2. What We’re Going to Cover
How the threat landscape is changing
Synchronized Security: a best-of-breed integrated security system
Synchronized Security In Action
Success stories
7. Four challenges
Attack complexity
Expanding attack surface
Uncoordinated defenses
Lack of resources
46% of organizations believe they have a problematic shortage of cybersecurity skills (ESG Group)
8. What if we could simplify security and unify our defences?
9. Benefits of an Integrated System
• Simplify IT management
• Increase visibility across environment
• Reduce risk of threats spreading
• Respond faster to potential security incidents
• Maximize IT team by leveraging automation
• Achieve better ROI from security investments
13. “No other company is close to delivering this type of communication between endpoint and network security products.”
Chris Christianson, Vice President of Security Programs, IDC
14. Proven Technology in Key Areas
Gartner Magic Quadrant, Unified Threat Management: Magic Quadrant for Unified Threat Management, Jeremy D'Hoinne, Adam Hils, Rajpreet Kaur, 30 August 2016
Gartner Magic Quadrant, Endpoint Protection: Magic Quadrant for Endpoint Protection Platforms, Eric Ouellet, Ian McShane, Avivah Litan, 30 January 2017
The Forrester Wave™, Endpoint Encryption: The Forrester Wave: Endpoint Encryption, Chris Sherman, 16 January 2015
15. Synchronized Security Benefits
Unparalleled Protection: Best-of-breed products packed with next-gen technology actively work together to detect and prevent advanced attacks like ransomware and botnets.
Automated Incident Response: Security information is shared and acted on automatically across the system, isolating infected endpoints before the threat can spread and slashing incident response time by 99.9%.
Real-time Insight and Control: See - and control - what's happening in real-time for simpler, better IT security management.
17. Automated Incident Response
Before Synchronized Security: minimum 2 hours to identify user, process, machine and wider impact; often days, weeks…
After Synchronized Security: automatic isolation of endpoints at threat identification in < 8 seconds
Results of testing by analyst firm ESG
18. “It only took 2 minutes to find out that everything was under control. Sophos XG Firewall detected the threat and Security Heartbeat allowed the infected host to be immediately identified, isolated and cleaned up. Instead of going into fire drill mode, we were able to relax and finish our lunch.”
DJ Anderson, CTO, IronCloud
19. Sharing Information. Automating Response.
Endpoint detects and blocks malware
Endpoint communicates to Sophos Central
Heartbeat status changes to RED
Firewall isolates endpoint
Encryption keys revoked
Endpoint automatically cleans up malware
Endpoint communicates to Sophos Central
Heartbeat changes back to GREEN
Network access returned
Encryption keys restored
26. Server Access Heartbeat: block access to compromised systems
Endpoint requests access to a compromised system (RED Heartbeat); the request is blocked
27. Real-time Insight and Control
Security Heartbeat: infrastructure visibility
Active Threat ID: machine, process, user
Root Cause Analysis: threat chain visibility
29. Synchronized Security In Action
Endpoint, Mobile, Encryption, Server, Web, Wireless, Email and Firewall, managed through Sophos Central
~5K firewalls w/ Security Heartbeat™ (avg. 2 firewalls per customer)
450K+ endpoints w/ Security Heartbeat™ (avg. 188 endpoints per customer)
~40K servers w/ Security Heartbeat™ (avg. 22 servers per customer)
~42K encrypted devices w/ Security Heartbeat™
~2,500 organizations w/ Security Heartbeat™ (avg. 423 users per customer)
99% reduction in incident response time
As of March 2017
30. Brooklyn, USA: 1.5M members, 7000 employees, 187 parishes, 90 schools
Quote: “Sophos saves me time because I can identify threats and remove them quickly.”
1000 computers: Sophos Central Endpoint Advanced, Intercept X
50 servers: Sophos Central Server Advanced
Network: 3 XG Firewalls, 5 SG UTM, 2000 Reflexion licenses
Visibility across multiple locations
Threat forensics with RCA are quick and easy
Unify and simplify endpoint, FW, and cloud security
Real-time Insight and Control
“The time we save is equivalent to at least one part-time person—that’s huge.”
Gus Garcia, Senior Project Manager
31. Cosmetics company: 400 employees, branch offices worldwide, €169M annual revenue
Quote: “With Sophos Central, the IT system is able to respond to cyber attacks with a simple click.”
200 computers: Sophos Central Endpoint Advanced, Intercept X
40 servers: Sophos Central Server Advanced
Network: 2 XG Firewalls, 1 Web Appliance, Sandstorm license
Real-time: requirement for global network protection and real-time response
Automation: looking for a solution to scale security effectiveness worldwide
“Synchronized Security was able to respond in real-time to the ever-more aggressive threats.”
Automated Incident Response
Igor Bovio, IT Manager
32. Orlando, USA: 90 employees, 4 locations
Quote: “Synchronized Security is the reason I bought Sophos and went with XG Firewalls.”
100 computers: Sophos Central Endpoint Advanced, Intercept X
Servers: Sophos Central Server Advanced
Network: 4 XG Firewalls (210, 310)
IT Director looking for automation in order to scale his effectiveness
XG Firewall automatically isolating endpoints daily
Automated Incident Response
35. Get Started with Synchronized Security
• Learn more at www.sophos.com/synchronized
• Watch the videos
• Read the whitepaper
• Start your 30-day trial of Sophos Central at www.sophos.com/central
• Speak to your Sophos team about how to move to Synchronized Security
37. Wyoming, USA: 1600 students/staff, 6 buildings
Quote: “Synchronized Security has prevented hundreds of exploits from infecting the systems.”
“RCA speaks for itself, it helps immensely and saved me a ton of time.”
800 computers: Sophos Central Endpoint Advanced, Intercept X, Phish Threat
70 access points: Sophos Wireless
30 servers: Sophos Central Server Protection
Network: 3 XG Firewalls, Sophos Email
Intercept X prevented ransomware attack
XG Firewall automatically isolated endpoints
RCA showed complete detection history
Unparalleled Protection
Dan Russell, CTO, Pine Cove; Derrick Morse, Pine Cove
38. Local Government: established in 1890, 62,269 residents, Mayor and 13 Councillors
360 computers: Central Endpoint Advanced, Phish Threat, Intercept X (150)
100 servers: Central Server Protection
Network: 2 XG Firewalls, 10 Access Points, 3 RED Appliances
Quote: “We like Synchronized Security because it prevents a single infection from spreading to the rest of the network.”
Robert Glinski, IT Security
Visibility and simplicity for enterprise-wide management
RCA discovers threat origin and scope
Proof of Protection against advanced threats
Real-time Insight and Control
39. Rome, Milan, Genoa: 4000+ customers, 200 employees, 3 offices
200 computers: Sophos Central Endpoint Advanced, Intercept X
40 servers: Central Server Protection
Network: 4 XG FW, 2 Email Appl, 2 RED, Sandstorm license
Protection against high-risk monitoring of social media and web sites
Control their continuous technology flux
Quote: “In view of the most recent threats such as ransomware, we moved to Sophos Intercept X”
“Synchronized Security has solved many of our problems on our internet-exposed servers”
Gianfranco Cersosimo, System Administrator
Unparalleled Protection
40. Home Medical Care: 60,000 patients, 27 offices, €100M annual revenue
Quote: “Synchronized Security allows us to identify the cause and origin of threats and blocks the spread of these threats within the network.”
500 computers: Sophos Central Endpoint Advanced, Intercept X
200 servers: Sophos Central Server Advanced
Network: 80+ XG Firewalls
Analytics discover exactly where the infection exists
Identify the necessary countermeasures to reduce risk
Real-time Insight and Control
“The Sophos Central console gives us a complete view from UTM to Endpoint and Intercept X.”
Oscar Macchi, CTO
41. Dairy Producer: head office in Sangli, 5 branches across Maharashtra, India, 250 users
Quote: “Sophos has engineered a simple solution that can help organizations quickly provide secure internet access both locally and remotely.”
210 computers: Central Endpoint Advanced, Intercept X, Sophos Mobile
65 servers: Sophos Central Server Protection
Network: 14 Firewalls (XG and NG), SFOS Early Access/Beta Tester
Unify and simplify management
Improved protection against mail, web, zero-day attack
Analytics for better discovery and reporting
Vishwas Chitale, CEO & CTO
Unparalleled Protection
42. Construction Company: over 65 years in Taiwan; offices in Taipei, Hong Kong, Macau, Gurgaon, Kuala Lumpur
1000 computers: Sophos Central Endpoint Advanced
2 servers: Sophos Central Server Advanced
Network: 56 XG Firewalls w/ Web Protection, 2 iView Appliances
Real-time network protection and real-time response across 50 sites in Taiwan and 4 in Hong Kong
Automation: looking for a solution to scale performance and security
Automated Incident Response
Quote: “We use Synchronized Security to protect our users from ransomware attacks and enhance our IT security environment.”
Kevin Chueh, CIO
43. Next-Gen Endpoint Protection
Synchronized Security / Sophos Central Mgmt. / Root Cause Analysis
Threats covered: script-based malware, phishing attacks, .exe malware, non-.exe malware, malicious URLs, removable media, unauthorized apps, exploits
44. Next-Gen Endpoint + Network Protection
Synchronized Security / Sophos Central Mgmt. / Root Cause Analysis
Threats covered: script-based malware, phishing attacks, .exe malware, non-.exe malware, malicious URLs, removable media, unauthorized apps, exploits
Editor's Notes
Next-gen security with real-time intelligence sharing between your endpoints and firewall.
Cybersecurity keeps getting tougher and organizations are struggling to stay ahead of the threats, which are increasing in both number and sophistication.
Specifically they face four main challenges. Let’s take a quick look.
1. Attack complexity
The growth in complex and coordinated attacks is outpacing many organizations’ ability to protect themselves. This is a problem both of keeping up with the volume and of keeping up with attacker sophistication.
2. Expanding Attack Surface
IT sprawl is a real challenge. Mobile devices, cloud applications, and IoT devices are being used by employees more and more, and organizations of all sizes are deploying virtual and cloud infrastructure, increasing the so-called “attack surface” dramatically. The average user now has 3 devices. This makes it not only harder to protect all these devices, but also harder to gain the visibility to understand what is happening across your environment.
3. Uncoordinated defenses
Most organizations deploy a multitude of devices protected by security products from many different vendors. These point products work in isolation, unlike the coordinated attacks they need to stop, which often touch the firewall, email, endpoints, servers, and data. This creates information silos, which make it harder to detect incidents, harder to respond to incidents, and harder to gauge overall health.
4. Lack of resources
We keep hearing about the shortage of cybersecurity talent. Overstretched IT departments struggle to respond fast enough to threats entering their ever-expanding IT infrastructure. They don’t have the time or resources to manage the complex cross-product correlation needed to identify and stop advanced threats.
This is borne out by research from ESG Group which revealed that 46% of organizations believe they have a problematic shortage of cybersecurity skills. Making matters worse, organizations often have to allocate their cybersecurity team to time-consuming tasks rather than have them focus on the most pressing and hard-to-solve problems.
Given these challenges what if we could simplify security and unify our defenses into an integrated system?
An integrated security system would have many benefits….
This isn’t just wishful thinking; it’s real. Introducing Synchronized Security.
Synchronized security is a best-of-breed security system where integrated products dynamically share threat, health and security information. The result: faster, better protection against advanced threats.
Sophos delivers award-winning products that protect every point in your network. They’re great on their own – but even better together - thanks to synchronized security.
This best of breed security system enables Sophos products to work together, sharing information via a Security Heartbeat and then automating response.
And it’s all managed through Sophos Central, our award-winning web-based management console.
This communication between endpoint and network security products is something you can truly only get with Sophos, as noted by Chris Christianson, VP of Security Programs at IDC, a leading analyst firm. Chris said “no other company is close” to what Sophos Synchronized Security can deliver.
First we start with best-of-breed products. We’re listed as Leaders in Gartner’s Unified Threat Management Magic Quadrant, and we’re also listed as a Leader in the Gartner Endpoint Protection Magic Quadrant. We also excel in other areas, including encryption, where we are the clear leaders in the Forrester Wave.
Synchronized Security transforms your security, enabling you to address all the challenges we previously discussed by delivering:
unparalleled protection - to prevent breaches in the first place
Automated incident response – to reduce breach impact if something does get in
And real-time insight and control to simplify IT management
Let’s see it in action.
First we will show you how Synchronized Security automates incident response:
Typical environment
Minimum of 2 hours to investigate and determine number of endpoints affected, identification of user, process, machine
Could take days or weeks depending on how extensive the issue is
With Synchronized Security, responses which used to take days or weeks are now automated, and according to testing by leading analyst firm ESG, will take less than 8 seconds
This means your IT and security team is freed up to focus on other tasks, while your organization remains protected
DJ Anderson, CTO of IronCloud, talks about the real benefit of Synchronized Security to his team. Who wouldn’t rather finish lunch instead of going into fire drill mode!
Here we have a laptop running Sophos Endpoint protection, managed by Sophos Central. It’s healthy, so has a green heartbeat.
- Sophos Endpoint Protection detects and blocks a malware attack
It then shares this information with Sophos Central
Sophos Central changes the endpoint’s heartbeat to red, unhealthy status
It shares this information with the rest of the system
The firewall isolates the endpoint on the network, preventing the infection from spreading and stopping the endpoint from communicating with a Command and Control server
Access to corporate resources is also withdrawn to prevent spreading and to keep company data secure
Then the clean-up capabilities in Sophos Endpoint and Sophos Intercept X remove the threat and clean-up all lingering traces of malware
Once this is done, the new health status is shared with Sophos Central.
The Heartbeat changes back to Green, network access is returned, and access to resources is restored.
And all this happens automatically, in seconds. Thanks to Sophos Central and the Security Heartbeat.
Let’s dig into a few examples. First, we’ll show you how Synchronized Security blocks access to compromised systems when malicious traffic is detected.
The endpoint sends malicious traffic.
The firewall recognizes this and changes the heartbeat status.
The endpoint now has a “red” heartbeat.
The endpoint’s access to critical resources is blocked.
This prevents the attacker from accessing important resources from the compromised system.
Let’s see Synchronized Security in action. We’re going to demonstrate how we stop a ransomware attack on a server, but also automatically respond to ensure that the system is safe. In this example you’ll see multiple technologies work together to ensure the machine is safe
First, you can see the admin logging into Sophos XG Firewall. Our Heartbeats are all green, everything is good.
But let’s change that. Next we’ll log into our Windows Server. We’re going to attempt to infect this server with HydraCrypt ransomware. As you can see, Sophos is able to stop this ransomware attack. That’s good news, because otherwise our entire server would be encrypted and held hostage.
While the endpoint is being cleaned, the heartbeat is temporarily changed to red. This means the firewall will prevent access to and from this machine.
This coordinated defense system helps us outsmart attackers, and present them with a real challenge
If the attacker launches an attack as they normally would Sophos sees everything they do and stops the attack.
If the attacker attempts to disable Sophos Security a red health heartbeat is sent, and the endpoint is isolated.
If the attacker tries to disable the heartbeat the firewall detects this and isolates the endpoint.
In the case of missing heartbeat detection, the endpoint will automatically be isolated if the firewall detects traffic from the endpoint but the Heartbeat is missing. This distinguishes between, for example, a laptop that is truly offline and one that is online but whose Heartbeat has been disabled.
The same is true for other machines trying to access the compromised system. If the server has a missing heartbeat, or the heartbeat indicates red health other endpoints wouldn’t be able to access it.
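The isolation rules just described (red heartbeat, traffic with a missing heartbeat, and the server access heartbeat for a compromised destination) as a small decision model. This is an added illustration written for this page, not Sophos code: the heartbeat record layout, the 30-second staleness window, the host names and the `protected` set are assumptions chosen to make the example runnable offline.

```python
"""Illustrative model of heartbeat-driven network isolation (not Sophos code).

Assumptions: the firewall keeps the last reported health per managed host, a
heartbeat older than TTL seconds counts as missing, and a fixed set of
destinations is treated as protected servers.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Health(Enum):
    GREEN = "green"      # endpoint reports healthy
    YELLOW = "yellow"    # endpoint reports a warning (not used for blocking here)
    RED = "red"          # endpoint reports an active threat or agent tampering
    MISSING = "missing"  # host is known but no recent heartbeat was received


@dataclass
class HeartbeatTable:
    """Firewall-side record of the last heartbeat from each managed endpoint."""
    ttl: float = 30.0                               # assumed staleness window (seconds)
    last_seen: dict = field(default_factory=dict)   # host -> (health, timestamp)

    def report(self, host: str, health: Health, now: float) -> None:
        """Endpoint (via the management console) reports its health."""
        self.last_seen[host] = (health, now)

    def health(self, host: str, now: float) -> Health | None:
        """Current health; MISSING if the heartbeat went stale; None if unmanaged."""
        if host not in self.last_seen:
            return None
        health, seen = self.last_seen[host]
        return Health.MISSING if now - seen > self.ttl else health


def decide(table: HeartbeatTable, src: str, dst: str, now: float,
           protected: set[str]) -> tuple[str, str]:
    """Firewall verdict ("allow"/"block", reason) for one flow from src to dst.

    1. RED source -> isolate the endpoint.
    2. Known source sending traffic with no recent heartbeat -> isolate; a laptop
       that is truly offline never reaches this branch because it sends nothing.
    3. Protected destination whose own heartbeat is RED or missing -> block
       access to it from everyone (server access heartbeat).
    """
    src_h = table.health(src, now)
    if src_h is Health.RED:
        return "block", f"{src}: red heartbeat"
    if src_h is Health.MISSING:
        return "block", f"{src}: traffic seen but heartbeat missing"
    if dst in protected and table.health(dst, now) in (Health.RED, Health.MISSING):
        return "block", f"{dst}: compromised or silent server"
    return "allow", "healthy"


def incident_timeline() -> list[str]:
    """Replay GREEN -> RED -> clean-up -> GREEN, then the 'agent silenced' and
    'server compromised' cases; returns the verdict at each step."""
    fw = HeartbeatTable()
    servers = {"fileserver"}                       # assumed protected destination
    verdicts = []
    fw.report("laptop", Health.GREEN, 0)           # t=0: both hosts healthy
    fw.report("fileserver", Health.GREEN, 0)
    verdicts.append(decide(fw, "laptop", "fileserver", 1, servers)[0])
    fw.report("laptop", Health.RED, 5)             # t=5: malware detected, heartbeat RED
    verdicts.append(decide(fw, "laptop", "fileserver", 6, servers)[0])
    fw.report("laptop", Health.GREEN, 20)          # t=20: cleaned up, back to GREEN
    verdicts.append(decide(fw, "laptop", "fileserver", 21, servers)[0])
    # t=60: no heartbeat for 40 s (agent killed) yet the host is still sending traffic
    verdicts.append(decide(fw, "laptop", "fileserver", 60, servers)[0])
    fw.report("desktop", Health.GREEN, 61)         # t=61: server goes RED; a healthy
    fw.report("fileserver", Health.RED, 61)        # desktop is refused access to it
    verdicts.append(decide(fw, "desktop", "fileserver", 62, servers)[0])
    return verdicts


if __name__ == "__main__":
    steps = ["healthy", "malware detected", "cleaned up", "agent silenced", "server red"]
    for step, verdict in zip(steps, incident_timeline()):
        print(f"{step:16s} -> {verdict}")
```

The distinction the notes draw between an offline laptop and a silenced agent falls out of where the check runs: the firewall only evaluates a source when it sees a packet from it, so a stale heartbeat with no traffic produces no verdict at all, while a stale heartbeat plus traffic is treated as tampering.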
Synchronized Security also aids Sophos’ real-time insight and control, which includes:
Infrastructure visibility, seeing the security heartbeat and automatically responding if the health is in question
Machine, process and user data to gain insight into active threats
And Sophos’ Root Cause Analysis (RCA) shows the entire threat chain to see exactly what happened and determine the source of the attack
Let’s dig into some stories from real customers who have had success using Synchronized Security.
Our Strategy of an Ensemble of Protection with Synchronized Security is live, and is growing every day. Customers of all different sizes are taking advantage.
It started out with a Security Heartbeat communication between Endpoint and Firewall, but now we’ve expanded far beyond for Unparalleled protection and significantly reduced incident response time because having dozens of technologies working together is much stronger than any point product
Next we have the Diocese of Brooklyn….
Compelling event – looking for better visibility to scale, save costs
1000 Computers – CEA, CIX
50 Servers - Server Advanced
3 XG Firewalls, 5 SG UTM
2000 Reflexion licenses
And finally Mirato, a worldwide cosmetics company.
Compelling event: he was a single point of failure
Looking for automation to scale his effectiveness
100 Computers – CEA, CIX
Servers - Server Advanced
4 XG Firewalls (210, 310)
Thank you!
One customer that uses Synchronized Security is the Washakie County School District
Ransomware attack was compelling event
800 Computers – CEA, CIX, Phish
70 Access Points – Sophos Wireless
30 Servers – Server Advanced
3 XG Firewalls, Sophos Email
“In view of the most recent threats on the market such as Ransomware, we decided to move to Sophos Intercept X”
“It has solved many of our problems on our internet exposed servers”
“Sophos also has high-quality support in Italy and globally”
“it is a platform known to, installed by, and supported by all of my partners”
“Chitalay”
Synchronized Security is broader than the Heartbeat.
Technologies within the endpoint work together: when one technology spots something suspicious, it can kick off another technology to scan.
ATP on the firewall finds a bad URL or bad traffic but the source is unknown, so it asks the endpoint for detail: run a scan, or give me the process info.