Sophos Buys Startup SOC.OS to Spot Attacker Activity SoonerSOC.OS Ingests Data From Third-Party Platforms to Detect Abnormalities Earlier
Sophos has purchased early-stage vendor SOC.OS to help customers detect abnormalities in their IT environment earlier by ingesting data from third-party platforms.
The Oxford, U.K.-based platform security vendor says its acquisition of London-based SOC.OS will allow customers to extract information sooner from non-Sophos firewalls, network proxies and endpoint security technology, according to Chief Technology and Product Officer Joe Levy. This will provide better protection to Sophos Managed Threat Response customers with heterogeneous IT security ecosystems, he says.
"You want to be able to detect the attacker activity as early as you possibly can," Levy tells Information Security Media Group. "It's great to have a safety net of course, but you don't want to rely on the safety net. You want the earliest warning that you could possibly get so that you can contain the kind of damage the attacker will be able to do if they've managed to make it into your environment."
Terms of the acquisition, which closed Thursday, weren't disclosed, and all 15 SOC.OS employees have joined Sophos, Levy says. SOC.OS was founded in 2020 and led by Dave Mareels, who developed the company within the internal incubator of BAE Systems alliance. Sophos, meanwhile, was purchased in March 2020 by private equity firm Thoma Bravo for $3.9 billion after being publicly traded for several years prior (see: Sophos Patches Critical RCE Bug Exploited in the Wild).
Dealing with Data Doldrums
SOC.OS was founded to make SOC operations more efficient and help organizations deal with the overabundance of information produced from their SOC in a reasonable way that doesn't overwhelm the human beings on the other side of the console, Levy says. The company has developed a method of normalizing the ingestion of data, allowing Sophos to add new data sources in a rapid and efficient way.
The company aligns outside data that it has ingested to the MITRE ATT&CK framework, which Levy says Sophos had already done within its own ecosystem, but SOC.OS allows for that capability to be extended to third-party integration points. Levy says the way in which SOC.OS onboards and reasons with data and how the firm subsequently organizes the data make a client's security operation more efficient.
"We were very impressed with the approach, the solution and the progress that the SOC.OS team was able to make," Levy says. "We felt that SOC.OS gave us a nice advantage over previous means of trying to solve this problem."
Levy says he expects to integrate SOC.OS into the Sophos MTR offering by the end of 2022 and into the company's Extended Detection and Response platform in the first half of 2023. The company's MTR offering has excelled at protecting the parts of the IT ecosystem Sophos controls and manages since it launched in 2019, but always had to contend with areas of the IT ecosystem where Sophos technology isn't present.
"Attackers are always going to go for the shadows within any kind of an organization," Levy says. "You're always going to have elements of your IT systems that are either unknown, unprotected or underprotected."
Harmonizing Heterogeneous Environments
A surprising number of organizations don't have a single endpoint security vendor deployed across their entire estate due either to an in-progress deployment or acquisition activity, Levy says. As a result, he says, Sophos has frequently seen attackers establish a presence on an endpoint that's protected by a different vendor and then use that foothold as a bastion to attack the rest of the network.
"This acquisition gives us a better early warning system," Levy says. "We'll know when these hosts are being targeted by the attacker earlier than just seeing the attack actually come in from the compromised host."
Outside of the network and endpoint, Levy says SOC.OS will help Sophos strengthen its ingestion of data from Amazon Web Services, Microsoft Azure and Google Cloud and expand the capability to other public cloud operators. SOC.OS can also streamline the ingesting of data from identity and access management and privileged access management providers such as Okta and Ping Identity, Levy says.
The SOC-OS acquisition means that CISOs will be able to detect abnormalities earlier with the telemetry data and operate more efficiently due to better organization and prioritization of third-party data, Levy says. And the SOC-OS clustering capabilities offer a more efficient response by allowing CISOs to operate on more than a single instance of something that might have been observed in a company's environment.
From a metrics standpoint, Levy anticipates that SOC.OS will improve Sophos' mean time to detect, investigate and remediate security incidents. That's because Sophos will now be able to get signals from the other areas within the IT system that the company generally wouldn't have seen until they made it over to Sophos' side of the world, according to Levy.
"When you can get those early indicators that an attacker is attempting to get into or maneuver within a network … the better we're going to be able to do with those mean time to detection or investigation figures," he says.