Sophos Launches Synchronized Security Strategy

Sophos on Monday announced general availability of its Sophos Security Heartbeat capability, an addition to the company’s XG-series firewalls and UTM systems. By continually exchanging real-time information among endpoints and network security nodes, the system can spot behavior indicative of malicious activity or malware, quickly analyze the threat and instantly trigger a response.

Specifically, endpoints loaded with the Sophos Cloud Endpoint agent share data on user and processes and MAC addresses. If a compromise is detected, the system generates a firewall policy to isolate the endpoint partially or completely, based on the level of risk.

Dan Schiappa, senior VP of Sophos’ end-user security group, told Channel Partners that the new product is in response to the changing nature of malware, including the productization of exploit kits. Attacks are now available in a software-as-a-service model and use multiple entry points to the network.

“We have various products looking at various doors, but they’re not talking,” said Schiappa. Adding more sensors is of limited utility unless they’re connected. Ransomware is an example.

“This is a great solution against CryptoWall because one of the things attackers have to do is go out to the command-and-control server and pull down the keys to start the encryption process, so they make entry points in a variety of different ways,” he said. “On that communication path out, both our endpoint and our network technology have the ability to capture that communication and block it if we determine it’s connecting to a bad site.”

Schiappa calls this synchronized security — the watchers at the doors are talking and can launch an automated and coordinated response in real time. The Heartbeat product is the first entry in the company’s synchronized security strategy, but Schiappa says there’s more to come, and that the more nodes feed into the system, the more intelligence it generates.

“Once we know root cause, we can use that data to proactively protect other endpoints,” he said. The system ties in to SophosLabs to add threat intelligence — advanced big-data analysis vets millions of emails, URLs, files and other data points daily.

Channel Focus

VP of global channels Kendra Krause says Sophos is 100 percent channel, and that the new capabilities are in response to ideas and feedback from partner advisers. “It allows our partners to sell one complete security story and solution,” says Krause. “That’s key to them. It’s one partner program, one point of contact, one management interface. It’s time savings, it’s money savings.”

Krause says an MSP or MSSP could manage multiple sites and customers from the Sophos cloud dashboard, and enablement, integration services and various levels of certification are available based on …

… the partner’s business model. There is certification tied to the product line.

Michelle Drolet, CEO of 22-year-old boutique data security services provider Towerwall, is one of those partner advisers. Drolet says she considers the technology a “game changer,” because it provides seamless integration.

“The more the system talks, the smarter it gets,” said Drolet. “Zero-days are happening — it doesn’t matter what type of technology you have.” The only defense against zero-day attacks, which by definition lack signatures, is the ability to detect abnormal activity and use heuristic analysis to decide if it’s malicious. “This doesn’t look right, it doesn’t smell right, it doesn’t taste right,” said Drolet. “I’m going to cut you off.”

If that sounds a lot like NAC, you’re right. One downfall of network-access control technology was users being quarantined unnecessarily. But Drolet says that the way Sophos is doing heuristics and analysis means false positives should be quite limited.

“It’s only going to lock an endpoint out if it sees something that just doesn’t look right,” she said “That’s a differentiator.”

Schiappa agrees, insisting there also won’t be an endpoint performance hit.

“The beautiful thing about synchronized security is that we’re not asking the endpoint to do anything it wouldn’t normally do,” he says. The firewall performs analysis, and there are no additional agents required on endpoints, besides the Cloud Endpoint agent. The Security Heartbeat functionality is included as part of the Sophos XG firewalls and cloud-managed endpoint protection with no additional licenses.

Making The Sale

The system’s plumbing is straightforward enough that customers should need minimal handholding: When a new endpoint is added to the network, it automatically connects to the local Sophos XG Firewall and starts sharing health status. Right now, only Windows and Mac endpoints are supported, but Schiappa says Android and iOS support will be available “imminently.”

If suspicious traffic is identified by the firewall, or malware is detected on the endpoint, the firewall can automatically isolate the endpoint and trigger actions to prevent data loss. After the threat has been removed, the endpoint uses the Security Heartbeat to communicate updated health status back to the network, which then automatically re-establishes normal service to the endpoint.

The suite offers …

… pre-configured policy templates for popular business applications, user and app risk and threat analysis and centralized management of multiple firewalls, free for Sophos partners and managed service providers. Sophos partners and MSPs can also manage multiple Sophos XG Firewall installations from the cloud via the new Sophos Cloud Firewall Manager.

For onsite deployments, Sophos offers a range of appliance models. Customers can choose to deploy as hardware, software or virtual appliances, and all features are available on every form factor.

From a business standpoint, Drolet says her customers with antivirus, UTM, firewall and other point products with renewals or updates coming due may well opt to jump to the Sophos synchronized suite.

Sophos’ pitch of the superiority of a single-vendor unified security platform versus best of breed, integrated in house or by a partner, echoes arguments by Cisco and others, and Drolet is a convert.

“If you had asked me a couple of years ago, I was right there” in the best-of-breed camp, said Drolet. “But everything’s gotten so complex. We have all these tools, but if they’re not talking to each other, things are going to get lost. We do need to simplify, especially in the SMB and midmarket.”

Follow editor in chief @LornaGarey on Twitter.