
File Reputation "Insight"?

Hi there,

Does "Live Protection" work like a very fast way to distribute signatures, or like a reputation database?

Does SOPHOS have any comparable "reputation system" like Insight?

Is there anything like it on a near-term roadmap?

Thanks



  • Hello Ricardo,

    if you are already tired of this exchange just say so and I'll shut up. :smileywink:

    First of all, I'm confident that Sophos takes the rather disappointing detection results seriously. Won't speculate what caused them though.

    Thanks for explaining your situation - makes it easier to deal with the questions.

    SOPHOS way of working is to try to map everything bad on their own

    By on their own you mean not letting the customer decide? There's a wide spectrum of possibilities - from SaaS (essentially a black box with more or less guaranteed results) to a framework and the necessary tools to plug in whatever detection, rules and behavior you need (although I'm not aware that something like this exists for "ordinary" users/customers). Or is it (also) not drawing on crowd intelligence? You must be careful how you rate a customer's input and what weight you give. And there's the question who's responsible if the crowd makes a mistake.

    SOPHOS has to babysit     

    You mention a lot of things in this paragraph and I'm not sure I always understand correctly what you are aiming for (e.g. own groups for DLP). You mention own application fingerprints and a high false positive ratio - I'll try to break it down: An FP is either suspicious (in which case you can authorize it, which is not more work than fingerprinting and is in effect until the application changes) or malicious (where the only immediate remedy is not exclude it from scanning until Labs have issued an updated detection). FPs are usually seen with new or otherwise "unknown" files or as a result of updated detections. The latter doesn't routinely occur - that leaves new/unknown files. Can't imagine there's a continuous stream of these and wonder what it is that causes the nightmare. Arguably the crowd has less latency than sending a sample to Sophos Labs and getting an updated identity (usually some hours).

    mapping the bad

    The (bemoaned :smileywink:) FPs should suggest that Sophos is not only mapping the bad. Right now something like reputation seems to be the solution to "custom" malware. Do you think that malware writers will stop here and admit defeat? Likely not, maybe start using sleeper agents?

    dumbed down for easiness

    As said, it's partly philosophy. Too many configuration options might not only distract you from implementing a security strategy, they also make misconfigurations more likely. 

    The soon to be released Cloud product introduces a different management, e.g. per-user policies (for device control). This has been requested for a long time. It's not perfect though - sometimes you might want a machine based policy to take precedence, and this is where simple ends.     

    Please continue to be critical :smileyhappy:

    Christian

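To make the distinction discussed in this thread concrete (Labs detections versus a hash-keyed authorization that lapses when the application changes versus a crowd/prevalence-style reputation lookup for unknown files), here is an added illustration. It is not Sophos code and does not describe how Live Protection or Insight actually work; the file contents, the hash lists, the `prevalence`/`age_days` fields and the thresholds in `assess()` are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-ins for real binaries (not real samples).
FILES: Dict[str, bytes] = {
    "payroll.exe": b"internal payroll tool build 1",
    "payroll_v2.exe": b"internal payroll tool build 2",   # same tool, changed binary
    "dropper.exe": b"constructed known-bad sample",
    "new_tool.exe": b"fresh unknown binary",
}


def sha256(data: bytes) -> str:
    """Hex SHA-256 of the file contents; every list below is keyed on this."""
    return hashlib.sha256(data).hexdigest()


# Signature-style list: hashes the vendor lab has classified as malicious (constructed).
KNOWN_BAD = {sha256(FILES["dropper.exe"])}

# Admin authorizations, keyed on the file hash. Because the key is the hash,
# an authorization silently stops matching as soon as the application changes,
# which is the behaviour described in the post above.
AUTHORIZED: Dict[str, str] = {
    sha256(FILES["payroll.exe"]): "payroll tool, authorized by admin",
}

# Hypothetical crowd/reputation metadata: on how many endpoints the hash has
# been seen and how many days since it was first seen (constructed values).
REPUTATION: Dict[str, Dict[str, int]] = {
    sha256(FILES["new_tool.exe"]): {"prevalence": 2, "age_days": 0},
    sha256(FILES["payroll_v2.exe"]): {"prevalence": 300, "age_days": 45},
}


@dataclass
class Verdict:
    action: str   # "block", "allow" or "review"
    reason: str


def assess(data: bytes, min_prevalence: int = 50, min_age_days: int = 7) -> Verdict:
    """Order of precedence: lab detection, then local authorization, then reputation.

    Unknown or low-prevalence/very new files are not blocked outright but
    flagged for review (e.g. submitting a sample), so an FP on a new internal
    build costs a review step rather than an exclusion from scanning.
    """
    h = sha256(data)
    if h in KNOWN_BAD:
        return Verdict("block", "matches vendor detection")
    if h in AUTHORIZED:
        return Verdict("allow", AUTHORIZED[h])
    rep: Optional[Dict[str, int]] = REPUTATION.get(h)
    if rep is None:
        return Verdict("review", "hash never seen; submit sample for analysis")
    if rep["prevalence"] >= min_prevalence and rep["age_days"] >= min_age_days:
        return Verdict("allow", f"widely seen ({rep['prevalence']} endpoints, {rep['age_days']} days)")
    return Verdict("review", f"low prevalence or too new ({rep['prevalence']} endpoints, {rep['age_days']} days)")


if __name__ == "__main__":
    for name, content in FILES.items():
        v = assess(content)
        print(f"{name:15s} {v.action:7s} {v.reason}")
```

Note what happens to `payroll_v2.exe`: the admin's authorization for `payroll.exe` no longer applies, so the rebuilt binary is judged purely on its (constructed) prevalence and age. That is the trade-off behind hash-keyed authorizations: no stale allow entries for changed code, but every rebuild of an internal tool starts again as "unknown" unless something like reputation or a signed-publisher rule covers it.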