Sophos on Wednesday launched a new task force within the company that combines the security vendor's threat response, research and AI teams into a comprehensive unit.
According to the company, Sophos X-Ops "leverages the predictive, real-time, real-world and deeply researched threat intelligence from each group, which, in turn, collaborate to deliver stronger, more innovative protection, detection and response capabilities." The SophosLabs, Sophos SecOps and Sophos AI teams making up X-Ops will continue to exist as independent entities.
Sophos CTO Joe Levy described the team as a "meta organization" and a task force during an interview with SearchSecurity, explaining that X-Ops was formed in part to enhance information sharing between the three business units.
"One of the well-known friction points within not just cybersecurity but any kind of intelligence operation is that sometimes you can possess the right intelligence, but if you can't get it to the right people who then put it to the right use, it doesn't really do you any good," he said.
"Something that was very important to us was that these teams would work together without any kind of data or process silos," Levy continued. "This is effectively the culmination of a few years of us bringing these three teams together and developing those sorts of communication organizational paradigms."
The longer-term goal of the Sophos X-Ops team is to create an AI-assisted security operations center that takes data generated by SophosLabs and analyzes it via a combination of AI and human defenders on the threat response team. Levy said the AI aspect specifically will make it easier to process large amounts of threat information and use it to make threat response decisions more quickly.
Craig Robinson, research vice president at analyst firm IDC, said he saw X-Ops as a "silo-busting endeavor" that encourages different parts of Sophos to work together and foster an environment that is proactive against threats rather than reactive. He also emphasized Sophos' AI push.
"Speed really does matter in the security space," Robinson told SearchSecurity. "Being able to utilize AI to proactively recognize actions an analyst is going to take will speed things up, and that requires a lot of investment."
Levy discussed a shift in recent years from pure incident response services to broader cybersecurity triages that respond to attacks while strengthening overall security posture. He said the shift is "a manifestation of an ounce of prevention being worth a pound of cure."
"If you find bad things earlier, you reduce the cost of the bad thing fundamentally. We're absolutely seeing that occurring now," he said. "Incident response is going to remain necessary for the foreseeable future. We don't see that going away at all. But we do think that it's possible to detect things earlier to reduce the cost of these kinds of incidents by bringing to bear these kinds of advancements that, again, we think can be done more effectively and more efficiently than previous paradigms."
Collaborative efforts to improve threat information sharing have become common in recent years, though such efforts have typically been in the public sector or featured multivendor consortiums like the Cyber Threat Alliance. Last year, the U.S. Department of Justice created the Ransomware and Digital Extortion Task Force, which combined efforts from various DOJ departments to more aggressively address the threat of ransomware gangs.
Also in 2021, the Cybersecurity and Infrastructure Security Agency launched the Joint Cyber Defense Collaborative, which was designed to improve information sharing and cooperation between the public sector and cybersecurity vendors.
Alexander Culafi is a writer, journalist and podcaster based in Boston.