Working in cyber security is a difficult endeavour – security teams often deal with a hodgepodge of security tools and streams of security alerts, contributing to fatigue and stress, which is further exacerbated by increasingly sophisticated cyber threats.
Kris Hagerman, CEO of Sophos, believes organisations shouldn’t even try to manage the problem on their own, given how complicated and difficult it can be. Just as organisations have embraced cloud infrastructure services and done away with operating their own datacentres, they should leave cyber security to the experts.
Indeed, more organisations are already doing that, with managed security services expected to account for almost half of Asia-Pacific’s cyber security market by 2023, according to IDC estimates. Sophos has been a beneficiary of that trend, growing its managed detection and response (MDR) business from zero to over $100m in the past three years.
In an exclusive interview with Computer Weekly, Hagerman explains why Sophos is bullish on cyber security as a service, how the company’s MDR service can support customers and partners with varying levels of cyber security expertise, and its commitment to openness, transparency and flexibility in designing its offerings.
Sophos has a broad portfolio and is pretty strong in endpoint security, but in recent years the company has focused a lot more on managed security services, particularly MDR. What is Sophos’s sweet spot in the crowded cyber security market?
Hagerman: Let me first start with a quick snapshot of Sophos as a company. Today, we’re one of the top 10 independent, pure-play cyber security vendors in the world. We are over $1bn in revenue and we continue to grow. We have over 530,000 customers around the world and over 4,500 employees. But I believe that despite our scale, we’re just getting started.
What we’re most excited about right now is around this whole concept of cyber security as a service. Our view is that today, cyber security is so complex, difficult and moving so fast that the vast majority of organisations around the world simply cannot manage it effectively on their own. And, in our view, they shouldn’t even try any more.
What they should be doing is identifying strategic partners to work with to help deliver cyber security as a service. If you think about it, when Amazon Web Services, Microsoft Azure and Google Cloud came to the forefront, a lot of organisations were running their own datacentres. But those companies found out that it’s expensive to run their own datacentre. It’s complicated and they have to hire dedicated experts for it. The space is changing all the time and very few of those organisations wanted to become world-class experts at running datacentres.
Instead, they rely on infrastructure as a service from public cloud providers and we think exactly the same thing is going to happen with cyber security. We also believe that support is right at the front of the innovation wave to help make that happen.
So, why is that happening to begin with? Well, it starts with the security landscape. First and foremost, cyber security is important and it’s the top priority for IT teams at organisations of every size. It’s a board-level requirement but it’s a really difficult problem. There are more sophisticated attacks, and they come faster.
Meanwhile, even if you adopt advanced products, there are just too many products that are too complicated. They produce too many alerts and they have too many siloed consoles. They’re hard to manage and deploy, and it’s hard to determine which alert is meaningful and which one isn’t. And if all of that wasn’t challenging enough, there is a global shortage of cyber security talent.
At this point, it’s clear that if you want to address the cyber security challenge, products alone just won’t do it. You need to combine world-class advanced products with comprehensive world-class threat intelligence, all managed by expert threat researchers and threat hunters at the top of their game.
Now, there are organisations like JPMorgan with many people who do cyber security all day long that are up for that challenge. And if you spend a billion dollars a year on cyber security, then you’re probably up for that challenge. But the vast majority of the other 30 to 50 million organisations in the world don’t look anything like JPMorgan. They face the same kinds of threats, but for all the reasons I mentioned, they don’t have the resources, budgets, staff, experience or the desire to be world-class security experts. And yet they face the same kinds of threats.
The result of all that is that they are just utterly overwhelmed and exhausted, which means they are poorly protected. That’s bad news for them and for society as a whole. The good news is that we have made some advances in key technologies over the last several years that now allow us to do something we’ve never even been able to do before, that is to deliver cyber security as a service at scale for any size organisation.
The enabling technologies are things like cloud computing, artificial intelligence and machine learning, threat intelligence and automation. All of these technologies, and several more, allow us to do something at scale where we can deliver a 24/7 security operations centre (SOC) to protect your company with better security outcomes and at a lower cost than if you were to do it on your own.
You also get immense flexibility. You can use Sophos tools, but if you want to bring your own technologies, we’ll work with those as well. We take the information from our own products and third-party products and put them into a single cloud-based data lake. We run data science and analytics against it, and we have an internal team of over 500 threat researchers and security operations professionals and data scientists.
We think that’s a game-changer, and just as you’ve seen with infrastructure as a service, our view is that all organisations will ultimately be consuming cyber security as a service in the next five to 10 years. We think that’s a massive new opportunity.
For the likes of JPMorgan that run their own SOCs, what sorts of additional support do they need from Sophos?
Hagerman: This is a very timely question because Gartner came out with a study recently where they surveyed enterprise IT organisations, of which 70% said they don’t have enough people in their SOC. And 50% of them said that even if they have the right number of people, they don’t have enough time to do their jobs properly.
One of the things about the Sophos MDR opportunity is that we believe it is relevant to any organisation in any industry, whether it’s a public sector organisation or a private sector company in manufacturing, finance, retail or healthcare. It’s also relevant to organisations of any size – whether it’s 10 people or 100,000 people – and with different levels of security expertise.
For example, some customers who don’t have a SOC and don’t want to be experts in security want to work with us as a strategic vendor to keep them protected and have their backs if anything bad happens. We then run the SOC on their behalf. If we ever identify an incident, then they give us the authority to go out and act on their behalf.
On the other end of the spectrum, there are more sophisticated companies that have a SOC and a dedicated security team. They want to make sure that the team is using their time effectively and not doing a lot of manual work, such as going through streams of alerts that aren’t important.
They want their teams to focus on things that matter and try to automate the more mundane and manual tasks. And so, they use the Sophos MDR service to notify them of threats and potential incidents, prioritise those based on the telemetry that we see across 500,000 customers and be able to make their security team better, more efficient and more effective.
In fact, we can even make them happier and improve their morale and motivation, because we can help them focus on things that are more interesting and really leverage their skills, as opposed to spending a lot of time dealing with rote administrative tasks.
Cyber security is highly contextual, with different companies having different operating environments and security postures, even for different parts of their organisations. How does Sophos grapple with all of that to make sure your customers are successful?
Hagerman: Well, of course, every situation is different. Part of a successful engagement is working with the customer to understand how they architected their IT and security environment and making sure that we’re adapting to the way they operate. But keep in mind that we have already established Sophos as a leader in the MDR space. We have over 12,000 customers in MDR today working with Sophos products.
The big new announcement we’ve made is we’ve now extended that to other vendors’ products as well, so that’s really the big advance here. But we believe we have more MDR customers than any other vendor in the world, and so we have a track record of knowing how to work with customers and adapt our approach in a way that’s flexible and meets the customer’s needs.
A big part of that is that we’re really committed to being one of the industry leaders when it comes to openness, transparency and flexibility. We have a rich set of open APIs [application programming interfaces]. When we do data science and artificial intelligence work, we publish that research so that the industry can benefit from it.
We are also one of the very few MDR vendors that publish our response times, which are industry-leading. We take a minute to investigate, 25 minutes to detect and then 12 minutes to respond. That’s a total of 38 minutes from incident to remediation. That compares with the industry average for a SOC team, which can be four to 30 hours.
Speed is everything when you’re considering a cyber security incident. If something happens, you want to make sure you operate very quickly to find it, isolate it, get rid of it, and then remediate before it can do damage.
How are you working with your partners then, given that some of them might be offering managed security services that leverage Sophos products as well?
Hagerman: That’s a great question. Just as we look to be flexible and adaptable to what a customer needs, the same thing is true with our partner community. What we tell our channel partners is that we’ve designed the Sophos MDR offerings to meet them where they are, no matter how big or small or sophisticated they are in security.
So, if you’re a Sophos partner and you don’t have a SOC, then we can be your SOC. You can take the Sophos MDR service, sell a 24/7 SOC to your customer and we will take care of the security. On the other hand, we have partners who are already security experts. They have their own SOC and sell their own branded managed security service. We can make their team more efficient and effective and improve their morale, because we can bring the benefits of massive amounts of telemetry coming from across our entire customer base, leveraging data science and advanced detection techniques at scale.
And we can bring all of those benefits to our partners, and we can deliver it all under their brand. So rather than being in the driver’s seat, we can be in the passenger’s seat, providing notifications, prioritising alerts, taking action and then providing the service under their own brand.
Could you give me a sense of how well the MDR business is doing vis-a-vis the rest of the business?
Hagerman: We introduced MDR about three years ago and it’s gone from zero to over $100m, growing at more than 40-50% year over year. We now have over 12,000 customers and we think that’s a larger customer base than any other security vendor that we’re aware of. It’s one of the largest and fastest-growing new offerings we’ve ever introduced.
Sophos is perceived in the industry as more of a mid-market player. Do you have any challenges in penetrating deeper into the largest enterprises?
Hagerman: Well, our view, as I mentioned, is that almost no matter what size an organisation is, they need help in security. So, we’re really excited about the opportunity for MDR and cyber security as a service and how flexible it is to add value for smaller organisations that may not have their own SOC. We can also add value for larger organisations that have their own SOC, which we can help to make better, faster and more effective. So anywhere along that spectrum, we think we have pretty substantial value to pitch in and help.