Sophos acquires SurfRight
Sophos acquires SurfRight

Endpoint security provider Sophos has announced the acquisition of Netherlands based SurfRight to get access to signature-less endpoint threat detection and response (ETDR).

Kris Hagerman, CEO at Sophos
Kris Hagerman, CEO at Sophos

The deal will cost Sophos $31.8 million and it has said that it will be retaining all of SurfRight’s employees and the company offices in Hengelo, Netherlands. This is a refreshing break from most acquisitions where the first action is often to cut the administrative backbone of acquisition targets to try and recoup some of the costs.

Kris Hagerman, CEO at Sophos said: “SurfRight is a growing, profitable business with an established customer base and proven security capabilities. The team has engineered powerful, innovative next generation endpoint technologies that provide multiple advanced protection and mitigation elements, and yet are simple to use.”

What does Sophos get out of this?

SurfRight has over 20 million customers globally. Many of those are not Sophos users but will have purchased SurfRight as part of a bundle that will have included either Bitdefender Internet Security and Emsisoft. While grabbing customers is smart and will hopefully add to the bottom line for Sophos making this a quick recovery time in terms of investment, it is the HitmanPro family of products that they are really after.

HitmanPro is described as a behavioural scan and multi-vendor cloud confirmation anti-malware tool. It’s quite a mouthful and what it really means is that it sits behind your existing end-user security tools and picks up what they have missed. This is something that security teams recognise is required although end-users often misunderstand.

HitmanPro.Alert uses the tools in HitmanPro while combining them with a real-time alerting engine. It doesn’t require any signature based tool to provide a first line cover and SurfRight claim it will provide immediate protection against the most serious malware and even attempts to hack a computer by state-sponsored hackers

It is not clear if HitmanPro will remain a separate product or be assimilated into other Sophos tools. The press release talks about the Sophos Synchronised Security Strategy which went live with the XG Series Firewall. Adding the SurfRight tools to this to detect risk at the edge of the network makes sense and it could also act as a distribution point for new clients joining the network.

Data gathered would automatically be back-loaded into the Sophos SIEM solution enabling it to be analysed across the entire enterprise and highlight potential attacks. This would be very useful in determining how advanced persistent threats (APTs) were targeting the enterprise.

Signature-less and behavioural analytics are the new black

The problem with existing end-user security tools is that they are overly reliant on signatures in order to detect malware. While the majority of malware is created using the kits that are sold on the Internet, there is still a lot of new malware out there. Unless the tools know what to look for they will not detect what is being installed on the end-user computer.

To solve this there is currently an arms race taking place in the security market as vendors rush to add tools that can do behavioural analysis of users and apps. The goal is to detect when something is out of band and therefore potentially dangerous. You can liken it to credit card usage. Don’t use your card for a while and you can expect the next use to be blocked. If your card is suddenly used in Hong Kong expect a call to see where you are and if you still have your card.

The problem with behavioural is that it has to run for a while to be effective. This means that it will be gathering a lot of data around what is normal for a user. This means things such as when do you normally login? Where do you browse? Where is your data? What data do you access regularly? When you step outside of these, flags get raised. To be fair to those companies developing such solutions they are far more sophisticated than the short list above implies.

Non-signature detection is the latest magic bullet. There are a small number of security companies who are beginning to hit the market with tools that use a wide number of detection points to determine the validity of an application. They are to some degree machine-learning or cognitive solutions. While some are updated regularly others sit in the cloud and talk to the end-user device making sure that nothing unexpected gets through.

SurfRight is one of these as is Cylance who we covered recently. There are others but they are often small companies who are likely to end up owned by bigger security vendors soon so expect a rush of acquisitions in 2016 for these companies.


The arms race among security vendors is continue to get stronger. It is no longer sufficient to be targeting just end-user devices, mobile devices or the enterprise servers. Any security company that wants to survive has to deliver as complete a solution as possible. This rush to have everything is driving mergers and acquisitions in the sector and in the long-term this will be good for users as it will mean better products.

In the short-term there is a lot of integration to be done. The big challenge here will be to see how Sophos integrates SurfRight into their existing product line. Will it stay a stand-alone product? Will it become just another feature set? Will Sophos be able to capitalise on the 20 million users out there and recoup it’s investment the next time they upgrade?

While there are a lot of questions left unaddressed by the press release this is a good deal for Sophos and will help it strengthen its security product line.


Please enter your comment!
Please enter your name here