Joe Levy Sophos


Joe Levy CTO at Sophos Farmington, Utah 500+ connections. Join to Connect Sophos. Report this profile Activity Huge day for us today. BinaryDefense named a market leader. Joe Levy joined Sophos as Chief Technology Officer (CTO) in February 2015. In this role he leads the company’s technology strategy worldwide, driving product vision and innovation to both enhance and simplify IT security. Joe brings more than 20 years of leadership and development expertise focused on information security.

Lightning-Fast Incident Response Minimizes Attack Damage and Reduces Recovery Time
Sophos Rapid Response Identifies First Use of Buer Malware Dropper
to Deliver Ransomware in New Wave of Ryuk Attacks

Sophos, a global leader in next-generation cybersecurity, today announced the availability of Sophos Rapid Response, an industry-first, fixed-fee remote incident response service that identifies and neutralizes active cybersecurity attacks throughout its entire 45-day term of engagement. Sophos Rapid Response provides organizations with a dedicated 24/7 team of incident responders, threat hunters and threat analysts to quickly stop advanced attacks and remove adversaries from their networks, minimizing damage and costs, and reducing recovery time.

Get citrix receiver. Citrix Workspace app is the easy-to-install client software that provides seamless, secure access to everything you need to get work done. With this free download, you easily and securely get instant access to all applications, desktops and data from any device, including smartphones, tablets, PCs and Macs. The Citrix Workspace app allows for secure, unified access to all of your SaaS apps, web apps, virtual apps, files, and desktops. If your company uses Citrix, simply login with your company credentials to access all of the resources you need to be productive from anywhere. Citrix Receiver is a suite of products that allow client devices to connect to various desktop virtualization services offered by Citrix. This article has instructions to install, configure and use windows receiver.

Sophos Rapid Response has identified the first known use of the Buer malware dropper to deliver ransomware. In new research published today from Sophos Rapid Response and SophosLabs, “Hacks for sale: Inside the Buer Loader Malware-as-a-Service,” Sophos details how Buer compromises Windows PCs, and enables attackers to deliver a payload. Sophos Rapid Response made the discovery while mitigating a recent Ryuk ransomware attack, which was detected and stopped as part of a wave of Ryuk attacks using new tools, techniques and procedures. In this incident, the relentless attackers used a new variant of Buer in an attempt to launch Ryuk ransomware, before expanding their efforts to mix the use of Buer with other types of loader malware.

“When you’re hit with an attack, time is of the essence. Every minute between initial compromise and neutralization counts as adversaries race through the attack lifecycle,” said Joe Levy, chief technology officer at Sophos. “Advanced attacks can quickly halt business operations, and IT managers who have experienced ransomware first hand know this all too well, reporting the need to spend proportionately more time on incident response and less time on threat prevention than those who haven’t been hit. Sophos Rapid Response disrupts active attacks, eliminating the complex and time consuming process of stopping determined attackers, so organizations can get back to their normal operations faster.”

Joe Levy SophosSophos

Sophos Rapid Response neutralizes a wide range of security incidents, including ransomware, network breaches, hands-on keyboard adversaries, and more. The Sophos Rapid Response team can be onboarded and activated within hours, and the majority of attacks triaged within 48 hours.

“This year, devastating ransomware attacks have unfortunately been a gold rush for cybercriminals, and it’s unlike anything the cybersecurity industry has ever experienced. Nearly 85% of the attacks that Sophos Rapid Response has been involved in thus far included ransomware – notably Ryuk, REvil and Maze – and I can say with confidence that most of the other attacks that we were called in to stop would have also resulted in ransomware had we not acted so quickly,” said Peter Mackenzie, incident response manager at Sophos. “Readily accessible tools make it possible for attackers to net bigger pay-outs in one week’s worth of work than most people will make in their lifetime. Criminals infiltrate networks and stealthily plan their attacks in the background, before strategically launching ransomware as the final payload – often during the overnight hours when no one is watching in order to execute on as many machines as possible. Sophos Rapid Response takes immediate action to extinguish the fire, which in the case of a hospital that we helped this month after it was hit by Ryuk ransomware and forced to shut down, meant the difference of life or death.”

Sophos Rapid Response is part of Sophos Managed Threat Response (MTR), a global team that provides proactive, fully-managed threat hunting, detection and response services. As one of the industry’s most widely used managed detection and response (MDR) services with more than 1,400 customers, Sophos MTR stands apart with its ability to proactively take action on an organization’s behalf to mitigate threats in real time.

Once immediate threats are neutralized during a Rapid Response engagement, the Sophos Rapid Response program shifts to continuous monitoring with around-the-clock proactive threat hunting, investigation, detection, and response from the Sophos MTR team. A threat investigation report details discoveries made, actions taken and other remediation recommendations, helping organizations understand attack origination as well as what assets were compromised, and data accessed and exfiltrated.

Sophos Rapid Response is available now to both existing and non-Sophos customers. Unlike traditional incident response and forensic services that require complex and protracted deployments with hourly pricing structures, Sophos Rapid Response is a remote offering with a fixed pricing model based on an organization’s number of users and servers. Sophos Rapid Response is also structured to accommodate businesses of all sizes, including smaller organizations, which until now have not been able to easily leverage a service such as this without requiring a retainer.

What analysts say:
“Cyberattacks are getting worse and more sophisticated. As we’ve seen this year, no one is off limits, even in a time of crisis. Organizations need to ready themselves as more than 85 percent of security professional survey respondents typically tell IDC that they have experienced at least one security breach in the past two years that involved the spending of significant extra resources to rectify,” said Frank Dickson, program vice president at IDC. “Sophos Rapid Response is an offering that no one wants until they need it. Many organizations are simply either not prepared to fight an active attack or want to respond more quickly and aggressively than internal resources alone allow. With predictable, fixed-fee pricing and the ability for same-day activation, Sophos Rapid Response provides certainty when customers want it most.”

Photo: Joe Levy, CTO, Sophos

Earlier this month, CTA was all-hands on deck for the virtual Virus Bulletin conference, aka. ‘vblocalhost,’ where we coordinated and sponsored the Threat Intelligence Practitioners’ Summit (TIPS). TIPS spanned a range of perspectives from different corners of the world and highlighted distinct approaches to threat intelligence.

If you missed the event or haven’t yet had a chance to check it out, don’t worry! TIPS is still available free and on-demand at this link.

We were delighted to welcome Sophos CTO Joe Levy to kick off the summit. Joe gave a fascinating keynote on the challenges of threat intelligence sharing framed using game theory, an approach that models strategic interactions between rational decision-makers.


“The dynamics of threat sharing have much in common with core ideas in game theoretic analysis of cooperation under competition. We can change these dynamics by understanding sharing as a game and finding leverage points that lead to more and better sharing.” — Joe Levy, Sophos

Our concluding keynote from Noortje Henrichs of the Dutch National Cyber Security Center (NCSC) offered a great window onto the work of governments in the threat intelligence space. She described not only the obstacles that NCSC faces in operationalizing and distributing actionable threat intelligence with limited resources and to diverse recipients, but also how NCSC has worked to overcome those obstacles.

“CERTs need to be able to provide threat intelligence across all levels – technical, tactical, operational, strategic – so we have people with different kinds of expertise who work together to meet this need.” — Noortje Henrichs, Dutch NCSC

Also on the menu at the TIPS track?

Of course, virtual conferences abound in 2020. Staying focused on our field and driving turnout through social media, our website, and a virtual CTA booth allowed us to get the message out about threat intelligence (and sharing) to a larger crowd than we would have reached in-person.

Joe Levy Sophos Support

We are extremely grateful to both our individual speakers and panel discussion participants for all of the time and energy that they put into the event. Similarly, we are grateful to the organizers, Virus Bulletin, for their hard work and perseverance through the uncertainty of these past few months.

Joe Levy Sophos Security

Joe Levy Sophos

Sophos Managed Threat Response

CTAintelligence sharingthreat intelligenceVirus Bulletin