Sophos ramps up hardware acceleration for TLS inspection in XGS Series firewalls

Sophos says that the improved hardware support for Transport Layer Security (TLS) inspection in its firewall appliances, added to last year’s software TLS upgrades, gives it a huge competitive advantage against encrypted threats.

Cybersecurity vendor Sophos has unveiled updated XGS Series firewall appliances. The big news here is improvements to Transport Layer Security (TLS) inspection that allow faster inspection of encrypted traffic, which is critical given the rise in the use of TLS by cybercriminals to avoid detection and launch attacks. Sophos also released new research documenting that rise.

This year’s hardware refresh of TLS capabilities complements last year’s software refresh, which improved TLS protection on the software side.

“Last year we rearchitected our software firmware, and built a new data plane on there,” said Dan Schiappa, chief product officer at Sophos. “It does a quick cursory inspection of the traffic and pushes it through either a trusted fast path for known traffic like Netflix, or a deep packet inspection engine for stuff you want to inspect, and we built a package for that. This year, we have created a new hardware platform to leverage the Xstream flow processor to the hardware and accelerate that. So last year it was all about software acceleration. This year, it’s all about hardware acceleration. It was a two-step approach, with firmware first and hardware second.”

Schiappa emphasized that these hardware enhancements to the XGS Series appliances are Sophos’ most significant hardware upgrade ever, because they give customers the ability to inspect their encrypted traffic at speed. In contrast, he said, customers still turn off the encrypted inspection capabilities of competitors, because those vendors have not resolved a longstanding problem: inspection has such severe consequences for system efficiency that customers think it is more trouble than it is worth.

The Sophos XGS appliances

“Most of the market has some ability to do a degree of encrypted inspection, but it is very resource intensive – and grinds the firewall to a halt,” he said. “Many people won’t turn that protection on because it slows the whole network down. So while competitors can ‘tick the box,’ because they can’t do it at the speed that we can, which is wire speed or near wire speed, they are not effective.” That’s critical, Schiappa said, because this year 98% of traffic is encrypted – up 25% from last year.

Concurrent with the new firewall release – but clearly not coincidentally – Sophos released a new research report entitled “Nearly Half of Malware Now Use TLS to Conceal Communications,” identifying a surge in cybercriminals using TLS in their attacks. The report found that 45% of malware detected by Sophos from January through March 2021 used TLS to conceal malicious communications – way up from the 23% Sophos reported a year ago. Sophos has also seen an increase in the use of TLS to carry out ransomware attacks in the past year, particularly with manually-deployed ransomware. The majority of malicious TLS traffic that Sophos has detected includes initial-compromise malware, such as loaders, droppers and document-based installers like BazarLoader, GoDrop and ZLoader.

“They like to use the same tools IT staff do – such as code repositories like GitHub – and then they use the encrypted communication path to communicate with that,” Schiappa noted. “All this is happening because if they use TLS traffic to hide activity, finding them is like finding a needle in a stack of needles. They can hide in plain sight with a protocol, and this also effectively hides what’s in the payload. These attackers have very much moved away from spray and pray, toward much more systematic national state-like tactics. There’s also an extortion element to it. If they steal your corporate data, and you refuse to pay a ransom because you have a safe backup of the data, they threaten to make the data public if you don’t pay. This all can happen if you don’t have a firewall that can keep up with encrypted inspection and traffic.”

Schiappa also said that unlike ransomware, where different types of vendors can offer some protection, the ability to secure TLS is much more limited.

“The only way to protect TLS is to inspect it at the network layer – or before it reaches the network at the endpoint,” he said. “Protecting it at the endpoint is hard, because there’s so much endpoint communication, they will find a route in. It all boils down to the ability to do it effectively at the network layer at scale.”

The new firewalls have some additional enhancements beyond the hardware TLS upgrades.

“We now have models with even more FleXi ports, and with high availability capabilities,” Schiappa said. “We also continue to improve our management with Sophos Central, adding new capabilities there, and around reporting, and synchronized security.”

Schiappa concluded by emphasizing that the kind of breakthrough innovation found in the new firewalls has become absolute table stakes in IT security.

“This is an industry where you cannot sit still for long, and that’s one of the reasons I love this industry,” he said. “You can become irrelevant so quickly. Our adversaries, not industry competitors, drive this pace. Our firewalls, in both hardware and software, barely resemble what they did three years ago. And less than one year after a massive leap ahead in EDR, we are doing the same on the network side.”