Sophos Exec: MSPs Should Use AI To ‘Streamline Operations’

Although there are a lot of unknowns surrounding AI and the threats it poses, Sophos’ Scott Barlow said he is “cautiously optimistic” about the use of it.

“What we leverage AI to do is to filter out the noise,” Barlow, vice president of global cloud and MSP alliances for Abingdon, U.K.-based Sophos, told CRN. “We process 32 billion events or signals a day. We take those signals and allow a security analyst to go and examine to ensure that it’s not a false positive or that it could be a zero day. But if you look at that zero day and you know those signals, AI is absolutely helping us be more efficient and home in on what signals will provide an indicator of compromise.”

And while AI can detect those threats, it still has to be managed by humans.

“It’s still human-fed and human-managed,” he said. “But the capacity for AI to, what they call ‘hallucinate’, is dangerous. I think it was like 99.98 percent accurate in doing basic math problems, but the more humans fed it the worse it got doing math problems. It can filter out right from wrong and correct from incorrect, but it’ll always have a need for humans. It will eventually get rid of some of the more mundane tasks, but it will have implications on what the future composition of workforces looks like.”

Going into 2024, Barlow said Sophos is maintaining its channel-first approach and “doubling down” on its Cybersecurity-as-a-Service model with the help of AI.

“Sophos is continuously working towards delivering cybersecurity outcomes and delivering to customers through our channel,” he said.

Barlow spoke with CRN to talk about AI, how it plays into cybersecurity and what threats MSPs should watch out for this year.

What do you think the opportunity is for AI in regard to cybersecurity, and where do you think the challenges are?

MSPs can absolutely leverage AI to help improve their technician utilization. Everything from an MSP perspective is about profitability, how they can streamline their operations and how they can automate their chat and support systems. But also when you look at utilization, how can AI augment an MSP’s ability to support more customers with fewer technicians? So if your average technician can support 10 or 20 customers, if you can double that you’re actually going to increase your profitability.

From a vendor standpoint, we’re enabling a lot of our customers and partners to control the use of AI. We also see a lot of customers and partners putting acceptable use policies in place for AI. I think that’s really important given the concern we’ve seen about intellectual property being uploaded and then exposed. In general, there is a risk, and the risk is when you look at a phishing attack, humans traditionally have an eye to detect misspellings or grammatical errors. AI is going to remove that identification tool so now, I think, phishing attacks are going to be a little more real. So MSPs should really be looking at security awareness training because the end user is going to be that last line of defense. Security awareness training is going to be a tool that a lot of MSPs need to arm their customers with to ensure that the customer is putting their best foot forward.

What are you focusing on in 2024 when it comes to the MSP community?

When you look at the MSP business, the delivery of security is easy but there’s a lot of cybersecurity challenges that exist out there today. The sophistication of threats is getting so much more complicated. The tools that the vendors provide are often incredibly complex and difficult to manage. And then if you look at the pipeline of security talent, that pipeline is not as robust as it should be. So in 2024, we’re doubling down on services. We look at managed detection and response [MDR] where partners can leverage the Sophos Security Operations Center where we do 24×7 active threat hunting. We have over 500 security analysts that will be watching a customer’s environment. We have 18,000 customers today on our MDR, and it’s growing rapidly. It’s allowing MSPs to offload those 24×7 actions and route it to the experts so they can focus on growing their business and focus on what they are built for, which is managing their SMB customers. Working with vendors like Sophos will allow the MSP to sleep at night because they know somebody is watching 24×7.

I also think that there’s going to be a more significant shift to cloud at the SMB level. There are vendors out there that are lifting and shifting workloads into the public cloud environment, and that exposes a lot of risk. So MSPs will have to look at how to use secure cloud environments in addition to the on-prem environment.

Aside from sophisticated phishing attacks, what else should MSPs be watching out for in terms of security?

We did a survey, The State of Ransomware 2023, that surveyed 3,000 customers. One data point that was fascinating to me was of the breaches that occurred, 36 percent of those breaches happened because of an exploited vulnerability. The second one, at 29 percent, was compromised credentials. Adversaries are not breaking in, they’re logging in to a customer’s environment because they already have your password. So when you look at the reasons why some of these breaches happen in this survey, it’s getting back to fundamentals. Patch your systems, change your password, implement phishing simulation, train your end users and secure every asset within a customer’s environment.

Ransomware is not going away. It is way too profitable for the malware writers, and now we are seeing some double, or dual, exploits. Before they encrypt a machine, they will actually exfiltrate the data and then encrypt the machine. So now you have data exposed on the internet, or in control by a hacker, and then you have the ransomware. You see those dual threats that are out there and that just creates so much more complexity. When you implement an MDR solution, it will detect what’s happening on the local machine, we’ll get those alerts and signals, we’ll be able to stop the exploitation of data and then we can clean the threat before it actually encrypts the environment.

What are your partners’ biggest concerns?

I think the biggest concern would actually be the MSP needs to be good and right 100 percent of the time, and the hacker just has to be right once. Get back to the fundamentals before you actually do the more advanced threat hunting and all that stuff. We even enable an MSP to go do active threat hunting on their own if they want to start running queries and looking at what’s happening within the threat environment. But most MSPs want to outsource that so they don’t have to worry about it. They can authorize Sophos to go and do that remediation for them because time is of the essence. If you can get into an environment and block a threat within 20 seconds versus five minutes, that could be the difference of an encryption event or a data exfiltration. We want to have the fastest possible response time and we work with the MSP to achieve that.

Leave a Reply

Your email address will not be published. Required fields are marked *