Sophos X-Ops FAQ

Credit to Author: Christopher Budd | Date: Wed, 20 Jul 2022 11:00:05 +0000

What exactly is Sophos X-Ops? 

Sophos X-Ops is a new, cross-operational (X-Ops) team linking SophosLabs, Sophos SecOps and Sophos AI, three established teams of cybersecurity experts at Sophos, to help organizations better defend against constantly changing and increasingly complex cyberattacks. The unit leverages the predictive, real-time, real-world, and deeply researched threat intelligence from each distinct group, which, in turn, collaborate to deliver stronger and more innovative protection, detection and response capabilities.

This joint-task-force type of model is important because cyberattacks have become too complex for any single threat intelligence team to go it alone. Defenders need the breadth and scale of a multidisciplinary, collaborative group, such as X-Ops, to provide multi-faceted, 360-degree views of attacks for optimal defenses.

Does this mean SophosLabs, Sophos SecOps and Sophos AI are going away? 

Behind the scenes, SophosLabs, Sophos SecOps and Sophos AI remain intact. Moving forward, we are using the name Sophos X-Ops to publicly emphasize the benefits of the cross-operational structure and threat intelligence sharing capabilities these groups together provide to defeat attackers.

Are you simply rebranding or renaming groups within Sophos?

Each of the groups within Sophos X-Ops has its own expertise, audience and reporting structure. Linking them within a collaborative unit such as Sophos X-Ops fosters the development of stronger and more innovative protection, detection and response capabilities. Sophos X-Ops models what we believe a modern cybersecurity operation should look like, comprising the essential discrete competencies operating at scale in a highly orchestrated fashion.

Who is the leader of Sophos X-Ops? What is the organizational structure?

Joe Levy, chief technology and product officer, Sophos, leads Sophos X-Ops. Other key leaders include Simon Reed, senior vice president, who heads up SophosLabs and Sophos AI; Mat Gangwer, vice president, who leads Sophos Managed Detection and Response services; and Ross McKerchar, CISO, who leads Sophos’ own internal security operations.

The Sophos X-Ops unit has more than 500 specialized experts worldwide, including software developers, automation engineers, malware analysts, reverse engineers, cloud infrastructure engineers, incident responders, data engineers and scientists, and numerous others.

Does Sophos X-Ops sell anything? Is the threat intelligence for sale? 

Sophos X-Ops and its threat intelligence are not “for sale” as a line item. The benefits of Sophos X-Ops are inherent in all of Sophos’ products and services, including via Sophos Intelix, AWS Marketplace and feeds we provide through OEM agreements.

All of Sophos’ customers are Sophos X-Ops customers, meaning all Sophos customers benefit from the cross-operational approach of Sophos X-Ops.

How does Sophos X-Ops compete?

Sophos X-Ops furthers Sophos’ position as a cybersecurity leader among large industry players that have threat intelligence units. Additionally, Sophos X-Ops outperforms operations that provide only partial components, for example threat hunting and analysis alone. The difference is that Sophos X-Ops has more than 500,000 customers worldwide; Sophos’ “surface area” from telemetry is massive and more diverse. Sophos also provides remediation, which other companies don’t, and remediation is a key component of an effective managed detection and response service. Many businesses, especially those in the sub-1,000 range, need help managing the lifecycle of a cyberattack, from detection, through neutralization, to operationally getting back on their feet.

What are the differentiating factors?

One key differentiator is how we are leveraging the cross-operational foundation of Sophos X-Ops for innovation, an essential component of cybersecurity due to the aggressive advancements in organized cybercrime. By linking the expertise of each group, Sophos is, for example, pioneering the concept of an artificial intelligence (AI) assisted Security Operations Center (SOC). Effective AI requires not only access to massive amounts of data, but also curated or well-labeled data, efficiently and scalably architected data-engineering operations, and continuous feedback loops between models and the operators they’re designed to benefit. An AI-assisted SOC anticipates the intentions of security analysts and provides relevant defensive actions. In the SOC of the future, Sophos believes this approach will dramatically accelerate security workflows and the ability to more quickly and scalably detect and respond to novel and priority indicators of compromise. We intend to innovate in other areas as well. Watch this space.

What problems does Sophos X-Ops solve? 

Improving detection and reaction times is something those in cybersecurity constantly obsess about – and for good reason. We’re racing against the clock to detect and stop attackers at multiple points along the attack chain, from sly phishing to abusing legitimate tools to move laterally, before the attackers do serious damage, such as espionage or ransomware. Collaborative structures and processes provide the best strategy for countering adversaries who, today, are well-organized, persistent, and constantly trying to out-game security systems. Sophos X-Ops allows the teams to make discoveries faster, which ultimately allows us to protect our customers faster.

Sophos X-Ops also provides more comprehensive layers of protection. Sophos X-Ops can more easily identify and then thwart attacks because of its combined deep expertise and knowledge of incidents and ability to jointly analyze them. Together, the teams can share information that makes each of their defensive layers stronger and more expedient.

Are there any unique capabilities Sophos X-Ops introduces to the market? 

Sophos X-Ops is one of the few of its kind in the industry, based on its collection of competencies, the scale at which they operate, and its level of coordination. Even though each team has deep, individual expertise, they are not operating in silos. This cross-collaboration is happening 24/7/365, procedurally enabled by common systems, synchronized methods of program and project management, standups, shared playbooks, and other key elements. The ability to operate nimbly across a breadth of experts and teams is hard to do, but Sophos X-Ops is designed to enable the teams to share knowledge and leverage each other’s unique strengths and points of view. While the three teams already collaborate as a matter of course, the formal creation of Sophos X-Ops drives forward a faster, more streamlined approach necessary to counter equally fast-moving adversaries. We believe this is a more efficient model than the industry has employed in the past, and this will be reflected in the research, technical papers, and intelligence that Sophos X-Ops publishes.

What is different about Sophos X-Ops now (versus what the groups did previously together)? 

The model that Sophos X-Ops follows is a virtuous circle that starts with SophosLabs and protection and continues from there to both feed and gather more intelligence for Sophos SecOps and Sophos AI initiatives. As this endless iteration matures and scales, customers will be better protected, and Sophos products and services will become more intuitive and stronger to defeat attackers. Sophos X-Ops also provides collaboration that inspires innovation, which we all know is critical in cybersecurity. We believe our Sophos X-Ops model is a blueprint for the industry.
