Capsule8, a pioneer in runtime visibility, detection, and response for Linux production servers and containers supporting on-premise and cloud workloads, has been acquired by cybersecurity company Sophos. Capsule8 is a privately held company based in New York, NY, that was founded in 2016.

Listen to the news story

Capsule8 is entirely focused on the development of Linux security. Linux is a popular operating system for server workloads thanks to the rapid expansion of cloud platforms. Financial terms of this acquisition were not disclosed.

“Sophos already protects more than two million servers for over 85,000 customers worldwide, and the Sophos server security business is growing at more than 20% per year,” said Dan Schiappa, Chief Product Officer, Sophos. “Comprehensive server protection is a crucial component of any effective cybersecurity strategy that organizations of all sizes are increasingly focused on, especially as more workloads move to the cloud. With Capsule8, Sophos is delivering advanced, differentiated solutions to protect server environments, and expanding its position as a leading global cybersecurity provider.”

Linux Servers

The high-performance, low-impact architecture of Capsule8 would be ideal for Linux servers, particularly those that are utilized for high-scale workloads, production infrastructure, and storing sensitive corporate data.

“The main idea behind Capsule8 is that providing enterprise-grade security for Linux server systems requires deploying components that are designed specifically for that environment. These components are more adept at making the trade-offs between security and performance when needed, to achieve the desired levels of resilience and protection,” said Fernando Montenegro, principal research analyst with 451 Research, part of S&P Global Market Intelligence, in reference to Capsule8’s solutions. “As organizations move to embrace concepts such as cloud-based delivery and DevOps, the underlying compute environments shift noticeably toward Linux as a frequent execution environment. For security teams, often more familiar with Windows-centric concepts, this represents a potential challenge – there are different demands, concepts and practices for Linux. This is the space that Capsule8 aims to address with its endpoint security offering, combining an architecture optimized for Linux with more features aimed at enterprise security and IT operations teams.”

Sophos Adaptive Cybersecurity Ecosystem

Photo Dan Schiappa, Chief Product Officer, Sophos
“Comprehensive server protection is a crucial component of any effective cybersecurity strategy that organizations of all sizes are increasingly focused on, especially as more workloads move to the cloud,” said Dan Schiappa, Chief Product Officer, Sophos.

Sophos is integrating Capsule8 technology into its Adaptive Cybersecurity Ecosystem (ACE), which provides lightweight Linux server and cloud container protection inside an open platform. Sophos’ Extended Detection and Response (XDR) solutions, Intercept X server protection products, and Sophos Managed Threat Response (MTR) and Rapid Response services will all use Capsule8 technology.

Sophos’ data lake will be expanded and enhanced, delivering continuous, fresh insight for advanced threat hunting, security operations, and client protection procedures.

“Capsule8 is the premiere purpose-built detection and response platform for Linux. We provide security teams with the crucial visibility they need to protect Linux production infrastructure against unwanted behavior, while at the same time addressing cost, performance and reliability concerns,” said John Viega, Chief Executive Officer (CEO) at Capsule8. “We’ve innovated new approaches to deliver runtime security in a much safer and more cost-effective way than anyone else in the industry. With Capsule8’s technology, organizations are no longer forced to choose between system stability and security risk. Given the growth and mission-critical nature of Linux environments, and the fast-changing, targeted threat landscape, organizations must be confident that their Linux environments are both performant and secure.”

Attacks on Linux Server Systems

According to SophosLabs threat intelligence, attackers are developing designing tactics, techniques and procedures (TTPs) geared particularly against Linux server systems, with server software serving as a common entry point. After getting a footing, attackers frequently use scripts to carry out more automated tasks. These might include the following:

  • Dropping Secure Shell protocol (SSH) keys to gain direct access
  • Attempting to remove existing security services
  • Disabling Mandatory Access Control (MAC) frameworks, such as AppArmor and SELinux
  • Adjusting or disabling server firewall rules (iptables)
  • Installing post-exploit malware and configuration files
  • Moving laterally via existing infrastructure with living off the land tools, such as SSH, Chef, Ansible, Salt, and Puppet

According to Sophos, compromised Linux servers are used by attackers as cryptomining botnets or as high-end infrastructure for launching attacks on other platforms, such as hosting malicious websites or sending malicious emails. Because Linux servers frequently store sensitive information, they are frequently targeted by hackers for data theft and ransomware.

“Attackers today are incredibly aggressive and nimble as they adapt their TTPs to focus on the easiest, largest or fastest-growing opportunities. As more organizations shift to Linux servers, adversaries have noticed, and they are adapting and customizing their approaches to attack these systems,” added Dan Schiappa. “To stay protected, organizations must factor in a strong, but lightweight layer of Linux security that automatically integrates and shares intelligence with endpoint, network and other security layers and platforms within an estate. We will provide this industry-leading capability and strategically important visibility and detection by combining Capsule8 with our Adaptive Cybersecurity Ecosystem products and services, greatly enhancing the ability to find and eliminate suspicious activity before it becomes malicious.”

Sophos plans to launch early access programs for its Capsule8-powered products and services later this fiscal year.