Sophos Roadshow 2018 – See the Future

Yesterday (07.03.2018) we attended the Sophos Roadshow 2018 in Dübendorf, Switzerland, and in this article we’re summarizing everything you need to know. In line with the slogan “Ready For Take Off”, the event took place at the Air Force Center Zurich – a very cool venue. Here are a few impressions:

Sophos Roadshow 2018 in Dübendorf

Ready For Take Off

After the welcome session, we were treated to a few horror stories of the kind you rarely read about in the press, simply because no company is eager to publicly admit that something like this happened to them. A security forensics specialist walked us through several attack scenarios that had actually taken place. Ransomware was, of course, a major topic, but so were targeted attacks. What struck us most was how much damage could be done with very little effort, while at the same time attackers are also willing to invest an incredible amount of time and preparation into highly targeted operations.

After that very insightful session, Sophos gave an outlook on the roadmap. To put it diplomatically, it felt as if last year’s roadmap had been rolled out once more. Or, to put it another way, promises from 2016 and 2017 are now finally meant to be delivered in 2018. 😅

Toward the end of the day, just like at last year’s Partner Conference in Lisbon, the focus shifted almost entirely to XG Firewall, Intercept X with Deep Learning, Central, and Synchronized Security.

New Sophos access points

The new access points that were originally supposed to arrive last year are now expected in Q3. The upcoming models will be called APX 320, APX 530, and APX 740, and they will support the new Wave 2 standard.

  • APX 320 - 2x2:2 802.11ac (867 Mbps + 300 Mbps), quad-core 717 MHz, dual 5 GHz mode increases max. speed up to 1.7 Gbps (twice the performance of the AP 55)
  • APX 530 - 3x3:3 802.11ac (1.3 Gbps + 450 Mbps), max. speed up to 2.6 Gbps @ 160 MHz (twice the performance of the AP 100)
  • APX 740 - 4x4:4 802.11ac (1.7 Gbps + 450 Mbps), max. speed up to 3.6 Gbps @ 160 MHz (three times the performance of the AP 100)

Info: Wave 2 delivers higher data rates and, instead of communicating with only one client at a time, can talk to four different clients simultaneously (MU-MIMO). It also offers wider channels and supports a higher number of clients.

Wave 1 vs. Wave 2

  • Channel width: 20, 40, 80 MHz → 20, 40, 80, 160 MHz
  • Number of streams: 3 → 4
  • MIMO: Single-User → Multi-User
  • Throughput: 1.3 Gbit/s → 3.6 Gbit/s

Sophos Firewall roadmap

XG v17.1

XG v17.1 is expected to arrive by April at the latest.

  • Synchronized Application Control (SAC) - various improvements and broader software recognition.
  • CASB Visibility - even deeper insight into shadow IT.
  • Email Protection - blacklist / whitelist on a per-user basis.
  • Migration tool from SG to XG (sounds great, but unfortunately it is not there “yet”. A lot still does not carry over.)
  • Support for the new hardware models XG85 – XG135 Rev. 3

XG v17.2

  • Stonewalling – if an endpoint is infected, the firewall prevents other clients from communicating with it to stop the threat from spreading across the network.
  • Central Management & Reporting – cloud-based management and reporting for the firewall.
  • Email Protection – BATV/SPF/AD user verification: important features that will finally arrive on XG. The XG MTA will be completely replaced by the one from UTM.
  • Support for the new APX access points.
  • IPS TALOS classification.

XG v17.3

XG v17.3 is also scheduled for release later this year. Here is a small extract of the planned features; we’ll provide more detailed explanations closer to the release.

  • Lateral Movement Detection – leverage the firewall to detect lateral movement attempts from endpoints.
  • Device Discovery and IoT – device detection and identification using Deep Learning.
  • Email Protection – DKIM protection.
  • Air Gap Licensing Support – support for environments where internet access is limited for firewall licensing and synchronization.
  • Web & Firewall – support for classroom-wide URL overrides and automatic grouping of firewall rules.

UTM 9.6

  • IKEv2 site-to-site VPN support.
  • Sandstorm enhancements.
  • WAF Let’s Encrypt certificate support.
  • New RED firmware with 4G module support.
  • Email enhancements.
  • New ATP library.

Update 25 July 2018: IKEv2 has been removed from the roadmap.

UTM 9.7

  • Sophos Anti Spam Engine.
  • DMARC support.
  • Email spoof protection.
  • Email encryption enhancements.

Sophos Central roadmap

Sophos Central Admin

  • Two-factor authentication for the admin dashboard has been available for a few weeks already, but was presented again.
  • Tamper Protection Recovery – if a client is deleted from Sophos Central while Endpoint protection is still installed on the device, removing it afterwards used to be very time-consuming. Now, for at least 60 days, you can still view the tamper protection password for deleted devices.

Enterprise Dashboard

For larger customers, there is the Sophos Central Enterprise Dashboard. It lets you manage multiple Central accounts, for example for organisations that operate in several countries and need a local admin with their own Central account in each country. Another example would be a municipality with several schools. You can purchase a large number of licenses centrally, distribute them and reduce costs. For even better management, the following two features have already been announced:

  • Master Policy – create a policy once and roll it out across all accounts.
  • Improved notification management – individual admins can now be notified about defined events.

Sophos Central Email

  • Sophos Central Email will finally receive the “Sandstorm” feature that was originally expected in 2016. On top of that, “Deep Learning technology”, “Outbound Spam” and “virus scanning” are being added.
  • Support for multiple DKIM and DMARC policies.

Sophos Intercept X for Server

Intercept X for Server was also not released in 2017 as planned, but is now expected to arrive this year.

Mobile 8 roadmap

With the new version, Windows and macOS devices can now be managed as well. This is ideal for customers who, for example, don’t have Active Directory, have many field workers or a lot of BYOD devices.

  • Email, WLAN, certificate and password policies can be distributed centrally.
  • Applications from the Windows Store or MSI packages can be rolled out.
  • Computer compliance policies can be managed centrally.

Sophos Central Wireless

Synchronized Security is now also coming to Sophos Central Wireless. In practice this means that if a client is infected, it can be isolated so that other devices in the network are not affected.

Sophos Phish Threat

Up to now the product could be ordered, but it wasn’t available in German and was only visible to customers whose account had been created in the US data center. That has now changed, and you can test your users with perfectly crafted phishing emails and train them with regular campaigns. We’ll certainly take a closer look at Sophos Phish Threat, as we’ve grown quite fond of this product ourselves.

Sophos Central File Encryption

The product “File Encryption”, on the other hand, has caused some disappointment. Sophos Central File Encryption was supposed to be launched before 25 May 2018, i.e. before the EU’s General Data Protection Regulation came into force. The release has now been postponed to 2019.

Conclusion

Because we now work with Sophos practically 365 days a year, there weren’t really any announcements that completely surprised us. Even so, Sophos managed to present a few nice features that we didn’t necessarily have on our radar. All in all, it was once again a great event with good conversations and lots of information, which we’ve briefly summarized for you in this article.

If you have any questions, just get in touch. We’ll keep doing our best to keep you as up to date as possible.

Patrizio