a new column that shows the number of AWS services that each user has access to, and the number of services that they have accessed in the last 12 months. Clicking on the numbers in the column will provide a list of "unused" AWS services, providing an opportunity to reduce privileges to reduce attack surface.
- 7 day reminder email: If a customer has not on-boarded at least one environment to their Cloud Optix account after 7 days from signup, they will now receive a reminder email.
Global search now supports GCP: The search box at the top of the console now supports the following GCP searches:
- GCP Host where name contains...
- GCP Host where tag contains...
- GCP Host where IP contains...
- GCP VPC where name contains...
- GCP VPC where ipv4 contains...
- GCP Users where name contains...
- GCP Storage where name contains...
- GCP Storage where owner contains...
Global search enhanced for AWS: The search box at the top of the console now supports the following additional AWS searches:
- Security groups where egress contains...
- Security groups where tag contains...
- Security groups where port contains...
- Security groups where protocol contains...
- Security groups where ip range contains...
- S3 where owner contains...
- S3 where privileges contain...
- RDS where name contains...
- RDS where DB type contains...
- RDS where region contains...
- RDS where security group contains...
- VPC where NACL contains...
- VPC where NACL Id contains...
- VPC where security group contains...
Global search now supports Azure: The search box at the top of the console now supports the following Azure searches:
- Azure Host where tag contains...
- Azure Host where IP contains...
- Azure DB where name contains...
- Azure DB where DB type contains...
- Azure DB where region contains...
- Azure Users where name contains...
- Azure Security Groups where name contains...
- Azure Security Groups where protocol contains...
- Azure Security Groups where port range contains...
- Azure Storage where name contains...
- Option to include remediation steps in PDF reports: In "Settings" customers can now choose to include remediation instructions in the downloadable PDF compliance reports. This is 'off' by default because it will make the PDF reports notably larger.
- Azure on-boarding script now supports separation of duties: The Azure script can now be run by different Azure users, so the on-boarding can be completed in two stages by different users in the customer's organization with the requisite permissions.
- Stage 1 will create the Cloud Optix enterprise app in the Azure tenant
- Stage 2 will add the subscriptions to Cloud Optix
- GKE support: Option to include GKE clusters when adding a GCP project. A supplementary script is also available to enable GKE clusters to be added to GCP projects that have already been on-boarded to Cloud Optix. Once a GKE cluster is on-boarded, customers benefit from the following:
- GKE nodes are displayed as such on the GCP topology visualization
- GKE inventory: details of Clusters, Nodepools, Nodes, Pods, Containers, Services, and more, with list filters to show where resources may be contravening configuration best practices
- GCP CIS benchmark policy includes a new "Kubernetes Engine" sub-section with 16 new security checks.
- Amazon SNS integration: Push Cloud Optix alerts to an existing Amazon Simple Notification Service (SNS) topic, typically for onward integrations into other systems. Includes options to send only Critical, High, Medium or Low alerts.
- GCP Audit Logs Inventory: The Cloud Optix inventory now includes Google Cloud Platform Audit Logs in the "Activity Logs" section of the console. This is another parity enhancement to align with the offering for AWS and Azure (Cloud Optix includes AWS CloudTrail logs and Azure Activity Logs in the inventory). The "Changes in your environment" component on the dashboard also supports GCP with this enhancement.
- Improvements to "Sophos Cloud Optix Demo" account:
- Demo users can now see the on-boarding instruction screens (placeholder tags are inserted in the commands in the UI)
- Demo users can now see the settings screens for the third party integrations (but cannot make changes)
- Demo users can now see integration options (e.g. Jira) and suppression capabilities from Alerts (but cannot apply suppressions)
- Note: these changes only apply to the demo account, and are not available for customer read-only users.
- New AWS Check: Ensure inbound public IP-address range in Security Group is /24 or stricter (AR-1039): By default, the alert will detect and list Security Groups that have ingress rules with IP range that is less than /24 (SG rules should be as strict as possible). If the CIDR range in the rule has a prefix value of /24 or above then rule will pass. This rule is editable to enable customers to change the prefix value.
- Benchmark checks for Azure App Service: New rules for Azure App Service have been added to the "Azure - Sophos Cloud Optix Best Practices" policy in the App Services (Serverless) Security section.
- Local search now available for the Alerts page: This feature allows customers to perform a local search on the alerts page similar to the inventory pages to quickly find issues based on keywords.
- Compliance policies are now loaded automatically: For an improved trial experience, all Cloud Optix compliance policies are now loaded into the customer's account automatically when the account is created. No need to on-board an environment to see the policies available for that type of environment.
- Improved date-selector for AWS Security Group inventory: UI enhancement. The ability to allow customers to see Security Group changes over a time period is an important feature. We have improved the date picker at the top the page to make this clearer (using the same date picker as used for Alerts).
Azure Functions: Azure Functions are now shown in the Inventory section (Serverless section). Security checks relating to Azure functions now included in the Azure benchmark policy.
- Note: Customers who on-boarded Azure environments before the introduction of this feature, will see AvidActivityLogs and AvidActivityLogs functions (created by Cloud Optix) in the Serverless inventory, labelled as "HTTP Allowed" and "Client Cert Disabled". Whilst this is not a concern from a security perspective due to the nature of these Azure Functions, customers may question why our own functions are shown in this way. We have changed these functions so this will not be the case for new deployments. For existing customers, a 'patch' script is available that customers can run if they wish, to update existing "Avid" functions in their environment.
- Inferred DBs/Apps now detects ELK stack (AWS): The "Inferred DBs" functionality on the AWS topology visualization has now been extended to detect and show Elasticsearch, Logstash and Kibana applications.
- Enable/disable scanning for specific IaC environments (code-repos): Customers can now choose which code repos to enable/disable for Cloud Optix security scanning (on the IaC environments list in Settings). When the customer first sets up their IaC integration, code-repos will be shown as "Pending" until the first code-push is seen. Then the status will change to Enabled, and the customer can choose to disable, if required.
New compliance policies for GCP and Azure:
- GCP: SOC2, GDPR, ISO27001, PCI DSS, HIPAA
- Azure: ISO 27001
- Improved environment on-boarding instructions: The design of the 'Add you cloud environment' screen has been improved, with new tab design, re-written and reformatted instructions. Where there are multiple on-boarding methods (e.g. CLI and Terraform) the instructions use an expand/collapse format.
- AWS on-boarding script now sets CloudWatch retention period: Previously the "CT-Avid-LogGroup" and "Flowlogs-Avid-LogGroup" CloudWatch log groups created by the Cloud Optix on-boarding script did not have a CloudWatch retention period set. Over time, this would incur cost for archival of data. The on-boarding script has now been updated to set a retention period. “logs:PutRetentionPolicy” has been added to the documented minimum permissions required to run the script.
- Additional security checks for IaC Terraform script assessment: Further strengthening the IaC proposition, we have added ten new rules/checks to the Terraform Azure IaC policy.
- IaC now supports Azure ARM templates: Cloud Optix DevSecOps/IaC now includes support for Azure Resource Manager (ARM) templates. A new IaC policy is available in the console (IaC - Sophos Best Practices - Azure Resource Manager) with 25 security checks.
- User Login Anomaly Detection (AI) now supported on GCP: Further extending 'parity' of key functionality across multiple cloud platforms, the User Login Anomaly detection (AI) capability is now supported on GCP.
- "Show Inferred DBs" feature now supported for Azure and GCP: The "Show Inferred DBs" feature on the network topology visualization, is now also supported on Azure and GCP.
- Document minimum permissions to run AWS on-boarding scripts: This information has been added to the online help, including the json required to create a custom role. A link has been added to this information, from the on-boarding instructions page in the console.
- Disable/enable compliance policies en-masse: Providing an easy way to disable policies en-masse rather than one at a time.
- Azure flow logs now uses consumption-based billing: Customer cost saving when using Cloud Optix with Azure. Previously, the Azure Function that Cloud Optix creates in the customer environment to push flow logs and activity logs to the service, used dedicated instances/VMs. This meant the customer was charged continuously by MSFT for the running VM. We have now updated the setup to use consumption based model, so the Azure Function will only be billed based on usage. Note: this is a change to the Azure on-boarding script and does not affect existing deployments.
- GuardDuty integration setup improvements: On the GuardDuty integration screen, Cloud Optix now provides details of the IAM role permissions required to run the setup (and removal) scripts.
- Customizable scanning frequency: Customers can change the scanning period for benchmark/compliance checks, for each environment (Settings > Environments > Edit Environment). Options include 30 minutes / 1 hour / 2 hours / 6 hours / 12 hours / 24 hours. Choose to run scans continuously (at the specified cadence) or only between specified hours of the day. The default setting is now 1 hour for all accounts.
- Sophos UTM in AWS topology visualization: Sophos UTMs from AWS marketplace are now represented with Sophos UTM icon in the AWS topology visualization. Clicking on the icon will display: version, deployment type (standalone, HA, autoscaling) and a link to the default webadmin UI.
Expired accounts now stop syncing automatically: We have changed the behavior so expired accounts will no longer sync with the cloud provider (i.e. security/compliance scanning will stop automatically).
- Trial accounts: Syncing stops immediate when the trial expires
- Full accounts: Syncing stops after a 14 day grace period following subscription expiry
- Syncing automatically resumes if the account becomes active again (e.g. trial extended, full license renewed)
- General Availability of Sophos Cloud Optix.