My role within Sophos is quite unusual because I help to shape innovation across the whole company.
Normally a Distinguished Engineer would focus on a particular specialism. However, I work to co-ordinate all our teams and business units and make sure their plans line up to make a coherent whole that works together for our customers.
In any given day, that might see me working with the firewall and endpoint product teams, the researchers at SophosLabs, or the threat hunters in Sophos Managed Threat Response (MTR).
Each team has their own objectives, and vision for the future—and it’s my job to help them align, and set the overall direction of Sophos as a whole.
That means my days are very varied. I could be sketching out a new product feature, or helping to design how our underlying architecture will develop to meet changing IT needs over the next few years.
I also work with our head of IP to decide which innovations should be patented first—and with our marketing team, who have the tough task of communicating our overall vision and all the amazing things our products can do.
An exciting time—Sophos XDR early access launch
It’s a very exciting time at Sophos. We’re preparing a major new product which is now available in our early access program—the first chance for customers to use it and tell us what they think.
The launch is for Sophos XDR, our new Extended Detection and Response solution. I can’t wait to see how people use it.
That’s a rare feeling. Usually, feedback from our early access users tends to confirm that the software does the job we designed it for, or report known issues.
But occasionally, we get a real star moment. An early access customer can surprise us by using the product in a way we never expected. I’m delighted when it happens—and XDR is such a flexible and versatile tool, it’s very possible we could see that this time.
The next step in our Synchronized Security journey
In 2015 we enabled our firewalls and endpoint protection to work together, sharing information and responding automatically to threats—we called it Synchronized Security.
Three years later we introduced our Endpoint Detection and Response (EDR) offering which gives IT teams powerful tools to hunt for threats and identify IT hygiene issues.
Sophos XDR is the next step in this journey. Sophos sensors take the most important security information from your endpoints—and other connected solutions—and we store it in a data lake on your behalf. You can run then pre-defined queries on that data to find threats, or write your own to gain insight into any aspect of your IT environment.
And the more solutions you plug into it, the more detailed the picture becomes. Sophos XDR can reveal patterns across endpoints, firewall, email, and cloud workloads, without any complicated plumbing; it’s already there in Sophos Central, ready to be enabled.
The other interesting part is that the data is so versatile. It’s a cybersecurity tool, but you could easily use it to measure wider IT health—for example, to find all your machines that are close to running out of memory. That’s why I’m so excited to see how the early access customers will use it.
We can’t predict the future—but we can be ready to adapt
Part of my role is to help Sophos decide what direction our innovation should go, and what we’ll need to protect our customers in the future. That’s difficult because long-term planning in cybersecurity is unlike any other industry.
We have to navigate the evolving technology landscape—with new trends, services, and devices becoming popular all the time.
But uniquely in our industry we also have to deal with adversaries, the cybercriminals who are always trying to evade our security measures and working on new kinds of attacks. And that means things can change quickly.
For example, our role was once only to intercept viruses and malware; if we could spot and stop a malicious program, our job was done. But the attack on RSA Security in 2011 changed everything.
First, instead of relying solely on installing malware, RSA’s attackers used the company’s own existing installed software to progress their attack—what we now call a “living off the land” attack. Suddenly, instead of just needing to find software on a machine, we also needed to track how its own software was being used.
But just as importantly, the sophisticated tools used to breach RSA were published online soon after the attack. It began a pattern where novel attack techniques quickly spread through the cybercriminal population. That made it increasingly difficult to predict important vulnerabilities in advance.
So instead, we now focus on making our products adaptable—so whatever the future holds, they’re ready.
Being ready for what’s next
There’s a principle when you’re developing new cybersecurity products and features: if you want to build it next year, it needs to be on a whiteboard now. And for it to be on the whiteboard now, you need to have had the idea a year ago.
Although we can’t predict the future, we can make some educated guesses about what it might have in store.
We know technology—and the way our customers use it—will always evolve. If we can understand new capabilities and anticipate how they might be used, we can also imagine how adversaries could seek to exploit those changes, and the security help our customers will likely need.
For example, as long ago as 2012, it became clear to us that technology would soon make remote working more common. We had no idea how world events would accelerate matters—only that remote working was a case of “when” rather than “if”.
We also knew, when that happened, the same IT teams who had been used to securing a network perimeter on premises would be faced with the task of providing security for devices, connections, and data everywhere.
That’s one of the reasons why we worked so hard on Sophos EDR, and now Sophos XDR.
It’s part of a broader project I lead at Sophos—internally we call it Project Darwin because it’s about being adaptable to change. As new kinds of attack emerge, we simply need to reconfigure the data sensors in our software to send the most relevant data to analyze and stop the threat.
My job is to coordinate that evolution.