The Importance of Re-creating In-the-Wild Infection Conditions for Testing Multi-Layered Security Products Mark Kennedy Ma...
Overview Current Trends 1 Traditional Static Analysis 2 Proactive Static Analysis 3 Dynamic Analysis 4 Lab Bias 5
Problem Statement <ul><li>Current testing methods only exercise a portion of security suites </li></ul><ul><ul><li>Heavily...
Current Trends <ul><li>Types and Techniques </li></ul><ul><li>Obfuscation Techniques </li></ul><ul><ul><li>Polymorphism </...
Traditional Testing Method <ul><li>Primarily Static Analysis </li></ul><ul><li>Large directory of Zoo and ITW samples </li...
Traditional Testing Method <ul><li>Pros for Traditional Static Analysis </li></ul><ul><ul><li>Fast </li></ul></ul><ul><ul>...
Proactive Static Analysis <ul><li>Tested using Traditional Testing Method </li></ul><ul><ul><li>Freeze Virus signatures </...
Proactive Static Analysis <ul><li>Pros </li></ul><ul><ul><li>Detect threats prior to execution </li></ul></ul><ul><ul><li>...
Results: <ul><li>Current testing methods are becoming less meaningful </li></ul><ul><ul><li>Only testing a portion of the ...
Multi-Layered Security Products <ul><li>Defense in Depth </li></ul><ul><ul><li>Firewall </li></ul></ul><ul><ul><li>Host ba...
Symantec Client Layered Protection Architecture Page  OS & Application Vulnerabilities Targeted Attacks & Insider Threats ...
A Word about Success <ul><li>Correct Decision making </li></ul><ul><ul><li>Blocks threat at earliest possible point </li><...
You All Remember This
Defense in Depth:  Firewall <ul><li>First line of defense </li></ul><ul><li>Inbound </li></ul><ul><ul><li>Prevents threats...
Defense in Depth:  Host Based IPS <ul><li>Analysis of network blocks </li></ul><ul><ul><li>Blocks malicious behavior  </li...
Defense in Depth:  Buffer Overflow Protection / Browser Exploit Protection <ul><li>Protect against Drive-by Downloads </li...
Defense in Depth:  Real-time File Scanning <ul><li>Scans files when created or accessed </li></ul><ul><li>Known signature ...
Defense in Depth:  Shields <ul><li>Monitor known hook points in OS </li></ul><ul><ul><li>Can look for suspicious hook poin...
Defense in Depth:  Behavior Blocking <ul><li>Closely related to Shields </li></ul><ul><li>Can monitor how executables arri...
An Analogy:  Automobile Safety <ul><li>Past </li></ul><ul><ul><li>Safety was defined by seat belts </li></ul></ul><ul><ul>...
Scoring Gradient:  File Based Threat Never executes Executes but cannot communicate Communicates but is automatically remo...
Detractions <ul><li>Blocks which require user interaction should score lower </li></ul><ul><ul><li>Asking the user to make...
This All Leads To… <ul><li>Dynamic Testing:  Testing real threats on real machines </li></ul><ul><li>Other Industries have...
Dynamic Testing <ul><li>Running real threats on real machines </li></ul><ul><ul><li>This is the acid test </li></ul></ul><...
Dynamic Testing (continued) <ul><li>Introduction vector and mode of execution important </li></ul><ul><ul><li>If a threat ...
Discreet Dynamic Testing <ul><li>Isolate proactive portions of a product </li></ul><ul><li>Prevent signature update </li><...
Dynamic Testing:  Benefits <ul><li>Lab results better match real world </li></ul><ul><ul><li>Understand Lab Bias </li></ul...
Lab Biases <ul><li>Platform </li></ul><ul><li>Method of introduction </li></ul><ul><li>Method of invocation </li></ul><ul>...
Lab Biases:  Platform <ul><li>VMWare and Virtual PC </li></ul><ul><ul><li>Threats may detect that they are executing in a ...
Lab Bias: Method of Introduction <ul><li>Circumstances by which a threat is introduced to a system may be important </li><...
Lab Bias:  Method of Invocation <ul><li>Automatic vs. manual vs. very manual </li></ul><ul><ul><li>Automatic </li></ul></u...
Lab Bias:  Internet Connectivity <ul><li>Many threats need to phone home </li></ul><ul><li>Establish connection for Comman...
Lab Bias:  Definition Rollback or Freeze <ul><li>Tests some aspect of heuristic/behavior detection </li></ul><ul><li>Artif...
Dynamic Testing:  “Do”s <ul><li>Configure machines to natural conditions </li></ul><ul><ul><li>Test with unpatched OS </li...
Dynamic Testing:  “Don’t”s <ul><li>Just scan the file and conclude effectiveness </li></ul><ul><ul><li>Many other layers m...
Summary <ul><li>Threats have changed </li></ul><ul><li>Testing methodology must also change </li></ul><ul><ul><li>Better s...
Questions?
Presentation Identifier Goes Here Copyright © 2007 Symantec Corporation. All rights reserved.  Symantec and the Symantec L...
Upcoming SlideShare
Loading in …5
×

Active Testing

1,971 views

Published on

Presented at the International Antivirus Testing Workshop 2007 by Mark Kennedy, Distinguished Engineer, Symantec

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,971
On SlideShare
0
From Embeds
0
Number of Embeds
55
Actions
Shares
0
Downloads
642
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide
  • Active Testing

    1. 1. The Importance of Re-creating In-the-Wild Infection Conditions for Testing Multi-Layered Security Products Mark Kennedy May 15 th , 2007
    2. 2. Overview Current Trends 1 Traditional Static Analysis 2 Proactive Static Analysis 3 Dynamic Analysis 4 Lab Bias 5
    3. 3. Problem Statement <ul><li>Current testing methods only exercise a portion of security suites </li></ul><ul><ul><li>Heavily geared toward static file scanning </li></ul></ul><ul><ul><ul><li>Signatures </li></ul></ul></ul><ul><ul><ul><li>Packers </li></ul></ul></ul><ul><ul><ul><li>Emulators </li></ul></ul></ul><ul><li>New types of Security Suites require new types of testing </li></ul><ul><ul><li>Multiple layers protection </li></ul></ul><ul><ul><li>Existing testing methods test only a portion of these solutions </li></ul></ul>
    4. 4. Current Trends <ul><li>Types and Techniques </li></ul><ul><li>Obfuscation Techniques </li></ul><ul><ul><li>Polymorphism </li></ul></ul><ul><ul><li>Metamorphism </li></ul></ul><ul><ul><li>Packed Variant </li></ul></ul><ul><ul><li>In Memory only Threats (no on disk footprint) </li></ul></ul><ul><li>Yesterday’s Threats </li></ul><ul><ul><li>File Infectors </li></ul></ul><ul><ul><li>Mass Mailing Worms </li></ul></ul><ul><ul><ul><li>VB Script </li></ul></ul></ul><ul><ul><ul><li>SMTP Mass Mailers </li></ul></ul></ul><ul><li>Current Threats </li></ul><ul><ul><li>Non Self Replicating </li></ul></ul><ul><ul><li>Targeted Attacks </li></ul></ul><ul><ul><ul><li>Threats created for a specific target </li></ul></ul></ul><ul><ul><li>File Infectors and Worms decline </li></ul></ul><ul><li>Motivations and Payloads </li></ul><ul><li>Yesterday’s Threats </li></ul><ul><ul><li>Spreading </li></ul></ul><ul><ul><li>Fame (infamy) </li></ul></ul><ul><ul><ul><li>Making the news </li></ul></ul></ul><ul><ul><li>Vandalism </li></ul></ul><ul><li>Current Threats </li></ul><ul><ul><li>Monetary gain </li></ul></ul><ul><ul><ul><li>Bancos </li></ul></ul></ul><ul><ul><ul><li>Identity theft </li></ul></ul></ul><ul><ul><li>Long lasting control of the machine </li></ul></ul><ul><ul><li>High value assets of specific machines </li></ul></ul>
    5. 5. Traditional Testing Method <ul><li>Primarily Static Analysis </li></ul><ul><li>Large directory of Zoo and ITW samples </li></ul><ul><li>Extensions modified to prevent accidental execution </li></ul><ul><li>Names changed to indicate threat or family </li></ul>
    6. 6. Traditional Testing Method <ul><li>Pros for Traditional Static Analysis </li></ul><ul><ul><li>Fast </li></ul></ul><ul><ul><ul><li>Helps meet tight deadlines </li></ul></ul></ul><ul><ul><li>Well understood </li></ul></ul><ul><ul><li>Large existing collections </li></ul></ul><ul><li>Cons for Traditional Static Analysis </li></ul><ul><ul><li>Highly dependent on signatures </li></ul></ul><ul><ul><li>Limited heuristics due to threat not actually executing on a live system </li></ul></ul><ul><ul><li>Vulnerable to obfuscation </li></ul></ul><ul><ul><li>Limited effectiveness to truly new threats </li></ul></ul>
    7. 7. Proactive Static Analysis <ul><li>Tested using Traditional Testing Method </li></ul><ul><ul><li>Freeze Virus signatures </li></ul></ul><ul><ul><li>Rollback Virus signatures </li></ul></ul><ul><li>Windows emulators </li></ul><ul><ul><li>NOD32 </li></ul></ul><ul><li>Sand Box Emulators </li></ul><ul><ul><li>BitDefender </li></ul></ul><ul><ul><li>Norman Sandbox </li></ul></ul>
    8. 8. Proactive Static Analysis <ul><li>Pros </li></ul><ul><ul><li>Detect threats prior to execution </li></ul></ul><ul><ul><li>Detect threats without signatures </li></ul></ul><ul><ul><li>Can bypass some obfuscation techniques </li></ul></ul><ul><li>Cons </li></ul><ul><ul><li>Performance intensive </li></ul></ul><ul><ul><li>Vulnerable to sophisticated obfuscation techniques </li></ul></ul><ul><ul><ul><li>Obfuscators which make use of obscure APIs cannot be emulated </li></ul></ul></ul><ul><ul><ul><li>Obfuscators which make use of obscure instructions can fool them </li></ul></ul></ul><ul><ul><ul><li>Malcode can detect the emulator and change its behavior </li></ul></ul></ul><ul><ul><ul><li>Threat could require a minimum number of executions or time prior to becoming active </li></ul></ul></ul>
    9. 9. Results: <ul><li>Current testing methods are becoming less meaningful </li></ul><ul><ul><li>Only testing a portion of the Security Suite </li></ul></ul><ul><ul><li>Individual results are accurate, but do not fully reflect the true customer experience </li></ul></ul><ul><li>Reliability </li></ul><ul><ul><li>Static testing has become unreliable due to the increased dynamic nature of malware </li></ul></ul><ul><li>Bottom line: Current tests are not producing as Customer-relevant results as they could </li></ul>
    10. 10. Multi-Layered Security Products <ul><li>Defense in Depth </li></ul><ul><ul><li>Firewall </li></ul></ul><ul><ul><li>Host based Intrusion Prevention </li></ul></ul><ul><ul><li>Buffer Overflow Protection / Browser Exploit Protection </li></ul></ul><ul><ul><li>Real-time file scanning </li></ul></ul><ul><ul><li>Shields </li></ul></ul><ul><ul><li>Behavior Blocking </li></ul></ul>
    11. 11. Symantec Client Layered Protection Architecture Page OS & Application Vulnerabilities Targeted Attacks & Insider Threats Malware & Spyware Zero Day Threats My Only Marketing Slide (I promise) Network Filtering “Block threats before they impact the client” Behavior Blocking “Police execution activity” Storage Filtering “Don’t let threats persist!”
    12. 12. A Word about Success <ul><li>Correct Decision making </li></ul><ul><ul><li>Blocks threat at earliest possible point </li></ul></ul><ul><ul><li>Low False Positive rate </li></ul></ul><ul><li>Automatic decision making </li></ul><ul><ul><li>No prompting/asking for permission </li></ul></ul><ul><ul><li>Most users are not qualified to answer correctly </li></ul></ul><ul><ul><li>May become fatigued </li></ul></ul><ul><ul><li>Turn solution off </li></ul></ul>
    13. 13. You All Remember This
    14. 14. Defense in Depth: Firewall <ul><li>First line of defense </li></ul><ul><li>Inbound </li></ul><ul><ul><li>Prevents threats from getting onto the machine by: </li></ul></ul><ul><ul><ul><li>Blocking known C&C ports </li></ul></ul></ul><ul><ul><ul><li>Blocking ports used by non-essential services e.g. RPC </li></ul></ul></ul><ul><li>Outbound: </li></ul><ul><ul><li>If threats cannot communicate their damage can be limited </li></ul></ul><ul><ul><li>Application control. Only allow known, authorized applications. </li></ul></ul>
    15. 15. Defense in Depth: Host Based IPS <ul><li>Analysis of network blocks </li></ul><ul><ul><li>Blocks malicious behavior </li></ul></ul><ul><ul><li>Lets good behavior through </li></ul></ul><ul><li>Detect and block known Command and Control sequences </li></ul><ul><ul><li>Outbound </li></ul></ul><ul><ul><li>Inbound </li></ul></ul><ul><li>Detect incoming vulnerability exploit attacks </li></ul><ul><ul><li>Known signatures </li></ul></ul><ul><ul><li>Generic exploit signatures </li></ul></ul><ul><ul><ul><li>A generic signature can block an entire family </li></ul></ul></ul>
    16. 16. Defense in Depth: Buffer Overflow Protection / Browser Exploit Protection <ul><li>Protect against Drive-by Downloads </li></ul><ul><ul><li>One of the most popular vectors for malware to get on the machine. </li></ul></ul><ul><ul><li>Any website is vulnerable, even trusted ones! Therefore any user can be infected, even if they only visit trusted websites. </li></ul></ul><ul><li>Prevents exploits in malicious HTML, VML etc. </li></ul><ul><li>Detect buffer overflows in Browser script </li></ul><ul><li>Detect abuse of Browser ActiveX objects </li></ul><ul><li>BID 22680 (http://www.securityfocus.com/bid/22680) </li></ul><ul><ul><li>Microsoft Internet Explorer OnUnload Javascript Browser Entrapment Vulnerability </li></ul></ul>
    17. 17. Defense in Depth: Real-time File Scanning <ul><li>Scans files when created or accessed </li></ul><ul><li>Known signature detection </li></ul><ul><li>Static Heuristic analysis </li></ul><ul><li>Can analyze file prior to any access </li></ul>
    18. 18. Defense in Depth: Shields <ul><li>Monitor known hook points in OS </li></ul><ul><ul><li>Can look for suspicious hook points </li></ul></ul><ul><ul><li>Can detect “over” hooking </li></ul></ul><ul><li>Monitor interactions with other processes on the system </li></ul><ul><ul><li>Detect injection, both direct and through Windows Hooks </li></ul></ul><ul><ul><li>Detect attempts to terminate security processes </li></ul></ul><ul><li>Monitor tampering with security settings </li></ul><ul><ul><li>Attempts to disable firewall </li></ul></ul><ul><ul><li>Attempts to add self to firewall exceptions </li></ul></ul><ul><li>Monitor tampering with HOSTS file </li></ul>
    19. 19. Defense in Depth: Behavior Blocking <ul><li>Closely related to Shields </li></ul><ul><li>Can monitor how executables arrive on system </li></ul><ul><li>Can correlate actions across numerous shield points </li></ul><ul><li>Can detect collaboration between multiple processes </li></ul><ul><li>Have a holistic view of system and interactions </li></ul><ul><li>Has the context necessary to make correct decisions </li></ul>
    20. 20. An Analogy: Automobile Safety <ul><li>Past </li></ul><ul><ul><li>Safety was defined by seat belts </li></ul></ul><ul><ul><li>Tests checked seat belts in isolation </li></ul></ul><ul><li>Current </li></ul><ul><ul><li>Auto safety is a system </li></ul></ul><ul><ul><ul><li>Anti-lock brakes (ABS) </li></ul></ul></ul><ul><ul><ul><li>Steering stabilization </li></ul></ul></ul><ul><ul><ul><li>Crumple zones </li></ul></ul></ul><ul><ul><ul><li>Airbags (driver, passenger, side) </li></ul></ul></ul><ul><ul><ul><li>Seat belts </li></ul></ul></ul>Is it fair to say one car is safer than another based only on seat belts?
    21. 21. Scoring Gradient: File Based Threat Never executes Executes but cannot communicate Communicates but is automatically removed Communicates but is removed by definitions Communicates and is never detected / cannot be removed Content never reaches box Never impact Impact, but no damage (bumper) Impact, but no injuries Minor injuries, victims walk away Major injuries, but survive Some Fatalities Fatalities, car explodes, kills bystanders
    22. 22. Detractions <ul><li>Blocks which require user interaction should score lower </li></ul><ul><ul><li>Asking the user to make decisions is problematic </li></ul></ul><ul><li>Blocks which require updates should score lower </li></ul><ul><ul><li>Effectiveness subject to delays </li></ul></ul><ul><li>False positives should score lower </li></ul><ul><ul><li>User will lose confidence </li></ul></ul><ul><ul><li>May impact productivity </li></ul></ul>
    23. 23. This All Leads To… <ul><li>Dynamic Testing: Testing real threats on real machines </li></ul><ul><li>Other Industries have adopted </li></ul><ul><li>Auto industry stages real crashes with real cars </li></ul><ul><li>Airline industry stages real crashes with real airplanes </li></ul>
    24. 24. Dynamic Testing <ul><li>Running real threats on real machines </li></ul><ul><ul><li>This is the acid test </li></ul></ul><ul><ul><li>This is what matters to customers </li></ul></ul><ul><li>Running on real internet </li></ul><ul><ul><li>Many new threats need to phone home, or make contact in some way </li></ul></ul><ul><ul><li>Many of today’s threats are primarily a threat to the machine they are running on, not to others (at least initially) </li></ul></ul><ul><ul><ul><li>Retrieving information off the test machine does no harm </li></ul></ul></ul><ul><ul><ul><li>Only threats like spam bots which become active would be an issue, and that can be mitigated </li></ul></ul></ul><ul><ul><li>Some threats are dangerous, so you must know </li></ul></ul>
    25. 25. Dynamic Testing (continued) <ul><li>Introduction vector and mode of execution important </li></ul><ul><ul><li>If a threat arrives from email and expects to be launched as an attachment, launching it another way may change its behavioral profile </li></ul></ul><ul><ul><li>If a threat arrives via a browser exploit, then it should be created and launched by the browser </li></ul></ul><ul><ul><li>The firewall must be configured just like the customer would for their environment </li></ul></ul><ul><ul><ul><li>In a home network environment, most customers put machines on their home network into the trusted zone. </li></ul></ul></ul><ul><ul><ul><li>This would automatically open up ports that are normally closed by the firewall. </li></ul></ul></ul><ul><ul><ul><li>Any machine that is infected on that network could infect this machine. </li></ul></ul></ul>
    26. 26. Discreet Dynamic Testing <ul><li>Isolate proactive portions of a product </li></ul><ul><li>Prevent signature update </li></ul><ul><ul><li>Side effect: This may prevent product update </li></ul></ul><ul><li>Detections likely to have generic names </li></ul><ul><ul><li>Bloodhound </li></ul></ul><ul><ul><li>Variant </li></ul></ul><ul><ul><li>Exploit </li></ul></ul><ul><ul><li>Newmalware </li></ul></ul><ul><ul><li>Unknown </li></ul></ul>
    27. 27. Dynamic Testing: Benefits <ul><li>Lab results better match real world </li></ul><ul><ul><li>Understand Lab Bias </li></ul></ul><ul><ul><li>Take steps to limit it </li></ul></ul><ul><li>Greater Credibility </li></ul><ul><ul><li>Static testing is not as accurate a reflection of user experience </li></ul></ul><ul><li>Customer relevant results </li></ul><ul><li>System testing methodology </li></ul><ul><ul><li>Legacy testing methods have inherent bias towards signatures that leads to skewed results </li></ul></ul><ul><ul><li>As the threat landscape has evolved, and the security suites have evolved, so too must the testing methodology </li></ul></ul>
    28. 28. Lab Biases <ul><li>Platform </li></ul><ul><li>Method of introduction </li></ul><ul><li>Method of invocation </li></ul><ul><li>Internet connectivity </li></ul><ul><li>Definition Rollback or freeze </li></ul>
    29. 29. Lab Biases: Platform <ul><li>VMWare and Virtual PC </li></ul><ul><ul><li>Threats may detect that they are executing in a virtual environment </li></ul></ul><ul><ul><li>Once detected, they may modify their behavior </li></ul></ul><ul><ul><li>Sufficient Resources required to run </li></ul></ul><ul><ul><ul><li>If threat cannot perform escalation, or exceeds resources then the threat may not function </li></ul></ul></ul><ul><li>OS Revision and Patch Level </li></ul><ul><ul><li>Some threats may rely on unpatched vulnerabilities to operate </li></ul></ul><ul><ul><li>Threat may not run, or may not exhibit malicious behavior under certain circumstances </li></ul></ul><ul><ul><ul><li>Open ports </li></ul></ul></ul><ul><ul><ul><li>Installed components </li></ul></ul></ul>
    30. 30. Lab Bias: Method of Introduction <ul><li>Circumstances by which a threat is introduced to a system may be important </li></ul><ul><li>Some Portals may be more trusted than others </li></ul><ul><ul><li>A Portal is way to introduce software </li></ul></ul><ul><ul><ul><li>Email </li></ul></ul></ul><ul><ul><ul><li>Browser </li></ul></ul></ul><ul><ul><ul><li>CD </li></ul></ul></ul><ul><ul><ul><li>USB key </li></ul></ul></ul><ul><ul><li>Some are more trusted </li></ul></ul><ul><ul><ul><li>CD </li></ul></ul></ul><ul><ul><li>Than others </li></ul></ul><ul><ul><ul><li>Email </li></ul></ul></ul><ul><ul><ul><li>Browser </li></ul></ul></ul>
    31. 31. Lab Bias: Method of Invocation <ul><li>Automatic vs. manual vs. very manual </li></ul><ul><ul><li>Automatic </li></ul></ul><ul><ul><ul><li>Drive-by download </li></ul></ul></ul><ul><ul><ul><li>Downloader </li></ul></ul></ul><ul><ul><li>Manual </li></ul></ul><ul><ul><ul><li>Email attachment </li></ul></ul></ul><ul><ul><ul><li>Double-click </li></ul></ul></ul><ul><ul><li>Very manual </li></ul></ul><ul><ul><ul><li>Command prompt, navigate, run </li></ul></ul></ul><ul><li>These influence the behavioral score </li></ul>
    32. 32. Lab Bias: Internet Connectivity <ul><li>Many threats need to phone home </li></ul><ul><li>Establish connection for Command and Control </li></ul><ul><li>Establish connection for content delivery </li></ul>
    33. 33. Lab Bias: Definition Rollback or Freeze <ul><li>Tests some aspect of heuristic/behavior detection </li></ul><ul><li>Artificial state that does not match customer experience </li></ul><ul><li>Can inadvertently roll back heuristic/behavioral componentry </li></ul><ul><li>Can create mismatch errors should components presume minimum version of definitions </li></ul>
    34. 34. Dynamic Testing: “Do”s <ul><li>Configure machines to natural conditions </li></ul><ul><ul><li>Test with unpatched OS </li></ul></ul><ul><ul><li>Test with default security features of suite enabled </li></ul></ul><ul><li>Pay attention to threat injection vector </li></ul><ul><ul><li>Email borne threats should be tested from email </li></ul></ul><ul><ul><li>Browser borne threats should be tested using the browser </li></ul></ul><ul><ul><ul><li>If arrive from exploit, construct an exploit </li></ul></ul></ul><ul><li>Pay attention to invocation </li></ul><ul><ul><li>If a threat needs to run twice, once to “install” and once to act, test it that way </li></ul></ul><ul><li>Use as much “real” internet as is safe </li></ul><ul><ul><li>If a threat does not affect other machines, give it freer reign </li></ul></ul>
    35. 35. Dynamic Testing: “Don’t”s <ul><li>Just scan the file and conclude effectiveness </li></ul><ul><ul><li>Many other layers may provide detection </li></ul></ul><ul><li>Launch the threats manually </li></ul><ul><ul><li>Particularly from the desktop </li></ul></ul><ul><li>Publish tests without publishing criteria </li></ul><ul><ul><li>Important to understand what the data means </li></ul></ul><ul><li>Publish tests without publishing methodology </li></ul><ul><ul><li>Important to understand how the data was calculated </li></ul></ul>
    36. 36. Summary <ul><li>Threats have changed </li></ul><ul><li>Testing methodology must also change </li></ul><ul><ul><li>Better simulate real world conditions </li></ul></ul><ul><ul><li>Actively execute threats </li></ul></ul><ul><li>Need objective method for comparing </li></ul><ul><li>Not an easy problem to solve </li></ul><ul><ul><li>However, it is an important problem that must be solved </li></ul></ul>
    37. 37. Questions?
    38. 38. Presentation Identifier Goes Here Copyright © 2007 Symantec Corporation. All rights reserved.  Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries.  Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising.  All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law.  The information in this document is subject to change without notice. Thank You! Mark Kennedy [email_address] 310-449-4263

    ×