
Does Sophos offer a Ransomware testing method?

I was recently working with KnowBe4 and realized that maybe Sophos offers a similar product.

Thought I would check.



This thread was automatically locked due to age.
  • After playing around with RanSim from KnowBe4 I would like to elaborate.  I would like to see an application or tool from Sophos that would let us test against a few known attacks, something that could show the reasoning for enabling various aspects in the Central settings, or to put it better, to make sure admins have things set up right and we are using the product to its full potential.  I only say this because I can get this same product from other companies; first I have to do research on the company to make sure they are not a hacker, and then I have their sales people hounding me to buy their product. Then, if the product shows a vulnerability, I have to make a case with Sophos to see if their product is reporting a false positive or if Sophos really missed something, which can be even harder due to Sophos not knowing their program and the other company not knowing Sophos.

    Uggghhh...........

    Respectfully,

    Badrobot

  • Hello badrobot,

    so you want a comparatively simple tool to verify functioning and settings, similar to EICAR or the Web Control test site, not the "effectiveness" (i.e. that it protects against all past, present and future variants of Flocker, Gransom, and Dr.Ill - I've made these up)? Just CryptoGuard, or other aspects of Intercept X as well?

    Christian

  • Hi Christian, 

    Well honestly, I think it would be nice to get a concept of being able to test Sophos configurations against known or latest attacks and/or best practices to help confirm things; think of many simple tools located in one place.  The key difference here would be the source: I can find many of these tools online for free, in trials, or paid for, but are they a reliable source?  Can I confidently say I am not giving away information that could in turn later be used against me?

    Don't get me wrong, I know there are vulnerability scanners that can do a lot of what I'm referring to: Rapid7, Tenable, etc.

    EICAR has been helpful in the past, but honestly I do not think it does anything more than test the scanning aspects. Although I will admit that even with that in mind it can be useful; however, it is so well known at this point that I do not think there is an AV product that would miss it or has not been developed with it in mind (not saying that is bad).

    A few other examples would be https://www.emailsecuritycheck.net/ which will send different test emails to help tighten up security there.

    https://haveibeenpwned.com/ which will allow you to monitor all emails within a domain to see if they have been involved in a data breach.

    https://scanmyserver.com will allow you to run hundreds of attacks against your web server weekly and then let you check a report.  SSL Labs will check the security of your encryption and/or certificates on your web page.

    https://community.spiceworks.com/tools/ip-lookup/ for checking IPs; AlienVault also has a known one. This one puzzles me, because you would think Sophos already has an archive of suspicious or malicious IPs.

    I really just think it would be a nice complement to their total solution package if Sophos offered something like all of the above from a central point, to help ensure what we have set up is as secure as we would like it to be. I know that Sophos is not a stop-all, but if certain configurations are present along with Sophos the overall security can also be greatly increased; a good example of this would be how SPF, DKIM and DMARC can complement email security along with Sophos, or how a WAF rule in an XG with proper certificates, server hardening and encryption can complement a web server.

    Really I am just throwing out a concept here to see what the community would come up with.  I think I will add it to Sophos Ideas just to see.

    Respectfully,

    Badrobot

  • Hello Badrobot,

    "I will add it to Sophos Ideas"
    I thought about it but in the end decided against mentioning it - albeit it would have advised against it. Ideas is IMO awfully neglected; it's neither moderated nor does it look like the product managers pay attention - if they do, they rarely give feedback.

    "[EICAR] is so well known"
    Its purpose is not to test a vendor's ability to come up with an effective scanner/definition/signature but to check 1) that the product is able to detect a "something" in various scenarios, 2) that it is configured as intended, and 3) that the components are actually working.
    You can test how "far" a known threat would get in your environment, whether exclusions (I'm not a fan of them) are correctly set up, or to some extent how an application reacts to an access denied. Indeed it's focused on but not restricted to pre-execution scanning. For example you could test whether a process is terminated that writes a threat to disk.

    Capability, effectiveness, and functioning are different aspects. What a product can do, how well it does it, and whether it does what it could do.

    A vendor should provide tests or tools (like the Sophostest Website for Web Security and Control) for the latter. Standardized means are IMO preferable though. Anyway I wouldn't trust a vendor's test tool for the other two aspects - not because of potential deliberate cheating but because a) the test might not test for features they have not (yet) implemented and b) potential oversights in both the products and consequently the test.
    It might not be feasible to perform tests at arbitrary times due to the potential impact on operation. Think of smoke detectors in the CC: it might be ok when the power is cut off when they trigger (so you can test your UPS at the same time), but you'll likely not want the room flooded with the extinguishing agent.

    For the "what" there should ideally be standards and standard testing methods devised by independent bodies. I fear this is not going to happen any time soon, and even if it does it might fall short of living up to expectations. Products will likely be developed with [the tests] in mind - and wasn't it software behind "dieselgate"?

    Finally the "how well". It's very hard to assess given that (whether from one vendor or several) you employ a couple of products that provide several layers of protection. It's not meaningful to just poke around somewhere in the middle. Say you test only the USB stick found in the parking lot. There will be a "common path" from some point onwards, but you not only have to test other intrusion points but every layer along the path. This is very complex, and even with the right tools in a complete tool box you won't be able to do it single-handedly.

    Having said this, it's perhaps more expedient to concentrate your attention to a greater extent on the "receiving end", the effect and aftermath of a successful penetration (and, in the case of e.g. CryptoGuard, a failed remediation). No protection is perfect, and anyway it's not necessarily an attack that causes a disruption. Ever heard of an inadvertently deleted SAN volume? It's not really different from the files on the volume held hostage by ransomware.

    Just my two cents,
    Christian 
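
Christian's description of what EICAR is good for (detecting a "something" in various scenarios, confirming exclusions and archive handling are configured as intended, and seeing whether the on-access components actually react to a threat written to disk) can be scripted. The following is an added example for this thread, not code from the original posts, from Sophos or from KnowBe4. It stages the standard 68-byte EICAR test string as a plain `.com` file, under a non-executable `.txt` extension, and inside nested zip archives, waits briefly, and then reports per scenario whether the file was blocked on write, removed, altered, left intact, or blocked on read. The scenario names, the nesting depths and the `settle_seconds` wait are my assumptions; which outcome is "correct" for each scenario depends on your own policy (for instance whether archive scanning and on-write blocking are enabled), so the script reports rather than judges.

```python
"""Stage the EICAR test string in several delivery scenarios and report how
far each one gets past on-access scanning.  Added example; not from the
thread, Sophos or KnowBe4.  Scenario names and depths are assumptions."""
import io
import tempfile
import time
import zipfile
from pathlib import Path

# The industry-agreed EICAR test pattern (68 ASCII bytes).  Raw string, so
# the single backslash is preserved exactly.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def eicar_bytes() -> bytes:
    """Return the test string as bytes; the standard defines it as 68 bytes."""
    data = EICAR.encode("ascii")
    if len(data) != 68:
        raise ValueError("EICAR string corrupted (expected 68 bytes)")
    return data


def nested_zip(payload: bytes, depth: int, inner_name: str = "eicar.com") -> bytes:
    """Wrap payload in `depth` nested zip archives (depth=0 returns it unchanged).
    Exercises the scanner's archive-depth setting."""
    data = payload
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(inner_name if level == 0 else f"level{level}.zip", data)
        data = buf.getvalue()
    return data


def unwrap_zip(data: bytes, depth: int) -> bytes:
    """Reverse nested_zip: peel `depth` archive layers and return the inner bytes."""
    for _ in range(depth):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            data = zf.read(zf.namelist()[0])
    return data


def scenarios() -> dict:
    """Scenario name -> (file name, content).  Names and depths are assumed."""
    raw = eicar_bytes()
    return {
        "plain_com": ("eicar.com", raw),
        "plain_txt": ("eicar.txt", raw),           # same bytes, harmless extension
        "zip_depth1": ("eicar.zip", nested_zip(raw, 1)),
        "zip_depth3": ("eicar3.zip", nested_zip(raw, 3)),  # deeper than many defaults
    }


def stage_and_check(target_dir, settle_seconds: float = 2.0) -> dict:
    """Write each scenario into target_dir, wait, then classify the outcome:
    blocked_on_write / removed / altered / blocked_on_read / intact."""
    target = Path(target_dir)
    target.mkdir(parents=True, exist_ok=True)
    written, results = {}, {}
    for name, (fname, content) in scenarios().items():
        path = target / fname
        try:
            path.write_bytes(content)
            written[name] = (path, content)
        except OSError:                      # on-write blocking (access denied)
            results[name] = "blocked_on_write"
    time.sleep(settle_seconds)               # give on-access scanning time to act
    for name, (path, content) in written.items():
        if not path.exists():
            results[name] = "removed"        # cleaned up / quarantined
            continue
        try:
            results[name] = "intact" if path.read_bytes() == content else "altered"
        except OSError:                      # on-read blocking
            results[name] = "blocked_on_read"
    return results


def run_in_tempdir(settle_seconds: float = 2.0) -> dict:
    """Convenience wrapper: run the check in a throwaway directory."""
    with tempfile.TemporaryDirectory(prefix="eicar-check-") as tmp:
        return stage_and_check(tmp, settle_seconds)


if __name__ == "__main__":
    for scenario, outcome in run_in_tempdir().items():
        print(f"{scenario:12s} {outcome}")
```

Run it on an endpoint with the product installed and compare the per-scenario outcome with what your policy says should happen; a `zip_depth3` that stays `intact` while `zip_depth1` is `removed`, for example, tells you where the archive-scanning depth is set, and a `plain_txt` that survives while `plain_com` is removed shows an extension-based exclusion at work. On a machine without on-access scanning every scenario comes back `intact`, which is itself the baseline the script is meant to distinguish from.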

  • Thanks for the thought-out response, you raise some good points, and thanks for the Sophostest Website link; I was not aware of it and have added it to my tools bookmark folder!

    Respectfully,

    Badrobot
