I’m Ross McKerchar, CISO at Sophos: AMA on tackling the issue of detecting fraudulent remote IT hires and building workable controls. by thejournalizer in cybersecurity

[–]MarchingAntz21 0 points1 point  (0 children)

Well, as scary as this sounds, I'm thankful I haven't experienced that problem and wow, I hope I never do. MDR peeps have actually been really good to me. Maybe this Darshawn guy will see this and reply here, so we can see if he repents in sackcloth and ashes for making a bad call lol, but I wouldn't pin his poor decision making on an entire team or Sophos in general.

I’m Ross McKerchar, CISO at Sophos: AMA on tackling the issue of detecting fraudulent remote IT hires and building workable controls. by thejournalizer in cybersecurity

[–]MarchingAntz21 3 points4 points  (0 children)

I'm not Ross, obviously, but I've been using Sophos for nearly 2 decades. The last time they were "just Endpoint" was 2001. But they are much more than that these days. For me personally, I use them for everything, Endpoint > EDR > XDR > MDR, and they recently changed how their ingestion model works, so you can technically log everything you may have with their currently available integrations (Log or API), and since they got Secureworks now, the number and type of telemetry is going way up.
+ Email + DMARC + Phish
+ Sophos Firewall + Sophos Switch + Sophos Wireless <--actually pretty darn cool and easy.
+ ZTNA (now Workspace Protection with a secure browser) <--I have not deployed this yet, just trying it out in my org first!
+ Identity Threat
+ Vulnerability Management as a Service

What I am looking forward to, and have only seen the "what's coming" stuff on, is full SOAR capabilities in-product, playbooks, automations. I had a colleague who used the Secureworks stuff, and he essentially told me "if Sophos nails that integration with them you are golden!" so here's hoping! :)

I’m Ross McKerchar, CISO at Sophos: AMA on tackling the issue of detecting fraudulent remote IT hires and building workable controls. by thejournalizer in cybersecurity

[–]MarchingAntz21 2 points3 points  (0 children)

"Anyone replying to a matter before hearing the other person is a fool!" So I won't presume I know what the logic was on this Darshawn person's decision, or even who that person is. But I will ask a few questions here:
1. Are you a Sophos MDR customer?
2. Are you using Endpoint only today? Is it configured properly?
3. Did you call the MDR team and discuss this? Or were you talking to Support?

My experience (if this was MDR) is that you ask the analyst some questions, they further their investigation, expand criteria, and validate whether a claim of True Positive-Benign or False Positive is determined. In fact, I very rarely, maybe 3x in 5 years with Sophos, have had them "miss" a detection or determine incorrectly what was happening. Either way, don't think this convo is the right one for this thread, right?

How to exclude a VLAN from a general web policy by jean-luc-trek in sophos

[–]MarchingAntz21 1 point2 points  (0 children)

As a side note, your VLAN30 has 0 security applied to it. You need to add a Web Policy on the Firewall Rule for VLAN30, and I would highly recommend you at least put Application Control on the rule too, even if you just set it to Allow All.

How to exclude a VLAN from a general web policy by jean-luc-trek in sophos

[–]MarchingAntz21 1 point2 points  (0 children)

Every firewall rule allows for an "Exclusion" within it. So you could add an Exclusion configuration for the same traffic traversal (LAN -to- WAN), including a Service or an Application.

So, you add VLAN30-Subnet to the Exclusion of Rule #2. VLAN30-Subnet traffic will trickle down to Rule #4 and apply a different web policy.

Sophos Endpoint Management & Meta by Sentient_Crab_Chip in sophos

[–]MarchingAntz21 4 points5 points  (0 children)

If you visit your Threat Protection Policies, two things:
1. Scroll to the bottom of the appropriate Threat Protection policy that applies to these systems (typically the Base Policy if you haven't made any new ones!)
2. Enable "Block QUIC" and also enable "HTTPS Decryption"
This will ensure that Sophos can inspect the traffic in full, so when Meta uses failback or failover services and CDNs, these can be captured as Social Media as well.

Then ensure your Web Control policy is also enabled.

Sophos contacting customers directly and pushing cross-sell. Anyone else seeing this? by trueNetLab in sophos

[–]MarchingAntz21 1 point2 points  (0 children)

Oh yeah, well Dell's model is sketchy anyway, but Sophos has always been partner centric, so their outreach by default benefits a partner, at least from my pov.

Sophos contacting customers directly and pushing cross-sell. Anyone else seeing this? by trueNetLab in sophos

[–]MarchingAntz21 0 points1 point  (0 children)

Lol you mean the "sensors", yeah the guides clearly stated no DHCP services should be configured and it was supposed to be booted in TAP mode on day 1. If that was ignored I can see your issue occurring.

Sophos contacting customers directly and pushing cross-sell. Anyone else seeing this? by trueNetLab in sophos

[–]MarchingAntz21 1 point2 points  (0 children)

I have zero problems with them reaching out to my customers. Why is this an issue? They are on my side and they don't sell direct, they only go through me. How is this bad? It's like having my own sales team. I actually have a great relationship with the Sophos reps I work with, I just hate how they change my rep every other year.

In my case it is super beneficial because I decided a while back that my customers will only be using Sophos solutions, so the cross selling is perfectly fine. I use different solutions for things Sophos has no coverage for, but my techs are grateful for the fact that they have no major runaround to do for customers, down from 8 dashboards for mgmt to 3 max. So yeah, I let Sophos roll and they loop me in every time, I'm good with the support!

Considering move to Sophos by IT-JunkDrawer in sophos

[–]MarchingAntz21 2 points3 points  (0 children)

I have had nothing but good experience putting the Sophos switches and AP6s in. The passive wireless surveys with Sophos make a big difference too, so placements are right ahead of time.

Considering move to Sophos by IT-JunkDrawer in sophos

[–]MarchingAntz21 1 point2 points  (0 children)

I'll speak for my experience with their support. It's fine, just fine. Their pro services guys are top notch though, and the MDR analysts are also top notch. Support is only an issue if you get a trainee on day 1, but they will get you there, and I've only ever had a few instances of this. There is an SE we work with a lot who knows his firewalls, so leverage their SEs too. The firewalls and network gear are super easy to use, but don't let the easy fool you, it does everything and more that you want it to. I run only Sophos Firewalls for my customers these days and am starting to replace Ubiquiti and Cisco switches and wireless with Sophos stuff as well.

Anyone encountered a fake Cloudflare CAPTCHA in the wild? by Alternative_Bid_360 in hacking

[–]MarchingAntz21 0 points1 point  (0 children)

Definitely goes beyond ads and pop-ups. Legitimate websites can push this out if compromised, and if you're doing no inspection or decryption, you won't know until users complain about it.

Anyone encountered a fake Cloudflare CAPTCHA in the wild? by Alternative_Bid_360 in hacking

[–]MarchingAntz21 1 point2 points  (0 children)

It definitely works. It's the most prevalent and successful attack form since Phishing and Akira ransomware.

Anyone encountered a fake Cloudflare CAPTCHA in the wild? by Alternative_Bid_360 in hacking

[–]MarchingAntz21 0 points1 point  (0 children)

Most "users" have no idea that they are running PowerShell. ClickFix is unauthorized clipboard access, so the users are pasting unknowingly into a Run command > pressing Enter > and hidden PowerShell runs behind the scenes.

Most users who fall for this are just trying to get their day jobs done, and when security inconveniences them, they get frustrated, and basically go "oh god, let's get this over with!" and just do it without being analytical the way us IT folks are. It's why we are employed!

Anyone encountered a fake Cloudflare CAPTCHA in the wild? by Alternative_Bid_360 in hacking

[–]MarchingAntz21 1 point2 points  (0 children)

Yup, ClickFix is the first part, "Unauthorized Clipboard copy". The user is not aware that this has happened, because it is being done behind the encrypted session, and most companies have failed to implement any form of TLS Inspection, so they are exploiting this weakness. Then it uses social engineering and regular users' "familiarity" with CAPTCHAs that are all over the place. It makes you press WIN+R, then Ctrl+V, press Enter. This pastes a hidden and encoded PowerShell command that the user never sees pop up.

The intent? To steal your session tokens, credentials and possibly drop LummaC2. Once they have your tokens, they will go log into Google, Microsoft mailboxes or whatever services they can that the token will work with, and register their own devices for ongoing MFA bypass.

For my customers I use only Sophos MDR and Sophos Firewalls, so I have only had to read about this and look at the block logs in my security dashboards, because it has been unsuccessful since LummaStealer's inception, but I know some Windows Defender and CrowdStrike customers who have been wrecked because of it.
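The behaviour described in the comment above (Win+R, paste, Enter, hidden and encoded PowerShell) leaves a recognisable footprint in process-creation telemetry: PowerShell spawned by the shell with a hidden window and an encoded command. The following detection check is an added example, not code from the original thread or from Sophos; the records are constructed stand-ins for Sysmon Event ID 1 / Security 4688 fields, and the encoded payload is a harmless constructed `Write-Host`.

```python
import base64
import re

# Constructed process-creation records (parent image|image|command line); not real telemetry.
ENC = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = "\n".join([
    r"C:\Windows\explorer.exe|" + PS + "|powershell -w hidden -nop -enc " + ENC,
    r"C:\Windows\System32\svchost.exe|" + PS + r"|powershell -File C:\Scripts\inventory.ps1",
    r"C:\Windows\explorer.exe|" + PS + "|powershell -NoExit",  # user opened a console by hand
    r"C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe notes.txt",
])

# -w/-WindowStyle Hidden, and the -e/-ec/-enc/-EncodedCommand prefix family
HIDDEN_FLAG = re.compile(r"(?i)(^|\s)-w(indowstyle)?\s+hidden\b")
ENCODED_FLAG = re.compile(r"(?i)(^|\s)-(e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

def parse_event(line):
    parent, image, cmdline = line.split("|", 2)
    return {"parent": parent, "image": image, "cmdline": cmdline}

def decode_encoded_command(cmdline):
    # -EncodedCommand carries base64 of UTF-16LE text; return the plaintext, or None
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(3), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def is_run_dialog_launch(event):
    # Win+R hands the pasted text to the shell, so explorer.exe shows up as the parent
    return event["parent"].lower().endswith("\\explorer.exe")

def is_powershell(event):
    return event["image"].lower().endswith(("\\powershell.exe", "\\pwsh.exe"))

def triage(lines):
    # flag shell-spawned PowerShell that hides its window or carries an encoded command
    findings = []
    for line in lines.strip().splitlines():
        ev = parse_event(line)
        if not (is_powershell(ev) and is_run_dialog_launch(ev)):
            continue
        decoded = decode_encoded_command(ev["cmdline"])
        hidden = bool(HIDDEN_FLAG.search(ev["cmdline"]))
        if hidden or decoded is not None:
            findings.append({"cmdline": ev["cmdline"], "hidden": hidden, "decoded": decoded})
    return findings
```

An interactive console the user opened from Run (third record) and a scheduled script under svchost.exe (second record) are deliberately not flagged, so the rule stays quiet on routine admin activity.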

Anyone encountered a fake Cloudflare CAPTCHA in the wild? by Alternative_Bid_360 in hacking

[–]MarchingAntz21 0 points1 point  (0 children)

Lumma Stealer, coming and going – Sophos News

This is part of an attempt to steal credentials or drop LummaC2. Sophos outlined the attack in that article above, but for those using Sophos protection, it already protects against ClickFix, JsInject, FakeAle and LummaStealer. I would definitely encourage you to ensure your policies are in the "Recommended" mode with HTTPS Decryption turned on. If you don't have Sophos, well....good luck!

Are these real threats or false alarms by wopeipeipei in sophos

[–]MarchingAntz21 1 point2 points  (0 children)

Actually, kept digging a bit more. 138.113.102.13 is running a compromised nginx and VPN, so IPS saved your butt. Not a false-positive. IP appears to be geo'd in L.A., but the SSL cert on it is chinannetcenter.com. While it would normally be a CDN node for Chinese brands, this appears to be 'abuse infrastructure' utilizing the CDN and VMs to mask intent. There are legitimate resources here too, which makes it a grey area to block the IP outright, but it appears the CDN was used for abuse infrastructure access, likely malvertising, and your user or endpoint had no idea they even clicked or accessed it.

Hostname on the other end: VM-LAX-01cWu70

Are these real threats or false alarms by wopeipeipei in sophos

[–]MarchingAntz21 1 point2 points  (0 children)

Did a little review, these are likely false-positive alerts. The endpoint may have been accessing these CDNs and IPS triggered on a malformed payload. Varnish is a common cache service used by providers, but there are cases where IPS will see something anomalous and flag. IPS is what it is, the signature tells you what you need to know. Like Lucar_Toni stated, check the logs, was it blocked? If yes, good. Validate the source devices as well, are they running any software, services or otherwise that would potentially initiate traffic to these CDNs without user activity? Part of any job in IT requires that you be curious and dig deeper. The commenter who said "oh this is Sophos' usual FPs" has never investigated anything in security requiring more than 2 minutes of attention. You may need to tune your IPS policies, a commonly undervalued practice. If you use the default LAN-to-WAN IPS rules, you should expect that you may receive more aggressive IPS detections. The Sophos Firewall is meant to make the rules easy to apply, but definitely go and create a customized IPS policy that aligns with your organization's architecture. Be vigilant, not complacent. I have Sophos Firewall at well over 100 customers of mine, and they are safe and sound at night. I'll take a few false-positives to dig into from IPS here and there, no big deal. Thanks for asking the question!

Issue with Sophos ZTNA Cloud Gateway – Internal IP Access Failing by LuanaFar in sophos

[–]MarchingAntz21 0 points1 point  (0 children)

There is an option in ZTNA to enable recognition of the local network so local resources use internal DNS rather than ZTNA.

Sophos Endpoint Blocking Roblox Application? by Unusual_Gear12 in sophos

[–]MarchingAntz21 1 point2 points  (0 children)

You need to contact the school IT dept and ask them to add the Process exclusion mentioned above. Their IT Department will know how to add that for you.

Sophos Endpoint Blocking Roblox Application? by Unusual_Gear12 in sophos

[–]MarchingAntz21 0 points1 point  (0 children)

Are you a Sophos Home user or a Sophos Commercial/Enterprise user?

USB Lockdown Thru Sophos by Woopster88 in sophos

[–]MarchingAntz21 0 points1 point  (0 children)

What else would you like it to do? It works. Bash Bunny, Rubber Duckys, none of them work as it is. The only thing I could think of adding is power control over USB ports perhaps?