Sophos Takes to the Road to Announce New Ransomware Protection, Trends Report

Analysts recognize Sophos as doing significant, and fairly balanced, business in both network and end-user security.

Lorna Garey

November 2, 2017


BOSTON — Sophos on Thursday brought 300 customers and partners together at the Revere Hotel for a look at the future of cybersecurity. Dan Schiappa, general manager and SVP of the end user and network security groups, headlined the event and expanded on several announcements.

Sophos is among a select group of suppliers that is recognized by analysts as doing significant, and fairly balanced, business in both network and end-user security.

“Matter of fact, we’re the only one,” said Schiappa, referring to the ability of Sophos’ endpoint and network products to communicate directly and report results in a single dashboard.

On the network side, he called out recent advancements in the XG Firewall, including a policy simulator to test web and firewall rules before pushing them live on a customer site, as well as new hardware options. More on Version 17 here.

On the road map are up to 200 percent better performance, improved SSL inspection, support for IoT security, synchronization across the physical and virtual appliances, ability to scale up for larger enterprises, device provisioning, a CASB and lateral-movement detection.

On the end-user front, Sophos announced Thursday that the early-access version of Intercept X, its next-generation malware blocker, now uses deep-learning-based detection to better stop both known and previously unseen ransomware variants. The technology comes from Sophos' acquisition of Invincea earlier this year and is managed through Sophos Central, the company's cloud-based management platform.

Kendra Krause, vice president of global channels, told Channel Partners that Intercept X is Sophos’ fastest-growing product, contributing to a 40 percent Q316 increase in the number of global partners selling its endpoint and network products.

That demand reflects Sophos' finding that almost half (47 percent) of all attacks it observes are some version of ransomware.

“There’s a reason for that,” Schiappa said. “It makes a lot of money.”

One factor driving the continued success of these attacks – along with bitcoin and the ransomware-as-a-service business model – is that ransomware is constantly morphing and may even be customized on the fly for a specific target.

“Seventy-five percent of all malware is unique and specific to the organization it is targeted to,” said Schiappa.

That means protecting customers requires a more advanced strategy than legacy, signature-based antivirus technology, which can only match what it has already seen. This is where predictive models that can judge a file's intent come in.

“I don’t care what malware they’re using, I just want to deny the technique,” said Schiappa. “To do that requires AI and machine learning.”

One advantage for defenders is that attackers rely on only a few dozen exploit techniques – a heap spray, for instance, or a memory-corruption primitive – to take a nascent intrusion to the next level, and a technique can be blocked regardless of which malware family wraps it. Schiappa likened deep learning to how the human brain works, sorting through a range of possibilities to come to a conclusion.

“Is an executable benign or malicious?” he said. “That’s all we want to know.”

Sophos makes that judgment by training its models on large, vetted data sets of both benign and malicious executables. Deep learning, a branch of machine learning that uses an artificial neural network to build a predictive model, can then make such predictions quickly. Intercept X is trained on hundreds of millions of samples to classify a file as malicious, potentially unwanted or legitimate.

Importantly, those samples are vetted by Sophos Labs.

“Proper labeling of files is critical to beat the ‘garbage in, garbage out’ syndrome,” said Schiappa. “We have the No. 1 detection rate in the industry.” Sophos says that claim has been validated by third-party labs using independent testbeds, an important point: independent testing, rather than a vendor's own benchmarks, is what gives such a claim weight.

All Sophos partners have access to the Intercept X early access program, including advanced application lockdown and exploit prevention.

Sophos on Thursday also released its SophosLabs 2018 Malware Forecast report, which summarizes ransomware and other cybersecurity trends based on data collected from customer computers worldwide from April 1 to Oct. 3. One key finding is that while ransomware predominantly attacked Windows systems in the last six months, Android, Linux and macOS were far from immune. Schiappa said customers who believe Macs and mobile devices are safer than Windows PCs, and thus don’t need the same level of protection, are leaving an opening for attackers.

For example, SophosLabs says the number of attacks via Android devices increased almost every month in 2017.

“In September alone, 30.4 percent of malicious Android malware processed by SophosLabs was ransomware. We’re expecting this to jump to approximately 45 percent in October,” said Rowland Yu, a SophosLabs security researcher and contributor to the report, in a statement. There are two main attack methods: locking the phone without encrypting data, and locking the phone while encrypting the data. Either way, the end user loses control of the device. And, as with all ransomware, regular backups are a main line of defense. Partners should be working with customers to ensure all mobile devices are well managed and regularly patched and backed up. (See this Channel Partners report for a guide to doing just that.)

The Sophos report also tracks ransomware growth patterns. WannaCry, which first appeared in May, was the No. 1 ransomware family observed on customer computers, dethroning Cerber. WannaCry accounted for 45.3 percent of all ransomware tracked through SophosLabs, with Cerber accounting for 44.2 percent. The damaging NotPetya ransomware that wreaked havoc in June has largely fallen off the radar, raising questions about whether extortion was ever the attackers’ real intent.

Nick Beardsley, chief solutions architect at MSP TeamLogicIT, says he approves of where Sophos is taking Intercept X and says the ability to detect based on machine learning is applicable for all customers.

“Even at the SMB level, we’re not dealing with traditional viruses anymore,” said Beardsley. TeamLogic supports a wide range of companies across all verticals, from two employees to several hundred, and consults with enterprises on select outsourcing or product choices.

“It’s a testament to Sophos’ platform that it can serve all customers and easily add on tools like encryption, but the single most valuable is syncing of firewall and endpoint security,” Beardsley said.

As to ransomware, he’s getting calls from everyone from nonprofits to financial services — it’s not limited to high-value targets like health-care companies.
