Sophos Endpoint Security and Data Protection 9.7
£11,250 for 500 users, one-year subscription (exc VAT)
Strengths: Extensive endpoint security features, main components integrated well into a single management console, controls for applications, data and removable devices
Weaknesses: NAC and disk encryption are separate components
Verdict: Sophos is offering a big bundle of endpoint security measures that looks like good overall value, although NAC and disk encryption are managed separately
Endpoint protection products tend to have a high price tag, but Sophos' latest Endpoint Security and Data Protection (ESDP) 9.7 looks comparatively good value. It brings together a wide range of security measures including anti-virus, anti-malware, firewall, application and data controls, intrusion prevention, NAC, disk encryption and removable device management.
All except NAC and disk encryption are integrated into a central enterprise console, which opens with a dashboard showing the status of managed systems, virus alerts, suspicious behaviour, policy issues and systems with errors. The bottom half of the dashboard is where all the action takes place, with the left pane handling groups and policy management. Alongside you have lists of group members where you can view individual systems and see their installed OS and service packs, the status of the ESDP components, detected threats and whether they are up to date.
Policies are used to control each component and ESDP is provided with a default set that is applied to all groups as they are created. These should cover most requirements, but you can create custom policies for each individual component if required and assign these to selected groups instead.
After the console has been installed, a wizard pops up, asks for registration details and then updates itself, which we found took only a few minutes. Next up is an import wizard that provides a number of methods to search for computers on the network.
We opted to use the Active Directory option where we selected the computers container and imported all our Windows XP, 7, Server 2003 and Server 2008 R2 systems straight into the console in a new group. Sophos also provides a computer and network subnet search, or you can add systems manually.
Our next job was to select the protect computer option, which deploys the agent to each system using AD credentials. However, some work on our Windows 7 clients was required prior to this, as you must turn off UAC completely, enable the remote registry service and change the advanced share settings.
An update policy is active by default and defines how often group members receive software updates. Other active policies are anti-virus, intrusion prevention and the firewall. Policies for application, device and data control and tamper protection are disabled by default.
The device control component is far more basic than specialist products such as DeviceLock, but it can control access to floppy, optical and USB removable storage, plus wireless and Bluetooth. For each device type you can block or allow read-only or full access and set the policy to passively monitor them and just send device usage details back to the console.
The dashboard shows if a device policy has been triggered and clicking on this entry brings up the offending system in the main pane below. Usefully, this applies to any component in the dashboard so you can quickly see which system has caused the alert.
Application control is extensive, with Sophos providing a large list of predefined applications grouped tidily into different categories. We were able to block access to a wide range of applications including FTP and file sharing utilities, although for Microsoft Office we could block only the entire suite and not individual members.
Data control policies offer two options where file matching rules can be used to stop file types or specific file names from being copied or emailed. Alternatively, ESDP can check file contents for phrases and patterns. An extensive list of patterns includes many required by HIPAA, PCI DSS and PII standards.
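The two kinds of data control rule described above (file matching on names and types, and content matching on phrases and patterns) can be illustrated with a small rule engine. This is an added example written for this review, not Sophos code; the rule names, the sample files and the card-number pattern are all constructed here. It shows one detail the review does not: a pattern such as a payment card number is usually paired with a Luhn checksum so that arbitrary 16-digit strings are not flagged.

```python
"""Toy data-control rule engine: file-matching rules plus content patterns.

Added example, not part of the reviewed product. Rule names, thresholds and
sample files are all constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample "files" (name -> content); not data from the review.
SAMPLE_FILES = {
    "quarterly_report.docx": "Revenue grew 4% quarter on quarter.",
    "customers.csv": "name,card\nAlice,4111 1111 1111 1111\nBob,1234 5678 9012 3456",
    "payroll_backup.pst": "mailbox export",
    "memo.txt": "INTERNAL USE ONLY: draft pricing for next quarter.",
}

# File-matching rules: block by extension or by a pattern in the file name.
BLOCKED_EXTENSIONS = {".pst", ".kdbx"}
BLOCKED_NAME_PATTERNS = [("payroll-in-name", re.compile(r"payroll", re.I))]

# Content rules: literal phrases and a regex for 13-16 digit card numbers
# written with optional spaces or dashes between digits.
PHRASES = ["internal use only"]
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


@dataclass
class Finding:
    filename: str
    rule: str
    detail: str


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_digits(digits: str) -> str:
    """Keep first and last four digits so the finding is reportable without leaking the number."""
    return digits[:4] + "*" * (len(digits) - 8) + digits[-4:]


def check_file(name: str, content: str) -> list[Finding]:
    findings: list[Finding] = []

    # File-matching rules act on the name alone, before any content is read.
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in BLOCKED_EXTENSIONS:
        findings.append(Finding(name, "blocked-extension", ext))
    for rule, pattern in BLOCKED_NAME_PATTERNS:
        if pattern.search(name):
            findings.append(Finding(name, rule, pattern.pattern))

    # Content rules: phrase match is case-insensitive; the card pattern is
    # confirmed with Luhn so random digit runs do not trigger an alert.
    lowered = content.lower()
    for phrase in PHRASES:
        if phrase in lowered:
            findings.append(Finding(name, "phrase", phrase))
    for match in CARD_RE.finditer(content):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            findings.append(Finding(name, "payment-card-number", mask_digits(digits)))
    return findings


def scan(files: dict[str, str]) -> dict[str, list[Finding]]:
    """Run every rule over every file and return findings keyed by file name."""
    return {name: check_file(name, content) for name, content in files.items()}


if __name__ == "__main__":
    for filename, hits in scan(SAMPLE_FILES).items():
        for hit in hits:
            print(f"{filename}: {hit.rule} ({hit.detail})")
```

In the sample set the `.pst` file trips two name rules without its content being read, the CSV yields exactly one card finding because the second number fails the Luhn check, and the memo is caught by the phrase rule regardless of case.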
NAC is a separate server component installed on the console server or another system, and all clients need an extra NAC agent loaded. It scans endpoints for required software components and can block network access if they aren't present.
Each NAC policy combines various profiles to identify OSs, service packs, patches, anti-virus and firewall, and can remediate endpoints if required. However, apart from policy lists, it isn't integrated into the ESDP console and we found it complex to use.
ESDP is further complicated by the SafeGuard disk encryption module, as this is totally separate, requires yet another endpoint agent to be installed, and comes with no deployment tools.
Sophos is offering an impressive package for the price and we found the main ESDP components easy to deploy and use. However, although the NAC and SafeGuard encryption components add extra value, they increase management overheads.