
Cyber Security Elements by NSS


10 Feb

Your organization likely spends resources on preventing external breaches and on the measures needed to protect your company’s data. But have you considered whether you’re having coffee with a hacker every morning?

Organizations tend to forget that more than one in four breaches involves internal actors: according to the 2018 Verizon Data Breach Investigations Report, 28% of data breaches involved internal actors.

According to the Verizon report, three of the top five action varieties in breaches are the use of stolen credentials (22%), information acquired through social phishing (17%) and the outright abuse of privileges (11%). Whether the actions of internal actors are intentional or accidental is an interesting question, but either way the insider threat is considerable and the result is the same: data is compromised, putting the company at risk.

Handling data while at the same time protecting privacy is a crucial ingredient for success in today’s business environment. The question is how to acknowledge these facts and minimize internal breaches without increasing distrust or monitoring our employees’ every move.

1 of 3 employees will sell company information if the price is right

A 2015 survey from Clearswift (Research by Loudhouse for Clearswift, 2015) revealed that 35% of employees were willing to sell company data for the right price. Again: one out of three. To put this information into perspective, the US-based Center for Strategic and International Studies estimates the global annual cost of cybercrime to be upwards of $600 billion (CSIS, Economic Impact of Cybercrime: No Slowing Down, 2018, p. 6).

Of course, organizations have legal measures to safeguard that employees act ethically, but business processes are most often based on trust of confidentiality, and consequently, without adequate monitoring, internal breaches frequently go undetected.

Internally aided breaches are often caused by employees with easy access to critical company data, and companies usually don’t have sufficient measures in place to restrict that access. In fact, the Verizon Data Breach Investigations Report assesses that 26% of the internal actors in breaches are system administrators.

So how can you achieve a balance between providing your employees freedom to operate, while still monitoring and detecting suspicious behavior?

Cybersecurity awareness is key

Even though one in four data breaches involves internal actors, many of those are not the result of greed or any other intentional act, but rather of employees’ ignorance of the implications of certain actions. We may all know the famous example of the U.S. Department of Homeland Security, which back in 2011 planted USB sticks with its own logo in the parking lot outside its office. Shockingly, it found that 90% of the USB sticks were picked up by employees and plugged into computers.

This illustrates the fact that internal data breaches are often not a result of greed, but rather ignorance or unawareness of proper cybersecurity best practices.

How can we make employees think twice before picking up a USB drive and checking its content without hesitation, before opening an e-mail and clicking on a phony link, or before revealing logon credentials to someone claiming to call from IT support even though they don’t know the caller? It is important that companies keep an internal focus on current issues, update operational practices, conduct internal training and implement sufficient data handling and protection policies.

UEBA makes rules-based security less critical

By employing a SIEM alongside a UEBA solution and establishing formal operational measures, companies can set up alarms if, for example, blueprints, strategic roadmaps or new product descriptions are accessed or transferred electronically, giving them the ability to identify and address potential vulnerabilities and anomalies within their IT environment.

It is crucial for companies to start acknowledging the importance of internal breaches and establish measures for responding to the challenge. Often it is small errors that lead to increased vulnerability. With LogPoint UEBA, you can detect suspicious behavior not only by users but also by other entities such as cloud, mobile or on-premise applications, endpoints, networks and external threats, out of the box.

By leveraging machine learning and big-data analytics built on LogPoint’s unique single taxonomy, our UEBA solution builds a baseline for every entity in the network and evaluates actions against those baselines. As a result, defining exactly the right rules becomes less critical, saving precious time for your cybersecurity analysts. Our UEBA module will provide unparalleled time-to-value for your business, along with vastly cutting investigation time for your security team.

Needless to say, you didn’t have coffee with a hacker this morning. But you could have had coffee with someone that unintentionally aided external actors to compromise your corporate network.

You can read the original article here.

7 Feb

The primary reason most organisations look at classifying the data they create and handle is to control access to sensitive information, driven by the need to manage security risk and comply with regulations, such as GDPR. However, this scope is too narrow. By focusing solely on these objectives, they’re missing an opportunity to embrace data categorisation and extract greater business value from all of their data assets.

There are two clear schools of thought around the use of data classification: security and data management.

  • Data security: Teams in the security domain consider classification as a means-to-an-end approach that involves security labelling of data according to its sensitivity, to help users and tools identify its value and protect it appropriately.
  • Data management: Data teams view classification as the categorising of information in order to improve its quality and utility. Business categorisation of data is based around establishing its context and the content, and then considering who has access to it, and how it is organised, stored, used and deleted across its lifecycle. This domain is primarily concerned with how data can be used to raise business performance and efficiency, streamline processes and improve data governance practices.

At Boldon James we see these two domains as inextricably linked – and for an organisation to get the full benefit from data classification they need to ensure both worlds are connected. To do this, you need to go back to the classification policy, and design an approach that goes beyond simple security labelling to one that harnesses data categorisation.

We’re seeing a growing trend for data classification customers to ask broader questions around their information. They’re taking a wider perspective of the problem, moving from ‘we have all this data – we need to protect it’, to ‘we have all this data – we want it to work harder for us’.

Organisations must shift to a business-centric approach to classification, tagging all information used within the business according to what it is, rather than simply according to the impact of its loss. This enables the data management and security tools that locate, organise, protect and remove data to make truly informed and coordinated decisions.

This more granular labelling can be driven by labelling the data according to its category. Categorising data is readily understood by end users as it deals in the information types they work with every day, and it’s easy for them to assign information to a category. Once you know the category, you can automatically assign all the other related tags that reflect the data management, compliance, retention and security needs of that category – as well as apply policy rules specific to those extra tags.

For example, a document might be categorised and labelled as Staff Travel Request. The data classification tool will then automatically add all the tags that relate to that category – for instance a data management tag of HR/Staff Management/Travel, a retention tag of One Year, a compliance tag of EU-GDPR and a security tag of Confidential/PII. This approach hides the additional granularity, and wraps all the required information up into one easily understood term.

To make the most of the business-enabling value of data, organisations must embrace a more holistic approach to classification that embraces data categorisation and goes beyond simple security labelling.

You can read the original article here.

4 Feb

The new version of Sophos Home adds features that bring powerful, business-grade cybersecurity straight to your home.

Cybercrime is big business, but it doesn’t just target big businesses. Individuals are just as vulnerable to malware and other threats as hospitals, banks, retailers, and other organizations. With Sophos Home, you get the same strong security trusted by thousands of IT professionals, and it’s incredibly simple and easy-to-use.

Artificial Intelligence

From today, Sophos Home Premium for PC has the same artificial intelligence (AI) technology that many people are already using in our enterprise product, Intercept X. This technology allows Sophos Home Premium for PC to detect and block both known and unknown malware before it executes.

In addition to this, new enhanced real-time protection against application and OS exploits stops cybercriminals from controlling trusted apps, using unpatched vulnerabilities to gain access to a system, and stealing credentials.

All versions have new features

In addition to the features that are new for Sophos Home Premium for PC, above, all versions of Sophos Home have had an update.

  • Scheduled Scan – Users can now set up and administer scheduled file system scans for customized protection.
  • Quarantine – More advanced users can now reconcile true and false positive file detections.
  • UI Enhancements – Updates to the user interface make it easier to manage multiple devices’ security from one web browser, wherever the device is.

Take it for a test drive

Sophos Home Premium makes cybersecurity simple… Get a free trial and try it out for yourself.

You can read the original article here.

30 Jan

Sophos, a global leader in network and endpoint security, today announced that it has acquired endpoint security platform company, DarkBytes. DarkBytes offers a unified platform to deliver security operations center services to organizations of all sizes.

Founded with the mission to deliver enterprise-grade endpoint security through lightweight sensors, asset inventorying, managed threat hunting, and automation technologies, DarkBytes launched their first products in March 2018 and have since been gaining traction in this competitive space. DarkBytes brings to Sophos a highly talented team with rich domain experience in managed detection and response (MDR) and Security Orchestration Automation Response (SOAR).

“Sophos predicts that eventually all IT security products will evolve into adaptive, managed services as more organizations realize that they are unable to scale resources fast enough to respond to today’s threats,” commented Joe Levy, chief technology officer at Sophos. “The strength and architecture of the DarkBytes platform will accelerate Sophos’ plans to introduce global managed security services that will eventually span endpoint, firewall, mobile devices, wireless APs, and more. We welcome the DarkBytes team to Sophos and are excited to introduce these services through our partners over the coming months.”

MDR is a managed cybersecurity service designed to detect and respond to intrusions, malware, and malicious activity that often go undetected, enabling a faster response to eliminate and mitigate those threats. MDR augments security capabilities by providing a continuous monitoring service through a trusted third party, delivered through the combined intelligence of automated response and human expertise.

“The endpoint is the new perimeter of cybersecurity. It’s where the attacks happen and where the data lives,” commented Dennis Griffin, founder and former CEO at DarkBytes. “We built our unified platform to simplify high-end security operations using the combination of endpoint sensors and cloud-delivered analytics as the best way to achieve this. Our vision for using cloud-based, next-gen technology to make enterprise-grade cybersecurity simple to use made Sophos a natural home for the next stage of our development. We look forward to delivering the market’s most comprehensive and flexible endpoint security solutions.”

You can read the original article here.

28 Jan

Protecting sensitive customer data is a huge priority for today’s organizations, which face intensifying regulatory and compliance pressures and unwavering customer expectations. A single data breach can take a tremendous toll on customer loyalty; 70 percent of consumers report they would cease doing business with an organization in the event it experienced one.

Great strides have been made in ensuring data privacy through a diverse (and still growing) set of techniques, from fortifying networks and servers against external cyberattacks, to using artificial intelligence (AI) to identify and redact and/or encrypt sensitive digital data, to implementing strict policies (even at the office printer!) to ensure only authorized employees can print documents containing private information.

However, a truly rigorous and comprehensive approach to customer data privacy cannot exist unless a major source of breaches – privileged insiders – is addressed. A privileged insider is any individual with valid credentials to access internal resources, and who may use this authorized access to negatively impact the integrity of a system or confidentiality of sensitive customer data.

These individuals may not be motivated by malevolence and greed, nor are they necessarily negligent or lacking ethics. The majority are inadvertent actors – those who are blissfully unaware they’re doing anything wrong and don’t understand the potential consequences. Sixty-four percent of enterprises cite careless employees and contractors as the most common cause of insider threats, according to one recent survey.

Regardless of the root cause of an insider threat, the risks to customer data privacy are significant, and the business repercussions can include lost revenues, remediation expenses, damaged brand reputation, service disruption and more. Five best practices for protecting against insider threats include the following:

Monitor insider activity. Some organizations are reluctant to implement monitoring, believing employees will view it as intrusive “big brother” behavior. Clearly this must be handled appropriately, but the benefits of insider monitoring – for both the organization and individual workers – vastly outweigh the drawbacks. According to IBM, an estimated 60 percent of breaches are the result of insiders, and proactive monitoring can be the key to eliminating or reducing these. Organizations should consider education and training that explains clearly to workers how such measures actually benefit them, through greater protection and risk insulation.

Be proactive and constantly analyze. The Ponemon Institute’s latest research shows 191 days – more than six months – as the average length of time it now takes organizations to identify a data breach. In the event of malicious insider involvement, this leaves a substantial window of time to wreak havoc by misusing customer data, before the organization is even aware anything is wrong. It is no longer acceptable to passively monitor network and database activity and block access when something doesn’t look right. Rather, organizations must proactively analyze user behavior and act upon trends they see to stay ahead of potential incidents.

Get granular. One reason breaches are so damaging to customer satisfaction and brand reputation is that, in many cases, more customers are notified than may actually be necessary. When in doubt of exactly whose data was accessed, organizations tend to cast the widest net on all customers that may have possibly been impacted. This is especially true in a post-GDPR world, when organizations are now required to report breaches in 72 hours. Achieving this granularity requires more than simply seeing insiders’ session durations, but rather, understanding exactly how, when and what data was accessed. Perhaps a sensitive database was accessed, but only one section within it, as opposed to the whole thing. In the event an insider breach does happen, such granularity can greatly ease reporting and notification efforts while minimizing unnecessary collateral damage.

Manage credentials. Many organizations fail to manage privileged insider user credentials properly – meaning that if a user’s job function changes and they no longer require access to a sensitive data set, that access is not always terminated. Instead, the user accrues access to increasingly more data as their job function evolves, even though such access may no longer be required. Even worse, Osterman Research recently found that 67 percent of organizations couldn’t be sure whether a former employee is still accessing corporate resources. Mismanaged credentials can create significant exposure risks that become exponentially harder to identify, address and contain once employees walk out the door.

Focus on where the most sensitive data lives. A typical enterprise has many data repositories spread throughout it. Determining which data sources need to be monitored for insider threats is essentially a matter of identifying where the most critical data resides. This is often systems of record like the mainframe. An estimated 80 percent of the world’s corporate data continues to reside or originates on the mainframe, making it a prime target for malicious insiders.

Today’s threats to data privacy are always evolving, but one constant is the human element. Even the most seemingly rigorous data privacy initiative cannot be complete unless it addresses the insider threat. Organizations must be on the offensive, especially since these particular threats, unlike those from the outside, are more preventable.

You can read the original article here.

26 Jan

The US Department of Homeland Security considers Emotet to be one of the most costly and destructive threats to US business right now. Here’s how Sophos deals with it.

Emotet is truly a threat to be reckoned with. In fact, the US Department of Homeland Security considers Emotet to be among the most costly and destructive threats to US business right now. Not that it limits itself to any one country; its reach is global, with infections reported on every continent.

Emotet is a very sophisticated threat that, once in, can quickly infect an entire organization. Like other worms, it spreads without the aid of a user, enabling it to wreak widespread damage.

Once on a computer, Emotet has three main goals:

  • Spread onto as many machines as possible.
  • Send malicious emails to infect other organizations (damaging your sender reputation in the process).
  • Download a malware payload. Traditionally the payloads have mostly been banking Trojans, with Trickbot the most prevalent. Its payload injects code into your browser to automatically debit your bank and PayPal accounts when you next log in.

In many cases Emotet also tries to steal data, turning a malware infection into a data breach. Some Emotet variants skim email addresses and names from email client data and archives, likely so they can be sold as part of a wider list and used to spread more malicious spam. Others inspect your web browser, stealing histories and saved usernames and passwords.

To compound the pain, Emotet can also be a smokescreen for targeted ransomware attacks. While organizations are dealing with Emotet infections, ransomware like BitPaymer takes advantage of the distraction to hold the organization’s data hostage.

What makes Emotet so dangerous?

Emotet earns its reputation as one of the most costly and destructive threats for several reasons.

  • It only needs one computer that’s not fully protected to infect an entire organization. Once it gets in, it quickly spreads laterally across the network.
  • It constantly evolves. The cybercrooks behind this threat work 24/7, publishing multiple new variants and call-home addresses every single day.
  • It keeps re-infecting. Emotet constantly tries to spread, often re-infecting machines that have been cleaned up.

Stop Emotet in its tracks with Sophos

Sophos’ advanced technologies can help protect your organization against Emotet.

Intercept X Advanced with EDR uses the power of advanced machine learning to identify and block Emotet files, even new variants that have never been seen before.

Cross-estate threat search enables you to hunt for hidden threats, while guided investigations show you exactly how the threat got in, which machines have been impacted, and how the threat is spreading so you can take remedial action.

In the example below you can see how Intercept X gives you full visibility of every step in the attack chain. Note: we had to disable multiple layers of protection to allow the attack to get this far – it would normally be blocked much earlier.


Emotet threat case

Sophos XG Firewall’s advanced sandboxing examines the executable files. The HIPS behavioral monitoring detects Emotet, blocking it from entering the organization. XG also blocks all known IP addresses associated with Emotet.

Email protection (both in XG Firewall and Sophos Email) can also scan outbound emails to detect Emotet spam and identify which machines are sending it.

Join forces against Emotet with Synchronized Security

Intercept X and XG Firewall are powerful tools to stop Emotet on their own – and even better together. They share real-time threat information and automatically respond to incidents. When Intercept X detects Emotet running, it notifies XG Firewall which automatically isolates the infected machines, preventing lateral movement. Intercept X then cleans up the infection, telling the firewall once the malware is removed. At this point, XG Firewall restores network access.

Uniquely, by working together, they stop Emotet from moving across your organization. And the best news? All this happens automatically. Zero-touch. In seconds.

You can read more about what Sophos has learned from dealing with Emotet over on our sister site, Naked Security, in our article Fighting Emotet: lessons from the front line. Sophos has also prepared a Knowledge Base article for its customers: Resolving outbreaks of Emotet and TrickBot malware.

24 Jan

CyberArk, the global leader in privileged access security, today issued a new research report, “The CISO View: Protecting Privileged Access in DevOps and Cloud Environments.” Based on the direct experiences of a panel of Global 1000 CISOs, the report provides advice for security teams to help effectively assess risk, drive developer collaboration, and prioritize steps to protect DevOps processes while maintaining developer velocity.

The report is part of The CISO View industry initiative and features contributions from executives at leading organizations who are adopting DevOps methodologies and tools, including American Express Company, American Financial Group, Asian Development Bank, Carlson Wagonlit Travel, CIBC, GIC Private Limited, ING Bank, Lockheed Martin, NTT Communications, Orange Business Services, Pearson, Rockwell Automation and Starbucks. Sponsored by CyberArk, the initiative brings together leading CISOs for peer-to-peer information sharing to help security teams build effective cyber security programs.

While security strategies should address privileged access and the risk of unsecured secrets and credentials, they should also closely align with DevOps culture and methods to avoid negatively impacting developer velocity and slowing the release of new services. Despite this, 73 percent of organizations surveyed for the 2018 CyberArk Global Advanced Threat Landscape report have no strategy to address privileged access security for DevOps.

The report summarizes five key recommendations based on the real-world experiences of participating CISOs, including:

  1. Transform the security team into DevOps partners – Ensure security practitioners and developers have the right skills, make it easy for developers to do the right thing, encourage collaboration and adopt agile DevOps methods within security.
  2. Prioritize securing DevOps tools and infrastructure – Set and enforce policies for tools selection and configuration, control access to DevOps tools, ensure least privilege and protect and monitor infrastructure.
  3. Establish enterprise requirements for securing credentials and secrets – Mandate the centralized management of secrets, extend auditing and monitoring capabilities, eliminate credentials from tools and applications, and develop reusable code modules.
  4. Adapt processes for application testing – Integrate automated testing of code, compel developers to fix security issues using a “break the build” approach and consider a bug bounty program.
  5. Evaluate the results of DevOps security programs – Test secrets management solution deployments, measure and promote improvements and educate auditors.

“This CISO View report captures the experiences and recommendations of senior executives who are securely embracing DevOps workflows,” said Marianne Budnik, CMO, CyberArk. “For organizations embarking on digital transformation initiatives, it has never been more important to align security and risk postures across new tools and technologies. In understanding organizational and operational challenges, security teams can more effectively drive productive discussions across executive, security and developer teams.”

This report is the third in The CISO View report series, which was developed in conjunction with independent research firm Robinson Insight and relies on the insights and guidance contributed by The CISO View panel of Global 1000 CISOs, members of the security community and other industry experts.

To download “The CISO View: Protecting Privileged Access in DevOps and Cloud Environments” and other reports in the series, visit https://www.cyberark.com/cisoview/.

22 Jan

Sophos XG Firewall and Synchronized Security continue to innovate and push the envelope of what’s possible with cybersecurity.

If you’ve had a chance to review our latest 2019 Threat Report, you know that threats and attacks are changing, and so is the role your firewall plays in providing a defense.

For most of the past decade, attackers have built up a vast repertoire of automation, coupled with exploitable vulnerabilities, in an attempt to rapidly attack targets and evade security measures or protection at the network and endpoint level.

But now, some sophisticated attackers are turning to more targeted and inherently unpredictable manual network hacks, using brute force to gain a foothold on the network, and strike out from there as if they were a resident network administrator. In some respects, we’ve now come full-circle with modern attacks now taking advantage of age-old security issues like weak passwords.

The role of the firewall in protecting against these hacks and attacks has similarly evolved. Long gone are the days where the firewall was like a medieval moat and castle wall for your protected network. We’re now at a point where you can’t necessarily trust who or what is operating within the proverbial castle walls.

Forrester refers to this situation as “zero-trust”. Essentially it means that devices and users on your network need to establish or prove trust, and if something proves untrustworthy – take action. It’s a great model that’s having widespread positive impacts on IT security. A perfect example is the use of multi-factor authentication as an extremely effective tool in establishing user trust.

On the firewall side, network segmentation or even micro-segmentation is gaining a lot of momentum in response to the evolving threat landscape.

The principle is sound – segment your network into smaller and more granular subnets, and secure them together through your firewall to limit exposure in the event that one segment becomes compromised. In practice, it works great, but in some cases it can add unwanted expense, infrastructure, management overhead, and impact performance.

While the ideal solution would obviously be to firewall every device on the network separately, it’s simply not practical. However, you can get one of the key benefits of that strategy, today.

Introducing Lateral Movement Protection

Sophos XG Firewall v17.5 recently introduced Lateral Movement Protection, a new Synchronized Security feature that effectively provides an adaptive micro-segmentation solution. With Lateral Movement Protection, each individual endpoint is effectively on its own segment – able to be isolated in response to an attack or threat – regardless of the network topology. And without any added cost, infrastructure, overhead, or performance impact.

How do we do it?

By integrating our firewall and endpoint products together, they can share health, status and other important security information through a continuous Security Heartbeat™ connection. That enables both products to use this shared telemetry to respond to an active adversary or threat on the network. When any kind of attack is detected, the endpoint Heartbeat status changes, and triggers an automated response that has the firewall coordinating and synchronizing a defense.

Not only will the firewall cut off network access for the compromised device at the firewall, it will also advise all the healthy endpoints on the network to isolate the compromised host and ignore all traffic originating from it. The combined solution provides adaptive micro-segmentation at the individual endpoint level. And it doesn’t require any additional infrastructure or management, and has zero performance impact. It’s the ultimate emergency response strategy, for any network.

How do you get it?

All you need is our award-winning XG Firewall and the world’s best next-gen endpoint, Intercept X. They are both super easy to deploy. In fact, you don’t even need to replace your existing firewall to get all the great benefits of Sophos Synchronized Security.

You can deploy XG Firewall inline with your existing firewall and even deploy Intercept X alongside your existing desktop AV product – it’s easy, risk-free, and brings tremendous visibility, protection and response benefits to your network.

Firewall best practices

Check out our Firewall Best Practices Guide for more information on how to optimize your network protection.

16

Jan

Sophos, a global leader in network and endpoint security, today announced that it has acquired next-generation cloud infrastructure security company, Avid Secure. Avid Secure offers an artificial intelligence-based cloud security analytics, compliance, and DevSecOps platform to provide effective end-to-end protection in public cloud services such as AWS, Azure, and Google.

Founded in 2017 by a team of highly distinguished leaders in IT security, Avid Secure uses artificial intelligence and automation to address the real-world challenges of effective cloud security including lack of workload visibility, and the constant monitoring required to stay ahead of today’s sophisticated attacks. Avid Secure is a small, privately owned company with headquarters in San Francisco, Calif. and engineering operations in Gurgaon, India.

“The accelerated adoption of public cloud environments is presenting new data security challenges to organizations. With the cloud workload protection and the cloud security posture management software from Avid Secure, Sophos will expand its current capabilities in cloud security and drive leadership in this growing space,” commented Dan Schiappa, senior vice president and general manager of Products at Sophos. “We welcome the Avid Secure team to Sophos and are excited to bring their transformational technology into our portfolio, strengthening our ability to offer the best protection for our customers’ data on endpoints and networks, wherever their services are hosted.”

“We built the Avid Secure platform to revolutionize the security of public cloud environments in a process efficient way,” said Nikhil Gupta, CEO and co-founder at Avid Secure. “We are proud of our innovative AI powered technology that provides enterprises with end-to-end continuous security analytics, visibility, and compliance to protect their data and maximize their investments in public cloud services. The opportunity to join Sophos in their mission to evolve cybersecurity into an intelligent, integrated system presented a perfect fit for our engineering vision. I, and the whole team at Avid Secure look forward to what we can achieve together.”

15

Jan

This three-day training program is designed for experienced technical professionals who want to install, configure and support the XG Firewall in production environments, and is the result of an in-depth study of Sophos’s next-generation firewall.

The program consists of presentations and practical workshops that reinforce the teaching content. Because of the nature of the material and the varied experience of the trainees, open discussion is encouraged during the training.

(3 days Training)

Tuesday 26 February 2019 to Thursday 28 February 2019

Requirement

Participants should have the XG Engineer Certification

Recommended Knowledge

Knowledge of networking to a CompTIA N+ level

Knowledge of IT security to a CompTIA S+ level

Experience configuring network security devices

Be able to troubleshoot and resolve issues in Windows networked environments

Experience configuring and administering Linux/UNIX systems

Content

  • Module 1: Enterprise Deployment Scenarios
  • Module 2: Advanced Firewall
  • Module 3: Authentication
  • Module 4: Webserver Protection
  • Module 5: RED Management
  • Module 6: Wireless Protection
  • Module 7: Enterprise VPN
  • Module 8: High Availability
  • Module 9: Troubleshooting
  • Module 10: Sizing

Certification

+ exam: Sophos XG Architect

Duration 3 days

Agenda

Trainer: Micheal Eleftheroglou

Day 1 Tuesday 26 February 2019

9:30-10:15 Module 1: Enterprise Deployment Scenarios Part I

  • Bridge mode
  • Gateway mode
  • Mixed mode

10:15-10:30 break

10:30-12:00 Enterprise Deployment Scenarios Part II

  • VLAN
  • Link Aggregation
  • Routing protocols

12:00-12:15 Break

12:15-13:45 Advanced Firewall Part I

  • Stateful inspection
  • Strict policy
  • Fast path
  • Intrusion prevention
  • Anti-DoS/flooding
  • Advanced Threat Protection

13:45-14:45 Lunch break

14:45-16:15 Advanced Firewall Part II

  • Asymmetric routing
  • Local NAT policy
  • DHCP options
  • Bind to existing DHCP scope
  • Country list
  • Drop packet capture
  • IPS tuning

16:15-16:30 Break

16:30-17:15 Webserver Protection

  • Overview
  • Web Servers
  • Application Protection policies
  • Path specific routing
  • Authentication policies
  • Certificates

Day 2 Wednesday 27 February 2019

9:30-10:15 Module 4: Authentication

  • Single sign-on (SSO)
  • LDAP integration
  • Secure LDAP
  • STAS (Sophos Transparent Authentication Suite)
  • Troubleshooting STAS

10:15-10:30 Break

10:30-12:00 Authentication part II

  • Sophos Authentication for Thin clients (SATC)
  • Troubleshooting SATC
  • NTLM
  • Troubleshooting NTLM

12:00-12:15 Break

12:15-13:45 Module 5: RED Management

  • Overview
  • RED Models
  • Deployment
  • Adding a RED interface
  • Balancing and failover
  • VLAN port configuration

13:45-14:45 Lunch break

14:45-15:30 Module 6: Wireless Protection

  • Overview
  • Access Points
  • Wireless networks
  • Security modes
  • Deployment
  • Built-in wireless
  • Mesh networks
  • RADIUS authentication
  • Class Activity

15:30-15:45 Break

15:45-17:15 Module 7: Enterprise VPN

  • Hub and spoke topology
  • IPsec VPN configuration
  • IPsec VPN policies
  • NAT overlap
  • Route precedence
  • VPN failover
  • Logs
  • Troubleshooting

Day 3 Thursday 28 February 2019

9:30-11:00 Module 8: High Availability

  • Overview
  • Prerequisites
  • HA packet flow
  • Configuration
  • HA status
  • Console commands
  • Logs
  • General Administration

11:00-11:15 Break

11:15-12:00 Module 9: Troubleshooting

  • Consolidated Troubleshooting Report
  • SF loader
  • Tcpdump

12:00-12:15 Break

12:15-13:45 Module 10: Sizing

  • Hardware appliance models
  • Hardware appliance sizing
  • Software and virtual devices
  • Sizing scenarios
  • Class activity

13:45-14:45 Lunch break

14:45-17:15 Labs and Exams

13

Jan

We know from talking to our customer and partner community that XG Firewall delivers tremendous value to customers by providing outstanding visibility, unmatched protection, and a unique and immediate response to threats on the network.

We also love to hear what industry experts think about XG Firewall, and we thought you might want to hear what they have to say as well.

CRN Network Security Product of the Year

For the second year in a row, XG Firewall was awarded CRN’s Network Security Product of the Year. This is a very prestigious award, as the winner is determined by solution providers that use these products every day. They consider a number of factors when determining their ratings, including but not limited to product quality and reliability; richness of product features and functionality; technical innovation; compatibility and ease of integration; and demonstrated ability to create new customer relationships or improve existing ones. This year’s survey garnered over 3,600 responses, and we outranked Fortinet, Palo Alto Networks, Cisco, and Forcepoint to claim the top prize again this year.


PC Pro 5-Star “Recommended” review

PC Pro is a monthly magazine consumed by 24,000 IT professionals. They recently did a deep-dive review of our XG 125w and had many great things to say. They concluded:

A superbly versatile gateway appliance that combines in-house security with cloud management capabilities.


IT Pro 5-star “Editor’s Choice” review

IT Pro is a tech-focused website with an audience of 1.4 million IT professionals and decision makers.

The review (which you can read in full here) concluded:

Along with a pleasantly swift deployment, the Sophos XG 125w impressed us with its depth of security features. Adding in its seamless integration with Sophos Central, the high performance and integral 11ac wireless services makes it our recommended gateway security appliance for SMEs.

Gartner UTM Magic Quadrant Leader

As you may know, Sophos was also recently named a Leader in the Gartner Magic Quadrant for Unified Threat Management (SMB Multifunction Firewalls) for 2018.


NSS Labs NGFW group test

Sophos XG Firewall also achieved excellent results in our latest test with NSS Labs, blocking 100% of all evasions with outstanding performance in all other areas as well.

New to XG Firewall?

If you’re new to XG Firewall, you can learn more about why industry experts consistently rank XG Firewall amongst the top in the industry.

8

Jan

It’s the beginning of a new year, and we should take some time to look at the security trends we expect to see over the next 12 months.

1. Security teams will need more development and engineering skills

Security teams used to focus on firewalls and endpoints, and many security professionals cut their teeth as system and network administrators. Nowadays, infrastructure is defined by code, breaches are increasingly caused by weak applications and automation is essential for understaffed teams.

This is changing the skillset required by security professionals, who need a deep understanding of applications and an ability to build automation into their tools and processes.

2. Organisations will increase their focus on software supply chains

These days, everyone relies a huge amount on open source libraries. These are often maintained very informally by loose-knit communities that are easy to infiltrate. This used to be the domain of nation states but the criminals are getting in on the action. Organisations will need to focus on keeping this area secured.

3. Application security will continue to grow

We are getting better at protecting endpoints, and attackers are shifting their focus. Legacy applications will continue to be a fertile hunting ground, and security and IT departments will need to keep up with this growing trend.

4. Threat hunting really will be driven by machine learning

It’s a bit of a cliché, but machine learning will no longer be something that you just buy. Tools and techniques that were previously the domain of data science experts are getting easier to use. It won’t be long before larger security operation centre teams are using the tools directly, rather than via models that are embedded in products.

5. Zero-trust starts to become achievable

Fourteen years after the Jericho Forum declared the end of the network perimeter, we are getting close to the point where many enterprises have a realistic chance of keeping their users off “trusted” networks. The tools, knowledge and technologies for achieving a true zero-trust architecture are rapidly maturing, and this year will continue to see improvements in this area.

4

Jan

Today, Amazon Web Services (AWS) announced the AWS Security Hub, with Sophos as a launch partner.

Sophos supports this industry-wide effort to consolidate and bring focus to high-priority security alerts on AWS. We believe that visibility is the best defense against today’s threats, highlighting as early as possible any alerts and events that could represent compromise.

We applaud AWS efforts to provide APIs for the AWS Security Hub. This enables sharing of security information across the AWS ecosystem, including that from Sophos, whose products generate and correlate events and alerts.

The approach that AWS has taken with Security Hub parallels the approach that we followed with Sophos Central: collecting security information and presenting it on a single screen for easy viewing, as shown below.

Since AWS is increasingly an extension of customers’ on-premises systems for business-critical applications, protection of AWS applications and data is essential. Now that Sophos integrates with AWS Security Hub, alerts about the AWS environment can be viewed in Sophos Central for easier management. Sophos Central provides visibility not only to events across AWS, but also across on-premises and other environments.

With protection from the industry-leading Sophos Intercept X and XG Firewall products, Sophos Central then correlates that information and automates the response with Synchronized Security.

SHI, a Sophos partner who assists customers migrating to AWS, now recommends use of AWS Security Hub. SHI has tested the connection between AWS Security Hub and Sophos Central, and sees significant benefit from the integration.

“The integration of Sophos Server Protection with the AWS Security Hub provides tremendous confidence for our customers and enables us to help migrate more organizations to the Amazon public cloud,” said Chief Cloud Officer Lee Ziliak.

Sophos has also added protection of AWS S3 storage in addition to the current protection for AWS EC2 instances in Sophos Intercept X for Server. Now both EC2 instances and S3 storage buckets are discoverable from customer AWS accounts, easily enabling appropriate security policies to be applied and managed from the map display in Sophos Central, as shown below.

With the efforts of AWS, and the integration and protection that Sophos has added, customers of Sophos Intercept X for Server can now protect business-critical workloads and data stored on AWS, as well as on premises.

You can find out more about the partnership on our website.

31

Dec

For organizations whose cyber defenses may have become one-dimensional, threat hunting has breathed new life into sputtering security programs.

Broadly defined as the manual practice of applying tools, tactics, procedures and intelligence to uncover advanced network attacks that have slipped past existing defenses, threat hunting is surging in popularity.

Able to easily bypass traditional, signature-based security, persistent attackers are using stealthy means to fly under the radar and travel unrestricted across corporate databases, networks and applications – and you need to assume they are already inside yours.

So how do you find them?

While actions such as log and event analysis (automated threat detection) and technologies like endpoint detection and response (EDR) have emerged to help organizations become more proactive at flagging and rebuffing these sophisticated foes, threat hunting pushes the needle even further forward with a human-driven component. Trained personnel pursue attackers while leveraging many of the same capabilities and thought processes that the adversaries use themselves.

Even if your ultimate security goal may be to pre-empt the mega breach, threat hunting is out to discover anything out of the ordinary that could indicate something is amiss in your environment – in the process vastly growing visibility into your network, reducing risk and expanding security maturity. Oftentimes, this means unearthing something that is far less deleterious – and far less thought about – than an advanced persistent threat actor, but critical nonetheless, as non-routine activity of any kind may affect your organization’s operations and bottom line.

What your team may discover on a threat hunt (or via powerful security operations center-backed experts hunting on your behalf) could range from an honest mistake to a spiteful employee to a full-blown hacker incident. As an accountable and responsible security professional, you should want to know about all of them.

1) Hackers “Living off the Land”

As simple as it is to find fault with the current state of security, many businesses are making things more onerous than ever on network intruders to succeed. You may be surprised to learn that this reality has forced miscreants to turn to self-sustainable practices. A tactic known as “living off the land” has grown in popularity in recent years among all types of malicious hackers and typically involves them using tools already approved and installed by your IT team – for instance, PowerShell, a legitimate admin tool used to automate tasks – and using them to run exploits (especially fileless attacks), harvest credentials and traverse the network.

2) Unusual User Behavior

Threat hunts can also turn up anomalous user activity, which may hint at possible threats involving a rogue insider. Actions that could indicate a wayward employee include multiple requests to escalate privileges, large data exfiltration at odd hours, late-night logins and the mass downloading or deletion of files – all of which are uncharacteristic of their normal duties and potentially indicative they are planning, for example, to switch jobs or exact revenge on the business.

3) Old or Unused Machines

In an era of technology sprawl, it may be easy to lose track of active workstations and other systems, which still introduce risk to a company. One of Trustwave’s threat hunters told me about one case in which his team identified IP addresses within a network that were behaving strangely. The hunters turned that information over to the customer, which took three weeks to physically identify the offending machines – they were stored away, apparently unknowingly, in a cabinet somewhere.

4) Policy Breakers Cutting Corners

The insider threat doesn’t always involve malice – sometimes an employee is trying to do the right thing, albeit “overlooking” security policies and ramifications. Going back to the earlier PowerShell example, a worker in accounting may have discovered the tool to be useful for automating reporting but is unaware that attackers may be also able to leverage it to run malicious scripts.
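As an added example (not from the original article, and not a Trustwave tool), the following Python script shows what the first pass of such a hunt looks like in practice: it runs over constructed sample log records and flags the indicator classes described under 1), 2) and 4) above, namely PowerShell launched by accounts outside the admin group, off-hours logins, bursts of file downloads or deletions, and repeated privilege-escalation requests. The account names, hosts, log format and thresholds are all assumptions chosen for the example.

```python
"""Threat-hunting triage over constructed endpoint and authentication logs.

Added example: the log format, account names, hosts and thresholds below are
assumptions, not anything from the article or from a real product.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Hypothetical organisation policy (assumptions for the example).
ADMIN_ACCOUNTS = {"it-admin01", "it-admin02"}   # accounts expected to run admin tooling
BUSINESS_HOURS = range(7, 20)                    # 07:00-19:59 local time
MASS_FILE_THRESHOLD = 50                         # file_download/file_delete events per user per hour
ESCALATION_THRESHOLD = 3                         # privilege-escalation requests per user


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    host: str
    kind: str        # login | process | file_delete | file_download | priv_request
    detail: str = ""


def parse_line(line: str) -> Event:
    """Parse one 'timestamp|user|host|kind|detail' record (constructed format)."""
    ts, user, host, kind, detail = line.split("|", 4)
    return Event(datetime.fromisoformat(ts), user, host, kind, detail)


def hunt(events):
    """Return (indicator, user, evidence) findings for an analyst to review.

    Each finding is a lead, not a verdict: the article's point is that the same
    indicator may turn out to be an intruder, a careless employee or a mistake.
    """
    findings = []
    per_user_hour = Counter()   # (user, kind, hour bucket) -> count
    escalations = Counter()     # user -> privilege-escalation requests
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "process" and "powershell" in e.detail.lower() and e.user not in ADMIN_ACCOUNTS:
            # 1) and 4): an approved admin tool run by an account that has no admin role
            findings.append(("powershell-by-non-admin", e.user, f"{e.host}: {e.detail}"))
        elif e.kind == "login" and e.ts.hour not in BUSINESS_HOURS:
            # 2): late-night or otherwise off-hours interactive login
            findings.append(("off-hours-login", e.user, f"{e.host} at {e.ts:%Y-%m-%d %H:%M}"))
        elif e.kind in ("file_delete", "file_download"):
            # 2): mass download/deletion, counted per user per clock hour; fire once per bucket
            bucket = e.ts.replace(minute=0, second=0, microsecond=0)
            key = (e.user, e.kind, bucket)
            per_user_hour[key] += 1
            if per_user_hour[key] == MASS_FILE_THRESHOLD:
                findings.append((f"mass-{e.kind}", e.user,
                                 f"{MASS_FILE_THRESHOLD}+ events in hour starting {bucket:%H:%M}"))
        elif e.kind == "priv_request":
            # 2): repeated requests to escalate privileges
            escalations[e.user] += 1
            if escalations[e.user] == ESCALATION_THRESHOLD:
                findings.append(("repeated-priv-escalation", e.user,
                                 f"{ESCALATION_THRESHOLD} requests"))
    return findings


def triage(lines):
    """Parse raw log lines and run the hunt over them."""
    return hunt(parse_line(line) for line in lines)


def prioritize(findings):
    """Rank users by how many distinct indicator types they triggered (most first)."""
    distinct = {}
    for indicator, user, _ in findings:
        distinct.setdefault(user, set()).add(indicator)
    return sorted(((u, len(s)) for u, s in distinct.items()), key=lambda x: (-x[1], x[0]))


# Constructed sample log: one accounting user (j.doe) shows several indicators,
# an admin runs PowerShell legitimately, and an engineer logs in during work hours.
SAMPLE_LOG = [
    "2019-01-14T23:40:12|j.doe|WS-ACCT-07|login|interactive",
    "2019-01-14T23:41:03|j.doe|WS-ACCT-07|process|powershell.exe -File monthly_report.ps1",
    "2019-01-15T09:02:11|it-admin01|SRV-FILE-01|process|powershell.exe Get-Service",
    "2019-01-15T09:10:00|m.lee|WS-ENG-12|login|interactive",
] + [
    f"2019-01-15T02:{m:02d}:00|j.doe|SRV-FILE-01|file_download|/finance/q4/{m:03d}.xlsx"
    for m in range(60)
] + [
    f"2019-01-15T10:{m:02d}:00|j.doe|WS-ACCT-07|priv_request|local-admin request {m}"
    for m in (5, 12, 30)
]

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for indicator, user, evidence in results:
        print(f"{indicator:28} {user:12} {evidence}")
    print("priority:", prioritize(results))
```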

5) Shadow IT

There are plenty of ways to invite malicious content or data-leakage risks into your organization, and the proliferation of web- and cloud-based software has opened that door even wider. While many employees (including C-level executives) are installing applications, often citing their desire to use them to improve productivity, they usually end up being unmanaged and grow a business’ attack surface. Sometimes, a user’s motivation for such a download isn’t as work-focused: Our aforementioned threat hunter recently turned up a “Pokemon Go” mining operation in which a member of the IT team was using several systems to “catch” the animated creatures.

With the knowledge of what a threat hunt helps bring to the surface, you can immediately take risk-reducing actions within your organization. Remember, it’s not always the APT adversary who can bring you down.

You can read the original article, here.

27

Dec

Martin Sugden, CEO of Boldon James, was in Brazil last week and shared a warning that organizations need to comply with LGPD: “companies need to know what kind of information they have, where it is stored and how to deal with it”.

While organizations are increasingly concerned with data protection, many do not have the right tools to protect their information, and do not apply data classification to their data collection, processing, and handling processes. Systems have been designed to view data as belonging to the company not the individual that shared it with the organization. With the arrival of GDPR and LGPD, organizations are having to adapt to the new reality.

Martin Sugden, CEO of Boldon James, was in Brazil last week to meet clients and local partners and on November 29 he met with key members from the local business media to discuss how organizations comply with LGPD: “Companies need to know what kind of information they have, where it is stored and how to deal with it”.

According to Sugden, “Once you understand what information you have, and where the information is held, you can make informed decisions about the level of security to be applied: from who can access it, to whether it should be encrypted or anonymized, to whether I even need to keep it. The current security strategy must take into account that GDPR and LGPD rules are rigid and that any information should be protected wherever it is, including mobile devices, in the supply chain or with advisers. Your users need to be trained and understand your policies”, he commented.

“Recent surveys point out that at least 1/3 of IT executives claim that mobile security is one of their biggest concerns, especially as modern working practices involving mobile devices, social media and BYOD make it easy to lose or inadvertently share data”, said Martin Sugden.

According to the CEO of Boldon James, financial services companies report the most concerns about data security, but it is these companies that invest more in data classification policies and tools. With the GDPR and LGPD, the banking and financial institutions must increase their investments in data security. “Other organizations should follow the same path, so they can better protect their vital business data”, Sugden emphasizes.

Boldon James has been working for 30 years on the development of data classification techniques, being responsible for numerous pioneering data classification projects in large companies in several countries.

The Boldon James Classifier solution allows labels to be filtered to handle, hold, or send documents safely outside of organizations, either to mobile devices, partners or customers. For example, last year a USB was found on a London street with 76 highly classified files regarding the travel routes taken by Queen Elizabeth when using Heathrow airport, including airport patrol timings and the identity of personal protection officers who had access to certain secret areas at the airport. This data should not be downloadable and if it was it should be encrypted. A simple classification label using Classifier would have triggered a Rights Management tool to stop this happening.

“Do you know what is critical in your company? If data classification technology were to be applied in conjunction with say a Data Loss Prevention solution or Rights Management, this sensitive data loss would most likely not happen”, said Martin Sugden.

You can read the original article, here.

25

Dec

Sophos is pleased to announce that the early access program (EAP) for XG Firewall management through Sophos Central is now available for you to take a test drive.

As you probably know, Sophos Central is the ultimate cloud-management platform for all of your Sophos products, and it now includes XG Firewall. It makes day-to-day setup, monitoring, and management of your network protection easy. You can quickly and easily add all your XG Firewalls into Sophos Central, giving you secure access to your entire estate from anywhere.

With XG Firewall joining Sophos Central, you can now manage all your Sophos Synchronized Security products from a single cloud console. Intercept X and the rest of the Sophos suite of protection are all there, at your fingertips: mobile, email, wireless, and more.

How to get started in three easy steps:

Check out this step-by-step knowledgebase article for full details, but it’s really as simple as 1, 2, 3:

  1. First, you’ll need a Sophos Central account if you don’t already have one. Head on over to cloud.sophos.com to create a trial account or log in, and while you’re there, enroll in the Early Access Program by clicking your account in the upper right corner of the console.
  2. Next, log in to your firewall, add your Sophos Central credentials on the Central Synchronization screen and select the option to Manage from Sophos Central.
  3. Then, return to Sophos Central and confirm adding your Firewall. That’s it! Now you can securely access your firewall from anywhere through Sophos Central.

Join the EAP Community Forum to share your feedback with the Sophos team and others.

Additional features coming soon

Over time, additional features will be added to Sophos Central management of your XG Firewall including:

  • Backup management and storage for your regularly scheduled firewall backups
  • Firmware update management to make multiple firewall updates easy
  • Light-touch deployment to enable easy remote setup of a new firewall

And much more!

FAQ

Below are the most frequently asked questions about Sophos Central Management of XG Firewall. You can add your own to the EAP Community Forum where our team will do our best to answer.

Question: Is there a limit on how many firewalls or what type can be managed by Sophos Central?

No, there is no limit. Sophos Central can manage any XG Firewall, hardware, virtual, software or Azure as long as it has a WAN internet connection to connect to Sophos Central.

Question: Is there a charge for Sophos Central management of XG?

No, there is no charge and no special license required for either the EAP or when this capability is generally available. Anyone can set up a Sophos Central account at no charge to manage their XG Firewalls.

Question: Do I need other Sophos products to take advantage of Sophos Central Management of XG Firewall?

No, you don’t need any other Sophos Product to take advantage of Sophos Central Management of your XG Firewalls.

Question: How does the connection and information sharing work between XG and Sophos Central?

XG Firewall initiates a TLS-encrypted connection to Sophos Central to share information. Since the connection is outbound from the firewall, it is a simple way to manage firewall devices remotely without exposing the management interface login on the WAN. No port forwarding or other configuration is required. Since Sophos Central does not store the configuration, logs or reporting data, no synchronization is required: any changes made through Central take effect on the device as they are made.

Question: Does Sophos Central copy or store any of the data from my Firewall in the cloud?

No, all your Firewall data and configuration information remains on your Firewall.

Question: What version of firmware is required on XG Firewall to manage it from Sophos Central?

XG Firewall v17.5 (or later) is required. This was released in late November and is currently being rolled out in stages to customer systems. If you haven’t already received the automatic update notice in your Firewall console, you can download the firmware update from MySophos.

Question: What are the various central management products that are available for XG Firewall and their differences?

Sophos Central is ideal for Sophos customers who want to monitor and manage their firewalls conveniently alongside their other Sophos products in Sophos Central: It offers a full list of all your firewalls under management along with quick access to manage any of them individually (one-at-a-time). It does not yet offer any policy template tools or alerting and monitoring like Sophos Firewall Manager.

Sophos Firewall Manager (SFM) is our on-premises product that provides rich multi-device management features. It is ideal for organizations managing a large number of devices or those who want to take advantage of the policy template and other multi-device management tools.

You can read the original article, here.

23

Dec

50% of employees admit to clicking links from unknown senders. But which 50%? It’s time for a targeted approach to cybersecurity training.

Teaching users with simulated phishing attacks and training is half the battle in the race against phishing attacks. But what about the real test for users? The phishing emails, the unverified USBs, the ones that cripple the customer database on a Sunday at 1am?

Sophos Phish Threat now offers a breakthrough in cybersecurity training with Sophos Synchronized Security. By connecting Sophos Email and Phish Threat, we’ve taken the guesswork out of finding those riskier users in your organization – those who need a more targeted approach to training.

A breakthrough in cybersecurity training

50% of employees* admit having clicked on an email link from an unknown sender in the last 6 months that turned out to be malware or a scam. Regular attack simulations and security awareness training make all the difference, with existing Phish Threat customers able to reduce susceptibility to attack by 31% in just four tests (that’s opening and still clicking to you and me).

But while you train all users on cyberthreats, how do you find and train the weakest links in your organization?

Sophos Synchronized Security now lets you do that by connecting Sophos Email and Phish Threat. It helps you identify users who regularly click malicious links or violate other security policies, and lets you enroll them directly into targeted training.

Sophos Email and Phish Threat

Available now, Sophos Email Advanced is the first Secure Email Gateway to feed intelligence directly to a security awareness training solution for the best results.

The new Sophos Email Advanced At Risk Users report highlights which users are clicking email links rewritten by Time-of-Click URL protection, and identifies those who have either been warned or blocked from visiting a website due to its risk profile. You can then enroll those users in Phish Threat simulations and security awareness training with one click – increasing their threat awareness and reducing risk.

Take the guesswork out of training today

The greatest risk from attackers is not individual campaigns, but instead connected attacks, where vehicles like phishing are used to first penetrate your defenses.

Sophos is already the only vendor to offer a layered security defense, with protection at every point of the attack chain. Synchronized Security goes beyond that to take the guesswork out of finding those users who need a more targeted approach to training. Find out more about Sophos Email and Sophos Phish Threat today, and take the 30 day free trial.

20

Dec

More than ever, customers understand their right to data privacy. As major brands continue to lose sensitive data to cybercriminals in high-profile cloud security failures, customer trust in companies across industries is fading. Only 25 percent of consumers believe most companies handle their data responsibly, according to PricewaterhouseCoopers (PwC). As a result, secure, transparent data handling practices are more imperative than ever.

New regulations signal that governing bodies are also taking the enterprise’s responsibility for data privacy very seriously. The Brazil Privacy Act and the California Consumer Privacy Act support the consumer’s right to understand how their data is collected and used, and the New York Department of Financial Services (NYDFS) requirements are among the first regulations to address cloud security risks. Proposed rules require financial institutions to conduct vulnerability assessments and practice data classification and safe data management, whether the data resides on-premises or in the cloud.

Misconfigurations Cause Database Security Mayhem

Despite increased pressure to protect customer data, security teams are still struggling to address database security risks. Misconfigured servers, networked backup incidents and other system misconfigurations resulted in the exposure of 2 billion data records in 2017, according to the “IBM X-Force Threat Intelligence Index 2018” — that’s a 424 percent increase in such data breaches over last year’s total.

Cybercriminals are innovating quickly to take advantage of enterprise cloud security challenges. Many are using and creating open source tools to scan the web for unprotected cloud storage and, in some cases, locking these systems for ransom. Results from a Threat Stack study indicated that the majority of cloud databases are unprotected or otherwise misconfigured. Researchers attributed the prevalence of misconfigurations to employee negligence and insufficient IT policies.

Why The Enterprise Cloud Is Vulnerable

Still, it would be unfair to blame the current state of enterprise cloud security on employee negligence — at least, not entirely. Critical misconfigurations are technically the result of inadvertent insider error, but the reality is a bit more complex. Correcting configurations and compliance risks is difficult because security teams lack actionable visibility into cloud risks. There’s a glut of security risk to deal with, and traditional approaches to assessing risk result in an abundance of data with little actionable intelligence.

The enterprise cloud environment is complex and difficult to capture with vulnerability assessment tools designed for physical network and endpoint risk assessments. The unstructured, NoSQL landscape of big data in the cloud evolves on a near-daily basis to accommodate new forms of unstructured data. It’s no wonder that trying to assess database security risk across heterogeneous environments is often compared to finding a needle in a haystack.

Layered vulnerability assessments are crucial to protect against cloud security and compliance risks. Under some recent regulatory requirements, in fact, vulnerability assessments are mandatory. However, the enterprise needs vulnerability solutions that can support the scale of cloud database-as-a-service (DBaaS), traditional on-premises databases, warehouses and big data environments in a meaningful way.

Advanced analytics are necessary to sort through complex event data to correlate patterns and find true outliers that are associated with meaningful risk of data loss or advanced threats. The sheer volume and variety of data in the enterprise cloud requires proactive vulnerability assessment. A vulnerability assessment solution should automate risk prioritization, recommend remediation and simplify complex compliance requirements.

How To Achieve Real-Time Security And Compliance In Cloud Or Hybrid Environments

Reducing risk requires visibility and control with an adaptive, real-time approach to understanding exposure. In a database environment, assessments should actively examine privileges, authentication, configuration, versioning and patching. Finding and remediating advanced threats from insiders, ransomware and data breaches requires advanced analytics. Your vulnerability assessment solution should rank risks based on the importance of data and breach likelihood and recommend remediation actions.
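As an added illustration of the kind of assessment the two paragraphs above describe (not code from the article or from any vendor it names), the following script reviews a constructed MongoDB-style configuration for the misconfiguration classes discussed earlier (authentication disabled, exposed on all interfaces, no transport encryption, unpatched version), weights each finding by an assumed data-classification tag, and recommends a remediation. All configuration values, the version baseline and the sensitivity weights are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    check: str
    score: int           # base severity weighted by data sensitivity
    remediation: str

# Constructed sample configurations (hypothetical values, MongoDB-style keys).
WEAK_CONFIG = {
    "net": {"bindIp": "0.0.0.0", "tls": {"mode": "disabled"}},
    "security": {"authorization": "disabled"},
    "version": "3.4.2",
    "data_classification": "PII",  # assumed tag from a classification process
}
HARDENED_CONFIG = {
    "net": {"bindIp": "127.0.0.1,10.0.1.5", "tls": {"mode": "requireTLS"}},
    "security": {"authorization": "enabled"},
    "version": "4.0.4",
    "data_classification": "PII",
}

MIN_PATCHED_VERSION = (3, 6, 0)   # assumed patch baseline for this example
SENSITIVITY_WEIGHT = {"public": 1, "internal": 2, "PII": 3}  # assumed weights

def assess(cfg):
    """Return findings ranked by (base severity x data sensitivity), highest first."""
    weight = SENSITIVITY_WEIGHT.get(cfg.get("data_classification", "internal"), 2)
    net, sec = cfg.get("net", {}), cfg.get("security", {})
    raw = []
    if sec.get("authorization") != "enabled":
        raw.append(("authentication", 5, "Set security.authorization: enabled and create role-scoped users"))
    if any(ip.strip() in ("0.0.0.0", "::") for ip in net.get("bindIp", "").split(",")):
        raw.append(("network exposure", 4, "Bind only to private interfaces and restrict ingress with firewall or security-group rules"))
    if net.get("tls", {}).get("mode") != "requireTLS":
        raw.append(("transport encryption", 3, "Set net.tls.mode: requireTLS so credentials and data are not sent in clear"))
    version = tuple(int(p) for p in cfg.get("version", "0").split("."))
    if version < MIN_PATCHED_VERSION:
        raw.append(("patch level", 3, "Upgrade to a supported, patched release"))
    findings = [Finding(check, base * weight, fix) for check, base, fix in raw]
    return sorted(findings, key=lambda f: f.score, reverse=True)  # stable: ties keep check order

if __name__ == "__main__":
    for f in assess(WEAK_CONFIG):
        print(f"[{f.score:>2}] {f.check}: {f.remediation}")
```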

Security and risk are convening in the enterprise, and vulnerability tools should deliver risk intelligence that can be shared with the chief information officer (CIO), chief security officer (CSO) and chief risk officer (CRO). Enterprise cloud environments are complex, but a vulnerability assessment tool can provide a consolidated and actionable view into risk, remediation, compliance and policy. To drive continued value, however, a vulnerability assessment solution must scale to new services as new applications, databases and cloud services are deployed over time.

The cloud has shifted the landscape and created the need for a new approach to assessing risks. If understanding compliance and configurations feels like finding needles in a haystack, it may be time to automate. Data privacy is now a compliance and customer imperative, and understanding the state of your databases is critical, so aim to scale your security assessments with a solution designed for the complexities of the enterprise cloud environment.

You can read the original article here.

11 Dec

Sophos Intercept X with EDR has been recognized again as an industry leader. Among the winners in Computing’s Security Excellence Awards, Intercept X took home the award for Security Innovation of the Year for the second year in a row.

The Security Excellence Awards, which took place on 21 November in the heart of London, are hosted by UK-based tech magazine Computing as part of its annual Enterprise Security & Risk Management Summit. The ceremony celebrates the industry’s best security companies, solutions, products and personalities across 20 categories.

On the Security Innovation of the Year award, Computing says:

“The security industry and its products are continually evolving, as it keeps pace with the new tricks and tactics developed by hackers to attack corporate networks. This award will be given to the product or service which demonstrates something truly new and original”.

Learn more about our award-winning Intercept X Advanced with EDR or try it for free today.

5 Dec

Today marks a major milestone with the release of the first-ever Gartner 2018 Magic Quadrant for Privileged Access Management.* CyberArk was named a Leader, positioned highest for ability to execute and furthest for completeness of vision.

As the market pioneer, not only is this a major accomplishment for us as an organization, but it’s also an important milestone for the market at large. According to the report, “Privileged access management is one of the most critical security controls, particularly in today’s increasingly complex IT environment. Security and risk management leaders must use PAM tools in a long-term strategy for comprehensive risk mitigation.”

As the company recognized for establishing the market category, we are extremely proud to be named a Leader. We remain laser-focused on helping organizations to secure the enterprise by delivering innovative solutions that break the attack chain and protect their most valuable assets. We will continue our work to make a quantifiable impact on the security of companies and governmental organizations around the world, enabling them to adopt digital transformation strategies with confidence.

As we celebrate being named a Leader in the Gartner Magic Quadrant for Privileged Access Management, we’d like to thank all of our incredible customers, partners and employees who have been, and will continue to be, the cornerstone of our success.

Read the Full Report

Download the full 2018 Magic Quadrant for Privileged Access Management report here. To learn more about the CyberArk Privileged Access Security Solution or to see what customers and other industry experts say about us, visit our website.

You can read the original article here.