Global Security Mag: Good afternoon, Michael Veit. Global Security MAG is really delighted to have you with us at it-sa. Can you please introduce yourself and tell us how your professional journey brought you to your current position?
Michael Veit: After school, I studied business informatics, then I worked for more than 12 years with a system integrator where I was responsible for designing, implementing and managing security for large enterprises and public organizations. After that journey, I joined SOPHOS, where I have been working for 15 years now. So, I have been in IT Security for more than 25 years. At SOPHOS, I have been working in Sales Engineering, now being a Manager for the Sales Engineering team in Germany as well as holding the position of Technology Evangelist for the DACH (Deutschland, Austria, Confoederatio Helvetica, i.e. Switzerland) region, which means I am in charge of the Press and TV as the public-facing communication to explain technologies to non-technical people and C-Level.
Global Security Mag: Can you please tell us more about SOPHOS, and point out the key elements or differentiators that make SOPHOS unique? We have read the mention of leader in Gartner's Magic Quadrant for 15 years in a row.
Michael Veit: SOPHOS has been in the market for more than 35 years now. We started with technologies like antivirus. Now, our portfolio includes all kinds of network security products like firewalls, access points, switches, network detection and response. We have got e-mail Security and Cloud Security solutions. So, we basically cover a large part of the enterprise security for typical organizations. Our focus is on the SMB market, even though we, of course, have large enterprise customers. We do concentrate on organizations having the need for a consolidated security management. That is why we provide many of these solutions, which have the specialty that they intercommunicate with each other. So, we have an ecosystem of security solutions with the specialty that we also integrate more than 40 other vendors and solutions into this ecosystem. This includes Microsoft 365, but also endpoint solutions from Microsoft, from Trend Micro, and many others, and firewall solutions from Fortinet, Palo Alto, Checkpoint, and so on, because it is necessary for security today to get a complete picture of everything which is happening in an organization. And this is also what we have been focusing on for the last years. It is not just about providing the technical solutions, which are state-of-the-art. Sophos Endpoint has been in the Gartner Magic Quadrant leaders for more than 15 years, continuously. But nowadays, it is important for organizations to detect hackers in an early phase of an attack in order to have a complete view of what is happening. That is why we integrate solutions of all kinds, not only from the endpoint and from the network, but also, for example, as already mentioned, Microsoft 365, Identity and Access management systems and backup systems, to be able to cover the complete attack chain if a hacker is doing the first steps in an organization.
We provide this XDR ecosystem with open interfaces to many other solutions, either for the analyst team of a customer, so if the customer is running their own SOC, they can use our platform, or for managed detection and response services, the area which has seen the fastest growth in the last years. The SOPHOS managed detection and response service is currently used by more than 23 000 organizations. This is more than any other MDR solution in the market, and we provide the analysts, the threat hunters and the incident responders for organizations of all sizes in all areas, public as well as commercial and private organizations, and we protect these organizations from cyber-attacks. And since we integrate telemetry from many other solutions, from SOPHOS or from other vendors, we detect attackers in the first steps and prevent them from doing any damage like data theft or ransomware encryption. We complement these MDR services with other services like vulnerability management and attack surface management, meaning we integrate technology; a part of our MDR team also does the attack surface management, so we don't just produce a report about vulnerabilities, but we also provide the people, the analysts, who talk to the customer to say which security vulnerability, which hole should be fixed in the first place, based on intelligence information stating that these vulnerabilities are being exploited actively. This is about prioritization. As an example, there was the Microsoft patch Tuesday last week and there is a security hole which is being exploited actively, and this should be fixed right now. And of course, with the MDR services, we continuously monitor and respond. Our response time, up to complete remediation, is less than 45 minutes. Our analysts take about one to three minutes until there is a red light on the screen showing that there is something to investigate; then it takes them about 15 minutes to investigate whether the threat is real or a false positive.
Then, if it is a real threat, they need around another 20 minutes to completely remediate this, throw the attacker out of the organization, investigate whether the attacker has spread further in the organization, do the root cause analysis on how the attacker got in and check if other systems are still affected. It is a record time in the industry, and that is why we offer a breach protection warranty as part of the MDR service, which means if you get a successful ransomware attack despite having our MDR service, then we pay up to a million dollars to mitigate the effects of the ransomware attack. With 23 000 customers, we never had to pay this breach protection warranty because there was no successful ransomware attack when an organization was protected by SOPHOS' service. This is proof of how effectively we are protecting our customers.
Global Security Mag: As you know, one of the current topics, is NIS 2 (Network Information Security version 2). How could SOPHOS help organizations and enterprises to meet compliance requirements and to be more secure?
Michael Veit: There are some duties, especially related to risk management, involved in NIS 2. Among those things, incident management, for example, is part of what is required to achieve NIS 2 compliance. There are many other duties like patch management, supply chain management and multi-factor authentication. SOPHOS provides those services and SOC services that include the incident management. Of course, many of our technical solutions also provide the technical controls required in risk management for NIS 2. But the most important thing is the part with the incident management, with reporting and other duties for companies needing to comply with NIS 2. It's interesting that NIS 2 is just helping organizations to manage their own lack. It means that organizations should increase the level of security no matter whether they need to comply with a regulation like NIS 2, which is just a request to raise the Cybersecurity level effectively. Many organizations directly fall under NIS 2. I think in Germany it is roughly about 30 000, but many more organizations who are in the supply chains of those organizations will also have to increase their Cybersecurity level. The German automotive industry did something similar, so the automotive vendors have a compliance requirement for their supply chain, as they don't want to stop producing cars because one of their suppliers has got a cyber-attack. Keep in mind that last year, about one-third of German organizations had a successful ransomware attack.
NIS 2 has the effect that all organizations must have a higher level of Cybersecurity in order not to be a victim of cyber-attacks.
Global Security Mag: We are guessing that SOPHOS uses AI (Artificial Intelligence). Could you tell us a little about that?
Michael Veit: AI is used to identify regularities and anomalies in large data sets and to identify attacker behavior in the events which we collect, analyze and correlate from many sources. For example, log-in events, e-mails, communications, or a suspicious execution of system tools which can be used in a good or in a bad way. AI, or Machine Learning, is used to identify possible patterns of attacks, but AI is not used to automatically remediate things. So, AI is used to filter and summarize events happening in an organization for human analysts, who then, with a human understanding of how people are working and how organizations are working, can identify whether the event is a real threat or a false positive. If the action is malicious, then it is automatically stopped. There are some chains of events where we can identify a bad behavior. For example, you get an email, you open it with Outlook, there is a Word attachment with macros, which executes a PowerShell, which downloads a system tool, or whatever. This kind of chain of events is automatically terminated. So, we use Large Language Models to help the analyst summarize and be more effective. AI saves a lot of analyst time, but it does not replace the analyst, because the analyst is needed to decide which event is good or bad. In the gray area, the analyst decides, and with a human understanding the analyst also creates ways to remediate the threat, finding the most creative or the most reasonable way to stop the attacker.
Global Security Mag: Please, could you give some key messages to our readers?
Michael Veit: The key message is that if organizations don't put their IT Cybersecurity on a higher level, including specialized humans, specialized analysts operating Cybersecurity solutions, then they will very likely be the victim of a cyber-attack in the next months or years. So, organizations should not continue with business as usual, just buying technical solutions. You need the specialized humans to operate them. IT is probably not capable of handling this Cybersecurity topic, operating and responding in a timely and sensible way. You need specialists for that.
Compliance may be a motivator, but it shouldn't be the first reason to increase the level of Cybersecurity, which is not a cost factor anymore. Cybersecurity has become a kind of insurance that the company should have to secure the next business year, as Cybersecurity prevents data from being stolen and operations from being shut down by ransomware, encryption, or sabotage.