Sophos is one of the biggest players in the web security market, and at last week’s Infosec event in London it unveiled, amongst other things, a new version of its Sophos Cloud service specifically targeted at small and medium-sized businesses (SMBs). CBR sat down with James Lyne, the company’s Global Head of Security Research, to talk cloud, Heartbleed, Mac security, and more.

James Lyne

So what are the main trends that you’re seeing this year at Infosec?

Unsurprisingly, given the amount of media coverage we’ve had over the last 12 months, the major trend is a huge focus on Advanced Persistent Threats (APTs) – there’s been a lot of discussion of how there’s been a significant spike in the number of actors in that space. I think that there’s certainly some truth to that – although a lot of it as well is frankly the delayed marketing hype catching up to what the bad guys have been doing.

There’s also just the continued theme of the fundamental new way that we’re all using technology – and I think this is one of the biggest challenges for the security industry as a whole over the next few years – so lots of focus on the cloud and mobile devices. What’s really different this year is that last year and the year before, everyone was talking about it – this year people are actually doing it. So people are having to find ways to live with the fact that they’ve adopted XYZ cloud application, they’re having to find ways to deal with the fact that they have all these mobile devices on all these different platforms, none of which have the security maturity that Microsoft has with its 20+ years of being compromised.

Big data seems to have died off a little bit, which is interesting, and I wonder if that’s due to a little bit of disillusionment. It was preached as the next big security saviour, the thing that was going to make it easier to deal with the type of threats we’ve discussed, but in reality people have discovered that collecting more data doesn’t solve the right problem – you need the intelligent rules and ways to process that and come up with more meaningful interpretations.

Sophos is revealing its new cloud platform at Infosec, which is really targeting SMEs – why are you focusing on that specific market?

A cloud infrastructure for managing security is going to be a sensible default for the majority of organisations going forward, given the trends we’ve all talked about over the last four or five years – it just makes sense.

But SMEs are a particularly logical use case – A) they don’t tend to have a huge infrastructure in the first place for security, so it’s easier to transition and it’s easier to build up more security capability with someone like Sophos providing that for them, and B) they are generally more open to the idea of a cloud solution providing integrated, simple policies they can roll out, they’re more comfortable handing control to a security provider to do it for them – whereas larger enterprises might see that as a point of conflict, because they have to give up control.

A lot of these smaller companies don’t have a dedicated CIO or CISO – there’s a lovely phrase that came from one of our customers that is the ‘OIO’ – the Only Information Officer – which I love, because it’s true, even in a fairly moderately-sized SME, often it’s one or two people who are IT guys keeping the printers on, keeping the network up, as well as doing security. What I love about what we’ve been able to accomplish with the cloud platform is sensible defaults, you can provision the thing in about 2-3 minutes for a large office – I’ve done it in literally two minutes whilst listening to another conversation – which is how it should be for a small organisation, it should be that simple.

What about the human error factor though? How can companies overcome that?

I would absolutely say that good security is a combination of people, process and technology – and if you don’t have all of these, you’re going to fail. You can’t just deploy endless technology and not educate your staff and be successful – we would never deny that. Equally, only educating your staff and not running the right controls is a recipe for disaster – so we absolutely encourage small businesses, as well as frankly any enterprise, to make sure they have a good security awareness program.

Explore the use of videos, be more creative, awareness mechanisms, social engineering and penetration testing in particular – we’ve produced a lot of free assets on our website such as our ‘top tips’ packages for things like mobile and social media to try and help people build those campaigns, and there are of course a number of commercial packages offered by a variety of partners.

A lot of SMEs won’t have used any software like this before though – do you think it’s going to take any attack to make them wake up to these threats?

I think that generally speaking, most people need a breach or a security incident, or even a really close scare, before they really mobilise on dealing with a particular threat. We’ve been massively helped in this industry over the last few years by the media coverage in the mainstream of security issues.

Sometimes that backfires – if you look at Heartbleed for example, where the amount of misinformation about what Heartbleed is and how to handle it in the press was fairly horrifying, but even still, that’s getting the problem onto the mainstream agenda of consumers, small businesses, even my mum asked me what it was!

So we’re definitely finding that SMBs know they need to do more, they’re realistically looking at ways to do it within the cost and resources profile – it’s often the biggest stumbling block for an SMB, and many of them have done the basics of, I’ve got some AV, I’ve got a password policy, they know they want to go further, and they’re just trying to find a way to do it, as opposed to being pretty oblivious – which was the case a number of years ago for many providers.

All of that said, I still think there’s a lot of work to be done in awareness – I have a lot of hope for the government’s renewed focus on awareness – regulations, as we have new campaigns coming up in Europe that will apply across each of the member states and will be adopted in the UK as well that are discussing things like mandatory breach disclosure – when you have to own up to an attack, that is of course going to make people take their investment more seriously. So I think we’re in a better place than we have been, and we’ve got a few more miles to go, but I see a path.

I would like to see continued investments in those campaigns and upscaling – you need to see security in the reminder of what a good password is, in your everyday life, just like you see posters and adverts about drunk driving when you’re on the tube – so we have a lot more work to do, but I have a good sense that this is on the agenda for the government and we’ll see it coming, so it just needs to keep going.

Moving back to the new version of Sophos Cloud – why does it include a big focus on Macs? Surely everyone knows that Macs don’t get viruses…

This is a myth – it was never true that there were no viruses, but on the Mac platform itself, there used to be a minuscule amount of malware, there were 53 samples, and for years and years and years it was astonishingly difficult to get any of them. But that has not been the case for a number of years. There is a reasonable volume of Mac malware – but it certainly pales in comparison when compared to the PC – so we are talking thousands of samples a month compared to in excess of 250,000 pieces of malware for PC a day.

But although it is only that big, it can be successful. We see ransomware that encrypts information on the Mac that is as mature as the PC, data-stealing Trojans, we’ve even seen examples of data breaches in companies where it’s the CXO’s Mac that was responsible. So what I would say today is, yes I love the technology, I love using Apple’s products, but realistically, there is a security issue and you do need to take steps to protect yourself.

You mention mobile devices – iOS, Android especially – does this mean they can all work together as one big happy ecosystem?

Well this is what I see happening – every network I go into, with Android, iOS, some BlackBerry, even some Windows Phone every once in a while, Macs, PCs, Linux servers, Internet of Things devices, multi-function printers running Windows XP, scanners running some bizarre Linux build – combine this with the breakdown of the work perimeter and the average CISO has lost control of the devices in their network.

The security posture of those devices, and where they will be at all times – it’s elastic, everyone is struggling to put their arms back around it and re-implement the controls meant for measure or basic risk management they had only three or four years ago.

The reason Sophos is going in this direction is that it’s our strong suggestion that these CISOs are never going to get their arms back around the situation, and instead, increasingly we’re all beyond the position of managing every damn device imaginable, using the internet, with maybe a bit of a side policy for the local network.

When you embrace that conclusion, that this isn’t going away, the only logical place to do this is in the cloud, where you can see every device, whether they’re in a hotel or in XYZ, the corporate network and Android all alike. So we’re trying to protect everything from this, from the network, to the cloud, and everything in between, and give it to SMEs in a package where it’s simple and easy to access and simply deploy. That obviously sounds ridiculously hard, and it is hard, otherwise everyone would be doing it, but that’s really what we’re trying to accomplish.