During his keynote, Matt Fairbanks (CMO of Sophos) presented Sophos' mission and vision for bringing its conception of Synchronized Security to market. What does it mean to bring the worlds of network security and endpoint security together, and what has this meant for developments at Sophos over the last year?
2. Sophos Snapshot
• Founded and headquartered near Oxford, UK
• Over 230,000 customers and over 100 million protected endpoints
• Largest software IPO in London Stock Exchange (LSE) history
• Growing at 15-20% per year, 2x+ the rate of the market
• 3,000+ employees and 20,000+ partners
3. Synchronized Security: linking network and endpoint security to deliver unparalleled protection by accelerating and automating threat discovery, analysis, and response.
4. “No other company is close to delivering this type of synchronized and integrated communication between endpoint and network security products.” (Chris Christiansen, VP of Security Products, IDC)
6. Synchronized Security Platform and Strategy (architecture diagram)
• Cloud Intelligence: Sophos Labs (24x7x365, multi-continent operation) and Analytics (analyze data across all of Sophos’ products to create simple, actionable insights and automatic resolutions): URL Database | Malware Identities | File Look-up | Genotypes | Reputation | Behavioural Rules | APT Rules | Apps | Anti-Spam | Data Control | SophosID | Patches | Vulnerabilities | Sandboxing | API Everywhere
• Sophos Central (in cloud and on prem): Admin | Self Service | Partner; Manage All Sophos Products | User Customizable Alerts | Management of Customer Installations
• Products: Endpoint/Next-Gen Endpoint, Mobile, Server, Encryption, UTM/Next-Gen Firewall, Wireless, Email, Web
7. Sophos Central: Partner Dashboard and Admin Self Service
• Partner Dashboard allows partners to manage multiple customer installations
• Admin Self Service allows users to customize security status and notifications
• Products managed: Endpoint Protection, Email Security, Web Gateway, Server Protection, Encryption, Mobile Protection, Wireless
8. Synchronized Security Platform and Strategy (same diagram as slide 6), highlighting: Heartbeat
9. Synchronized Security Platform and Strategy (same diagram as slide 6), highlighting: Synchronized Encryption
10. Synchronized Security Platform and Strategy (same diagram as slide 6), highlighting: Unknown App ID
11. Synchronized Security Platform and Strategy (same diagram as slide 6), highlighting: Lateral Movement Protection
12. Threats and controls bubble chart (axes: COMPLEXITY vs RISK BASED ROI; labelled from THE 99% to the 1%)
• THREATS: Off the shelf Exploit Kits; Executable Malware; Doc / Script Malware; Data Leakage; 0days; Long dwell Campaigns; Injection Attacks; Targeted Phishing; Bespoke Malware; Critical Infrastructure / Nation-State Attacks; Supply Chain Integrity Compromises; Insider movement (PTH, Skeleton Key, Golden Ticket)
• CONTROLS: Endpoint AV; URL Filtering; Email Security; WAF; Encryption; CASB; NextGen Firewall; Sandboxing; NextGen EP; DLP; SIEM; Threat Intel; User Behavior Analytics; Security Automation / Risk Quantification; Deception Networks / DDW monitoring
13. The same chart with a TIME axis added: a Complete, Simple System
14. Synchronized Security Platform and Strategy: UTM/Next-Gen Firewall
Highlights
• Sophos SG UTM 9.4 adds Sophos Sandstorm
• Sophos XG Firewall 16 now available
• New Synchronized Security use cases
• Sophos Firewall Manager 16 shipping this month
• XG Firewall 16.5 with Sandstorm
• Sophos UTM 9.5 comes early 2017
• Additional Synchronized Security use cases
15. UTM/Firewalls: Two Platforms with Competitive Advantage
SG UTM: trusted platform getting stronger
• Solid, stable platform customers and partners know and love
• Sophos Sandstorm in v9.4
• WAF and VPN enhancements in v9.5
• Future-proofed and ready for SF-OS whenever customers/partners choose
XG Firewall: new platform for an exciting future
• Combined platform, best of SG UTM and Cyberoam
• Feature superset of Sophos SG UTM
• Simplified user experience
• Comprehensive central management solution on-prem and in the cloud
• Enhanced Synchronized Security
16. XG Firewall with SFOS v16: The Next Thing in Next-Gen
• User Experience: intuitive experience across all areas of the product, from navigation to policy to logging and more
• Feature Enhancement: over 100 new features, and adding the 35 most-wanted features from UTM 9 across web, email, OTP and many other areas
• Synchronized Security: adding new Synchronized Security features to the arsenal to improve protection, enforcement and reporting
17. Synchronized Security Platform and Strategy: Wireless
Highlights
• Sophos Wireless added to Sophos Central
• Uses Sophos Secure Access Points
• Provides usage insight to identify inappropriate behavior
• Sophos Wireless enhancements released every 3 weeks
• New Sophos Secure Access Points
• New XG 1x Series Wireless Appliances
18. Synchronized Security Platform and Strategy: Email
Highlights
• Sophos Email added to Sophos Central
• Sophos Email Appliance: Sophos Sandstorm; Time-of-Click Protection; New Anti-Spam Engine
• New Sophos Email Appliances
• Sophos Email Advanced: Sophos Sandstorm; Time-of-Click Protection
19. Synchronized Security Platform and Strategy: Web
Highlights
• Sophos Web Gateway in Sophos Central: protection up and running in 5 minutes; protects PCs, Macs, Chromebooks, and Apple iOS
• Sophos Web Appliance adds Sophos Sandstorm
• Next-Gen Web Protection
• Hybrid On-Prem and Cloud Model
• Simplified licensing and pricing
25. Sophos Home (chart of accounts created by month, NOV to SEP, scale 0 to 600,000): over 500,000 accounts created; NPS score 45 vs. industry average 19 (EXCELLENT)
26. User quotes
• “I've found it to be easy to use, reliable, and not heavy on system resources. It's also picked up on every bit of malware that I've been able to throw at it.” (ZD Net Review)
• “There are zero reasons for a home user to pay for AV now ... and per-machine web-filters are a huge bonus for us parents!!”
• “Very unobtrusive program, doesn't have constant nag windows trying to get me to upgrade. If I wanted to be nagged to death I would go talk to my ex-wife.”
(Brad, Internal I.T. Ltd.; Anonymous User)
27. Sophos Strategy: Complete and intelligent security – made simple
• Designed for IT organizations of any size
• Integrated and synchronized technology
• Managed and delivered through the cloud
• ‘Channel First’ sales model
· Introduced Synchronized Security last year with the launch of SFOSv15
· Security Heartbeat – the mechanism to allow the firewall and endpoint to work together for the first time
· Rather than having a limited IP-centric view of the world, the firewall now had insight into users and even processes on the endpoint
· Massive improvement to operating efficiency: what used to take hours or days of manual investigation became fully automated
· This was just the beginning…
· Until now, encryption solutions have relied on a single dimension, user-identity, to control access to encrypted files
· While this is certainly necessary, it isn’t sufficient because it offers no defense against hosts becoming compromised, and attackers merely piggybacking on the authenticated user’s credentials
· With Safeguard 8, we introduced Synchronized Encryption. Now our endpoint protection software exchanges information with the data protection software
· This adds the dimensions of System integrity (has this machine been compromised?) and App integrity (is this instance of an application trustworthy?) to the key revocation and restoration processes
· One of the features that made NGFWs so popular was their ability to see beyond Layer 4 all the way up to Layer 7, and to report on applications
· Without exception, some amount of traffic remains unclassifiable by NGFWs, resulting in the catch-all “Unknown” class
· With our next SyncSec enhancement, when SFOS sees a flow that its deep packet inspection engine cannot classify, it will ask the endpoint, which will respond with process and related information, virtually eliminating “unknown” flows
· It is a common MO for sophisticated attackers to establish footholds at easier-to-breach, lower-value targets, and to then move laterally through the network to higher value targets (like domain controllers)
· There have been very few security controls focused on this kind of activity within a network, and those that do tend to be retrospective, offering no real-time defenses
· This next example from our SyncSec roadmap will be a real-time defense against lateral movement
· Based on information gathered from Sophos-protected endpoints, mobile devices, and servers, our firewalls and even our wireless access points, we will not only identify behaviors characteristic of lateral movement, but we will arrest bad actors in their tracks by isolating infected hosts from the rest of the network
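The notes above describe two Synchronized Security decisions the firewall makes with endpoint help: resolving a flow that DPI cannot classify by asking the source endpoint which process owns it, and using Security Heartbeat health (missing, red, or red at the destination) to isolate hosts and cut off lateral movement. The following toy model is an added illustration, not Sophos's protocol or code; the DPI signature table, host addresses, health states and process paths are all constructed.

```python
from collections import namedtuple

# Hypothetical DPI signature table keyed by destination port (constructed).
KNOWN_APPS = {443: "HTTPS", 80: "HTTP", 53: "DNS"}

Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port")
# Constructed state an endpoint agent reports over the heartbeat channel:
# health is "green", "yellow" or "red"; procs maps local source port -> process.
Endpoint = namedtuple("Endpoint", "health procs", defaults=({},))

class Firewall:
    def __init__(self, endpoints):
        self.endpoints = endpoints  # ip -> Endpoint; absent means no heartbeat

    def classify(self, flow):
        """DPI first; if that yields Unknown, ask the source endpoint which process owns the port."""
        app = KNOWN_APPS.get(flow.dst_port)
        if app:
            return app
        ep = self.endpoints.get(flow.src_ip)
        if ep and flow.src_port in ep.procs:
            return "process:" + ep.procs[flow.src_port]
        return "Unknown"

    def decide(self, flow):
        """Heartbeat checks first, then app classification; returns (verdict, reason)."""
        src = self.endpoints.get(flow.src_ip)
        if src is None:
            return ("block", "missing heartbeat from source")
        if src.health == "red":
            return ("block", "source isolated: red health")
        dst = self.endpoints.get(flow.dst_ip)
        if dst is not None and dst.health == "red":
            return ("block", "destination-based heartbeat: destination red")
        return ("allow", self.classify(flow))

def demo():
    """Constructed hosts: clean workstation, red (compromised) host, clean server."""
    fw = Firewall({"10.0.0.5": Endpoint("green", {50123: "C:\\Tools\\sync.exe"}),
                   "10.0.0.9": Endpoint("red"), "10.0.0.7": Endpoint("green")})
    return [fw.decide(Flow("10.0.0.5", 50123, "203.0.113.10", 8443)),  # DPI unknown
            fw.decide(Flow("10.0.0.7", 40000, "10.0.0.9", 445)),        # to red host
            fw.decide(Flow("10.0.0.9", 40001, "10.0.0.7", 445)),        # from red host
            fw.decide(Flow("10.0.0.42", 40002, "10.0.0.7", 443))]       # no heartbeat

if __name__ == "__main__":
    for verdict, reason in demo():
        print(verdict, reason)
```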
Innovation has many meanings, but for our purposes, I’ll define it as “a materially positive change”. This could be an improvement to a previous solution, a new solution to a known problem, or a solution that completely anticipates a need. Proliferation is simply “the rate of adoption and diffusion of those innovations.”
The size of the bubbles is meant to represent the rate of proliferation, the bigger the bubble, the more diffuse the threat, or the more widely adopted the control. For example, on the left side we have exploit kits and executable malware, and the associated controls endpoint AV, email security, and URL filtering. While on the right we have less proliferated threats like 0days and associated controls like NextGen Endpoint. It is incumbent upon us as an industry to keep these roughly in balance to help manage asymmetries.
Recall also when I was discussing asymmetries, I mentioned that in addition to needing better defender synchronization, that we also need a way to accelerate the adoption of innovations. Looking at this chart, we do see some relatively new technologies like NGEP that understandably haven’t yet proliferated, but we also see some older technologies like 3rd party threat intel and SIEM.
Why haven’t these been more widely adopted yet, and how should we think about the most cutting edge threats and controls that we’re starting to see?
• UX: New Left Nav; Tabs for 2nd Level Nav (still a WIP); Enhanced Control Center Widgets; Redesigned Web Policy; Direct access to live log viewer from any screen (via magnifying glass)
• New network and device features: Firewall Hostname; Cloning of rules, objects, and policies; Per-rule routing; Policy routes; Firewall-to-Firewall RED Tunnels; Country filtering improvements; Improved NAT Business Rule Creation
• New email features: Per domain routing; Full MTA (store and forward); Enhanced anti-spam; SPX Reply Portal
• New Sync Sec: Missing Security Heartbeat; Real-time App Visibility; Destination-based Security Heartbeat
7.4 is the average amount of internet enabled devices per household in the UK: https://www.theguardian.com/technology/2015/apr/09/online-all-the-time-average-british-household-owns-74-internet-devices
Industry Average NPS is for Software and Apps: https://www.netpromoter.com/compare/