Managed.IT - issue56

22 MANAGED.IT 01732 759725 CYBER SECURITY

Xstream security

Sophos has introduced a new ‘Xstream’ version of the Sophos XG Firewall featuring high-performance Transport Layer Security (TLS) traffic decryption capabilities that eliminate the significant security risk associated with encrypted network traffic – an area that the leader in next-generation cybersecurity claims is often overlooked by security teams due to performance and complexity concerns. XG Firewall now also features AI-enhanced threat analysis from SophosLabs and accelerated application performance.

According to SophosLabs, 23% of malware families use encrypted communication for Command and Control (C2) or installation, with three common and ever-present Trojans – Trickbot, IcedID and Dridex – leveraging TLS during the course of their attacks. Cybercriminals also use TLS to hide their exploits, payloads and stolen content and to avoid detection. SophosLabs research shows that 44% of prevalent information stealers use encryption to sneak hijacked data, including bank and financial account passwords and other sensitive credentials, out from under organisations.

Dan Schiappa, chief product officer at Sophos, said: “As SophosLabs’ research demonstrates, cybercriminals are boldly embracing encryption in an attempt to bypass security products. Unfortunately, most firewalls lack scalable TLS crypto capabilities and are unable to inspect encrypted traffic without causing applications to break or degrade network performance. With the new Xstream architecture in XG Firewall, Sophos is providing critical visibility into an enormous blind spot while eliminating frustrating latency and compatibility issues with full support for the latest TLS 1.3 standard. Sophos’ internal benchmark tests have clocked a two-fold performance boost in the new XG TLS inspection engine as compared to previous XG versions. This is a game changer.”

Latency too often deters IT admins from using decryption.
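To make the “blind spot” concrete, the following is an added Python example written for this page; it is not Sophos code and does not appear in the article. Without decryption, a firewall can read only the plaintext part of a TLS session, principally the ClientHello. The example constructs a minimal ClientHello record for a hypothetical host name (a constructed sample, not captured traffic), parses out the Server Name Indication (SNI), the offered cipher suites and the supported_versions extension, and flags the case where the client offers TLS 1.3: in that version the server certificate is itself encrypted, so certificate-based filtering requires full decrypt-and-re-encrypt inspection rather than passive observation of the handshake. The constants, the builder and the parser are all assumptions made for the example.

```python
import struct

# Protocol constants (TLS record/handshake types and extension IDs).
TLS_RECORD_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B
TLS13 = 0x0304


def build_client_hello(sni: str, versions, suites) -> bytes:
    """Construct a minimal TLS ClientHello record as test input (constructed sample)."""
    name = sni.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name type
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext_sni = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    ver_list = b"".join(struct.pack("!H", v) for v in versions)
    ver_body = bytes([len(ver_list)]) + ver_list
    ext_ver = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ver_body)) + ver_body
    exts = ext_sni + ext_ver
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", 0x0303)      # legacy client_version (TLS 1.2 on the wire)
            + bytes(32)                    # client random (zeros; constructed)
            + b"\x00"                      # empty session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00"                  # compression methods: null only
            + struct.pack("!H", len(exts)) + exts)
    hs = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_RECORD_HANDSHAKE]) + struct.pack("!HH", 0x0301, len(hs)) + hs


def parse_client_hello(data: bytes) -> dict:
    """Extract the handshake metadata readable without decrypting the session."""
    if len(data) < 5 or data[0] != TLS_RECORD_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    client_version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                                     # skip client random
    sid_len = body[pos]
    pos += 1 + sid_len                                # skip session id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(pos, pos + suites_len, 2)]
    pos += suites_len
    comp_len = body[pos]
    pos += 1 + comp_len                               # skip compression methods
    info = {"client_version": client_version, "cipher_suites": suites,
            "sni": None, "supported_versions": []}
    if pos + 2 > len(body):
        return info                                   # legacy hello without extensions
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == EXT_SERVER_NAME and len(edata) >= 5:
            # server_name_list: 2-byte list length, 1-byte name type, 2-byte name length, name
            name_len = struct.unpack("!H", edata[3:5])[0]
            info["sni"] = edata[5:5 + name_len].decode("ascii", "replace")
        elif etype == EXT_SUPPORTED_VERSIONS and len(edata) >= 1:
            n = edata[0]
            info["supported_versions"] = [struct.unpack("!H", edata[i:i + 2])[0]
                                          for i in range(1, 1 + n, 2)]
    return info


def requires_full_decryption(info: dict) -> bool:
    """True when the client offers TLS 1.3: the server certificate is then sent
    encrypted, so a firewall that only watches the handshake passively cannot
    apply certificate-based policy and must actively decrypt to inspect."""
    return TLS13 in info["supported_versions"]


if __name__ == "__main__":
    # Constructed sample: hypothetical host, TLS 1.3 + 1.2 offered, two common suites.
    sample = build_client_hello("example.com", [TLS13, 0x0303], [0x1301, 0xC02F])
    seen = parse_client_hello(sample)
    print("visible without decryption:", seen)
    print("full inspection needed for certificate visibility:", requires_full_decryption(seen))
```

The parser deliberately reads nothing beyond the ClientHello: everything it returns (SNI, suites, versions) is what a passive device can log or filter on. Anything further, such as the certificate or the HTTP request inside, is exactly the content the article says stays hidden unless the firewall terminates and re-establishes the TLS session.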
In an independent Sophos survey of 3,100 IT managers in 12 countries, 82% of respondents agreed that TLS inspection was necessary. Yet only 3.5% of organisations said they were decrypting their traffic to properly inspect it.

Bruce Kneece, CTO of Convergent Information Security Solutions, said Sophos XG Firewall would enable the Columbia, S.C.-based organisation to provide better, faster customer protection, detection and service. He said: “At Convergent Information Security Solutions, we are engaged in the management and monitoring of both perimeter and internal cybersecurity for our customers, and until now we were somewhat limited in our ability to monitor SSL/TLS encrypted data streams. Sophos XG Firewall helps us solve this problem efficiently and affordably with the new accelerated DPI engine in the latest version. This, combined with new automatically-managed custom IPS rule sets, gives us much more visibility into encrypted traffic going through the network than we ever had before. This feature will immensely improve our customers’ security and we consider this to be critical, based on how broadly cybercriminals are capitalising on TLS encryption to cover up and carry out their attacks.”

Sophos XG Firewall is available in the cloud-based Sophos Central platform alongside Sophos’ entire portfolio of next-generation cybersecurity solutions. Sophos’ Synchronized Security approach empowers these solutions to work together for real-time information sharing and threat response.

www.sophos.com

...continued

system (physical or virtual) to receive and open these documents – a process change. Another is to deploy sandboxing to your email gateway to prevent maldocs arriving in the inbox in the first place – a technological change. In the case of business email compromise (BEC), a simple phone call – a process change – can be the difference between catching a scammer and going out of business.

Part of prevention is to reduce your attack surface area.
This means reducing the number of exposed services (e.g. Remote Desktop), unprotected or unpatched systems and applications, and weak authentication (e.g. simple passwords, no multi-factor authentication). Many organisations get attacked by ransomware groups because they fall short in one or more of these areas and are vulnerable. Think of it as a criminal pentest. If you make it harder for the criminals, they will often move on to the next target.

After prevention comes detection and remediation. These two go together, as you will want to remediate any threat you discover lurking in your network. Endpoint Detection and Response (EDR) products simplify the task of hunting for existing threats and either advise you on how to clean up the threat or proactively remediate it for you. Tools like EDR, however, are part of a more mature security organisation’s toolbox. If you haven’t addressed prevention, then EDR by itself won’t be nearly as effective. If you don’t have the in-house capabilities for managing an EDR system, there are managed EDR services (e.g. Sophos MTR) that can do it for you.

So far, I’ve focused on the endpoint, but you will want to ensure your network is protected as well. Many endpoint protection technologies are also implemented in next-gen firewalls, in addition to bespoke network protections. Better yet, if you integrate your network protection with your endpoint protection (e.g. with Sophos Synchronized Security), you will be able to prevent, detect and remediate threats no matter where they occur in your environment.

This advice is by no means exhaustive, as I haven’t touched on things like DevOps, creating a security culture or supply chain integrity. Think of this as a journey and not a destination. You will continually need to test your defences and make adjustments along the way, both technological and process-based. If you don’t, criminals will do it for you and you won’t get a friendly report when they’re done.
