{"id":1721,"date":"2020-08-10T21:53:35","date_gmt":"2020-08-10T21:53:35","guid":{"rendered":"https:\/\/partnernews.sophos.com\/fr-fr\/?p=1721"},"modified":"2020-09-02T14:25:02","modified_gmt":"2020-09-02T14:25:02","slug":"making-the-most-of-xg-firewall-v18-part-4","status":"publish","type":"post","link":"https:\/\/partnernews.sophos.com\/fr-fr\/2020\/08\/products\/making-the-most-of-xg-firewall-v18-part-4\/","title":{"rendered":"Making the Most of XG Firewall\u00a0v18: Part\u00a04"},"content":{"rendered":"<h2>Protection against zero-day threats and ransomware<\/h2>\n<p>In our <a href=\"https:\/\/www.sophos.com\/fr-fr\/medialibrary\/Gated-Assets\/white-papers\/sophos-the-state-of-ransomware-2020-wp.pdf\">\u2018State of Ransomware\u00a02020\u2019 report<\/a>, more than half of the organizations surveyed across 26\u00a0countries said they had been hit by ransomware in the last 12\u00a0months.\u00a0 This underscores the critical need for predictive identification of, and protection against, zero-day threats, as advanced threats such as ransomware become more targeted and evasive.<\/p>\n<p>In this fourth article in our series on making the most of the great new features in XG Firewall v18, we\u2019re going to focus specifically on the new capabilities in XG Firewall v18 designed to protect against the latest zero-day threats, such as new ransomware variants.<\/p>\n<h2>Xstream Threat Protection<\/h2>\n<p>In previous articles, we covered the Xstream Architecture and the new DPI engine, the new TLS inspection solution, and the Network Flow FastPath.\u00a0 These all play a critical role in identifying and stopping the latest zero-day threats.\u00a0 This article highlights the new cloud-based Threat Intelligence and Sandstorm sandboxing technologies which are part of the Sandstorm 
Protection subscription.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-1722 \" src=\"https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/08\/XG-Firewall-Xstream.png\" alt=\"\" width=\"640\" height=\"339\" \/><\/p>\n<h2>How it Works<\/h2>\n<p>XG Firewall v18 includes new machine learning (ML) based Threat Intelligence and a newly enhanced version of Sandstorm Sandboxing, to catch the latest threats.\u00a0 They work together to identify the latest zero-day threats.\u00a0 Both are powered by SophosLabs Intelix which uses machine learning technology, decades of threat research, and petabytes of intelligence, providing unmatched protection against new and previously unseen threats.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-1723\" src=\"https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/08\/SophosLabs-Intelix.png\" alt=\"\" width=\"640\" height=\"357\" \/><\/p>\n<p>When XG Firewall\u2019s Xstream DPI engine performs AV analysis on a file entering the network and determines there is active code, it holds the file temporarily and sends it to the SophosLabs Intelix service in the cloud for both static and dynamic (sandbox) analysis.\u00a0 It then provides a detailed overview of the results and only releases the file to the downloader or email recipient if the file is declared safe.<\/p>\n<p>This last step is important, as many advanced malware solutions on firewalls release a file to the end-user before the analysis is complete, potentially resulting in an extensive and expensive cleanup if the file is then ultimately convicted as a threat once all analysis is finished.<\/p>\n<p>Let\u2019s take a look at what happens to a file that is scanned in a bit more detail:<\/p>\n<h2>Threat Intelligence Analysis<\/h2>\n<p>Threat Intelligence uses multiple machine learning models to analyze the characteristics, features, genetics and global reputation of the file. 
It compares the new file with millions of known good and bad files in the SophosLabs database to render a verdict in seconds without the need to execute it in real-time.\u00a0 This makes it remarkably fast and effective at identifying new threats and new variants of existing threats, particularly with files which are not easily sandboxed, such as password protected documents.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-1724\" src=\"https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/08\/Feature-Analysis.png\" alt=\"\" width=\"640\" height=\"293\" \/><\/p>\n<h2>Sandstorm Sandboxing Analysis<\/h2>\n<p>At the same time a file is submitted for Threat Intelligence Analysis, it is also submitted for dynamic behavioral analysis in our cloud sandbox environment. Because it\u2019s cloud-based, there\u2019s no additional software or hardware required, and no impact on firewall performance.<\/p>\n<p>To identify threats based on their behavior, SophosLabs has integrated the latest protection technologies from our industry-leading Intercept X next-gen endpoint product into the Sophos Sandstorm sandbox. 
This includes deep learning analysis, exploit detection, and CryptoGuard to detect active ransomware encrypting files in real time.\u00a0 The Sandbox also monitors all file, memory, registry and network activity as well as sandbox evasion techniques.\u00a0 No other firewall can offer this kind of run-time analysis with the world\u2019s best threat protection, Intercept X.\u00a0 And no other firewall offers the level of insight and reporting that XG Firewall provides \u2013 including a time-lapse series of screen shots showing events during the file execution.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-1725\" src=\"https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/08\/Word-2010.png\" alt=\"\" width=\"640\" height=\"243\" \/><\/p>\n<p>Sandboxing is particularly effective at detecting threats that can lurk in normally benign files that may not have any obvious malicious characteristics.\u00a0 Office files with macros, or benign executables and application updates, that have been subverted by hackers, are prime candidates for detection through sandboxing.<\/p>\n<h2>How to Make the Most of this Threat Protection<\/h2>\n<p>There are three key things you need to enable this critically important protection:<\/p>\n<ol>\n<li>Ensure all your customer XG Firewall licenses include the Web and Sandstorm Protection subscriptions. They need both of these subscriptions active to be protected from the latest threats. 
The new Threat Intelligence analysis in XG Firewall v18 is part of the Sandstorm license, adding tremendous value over the previous version at no extra cost.\u00a0 Log into XG Firewall and go to the <strong>Administration<\/strong> menu to see a list of active subscriptions.\u00a0 Be sure to proactively upgrade customers without this important protection.<\/li>\n<li>The new threat protection technology in XG Firewall can only inspect and analyze decrypted traffic, so ensure that TLS encrypted web traffic is being inspected. With the vast majority of web traffic now encrypted, it\u2019s critical to decrypt and inspect files being downloaded onto the network so they can be analyzed for potential threats.\u00a0 <a href=\"https:\/\/news.sophos.com\/en-us\/2020\/07\/27\/making-the-most-of-xg-firewall-v18-part-2\/\">Check our recent article<\/a> on the high-performance TLS Inspection solution in XG Firewall v18 for full details on how to take advantage of this new capability.<\/li>\n<li>In all Firewall rules governing web traffic, ensure the following two web filtering security options are set to scan web traffic and use the latest zero-day protection technologies, as outlined here.<\/li>\n<\/ol>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-1726\" src=\"https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/08\/Security-Features.png\" alt=\"\" width=\"600\" height=\"141\" \/><\/p>\n<p>That\u2019s it \u2013 it\u2019s really that easy!<\/p>\n<p>Check out this video for an in-depth guide on making the most of this new feature and a detailed look at the new and improved threat intelligence reporting and how to interpret the results:<\/p>\n<p><iframe loading=\"lazy\" title=\"v18 Threat Intelligence | Sandstorm Reporting\" src=\"https:\/\/player.vimeo.com\/video\/422806696?dnt=1&amp;app_id=122963\" width=\"640\" height=\"329\" frameborder=\"0\" allow=\"autoplay; fullscreen; picture-in-picture; 
clipboard-write\"><\/iframe><\/p>\n<h2>Testing it Yourself<\/h2>\n<p>There\u2019s a convenient harmless test file which you can find at <a href=\"http:\/\/sophostest.com\/\">SophosTest.com<\/a> which will provide a sample report for you to review.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-1727\" src=\"https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/08\/Sandstorm-Test-File-1.png\" alt=\"\" width=\"600\" height=\"258\" \/><\/p>\n<p>Also, keep an eye on the Control Center widget for any recent file downloads that have been analyzed, and then drill down for further details.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-1728\" src=\"https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/08\/Control-Center.png\" alt=\"\" width=\"600\" height=\"456\" \/><\/p>\n<p>Clicking the Control Center widget (highlighted above) drills down into a detailed list of files analyzed and their results.\u00a0 Mouse over the results column to display the threat meter, which provides a good high-level overview of the analysis results (as shown below).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-1729\" src=\"https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/08\/Advanced-Threat.png\" alt=\"\" width=\"640\" height=\"361\" \/><\/p>\n<p>Here\u2019s a summary of the resources available to help make the most of the new features in XG Firewall v18, including the new zero-day threat protection capabilities:<\/p>\n<ul>\n<li><a href=\"https:\/\/docs.sophos.com\/nsg\/sophos-firewall\/18.0\/Help\/en-us\/webhelp\/startup\/nsg\/sfos\/concepts\/ControlCenterOverview.html\">XG Firewall getting started guide<\/a><\/li>\n<li><a href=\"https:\/\/docs.sophos.com\/nsg\/sophos-firewall\/18.0\/Help\/en-us\/webhelp\/onlinehelp\/index.html\">Full online XG Firewall documentation<\/a><\/li>\n<li><a 
href=\"https:\/\/www.sophos.com\/en-us\/support\/products\/xg-firewall\/how-to-library.aspx#newVersion\">How-to videos on what\u2019s new in v18<\/a><\/li>\n<li><a href=\"https:\/\/vimeo.com\/422806696\">Video on how to make the most of zero-day threat protection<\/a><\/li>\n<li><a href=\"https:\/\/community.sophos.com\/products\/xg-firewall\/f\/recommended-reads\">A full list of recommended community articles on v18<\/a><\/li>\n<\/ul>\n<p>If you\u2019re new to Sophos XG Firewall, <a href=\"https:\/\/www.sophos.com\/en-us\/products\/next-gen-firewall.aspx\">learn more<\/a> about the great benefits and features XG Firewall can deliver to your customer networks.<\/p>\n<h2>Selling XG Firewall<\/h2>\n<p>On the Sophos partner portal, we provide you with a wealth of\u00a0<a href=\"https:\/\/partners.sophos.com\/prm\/English\/s\/assets?collectionId=10929\" target=\"_blank\" rel=\"noopener noreferrer\">sales assets<\/a>. You may filter the list of assets by selecting a category to narrow down the results. And don\u2019t forget to check whether there is a\u00a0<a href=\"https:\/\/partners.sophos.com\/prm\/English\/s\/assets?collectionId=10956\" target=\"_blank\" rel=\"noopener noreferrer\">sales promotion<\/a>\u00a0available for your region. It\u2019s worth checking back from time to time to make sure you\u2019re not missing out on a great opportunity!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Protection against zero-day threats and ransomware. 
In our \u2018State of Ransomware\u00a02020\u2019 report, more than half of the organizations surveyed across 26\u00a0countries said they had been hit by ransomware in the last 12\u00a0months.\u00a0 This [&hellip;]<\/p>\n","protected":false},"author":19,"featured_media":300000607,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"advanced_seo_description":"","jetpack_seo_html_title":"","jetpack_seo_noindex":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[74],"tags":[26],"coauthors":[45],"class_list":["post-1721","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-products","tag-xg-firewall"],"jetpack_featured_media_url":"https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/02\/xg-firewall-v18-1600x-960-horizontal.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/partnernews.sophos.com\/fr-fr\/wp-json\/wp\/v2\/posts\/1721","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/partnernews.sophos.com\/fr-fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/partnernews.sophos.com\/fr-fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/partnernews.sophos.com\/fr-fr\/wp-json\/wp\/v2\/users\/19"}],"replies":[{"embeddable":true,"href":"https:\/\/partnernews.sophos.com\/fr-fr\/wp-json\/wp\/v2\/comments?post=1721"}],"version-history":[{"count":1,"href":"https:\/\/partnernews.sophos.com\/fr-fr\/wp-json\/wp\/v2\/posts\/1721\/revisions"}],"predecessor-version":[{"id":1782,"href":"https:\/\/partnernews.sophos.com\/fr-fr\/wp-json\/wp\/v2\/posts\/1721\/revisions\/1782"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/partnernews.sophos.com\/fr-fr\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/partnernews.sophos.com\/fr-fr\/wp-json\/wp\/v2\/media?parent=1721"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/partnernews.sophos.com\/fr-fr\/wp-json\/wp\/v2\/categories?post=1721"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/partnernews.sophos.com\/fr-fr\/wp-json\/wp\/v2\/tags?post=1721"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/partnernews.sophos.com\/fr-fr\/wp-json\/wp\/v2\/coauthors?post=1721"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}