Interview with John Shier from Sophos about the cybersecurity landscape

Sophos logo

Occasionally the VPNoverview team conducts interviews with thought leaders in the cybersecurity industry. Recently, we had the pleasure of talking to John Shier, senior security advisor at Sophos. We discussed the current state of the cybersecurity landscape and what developments Sophos has been focusing on.

Some background on Sophos

John Shier Sophos

John Shier, senior cybersecurity advisor at Sophos

Sophos is a company that does research on ‘all things security’. While Sophos initially focused mainly on providing cybersecurity services for medium to large-sized businesses, the company nowadays also provides cybersecurity solutions for consumers, although this is not the main point of focus. John Shier explains that within Sophos, there are different groups with various fields of expertise and responsibilities. For instance, Sophos Labs is focused largely on protection and threat intelligence. Additionally, Sophos has an AI team doing threat modeling. And there is a separate anti-exploit and anti-ransomware team within Sophos’ ranks. John oversees the developments in all these different departments and ensures that important findings are communicated and conveyed towards clients, partners, and media when required.

An integrated approach to cybersecurity; Sophos’ stance

We asked John what he feels about an integrated approach to cybersecurity, in the sense of having one single service provider for all cybersecurity needs. As the current reality is, that many consumers and companies rely on multiple entities for various cybersecurity solutions. To what extent are we moving to a scenario where consumers can turn to a single party for all their security needs, and is that something we should strive for?

John: “There is a historical view going back decades, that it’s all about finding the best of breed of anything. Finding the best VPN out there and buying that one, finding the best antivirus and buying that one, and finding the best firewall and buying that one. Then you get a situation where nothing works necessarily well together. Vendors have historically started pointing to each other for providing the solution. There has been no collaborative effort for troubleshooting problems that might arise.

Over time though, the general view has changed somewhat into a ‘category’ best of breed. We (Sophos) agrees with the fact that you should have a mix and match, but only where appropriate. Sophos for instance excels in endpoint network and cloud security and does that exceedingly well. Because we control all those pieces, you can see them in one console, they talk to each other, they provide context, and make security easier.”

Investing in the Sophos ecosystem leads to a heightened level of overall security. John states this is illustrated clearly when Sophos is called in for rapid response assignments when companies are being attacked. Sophos helps deter the attack, and also subsequently with figuring out how attackers ‘got in’ and how to prevent attacks from reoccurring in the future.

Threat detection: understanding the normal to identify the abnormal

John tells us about a new threat detection system Sophos is currently developing. A crucial component in threat detection is first gaining an understanding of what a ‘normal’ situation looks like when it comes to observing network activity.

“On a day to day basis, what are the access patterns, what are the data patterns, what are the network spikes, are there lows and highs at certain times? Once you know what a normal situation looks like, then you can apply some policies on top of that to constrain the activity to what is normal, and it becomes easier to see irregular patterns. If all of a sudden you see a 3 terabyte (TB) spike that starts coming from a server that doesn’t normally transfer data, and that 3 TB spike is well above and beyond what we normally transact, then that should be a clue something is going on.”

By completely mapping what is ‘normal’, it becomes far easier to automatically identify when abnormal activities, like a suspicious login or data transfer, are taking place.

What has been the effect of the Covid-19 pandemic on cybercrime?

John mentions some noteworthy trends. He makes a distinction between ‘scammers’ and ‘criminals’. Scammers are the ones that try to get money out of people, for instance by making people donate to a fake relief fund, or by acting as fake pharmacies selling viagra and similar meds. Already in April, over 1700 Covid related domains had been registered that could be classified as scam sites. Scammers started turning to pandemic related themes to scam people.

On the criminal side, the people behind the Trickbot banking trojan started focusing and localizing Italy in March, targetting the country with phishing campaigns, using Covid-19 as a lure. As the coronavirus was spreading and appearing in new geographic areas, the Covid-19 related Trickbot phishing messages followed and started showing up all over Europe.

John says that if history teaches us anything, it is that cybercriminals like most people are lazy by design. If a tactic is working, they are not going to bother giving it up. As long as we are dealing with the pandemic, criminals will keep using it as a lure. And while the specifics of that lure might change, the essence stays the same. A good example is when President Trump tested positive for Covid-19. Cybercriminals started sending phishing messages with supposed inside scoops of a doctor at Walter Reid Hospital on Donald Trump’s health status. This example illustrates that cybercriminals use what is currently in the media regarding the pandemic to lure people into their phishing trap. They abuse the need for people to consume information and to educate themselves about the pandemic, and the criminals abuse human curiosity.

John says we’ll probably start seeing the same thing happening with vaccines. “As certain vaccines are coming closer to actually being ready, we might start seeing phishing messages like ‘fill out this webform to be first in line for the Pfizer vaccine’ or emails with an attachment stating ‘the inside story of the Sanofi vaccine’.”

What current and upcoming developments within Sophos can we expect?

We asked John what current and future developments within the company he is most excited about. One of the developments within Sophos he mentioned is the ‘URL’ model that is being created. This is a model that helps assess whether a URL is malicious or suspicious, simply based on the string. By analyzing millions of URLs, Sophos will be able to predict whether a URL has a high chance of being malicious, purely based on the string.

Sophos is continuously developing and improving similar threat models which help make the working environment safer one step at a time. A model looking at command line input within a system is another good example. Analyzing what users type in at the command line, can provide a lot of information on user intent. Running a binary like outlook.exe, is nothing to worry about normally. However, commands like ‘SysInfo’ and ‘whoami’ are an indication that an unauthorized attacker has infiltrated the system and is exploring how to further breach security. These commands signal a cybercriminal engaged in ‘reconnaissance’ of the system. The models Sophos is working on are aimed at detecting these suspicious commands and stopping attackers in their tracks.

John concludes: “We’ve all been trained to do the right thing at work. We have got all the security bells and whistles at work. But security is really a lifestyle, a 24/7 thing. The good habits you pick up at work, make sure to apply those at home as well. If you think in terms of cybersecurity all the time, you are less likely to be a victim.”

To learn more about John Shier and his role at Sophos, have a look at the Sophos website:

Cybersecurity analyst
David is a cyber security analyst and one of the founders of Interested in the "digital identity" phenomenon, with special attention to the right to privacy and protection of personal data.