Dan's Take

Sophos and Endpoint Protection

New types of access and devices require new ways of approaching security.

• By Dan Kusnetzky
• 01/26/2015

Dan Schiappa, senior VP and general manager at Sophos, came by to discuss how enterprises are struggling maintain levels of security, and his company's response: the Sophos Endpoint Protector.

Only a small percentage of enterprises really understand how to protect their IT assets from attacks, Schiappa said; staff, consultants and customers are accessing enterprise data and networks remotely using an ever-changing world of smartphones, tables, laptops and other endpoint devices.

He asserted that protection against malware and advanced threats can be best addressed through a combination of endpoint, mobile and encryption technologies.  While antivirus products were once thought to be enough protection, that no longer holds true. A bewildering array of mobile devices are in use today, and some of them are not well protected.

What can an enterprise do when an application appears to do nothing threatening while executing offsite, but acts quite differently when it senses that it's executing on the enterprise network? Tools must look for applications unexpectedly reaching out to initiate network connections, and then protect the enterprise network. Sophos believes that its approach of delivering real-time protection can help.

The Sophos Solution
The company believes that a combination of strategies are necessary to create a safe environment. These include making the endpoint devices secure, securing the network between those devices and the enterprise network, and making sure uploaded data and applications are also secure. The company has developed products to address each of these needs. Here's some of Sophos' verbiage about its approach:

New to Sophos' Endpoint Protection product is Malicious Traffic Detection which detects communications between a compromised endpoint and an attacker's servers … the endpoint-based Malicious Traffic Detection will automatically identify offending software and stop it from running to prevent potential damage or data loss.

Also in this release is an updated endpoint agent architecture powered by the new Sophos System Protector. This service acts like a “brain,” collecting and analyzing information gathered by Malicious Traffic Detection and other components, such as HIPS runtime protection.

Also part of the Next-Generation Enduser Protection vision, Sophos released SafeGuard Encryption 7 and Sophos Mobile Encryption 3, advancing the ability for businesses to securely create, access and edit encrypted data from any device.

SafeGuard Encryption 7 provides data protection across multiple platforms and devices, whether the data resides on a laptop or a mobile device, or is shared via the cloud or network. Safeguard Encryption is built to match an organization's workflow and processes without slowing down productivity.

SafeGuard Encryption also integrates with Sophos Mobile Encryption 3, which makes it possible for users to create and edit encrypted documents from their mobile devices and to manage multiple keys right within the app.

Dan's Take: A Reasonable Response to Security Challenges
Every security software supplier talks about the growing level of network threats. Most discuss how the trend toward making staff, consultants and customers provide their own endpoint devices can appear to reduce endpoint hardware expenditures, at the cost of greater levels of complexity, increased difficulties in maintaining proper security controls and larger opportunities for a security breach. They point out that the threat is becoming ever more sophisticated, making yesterday's static approaches less useful.

Some have approached the problem by offering technology that moves critical endpoint applications into their own separate virtual machine (VM). This makes it possible to carefully watch what's happening, and shut down an attack before it has a chance to do any harm.

Sophos believes this approach, while appealing at first glance, would cause users to experience poor performance. It would also increase the complexity and, quite possibly, the reliability of endpoint computing environments. Furthermore, this approach, by itself, might not address the challenge presented by malware designed to sense when it's been placed into a VM and change its behavior. The malware might change its behavior only after it has entered the enterprise environment.

Sophos suggests that ongoing monitoring of application and network activity is needed. Network traffic should be encrypted so that even if a network conversation is being monitored, only limited information could be captured.

It appears to me that Sophos has thought through the threat and is offering a reasonable set of tools to help enterprises.