Video: Threat Intelligence Briefing: Is your Firewall as secure as you think? | Duration: 1988s | Summary: Threat Intelligence Briefing: Is your Firewall as secure as you think? | Chapters: Introduction to Firewalls (19.535s), Firewall Vulnerabilities Exposed (109.5s), SonicWall VPN Attacks (252.43001s), Secure Security Products (361.61s), Secure by Design (468.43s), Enhanced Firewall Security (610.55s), Firewall Security Measures (771.025s), Remote Access Solutions (995.425s), Lifecycle Management Importance (1215.295s), Migration and Security (1558.54s), Deployment and Management (1627.775s), Accolades and Recognition (1734.64s), Closing Thoughts and Next Steps (1793.89s)
Transcript for "Threat Intelligence Briefing: Is your Firewall as secure as you think?": Thanks for joining this session. Is your firewall as secure as you think? That's a question we'll try to help you answer, or at the very least, give you important questions to ask your firewall vendor. My name's Barbara Hudson, and I'm part of our global product marketing team here at Sophos. As I'm based out of Germany and this webinar is running multiple times today, this session has been prerecorded. But rest assured, we have live colleagues in the background who are ready to answer your questions, so please feel free to keep them busy. In today's session, we'll look at the reason why we're here based on current threat activity. I'll walk you through our approach to secure by design. We'll look at firewall weak spots and how you can avoid them. And last but not least, we'll take a look at Sophos firewall and how you can migrate from your current vendor if you like what you hear today. Before we begin, I do have a disclaimer. This presentation does reference some third-party firewall vendors and their products. This information is presented to provide an accurate picture of the current threat landscape. It does not constitute a criticism or security assessment of those vendors. I'll leave that up to you. All data is presented in good faith based on threat activity observed by Sophos X-Ops, and unless otherwise stated, it is true as of October 2025. Firewalls are under attack. As you've likely seen from recent headlines, many firewalls are under attack, with some specific vendors being singled out, either due to previous breaches that many customers may have not patched, or non-ideal configuration options that leave weak spots that attackers are all too happy to exploit. As will become apparent over the next slides, every vendor has seen some kind of attempt to breach their firewalls.
And while media outlets may use sensationalist headlines to get you to read their articles, those shown here are simply stating the facts. Just last week, the Louvre Museum in Paris, France, home to the Mona Lisa and some of the world's most priceless art, was the victim of a robbery. Now the Louvre has multiple layers of security. They have cameras, motion sensors, guards, reinforced glass, and alarm systems, yet someone still found a way to get in. If the Louvre can be targeted, what does that say about your firewall? I'd like to take a step back and focus for a moment on the data from our 2025 threat report. Network edge devices were a major contributor to cybercrime incidents throughout 2024. They are the single largest source of initial compromise of networks in intrusion incidents and in ransomware and data exfiltration events. If we fast forward to look at the recent data, you'll see that not much has changed. In their September 2025 ThreatCast, the Sophos X-Ops team highlighted the current ransomware threat, with the Akira family being particularly prevalent. If we drill down into the top initial access vectors observed by Sophos, as you can see, VPN tops the charts with multiple vendors represented, including Sophos. When we look at the top contributing factors, we see a rather unfortunate picture, with no multi-factor authentication leading by far. But this chart reads like a cascading list of security mistakes: no MFA, stolen credentials, your systems unpatched, your assets unprotected, and somebody downloaded something they shouldn't have. Let's hope that this is not your story. The most recent data shows that the brute force attacks targeting SonicWall VPN are particularly prevalent in the United States, where they obviously have their largest install base. And these are attempting to target valuable service accounts with LDAP integration to get a foothold across the network.
The threat actors we've observed show that many of these attacks are ransomware motivated. Over the past months, we've seen a steady increase in attempted ransomware incidents that are targeting SonicWall, and that peaked in August and is now starting to subside. In most cases, those we could prevent benefited from the excellent ransomware defenses that we built into Sophos endpoint solutions. At the height of this activity, affected Sophos MDR customers did receive security advisories from us. If you're wondering where this data comes from, Sophos has more MDR customers than any other vendor globally, and our customers use a wide range of security solutions that we support with our open ecosystem and integrations. As our team is tasked with protecting these customers, no matter which vendor they're using, it provides valuable insights that all of us can benefit from. These slides are not intended to serve as a way to attack SonicWall, but they are a call to action for all firewall vendors and customers. The advice from the Sophos X-Ops team in this case: use multi-factor authentication, as we saw from those previous stats; make sure that LDAP account permissions are limited; and validate VPN logging, or maybe use something else. And I'll talk about an alternative approach in just a moment. So what can we collectively do? Building products that are secure by design would be a very good start. As a reaction to the recent F5 and SonicWall events, our CSO, Ross McKerchar, shared some great insights on LinkedIn and in a Sophos News blog. I've added a QR code here so you can easily access the content later. We need secure products as much as we need security products. But when our adversaries are targeting the tools built to defend us, more than anything else, we need secure security products. The recent events once again shine a light on the long-term strategies that some attackers follow.
These are not opportunists, but teams willing to put in year-long research to achieve their aim. And we speak from experience. Last year, we disclosed our Pacific Rim research that follows the events that began in 2018 with an internal breach on the Cyberoam firewall infrastructure and continued in a cat-and-mouse game against Chinese state actors. We worked with other security vendors, law enforcement, and many other organizations and did eventually disrupt those operations at their core. Hardly any vendors have disclosed such internal intrusions in so much detail. I'm somewhat surprised by the level of our transparency in this case. But there's a learning for all of us from this, and that is that the motivation of vendors and buyers can differ greatly. As a buyer, you need to demand better. Vendors who demonstrate commitment to secure by design principles and embrace transparency should be rewarded for doing the right thing, and disclosing breaches is doing the right thing. If you want to find out more about Pacific Rim, there is further reading available on our website, which is also linked from the blog post shown here. But what is Secure by Design? Initiated by the Cybersecurity and Infrastructure Security Agency, Secure by Design is a pledge to support a set of design goals to strengthen product security. At Sophos, your security is our top priority, and you deserve a vendor that takes your security seriously. We were one of the first companies to sign the pledge, and in the meantime, there are over 300 companies that have pledged to demonstrate real progress towards these design goals and best practices, such as integrating MFA into all systems, eliminating default passwords and credentials, implementing automated security patches, and offering rapid and transparent vulnerability disclosure. Make sure that your vendor has not only signed the pledge to support these principles, but is actually delivering on them.
If you'd like to find out what progress we've made towards fulfilling our secure by design commitments, I'd encourage you to check the blog post published by our CISO, Ross McKerchar, from late July. Over several releases, we've invested in implementing secure by design principles into all of our products, including Sophos firewall. Sophos firewall has had numerous updates in the last few years to aggressively harden the product, making it easier to patch vulnerabilities and to identify when a customer is under attack. We ensure the firewall security posture is optimized right out of the box, so there are no easy targets on the firewall, with an extremely hardened VPN portal and encrypted central management. We're also unique in the industry in offering over-the-air automated hotfixes, which allow us to patch any new issue quickly without the downtime usually associated with a regular firmware update. In fact, just recently, a customer reached out to thank us for patching an issue before they even knew it existed. And we're also unique in proactively monitoring our customer base for attacks and responding to any signs that a customer is under attack by assisting in shutting it down to prevent it from happening elsewhere. We pride ourselves on being extremely transparent with one of the best bug bounty programs in the industry. The upcoming Sophos Firewall v22 release that's currently available in early access takes Secure by Design to a whole new level. The new control plane has been rearchitected for increased defense in depth and scalability. It enables the deeper modularization, isolation, and containerization of services and the separation of privileges for enhanced security. The next-gen Xstream architecture in Sophos Firewall OS is built upon a new hardened kernel that provides enhanced security, performance, and scalability for both our current and any future hardware.
This new kernel offers tighter process isolation and better mitigation for side channel attacks, as well as mitigations for CPU vulnerabilities. It also offers hardened user copy, stack canaries, and kernel address space layout randomization, or, very simply put, deep-rooted security features built into the code to prevent certain categories of exploit. Our remote integrity monitoring in v22 now integrates with our Sophos XDR Linux sensor that enables real-time monitoring of system integrity, including unauthorized configuration, rule exports, malicious program execution attempts, file tampering, and much more. This helps our security teams when they proactively monitor our install base to better identify, investigate, but also respond more quickly to any attack. This is an added security capability that no other firewall vendor currently provides. And the new Sophos firewall health check makes it much easier to evaluate and address the configuration of your firewall by checking dozens of different configuration settings and comparing them with the CIS benchmarks and other best practices, providing immediate insights into areas that may be at risk. As you can see here, the health check control centre widget gives immediate insights into your security compliance, and allows you to click through to verify any issues, showing you the severity, and offering the option to either fix or override an item if it's not relevant for you. This is intended to encourage stronger configurations to improve your security posture whilst also getting the full security benefits of your Sophos firewall with all of its features. This is a strong capability that helps with one of the major weak spots on firewalls that attackers are currently exploiting. So now we've seen the threat activity, learned about the measures that vendors should take to harden their products, and we've seen the Sophos approach to secure by design. But what can you do as a firewall customer?
Just as the Louvre needs to have discreet security that doesn't negatively impact the user experience and accessibility of the museum, network and IT admins in general also have to strike the balance between a secure system and one that's accessible with a good user experience, both for the admin and for end users. The Louvre robbers didn't try to smash through the front entrance. They looked for the blind spots by using a way in that would not look suspicious to passers-by, particularly in broad daylight. And in case you don't know, they used a furniture lift that was mounted on the back of a truck, which is a very common sight in Paris. Attackers targeting your firewall do the same thing. They're not always trying to brute force through your main defenses, although they will do that too. They're looking for the digital equivalent of that unlocked service door or breakable window. The primary weak spots are VPN, which, as we've seen from the stats, is the number one weakness; misconfiguration, and here we hope that the health check will help, but I'm using that term very broadly here: it could mean weak rules, it could mean deactivating important security features, it could mean ports open to the Internet for management, and, of course, no multi-factor authentication; and unpatched or unsupported systems. As vendors, we can do the best job in the world at building secure systems, but if you're not applying patches or continue to use devices that are either end of life or unsupported, our efforts will be in vain. What can you do to address all of these? We'll start with access, and obviously there is the access the admin needs and the access users need that we'll discuss separately. Many network admins no longer sit in the same place as their firewall, or have remote locations with firewalls that need to be configured and managed. If you ask yourself, 'Do you really need a port open to the Internet for management?', the answer should always be no.
Sophos Central provides a secure cloud console to manage all of your Sophos products and solutions. Access is secured via a passkey in line with Secure by Design principles. We've built this platform over the past ten years to create a highly secure and user-friendly console for admins, partners, and managed service providers. When you manage your firewall via Sophos Central, you can also access the console of an individual firewall if required. But the beauty of it is that you can push a configuration to multiple firewalls by working with templates, saving you valuable time. Backup management is also included in Sophos Central, and for obvious reasons, we'll talk about that one in just a moment. Sophos Central brings together multiple products, not only for management, but also for integrations, such as sharing threat intelligence. Using the capabilities of Sophos Firewall, together with Sophos MDR or XDR, allows you to implement health-based policies, identify indicators of compromise, and automatically prevent lateral movement by isolating compromised clients without needing to create new firewall rules. Sophos Central is also the hub for centralized reporting, and there are various data storage options available, either included in an Xstream Protection subscription, which most of our customers own, or with longer retention periods as an add-on purchase. Now let's look at remote access for users. The problem with VPN is that once you're on the network, you're generally trusted and frequently have access to everything. If a client becomes infected, it can easily spread to other clients in the same network segment. This implicit trust is not compatible with today's world, where we no longer have a single perimeter. So if you do use VPN, you need to be very smart about how your network is segmented, what access you give, and what other security infrastructure you have within your network to ensure there are extra protections in place.
The zero trust network access approach is probably a better choice, as it provides you with the ability to give granular control to resources and apps that can be revoked if the device health changes. The perimeter moves to where you need it to be. This is a very, very different approach to VPN. Sophos offers a VPN client for our firewall customers that is free of charge. It comes with support for Windows and Windows ARM and supports on-prem Active Directory and Entra ID. You can roll out a single policy for all of your clients using a provisioning file. Sophos ZTNA is fully integrated with Sophos endpoint. They use the same agent, making deployment really easy, and you can deploy ZTNA gateways directly from your firewall at no extra cost. You'll just need the licenses for the users or devices that you want to protect. In fact, every firewall customer gets to try ZTNA free of charge for one year, with activation directly from Sophos Central. As mentioned, ZTNA benefits from policies based on device health to ensure compromised clients do not introduce risk to your network. So as you can see, the solution to your VPN problem could potentially be adopting a zero trust approach, multi-factor authentication, more granular access controls, and secure centralized management. The recent SonicWall breach of all cloud backups has led to a lot of customers wondering how secure their backups are, even if they're not using SonicWall. Our approach to backups was built over five years ago and is also based on secure by design principles. When you deploy a brand new firewall, you're required to set a secure storage master key, or SSMK. This is used to protect the most sensitive data on the firewall, such as keys, certificates, and credentials. Now all backups contain the full configuration, and password encryption is mandatory. And within each backup, the sensitive data remains encrypted with the SSMK. So your most sensitive data has double protection.
Think of it like keeping your valuables within a safe that is behind the locked door of your house. If you create backups via Sophos Central, a secure password is automatically generated for each backup file, and should you want to download the backup, you will be prompted for a password for re-encryption. Local backups are encrypted using a preset password, so no backup can be created or leave the firewall without encryption. That's a really, really important thing to note. Just as a note of caution, you should never set the same password for your SSMK and your backup password, or you'll invalidate the effort we've gone to to keep your data secure. We already spoke about having a strong configuration and following best practices in the previous section, but what about unpatched and unsupported systems? We recently went through an end of life process with our XG series hardware. And while some customers may still have valid licenses and so be fully supported, others let their license lapse and hope to just continue using their appliance unchanged. In an earnings call earlier this year, Fortinet announced that a quarter of its firewall install base will be out of support by 2026. Life cycles are both an opportunity and a risk for the vendor and their competitors, of course, and the customer using the firewall. A firewall upgrade is a great opportunity to rethink your security, whether that means switching to another vendor or just modernizing your network. One of the challenges we face as vendors is the type of lifecycle dialogue we frequently encounter, and maybe some of our partners can also relate to this. Whenever there's a lifecycle event coming up, vendors will contact customers and partners and inform them about the end of life date. They'll usually provide a great upgrade offer, and this will start years in advance and continue on repeat right through until the life cycle milestone is achieved.
Unfortunately, many customers ignore those communications, particularly the ones that come years in advance. So when date X, the end of life, arrives, there's a little bit of a problem because the vendor will remind the customer that the product is no longer receiving updates and that some services may be degraded. Unfortunately, what then often happens, and we experienced this quite recently, is that the customers then ask, 'How dare you change anything on my product that I've added to keep my network safe?', which shows how ridiculous that can be. And then they tell us they didn't know it would be end of life and they need more time. It is really important that you as a company have policies in place for life cycle management, and particularly if you are not reading communications that you receive, it does make all of our lives much, much more difficult and introduces risk into your network. The worst case would then be that some months later, you as a customer realise that you've had a breach, and you contact your cyber insurance company. Now it should come as no surprise that your cyber insurance company would respond, your policy doesn't cover unsupported and end of life products. I think there's no better way that I can make it clear how important it is that you are really on top of keeping your products updated, keeping end of life products, or anything that is unprotected, off your network, and knowing exactly what you have deployed on your network is extremely important. In October 2024, our CEO, Joe Levy, published an essay titled Digital Detritus, the engine of Pacific Rim and a call to the industry for action. I've added a QR code here as it makes for interesting reading. It is quite a long essay, so if English is not your first language, I've written a summary here. Basically, end of life and unpatched systems are like a vortex. It's an ever expanding attack surface, and it becomes more dangerous over time.
If you don't patch when there's a vulnerability, you're leaving unforgivable security gaps due to basic negligence. It's a bit like when you don't use multi-factor authentication. That could also be seen as basic negligence. Small businesses can be hit hard by cyberattacks, and about 60% may not even survive. Poor software quality costs everyone money, and it's easier for attackers to exploit. And finally, we all share the responsibility. Vendors need to build secure products, and customers must apply patches and stop using unsupported and end of life systems, as that adds risk for all of us. Over the past years, many customers have switched from other vendors to Sophos, and here are just some of the reasons why. Sophos offers a wide range of network security and related products, with switches, Wi-Fi, email security, and much more. You may occasionally hear claims that Sophos doesn't have switches. That is, of course, incorrect. But the story is much broader than that. In fact, our firewall goes way beyond the traditional firewall tasks by being an MDR-integrated firewall that can ingest threat data from multiple sources to automatically react to security incidents, prevent lateral movement, and ensure it's equipped for today's remote and hybrid, cloud-connected networks. We describe this as more than a firewall. The MDR-integrated firewall approach is one that we are fully embracing both with current and future releases, and you'll hear more about that if you take a look at our website. Over the past ten years, we've built one of the most popular firewalls in the industry. We've added a wealth of features in every release that customers with an Xstream Protection subscription bundle have received at no extra cost. And when it was necessary to harden the firewall in 2018 because of Pacific Rim, we took a step back from new features and allowed our engineering team to focus on making our firewall secure. Have we had vulnerabilities?
Of course, every vendor has, and we disclose them if and when they occur, but we also automatically patch them for you, which no other vendor does. As I mentioned, version 22 adds to the feature set and security, and it's available in early access today. And when you receive the recording of this session, do feel free to pause and read through all of the points because there really is a lot coming in this particular release. We have migration assistants available to help you migrate your configuration from either SonicWall or Fortinet to Sophos firewall. These are available via Sophos partners only and help with some of the heavy lifting so you don't need to recreate your configuration from scratch. And you can see an example for SonicWall here of what type of things you can migrate over. Of course, there are scenarios when a fresh installation is better, and your Sophos partner will be happy to provide guidance on that. And maybe in the future, the health check will be a great idea to use as guidance to see areas where your configuration needs improvement. Sophos has a broad portfolio of firewall appliances to suit many scenarios, from the smallish retail outlet to distributed enterprises and larger campus networks. Those of you using SonicWall may find this chart useful to get an idea of the equivalent models. And, of course, there are some SonicWall SMA devices also going end of life in November that you may also want to take a look at, because they will also need replacing. And they could potentially be replaced with a firewall plus zero trust network access, for example. Unfortunately, there's no PowerPoint slide big enough to show you all of the FortiGates going end of life, but an overview showing the equivalent models is available to our Sophos partners via the partner portal. And deployment doesn't need to be a lot of heavy lifting. Via Sophos Central, you can use zero touch deployment at no extra cost.
You start the deployment in Sophos Central by registering the device. You then ship the device to the remote location, where somebody needs to ensure it has power and Internet access, and then you can access the firewall remotely without the need for IT staff on-site. Those of you that know our SD-RED, or formerly RED, devices will recognize the simplicity of this deployment approach. If you've generated a file using a migration assistant, you can use that SonicWall file, for example, to turn your fresh new firewall into one that's fully managed in absolutely no time. Partners can even use templates to centralize deployment and save valuable time. And with that, Sophos Central becomes your hub for all management and licensing, for your firewall, and for all of your other solutions. The majority of our customers use the Xstream Protection subscription, as that offers the best value and benefits from the added features with new releases, as we saw on the previous slide. For example, in one of the last releases, we added NDR Essentials with two new network detection engines for added security, and we'll continue to enhance this and other features going forward. According to G2, Sophos was voted the number one overall firewall for the eleventh consecutive report. We're also a Customers' Choice on Gartner Peer Insights, not only for network firewalls, but also for other products. These are customer reviews that are available for you to read, and as they're already verified, they're probably a little bit more trustworthy or targeted than something you'll read on Reddit. And we have other important accolades globally and in various regions, not only for our firewall, but for many of our other solutions and services. So what should be your next steps? If you're not currently a Sophos customer, we and our partners would love to discuss how our integrated, extensible platform can help to protect your environment.
We have attractive competitive trade-in offers available to you, or check the videos from the most recent and upcoming releases to find out more, first of all, before reaching out to us. But we would love to hear from you to discuss further how we can increase your security posture and remove those firewall weak spots. And just as a closing thought, the Louvre protects art that is centuries old and irreplaceable. Your firewall protects something equally valuable: your organization's data, your reputation, and your operations. The question is, are you using multilayered, museum-grade security, or are you leaving the back door unlocked? If your firewall was so old that it belongs in a museum, you have a slightly bigger problem, but we'd be happy to help you with that too. Thank you for your time today. Thank you for listening.