Synchronising security devices for faster protection
Sophos’ Managing Director for ASEAN and Korea, Sumit Bansal, has observed that the challenge for the cybersecurity industry today lies in the fact that there are over 400,000 new malware variants recorded every day. These are just the ones that are recorded, and this does not yet take into account the many more which have slipped in, or are slipping in, under the radar.
Sumit attributed this to signature-based protection technologies, which can only do so much. “We need much more than that,” he said, adding that artificial intelligence (AI) techniques such as deep learning are helping cybersecurity solutions and practitioners do much more than in the past.
“Deep learning, a subset of machine learning, is more like algorithms that mimic the brain. You can train security engines with samples of data and simple ‘yes’ or ‘no’ answers,” he said.
With Sophos’ own AI-based solution, bad files and bad URLs are fed into an engine which is then trained to recognise what is good or bad. “Over time it becomes more efficient and we can compress the data down,” he described.
Sumit claimed that this has reached the point where the engine has the highest accuracy with the lowest false positives when it comes to detecting bad code.
Deep learning’s average rate of one false positive in 10,000 samples, compared to machine learning’s typical one false positive in 100 samples, translates to quicker decision making, quicker detection and faster prevention.
The magic happens when it gets to the point of being predictive.
“You don’t have to train the engine anymore. It can stop and will detect as yet unseen threats,” Sumit said.
Artificial intelligence is the basis of predictive technology, and it is the basis of Sophos’ Intercept X, an endpoint protection software that recognises attack techniques. It comprises anti-ransomware, root cause analysis (RCA) and even a malware cleaning solution.
Sophos also recognises that there are many vectors via which a threat may infiltrate a network, and put this realisation to good use when crafting a solution that addresses the phases of a cyberattack.
“The first phase is the delivery phase whereby hackers use exploits or known technologies to deliver malware payloads to devices.
“And we know there are 24 known techniques that hackers use.” Sophos’ solutions would be able to detect a combination of these techniques used during an attack as well.
There is a single pane of glass to manage protection for mobile devices, servers, firewalls and even WiFi devices, including email, Web and encryption. This cloud-based management console is called Sophos Central and it comes as an OPEX monthly expenditure that is able to scale with the business.
Sumit described, “We put three dimensions on it – total management of all of your devices and protection technologies; you can do deployment, management, and get feeds about the latest threats.
“The second dimension is about making Sophos Central available for partners who want to provide managed services. Partners can let customers manage their security or manage it on their behalf in a multi-tenant model.”
The third dimension of course, is self-service.
Another feature of Sophos’ solutions is Synchronised Security, which addresses the problem of security devices not ‘talking’ to each other. For example, if an organisation is infected with ransomware and its firewall knows the IP address of the command and control (C&C) server, it could potentially stop Internet traffic from leaving the organisation.
In this instance, a firewall would know what kind of traffic was traversing the network and the IP of the device that was transmitting back to the C&C.
Sumit explained, “With Synchronised Security, firewalls and endpoints share threat intelligence and establish a connection called Security Heartbeat. It tells you the health of the system, and during a ransomware attack, a Sophos firewall can ‘interrogate’ the endpoint about its user and apps used.”
When the health of the network is established, the next steps can be determined – if further investigation and clean-up is required, the device would be quarantined.
Sumit said, “This is expanded to more devices now; it is built into the product and does not require extra software.”
The automation this feature provides is extremely useful for SMEs that just want to fix a problem and move on.
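The Synchronised Security idea described above, as an added illustration that is not Sophos code: correlate firewall connection logs against a known C&C address with each endpoint’s heartbeat health, and quarantine only where the endpoint itself reports compromise. The log lines, host addresses, heartbeat states and the C&C indicator are all constructed placeholders.

```python
"""Added example (not Sophos code): correlating firewall logs with endpoint
heartbeat health to decide whether to quarantine a host."""
import re
from dataclasses import dataclass

# Constructed firewall log lines (placeholder addresses): src host, dst IP:port.
FIREWALL_LOG = """\
2024-01-01T10:00:01 src=10.0.0.12 dst=198.51.100.7:443 action=allow
2024-01-01T10:00:02 src=10.0.0.15 dst=203.0.113.50:80 action=allow
2024-01-01T10:00:05 src=10.0.0.12 dst=203.0.113.50:443 action=allow
2024-01-01T10:00:09 src=10.0.0.20 dst=203.0.113.50:443 action=allow
"""
# Constructed indicator: a placeholder address standing in for the C&C server.
KNOWN_C2 = {"203.0.113.50"}

# Constructed heartbeat feed: health as reported by each endpoint's agent.
# "missing" means no agent has reported for that host.
HEARTBEAT = {"10.0.0.12": "red", "10.0.0.15": "green", "10.0.0.20": "missing"}

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>[\d.]+):\d+")


@dataclass
class Decision:
    host: str
    reason: str
    action: str  # "quarantine" or "investigate"


def correlate(log_text, c2_set, heartbeat):
    """Return one Decision per host that sent traffic to a C&C address.

    A red heartbeat confirms the endpoint's own view that it is compromised,
    so the host is quarantined outright. A green or missing heartbeat still
    gets flagged, but for investigation rather than automatic isolation,
    which limits the damage of a false-positive indicator."""
    decisions = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["dst"] not in c2_set:
            continue  # not a connection to a known C&C address
        src = m["src"]
        health = heartbeat.get(src, "missing")
        action = "quarantine" if health == "red" else "investigate"
        reason = f"traffic to C&C {m['dst']}, heartbeat={health}"
        decisions[src] = Decision(src, reason, action)
    return decisions


if __name__ == "__main__":
    for decision in correlate(FIREWALL_LOG, KNOWN_C2, HEARTBEAT).values():
        print(decision)
```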