The Sophos Account Health Check enables customers running Sophos Endpoint and Sophos Server Protection to quickly identify and address configuration issues with their Sophos protected devices.
Accessed through the Sophos Central platform, the Health Check performs checks across four areas, with more coming soon:
- Software assignment – do devices have all the right software assigned to them?
- Threat policy – are policies using recommended settings?
- Exclusions – are any exclusions creating significant exposure?
- Tamper protection – has tamper protection been disabled?
Should an issue be identified, the ‘Fix Automatically’ option enables customers to address insecure configurations in just a couple of clicks.
We continue to extend and enhance this hugely popular feature and have recently introduced the ability to ‘snooze’ failing checks, enabling customers to come back and review them later, together with new Health Scores.
Health Scores
This new feature provides a simple, clear numeric security posture score out of 100. It enables customers running Sophos Endpoint and Server Protection to quickly identify configuration that requires attention, and track and report on efforts to improve their security configurations. It includes both an overall score for the customer environment, as well as individual scores for each separate check.
As with other elements of the Sophos Account Health Check, the scores are a useful tool in overall cybersecurity posture management and should be used alongside broader assessments of your wider environment and security technology stack to provide a complete picture of your cyber health.
The screenshot below illustrates the multiple layers of scoring that is provided. This account has an overall health score of 74, which is the result of a protection score of 45, a policies score of 99, a tamper protection score of 45, and an exclusions score of 88.
Score Focus: Protection Installed
The protection installed score of 45 in the above example is a combination of an endpoint protection score of 0 (indicating that none of the 30 devices have all the Sophos protection software that the customer has licensed, installed on them) and a server protection score of 90 (one device out of ten doesn’t have the licensed protection software installed). These two individual scores result in an overall protection score of 45 (0 + 90 / 2).
As this example illustrates, the overall scores are the summed average of the individual scores, not a weighted average or percentage. The score of 45 does not reflect the disparity in the number of server and endpoint devices. This is a deliberate approach to ensure small but critical areas of protection do not get missed.
Consider, for example, an organization with 200 endpoints that are all running up-to-date protection and 10 servers, of which five are unprotected. The weighted average score would be 98 (205 / 210) but the summed average is 75 (100 + 50 / 2). Using the weighted average, it would be easy to overlook the lack of server protection with potentially devastating consequences.
Score Focus: Tamper Protection
Tamper protection is a critical layer of defense, preventing adversaries from disabling Sophos protection. (Read this article to learn how the Tamper Protection capability in Sophos Endpoint thwarted a novel ransomware attack).
While Tamper Protection is always turned on by default, it can be turned off at both a global and individual device level. In the example below, the global tamper protection score of 100 reflects that the feature has been activated at a global level, however the endpoint (0) and server (90) tamper protection scores make clear that it has been disabled on a number of individual machines. The overall score of 45 reflects the average of the endpoint and server scores. This granularity is important in ensuring that gaps in protection are not missed.
Score Focus: Exclusions
The exclusion score leverages real-world insights from the Sophos MDR team to focus on the most common and impactful issues, such as the exclusion of an entire drive.
The Account Health Check assesses the types of exclusions that we have checks for, focusing on the biggest security risks and the issues most seen in the wild.
The score reflects the proportion of assessed exclusions where we have not identified any issues. For example, if an organization has one exclusion that we check for and one that we don’t cover, their score would be based solely on the exclusion that we check for (in this case, 0 or 100). It’s important to note that a score doesn’t mean that it is perfect, rather that we have not identified it as insecure.
Each organization is different and it’s important to be aware that the Exclusions score is not an exhaustive review of all possible exclusions. Should you require an in-depth, personalized review of exclusions in the context of your own organization, our Professional Services team is able to help.
New Snooze Feature
While it may not always possible to rectify an issue straight away, it’s essential to not lose sight of it. The new Snooze feature enables you to defer review to a later date, for example if you’re in a change freeze or if you’re rolling out a fix gradually. When an item is snoozed, it changes to gray in the dashboard to provide an ongoing visual reminder of an outstanding item.
Get Checking!
The Account Health Check is available to all customers running Sophos Endpoint or Sophos Server Protection in the Sophos Central console. We recommend organizations review their posture on, at minimum, a monthly basis.
For more information, check out the Health Check Scores and Snooze Issues pages in Sophos Central Admin.
We are continuing to develop the Account Health Check capability and will be adding further checks and remediation guidance in the coming months. Should you need help running the check, speak to your Sophos distributor or representative, or reach out to the Sophos technical support team.