News
XG Firewall v18 is here, and with it comes a slew of terrific new features that address the visibility, protection, and performance problems organizations face every day.
One of the more exciting enhancements v18 adds is Central Firewall Reporting (CFR), Sophos’ new cloud-based reporting tool.
Sophos CFR enables customers to create historical reports on network activity with a great deal of customization. It’s extremely flexible, and it’s included for free on any XG Firewall capable of running the v18 firmware.
Greater insight through analytics
If you are in any way responsible for your organization’s network, here’s a simple question to ask yourself:
Do I have a good understanding of the user activities, applications, network events, risks, and performance in our security environment?
If you don’t or the solution you’re using only scratches the surface, a reporting tool that provides deeper insight in these areas could be just what you need. Armed with deeper analytics, you can implement policy changes to drive efficiencies that enhance productivity while also protecting against cyber threats.
Flexible, customizable reporting
Creating reports on the topics that are important to you should be easy, and with CFR it is.
An integral component of Sophos Central, Central Firewall Reporting provides organizations with a flexible set of options to capture network activity through your Sophos Central account and XG Firewall.
Using the interactive dashboard, you can drill down into the syslog data for a granular view that is presented in a visual format for easy understanding. The data can then be analyzed for trends that could lead to gaps in security, requiring policy changes.
Key features in Central Firewall Reporting
With Central Firewall Reporting, you can create reports to fit your needs using one of the pre-defined report templates and customizing it the way you want. Here are some of the key features:
- Up to seven days of historical reporting
- Rich, granular data organized into easy-to-understand reports
- Pre-defined, out-of-the-box report templates
- Flexible report table and charts allow you to customize each report
- Report Dashboard provides an at-a-glance view from the XG Firewall for network operational health, policy control events, and all security-driven events
- Visual representation of data displayed in graphical form
- Search and retrieval of all log data from the XG Firewall
What’s next for CFR?
Because Central Firewall Reporting is cloud-based, we’ll roll out additional features and report templates without requiring any firmware update to your XG Firewall. Even bigger, however, is a new reporting service with more features and built-in reports.
Complementing the free version of Central Firewall Reporting, CFR Premium is a “for pay” service that unlocks more capabilities and built-in report templates along with historical reporting up to one year.
CFR Premium is designed for organizations with more connected devices that generate larger amounts of syslog data and want the flexibility to add storage capacity as needed. Look out for the launch in the coming months.
In the meantime, try out the free version to see the types of custom reports you can create and the insights you’ll get into network activity. For more information, see the CFR web page on our website.
XG Firewall v18 is now available, and it’s sporting the all-new Xstream Architecture, which delivers extreme levels of visibility, protection and performance.
We’ve packed this release with new and enhanced features for you, including:
- Xstream SSL inspection. Get unprecedented visibility into your encrypted traffic flows, support for TLS 1.3 without downgrading, powerful policy tools, and supreme performance.
- AI-powered threat intelligence. Extend your protection against zero-day threats and emerging ransomware variants with multiple best-in-class machine learning models and unmatched insights into suspicious files entering your network.
- Application acceleration. Optimize network performance by putting your important application traffic on the fast path through the firewall and routing it reliably out through your preferred WAN connection.
Watch the overview video to see everything that’s new in XG Firewall v18:
Sophos Central
XG Firewall v18 also includes support for all new central management, reporting, and deployment options launching on Sophos Central next week:
- Group firewall management. Easily keep your full estate of firewalls consistent using groups that automatically keep policies, objects, and settings synchronized.
- Central reporting. Network activity and insights across all your firewalls are now at your fingertips in Sophos Central, with several pre-packaged reports and flexible reporting tools to create your own.
- Zero-touch deployment. Conveniently set up a new firewall in Sophos Central, export the config, load it on a flash drive and have your new firewall automatically connect back to Sophos Central without having to touch it.
And, there’s more!
In addition, there are also a ton of other new features that will enhance your protection, visibility, management experience, and network versatility:
- Synchronized SD-WAN brings the power of Synchronized Security to reliably and accurately route application and user-based traffic over your preferred WAN links
- Firewall, NAT, and SSL Inspection rules and policies are now more powerful, flexible and easier to work with than ever before
- Plug-and-play high-availability (HA) makes it easy to enable business continuity and adds peace-of-mind – simply connect two XG Series appliances together and you’ll be up and running in no time
- Real-time flow monitoring provides at-a-glance insights into active bandwidth consuming hosts, applications, and users
- Expanded notifications and alerts ensure you never miss an important network security event whether it’s related to a threat, service, or important performance metric
How to get XG Firewall v18
As usual, this firmware update comes at no charge for licensed XG Firewall customers. The firmware will be rolled out automatically to all systems over the coming weeks, but you can manually update at any time via MySophos.
Head on over to the XG Firewall Community Blog to get the full release notes.
Also check that your current hardware appliance supports v18.
Making the most of your new XG Firewall features
Free online training – available to all XG Firewall customers, our delta training program will help you make the most of the new features in XG Firewall v18.
It walks you through the key enhancements since v17.5 and takes about 90 minutes to complete. Get started on the XG Firewall training program.
Customer resources and how-to videos – be sure to visit the Customer Resource Center for the latest how-to videos and links to documentation, the community forums, training and other resources.
Take advantage of Partner and Sophos Professional Services: To augment your local Sophos partner’s services, we offer services to help you get up and running and make the most of your XG Firewall, including the latest capabilities in v18.
While Sophos Professional Services can help with any task, here are the most common services they provide:
- XG Firewall deployment and setup
- XG Firewall v18 DPI, FastPath and SSL Engine Optimization
- XG Firewall Health Checks
Here are some direct links to helpful resources:
- Customer Training Portal (free Delta Training)
- Customer Resource Center (with how-to videos)
- Community Forum Recommended Reads
- What’s New and Release Notes
- XG Firewall v18 Complete Documentation
New to XG Firewall?
If you’re new to XG Firewall, see how it provides the world’s best network visibility, protection and response on the new XG Firewall website.
We have all seen films where the defences of a medieval castle prevent the attackers from gaining entry – the deep moat, unscalable walls and impenetrable portcullis. From within the castle, the firing of arrows, cannons and boiling oil poured onto the attackers all help protect the castle residents inside.
In many ways, many commercial, defence and intelligence organisations have treated their IT networks in the same way – protect the perimeter, and your information inside will remain safe. Unfortunately, today this isn’t the case; the perimeter protecting your information is widening. With the boom of cloud services, an increasingly mobile workforce and the need to share information, protecting the perimeter becomes even more difficult when we’re unsure exactly where the perimeter is, and the more doors we open in our perimeter, the harder it becomes to protect.
We still need to protect the perimeter using our existing network-centric security tools, but also need to protect the information we store inside our network. An information-centric approach uses classification and encryption to protect the information wherever it moves, placing less importance on where your information resides.
Classification of your information at the point of creation is key to the success of information-centric security; this is very familiar to the defence and intelligence communities but may require an important mindset change to some commercial organisations. Once your information is correctly classified, you begin to understand the sensitivity of your information, and can treat it accordingly – a document containing project plans is more sensitive than a document with today’s restaurant menu, for example.
Metadata is the usual method for storing the classification with your information, but to protect the information the classification must be cryptographically bound to it (this prevents a sensitive document from simply being relabelled as non-sensitive). Also, to facilitate information sharing, the metadata cannot be bespoke to your organisation; otherwise sharing information is made more difficult by classification metadata the recipient cannot read.
With the information classified and protected using a common format, the organisation can now begin to apply access control policies to control the flow of information throughout the entire network. Who needs access to the information, the location of the user, the type of device they are using are all factors that may affect whether a user has access to the sensitive project plan document.
The ability to control the sharing of information is made easier with information-centric security. Beyond that, rights management technology can be applied (using an open standard) to control access to the information after it has been shared, as we may only want to share sensitive information externally for a limited time.
Data is the building block of information, and it is information we use in our everyday lives. By adopting an information-centric security approach, we can begin to control, protect and monitor our data wherever it resides.
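As an added illustration of the argument above (example code, not from the original article), the following Python binds a classification label to a document with an HMAC so that editing the label invalidates it, and then applies an access policy that considers clearance, device and location. The key, level names and policy rules are assumptions made for the example; a cross-organisation scheme would use a signature under an open standard rather than a shared secret.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed key for the example only. A real deployment would hold a signing
# key in an HSM/KMS so other organisations can verify labels without a shared secret.
ORG_KEY = b"constructed-example-key-not-for-production"

# Classification levels, lowest to highest (assumed names).
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "SECRET": 3}


def _bound_message(meta: Dict[str, str], content: bytes) -> bytes:
    """Serialise label + content with a length prefix so bytes cannot shift between the two."""
    meta_bytes = json.dumps(meta, sort_keys=True).encode()
    return len(meta_bytes).to_bytes(4, "big") + meta_bytes + content


def label_document(content: bytes, classification: str, owner: str) -> dict:
    """Attach classification metadata and bind it to the content with an HMAC-SHA256 tag."""
    if classification not in LEVELS:
        raise ValueError(f"unknown classification {classification!r}")
    meta = {"classification": classification, "owner": owner}
    tag = hmac.new(ORG_KEY, _bound_message(meta, content), hashlib.sha256).hexdigest()
    return {"meta": meta, "content": content, "tag": tag}


def verify_label(doc: dict) -> bool:
    """True only if neither the label nor the content was altered after labelling."""
    expected = hmac.new(ORG_KEY, _bound_message(doc["meta"], doc["content"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, doc["tag"])


@dataclass
class AccessContext:
    user: str
    clearance: str      # one of LEVELS
    location: str       # "office" or "remote"
    device: str         # "managed" or "unmanaged"


def access_decision(doc: dict, ctx: AccessContext) -> Tuple[bool, str]:
    """Policy: verified label first, then clearance, then device/location for higher levels."""
    if not verify_label(doc):
        return False, "label integrity check failed"
    level = LEVELS[doc["meta"]["classification"]]
    if LEVELS.get(ctx.clearance, -1) < level:
        return False, "insufficient clearance"
    if level >= LEVELS["CONFIDENTIAL"] and ctx.device != "managed":
        return False, "confidential data requires a managed device"
    if level >= LEVELS["SECRET"] and ctx.location != "office":
        return False, "secret data may only be opened in the office"
    return True, "allowed"


def downgrade_attempt(doc: dict, new_classification: str) -> dict:
    """Simulate editing the metadata to make a sensitive document look harmless."""
    return {"meta": dict(doc["meta"], classification=new_classification),
            "content": doc["content"], "tag": doc["tag"]}


if __name__ == "__main__":
    plan = label_document(b"Q3 project plan (constructed sample)", "CONFIDENTIAL", "alice")
    print(verify_label(plan))                                # True
    print(verify_label(downgrade_attempt(plan, "PUBLIC")))   # False: the label is bound
    print(access_decision(plan, AccessContext("bob", "SECRET", "remote", "unmanaged")))
```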
This three-day training program is designed for experienced technical professionals who want to install, configure and support the XG Firewall in production environments, and is the result of an in-depth study of Sophos’ next-generation firewall. The program consists of presentations and practical workshops that reinforce the teaching content. Due to the nature of the training and the varied experience of the trainees, open discussion is encouraged during the training.
(3 days Training)
Tuesday 17 March 2020 – Thursday 19 March 2020
Requirement
XG Firewall Certified Engineer course and delta modules up to version 18.0
Recommended Knowledge
Knowledge of networking to a CompTIA N+ level
Knowledge of IT security to a CompTIA S+ level
Experience configuring network security devices
Be able to troubleshoot and resolve issues in Windows networked environments
Experience configuring and administering Linux/UNIX systems
Content
Module 1: Deployment
Module 2: Base Firewall
Module 3: Network Protection
Module 4: Synchronized security
Module 5: Web server Protection
Module 6: Site to site connections
Module 7: Authentications
Module 8: Web Protection
Module 9: Wireless
Module 10: Remote Access
Module 11: High Availability
Module 12: Public Cloud
Certification
+ exam: Sophos XG Architect
Duration: 3 Days
Agenda
Trainer: Micheal Eleftheroglou
Day 1 Tuesday 17th March 2020
9:30-10:45 Module 1: Deployment and Lab
- Recall important information from Engineer courses
- Deployment modes supported by the XG Firewall
- Understand a range of scenarios where each deployment mode would commonly be used
- Use built-in tools to troubleshoot issues
- Labs
10:45-11:00 Break
11:00-13:00 Module 2: Base Firewall
- Explain how the XG Firewall can be accessed
- Understand the types of interfaces that can be created
- Understand the benefits of Fast Path Technology
- Configure routing per firewall rule
- Understand best practice for ordering firewall rules
- Explain what a Local NAT policy is and know how to configure it
13:00-14:00 Break
14:00-16:00 Base Firewall
- Activate the Sophos XG Firewalls
- Post installation Configuration
- Bridge interfaces
- Create a NAT rule to load balance access to servers
- Create a local NAT policy
- Configure routing using multiple WAN links
- Configure policy-based routing for an MPLS scenario
- Install Sophos Central
16:00-16:15 Break
16:15-17:15 Module 3: Network Protection and Lab
- Explain what IPS is and how traffic can be offloaded to Fastpath
- Demonstrate how to optimize workload by configuring IPS policies
- Examine advanced Intrusion Prevention and optimize policies
- Configure advanced DOS Protection rules
- Demonstrate how the strict policy can be used to protect networks
- Labs- Create Advanced DoS Rules
Day 2 Wednesday 18th March 2020
9:30-11:00: Module 4: Synchronized Security and Labs
- Explain how Security Heartbeat works
- Configure Synchronized Security
- Deploy Synchronized Security in discover and inline modes
- Understand the advantages and disadvantages of deploying Synchronized Security in different scenarios
- Labs
- Configure source-Based Security
- Heartbeat firewall rules
- Destination based Security Heartbeat
- Missing Security Heartbeat
- Lateral Movement Protection
11:00-11:15 Break
11:15-13:45 Module 5: Web Server Protection and Labs
- Explain how Web Server Protection works
- Describe protection features for a web application
- Configure Web Server authentication
- Publish a web service using the Web Application Firewall
- Use the preconfigured templates to configure Web Server Protection for common purposes
- Configure SlowHTTP protection
- Labs (Web Application Firewall)
- Labs (Load balancing with Web Server Protection)
- Labs (Web Server Authentication and path-specific routing)
13:45-14:45 Break and Lunch
14:45-17:45 Module 6: RED Management
- Configure and deploy site to site VPNs in a wide range of environments
- Implement IPsec NATing and failover
- Check and modify route precedence
- Create RED tunnels between XG firewalls
- Understand when to use RED
- Labs (Create an IPsec site to site VPN)
- Labs (Configure VPN network NATing)
- Labs (Configure VPN failover)
- Labs (Enable RED on the XG firewall)
- Labs (Create a RED tunnel between two XG Firewalls)
- Labs (Configure routing for the RED tunnel)
- Labs (Configure route-based VPN)
Day 3 Thursday 19th March 2020
9:00-10:00 Module 7: Authentications and Labs
- Demonstrate how to configure and use RADIUS accounting
- Deploy STAS in large and complex environment
- Configure SATC and STAS together
- Configure Secure LDAP and identify the different secure connections available
- Labs (configure an Active Directory Authentication server)
- Labs (configure single sign-on using STAS)
- Labs (Authenticate users over a site to site VPN)
10:00-11:15 Module 8: Web Protection
- Choose the most appropriate type for web protection in different deployment scenarios
- Enable web filtering using the DPI engine or legacy web proxy
- Configure TLS inspection using the DPI engine or legacy web proxy
- Labs (Install the SSL CA certificate)
- Labs (Configure TLS inspection rules)
- Labs (Create a custom web policy for users)
11:15-11:30 Break
11:30-12:15 Module 9: Wireless
- Explain how Sophos Access Points are deployed and identify some common issues
- Configure RADIUS authentication
- Configure a mesh network
12:15-13:05 Module 10: Remote Access
- Configure Sophos Connect and manage the configuration using Sophos Connect Admin
- Configure an IPsec remote access VPN
- Configure an L2TP remote access VPN for mobile devices
- Labs (Sophos Connect)
13:05-14:25 Module 11: High Availability
- Explain what HA is and how it operates
- Demonstrate how to configure HA and explain the difference between quick and manual configuration
- List the prerequisites for high availability
- Perform troubleshooting steps and check the logs to ensure that HA is set up correctly
- Explain the packet flow in high availability
- Demonstrate how to disable HA
- Labs (Create an Active-Passive cluster)
- Labs (Disable High Availability)
14:25-15:05 Break and Lunch
15:05-16:15 Module 12: Public Cloud and Labs
- Deploy XG Firewall in complex network environments
- Explain how XG Firewall processes traffic and use this information to inform the configuration
- Configure advanced networking and protection features
- Deploy XG firewall on public cloud infrastructure
- Labs (Put a service in debug mode to gather logs)
- Labs (Retrieving log files)
- Labs (Troubleshoot an issue from an imported configuration file)
- Labs (Deploy an XG Firewall on Azure (simulation))
16:15 (Exams)
The new Xstream architecture in XG Firewall v18 includes a brand-new, high-performance SSL inspection solution that offers the industry’s best visibility into encrypted traffic flows, support for TLS 1.3 without downgrading, and exceptionally high levels of performance.
With the volume of encrypted traffic now close to 80% and growing steadily, SSL inspection is a top concern for many organizations. And rightly so.
This volume of encryption not only creates a huge blind spot that hackers exploit, but has also pushed most firewalls beyond their capabilities. Many organizations are unable to do much about the problem, with the result that their firewalls have effectively become obsolete.
The new Xstream architecture of XG Firewall, however, has been designed for the modern encrypted internet.
Outstanding visibility into encrypted traffic flows
XG Firewall is unique in providing an unprecedented level of visibility into encrypted traffic flows. As soon as you log in, you can see at a glance the volume of encrypted traffic on your network, how much of it is being actively decrypted, and whether there are any compatibility problems.
With just a few clicks you can also resolve any potential issues to ensure an excellent user experience.
Exceptional security focus and support for TLS 1.3 (without downgrading)
Most firewall and UTM vendors will claim that they provide TLS 1.3 support, yet in reality they downgrade encrypted sessions to TLS 1.2. XG Firewall was designed to take on the demands of the modern encrypted internet with full support for the TLS 1.3 standard.
TLS 1.3 is the latest standard for all the right reasons: it resolves important security and performance issues that exist with TLS 1.2. Downgrading creates an opening for attacks and reduces performance.
With TLS 1.3 support constantly growing among major web servers and hosting organizations, nobody should consider buying a firewall today without proper support for the TLS 1.3 standard.
XG Firewall also offers, among other things, the industry’s best controls for managing insecure and older cipher suites, thanks to the comprehensive options available as part of the new Decryption Profiles that can be used in TLS inspection rules.
You have full enterprise-grade controls to strike the perfect balance between security, privacy, performance and compliance for your organization and business.
Outstanding performance
The new Xstream architecture in XG Firewall v18 delivers outstanding performance across all firewall functions, including SSL inspection.
The new packet-processing architecture includes a brand-new streaming deep packet inspection engine that provides not only high-performance SSL decryption but also hands-off content decryption for IPS, web protection, AV (antivirus), and application identification and control, all from a single engine.
Using the latest machine-learning models, the new threat intelligence service also analyzes incoming files containing active code in real time to detect threats that are unknown and have not yet been seen, keeping the latest ransomware payloads and other threats out of your corporate network.
With the new Xstream SSL Inspection feature in XG Firewall v18, encrypted files can no longer “hide” threats that might slip past your network firewall unnoticed.
Where to learn more
For more information on the challenges most firewalls face in properly inspecting encrypted TLS traffic, the huge blind spot this creates, and how hackers increasingly use encryption to their advantage, you can read the latest Sophos report: Has encryption made your existing firewall irrelevant?
If you are not familiar with XG Firewall, take a look at all the other benefits it provides for the visibility, protection and performance of your network and get started right away with an online demo.
CRN, a brand of The Channel Company, recently unveiled its 100 Coolest Cloud Companies of 2020, and Sophos has made the list as a top cloud security vendor.
We were selected for our innovation in product development, the quality of our services and partner programs, and our success in helping customers save money and maximize the impact of their cloud computing technology.
We were also recognized for enabling organizations to manage a multi-layered security strategy across the office, data center and cloud from a single console, Sophos Central.
With our cloud tools you can protect AWS, Azure, GCP, Kubernetes and infrastructure as code environments from the latest malware, ransomware and vulnerabilities.
We provide next-gen server workload protection, virtual firewall series and Sophos Cloud Optix, a powerful tool that automates and simplifies the detection and response of cloud security vulnerabilities and misconfigurations to reduce risk exposure.
Among the many differentiators offered by our public cloud security suite is the AI at the heart of Cloud Optix. Instead of inundating teams with massive numbers of undifferentiated alerts, Cloud Optix uses AI to significantly reduce alert fatigue and shrink incident response and resolution times.
It does this by identifying and risk-profiling security and compliance risks, issuing contextual alerts that group affected resources, and providing detailed remediation steps, including direct links to the cloud provider’s console. This ensures teams focus on and fix their most critical security vulnerabilities fast.
In addition, Cloud Optix makes software development fast and secure with API-driven architecture that seamlessly integrates with existing DevOps tools and processes.
It analyzes infrastructure as code templates at any stage of the development pipeline automatically or on-demand, and ensures templates do not introduce vulnerabilities that could be exploited in a cyberattack. This proactive approach helps organizations meet security and compliance standards.
Bob Skelley, CEO of The Channel Company, said of the awards:
“The IT channel relies on cloud services as the foundation for building modern, transformational solutions. CRN’s annual list of 100 Coolest Cloud Companies seeks to honor the top cloud providers, whose mission and actions support innovation in cloud-based technologies. Our team congratulates these honorees and thanks them for their commitment to leading positive change in cloud technology”.
Receiving praise from trusted third parties in cloud security isn’t new for us though. Cloud Computing magazine recently announced us as a winner of the 2019 Cloud Computing Security Excellence Award, and honoured Cloud Optix in two categories: those that most effectively leverage cloud platforms to deliver network security, and those providing security for cloud applications.
We give away free software so you can always stay safe. Check for security risks, remove viruses and protect your network. Try out our free tools below.
Sophos Home for PCs and Macs
Protect all the computers in your home with the free Sophos Home. The same antivirus, malware protection, and web filtering technology trusted by hundreds of thousands of businesses is now yours to take home.
- Stop malware, viruses, ransomware, and malicious apps
- Block unwanted web content, phishing attacks
- Easily manage remote computers from virtually anywhere
- Works on both Windows PCs and Macs
Download
Intercept X for Mobile

Device
Intercept X for Mobile continuously monitors for and alerts users and IT administrators to signs of potential compromise so they can rapidly remediate issues and automatically revoke access to corporate resources. Compliance checks detect jailbreaking, rooting, encryption status, and more, informing users and IT administrators of necessary operating system updates. Device health check recommendations further guide security settings.
Network
Intercept X for Mobile monitors network connections for suspicious activity in real time, warning users and IT administrators of potential Man-in-the-Middle (MitM) attacks. Web filtering and URL checking also stop access to known bad sites, and SMS phishing detection spots malicious URLs.
Apps
Intercept X for Mobile detects malicious and potentially unwanted applications installed on devices, protecting against malware, ransomware and fleeceware.
Download Google Play | Apple App Store

HitmanPro – Malware Removal Tool
Our malware removal tool for Windows scans your entire computer for any issues, and if anything is found, you’ll have a free 30-day license to remove the threat. Don’t wait until you get infected, you can run it anytime to see how well your current antivirus or endpoint protection software is performing.
- Removes viruses, Trojans, rootkits, spyware, and other malware
- No setup or install needed
- Free second opinion scanner tells you what was missed
Download Business | Home
Sophos XG Firewall Home Edition

Give your home network a much needed security boost. The Home Edition of the Sophos XG Firewall features full protection for your home network, including anti-malware, web security and URL filtering, application control, IPS, traffic shaping, VPN, reporting and monitoring, and much more.
- Full protection for your home users and your home network
- Integrated, hardened Linux operating system
- Runs on Intel-compatible hardware
Download

Virus Removal Tool
Our free Virus Removal Tool is a quick and easy way to find and get rid of any threats lurking on your computer. Our tool identifies and cleans up infections your antivirus might have missed.
- Removes viruses, Conficker, rootkits, and fake antivirus
- Supports Windows XP SP2 and up
- Works alongside your existing antivirus
Download
Sophos UTM Home Edition

This software version of the Sophos UTM Firewall features full network, web, mail and web application security, with VPN functionality, for as many as 50 IP addresses. The Sophos UTM Home Edition contains its own operating system and overwrites all data on the computer during the installation process. Therefore, a separate, dedicated computer is needed.
- Fully-equipped software version of the Sophos UTM appliance
- Full web application security with VPN
- Protects up to 50 IP addresses
Download

Sophos Antivirus for Linux Free Edition
Protect your mission-critical Linux servers and stop all threats—even those designed for Windows. We keep our antivirus light and easy, so your Linux servers can remain lightning fast. It works quietly in the background with your choice of scanning on-access, on-demand or on a schedule.
- Finds and blocks malware
- Installs easily and runs quietly
- Supports the most popular Linux distributions
- Upgradeable for support and centralized management
Download
Phishing emails impersonating well-known brands and VIPs within an organization are a big problem for security teams to deal with. So, we’re excited to announce that you’ll now be able to detect and block these impersonation attacks with Sophos Email Advanced.
Email impersonation phishing attacks in action
In our latest study, we found that five out of ten organizations view malicious emails as their top security concern, with 53% experiencing a phishing attack in the past twelve months.
Impersonation attacks are often the hardest to combat, and usually with no malicious payload to detect. In these attacks, criminals regularly try to deceive employees, using the name of a trusted sender to encourage victims to reply, click a link, open an attachment, and so on.
Relying on users to merely scan email sender addresses, these attacks use simple display name forgery to change the visible part of the email address that we see in many common email clients.
Changing the display name to that of a trusted brand or a senior executive within the organization is a simple but effective technique for attackers.
These attacks rain down from free email accounts and, in more targeted attacks, are known to use lookalike domain names similar to the corporate domain.
The latest highlights
The most recent enhancement for Sophos Email Advanced offers crucial protection against these impersonation phishing attacks as well as several great advancements:
- Compares the display name of inbound emails to the display names of commonly abused cloud service brands and to VIPs within the customer’s organization to check for matches. These could be the CEO, CFO, HR Director, etc.
- Provides a simple wizard to identify and add VIPs within the organization to your policy for analysis with all inbound messages.
- Compares header information, analyzing the display name in relation to the full email address and domain name used, to identify free email domains, lookalike domains of popular cloud services such as Microsoft, Amazon, and VIP name impersonation attempts.
Identifying VIPs
VIPs are employees in the organization who are most likely to be impersonated by phishing attackers.
While all users will receive the same protection, the system will look for external senders impersonating your VIPs, and you can add up to 200 VIPs to the list.
Creating a VIP list in Sophos Central couldn’t be simpler. You can choose to “Add VIPs” by searching your user list for known individuals.
Alternatively, if Active Directory synchronization has been enabled, select “Help me find VIPs” and Sophos Email will look for users with titles that are in line with job roles most likely to be impersonated:
- CEO
- President
- Chief Financial Officer
- CFO
- Finance Director
- Human Resources Director
- HR Director
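The display-name and header checks described above (VIP and brand name matching, free mail domains, lookalike domains, and the policy actions they trigger), as an added Python example that is not Sophos’ code: the VIP list, brand list, organisation domain, free-mail set and sample headers are all constructed for the example.

```python
import re
from email.utils import parseaddr
from typing import List, Tuple

# Constructed configuration for the example; these are not Sophos' real lists.
ORG_DOMAINS = {"example.com"}                       # the customer's own domains
VIPS = {"Jane Doe": "CEO", "John Roe": "CFO"}       # VIP display names to protect
PROTECTED_BRANDS = {"microsoft": {"microsoft.com"}, "amazon": {"amazon.com"}}
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
LOOKALIKE_MAX_EDITS = 2


def _norm(text: str) -> str:
    """Collapse whitespace and case so 'jane  DOE' matches 'Jane Doe'."""
    return re.sub(r"\s+", " ", text).strip().lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_from_header(from_header: str) -> List[str]:
    """Return the findings for one From: header (an empty list means nothing suspicious)."""
    display_name, addr = parseaddr(from_header)
    name = _norm(display_name)
    domain = addr.rpartition("@")[2].lower()
    if domain in ORG_DOMAINS:
        # Internal sender: assumed to have passed SPF/DKIM/DMARC checks upstream.
        return []
    findings: List[str] = []
    # 1. Display name matches a VIP but the mail comes from outside the organisation.
    if name in {_norm(v) for v in VIPS}:
        findings.append(f"vip-impersonation:{display_name}")
    # 2. Display name invokes a protected brand from a domain the brand does not own.
    for brand, legit_domains in PROTECTED_BRANDS.items():
        if brand in name and domain not in legit_domains:
            findings.append(f"brand-impersonation:{brand}")
    # 3. Context: an impersonating display name sent from a free webmail provider.
    if findings and domain in FREE_MAIL_DOMAINS:
        findings.append(f"free-mail-domain:{domain}")
    # 4. Lookalike of the organisation's or a protected brand's domain.
    for real in ORG_DOMAINS.union(*PROTECTED_BRANDS.values()):
        if domain != real and edit_distance(domain, real) <= LOOKALIKE_MAX_EDITS:
            findings.append(f"lookalike-domain:{domain}~{real}")
    return findings


def decide_action(findings: List[str]) -> str:
    """Map findings to the kind of policy action the article lists (assumed mapping)."""
    if any(f.startswith(("vip-impersonation", "brand-impersonation")) for f in findings):
        return "quarantine"
    if any(f.startswith("lookalike-domain") for f in findings):
        return "warn-banner"
    return "deliver"


def triage(from_header: str) -> Tuple[str, List[str]]:
    findings = analyze_from_header(from_header)
    return decide_action(findings), findings


# Constructed sample From: headers.
SAMPLES = [
    '"Jane Doe" <jane.doe.ceo@gmail.com>',
    'Microsoft Account Team <security@rnicrosoft-login.com>',
    'Jane Doe <jane.doe@example.com>',
    'IT Helpdesk <helpdesk@examp1e.com>',
    'Amazon <no-reply@amazon.com>',
]

if __name__ == "__main__":
    for hdr in SAMPLES:
        print(f"{hdr!r:58} -> {triage(hdr)}")
```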
Acting on the threat
This new service allows email administrators to act on potential threats with policy controls to quarantine suspicious messages, tag the subject line, delete them or warn users with a banner added to inbound emails.
The enhanced “At Risk Users” report gives a deeper level of visibility into these phishing threats. It provides a breakdown of phishing impersonation attempts received, as well as any users who have either been warned or blocked from visiting URLs with malicious content. Drill-down levels provide further insight, including:
- Number of impersonation emails received per user, so you can easily see who is most targeted
- Impersonation type: VIP or brand impersonation
- Summary information for each phishing email including display name and email address used, and whether the recipient replied
- Full visibility of email header, message content and attachment types
Superior phishing protection
The level of phishing protection added to Sophos Email in this latest release offers incredible value, with simple controls that help ensure protection is in place quickly.
Social engineering
Suspicious messages can be blocked, quarantined, tagged in the subject line or have a warning banner added.
As well as the new impersonation protection, Sophos Email scans all inbound email in real-time, searching for key phishing indicators with SPF, DKIM and DMARC authentication techniques and email header anomaly analysis.
Malicious URLs and attachments
Real-time malicious URL detection and AI-powered sandboxing.
For phishing protection against malicious URLs or attachments that may contain malware, Sophos Email provides real-time URL scanning and Time of Click URL rewriting to analyze any URL before it gets clicked. Then Sophos Sandstorm, our AI-powered cloud sandbox, detonates suspicious files to ensure malware never reaches the inbox.
User education
Intelligent cybersecurity awareness training.
Sophos Synchronized Security connects Sophos Email to Phish Threat, the Sophos phishing simulation and training platform.
Users who have been warned or blocked from visiting a risky website or replying to a spear phishing email are identified and then seamlessly enrolled onto targeted phishing simulations and training to improve awareness. A Phish Threat license is required.
To find out more visit the Sophos Email Security page.
The term “classification” has been thrown around progressively by software companies that offer related products like data governance and DLP. In some cases, the vendor will define “classification” as the ability to discover and protect data, which is a very new and misleading use of the word. Traditionally “classification” was related to visual and metadata markings, like the control markings used by the intelligence community. Outside of that community, a full range of standard classifications and their related markings can be found in the CUI (controlled unclassified information) handbook. CUI is just one of many classification systems that involve markings. In other words, those systems require that the data is somehow “marked.” Protecting a file with DLP or encryption is not the same thing as “marking” the file as confidential.
For those who are unfamiliar with classification, it can be confusing when certain terms are thrown around. For instance, what is the difference (if any) between classifications, values, file properties, metadata markings, visual markings, and marking formats? Let’s look at a real world example, and put these terms into context.
If a sensitive document is marked with [TOP SECRET] in the header, then we could say that the classification is “top secret”, which in an abstract way is describing an option within a category. In the Classifier Admin console, those categories are called “selectors” and the options are called “values.” So the value might be “top_secret”, and there can be alternate values, like “TOP SECRET”. When those values are written to locations, like the header in MS Word, they can be formatted using any combination of fonts, font sizes, colors, justification, brackets and other punctuation. In other words, placing [TOP SECRET] in the header requires a marking format that writes the classification value in all caps and encapsulates it in brackets.
Markings that appear in the header are considered to be visual markings (aka visible markings). Any non-visual marking is called a metadata marking. Classifier, for instance can place metadata in the file properties (document properties and custom document properties) of a Word document. This metadata may use the same “[TOP SECRET]” marking format that was used for the header. As an alternative, the metadata can be more encoded, e.g., [xyzTopSecx] or [TS]. The Classifier label detection mechanism (and other software, e.g., DLP and data governance tools) will be configured to equate those markings with the “top secret” level. If the DLP detects [xyzTopSecx] in the keywords document property, then the file will be protected from leaving the organisation.
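The selector/value/marking-format terms and the label detection step just described, as an added example that is not Classifier's or any DLP product's code: one selector with values and alternate markings, a marking format that renders a value into a header string, and a detector that reads visual (header) and metadata (document property) markings back to a single value and flags disagreements between them. The scheme, property names and sample document are constructed.

```python
"""Marking formats and label detection for a classification selector (added example)."""
import re

# One selector with its values; each value lists the alternate marking strings
# that detection should equate with it (constructed scheme, most restrictive first)
SELECTOR = "classification"
VALUES = {
    "top_secret":   ["TOP SECRET", "TS", "xyzTopSecx"],
    "confidential": ["CONFIDENTIAL", "C"],
    "public":       ["PUBLIC", "P"],
}
ORDER = list(VALUES)  # index 0 = most restrictive


def render_marking(value, template="[{text}]", alternate=0, upper=True):
    """Apply a marking format: choose an alternate string, set case, wrap in punctuation."""
    text = VALUES[value][alternate]
    text = text.upper() if upper else text
    return template.format(text=text)


def _normalize(text):
    """Drop bracket/underscore decoration, collapse whitespace and case-fold."""
    return re.sub(r"[\[\]\(\)\{\}\s_-]+", " ", text).strip().lower()


# Reverse index: normalized marking string -> value
_LOOKUP = {_normalize(alt): value for value, alts in VALUES.items() for alt in alts}


def detect_value(marking):
    """Return the value a marking string stands for, or None if it is not a known marking."""
    return _LOOKUP.get(_normalize(marking))


def _markings_in(text):
    """Bracketed tokens in the text, or the whole text when it carries no brackets."""
    found = re.findall(r"\[([^\]]+)\]", text)
    return found if found else [text]


def detect_document(header_text, properties):
    """Read the visual marking (header) and metadata markings (document properties).

    Returns the most restrictive value found, where each marking came from, and
    whether the sources disagree (a mismatch a DLP rule should treat as suspicious).
    """
    sources = {}
    for token in _markings_in(header_text):
        value = detect_value(token)
        if value:
            sources.setdefault("header", value)
    for prop, text in properties.items():
        for token in _markings_in(str(text)):
            value = detect_value(token)
            if value:
                sources.setdefault(prop, value)
    if not sources:
        return {"value": None, "sources": sources, "conflict": False}
    values = set(sources.values())
    return {"value": min(values, key=ORDER.index), "sources": sources,
            "conflict": len(values) > 1}


def dlp_should_block(result, threshold="confidential"):
    """Block when the detected value is at least as restrictive as the threshold."""
    value = result["value"]
    return value is not None and ORDER.index(value) <= ORDER.index(threshold)


# Constructed sample document: a header marking plus Word-style document properties
SAMPLE_HEADER = "[TOP SECRET]  Q3 board pack"
SAMPLE_PROPS = {
    "keywords": "[xyzTopSecx]; finance",   # encoded metadata marking
    "Classification": "top_secret",        # custom document property
    "comments": "draft",
}

if __name__ == "__main__":
    print(render_marking("top_secret"), render_marking("top_secret", "({text})", 1))
    result = detect_document(SAMPLE_HEADER, SAMPLE_PROPS)
    print(result, "block:", dlp_should_block(result))
```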
“Classification” products must be able to read and write labels in the manner described above. The alternative is that data is simply discovered and protected. Fingerprinting might be the closest substitute to classification. At first glance fingerprinting gives us a way to track and identify specific files. That is a powerful value add that can be important in certain use cases. The challenge is that the fingerprint database can be large, and communications can take excessive bandwidth (depending on how it’s used). Furthermore, fingerprinting is typically on or off. Either the fingerprint is applied or not. There is no “public fingerprint” vs. “confidential fingerprint”. So true classification stands alone as the only solution to complex classification needs, like the categories used in regulatory compliance like CUI.
Contact us today to find out more about protecting your sensitive data using a classification tool that really does classify your data how you need it to.
Today, businesses everywhere are investing in infrastructure to support growth – whether that’s moving to the cloud or automating tasks and processes. However, the newly introduced devices, application stacks and accounts that come with this modernization all present additional opportunities for attacker exploitation. For any organization – big or small – identifying and addressing security risks across this expanding attack surface can be a formidable challenge.
Privileged access management (PAM) programs that secure pathways to critical business information are foundational to an effective corporate cybersecurity program. Why? Attackers view privileged accounts as one of the best ways to gain a foothold within an organization’s infrastructure. In fact, the vast majority of cyber attacks involve compromised privileged credentials and PAM solutions provide a critical layer of defense.
But, while securing privileged access consistently tops the lists of projects that can reduce risk and improve operational efficiency, some misconceptions surrounding PAM persist. Today, we’re going to bust five of the most prevalent PAM myths.
Myth #1: Because privileged access exists everywhere, it is impossible to secure.
While the scope of privileged access can be intimidating based on the complexity of your environment, dedicated PAM solutions and related policies can actually shrink the attack surface by shutting down pathways to critical resources.
Leading PAM solutions can automatically map privileged credentials across cloud and hybrid environments, saving security teams significant time and effort. And for those unsure of where privileged accounts exist, there are free tools like CyberArk Discovery & Audit to help organizations gain visibility into their privileged account landscape.
Additionally, modern PAM tools also incorporate automatic rotation of SSH keys and other privileged credentials at regular intervals to eliminate the time-consuming and error-prone manual tasks required for regulatory compliance. Meanwhile, automatic session monitoring capabilities systematically record all privileged account sessions and identify which users are operating privileged accounts.
Finally, the best PAM tools also provide detailed session monitoring recordings that can be sorted into searchable metadata for compliance and incident response teams and leverage user behavior analytics to automatically detect and suspend risky privileged sessions.
The impossible just became achievable. Between account mapping, automatic credential rotation and detailed session monitoring, privileged access can be uncovered, managed and secured.
Myth #2: Privileged access management tools are challenging for administrators to manage.
That may have been true in the past, but today’s PAM solutions greatly ease and simplify administrator workloads. Collecting all privileged accounts in a centralized vault eliminates the need to manually search for and manage privileged credentials. In increasingly dynamic network environments, centrally locating the necessary tools to appropriately manage users’ privileged access can improve the efficiency and efficacy of IT projects. Automation tools also enable administrators to eliminate time-intensive tasks in favor of more strategic initiatives.
Especially as organizations move to the cloud, PAM tools can be particularly useful to address emerging risks of cloud migration. When adopting a hybrid or public cloud infrastructure, even slight misconfigurations can create new vulnerabilities. Having holistic tools in place to discover risks associated with privileged access can improve an organization’s security posture.
Myth #3: Identity and Access Management (IAM) solutions are sufficient to protect privileged access.
It’s true that IAM tools and Multi-Factor Authentication (MFA) methods are strategic investments – but they do not replace the value of a PAM solution. PAM solutions can independently protect privileged accounts with human and non-human identities like application accounts used in robotic process automation (RPA) or DevOps – something IAM solutions simply aren’t designed to do.
Focused on risk reduction, PAM tools can also protect privileged business users from sophisticated social engineering attacks capable of bypassing MFA. Most importantly, IAM tools require a direct connection to user databases like Active Directory (AD). These connections are often hosted on-premises. If any on-premises server is compromised, attackers can gain control over AD to carry out Kerberos attacks, such as Golden Ticket, and remain undetected in a company’s network. PAM can provide a vital security layer for the servers hosting IAM’s direct connection to user databases like AD.
To create a strong enterprise security fabric, IAM systems and PAM solutions should be deployed as collaborative tools.
Myth #4: Privileged Access Management solutions interfere with operational efficiency.
The truth is that the daily tasks of most workers don’t require elevated privileges – and therefore PAM solutions won’t impact them at all. For those who do require elevated privileges, leading PAM tools offer a variety of user-friendly formats, including RDP, SSH and web-native access, to provide credential vaulting and session management in the background of their daily workflows. Native and transparent access provides organizations with comprehensive privileged session recordings while minimizing disruption for end users.
In fact, using PAM tools to automate time-consuming tasks for IT and security employees can improve productivity by freeing up time for higher-value projects. Audit teams can achieve the same benefits by automating compliance tasks — especially in highly regulated industries like healthcare and banking. Manually sorting through all sessions that involve privileged credentials to find high-risk activity can be extremely time consuming. PAM solutions can automate these tasks and identify risky behavior for audit teams, freeing them up to spend their time on other critical tasks.
Modern PAM solutions can actually be a boon to operational efficiency – not an impairment.
Myth #5: It’s Difficult to Calculate ROI for Privileged Access Management solutions.
The average cost of a data breach in 2019 came in at nearly $4 million dollars. Notably, this figure does not include the additional costs of lost business from reputation damage and theft of intellectual property. Privileged access is a focal point for organizations to demonstrate where security solutions can have a high impact.
In any security program, cost-efficiency is key. Organizations must take a risk-based approach, applying finite resources where they can achieve quick wins and long-lasting impact. And it’s in this area where PAM solutions can really shine. PAM is a high-leverage point where modest investments can achieve outsized ROI and risk reduction.
After deploying a PAM solution, organizations can scan their systems to see the decrease in the number of unsecured and unprotected systems. Since any unmanaged privileged account is a potential attack vector, each privileged account that has been discovered, secured and protected by a PAM solution is a direct reduction in the exposed attack surface and proof of ROI.
Effective security starts with protecting an organization’s most valuable information, and as a common target in most cyber attacks, unmanaged and unprotected privileged access represents a significant threat. By locking down privileged credentials, organizations deprive attackers of their preferred routes to critical data and assets. Simultaneously, session monitoring and threat detection capabilities can help teams detect and investigate misuse of privileged credentials — improving an organization’s response time to in-progress attacks.
Furthermore, many PAM solutions can integrate with other enterprise software solutions – from IoT device gateways, DevOps tools and network devices to vulnerability management systems – enhancing their value and streamlining security operations on the whole.
Want to learn more? Check out CyberArk’s approach to Privileged Access Management or visit our resource center to find out more about the efficiency and security benefits of PAM.
Sophos Mobile 9.5 is now available in Sophos Central, bringing a host of exciting improvements. Key enhancements include:
Sophos Intercept X for Mobile
Leveraging deep learning anti-malware technology, Intercept X for Mobile protects users, their devices, and corporate data from known and never-before-seen mobile threats.
Device, network and application protection will be delivered in a completely redesigned interface, which enables easy management and identification of any security holes on users’ devices.
Device Security continuously monitors for potential compromise and sends alerts so IT admins can rapidly and automatically remediate issues and revoke access to corporate resources.
Network Security monitors network connections for suspicious activity in real time, warning IT admins and users of potential Man-in-the-Middle (MitM) attacks. Web filtering and URL checking also stop access to known bad sites, protecting users from unsuitable content, and SMS phishing detection spots malicious URLs.
Application Security detects malicious and suspicious applications installed on devices, protecting against malware, ransomware and potentially unwanted apps like Fleeceware.
Intercept X for Mobile can be deployed via Sophos Mobile or 3rd party UEM Products, e.g. Microsoft Intune, allowing administrators to build conditional access policies, restricting access to applications, data and corporate resources when threats are detected.
Chromebook security – education-focused security
With this release we add a great new feature, Chromebook security!
This is ideal when working with schools, as we all know kids are pretty smart when it comes to technology these days and will find ways around security. Let’s help school admins with that task.
- Web protection that’s ideal for education
- On & off-campus web filtering
- Enrolment via Sophos Mobile or G Suite
Sophos Mobile 9.5 updates
Our secure UEM solution in Central lets customers manage, secure and configure mobile and traditional endpoint devices, apps and content. The latest update, Sophos Mobile 9.5, includes device management enhancements:
- Improved task bundle wizard
- Android Enterprise QR code enrollment
- Support for Samsung OEM config
- Enhanced security reporting
How to get Sophos Mobile 9.5
If you’re a current Sophos Central Mobile customer you won’t need to do anything; you’ll automatically get the upgrade. On-premises customers will need to manually upgrade to 9.5.
And, if you’ve never tried Sophos mobile before, download Intercept X for Mobile for free – on Android or iOS – and test our industry leading mobile protection for yourself!
Don’t take our word for it; have a look at the independent tests. We’ve been named a leader in the IDC report and, on top of that, we aced the Miercom and AV-TEST evaluations.
The intuitive management console for all your security solutions.
Sophos Central is an award-winning security platform that lets you manage all your products from a single, intuitive interface.
From next-gen endpoint and encryption to mobile and web security, we have you covered. By moving to Sophos Central you’ll enjoy:
- Easier IT management: Control everything through a single, web-based console.
- Superior protection: Get market-leading products engineered to work together.
- Better security ROI: Save time and money by consolidating into a single platform.
Try it for free and see how Sophos Central can help you manage your IT security from a single interface and benefit from the revolutionary Synchronized Security technology. Learn more here.
This course provides an in-depth study of Sophos Central, designed for experienced technical professionals who will be planning, installing, configuring and supporting deployments in production environments. It consists of presentations and practical lab exercises to reinforce the taught content, and electronic copies of the supporting documents for the course will be provided to each trainee through the online portal. The course is expected to take 3 days to complete, of which approximately 9 hours will be spent on the practical exercises.
Requirement
Prior to attending this course, trainees should:
- Have completed the Sophos Central Endpoint and Server Protection course and passed the Certified Engineer exam
- Have experience with Windows networking and the ability to troubleshoot issues
- Have a good understanding of IT security
- Have experience using the Linux command line for common tasks
- Have experience configuring Active Directory Group Policies
- Have experience creating and managing virtual servers or desktops
Target audience:
This course is designed for technical professionals who will be planning, installing, configuring and supporting deployments in production environments, and for individuals wishing to obtain the Sophos Central Certified Architect certification.
Objectives:
On completion of this course, trainees will be able to:
- Design an installation considering all variables
- Undertake a multi-site installation appropriate for a customer environment
- Explain the function of core components, how they work, and how to configure them
- Track the source of infections and cleanup infected devices
- Perform preliminary troubleshooting and basic support of customer environments
Certification:
To become a Sophos Certified Architect, trainees must take and pass an online assessment. The assessment tests their knowledge of both the presented and practical content. The pass mark for the assessment is 80%, and is limited to 3 attempts.
Duration: 3 days
Content
- Module 1: Deployment Scenarios (60 mins)
- Module 2: Client Deployment Methods (65 mins)
- Module 3: Endpoint Protection Policies (80 mins)
- Module 4: Server Protection Policies (30 mins)
- Module 5: Protecting Virtual Servers (60 mins)
- Module 6: Logging and Reporting (45 mins)
- Module 7: Managing Infections (45 mins)
- Module 8: Endpoint Detection and Response (30 mins)
- Module 9: Management (65 mins)
Course content
Module 1: Deployment Scenarios (60 mins)
- Identify some of the common challenges when deploying Central
- Deploy Update Caches
- Set up Message Relays
- Configure AD Sync Utility
- Identify where Update Caches and Message Relays should be used
- Labs (45 mins)
- Register and activate a Sophos Central evaluation
- Install Server Protection
- Install and Configure AD Sync Utility
- Deploy an Update Cache and Message Relay
Module 2: Client Deployment Methods (65-75 mins)
- Identify the recommended steps for deploying Sophos Central
- Explain the installation process, and identify the different types of installer
- Automate deployment for Windows, Linux and Mac computers
- Migrate endpoints from Enterprise Console
- Locate installation log files
- Remove third-party products as part of a deployment
- Labs (75-90 mins)
- Enable Server Lockdown
- Deploy using Active Directory Group Policy
- Use the Competitor Removal Tool
- Deploy to a Linux Server using a Script
Module 3: Endpoint Protection Policies (80-90 mins)
- Describe the function and operation of each of the components that make up Endpoint Protection and Intercept X
- Configure policies to meet a customer’s requirements and follow best practice
- Test and validate Endpoint Protection
- Configure exclusions
- Configure Data Loss Prevention
- Labs (100-120 mins)
- Test Threat Protection Policies
- Configure and Test Exclusions
- Configure Web Control Policies
- Configure Application Control Policies
- Data Control Policies
- Configure and test Tamper Protection
Module 4: Server Protection Policies (30 mins)
- Configure Server Protection Policies
- Configure and Manage Server Lockdown
- Labs (65-75 mins)
- Configure Server Groups and Policies
- Manage Server Lockdown
- Test Linux Server Protection
Module 5: Protecting Virtual Servers (60 mins)
- Connect AWS and Azure accounts to Sophos Central
- Deploy Server Protection to AWS and Azure
- Deploy and Manage Sophos for Virtual Environments
- Labs (60 mins)
- Download the installer for the Security Virtual Machine
- Install the Security Virtual Machine (SVM) on a Hyper-V Server
- Configure Threat Protection policies to apply to the Security VMs and the Guest VMs they protect
- Perform a manual installation of the Guest VM Agent and view logs
- Test and configure a script to deploy the GVM Agent
- Manage Guest VMs from the Central Console
- Test Guest VM Migration
Module 6: Logging and Reporting (45 mins)
- Explain the types of alert in Sophos Central, and be able to read an RCA
- Use the Sophos Central logs and reports to check the health of your estate
- Export data from Sophos Central into a SIEM application
- Locate client log files on Windows, Mac OS X and Linux
- Labs (55-60 mins)
- Generate and analyze an RCA
- Configure SIEM with Splunk
Module 7: Managing Infections (45-60 mins)
- Identify the types of detection and their properties
- Explain how computers might become infected
- Identify and use the tools available to clean up malware
- Explain how the quarantine works and manage quarantined items
- Clean up malware on a Linux Server
- Labs (40 mins)
- Source of Infection Tool
- Release a File from SafeStore
- Disinfect a Linux Server
Module 8: Endpoint Detection and Response (30 mins)
- Explain what EDR is and how it works
- Demonstrate how to use threat cases and run threat searches
- Explain how to use endpoint isolation for admin initiated and automatic isolation
- Demonstrate how to create a forensic snapshot and interrogate the database
- Labs (30 mins)
- Create a forensic snapshot and interrogate the database
- Run a threat search and generate a threat case
Module 9: Management (65 mins)
- Use the Controlled Updates policies appropriately
- Enable multi-factor authentication
- Use the Enterprise Dashboard to manage multiple sub-estates
- Identify the benefits of the Partner Dashboard
- Identify common licensing requirements
- Labs (25 mins)
- Enable Manually Controlled Updates
- Enable Multi-Factor Authentication
Agenda
Trainer: Michael Eleftheroglou
Day 1 Tuesday 11 February 2020
9:30-10:30 Deployment Scenarios
10:30-10:45 Break
10:45-11:30 Labs
11:30-11:45 Break
11:45-13:00 Client Deployment Methods I
13:00-14:00 Lunch Break
14:00-15:30 Labs
15:30-15:45 Break
15:45-17:15 Endpoint Protection Policies
Day 2 Wednesday 12 February 2020
9:30-11:15 Labs
11:15-11:30 Break
11:30-12:00 Server Protection Policies
12:00-12:15 Break
12:15-13:30 Labs
13:30-14:30 Lunch Break
14:30-15:30 Protecting Virtual servers
15:30-15:45 Break
15:45-16:45 Labs
16:45-17:30 Logging and Reporting
Day 3 Thursday 13 February 2020
9:30-10:30 Labs
10:30-10:45 Break
10:45-11:30 Managing Infections
11:30-12:00 Labs
12:00-12:10 Break
12:10-12:40 Endpoint Detection and Response
12:40-13:45 Management
13:45-14:45 Lunch Break
14:45-17:15 Labs and Exams
To better understand the realities of network security today, Sophos commissioned leading research specialist Vanson Bourne to conduct an independent survey of 3,100 IT managers spanning 12 countries and six continents.
The results shed new light onto the practical reality of today’s network security and the challenges IT teams face. It also reveals the Achilles heel of next-gen firewalls: the struggle to balance performance, privacy and protection.
Expect to find a threat on your network
The first takeaway from the survey is that organizations should expect to be hit by a cyberthreat. Over two-thirds (68%) of respondents fell victim to a cyberattack in the last year.
This propensity to fall victim to a threat is not the result of a lack of protection: 91% of affected organizations were running up-to-date cybersecurity protection at the time of the attack. However, good intentions and good practices are clearly not enough: there are still holes in organizations’ defenses that are enabling threats to get through.
Firewall enhancement wish list
Better threat visibility topped the list of improvements that IT managers want from their firewall, with 36% including it in their top three desired enhancements.
The fact that visibility outranked a desire for better protection illustrates just how significant an issue lack of insight is for IT teams.
However, firewall security isn’t the only area in need of improvement: three in ten of the IT managers also wanted better performance.
Overall, a clear picture emerged: it’s no longer a question of one or the other, rather, today’s IT teams require both performance and protection from their firewalls.
The understated risk: encrypted traffic
Encryption keeps network traffic private, but it doesn’t mean the contents can be trusted. In fact, encrypted traffic is a huge security risk because it renders firewalls blind to what is flowing through the network and prevents them from identifying and blocking malicious content.
Hackers are actively exploiting encryption to enable their attacks to enter undetected. SophosLabs research has revealed that 32% of malware uses encryption.
The level of encrypted network traffic is rising rapidly. Data from the Google Transparency Report indicates that over 80% of web sessions are now encrypted across all platforms, up from 60% just two years ago. However, the IT managers surveyed believed that on average only 52% of their network traffic is encrypted.
The discrepancy between perceived and actual levels of encryption together with the widespread use of encryption in cyberattacks suggests that encrypted traffic is an underestimated security risk.
The Achilles heel of network security
While 82% of survey respondents agreed that TLS inspection is necessary, only 3.5% of organizations are decrypting their traffic to properly inspect it.
There are a number of reasons behind this: concerns about firewall performance; a lack of proper policy controls; poor user experience; and complexity.
The reality is that most organizations need to carefully balance performance, privacy and security. However, they lack the tools needed to do so effectively and efficiently. As a result, they are choosing to allow encrypted traffic to pass unchecked and putting themselves at risk from hidden network threats.
This inability to balance performance, privacy and protection is the Achilles heel, the hidden weakness, of many next-gen firewall and UTM solutions.
Sophos XG Firewall: Designed for the modern encrypted internet
The Xstream Architecture in XG Firewall v18 offers a ground-up solution to eliminating the network traffic blind spot without impacting performance.
It delivers:
- High performance, a lightweight streaming engine with high connection capacity
- Unmatched visibility into your encrypted traffic flows and any errors
- Top security that supports TLS 1.3 and all modern cipher suites with robust certificate validation
- Inspection of all traffic, being application and port agnostic
- A great user experience with extensive interoperability to avoid breaking the internet
- Powerful policy tools that offer the perfect balance of performance, privacy and protection
The new Xstream SSL Inspection engine will be available to all XG Firewall customers at no extra charge. Try it now as part of the early access program.
To learn more about Sophos XG Firewall and see it in action, visit the web page or start an instant online demo.
Download a PDF copy of the report to get the full survey results.
Nearly every organization today relies on a variety of remote third party vendors to access, maintain and support critical internal systems and resources. These vendors have come to play a critical role in maintaining modern organizations’ complex and distributed enterprise infrastructures.
Given that third party vendor access has been at the heart of recent breaches, CyberArk recently conducted a survey of IT and security decision makers to learn more about common approaches to managing and securing access to critical internal resources. Here are some of the most eye-opening findings:
Third Party Privileged Access is Everywhere.
It’s probably not a shock to most people that 90% of respondents said that they allow third party vendors to access critical internal resources. What was slightly shocking was that more than a quarter (26%) said that they use over 100 third party vendors! That’s a lot of accounts to account for, manage and secure.
For many organizations, securing third party vendor access is incredibly complex – often requiring a cobbled together solution of products like multi-factor authentication, VPN support, corporate shipped laptops, directory services, agents and more. This has not only led to confusion and overload for security practitioners, but also creates difficult and often insecure routes for third parties to access the systems they need to do their jobs.
Which leads to our next finding…
Third Party Access is a Top 10 Organizational Risk.
Nearly three-quarters (72%) of organizations view third party access as one of their top 10 organization-wide security risks, alongside others like cloud abuse, phishing and insider threats. Third party access is quickly rising in the ranks to become a top priority for organizations and for good reason. These attacks and resulting data breaches can be incredibly costly for organizations, both in terms of reputation and financial losses.
Despite this, the same organizations overwhelmingly aren’t satisfied with how they currently approach managing and securing access for these remote vendors. A whopping 89% of respondents felt that they could do better or were completely dissatisfied with their efforts to secure third party vendor access.
Provisioning and Visibility Are an Acute Challenge.
So, if third party access is a top 10 risk, why are so many failing to secure it? We found that 50% of organizations state that provisioning and deprovisioning access was their biggest challenge, while 47% highlighted lack of visibility.
Provisioning and deprovisioning access can feel a lot like Goldilocks and the Three Bears. You can’t allow too much access (where vendors have access to things they don’t need or for longer than they’re needed) or too little (where vendors are forced to create unsafe backdoor routes to critical resources). It has to be just right.
However, currently, legacy solutions dominate. For instance, while 86% of organizations rely on VPNs to secure third party access, they were not designed to manage dynamic privileged access requirements like role-based access protection and session recording. On the visibility front, companies aren’t always aware of what third party vendors are doing once they authenticate – and that is a serious problem. A best practice – one often required for audit and compliance – is to record, log and monitor privileged activities.
As organizations depend more and more on third parties to get the work done, the difficulties they face when it comes to security are getting harder and harder to ignore.
Without a dedicated solution specifically for managing third party privileged access, organizations have been forced to use miscast solutions like VPNs. To remedy this problem, we introduced CyberArk Alero, a truly modern, innovative solution.
CyberArk Alero combines Zero Trust access, biometric multi-factor authentication and just-in-time provisioning into one Software-as-a-Service (SaaS)-based solution. Alero ensures that remote vendors only access what they need by integrating with CyberArk Core Privileged Access Security for full audit, recording and remediation capabilities.
Alero is designed to provide fast, easy and secure privileged access for remote vendors who need access to critical internal systems. By not requiring VPNs, agents or passwords Alero removes operational overhead for administrators and improves security.
To learn more about the challenges of securing third party access, read our eBook “Third Party Privileged Access to Critical Systems.” You can also request a demo to find out more about CyberArk Alero.
Intercept X is one of the world’s best endpoint protections, and our third-party test scores and analyst reports help prove that claim. But to be the best, you must go beyond just protecting Windows machines.
Our goal is to protect your users regardless of which type of endpoint they are using. This includes desktops, laptops, servers, mobile devices and Mac endpoints.
We are proud to announce that Intercept X was the only Mac endpoint protection that achieved a perfect score in every test conducted by AV-Test in 2019. That means we scored six out of six for protection, performance and usability, every time.
The perfect scores for Intercept X meant that we were awarded the badge of “Approved” corporate endpoint protection for MacOS.
You can review the test score details at AV-Test.
Business users can learn more about Intercept X and start a free trial today.
Home users can start a free trial of Sophos Home Premium.
While many companies spend a lot of energy protecting their business from external threats, security events initiated by insiders can be just as costly. Malicious insiders not only have intimate knowledge of corporate systems and infrastructure, but they also have something far more powerful: legitimate privileged access.
The challenge of insider threats is pervasive, and recent events indicate it shows no signs of slowing down. Whether in watershed examples like Terry Childs, a former network administrator who essentially locked the city of San Francisco out of its own network, or in cases involving IP theft or fraud, privileged access abuse takes one of two forms. The first is when employees are granted more access than necessary to do their jobs. The second arises when someone with valid access uses privileged accounts to purposefully go against policy and abuse their power.
Regardless of the situation, the insider threat is ultimately a human challenge. Humans are unpredictable and it’s hard to foresee motivation. We want to trust the employees we hire – especially the ones who are given access to our most sensitive information. One key for companies is to understand who has privileged access, and consistently enforce the principle of least privilege – where employees are granted appropriate access to perform their jobs…no more, no less.
In addition, technology can help identify anomalous behavior and send an alert when systems or information are being accessed outside of policy. This adds yet another critical security layer that helps organizations better detect patterns and behaviors that may signal privileged access abuse.
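The two ideas above, and the "just right" provisioning window from the third party access findings earlier on this page, reduce to a small amount of logic: every privileged grant names one principal, one resource and an expiry; "who has privileged access?" is answered by listing the grants that are live right now; and any access that does not match a live grant is an out-of-policy event worth an alert. The following is an added example written for this page, not CyberArk's code or product behaviour; the principal and resource names, the 8-hour policy ceiling and the access events are constructed assumptions.

```python
"""Time-bounded, scoped privileged access with audit against the grant store.
Added example for this page; the names, TTL ceiling and events are made up."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Grant:
    principal: str        # e.g. "vendor:acme-hvac" (assumed naming scheme)
    resource: str         # e.g. "host:bms-controller-01"
    granted_at: datetime
    expires_at: datetime  # the grant deprovisions itself when this passes
    reason: str           # ticket or change reference, for the audit trail


@dataclass
class AccessBroker:
    """Single source of truth for who may reach what, and until when."""
    grants: List[Grant] = field(default_factory=list)
    max_ttl: timedelta = timedelta(hours=8)   # policy ceiling; an assumption

    def grant(self, principal: str, resource: str, now: datetime,
              ttl: timedelta, reason: str) -> Grant:
        # Refuse "too much": no open-ended or over-long grants.
        if ttl <= timedelta(0) or ttl > self.max_ttl:
            raise ValueError(f"ttl must be within (0, {self.max_ttl}]")
        g = Grant(principal, resource, now, now + ttl, reason)
        self.grants.append(g)
        return g

    def revoke(self, principal: str, resource: Optional[str] = None) -> int:
        """Deprovision immediately; returns the number of grants removed."""
        before = len(self.grants)
        self.grants = [g for g in self.grants
                       if not (g.principal == principal
                               and (resource is None or g.resource == resource))]
        return before - len(self.grants)

    def active(self, now: datetime) -> List[Grant]:
        """Answer 'who has privileged access right now?'"""
        return [g for g in self.grants if g.granted_at <= now < g.expires_at]

    def authorize(self, principal: str, resource: str, now: datetime) -> bool:
        # Least privilege: the exact resource must be named in a live grant.
        return any(g.principal == principal and g.resource == resource
                   for g in self.active(now))


@dataclass
class AccessEvent:
    when: datetime
    principal: str
    resource: str


def audit(broker: AccessBroker, events: List[AccessEvent]) -> List[str]:
    """Replay access logs against the grant store; each string is one alert."""
    return [f"{ev.when.isoformat()} {ev.principal} reached {ev.resource} with no active grant"
            for ev in events
            if not broker.authorize(ev.principal, ev.resource, ev.when)]


def demo() -> Dict[str, object]:
    """Constructed scenario: one vendor grant, one DBA grant, four accesses."""
    t0 = datetime(2019, 12, 2, 9, 0, tzinfo=timezone.utc)
    b = AccessBroker()
    b.grant("vendor:acme-hvac", "host:bms-controller-01", t0, timedelta(hours=2), "ticket 4711")
    b.grant("user:dba-jsmith", "db:payroll-prod", t0, timedelta(hours=1), "change CHG-88")
    events = [
        AccessEvent(t0 + timedelta(minutes=30), "vendor:acme-hvac", "host:bms-controller-01"),  # inside window
        AccessEvent(t0 + timedelta(hours=3), "vendor:acme-hvac", "host:bms-controller-01"),     # grant expired
        AccessEvent(t0 + timedelta(minutes=10), "vendor:acme-hvac", "db:payroll-prod"),         # wrong resource
        AccessEvent(t0 + timedelta(minutes=45), "user:dba-jsmith", "db:payroll-prod"),           # inside window
    ]
    alerts = audit(b, events)
    active_principals = sorted(g.principal for g in b.active(t0 + timedelta(minutes=90)))
    try:
        b.grant("user:dba-jsmith", "db:payroll-prod", t0, timedelta(days=1), "too long")
        rejected = False
    except ValueError:
        rejected = True
    removed = b.revoke("vendor:acme-hvac")
    return {
        "alerts": alerts,
        "active_after_90min": active_principals,   # only the 2-hour vendor grant
        "over_ttl_rejected": rejected,
        "revoked": removed,
        "vendor_after_revoke": b.authorize("vendor:acme-hvac", "host:bms-controller-01",
                                           t0 + timedelta(minutes=5)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Because expiry is enforced at authorization time rather than by a cleanup job, a grant that nobody remembered to revoke still stops working on schedule, which is the failure the "for longer than they're needed" case describes. Replaying the access log through `audit` is the visibility half: it turns "we don't know what vendors do after they authenticate" into a list of specific out-of-policy events.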
While insider threat stories are certainly cautionary tales on unfettered privileged access for employees – the truth is that once an attacker is in a network it doesn’t matter if they are an attacker thousands of miles away or an employee three feet away – the risks are the same.
To be in the best position to mitigate these threats, organizations need to re-evaluate how they are securing and managing privileged access – not just to protect from the external attacker exploiting weaknesses, but also the malicious insider who might be working right under their noses.
It may have been around for 30 years, but ransomware continues to evolve and bring organizations to their knees. Make sure you’re ready for it.
Thirty years on from the world’s first attack, ransomware is stronger than ever. Cybercriminals continue to evolve their tactics and techniques, taking advantage of changes in technology and society to refine their approach.
The result: highly advanced, highly complex threats that can bring organizations to their knees. When you add together the full costs of remediation, including downtime, people time, device cost, network cost, lost opportunities and ransom paid, the final sums per victim are eye-watering.
What’s next for ransomware?
The one thing we can be sure of is that ransomware is going to keep evolving. Here are three new areas where the tentacles of ransomware are starting to reach.
Public cloud ransomware targets and encrypts data stored in public cloud services like Amazon Web Services (AWS), Microsoft Azure (Azure) and Google Cloud Platform (GCP).
While the public cloud offers lots of advantages, confusion about security responsibilities creates gaps in protection that hackers are quick to exploit.
In addition, weak configuration and open public access to cloud resources (be that storage buckets, databases, user accounts, etc.) make it easier for criminals to breach data storage.
Service provider attacks. As technology and threats become ever more complex, companies are increasingly outsourcing their IT to specialist managed service providers (MSPs).
Cybercriminals have realized that targeting MSPs enables them to hold multiple organizations hostage with a single attack. One attack, many ransoms.
MSPs offer a level of security expertise that is hard to match in many organizations. If you use an MSP, make security one of your selection criteria. A good MSP will be happy to share how it secures both its own and its customers’ organizations.
Encryption-free attacks. The ability to encrypt files was one of the original core capabilities needed to make ransomware a viable cybercrime.
Today cybercriminals no longer need to encrypt your files to hold you hostage. Why? Because they believe you’ll pay up just to stop your data going public.
How to defend against ransomware
Adopt a three-pronged approach to minimize your risk of falling victim to an attack.
1. Threat protection that disrupts the whole attack chain.
As we saw recently with Ryuk, today’s ransomware attacks use multiple techniques and tactics, so focusing your defense on a single technology leaves you very vulnerable.
Instead, deploy a range of technologies to disrupt as many stages in the attack as possible. And integrate the public cloud into your security strategy.
2. Strong security practices.
These include:
- Use multi-factor authentication (MFA)
- Use complex passwords, managed through a password manager
- Limit access rights; give user accounts and admins only the access rights they need
- Make regular backups, and keep them offsite and offline where attackers can’t find them
- Patch early, patch often; ransomware like WannaCry relied on unpatched vulnerabilities to spread
- Lock down your RDP; turn it off if you don’t need it, use rate limiting, 2FA or a VPN if you do
- Ensure tamper protection is enabled – Ryuk and other ransomware strains attempt to disable your endpoint protection, and tamper protection is designed to prevent this from happening
3. Ongoing staff education.
People are invariably the weakest link in cybersecurity, and cybercriminals are experts at exploiting normal human behaviors for nefarious gain. Invest – and keep investing – in staff training.
Learn more
Read our new paper Ransomware: The Cyberthreat that Just Won’t Die for a deeper dive into what’s behind ransomware’s longevity, where it’s going, and how best to defend against it.
How Sophos can help
Sophos offers a range of products and services to help you protect against ransomware:
- Sophos Managed Threat Response (MTR). Many organizations don’t have the expertise, resources, or desire to monitor their network 24/7. The Sophos MTR service is a dedicated, round-the-clock team of threat hunters and response experts who constantly scan for and act on suspicious activity.
- Sophos Intercept X includes advanced protection technologies that stop ransomware on your endpoints and servers at multiple stages of the attack chain, including AI-powered threat protection, exploit protection, credential theft protection, deep learning and CryptoGuard.
- Sophos XG Firewall is packed with advanced protection to detect and block ransomware attacks, and stop hackers moving laterally around your network to escalate privileges.
- Cloud Optix continuously analyzes public cloud resources to detect, respond and prevent gaps in security across AWS, Azure and GCP public cloud environments that can be exploited in a ransomware attack.
- Synchronized Security. Intercept X and XG Firewall are great on their own, but even better together. If anything triggers a detection, XG Firewall and Intercept X work together to automatically isolate the affected devices – preventing the threat from spreading further.
For the third year in a row Sophos has been recognized as a winner in the CRN Tech Innovators Awards.
In November, CRN, a brand of The Channel Company, named Sophos as the best endpoint security solution, again. This is the third year in a row Sophos has been recognized as a winner for Endpoint Security in the CRN Tech Innovators Awards.
Intercept X Advanced with EDR was chosen from a diverse field of products. It rose above the others thanks to its technological advancements, unique features, and its proven track record of helping customers and partners solve IT and security challenges.
Bob Skelley, CEO of The Channel Company, said of the awards: “CRN’s Tech Innovator Awards honor technology vendors who work tirelessly to craft ground-breaking solutions for end users, matching the speed of the channel’s evolution. The winners in this year’s award categories deserve congratulations for their success in driving IT innovation forward for solution providers and their customers”.
Receiving praise from trusted third parties is nothing new for Intercept X. Recently, it has been ranked #1 by MRG Effitas, SE Labs, AV Comparatives, and NSS Labs. Sophos was named a “Leader” by both Forrester and Gartner for endpoint protection, and Intercept X was named “Editor’s Choice” for best ransomware protection by PC Magazine.
You can read about Intercept X and The Tech Innovator Awards in the December issue of CRN.
As the world rolls into another Cyber Monday, and online shoppers continue their hunt for the best deals, SophosLabs wants to remind you that there’s a metaphorical malware elephant in the room that would like nothing more than to steal financial information, and the use of your computer, for nefarious ends.
The Emotet Ecosystem infographic, produced by experts within SophosLabs, describes the infection process and subsequent behavior commonly displayed by samples in the Emotet malware family. Emotet is routinely among the most problematic and widely distributed malware families that Sophos researchers encounter daily. If there were such a thing as a Most Wanted list for malware, Emotet would surely top the list.
Emotet serves a purpose both as a standalone malware capable of causing significant harm on its own, and as a distribution network for other malware families, whose operators appear to engage with Emotet’s software distribution capabilities as a matter of routine. Part of the payload package may, in fact, be components that assist Emotet in finding and infecting other victims. In this way, Emotet plays a uniquely central role in a wide variety of malware infection scenarios, just a few of which are illustrated here.
You may download a full-resolution version of the infographic either as a PDF or as a .PNG image.
Most Emotet infections begin with a malicious spam email that prompts the recipient to open a malicious Microsoft Office document. The document may be attached to the message, or the message may contain a link to download the document from a website. When someone opens one of these documents, it retrieves the Emotet malware executable and launches it (usually from the %temp% folder) on the victim’s computer.
After establishing persistence (the ability to start itself after a reboot), the malware sends profile information to its operator(s) about the victim and their computer. Knowing about the victim, their computer, and the network on which it is running helps the criminals decide what payloads to deliver. Emotet routinely delivers samples of one or more families of credential-stealing Trojan malware, such as Trickbot, Dridex, Ursnif, or Azorult.
Depending on what the profile information reveals about the target, and the goals or priorities of the attacker, the attacker may leverage the payloads that Emotet distributed to deliver ransomware or other malware payloads. For example, Emotet may deliver Trickbot to the target machine, and then Trickbot may deliver the Ryuk ransomware to that same machine.
The Emotet ecosystem also includes a variety of payloads the malware uses for a variety of ancillary tasks. These payloads may steal and exfiltrate credentials, laterally spread the malware within the network in which the infected machine is located, scrape the target’s hard drive for email addresses, harvest data from the contents of email messages sent to and from the target, or even use the infected machine to send out new spam campaigns to the newly discovered targets.
Some of these additional payloads include legitimate tools for power users that have been publicly available for some time, such as NirSoft’s Mail PassView or Browser PassView. Several of the payloads appear to be specialized for the task, such as the mail scraper/spam bot components. These components extract message text and subject lines from Outlook, which the spam bot component uses to inject a weaponized Office document file into the middle of an email thread between the victim and one or more potential targets, using the same subject line as the original message thread.
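The first link in the chain described above, an Office document that retrieves the Emotet executable and launches it from the user's temp folder, leaves a distinctive mark in process-creation telemetry: a Word, Excel, PowerPoint or Outlook parent with a child image under `%TEMP%`. The following detection logic is an added example written for this page, not SophosLabs code. It reads Sysmon-style process-creation events exported as JSON lines; the five events, paths and user names are constructed for the example, and the Event ID 1/3 field names follow Sysmon's conventions.

```python
"""Flag Office applications launching executables from the user's temp folder,
the behaviour the Emotet maldoc stage shows. Added example; sample events are
constructed, not real telemetry."""
import json
import re
from typing import Iterable, List, Optional

# Office hosts that open the malicious document. A child they spawn from
# %TEMP% is the "retrieves the executable and launches it" step above.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Per-user temp directory on Windows, i.e. what %TEMP% normally expands to.
TEMP_PATH = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)

# Constructed Sysmon-style events (EventID 1 = process create, 3 = network
# connection). Paths and users are made up for the example.
SAMPLE_EVENTS = r'''
{"EventID": 1, "User": "CORP\\alice", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\458.exe", "CommandLine": "C:\\Users\\alice\\AppData\\Local\\Temp\\458.exe"}
{"EventID": 1, "User": "CORP\\alice", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "C:\\Windows\\splwow64.exe 12288"}
{"EventID": 1, "User": "CORP\\bob", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\setup_tool.exe", "CommandLine": "setup_tool.exe /S"}
{"EventID": 1, "User": "CORP\\carol", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "Image": "C:\\Users\\carol\\AppData\\Local\\Temp\\invoice_8812.exe", "CommandLine": "invoice_8812.exe"}
{"EventID": 3, "User": "CORP\\carol", "Image": "C:\\Users\\carol\\AppData\\Local\\Temp\\invoice_8812.exe", "DestinationIp": "203.0.113.7"}
'''


def _basename(path: str) -> str:
    """Last path component, lower-cased, so casing and install path don't matter."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[str]:
    """Return 'high', 'low' or None for one event.

    Only process-creation events carry a parent; network and other event
    types are ignored here rather than mis-scored for a missing field."""
    if event.get("EventID") != 1:
        return None
    image = event.get("Image", "")
    if not TEMP_PATH.match(image):
        return None
    parent = _basename(event.get("ParentImage", ""))
    if parent in OFFICE_PARENTS:
        # Office -> executable in %TEMP%: the maldoc-drops-Emotet pattern.
        return "high"
    # Anything else running from %TEMP% is common (installers, updaters);
    # keep it visible for triage but don't page anyone for it.
    return "low"


def detect(lines: Iterable[str]) -> List[dict]:
    """Run the rule over JSON-lines telemetry and return one alert per hit."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        severity = classify(event)
        if severity:
            alerts.append({
                "severity": severity,
                "user": event.get("User"),
                "parent": _basename(event.get("ParentImage", "")),
                "image": event["Image"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

On the constructed sample the rule produces two high-severity alerts (the WINWORD and EXCEL children in `Temp`) and one low-severity one for the installer Explorer launched, while the printing helper Word spawned from `C:\Windows` and the network event are left alone. In production you would pivot from a high alert to the same host's later events, since the profile beacon, persistence and follow-on payloads described above all come from that child process or its descendants.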
Such techniques help ensure the Emotet ecosystem continues to grow and flourish, at all of our peril.