Sophos Acquires Capsule8

July 2021 by Marc Jacob

Sophos announced that it has acquired Capsule8, a pioneer and market leader of runtime visibility, detection and response for Linux production servers and containers covering on-premise and cloud workloads. Founded in 2016, Capsule8 is privately held and headquartered in New York, NY.

Capsule8 is dedicated solely to the development of Linux security and has established itself as a technology and thought leader in the market, with marquee customer wins and billings growth of 77% in the year to March 31, 2021. Driven by the dramatic growth in cloud platforms, Linux has become the dominant operating system for server workloads. Capsule8’s high-performance, low-impact design is ideal for Linux servers, especially those used for high-scale workloads, production infrastructure and storing critical business data.

Sophos is integrating Capsule8 technology into its recently launched Adaptive Cybersecurity Ecosystem (ACE), providing powerful and lightweight Linux server and cloud container security within this open platform. Sophos will also feature Capsule8 technology in its Extended Detection and Response (XDR) solutions, Intercept X server protection products, and Sophos Managed Threat Response (MTR) and Rapid Response services. This will further expand and enhance Sophos’ data lake and deliver continuous, fresh intelligence for advanced threat hunting, security operations and customer protection practices.

SophosLabs threat intelligence reveals that adversaries are designing tactics, techniques and procedures (TTPs) aimed specifically at Linux systems, often exploiting server software as an initial entry point. After gaining a foothold, attackers commonly deploy scripts to perform further automated actions. These could include:

• Dropping Secure Shell protocol (SSH) keys to gain direct access

• Attempting to remove existing security services

• Disabling Mandatory Access Control (MAC) frameworks, such as AppArmor and SELinux

• Adjusting or disabling server firewall rules (iptables)

• Installing post-exploit malware and configuration files

• Moving laterally via existing infrastructure with living off the land tools, such as SSH, Chef, Ansible, Salt, and Puppet

Adversaries use compromised Linux servers as cryptomining botnets or as a high-end infrastructure for launching attacks on other platforms, such as hosting malicious websites or sending malicious emails. Given that Linux servers often hold valuable data, attackers also target them for data theft and ransomware.
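As an added illustration (not Sophos or Capsule8 code), the short Python triage script below maps Linux command-audit lines to the post-exploitation categories listed above, so a batch of shell or auditd command records can be scored for these behaviours; the category names, regex patterns and sample lines are assumptions constructed for this example and are deliberately narrow, not a complete detection rule set.

```python
import re
from collections import Counter

# Illustrative patterns for the TTP categories listed in the article (assumed,
# not a product's rule set). Each is a coarse match meant for triage, not proof.
TTP_PATTERNS = {
    # Dropping SSH keys for direct access: any write or edit of authorized_keys
    "ssh_key_drop": re.compile(r"authorized_keys"),
    # Removing security services: stop/disable/mask of agents (names assumed)
    "security_service_removal": re.compile(
        r"\b(systemctl|service)\b.*\b(stop|disable|mask)\b.*\b(auditd|clamav|osqueryd)\b"),
    # Disabling MAC frameworks: SELinux permissive/disabled, AppArmor torn down
    "mac_disable": re.compile(
        r"setenforce\s+0|SELINUX=disabled|aa-teardown|\b(stop|disable|mask)\b.*\bapparmor\b"),
    # Adjusting firewall rules: iptables flush / default-ACCEPT, ufw disable
    "firewall_change": re.compile(
        r"\biptables\b.*(\s-F\b|--flush|-P\s+\w+\s+ACCEPT)|\bufw\s+disable\b"),
    # Living off the land for lateral movement via SSH or config-management tools
    "lateral_movement_lotl": re.compile(
        r"\bssh\s+\S+@\S+|\b(ansible|salt|salt-ssh|knife|puppet)\b"),
}


def classify(command: str):
    """Return the first matching TTP category for one command line, else None."""
    for name, pattern in TTP_PATTERNS.items():
        if pattern.search(command):
            return name
    return None


def score(commands):
    """Count matched categories across a batch of command lines.

    Several distinct categories inside one session (key drop, then MAC off,
    then firewall flush) is a far stronger signal than any single match,
    since admins legitimately do each of these on their own."""
    hits = Counter(c for c in map(classify, commands) if c)
    return dict(hits)


# Constructed sample of audited shell commands (no real incident data).
SAMPLE_COMMANDS = [
    'echo "ssh-ed25519 AAAA... ops" >> /root/.ssh/authorized_keys',
    "systemctl stop auditd",
    "setenforce 0",
    "iptables -F",
    'ansible all -m shell -a "id"',
    "ls -la /var/log",
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(f"{classify(cmd) or '-':26} {cmd}")
    print(score(SAMPLE_COMMANDS))
```

Running it tags the first five constructed lines with one category each and leaves the benign `ls` untagged; in practice the score would be computed per user session and raised only when multiple categories co-occur.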

Sophos expects to begin early access programs with its products and services leveraging the Capsule8 technology later this fiscal year.