During their presentation, Lars Putteneers and Jerco Veltjen showed the audience some "unknown" but very cool and promising Sophos tools, such as Sophos Sandstorm, email security and wireless protection.
4. What’s coming
• Feature parity for management via Sophos Central vs. on-prem
• Revised console user interface
• Android for Work support (native container/“work mode”)
• Usability improvements
5. Admin UI updates (draft)
New Central Sophos Mobile Control Dashboard
6. Self Service Portal updates (draft)
• Sophos Central Self Service
• Sophos Mobile Control Self Service Portal (on-prem)
9. Sophos Wireless Solution Portfolio
• Sophos Wireless (managed in Sophos Central)
• Sophos UTM Wireless Protection
• XG Firewall Wireless Protection
• Common Access Points
10. How Sophos Wireless Works
• Sophos Central Admin (Anywhere)
• Sophos Central (Public Cloud)
• Sophos Access Points (on-prem)
• Wi-Fi Network (your site)
• Single Sophos security platform
• Communicates through the cloud
• Purchase Sophos Access Points
• License for Sophos Central
• Create a wireless network
• Register APs, assign to your network
• Create a site, add APs to your site
• Go online
11. Wireless in Sophos Central: Features
• Configuration and management
• Cloud Dashboard with all Key Data
• Scheduled Firmware Updates
• Rogue AP Detection
• Basic Network Planning
• Sophos Central managed
• Guest Access and Hotspots
• Usage Visibility
• Sophos Wireless Community
13. Sophos Email
Sophos Secure Email Gateway Solutions
• UTM/Firewall: Looking to consolidate
• Email Appliance: Purpose built dedicated solution
• Sophos Email: Seeking SaaS email security
• PureMessage: Exchange and Unix
14. Sophos Email
• Cloud-based Email anti-spam & anti-malware
• Centralized management and reporting
• Global with Frankfurt, Dublin and US Data Centers
• Quick trial from Sophos Central: Admin
• Fully integrated into Sophos Central
• Roadmap: Email Archive, Data Protection and Advanced Protection
15. Who is Sophos Email for?
Compatible with both on-premise servers and cloud services including but not limited to:
• MS Exchange: 2003 and later
• O365: all versions
• Google Apps: all versions
• Businesses of all sizes
• Designed for ease of use
• Highly scalable: No limitations on user numbers
• Available Globally: English, German, French, Spanish and Japanese
16. Smart Email Continuity:
• Alert if we can’t deliver mail to server/service
• Spooling for delivery ensures no mail is lost
• Emergency inbox for business continuity
Proven Security from Sophos:
• Proven, award-winning AV engine
• SophosLabs continuous insights and updates
• Advanced Protection with CX Mail
There’s a need for better, specialist threat protection
Peace of mind for when the worst happens
Easy to set-up and use
• Simple, fast setup
• Active Directory synchronization
• End User Self-Service Portal
Lower operating costs and productivity gains
21. Introducing Sophos Central Device Encryption
Sophos Central Device Encryption is the easiest way to centrally manage Windows BitLocker full disk encryption, using the simple, web-based, Sophos Central Admin console
22. Introducing Sophos Central Device Encryption
The easiest way to centrally manage Windows BitLocker full disk encryption!
• Manage encryption status and recovery from the Sophos Central Admin console
• No backend infrastructure or servers required
• Setup and deploy with a few clicks
23. Introducing Sophos Central Device Encryption
The easiest way to centrally manage Windows BitLocker full disk encryption!
• Three-click policy setup
• Automatic client configuration, no manual GPO settings
• Encryption keys not stored by Sophos (only encrypted recovery keys)
• Common client agent
24. Introducing Sophos Central Device Encryption
The easiest way to centrally manage Windows BitLocker full disk encryption!
• Sophos Central Self Service portal for user self-help recovery
• Compliance and reporting
• Windows 7 or later (versions with BitLocker)
  o Mac FileVault support coming early 2017
Editor's Notes
So how does Sophos Wireless work when managed in Sophos Central?
Sophos Central provides a single Sophos platform to manage a number of security solutions. From the beginnings with Cloud Endpoint, we now also offer Mobile, Server and Web and will soon be adding Email too.
The brains of Sophos Central are hosted in the cloud. Once access points have been registered in Sophos Central, the management of the APs through the Admin console is established and so the wireless network can be managed from any location using just a browser. There is no further hardware needed to deploy our solution. AP firmware and software updates are provided in the same way. And even if a customer has more than one site, they can be managed from the same console.
In the future, (*click*) we plan to add more intelligence into our APs which will allow us to provide advanced features which are not possible today.
Since the release of Sophos Wireless, we have rapidly introduced a broad set of features for the configuration and management of Wireless Networks. Current features include usage insight, management and control of guest access and hotspots, the phased introduction of Rogue Access Point detection, a basic network planner and other tools for administration and monitoring.
Sophos Wireless is quite different to most of our other solutions in that we introduce new releases every three weeks (and in future possibly even more frequently than that), so we cannot mention every single feature in this training. Also, as we plan features on a quarterly basis, those mentioned here will either be already in the product or scheduled for release in the very near future (think weeks rather than months).
The Sophos Wireless community provides full details of each release under the link shown here. https://community.sophos.com/sophoswireless/b/sophos_wireless_blog
Please also check Sophos Hub or the Partner Portal for further information on very new features such as rogue AP detection and guest access.
Let's take a look at some of the key features in a little more detail...
The dashboard will be the main source of information for any admin.
It not only provides an overview of the 'health' of any access points which have been set up, there is also information about the general status of networks and firmware updates.
Without leaving this first view, it is possible to look into the client status to identify when there were connectivity issues and to get a better insight into traffic patterns, for example, to check for inappropriate usage.
The usage insights tab provides a deep dive into Wireless traffic with Web categorization where you can drill-down into the detail and see which domains were visited. This allows your customers to identify inappropriate use or other issues.
We have plans to add much more functionality in this area in the future.
Within the sites section, a customer can create multiple sites, assign APs to them and upload their own floor plans.
The floor plans can be used as a first-order approximation of how the wireless network could be set up.
This area also provides the possibility to see other networks in your neighbourhood.
These are just a few of the features supported by Sophos Wireless in Sophos Central – why not take a look yourself by signing up for a free trial. Visit sophos.com/wireless for further details or simply click on the icon displayed here on the screen.
Time-based SSIDs allow you to limit the availability of a wireless network. This may be because it is for specific use or because you only want it to be available during work hours. We will start out with one schedule but will later add the possibility to add multiple time slots on the same day.
A hotspot can be set up in the SSIDs section of Sophos Wireless. Here you can do some customization such as adding a name, welcome text and terms of service. You can also select backend authentication which at the moment is RADIUS.
The access portal which users will see provides a very seamless user experience. The design will differ to the screenshot shown here.
These features are being added over a number of releases and will be complete by mid to late November.
Rogue AP Detection uses the visibility provided by an access point to detect potentially unwanted or harmful SSIDs/APs in your neighborhood.
APs will be classified according to their status:
• Trusted
• Neighbor
• Untrusted
• Etc.
Whereas most vendors offer 2-3 categories for this feature, we will roll this out in phases and eventually have ~10 different categories giving much more granular detection (later also other actions).
This is where Sophos, as a security vendor, can add real value over and above what other vendors can do.
Our UTM is great for anyone looking to manage email as part of a consolidated solution; it has an impressive array of features from threat protection to data protection.
Sophos Email Appliance is a purpose built solution that’s ideal for those admins who are dedicated to email. If a buyer takes email protection really seriously they’ll love the policy wizards and simple workflows that let admins get the best out of the advanced and granular feature set – and of course it's a managed appliance which means we monitor over 50 vital signs and alert customers if we spot something out of the ordinary.
And then we have PureMessage, great for protecting on-premise Exchange servers, and our PureMessage for Unix platform, a highly customizable solution that’s popular with larger enterprises, telcos and ISPs.
So why do you need Sophos Email? The answer is simple – it fills a cloud-shaped gap in our portfolio.
As the name suggests Sophos Email is fully intergra
So who is Sophos Email targeted at?
The product is designed, as with all Sophos products, to be easy to use - in this mature market buyers of all sizes are looking to simplify this business critical service - and really the Sophos Email product will appeal to anyone looking for a simple solution.
Because it’s a cloud-based platform it really is a highly scalable solution with no real limitations on user numbers – so you can feel comfortable pitching this solution to the very smallest businesses and much larger organisations too.
Now of course larger organisations are likely to be looking for advanced and granular features and so our first release is unlikely to meet all their requirements – but Jamie will talk a little more about how we are adding these features over time. And of course you have the dedicated Sophos Email Appliance that can help with more complex requirements – and in the US you can ask your sales team about how the Reflexion Networks product line may be able to help in the interim.
The product will be available globally - this is not a release limited by region – and it comes in all the regular Sophos Central languages - English, German, French, Spanish and Japanese
In terms of platforms supported these are the three core platforms – MS Exchange 2003 and later, O365 and Google Apps. So it supports both on-premise and cloud email services.
So that’s who it is for but how does it help them? Let’s take a look at the customer needs Sophos Email is helping address.
Proven security:
Our core competency, powered by core products/technologies – Award winning AV, our Anti-Spam engine, the continuous insights and updates from Sophos Labs.
We don’t sell shaky operating systems; Security is what we do -- 24/7/365. It isn’t an add-on to our product; it is our product.
Office 365 integration:
Deliver clean mail to Office 365 with a quick configuration. Pull users from AD with our user synchronization. Federate authentication for SSP with AD/Azure.
Continuity:
I don’t think any business can afford to have email go down. Office 365 had 3 outages in Europe between December ‘15 and January ‘16. Sophos Email ensures business continuity with our ‘always on’ Emergency Inbox capability.
First of all we send a hash of the file to Sophos. If Sandstorm has seen the file before, as it has done in 98% of cases, the answer is immediate and SWA blocks or allows the file.
If Sandstorm hasn’t seen the file before, we detonate the file in Sandstorm. Now some malware is able to detect that it is being analysed in a sandbox, so it doesn’t execute, and is passed as safe by the sandbox. Not Sandstorm. Sandstorm uses a Full System Emulation approach. This means that, unlike other solutions, the malicious code cannot tell it is being analysed in a sandbox.
If your appliance is in Europe a copy of your suspicious file is sent to a Sandstorm datacentre in Europe (Germany).
If your appliance is in the US the file is sent to a US Sandstorm datacentre.
Anywhere else in the world the file is sent to one of these datacentres, whichever one will process the file faster at that point.
Sandstorm will detonate and analyse the files in memory. Nothing is ever written to disk. All documents are destroyed after analysis whether malicious or benign.
The only exception is malicious executables that remain in SophosLabs for further analysis.
If the file is safe we return the cached original file which has not left the appliance.
In today’s presentation we’re going to talk about Sophos Central Device Encryption, which provides a solution for the most basic of all encryption needs: Full Disk Encryption. Thousands of laptops are stolen, misplaced, or lost every day – in airports, cafes, taxis and so on – and many of these contain sensitive information. Full disk encryption is the essential first line of defense for protecting data in case of a device being lost or stolen and, plainly speaking, it should be used for *all* business computers. Simplified, the way Full Disk Encryption works is that the entire disk or device is protected by strong encryption, and access is granted at the startup of the device for users that have the appropriate encryption key. In modern operating systems, this means authentication by passwords, PIN, hardware, or a combination of these. Full Disk Encryption is most efficient when it’s used together with a TPM - a “Trusted Platform Module”, included in most laptops today. The TPM will tie the hard disk to a computer and greatly simplified, it’s basically a dedicated chip that keeps the encryption keys secure. This means that full disk encryption provides protection for your data when the computer or device is off, also referred to as “at rest”. It is the primary protection against the risk of leaking data or sensitive information from a lost or stolen computer. Worth noting again, as mentioned on the previous slide, Full Disk Encryption does *not* protect your data once the disk is “unlocked”, i.e. when the computer is running. It also does not protect data in transit – when it’s sent to another user, copied off the device, to external storage, or to the cloud etc.
Luckily, to make this easier for everybody, Microsoft and Apple already included full disk encryption - built right into the operating system – over the last few releases: BitLocker for Windows and FileVault for macOS. So, with full disk encryption technology readily available in the OS we have another challenge - and this is the really BIG challenge: how do we best manage the encryption on all computers in a company? For example, you need an efficient way to manage data protection policies making sure all computers are encrypted, that you can help users get going again when they lose their PIN/passwords, and so on. Also, in the case of a missing computer, you are in many cases likely to be asked to prove that the lost computer was sufficiently protected by encryption. Management basically becomes the critical factor for any full disk encryption solution.
So - this is why we decided to bring the award-winning SafeGuard Encryption technology to Sophos Central: We believe that it is the easiest way to centrally manage BitLocker in the world today. By using the integrated, simple, web-based, Sophos Central Admin interface, it means that it only takes minutes for the admin to configure policies and deploy full disk encryption across all computers in a company.
Let’s look a bit closer!
As I said, Sophos Central Device Encryption uses Sophos Central to manage the encryption status and recovery, right there in the Sophos Central Admin console.
And, since it’s a 100% cloud-based solution, there are no database or key management servers or any backend infrastructure needed. You can simply set up and deploy encryption with a few clicks in the console to get going in minutes.
In fact, configuring an encryption policy is done in just three clicks, and I’ll show you how it’s done in the interface in a minute. All the client settings that anybody who has done this before usually associate with deploying encryption: running scripts, applying group policy objects etc., they are all done automatically.
Important to note is also that Sophos does not store any actual encryption keys, only the BitLocker recovery keys. These are stored in a separate encrypted area in Sophos Central, and only accessible from the relevant Central account.
An additional benefit is also that Central Device Encryption uses the same client agent as Sophos Endpoint products, including the new Intercept, meaning that for Sophos Central Endpoint customers there is no need to install additional client software - configuration can be done over the air.
When users forget their PIN or passwords, or lock themselves out (which they inevitably will do), the Admin can either call up the recovery password from the console in the traditional way, or the users can go themselves to the Sophos Central Self Service portal for recovery and self-help, taking up zero time from IT.
As we touched on earlier about compliance: when a device is stolen, Sophos Central will be able to produce the reports needed that can prove that a computer was encrypted. This often means that you can avoid making a public disclosure or taking expensive remediating actions. This of course can turn a potential disaster into a trivial non-event.
In this first version of Sophos Central Device Encryption we support all Windows versions that include BitLocker, starting from Windows 7 or later. With Windows 7, BitLocker was included in the Enterprise and Ultimate versions, and with Windows 10 it’s included in all versions except for Windows 10 Home.
We are also following up with support for macOS FileVault in a few months, and it’s due to launch in the first quarter of next year.
Although we feel that Sophos Central Device Encryption is a really strong product that should need very little convincing to get users to buy, of course there will be the odd inevitable arguments. We’ve put together a few examples over the next few slides:
“We already have BitLocker so we don’t need Sophos Central Device Encryption!”
A suitable answer could be along the lines of:
[CLICK] “Great that you have BitLocker already. However, managing encryption is critical - you need to handle policy, status, recovery, and compliance reporting. Central Device Encryption is the easiest way to manage Windows BitLocker compared to any other solution in the market: you set up policies with a few clicks and users can even help themselves with the Sophos Central Self Service portal when they lock themselves out of their machines - with zero involvement from IT.”
Next objection:
“I want to use the Microsoft tools and MBAM to manage BitLocker encryption instead!”
For this one you can of course go into a lot of detail with how time-consuming it actually is to set up MBAM effectively; that it needs multiple servers and a pretty heavy IT investment to get going. It’s probably easiest to keep it simple however, with something like:
[CLICK] “MBAM requires a significant backend infrastructure and it is a major IT project to configure and maintain. Again, Sophos Central Device Encryption is the easiest way to centrally manage BitLocker. You get started in minutes: no backend servers needed, you create a policy with three clicks, and users can even help themselves when they get locked out.”
Finally, and there’s always somebody that comes along with an argument like:
“But, I don’t need to manage BitLocker – I tell my users to write their recovery keys on a Post-it note!”
[CLICK] Well, hopefully we won’t run into too many of these – needless to say, the manual Post-it approach is not a good idea. More seriously, any manual management of recovery keys is bound to be flawed, as keys should rotate whenever a recovery is made – making the stack of Post-its obsolete. Also any scale is of course not possible with a manual system.
To close off, let’s go through the details before we take a quick look at the product:
Sophos Central Device Encryption is available now, and it’s priced at USD20 per user per year at 100 users (or the equivalent in other currencies).
The product is a great cross- / add-on sale together with other Sophos Central products of course, but it can also be sold on its own.
Migrating to Central Device Encryption is very simple. If you have computers that are already protected by BitLocker, there is no need to decrypt and re-encrypt when you install Central Device Encryption – we simply take control of the BitLocker management when first deployed, a process that literally takes seconds.
It’s also very simple to take Central Device Encryption for a spin: It’s part of the standard Sophos Central trial process. Anybody who signs up for a new Central trial will also have the opportunity to try Central Device Encryption. The new ability for existing Sophos Central customers to try another component is about to be added very soon - I think it may actually be this week. This means that if you have a Central account already, you can start a 30-day trial for any Sophos Central product you don’t have.
Again, support for Apple macOS FileVault is coming in the first quarter of next calendar year.
Finally, please keep an eye out for Sophos Central File Encryption that is coming next calendar year. This will bring the new, cool, next-generation, Synchronized Encryption experience of SafeGuard 8 to Sophos Central. Being able to provide both file encryption and full disk encryption, managed in Sophos Central, will make the story so much stronger.
Right, we have a few minutes left so let’s take a quick look at how to manage Full Disk Encryption in Sophos Central. [DEMO]
This slide contains a few further technical details that you can use as a take-away and read in the comfort of your own armchair. Further information is also available on the Partner Portal and on Sophos.com/encryption, so check this out as well. More will be coming shortly. There are a couple of short minute-long videos available on the partner portal and on Sophos.com that I really recommend you check out as they give a great overview of exactly how easy it is to get going with Sophos Device Encryption.
[Thanks to everyone for attending today’s session….]