The Sophos Shake Up

It’s not often I do a write-up about a vendor rather than a specific piece of software or kit, but my recent experiences with Sophos (both personally and at work) have made a lasting impression I wanted to share. For those that know me, I’ve been disappearing further down the cyber security rabbit-hole training for the CEH and OSCP certifications, so anything that helps protect systems and users is of great interest.

Sophos at Home

Despite my place of work becoming a Sophos partner, my first recent hands-on experience of Sophos actually came at home when I was looking for a decently priced security solution. During the recent WannaCry outbreak (and some of the similar malware that followed), I heard that Sophos’ Intercept-X product was one of the only solutions that blocked the outbreak immediately because it doesn’t rely on signatures.

Given this, I contacted Sophos to ask if Intercept-X was available to home users. Their support confirmed that while it was not, many of the features of Intercept-X have been baked into Home Premium – great news. The next thing that struck me was the pricing – £40 per year for 10 devices – that’s an incredible deal and perfect for a family, as I have to protect the kids’ laptops and my collection of devices, etc.

Performance

The real test of any security software is obviously down to its ability to detect and counter threats, and without a test rig this is more difficult to evaluate. What I can confirm is that a week before I bought Sophos, I’d recovered a lot of data for a family member from a problem drive and copied it via my PC.

My AV solution didn’t bat an eyelid as I copied the files, and the AV on the host Apple computer the drive had come from hadn’t noticed anything either. When it came to copying these files to an external drive, multiple files were quarantined – the only difference being that I now had Sophos protecting my machine.

Management

Sophos Home is managed via a central web console that lets you see all of your devices, their status, etc. In a former life I used to do a lot of web development, and one of my bugbears is interface design.

Despite interfaces being the primary touchpoint for people to control and interrogate systems, they are so often an afterthought.

What struck me with all of Sophos’ control panels, web dashboards and interfaces is how intuitive and easy to use they are – no digging around to find information and the info most users want is summarised on the Dashboard.

In terms of the functionality of Sophos Home, I can easily see all of my devices, their last update status, details of any potentially unwanted programs (PUPs) and even start a scan remotely.

The only improvement I would love to see is to be able to add my mobile device to Sophos Home for central management (even though it would cost me a licence and is currently free).

Sophos for Business

As well as switching to Sophos at Perfect Image and having first-hand experience of it there, I was also lucky enough to be able to attend a Sophos event in Manchester this week as part of the Sophos Partner Tour.

There was a lot covered, but the key takeaways for me were not only what functionality future developments were bringing but also what the pace and breadth of development says about Sophos as a business. To quote The Pharcyde: It’s all good.

Interface Design

I mentioned above how impressed I’ve been with the simplicity and usability of the Sophos interfaces and I’m happy to say this extends over the full product range from basic management to reporting and Root Cause Analysis.

As partners, I love the fact that we were specifically encouraged to send feedback directly to the UX designers to help them make the product more usable – I’ve found this sort of openness and interaction unusual with enterprise vendors.

Heartbeat & Synchronised Security

For those that don’t know, a key feature that sets Sophos apart from competitors is how well their security products are integrated, most notably EPP (Endpoint Protection) and the Sophos firewalls. When a machine is compromised, or even if its status is just ‘unknown’ (it’s not reporting as ‘OK’), the firewall will shut off its access to the internet, revoke any encryption keys on it (if the user is using SafeGuard) and generally quarantine the entire system.

Sophos have now extended this functionality so that not only does the firewall quarantine the suspicious machine, it also tells all of the other machines on the network to refuse any connections from that machine, preventing the sort of lateral movement across a network that we’ve seen in newer malware, which often leverages leaked government exploits like ‘EternalBlue’.
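To make the heartbeat logic concrete, here is a small Python model of the policy described above. It is an added illustration, not Sophos code: the host names, timings and the 60-second staleness window are constructed for the example, and the rules are simply "only a fresh, explicit OK earns trust; everything else loses internet access and is refused by its peers".

```python
"""Heartbeat-driven isolation policy, modelled in Python (added example, not Sophos code).

Endpoints report a heartbeat to the firewall.  Anything that is not a fresh,
explicit OK (an active detection, a stale heartbeat, or a host never seen) is
treated as untrusted: the firewall cuts its internet access and every peer is
told to refuse connections from it, which blocks lateral movement.
Host names, timings and the staleness window are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Set

OK, RED = "ok", "red"


@dataclass
class Heartbeat:
    status: str      # what the endpoint last reported
    seen_at: float   # time of that report, in seconds


class SyncPolicy:
    def __init__(self, max_age: float = 60.0) -> None:
        self.max_age = max_age            # a heartbeat older than this is stale
        self.hosts: Dict[str, Heartbeat] = {}

    def report(self, host: str, status: str, now: float) -> None:
        self.hosts[host] = Heartbeat(status, now)

    def effective_status(self, host: str, now: float) -> str:
        """Fail closed: a missing or stale heartbeat is 'unknown', never 'ok'."""
        hb = self.hosts.get(host)
        if hb is None or now - hb.seen_at > self.max_age:
            return "unknown"
        return hb.status

    def trusted(self, host: str, now: float) -> bool:
        return self.effective_status(host, now) == OK

    def internet_allowed(self, host: str, now: float) -> bool:
        # Firewall rule: an untrusted host loses its internet access.
        return self.trusted(host, now)

    def peer_allowed(self, src: str, dst: str, now: float) -> bool:
        # Rule pushed to every endpoint: refuse inbound from an untrusted source,
        # regardless of which destination it is trying to reach.
        return self.trusted(src, now)

    def quarantined(self, now: float) -> Set[str]:
        return {h for h in self.hosts if not self.trusted(h, now)}
```

Note that a host that simply stops reporting ends up quarantined after `max_age` seconds, which is the ‘unknown’ case mentioned above.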

True Centralised Management

Sophos Central is now no longer regarded as a product or feature by Sophos but rather a hub around which all its products are built, providing a consistent intuitive solution to manage your security all in one place.

This ‘drawing together’ of the products has also facilitated improved reporting which – Sophos openly acknowledge – has been a weak area in the past. This central reporting provides some of the basic functionality of a SIEM in that you can view reports and alerts based on the logs of traditionally disparate systems.

Endpoint Detection and Response (EDR)

At the event we also got to see some of the Endpoint Detection and Response functionality and heard that this was another area of continuous improvement for Sophos.

A great demonstration was given of an Endpoint being ‘infected’ and subsequently shunned by the whole network (not just the firewall).

The presenter showed the detailed information about the breach and the path it took, including the computer processes involved, the data touched and how long elapsed between detection and lock-down, in a Root Cause Analysis diagram.

With just a few clicks, he was able to tell Sophos to scan all other workstations in the example company for dormant copies of the infected file.

It’s the little things

As well as the above, I like the little things ‘baked in’ to Sophos. For example, when I plug in one of my ‘hacking toys’ (my kids’ term) called a Rubber Ducky, Sophos is the first EPP software I’ve seen that has ever kicked up an alert.

It helpfully warns the user that something has been plugged in claiming to be a keyboard (because the Rubber Ducky presents itself as a keyboard, which is inherently trusted by Windows and installed without a prompt). It’s a little thing, but it could be the difference between a user having their passwords snatched with Mimikatz or not.
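The check described above (alerting when a newly attached device claims to be a keyboard) can be expressed in a few lines. This is an added example and not Sophos code: the device-arrival records are constructed, and the severity heuristics are this example’s own. It relies on the USB HID descriptor values: interface class 0x03 (HID), subclass 0x01 (boot) and protocol 0x01 (keyboard); a mouse uses protocol 0x02.

```python
"""Flag newly attached devices that present a USB keyboard interface (added example).

Not Sophos code.  Device records are constructed; severity heuristics are this
example's own.  A USB boot keyboard identifies itself with interface class 0x03
(HID), subclass 0x01 (boot interface) and protocol 0x01 (keyboard).
"""
from dataclasses import dataclass, field
from typing import List, Optional

HID_CLASS, BOOT_SUBCLASS, KEYBOARD_PROTOCOL = 0x03, 0x01, 0x01
MASS_STORAGE_CLASS = 0x08


@dataclass
class Interface:
    cls: int        # bInterfaceClass
    subclass: int   # bInterfaceSubClass
    protocol: int   # bInterfaceProtocol


@dataclass
class DeviceArrival:
    vid: int
    pid: int
    interfaces: List[Interface] = field(default_factory=list)


def is_keyboard(iface: Interface) -> bool:
    return (iface.cls == HID_CLASS and iface.subclass == BOOT_SUBCLASS
            and iface.protocol == KEYBOARD_PROTOCOL)


def assess_arrival(dev: DeviceArrival, keyboards_present: int) -> Optional[str]:
    """Return an alert for a new keyboard-class device, or None if it is not one."""
    if not any(is_keyboard(i) for i in dev.interfaces):
        return None  # mice, storage-only sticks and so on are not keyboards
    ident = f"USB device {dev.vid:04x}:{dev.pid:04x}"
    if any(i.cls == MASS_STORAGE_CLASS for i in dev.interfaces):
        # Heuristic for this example: a keyboard bundled with storage deserves a look.
        return f"HIGH: {ident} presents a keyboard AND a mass-storage interface"
    if keyboards_present > 0:
        return f"MEDIUM: {ident} is an extra keyboard on a host that already has {keyboards_present}"
    return f"LOW: {ident} claims to be a keyboard; confirm the user plugged one in"
```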

Sophos even warns you when running programs try to access your webcam, to help prevent nefarious recording or viewing by malware.

Summary

I’m very impressed with what Sophos has created so far, but more excited to see what they deliver in the next 6 to 12 months.

Sophos seem intent not only on pushing the boundaries of what a ‘joined-up’ security solution can do, but on doing so with a real-world focus: instead of telling the IT world what features we want, they are working with us and creating the tools we need.

James Cope

IT Executive, Technologist, Architect, Triathlete

6 years ago

Great to see Sophos in use!

Aaron Carrier

Director of Infrastructure & Cyber Security at Fairstone Group

6 years ago

Great article Bob

Nazeer Nisthar

Key Account Director @ Trustack Ltd

6 years ago

Excellent blog Bob!

Paul Anderson

Cloud Services Business Manager EMEA at Ricoh Europe

6 years ago

Nice blog Bob!

More articles by Bob McKay
