Active Threat Response for Sophos Switches and Access Points
With the new Active Threat Response feature, Sophos extends the capabilities of Sophos Access Points (AP6 series only) and Sophos Switches. This feature enables an automatic real-time response to threats, especially in combination with Sophos MDR, Sophos XDR, or third-party solutions. Recently, the Sophos Firewall received new protection features with the update to Version 20, and now Sophos Switches and Access Points also benefit from this improved threat defense.
How Active Threat Response Works
Sophos already offers effective protection against attackers’ lateral movement on endpoints. Lateral movement refers to an attacker spreading within a network after compromising an initial entry point. The attacker then tries to move from one device to the next to steal sensitive data or infect additional systems.
However, not every device in the network is equipped with Sophos Endpoint, and precisely these unprotected devices are often targeted by attackers. This is where Network Detection and Response (NDR) comes into play. NDR continuously monitors network traffic and analyzes data packets for anomalies that could indicate suspicious activity. This enables threats to be detected before they can cause serious damage.
Access Points and Switches are often the first points of contact in endpoint network communication. This makes them an ideal platform for quickly detecting threats and responding to them. With Active Threat Response, compromised systems can be isolated in real time using threat feeds controlled via an API. This prevents attackers from moving laterally through the network and enables targeted countermeasures.
- Sophos Knowledge Base - Active Threat Response Switches
- Sophos Knowledge Base - Active Threat Response Access Points
Threat Feeds and Isolation
Threat feeds are obtained from trusted sources (Sophos or third-party providers) and include the MAC addresses of compromised devices. This information is forwarded to all AP6 Access Points and Sophos Switches on the network that are managed in the same Sophos Central account. As soon as a compromised device is identified, it is immediately isolated and loses network access. This prevents attackers from spreading further and provides valuable time for countermeasures and cleanup processes.
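The feed-to-isolation flow described above, as an added example written for this article (not Sophos code and not the Sophos Central API): the feed entries, source identifiers, device inventory and MAC addresses are constructed, and `may_connect` is a hypothetical model of the admission check a switch port or AP would enforce after a feed push. It also shows the two checks a practitioner would want on such a feed: entries from untrusted sources and malformed MAC addresses are rejected rather than pushed.

```python
import re

# Added example, not Sophos code: feed format, source names and inventory are constructed.
MAC_RE = re.compile(r"^([0-9a-f]{2})([:-]?)([0-9a-f]{2})\2([0-9a-f]{2})\2"
                    r"([0-9a-f]{2})\2([0-9a-f]{2})\2([0-9a-f]{2})$")
TRUSTED_SOURCES = {"sophos-mdr", "sophos-xdr"}  # hypothetical feed source ids

def normalize_mac(raw):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabbccddeeff; else None."""
    m = MAC_RE.match(str(raw).strip().lower())
    return ":".join(m.group(i) for i in (1, 3, 4, 5, 6, 7)) if m else None

def apply_threat_feed(feed, devices, account):
    """Push trusted, well-formed MACs to all switches/APs in `account`; isolate attached clients."""
    isolated, rejected = {}, []
    for entry in feed:
        if entry.get("source") not in TRUSTED_SOURCES:
            rejected.append((entry, "untrusted source"))
            continue
        mac = normalize_mac(entry.get("mac", ""))
        if mac is None:
            rejected.append((entry, "malformed mac"))
            continue
        for dev_id, dev in devices.items():
            if dev["account"] != account:   # other Central accounts never receive it
                continue
            dev["blocklist"].add(mac)       # also enforced on later association attempts
            if mac in dev["clients"]:
                dev["clients"].discard(mac)
                isolated.setdefault(dev_id, []).append(mac)
    return {k: sorted(v) for k, v in isolated.items()}, rejected

def may_connect(dev, raw_mac):
    """Admission check a switch port or AP applies to a (re)connecting client."""
    mac = normalize_mac(raw_mac)
    return mac is not None and mac not in dev["blocklist"]

# Constructed inventory: two devices in Central account "A", one in account "B".
DEVICES = {
    "switch-1": {"account": "A", "clients": {"aa:bb:cc:00:00:01"}, "blocklist": set()},
    "ap6-1":    {"account": "A", "clients": {"aa:bb:cc:00:00:02"}, "blocklist": set()},
    "switch-2": {"account": "B", "clients": {"aa:bb:cc:00:00:01"}, "blocklist": set()},
}
FEED = [  # constructed feed entries, including two that must be rejected
    {"source": "sophos-mdr", "mac": "AA-BB-CC-00-00-01"},
    {"source": "sophos-xdr", "mac": "aabbcc000002"},
    {"source": "random-blog", "mac": "aa:bb:cc:00:00:03"},
    {"source": "sophos-mdr", "mac": "not-a-mac"},
]
```

Running `apply_threat_feed(FEED, DEVICES, "A")` isolates one client on each account-A device, leaves the account-B switch untouched, and blocklists the MACs on every account-A device so they are refused even where they were never seen.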

Advantages of the Sophos Ecosystem
Active Threat Response extends the unique capabilities of the Sophos ecosystem with several key advantages:
- Host isolation: Isolates wired and wireless devices, including managed hosts (clients and servers with Sophos Endpoint) and unmanaged devices (such as printers).
- Prevention of lateral movement: Immediate isolation of compromised systems prevents attackers from spreading further within the network, providing more time for incident cleanup.
- Use of threat feeds: Threat feeds from multiple trusted sources are used to ensure comprehensive and up-to-date threat detection.
Availability and Licenses
Active Threat Response is now available via Sophos Central for Sophos Wireless (AP6 series only) and Sophos Switch. A valid support subscription is required for each AP6 Access Point or Switch.
Integration with Sophos Firewall
While a Sophos Firewall is not required to use Active Threat Response, combining Sophos Wireless, Sophos Switch, and Sophos Firewall provides comprehensive protection across all network layers. This combination enables different response measures and advanced automations that support faster cleanup of security incidents.
Overview and Assessment
Switches
After a wait of more than two years, Sophos is finally introducing a feature with Active Threat Response that truly sets Sophos Switches apart from others. Until now, Sophos Switches have hardly differed from those of other manufacturers, apart from management via Sophos Central, and even that with a reduced feature set.
Nevertheless, Active Threat Response represents a significant step forward in threat defense. Through integration with Sophos MDR, Sophos XDR, and third-party solutions, it enables a fast and effective response to threats. This not only improves protection, but also helps manage security incidents more efficiently and preserve network integrity.
Access Points
Sophos AP6 Access Points have only been on the market for six months, but with Wi-Fi 6 they are already no longer fully up to date technologically. In addition, Sophos Central, the controller for the Access Points, still lacks features that were available on the older APX models and are only expected to be implemented toward the end of the year.
In addition, various customers report problems with the Access Points, particularly regarding range. Only the introduction of Active Threat Response brings a significant new capability back into play.
However, it remains to be seen whether this is sufficient to compete with the extensive offerings of other manufacturers.
In summary, Sophos Switches and Access Points have become more valuable with the introduction of Active Threat Response. Nevertheless, the decision about whether to invest in Sophos network hardware depends heavily on specific requirements and the existing IT infrastructure.
