I run it at home, but I tend to think lately it's largely a waste of time. Mine has never caught anything of value according to stats. I think since I've been running Sophos, I've had it say it caught one virus. Previous to Sophos I ran Untangle for years, and don't think it ever really hit on anything--though it does use an inferior AV engine.
I ran Security Onion for a couple months as a test monitoring my network. It came up with literally thousands of flagged items almost daily. It pretty much takes a dedicated security team to sit and monitor the network and all these errors to determine what's actually a problem and what is OK. Of the thousands of notifications you'd get through Snorby, only a hand full were indicated as high-level alerts--but again it's hard to get the wheat from the chaff sometimes.
I have been reading Richard Bejtlich's book on network security monitoring, and to be effective in stopping things you really have to be dedicated to take the time and actually learn what threats look like. His position is you need to monitor & log everything passively with people monitoring expected threats (IDS instead of IPS). If you can't actively monitor, then IPS is the next step. The problem with IPS is that it has to be so finely tuned to the situation that it's difficult to stay ahead of the curve. Presumably Sophos is doing that tuning themselves, but it's hard to say.
Mostly, Bejtlich says they will get in, so monitoring to find out what they did and controlling it is more effective than trying to play the never-ending game of IPS. Of course, this is a far more serious level than what anyone at home can really achieve. Ultimately though, it's almost impossible to stay ahead of the bad guys. New stuff is coming out constantly. Most of the rules are based on known threats, and all the zero-day type stuff is still going to get through.
Some of the threats are socially-engineered, and no manner of IPS will stop them. I read of a man's challenge to break into his coworker's home network. He didn't have any fancy UTMs, just practiced good security through his devices. The guy couldn't get in, until a craftily-made email sent to his adversary let him right in the front door.
Some security systems are going towards whitelisting, instead of blacklisting. This would allow known good items, instead of trying to identify known problems. You can do this as a home user by implementing security on your Windows systems such as Software Restriction Policy. Basically, it does not allow anything to run that you haven't given explicit permission to do so. There are whitelists for the internet out there.
One of the reasons to go with monitor over intervention, is that intervention often breaks a lot of "good" items. I know I run into issues all the time where the UTM is blocking something that is a good quantity. Sometimes, when things just aren't working, it's difficult to pin down why. Maybe it's the server end, but now you have to sort through logs to determine which of all the features is actually causing the hang-up.
Antivirus as a whole is going that direction as well. There are a lot of people that are starting to move towards the idea of AV being less than stellar for any true protection. You still don't have good zero-day threat protection, and some of these AV systems are just information gathering systems for the AV companies (there was an article about this where a site--maybe Anandtech--asked AV companies about data collection and it was very revealing).
Anyway, this is a long post that is probably more of a wider discussion than you were looking for, but addresses some of the issues as a whole. For a home user, all this stuff is totally unnecessary for the most part. I've actually considered dropping Sophos, or UTMs entirely, at home for some of these reasons. A properly patched OS, with implementations like SRP, and you're going to have a very difficult time compromising the system at all. However, there are a lot of things the UTM does outside of IPS that I do really appreciate (adblocking, outgoing email proxy, file extension blocking). Some of them I just can't seem to get working the way I need it to (like VPN and dynamic DNS).
I run it at home, but I tend to think lately it's largely a waste of time. Mine has never caught anything of value according to stats. I think since I've been running Sophos, I've had it say it caught one virus. Previous to Sophos I ran Untangle for years, and don't think it ever really hit on anything--though it does use an inferior AV engine.
I ran Security Onion for a couple months as a test monitoring my network. It came up with literally thousands of flagged items almost daily. It pretty much takes a dedicated security team to sit and monitor the network and all these errors to determine what's actually a problem and what is OK. Of the thousands of notifications you'd get through Snorby, only a hand full were indicated as high-level alerts--but again it's hard to get the wheat from the chaff sometimes.
I have been reading Richard Bejtlich's book on network security monitoring, and to be effective in stopping things you really have to be dedicated to take the time and actually learn what threats look like. His position is you need to monitor & log everything passively with people monitoring expected threats (IDS instead of IPS). If you can't actively monitor, then IPS is the next step. The problem with IPS is that it has to be so finely tuned to the situation that it's difficult to stay ahead of the curve. Presumably Sophos is doing that tuning themselves, but it's hard to say.
Mostly, Bejtlich says they will get in, so monitoring to find out what they did and controlling it is more effective than trying to play the never-ending game of IPS. Of course, this is a far more serious level than what anyone at home can really achieve. Ultimately though, it's almost impossible to stay ahead of the bad guys. New stuff is coming out constantly. Most of the rules are based on known threats, and all the zero-day type stuff is still going to get through.
Some of the threats are socially-engineered, and no manner of IPS will stop them. I read of a man's challenge to break into his coworker's home network. He didn't have any fancy UTMs, just practiced good security through his devices. The guy couldn't get in, until a craftily-made email sent to his adversary let him right in the front door.
Some security systems are going towards whitelisting, instead of blacklisting. This would allow known good items, instead of trying to identify known problems. You can do this as a home user by implementing security on your Windows systems such as Software Restriction Policy. Basically, it does not allow anything to run that you haven't given explicit permission to do so. There are whitelists for the internet out there.
One of the reasons to go with monitor over intervention, is that intervention often breaks a lot of "good" items. I know I run into issues all the time where the UTM is blocking something that is a good quantity. Sometimes, when things just aren't working, it's difficult to pin down why. Maybe it's the server end, but now you have to sort through logs to determine which of all the features is actually causing the hang-up.
Antivirus as a whole is going that direction as well. There are a lot of people that are starting to move towards the idea of AV being less than stellar for any true protection. You still don't have good zero-day threat protection, and some of these AV systems are just information gathering systems for the AV companies (there was an article about this where a site--maybe Anandtech--asked AV companies about data collection and it was very revealing).
Anyway, this is a long post that is probably more of a wider discussion than you were looking for, but addresses some of the issues as a whole. For a home user, all this stuff is totally unnecessary for the most part. I've actually considered dropping Sophos, or UTMs entirely, at home for some of these reasons. A properly patched OS, with implementations like SRP, and you're going to have a very difficult time compromising the system at all. However, there are a lot of things the UTM does outside of IPS that I do really appreciate (adblocking, outgoing email proxy, file extension blocking). Some of them I just can't seem to get working the way I need it to (like VPN and dynamic DNS).
