Lorna Garey

Sophos on Tuesday released an in-depth report on the latest evolution in ransomware: delivery of an executable in an “as a service” model. By following the path of the Philadelphia ransomware service from productization to sale on the dark web for $389, the report offers an eye-opening case study.

Malware distributor Rainmaker Labs even created a 13-page marketing brochure explaining Philadelphia’s feature set, which includes unlimited malware samples, a one-time purchase fee that includes all upgrades and the ability to play Russian roulette, deleting some files after a set period of time.

Sophos’ Dan Schiappa

Dan Schiappa, SVP & GM of Sophos’ end user and network security group, says the lowered bar is bad news for customers.

“Fifty-seven percent of data leakage actually comes from hacking and malicious code,” said Schiappa in an interview at Sophos’ Boston-area offices. “Now with things like malware and ransomware as a service, you don’t even have to be technically advanced.”

Sophos is bucking two trends in the security industry.

First, while many providers are pulling together consortia to help partners assemble multi-vendor security bundles, Sophos is focusing on making its full suite of endpoint and network security products communicate and quickly learn from one another. Schiappa cites a Forrester survey where enterprise IT respondents overwhelmingly said they prefer to buy an integrated suite from one vendor versus best of breed.

Schiappa says partners approve of that strategy as well because it lets them “land and expand” within customer sites.

“We’ve blended all the products into a common interface,” he said. “Our partners love that because it matches with our other big innovation, which is Synchronized Security. The benefit there for partners is, I can get in with one product. And if I sell them another Sophos product, I didn’t just didn’t sell additional product, I actually made the previous product smarter because now it has another product to talk to and get insight from.”

The Synchronized Security ecosystem covers endpoints, mobile devices and servers with integration into the Sophos Central platform.

Schiappa also stressed the expansiveness of the company’s partner program, in contrast to suppliers limiting the number of resellers and demanding, if not monogamy, then a certain level of exclusivity. Sophos now has more than 30,000 partners, and Schiappa credits them with driving about a 90-plus percent renewal rate among current customers and generating $632.1 million in FY17 billings, more than 24 percent growth, with 81 percent of that recurring subscriptions.

The company does have a “Blue Chip” designation for partners that transact five or more deals in a six-month period. This top partner tier has grown from 4,721 in FY16 to 8,524 this year.

“We’re all about the partners,” he says. “I think we’re probably the only security vendor that has in our mission statement our loyalty to the channel community.”

What does Schiappa see those partners tackling as we move into 2018?

Distributing ransomware in an inexpensive SaaS model lowers the cost of …

… entry dramatically, thus the deep dive into Philadelphia. With no command-and-control servers to maintain, for example, attackers can take a shotgun approach and more widely target individuals and SMBs. He also expects more attacks on mobile devices, a continued shortage of security experts and more use of machine learning to categorize cloud-based and niche applications that may not be recognized by firewalls.

“One of the biggest challenges around firewalls is, I want to create a policy around certain categories of applications, whether it’s a productivity app or in the browser or whatever,” he said. “And the largest category is ‘other’ — I don’t know what an application is. And so with us sitting at the endpoint, we know exactly what the application is, and we can share that with the network and it can create a proper policy.”

He sees encryption becoming an easier sell as GDPR comes online in May and the technology becomes more transparent for end users.

“We’re seeing people starting to actually look at this and go, ‘OK, I got server, I got endpoint, I got mobile, I’ll get to the encryption part next,’” he says. “That’s the harder part.”

Another area of focus for Sophos is lateral-movement detection, to keep sophisticated attackers from getting into a network through a weak point and then traveling.

“We’ll cover that both in firewall and our wireless access points,” he said. “Now if I get a compromised endpoint it will actually cut off the internal network.”

For partners that want to do deeper integrations, Sophos does expose its APIs and is seeing some larger partners hook its software into third-party management consoles. “We’re wide open to that,” said Schiappa. “Our goal is to enable the partner community,” including encouraging professional services.

Schiappa says partners can expect continued innovation coupled with enablement, including more training, and a customer message centered around Sophos’ maturity coupled with the speed of new releases and innovation driven by acquisitions Invincea, PhishThreat and Barricade — what he calls “next-gen technology without next-gen risk.”

“I’ve had some partners come to me and say, ‘Slow the innovation down a little, you’re going too fast,’” he says. “And I said, ‘We’ll find ways to help you keep up, like better training, and we’ll find ways to enable you better, because I don’t want to slow down.’ You just can’t.”

Ransomware: Prevent, Recover, Understand is the is the focus of a half-day learning opportunity at Channel Partners Evolution. Register now!