
Veeam Sophos Integration


I recently helped a partner integrate their Veeam solution with Sophos so I thought I would provide some details and information around these processes.

Sophos is a global cybersecurity company that provides a range of solutions to protect organizations from various digital threats. Their offerings include:

  1. Endpoint Protection: Safeguards individual devices such as computers and smartphones from malware, ransomware, and other threats.
  2. Network Security: Includes firewalls and intrusion prevention systems to protect network traffic and prevent unauthorized access.
  3. Cloud Security: Protects data and applications in cloud environments from security breaches and data loss.
  4. Email Security: Filters and scans email traffic to prevent phishing attacks, spam, and malicious attachments.
  5. Unified Threat Management (UTM): Combines multiple security functions into a single appliance or service to simplify security management.
  6. Sophos Central: A centralized management platform that provides a unified interface for monitoring and managing Sophos security products.

Sophos is known for its innovative approach to cybersecurity, leveraging artificial intelligence and machine learning to enhance threat detection and response.

Integrating Sophos with Veeam Backup & Replication: A Quick Guide

Integrating Sophos Central with Veeam Backup & Replication enhances your security by sending backup events to Sophos for advanced analysis. This integration requires an on-premises setup with a log collector hosted on a virtual machine (VM), known as an appliance.

Steps to Integrate:

  1. Set Up Integration: Begin by configuring Veeam integration in Sophos Central.
  2. Configure Veeam Instances: After the initial setup, configure your Veeam instances to forward logs to the designated Sophos appliance. You only need to set up Sophos Central once for this process.

This streamlined setup ensures comprehensive security monitoring without duplicating configuration efforts.

Benefits of Integrating Veeam Backup & Replication with Sophos Central

  1. Enhanced Security Monitoring: The integration allows Sophos to analyze backup events from Veeam, improving threat detection and response.
  2. Unified Visibility: Centralizes backup and security data, giving you a holistic view of your IT environment and enhancing incident management.
  3. Advanced Threat Detection: Sophos's advanced analytics and threat intelligence can identify potential security risks within your backup data.
  4. Streamlined Management: Simplifies the setup and management of backup security by sending logs directly to Sophos without redundant configuration.
  5. Proactive Protection: Enables real-time monitoring and alerts, helping you proactively address potential issues before they impact your operations.
  6. Efficient Incident Response: Facilitates quicker and more informed responses to security incidents by integrating backup and security data.

By integrating Veeam with Sophos Central, you leverage advanced security features to safeguard your backup infrastructure and enhance overall protection.

Detailed steps to integrate

*You must have the Sophos Backup and recovery integrations license pack to use this feature.*

*You must have Veeam Backup & Replication version 12.1 or later.*

You can integrate Veeam Backup & Replication with Sophos Central for event analysis using an on-premises setup. This involves a log collector appliance on a VM that sends data to the Sophos Data Lake. Multiple Veeam instances can be configured to send logs to the same appliance, with the initial setup in Sophos Central being a one-time requirement.

The key steps to add an integration are as follows:

  • Add an integration for this product. This configures an image to use on a VM.
  • Download and deploy the image on your VM. This becomes your appliance.
  • Configure Veeam to send data to the appliance.
  • Get additional data from Veeam. This uses the "four-eyes" feature and is optional.

Requirements

Sophos appliances have system and network access requirements. To check that you meet them, see Appliance requirements.

Add an integration

To integrate Veeam with Sophos Central, do as follows:

  1. In Sophos Central, go to Threat Analysis Center > Integrations > Marketplace.
  2. Click Veeam Backup & Replication.

The Veeam Backup & Replication page opens. You can configure integrations here and see a list of any you've already configured.

  3. In Data Ingest (Security Alerts), click Add Configuration.

Note

If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See My domains and IPs.

Integration setup steps appear.

Configure the VM

In Integration setup steps, you configure a VM as an appliance to receive data from Veeam. You can use an existing VM, or create a new one.

To configure the VM, do as follows:

  1. Add a name and description for the new integration.
  2. Enter a name and description for the appliance.

If you've already set up a Sophos appliance, you can select it from a list.

  3. Select the virtual platform. Currently we support VMware ESXi 6.7 Update 3 or later and Microsoft Hyper-V 6.0.6001.18016 (Windows Server 2016) or later.
  4. Specify the IP settings for the Internet-facing network ports. This sets up the management interface for the VM.
    • Select DHCP to assign the IP address automatically.

Note

If you select DHCP, you must reserve the IP address.

    • Select Manual to specify network settings.
  5. Select the Syslog IP version and enter the Syslog IP address.

You'll need this syslog IP address later, when you configure Veeam to send data to your appliance.

  6. Select a Protocol.

You must use the same protocol when you configure Veeam to send data to your appliance.

  7. Click Save.

We create the integration, and it appears in your list.

In the integration details, you can see the port number for the appliance. You'll need this later when you configure Veeam to send data to it.

It might take a few minutes for the VM image to be ready.

Deploy the VM

Restriction:

If you're using ESXi, the OVA file is verified with Sophos Central, so it can only be used once. If you have to deploy another VM, you must create an OVA file again in Sophos Central.

Use the VM image to deploy the VM. To do this, do as follows:

  1. In the list of integrations, in Actions, click the download action for your platform, for example Download OVA for ESXi.
  2. When the image download finishes, deploy it on your VM. See Deploy a VM for integrations.

Configure Veeam

You now configure Veeam Backup & Replication to send data to the Sophos appliance.

To set up event forwarding via syslog, do as follows:

  1. Open the Veeam Backup & Replication console.
  2. From the main menu, select Options.
  3. On the Options page, select the Event Forwarding tab.
  4. In the Syslog servers section, click Add.
  5. In Add Syslog server, do as follows:
    1. In Server, enter the server IP and port (the default port is 514).
    2. In Transport, enter the network transport protocol: UDP, TCP, or TLS.
    3. Click OK.

You must enter the same IP address and protocol that you entered in Sophos Central when you added the integration.

  6. On the Event Forwarding tab, click OK.
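As an added example (not from this post, nor Veeam's or Sophos's own code), here is a Python loopback check that mirrors the Event Forwarding settings above: it frames a message the RFC 5424 way, sends it over the transport you would pick in Veeam (UDP, TCP or TLS), and shows why the "same protocol" rule matters, since a UDP sender aimed at a TCP listener simply never arrives. The host name and event text are constructed, and the real Veeam payload layout is not shown on the page.

```python
import socket
import ssl
import threading

# Constructed RFC 5424 framing; the page does not show Veeam's real event payload.
def build_syslog_message(hostname, app, text, severity=5, facility=1):
    pri = facility * 8 + severity  # RFC 5424 PRI; "-" below is the NILVALUE timestamp
    return f"<{pri}>1 - {hostname} {app} - - - {text}\n".encode()

def send_syslog(host, port, transport, payload, timeout=2.0):
    """Send one message using the transport picked in Veeam's Event Forwarding tab."""
    if transport.upper() == "UDP":  # fire-and-forget: no error even if nothing listens
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(payload, (host, port))
        return
    sock = socket.create_connection((host, port), timeout=timeout)
    if transport.upper() == "TLS":  # appliance certificate is checked against its hostname
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(payload)

def loopback_check(sender_transport, listener_transport="TCP", timeout=1.0):
    """Run a throwaway listener on 127.0.0.1; return the received text, or None on mismatch."""
    stream = listener_transport.upper() != "UDP"
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM if stream else socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port for the test
    srv.settimeout(timeout)
    if stream:
        srv.listen(1)
    port, received = srv.getsockname()[1], []
    def listen():
        try:
            if stream:
                conn, _ = srv.accept()
                with conn:
                    received.append(conn.recv(4096))
            else:
                received.append(srv.recvfrom(4096)[0])
        except socket.timeout:
            pass  # mismatched transport: nothing ever arrives, exactly what the note warns about
    worker = threading.Thread(target=listen)
    worker.start()
    payload = build_syslog_message("vbr01.example.test", "VeeamBackup", "constructed test event")
    try:
        send_syslog("127.0.0.1", port, sender_transport, payload)
    except OSError:
        pass  # e.g. TCP connect refused because only a UDP listener exists
    worker.join()
    srv.close()
    return received[0].decode() if received else None
```

Pointing send_syslog at the appliance's syslog IP and port from the integration details gives a quick end-to-end delivery test before relying on the events in Sophos Central.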

Get additional data from Veeam

To get data about additional Veeam events, we recommend that you turn on Veeam's four-eyes authorization.

Four-eyes authorization requires you to get additional authorization from other administrators for actions that could affect sensitive data, for example deleting backups. If you turn the feature on, details of these authorization events are sent to Sophos for analysis.

Before you turn on four-eyes authorization, check that you meet the requirements:

  • You need at least two users with the Veeam Backup Administrator role. The role can be assigned to the users or to a group they're members of.
  • You must configure email notifications for administrators. Veeam can then send administrators requests to approve actions. See Configuring Global Email Notification Settings.

To turn on four-eyes authorization, do as follows:

  1. Open the Veeam Backup & Replication console.
  2. From the main menu, select Users and Roles.
  3. Go to the Authorization tab and do as follows:
    1. Select Require additional approval for sensitive operations.
    2. Specify the time period during which the requested operation must be approved or rejected (minimum 1 day, maximum 30).
    3. Click OK.


Overall, though the process involves several steps, it is straightforward with clear guidance from Veeam and Sophos documentation. I recommend exploring this integration as a valuable option to enhance your defenses against potential cyber threats.

Nice post! Don’t think I was aware Sophos was a supported SIEM. Thanks for sharing this @SSimpson.


This is a great post and nice to see how the Sophos integration works. Would be great to be able to get an NFR or something to test for the Veeam 100. 😁


Nice post. Thanks for sharing 👍


Thanks for sharing this.

We recently had a sign from our customer to switch from Acronis to Veeam Advanced VULs and Veeam for M365. This customer is already running a Sophos environment with MDR. So your post will help me a lot to integrate VBR with it. Appreciate it 😍


Any plans to integrate VB365 also?


Nice one
