We realize that security incidents are inevitable, so properly preparing for such incidents is a big part of what makes for good security. Powered by SophosLabs – a global threat intelligence and data science team – Sophos’ cloud-native and AI-powered solutions secures the company against cyberattacks.

At Sophos we are one of the 600,000 organizations protected by Sophos products. Our plans focus on how we communicate securely and reliably during an incident, what roles we need in order to respond effectively, how we will respond to various types of incidents, analyzing severity levels, and notifying customers and regulatory bodies as appropriate.

We have developed our plans with guidance from the NIST 800-61 Computer Security Incident Handling Guide and we frequently review these plans for compliance with industry standards.

Our highly-skilled cybersecurity professionals develop and operate world-class incident response capabilities, including comprehensive monitoring, advanced detections, response automation, incident management, forensic analysis, and access to external experts. We believe that by being the first and most frequent users of Sophos products, coupled with our access to the product teams and SophosLabs, we are in a uniquely effective position to respond to cybersecurity incidents.

Overview of our incident response program

Our mission at Sophos is to protect people from cybercrime by developing powerful and intuitive products and services that provide the world’s most effective cybersecurity for organizations of any size. Effectively responding to a broad range of potential security incidents is critical to the success of the Sophos mission. Simply put: to protect our customers, our incident response program needs to protect our products and our company as well.

Sophos uses the NIST 800-61 definition of a security incident: “a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.” This is an intentionally broad definition so that we can optimize for rapid response time, identifying areas for improvement and customer transparency. This definition also supports identifying any data leaks, which might not be included in a definition focused on confirmed attacks.

How we identify incidents

There are many ways Sophos identifies or becomes aware of security incidents. These include:

  • Security monitoring capabilities, often in our products, or complimentary methods we have developed
  • Bug-bounty reports
  • Penetration test findings
  • Vulnerability analysis
  • Code and application analysis
  • Research and threat intelligence analysis
  • Customer notifications

To report a potential security incident, please see our Responsible Disclosure Program.

Investigation and analysis

Following the detection or verified report of an incident, we initially leverage established communications channels to facilitate information-sharing among the incident response team.

A standard minimum agenda for an incident response investigation and analysis meeting is as follows:

  • Establish current facts
  • Update on action status
  • Agree upon next actions
  • Confirm assessment of the incident severity status: Sev1/2/3
  • Agree on the timing of the next meeting
  • Document minutes on the incident timeline, including actions and decisions

Severity assessment

We have four incident severity levels.

Incident Severity Levels

0Critical incident with maximum impact
1Very serious incident with very high impact
2Major incident with significant impact
3Minor incident with low impact

Our incident response managers set the severity of an incident based on the potential impact to the company and customers. We use various threat assessment criteria in determining the severity of an incident, including customer impact, functional impact, information impact, recoverability, data quantity and classification, threat actor, and business impact. Incident severity is reassessed at key points throughout the response process and severity is adjusted as necessary.

Roles and responsibilities

At the outset of an incident, a single incident response manager is identified based on the incident’s assigned severity level. This role can be rotated when 24/7 coverage is required. A single incident response manager gives us clear direction so we can take immediate action and communicate effectively.

Depending upon the nature of the incident we have varying roles required. Some of the most common roles include:

Incident Roles and Responsibilities

IR ManagerMake decisions on severity rating, escalation, composition of full incident response team as well as initiate and run investigation.
Executive SponsorCommunicate with Senior Management Team (SMT) as necessary and approve Sev 0/1 incident response decisions.
IR TeamCross-functional team responsible for investigating, analyzing, and containing cybersecurity incidents.
IR Program OwnerAccountable for the incident response plan and cross-functional team preparedness, keeping IR plan and documentation up to date, and regular reviews.
Data Protection and Customer CommunicationsMake decisions about customer and other external notifications.

Containment, eradication, and recovery

The purpose of containment is to stop the effects of an incident before it can cause further damage. Once an incident is contained, we can take the time necessary to comprehensively address the issue.

After an incident has been contained, eradication may be necessary to eliminate components and side effects of the incident. For Sophos-targeted security incidents, we need to think about our corporate assets as well as our product assets, including our cloud offerings.

Common eradication tasks include:

  • Configuration or code changes/hot fixes
  • Replacing or disabling systems
  • Removing functionality
  • Data quality cleanup
  • Disabling breached user accounts
  • Identifying and mitigating all vulnerabilities that were exploited

In recovery, Sophos engineers restore systems to normal operation, confirm that the systems are functioning normally, and (if applicable) remediate vulnerabilities to prevent similar incidents. Our culture and approach to innovation as a security and cloud company helps us to recover quickly. We rely on continuous integration and deployment capabilities across our businesses. We are constantly re-deploying systems at scale and with speed.

Customer notification

Authenticity is a one of our company values at Sophos. This value, reinforced by our company mission to protect, means we will notify customers as soon as possible if their data is involved in a confirmed incident or breach.

Post-incident activity

Once an incident has been addressed and resolved, we focus on learning from the incident. We hold post-mortem sessions to discuss how we handled the incident and the root cause of the incident. Based on these discussions, we adjust and improve our incident handling procedures and make improvements to our security profile in order to prevent and more quickly detect similar incidents in the future.

How we use our own tools to respond to incidents

The Sophos Global Security Operations Center (GSOC) constantly monitors alerts from our infrastructure and hunts for anomalies across the estate. We do this by deploying and monitoring various detection tools, including the full suite of Sophos next-gen products.

  • Sophos Intercept X Advanced with EDR combines the capabilities of Intercept X with Endpoint Detection and Response (EDR) into a single-agent solution to help us deal with a wide range of threats. With Live Discover and Live Response, we are able to quickly identify threats, respond to them within minutes, remotely take forensic snapshots, and contain issues by isolating affected endpoints. We are able to use the forensic snapshot feature to identify any further IOCs and artefacts. Network artefacts are then blocked by our Sophos Firewall. To learn more about how we utilize the threat data provided by Intercept X, see https://news.sophos.com/en-us/2018/12/03/hunting-for-threats-with-intercept-x-and-the-windows-event-collector/
  • Sophos Firewall leverages intrusion prevention to help prevent and detect against the latest network exploits. Our firewalls allow us to block malicious domains, URLs, and IP addresses as well as to analyze suspicious files transferred over the network via SophosLabs’ safe cloud environment. In certain places on the network, we also deploy Discover mode, where the firewall acts a network sensor for IDS events and network activity reporting.
  • With more and more of our workloads moving to the cloud, we needed a tool that gives us visibility. We use Sophos Optix to help us identify and asses the cloud services that are risks to the business and proactively notify us about suspicious behavior. It allows us to quickly answer key questions such as: Who owns it? With whom does it communicate? What are the roles and permissions being used? What rules and security groups are being used? The ability to quickly visualize the network and the roles utilized by its resources allows for efficient identification of any issues.
  • Sophos depends on a wide range of systems and we are able to collect data from various Sophos and non-Sophos products alike. While it can quickly become challenging to get contextual information about certain systems, during the detection and analysis phase of an incident, it is imperative that we get the right information as quickly and efficiently as possible in order to allow us to make educated decisions. Sophos Central APIs give us the power to leverage Sophos Central and its integration partners: https://news.sophos.com/en-us/2019/12/19/unlocking-the-power-of-sophos-central-api/