Reseller finds itself piggy in the middle in Sophos and Cylance dispute

Rogue employee of mutual reseller supposedly provided Sophos with access to Cylance's products

An unnamed reseller has been caught in the crossfire of a heated dispute between Sophos and end-point security rival Cylance.

A war of words broke out between the two vendors last week after Sophos posted a video showing how both Sophos Endpoint and CylancePROTECT work against malware. The video, which has since been deleted, showed the Sophos solution performing better than the Cylance solution.

Security blogger Graham Cluley said the Sophos video was very similar to videos done by Cylance demonstrating how its products fare against malware compared with other anti-virus products.

"In the Sophos video you see Cylance performing quite poorly and Sophos performing very well. But of course when Cylance gives its own presentations it is the other way around," he explained.

After the video went live, Cylance released a blog post about a "legacy AV vendor" which it says obtained its product to "purposely hobble it in an attempt to discredit our technology".

In the blog it said: "When you go about successfully disrupting an industry, it doesn't take long for the competition to come after you with pitchforks. We're flattered by the attention we receive from legacy AV vendors, and we take these attacks as a sign of respect for what we've accomplished."

The blog claimed that a "rogue employee" of a mutual reseller partner provided Sophos with access to Cylance's product. It also claimed that key features were disabled to affect the product's performance.

"Our original intention was simply to check the validity of the claims presented by the competitor," the blog stated. "The video crafted did not obfuscate any of the data. That made it easy for Cylance to retrace their steps, identify the partner, examine the policies applied to the accounts and prove that the resulting video was fraudulent."

In a statement to CRN, Dan Schiappa, general manager of Sophos Enduser Security Group, who featured in the video, said the film was an effort to test Cylance's products after Cylance "failed to participate in virtually any third-party tests".

"For months Cylance has been making bold claims in various forums, including public demonstrations, where they stage well-choreographed battles against other IT security vendors, including Sophos," he said. "The exhibition ends with Cylance delivering near-perfect scores while everyone else (predictably) shows lacklustre results.

"Yet Cylance has failed to participate in virtually any third-party tests to validate these claims. In an effort to test Cylance's claims, Sophos recently released a video presenting some test results of threat protection and detection by Sophos with Cylance. We conducted the test in good faith, as transparently as we could. The results demonstrated that Sophos was able to protect against nine of the most common attack vectors used by cybercriminals today, including ransomware, whereas Cylance was not."

Schiappa said that Sophos removed the video only at the request of the mutual reseller partner, and stressed that it was not because they believed anything was inaccurate.

"We understand the reseller was threatened by Cylance with retribution and feared legal action," he said. "We respect our partners and removed the video only out of consideration to them, not because we believe the information presented is inaccurate. Sophos has not been contacted directly by Cylance to refute the results of our test. We would welcome a productive conversation with Cylance to discuss our testing method and configurations used. If Cylance believes the configuration settings were somehow incorrect, we would be happy to reconfigure and rerun the test."

Cluley said this is an example of why there should be more independent testing done on security solutions.

"I think whenever vendors get into a slanging match like this, it looks bad on both vendors. I think you would be right to be sceptical about Sophos' video, and you would be right to be sceptical about any Cylance demo you see as well. What we really need are competent independent testers who haven't been paid by Cylance or Sophos.

"There have been accusations on both sides - Sophos claimed that in Cylance's presentation some features of Sophos were turned off and Cylance counter-punched that by saying that's what happened when Sophos tested their products. I have no idea if any of it is true. What I do know is we can't really trust the vendors; we need independent testing agencies to do these things."

James Miller, managing director of Foursys, a Sophos partner, said that despite the rivalry, he hasn't seen any Sophos customers switching to Cylance yet.

"Cylance's technology sounds good and interesting. People are impressed and take it on board, then usually after a year or two perhaps it isn't quite doing what everyone thought it was going to do. I haven't heard of any of our customers looking to jump ship or take on Cylance at the moment," he said.