The Gately Report: Sophos Helping MSP Partners Better Secure Themselves, Customers
Plus, a new malicious campaign exploits ChatGPT popularity.
Channel Futures: Sophos is the top-ranked and sole leader in the Omdia Universe Report for XDR. How are partners benefitting from Sophos XDR?
Sophos’ Scott Barlow: We have basically three endpoint products that a partner or a customer can deploy. It starts with Intercept X Advanced, which is the next-generation endpoint protection. And then on top of that, we have XDR, which will have the telemetry that gets integrated into our data lake so that a customer or a partner, or an MSP, can actually run threat hunts and queries on their own right from Sophos Central through the partner dashboard or Sophos Central admin. And then on top of that is managed detection and response (MDR), which is a fully managed 24/7 service that’s delivered by our threat experts who really specialize in the detection and response to these cyberattacks that a lot of technology solutions alone can’t prevent.
CF: Last month, Sophos announced it is sharpening its focus on MDR. What will that mean for partners and are they going to see a shift in channel strategy?
SB: The focus on MDR and really cybersecurity as a service is so exciting. I think when you look at the cybersecurity landscape, it is too complex and too difficult, and it changes so fast to be effectively managed by really most organizations. Look at the complexity of environments, the complexity of security tools, and we all know the security challenge. The attacks are just incredibly sophisticated. When we launched XDR, that was nice for the more mature MSP or MSSP that they can go in and do the active threat hunting. A lot of times the challenge there is 24/7. It’s really hard to also find and retain those cybersecurity experts. So from an MDR perspective, a lot of our MSPs and partners in general have really embraced it. And I think the way that we differentiate is … we’ll look at something and if we see something, we’ll let you know, and then you go and fix it. The hands on keyboard really are designed to help the MSP go and do the remediation.
And we have three different layers we can notify if you as a partner want to go and do the remediation. We can collaborate together and we’ll work on remediation together. So when an MSP is actually looking at an MDR solution … they really just need to make sure that it’s compatible with their environment. If you have identity tools or SaaS applications in the cloud, or maybe not a Sophos firewall, you need to make sure the MDR vendor can actually ingest the telemetry. So that’s one of the things that we recently launched, the ability to ingest third-party vendor telemetry. That’s going to help with event correlation so that you can respond or we can respond in a much more comprehensive fashion. You also need to make sure that it’s compatible with your needs. I don’t think a lot of MSPs realize that they need full incident response and assistance, or do you need full incident response or just assistance. If you just need assistance, you can find 100 vendors out there. If you need the full-scale incident response, there are only a couple of vendors that do that. And then on top of that, we just launched the ability to provide an up to $1 million warranty for both MSPs and for customers. That’s just a massive differentiator. And then lastly, is it compatible with their business? Do they need just XDR? And then we have the open APIs that they can ingest that telemetry into their own data lake, or do they want us to do it for them? And does it integrate into their professional services automation (PSA) and remote monitoring and management (RMM) tools to help with automated billing and ticketing, and all of that type of stuff.
CF: How can Sophos help MSPs and other partners that are being impacted by economic uncertainty?
SB: I think the economic uncertainty ties directly into the cybersecurity talent shortage. So a lot of these MSPs are doing security or they have a security service that they’re offering to their customers. And a lot of times, if you’re trying to launch your own SOC, that could be a two-year endeavor with millions of dollars and a tremendous amount of resources. We can obviously help by taking that burden off of the MSP. [What I hear] from MSPs is that MDR allows them to sleep at night because they know somebody is paying attention to active threats and across all of their customers.
We also do a lot of education and training on how to sell cybersecurity as a service. When you look at the economics behind it, there are a lot of organizations out there that are looking at co-managed IT. And I guarantee you in 90% of the cases, the MSP can deliver RMM, backup and disaster recovery, and security for cheaper than a full-time employee with the tools all embedded for the cost of what that employee would cost. I think there’s a lot of education that we do with MSPs as well on how to grow their business, but also how to stabilize it from a security perspective.
CF: Does the fact that organizations can’t cut back on security regardless of economic conditions benefit Sophos and its partners?
SB: The threat actors are not going to go away, and ransomware and all the different threats that are out there are not going away. And I think what a lot of MSPs specifically are doing is looking for ways to optimize and run their business. And you might have a lot of these capabilities that can extend beyond what a customer is looking at. You might say, “I need to now buy a new VPN and I have to buy a new server.” Well, these MSPs can educate these customers and say, “No, let’s maybe lift and shift your workloads into the public cloud. We’ll save you money there. Let’s outsource the MDR to Sophos. Let’s leverage ZTNA.” Now you’re securing your users obviously with the remote workforce. So there are a lot of different ways that I think MSPs can help customers pivot to save money. And honestly, as the MSP, you should have a seat at the table. I think as you become more of a virtual CISO, you have a seat at the table, you have a seat in the boardroom, and now you can help advise on what the budget should be for IT next year. So that’s where MSPs over the last couple of years have gone, and just maturing that thought process, but also helping automate a lot of the challenges to help them save money.
CF: What’s the latest with Sophos’ partner program? Are we going to be seeing any expansion or enhancement in the coming months?
SB: On the MSP side, I have a team globally that are out there recruiting net new MSPs, educating them, and helping to do onboarding and enablement. So every month we see acceleration in the number of MSPs we work with on a global scale, and each region is still growing really nicely. I think over the next few months we’re going to be looking at another momentum release with some numbers.
CF: What’s fueling the MSP recruitment surge?
SB: I think it’s cybersecurity in general, but more importantly, the products and services that we’re releasing. We’re listening to our partners; we’re listening to our customers. The MSPs that we work with today and the MSPs that we’re recruiting [say], “Oh, I didn’t even think I needed that.” And we have it. Little things like no longer wanting to run your own SOC and you’re looking for someplace to put it. I think also the adaptive cybersecurity ecosystem is really resonating where you don’t have to manage eight to 10 security vendors for security. We have everything tightly integrated into Sophos Central, from MDR to network detection and response (NDR), ZTNA, switches, firewalls, wireless access points, and then mobile and email, and server protection, and cloud protection. A lot of the education and the webinars that we do for MSPs are really how to work in these disparate environments.
So I think they’re seeing the needs of the customers and we’re paying attention, obviously, to the customer needs. And as the customer needs change, we are quick to change, adapt and pivot to deliver security. But more importantly, we’re building that framework where an MSP can log into what we call the Sophos Central partner dashboard, and they see everything. They see all their customers, the licenses they’re using and the integrations that they have across the board. And because we invest in the partner community and the MSP community, I think they really appreciate that. And we have a community of MSPs that are staunch advocates.
CF: What do you think will be most challenging and worrisome about the threat landscape in 2023?
SB: I don’t think it’s going to change. I think all of the concerns that we’ve had since day one are going to be the concerns moving forward. Nation-state attacks, ransomware and all of these gangs that are out there spinning up new threat vectors, it’s a big challenge. And honestly, I think the mentality that it can’t happen to me is gone for the most part, but it’s still out there. We still hear that every now and again. The funniest thing for me from an MSP standpoint is, “Why do I need all these products? I haven’t had a threat or hit.” Well, you haven’t had a threat or a ransomware attack because of the solutions. So the MSPs continue to sell the value that they’re providing day in and day out to their customers.
CF: What’s the latest feedback from partners in terms of their needs, challenges, etc.?
SB: I think it’s all about simplification. What we try to do is all about simplification and then outcomes. What we want to do is deliver superior outcomes. You can put a stack of 10 security layers in place and then that one user clicks on a link, and now you’re dealing with a ransomware attack or something. MSPs just in general need to also adapt to what their customers are looking for. So when we work with an MSP, they could come in saying, “I just need email,” and then all of a sudden the customer says, “I need ZTNA.” And now we’re obviously tightly integrated with our next-gen endpoint product, which is Intercept X. You can connect those end users with individual applications or data without exposing more data. I wouldn’t say that insider threats are increasing; I don’t know that. But it helps protect the intellectual property in a customer’s environment by leveraging some of these more unique tools.
CF: What do you hope to accomplish in 2023 in terms of Sophos’ channel?
SB: There are pretty high-level goals, but I think that we need to continue to simplify and automate the delivery of security services and the delivery of outcomes to MSPs and their customers. And then we need to continue to be staunch advocates for the MSP community, be the voices for the MSP community. We see a lot of vendors looking at potentially going direct and pivoting… I think as we move forward, having that channel focus is incredibly important, really advocating on behalf of MSPs to make sure that we have the integrations in place with the vendors that they use that will help them increase their revenue. It will help them lower their costs internally, and then it will help them improve their operational efficiency.
In other cybersecurity news this week …
Kaspersky experts have uncovered a malicious campaign exploiting the growing popularity of ChatGPT.
Fraudsters create groups on social networks that convincingly mimic, if not official OpenAI accounts, then at least communities of enthusiasts. These groups publish equally persuasive posts touting ChatGPT’s popularity. At the bottom of the post is a link for supposedly downloading a ChatGPT desktop client. To entice users, it offers $50 that can be spent on using the chatbot.
When the link is clicked, what gets installed is not a ChatGPT client but a stealer trojan that harvests usernames and passwords, including account credentials stored in Chrome, Edge, Firefox and other browsers.
“For starters, note that there’s no official desktop, mobile, or other client for ChatGPT, only the web version,” Kaspersky said. “Amusingly, the chatbot itself makes this very point when asked to write a blog post about this scam campaign.”
Patrick Harr is CEO of SlashNext.
“This is the latest flavor of a Trojan stealer, which is cleverly used to take advantage of users interested in popular events or social culture by offering access for free to streaming, private VPNs or PDF editors,” he said. “The exploit is not using ChatGPT to create the threat, but using its popularity as bait to install a desktop client. Employees are vulnerable to these types of scams because they are potentially offering an easier way to complete job tasks. It is a silent and highly evasive threat because, once installed, it can view and collect all kinds of data, including credentials and other company information. Organizations must have browser security that utilizes computer vision and virtual browsers to detect and block these exploits in real time.”
Mike Parkin is senior technical engineer at Vulcan Cyber. He said employees are vulnerable and these attacks are effective. Current events are a popular hook for phishing attacks since they are timely and more likely to get a target’s attention.
“So, how could attackers leverage information stolen from victims to hurt their employers?” he said. “It depends on what data is stolen from the victims, but the damage could range from trivial to catastrophic. In many cases, the actual target is user credentials, which the attacker will use to extend their foothold in the target environment. User education is vital. It cannot be overemphasized.”
Cyren, an Israel-based provider of integrated threat detection and intelligence solutions, is ceasing operations and filing for bankruptcy.
The business is shutting down due to challenges associated with obtaining additional capital and its inability to find a buyer for the company. Cyren’s board of directors approved a plan to cease operations and commence insolvency proceedings for the company, and to liquidate its wholly owned subsidiaries under applicable insolvency and other laws.
In response to its planned liquidation, Cyren received written notice from Nasdaq that it plans to delist the company’s stock. The company doesn’t plan to appeal Nasdaq’s determination. Trading will be suspended at the opening of business on March 3.
Cyren had already announced it was reducing its workforce by 121 employees. In addition, the company is selling its Iceland-based assets associated with its anti-malware business, including products, technology and related IP, to Opin Kerfi (OK). The purchase price was not disclosed.
The Cyren GoCloud Program helped partners sell Cyren Inbox Security for Microsoft 365.
We reached out to Cyren to find out how partners will be immediately impacted by the company shutting down. It didn’t respond to requests for comment.
Dole, one of the world’s largest producers and distributors of fruits and vegetables, was recently hit with a ransomware attack that crippled some operations.
According to CNN, the attack temporarily shut down production plants in North America and halted food shipments to grocery stores. Dole has about 250 facilities globally, including approximately five salad manufacturing plants, 12 cold storage facilities, 75 packing houses and 162 distribution and manufacturing facilities.
The company identified the attack as ransomware.
“Upon learning of this incident, Dole moved quickly to contain the threat and engaged leading third-party cybersecurity experts, who have been working in partnership with Dole’s internal teams to remediate the issue and secure systems,” the company said. “The company has notified law enforcement about the incident and is cooperating with their investigation. While continuing to investigate the scope of the incident, the impact to Dole operations has been limited.”
Dole provided no further details about the attack.
Morten Gammelgaard is EMEA co-founder of BullWall.
“When ransomware attacks force giant food processing operators like Dole to shut down production, the effects can ripple through the entire economy,” he said. “Threat actors have significantly accelerated their deployment of ransomware, from an average of 60 days per attack in 2019 to less than four days in 2021, according to a recent IBM report. Even for large multinational companies such as Dole, staying on top of network vulnerabilities and updating prevention-based security constantly is very difficult. You will be breached and you’d best be prepared.”
This attack highlights how the just-in-time nature of food supply chains makes them particularly vulnerable to financially motivated cyberattacks like ransomware, Gammelgaard said.
“As production and distribution are tightly coordinated to minimize waste and cost, any disruption caused by a cyberattack can have a ripple effect throughout the supply chain, leading to shortages and inevitable price increases,” he said. “Should ransomware slip through any of the multitude of potential weaknesses in small and large environments, it is very important to have ransomware containment in place (not the same as ransomware prevention). It acts as a last line of defense against active attacks, i.e. when encryption starts to corrupt your data as a fully automated response. It has saved many well-prepared organizations millions of dollars.”
NCC Group’s latest monthly report shows ransomware attacks slowed in January, though it was still the most active January for attacks in three years.
Ransomware attacks fell 38% from December, with 165 attacks. However, attacks totaled 120 in January of 2022 and 127 in January 2021. This is an indication of the growing prevalence of ransomware attacks generally as the threat landscape continues to evolve.
Other notable findings include:

- LockBit 3.0 remains the most active threat actor with 50 attacks (30%).
- The academic sector overtook technology and government for the first time in 12 months. It was the third-most-targeted industry during the month, representing 11% of ransomware attacks.
- Cyber gang Vice Society, believed to be a Russian ransomware-as-a-service (RaaS) group, was the second-most prevalent threat actor.
Dylan Gray is threat intelligence consultant at NCC Group.
“Most surprising is the escalation of attacks targeting the academic sector, notably, rising above technology,” he said. “It is too early to definitively state if this is a one-off occurrence or the start of a new trend. However, it is possible that the increase in Vice Society activity against the academic sector, contrasting with the overall decreasing trend in ransomware numbers in January, could be a driving factor. As the year continues and ransomware numbers tick up to their regular levels, it will be enlightening whether the academic sector remains one of the most highly targeted, or whether the technology sector will return to previous levels from its expected and seasonal slump.”
It’s difficult to make predictions about the months ahead based on one month’s data, Gray said.
“However, when we look at previous January reports, a picture of increasing ransomware activity starts to emerge,” he said. “The reduction in attacks between December 2022 and January 2023 was ever so slightly larger than the reduction between December 2021 and January 2022, and yet despite the bigger decrease in activity, January 2023 observed the highest number of ransomware attacks for the month for at least the last three years.”
LockBit 3.0 is likely to continue being the most prominent ransomware group globally, barring any significant law enforcement operations, Gray said. Vice Society may continue to rise in prominence, though it won’t be possible for a few months yet to determine if their climb in the ranks of most active ransomware group in January is anything more than a blip due to the specific circumstances of the expected seasonal decrease in activity from other actors.
“We may also see Europe witness an increase of attacks it observes as a proportion of overall attacks, as was the case in January,” he said. “Were this to be the case, it is likely it would be linked to the ongoing war in Ukraine, with spikes in activity levels in general, or for specific targets, aligned with the conflict i.e. pro-Russian cyber campaigns to support campaigns of troops on the ground, or as retaliation for Ukrainian advances on the ground or Ukrainian cyber campaigns like the recent defacement campaign of CH01 to commemorate the one-year anniversary of the invasion.”
Sophos is giving more to MSP partners in 2023 to help them battle cybercrime, including its new Zero Trust Network Access (ZTNA) and breach warranty protection up to $1 million.
That’s according to Scott Barlow, Sophos’ vice president of global MSP and cloud alliances.
Sophos ZTNA is cloud-delivered and cloud-managed, and integrated into Sophos Central, the company’s cybersecurity cloud management and reporting platform. It was made available to MSPs on Feb. 1.
Breach Warranty Protection a First for Sophos
“The Sophos breach warranty protection is something that is incredibly unique; it’s really the first,” Barlow said. “It’s a first for Sophos. It covers up to $1 million in response expenses for organizations protected by Sophos MDR Complete. And so that’s a pretty significant differentiation. So you add warranty, incident response, full detection, full protection detection and response, and make it available on a monthly subscription to MSPs based on usage, and I don’t know how you can go wrong with that.”
Also this month, Sophos announced the expansion of its next-generation firewall portfolio with two new high-end, enterprise-grade XGS Series appliances. The new XGS 7500 and 8500 models provide performance and protection for large enterprise and campus deployments, broadening market opportunities for channel partners that serve them.
Next-Generation Firewall Portfolio to Benefit Sophos MSP Partners
“They’re really designed for larger campus environments and larger customers,” Barlow said. “The devices are really purpose-built for networks supporting tens of thousands of end users. So when we look at the partners, we have partners that run the gamut in terms of the size of customer that they work with. So this is going to enable them to actually move up markets so now they can cover all of the customers from SMB up to higher-end enterprise customers. And they really provide best-in-class, price per protected megabit per second. That’s one of the metrics that is tracked. And it’s roughly 50% faster throughput than the industry averages in their class.”
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.