Thank you for your interest in this webinar!  

This webinar focused on Penetration Testing and the new offerings of the Advisory Services team. You can find additional resources, answers to questions, and a copy of the slide deck below.  

Webinar 

Webinar recording 

Webinar slide deck (can be found at the bottom of this page) 

Resources 

 

Questions & Answers 

Due to the number of questions we had, we were only able to provide a copy of the questions answered and the most frequently asked questions from the webinar.  

 

Q: How can we access the Sophos Advisory Tools? 

A: You can access the Sophos Advisory Tools directly in Sophos Central. At the top right of the page, select the graduation hat icon and then select Sophos Advisory Services from the drop-down. 

 

Q: What’s available with Sophos Advisory Tools? 

A: There are multiple tools and assessments you can use with the Sophos Advisory Tools. This includes an Incident Response Planner, Incident Classification, NIST Assessment, and NIS2 Directive Assessment.  

Q: What about continuous testing? Is this included with Penetration testing?  

A: So when it comes to the different types of testing, level one, we see a lot of continuous testing models, and they are good. They help you continually see what you're vulnerable to. What we see from the industry is that level one testing, those continuous testing models, is very similar to vulnerability scanning or vulnerability assessments, which are great. 

You have to understand what's vulnerable, but they don't show how it could be exploited and what could happen past that exploitation. That's where the penetration test, or level two testing, comes into play, where we talk about what can be done with this exploit and how far a threat actor could take that level of access past that exploit. 

Level one testing stops after that initial exploitation, and then it's hands off. Level two keeps going. 

 

Q: Will level two tests, such as Penetration Testing, cause issues with the network that could disrupt the business? 

A: We never say that there won't be any kind of interruptions. We don't want to guarantee that, but during the rules of engagement, when we scope the test right before it happens, we talk about what we can and cannot do.  

If there are critical servers, systems, or processes that cannot be touched, those are out of scope. Those are out of the rules of engagement, and those cannot be compromised in any way. What we do, and one of the parts I love about our testing model, is that more often than not you'll have a direct line to the tester that entire week. 

You're able to message the tester who's actually performing the work and talk to them about what they're doing, confirming the activities you're seeing. 

 

Q: Does Sophos have a solution for automated testing? How in-depth is it? 

A: This goes back to continuous testing and other level one types of tests. There's definitely automation in how we test; however, when it comes to real world threats, humans are still doing it. They are still performing it.  

They are leveraging tools like AI and other things to help speed up the work. We can absolutely replicate similar types of processes, but we do not offer automated continuous testing today.  

We prioritize level two, that in-depth, goal-based, human-led testing. We find the limitation of automated testing is that it's just too similar to a vulnerability scan. It's enough to know from a vulnerability scan that things can be exploited, but it's so much more valuable to show how much further a real tester or bad actor could go with that access. 

 

Q: What are the most commonly overlooked vulnerabilities discovered during internal versus external penetration tests?  

A: Some of the most commonly overlooked vulnerabilities depend on the organization we're testing. 

With that said, we often see multifactor authentication not enabled on VPN. So if anyone does not have MFA turned on for their VPN right now, please do so as soon as possible. It is one of the most common ways we see companies get breached, and it's very easy for us to test and find a way in if you don't have multifactor authentication on. 

As part of our process, we will look on the dark web for the organization we're testing to see if there are any recent breaches or leaked credentials. We have used credentials we found on the dark web in a test to gain access. 

On the internal side, to answer the second part of that question, we still see a lot of unpatched systems. We still see RDP open and available for anyone internally to use. If you don't use RDP, turn it off, and only allow the people or the tools that need it to have access to RDP within your networks. 
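The RDP advice above, as an added PowerShell example that is not from the webinar or from Sophos: it reports a Windows host's current RDP exposure, then either disables RDP outright or restricts the built-in Remote Desktop firewall rules to an allow-list and requires Network Level Authentication. The allow-list subnet is a constructed placeholder; run it as an administrator.

```powershell
# Added example: audit and restrict RDP on one Windows host.
# $AllowedRdpSources is a placeholder for your jump hosts or admin subnet.
param(
    [switch]$Disable,
    [string[]]$AllowedRdpSources = @('10.0.100.0/24')  # constructed placeholder
)

$tsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey  = "$tsKey\WinStations\RDP-Tcp"
$state   = Get-ItemProperty -Path $tsKey -Name fDenyTSConnections
$rules   = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
$general = Get-CimInstance -Namespace root/cimv2/TerminalServices `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

# 1. Report the current exposure before changing anything.
[PSCustomObject]@{
    RdpEnabled        = ($state.fDenyTSConnections -eq 0)
    FirewallRulesOpen = @($rules | Where-Object { $_.Enabled -eq 'True' }).Count
    NlaRequired       = ($general.UserAuthenticationRequired -eq 1)
    RdpUsers          = (Get-LocalGroupMember -Group 'Remote Desktop Users' `
                          -ErrorAction SilentlyContinue | ForEach-Object Name) -join ', '
} | Format-List

if ($Disable) {
    # 2a. Host does not need RDP: deny connections and close the firewall rules.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    $rules | Disable-NetFirewallRule
    Write-Host 'RDP disabled and Remote Desktop firewall rules turned off.'
}
else {
    # 2b. Host needs RDP: keep it, but only from allow-listed sources, with NLA.
    $rules | Set-NetFirewallRule -RemoteAddress $AllowedRdpSources
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1
    Write-Host "RDP restricted to: $($AllowedRdpSources -join ', ')"
}
```

Run with `-Disable` on hosts that have no business need for RDP; on the remaining hosts, keep the allow-list to the management addresses that actually need access.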

 

Q: How does a Sophos Penetration Test differentiate from a standard vulnerability scan? 

A: Our whole approach to testing isn't just to scan, find a vulnerability, exploit it, and say we did our job. Our approach to penetration testing is to have a goal that we're going to accomplish. 

So if the goal is to see how we can access a file system or critical infrastructure, we will leverage all potential methods to access that system or that file server with the goal you have set. 

We commonly will compile different vulnerabilities on top of each other to reach a higher level of exploitation. We will use logic flaws to really simulate and show how you're vulnerable today. Those are the kinds of things automated tools miss: they perform some automated type of exploitation, and then they stop. 

 

Q: When can we expect new tools and assessments to be available with Sophos Advisory Tools? 

A: There should be new tools available soon, although we don't have an exact date. 

 

Q: If we use Sophos products and services, such as MDR, will there be a conflict of interest if we purchase a Sophos Penetration test? 

A: So the easy answer is the testing team is a separate organization within Sophos that does not respond to the MDR team. There are some compliance requirements where the tester, the person actually performing the test, can't be the same person that maintains and manages the systems they're testing. We can absolutely accommodate that because the testing organization is not the NDR team. They are not the people who build the XDR tools or build the firewalls. 

We do a lot of internal testing to identify any potential vulnerabilities before they can be exploited. Our testers will absolutely test our own equipment. They will test your Sophos equipment. The most common thing we see when we are performing tests on Sophos equipment is misconfiguration. 

So it's a great reason to make sure you have everything configured as you should. Like I mentioned, no multifactor authentication on VPN is one of the most commonly missed gaps in security coverage that we see from an external perspective. And that's going to be the case whether you're on a Sophos firewall, SonicWall, Fortinet, or Palo Alto. 

It's the little things that often get us tripped up. 

 

Q: Are Sophos Advisory Services a one-time cost or is it multiple tests over a time-frame?  

A: It is a one-time cost and one-time service delivery. So you pay for the one test. If you're interested in quarterly testing, we can absolutely set that up. 

Sophos recently released our IMR, the Incident Management Retainer. Not only is it a retainer for incident response time and hours, but it has a system where you can put those unused hours towards other services like testing services. So the Sophos IMR is a great way to schedule those quarterly penetration tests. It's fantastic because you'll have those pre-negotiated rates and everything in there. 

The thing that no one likes about retainers is that if you don't use them, it often feels like a loss. But with our retainer model, you can put the cost of the retainer, the service units and the time that come with it, towards other services to make sure you get the full benefit of that retainer. 

 

Q: What’s the pricing for Penetration testing through Sophos Advisory Services?  

A: For information on pricing, please connect with your account manager at Sophos. If you don't know who that is, you can visit this link and leave your information.   

Pricing can be provided by our Account Manager.  

 

Q: How does penetration testing differ when targeting cloud infrastructure versus on prem systems? 

A: For the different types of tests, it depends on the tooling we will use. There's tooling that's better for internal tests, external tests, cloud assets, and infrastructure. 

We have over 60 dedicated full-time testers with a huge supporting team behind them, and our testers specialize in the different types of tests. We have testers who prioritize and specialize in wireless testing, internal and external testing, and we also have testers who prioritize cloud infrastructure because that's their background. 

Many of them worked, for example, in cloud infrastructure for ten or twenty years, and now they perform testing. If you leverage Azure, AWS, or GCP, they are great at finding potential vulnerabilities and potential exploits in those frameworks. 

 

Q: If you have the MDR services, are they able to assist in implementing the recommendations from a Penetration Test or Vulnerability Scan? 

A: Managed Detection & Response, or MDR, is our Security Operations Center.  

The MDR team specializes in identifying threats and neutralizing those threats while keeping you safe and secure. When it comes to the implementation of recommendations, that is out of scope for what the MDR team does. Situations where you need to patch a server or update a firewall would be the responsibility of the customer. 

If additional support is needed, we do have Sophos Professional Services that can absolutely help with some of the recommendations. 

 

Q: Can a company truly be hardened? I read about breaches every morning, including giant companies. 

A: I think for all of us that work in cybersecurity, we know that it is an evolving situation every single day. You may have patched your firewalls yesterday, but a newly identified vulnerability may come out tomorrow. All the work you did to patch and harden your systems yesterday may now need to be continually improved because there are new vulnerabilities. There are new changes to your infrastructure. 

Sometimes these changes are pushed out by the vendor, the manufacturer of the software or hardware you use, which is out of your control. That is where we commonly see the abuse of zero-day vulnerabilities, and a zero-day vulnerability means that it's day zero. It's the first time this vulnerability has been seen, and those are where we often see rampant compromise. 

Most organizations that are able to take the time to harden their systems, raise their shields, and keep themselves protected do well, but we need to continually be looking for the types of vulnerabilities that may pop up unexpectedly and harden against those as quickly as possible. 

It's difficult to say that a company can never truly be hardened. It is a continuous and daily process to harden your system and your environments. 

Penetration Test Webinar Slide Deck.pdf