Slide 8
Changes in the Threat Landscape
Redefining Endpoint Security
From Hackers… To Thieves
Hackers                    Thieves
Few named variants         Overwhelming variants
Noisy and highly visible   Silent
Fame motivated             Financially motivated
Indiscriminate             Highly targeted
Slide 9
On July 13 2010 a unique form of malware was discovered that was attempting to take control of industrial infrastructure around the world.
Slide 12
Changes in the Threat Landscape
Redefining Endpoint Security
[Chart: number of signatures per period. Source: Symantec Security Response]
Slide 13
The Problem
Protection is a constant challenge
• As we improve and innovate our technologies, malware authors adapt and innovate too
• Their techniques are easy – exploit, encrypt, deploy and repeat
Like a game of cat and mouse…
Slide 17
The Problem
Millions of file variants (good and bad)
• So imagine that we know:
– about every file in the world today…
– and how many copies of each exist
– and which files are good and which are bad
• Now let’s order them by prevalence with
– Bad on the left
– Good on the right
Slide 18
The Problem
No Existing Protection Addresses the “Long Tail”
Today, both good and bad software obey a long-tail distribution.
[Chart: files ordered by prevalence, bad files on the left and good files on the right.]
Blacklisting works well for the high-prevalence bad files. Whitelisting works well for the high-prevalence good files.
Unfortunately neither technique works well for the tens of millions of files with low prevalence. (But this is precisely where the majority of today’s malware falls.)
For this long tail a new technique is needed.
Slide 19
Ubiquity
Could we leverage our users for Security?
• We looked at how others leverage their user communities (ratings for books, music, movies)
• They ‘ask’!
• So perhaps we should use a similar approach?
– We ask our users to rate software they use
– Over time, applications build a reputation
– Symantec products then only allow users to run programs with at least “4 stars.”
Slide 20
Ubiquity
Well, not so fast
• To a user, it’s not at all obvious what is safe and what is not…
– Many threats are silent; the user isn’t even aware of their presence
– Some threats hide inside legitimate processes
– Other threats pretend to be legitimate files… (example: “AntiVirus 2010”)
This means we can’t just ‘ask’ our users for feedback!
Slide 21
How it Works
In 2007, we started collecting data and built a massively-parallel analysis algorithm.
1. Collect data: submission servers gather, for each file, the file hash, good/bad verdict, confidence, prevalence and date first seen.
2. Calculate Ubiquity Safety Ratings on the reputation servers (updated every 4 hrs).
3. Deliver Ubiquity Safety Ratings.
Analogy: Google’s PageRank™
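The long-tail argument (slide 18) and the collect/calculate/deliver pipeline (slide 21) can be made concrete with a toy reputation model. The following is an added example written for this page; it is not Symantec's Ubiquity code and the scoring formula, corpus, hashes and thresholds are all constructed assumptions. It shows that a blacklist/whitelist only yields a verdict where a label already exists, while a rating derived from prevalence and age still rates the unlabeled tail, and that a repacked variant (new hash, prevalence 1) lands at the bottom of that rating by construction.

```python
"""Toy file-reputation model (constructed example, not Symantec's Ubiquity).

Each record carries what a submission server might report for one file:
hash, prevalence, days since first seen and an optional known label.
"""
from dataclasses import dataclass
from math import log10
from typing import Optional


@dataclass(frozen=True)
class FileRecord:
    sha256: str            # file hash (placeholder digests below, not real files)
    prevalence: int        # number of endpoints reporting this hash
    age_days: int          # days since the hash was first seen
    known: Optional[str]   # "good", "bad" or None (no signature / whitelist entry)


# Constructed corpus: a few head files plus a long tail of rare, unlabeled files.
CORPUS = [
    FileRecord("a" * 64, 5_000_000, 900, "good"),  # widely installed OS component
    FileRecord("b" * 64, 1_200_000, 400, "good"),  # popular application
    FileRecord("c" * 64, 300_000, 120, "bad"),     # well-known worm with a signature
    FileRecord("g" * 64, 200_000, 300, None),      # common but never labeled
    FileRecord("d" * 64, 8_000, 60, None),         # niche utility, no label
    FileRecord("e" * 64, 3, 1, None),              # brand-new, seen on 3 machines
    FileRecord("f" * 64, 1, 0, None),              # singleton: typical repacked variant
]


def classic_verdict(rec: FileRecord) -> Optional[str]:
    """Blacklist/whitelist only: a verdict exists only where a label exists."""
    return rec.known  # None for the whole long tail


def reputation(rec: FileRecord):
    """Return (rating 1-5, confidence 0-1) from prevalence and age.

    Rating grows with log10(prevalence) and with age; confidence grows with
    the amount of evidence, so a singleton is rated low AND flagged as
    low-confidence rather than silently trusted. Weights are assumptions.
    """
    if rec.known == "bad":
        return 1, 1.0          # a signature hit overrides any prevalence signal
    if rec.known == "good":
        return 5, 1.0
    prev_score = min(log10(rec.prevalence + 1) / 6.0, 1.0)  # ~1e6 reports -> 1.0
    age_score = min(rec.age_days / 365.0, 1.0)              # one year -> 1.0
    combined = 0.7 * prev_score + 0.3 * age_score
    rating = 1 + round(combined * 4)
    confidence = min(log10(rec.prevalence + 1) / 4.0, 1.0)  # ~1e4 reports -> 1.0
    return rating, round(confidence, 2)


def allowed(rec: FileRecord, min_rating: int = 4, min_confidence: float = 0.5) -> bool:
    """Policy-based lockdown: run only files rated at least `min_rating` stars."""
    rating, conf = reputation(rec)
    return rating >= min_rating and conf >= min_confidence


def coverage(corpus):
    """How many files (and endpoint installs) the classic approach can judge."""
    classic = [r for r in corpus if classic_verdict(r) is not None]
    return {
        "files_with_classic_verdict": len(classic),
        "files_total": len(corpus),
        "installs_with_classic_verdict": sum(r.prevalence for r in classic),
        "installs_total": sum(r.prevalence for r in corpus),
    }


def tweaked_variant(rec: FileRecord) -> FileRecord:
    """Model a repacked copy of `rec`: new hash, prevalence back to 1, age 0.

    The blacklist loses it (no signature yet); the reputation model does not,
    because the tweak itself pushes the file to the bottom of the curve.
    """
    return FileRecord("variant-of-" + rec.sha256[:8], 1, 0, None)  # placeholder id


if __name__ == "__main__":
    print(coverage(CORPUS))
    for rec in CORPUS + [tweaked_variant(CORPUS[2])]:
        print(rec.sha256[:12], classic_verdict(rec), reputation(rec), allowed(rec))
```

Running the block shows three of seven files get a classic verdict while every file gets a reputation rating; the never-labeled but common file reaches 4 stars and is allowed, the 8,000-install utility gets 3 stars with high confidence, and the singleton and the repacked variant get 1 star with confidence below 0.1.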
Slide 22
Ubiquity (Reputation) Benefits
Five important new benefits:
1. Drastically Improved Protection
2. Policy-based lockdown
3. A Weapon Against False Positives
4. Improved performance
5. Unique endpoint visibility
Slide 23
Conclusion
Ubiquity Changes the Rules of the Game
• Amplifies the protection of our current technologies
• We no longer rely solely on traditional signatures
• Use data from tens of millions of users to automatically identify otherwise invisible malware
• Shifts the odds in our favor – attackers can no longer evade us by tweaking their threats
Slide 26
Develop and Enforce IT Policies
Control Compliance Suite
• Define Risk and Develop IT Policies
• Assess Infrastructure and Processes
• Report, Monitor and Demonstrate Due Care
• Remediate Problems
Slide 27
Protect The Information
Data Loss Prevention Suite
• Discover Where Sensitive Information Resides
• Monitor How Data is Being Used
• Protect Sensitive Information From Loss
Slide 28
Manage Systems
Altiris Total Management Suite
• Implement Secure Operating Environments
• Distribute and Enforce Patch Levels
• Automate Processes to Streamline Efficiency
• Monitor and Report on System Status
Slide 29
Protect The Infrastructure
Symantec Protection Suite
• Secure Endpoints
• Protect Email and Web
• Defend Critical Internal Servers
• Backup and Recover Data
Slide 30
New Challenges Require New Technologies
Threat actors: Organized Criminal; Malicious Insider
• Protect the Infrastructure – Lack of Visibility; Evolving Threats; Growing Complexity
• Develop & Enforce IT Policies – IT Risk Management; Cost & Complexity of Compliance; Lack of Visibility
• Protect the Information – Growth of Unstructured Data; Social Media Access; Cloud Computing
• Manage Systems – Management of HW and SW; Complexity of IT Processes; Operating System Migration
Integrated Security Platform: Open Platform; Console Unification; Security Intelligence; Dynamic Protection
IT security professionals feel they have more to deal with than ever before. Specifically, they have more viruses, more threats (spam, botnets etc.), more surface area to protect because of the people involved (suppliers, customers, contractors) and more information to protect. In fact, regardless of the size of a company, information doubles every year. Finally, job descriptions have expanded: IT security professionals are responsible not only for security but also for compliance.
Our reference labs (powered by Symantec Global Intelligence Network) showed that 2008 was the tipping point for security, and the landscape changed radically. Just two years ago, hackers were the biggest threat. They were primarily focused on taking down your machines and infrastructure, and the only way you knew you were being hit was that your PC started to act oddly or you saw a spike in network traffic as a worm moved through your infrastructure.
We at Symantec warned at that time that in the future you would be more worried about organized crime, and this change happened in 2008. 90% of records lost in 2008 involved organized crime targeting corporate information. That is vastly different than just 2 years ago….
Additional Background on GIN
At the heart of all of our products is the Symantec Global Intelligence Network. We are incredibly proud of this Network, and it just gets more and more powerful all the time.
We have a 95% detection rate—that’s the highest of any security vendor—and the lowest number of false positives (0.0001%)
The Network analyzes over 1.5 billion security alerts daily, validates approximately 5,000 as genuine security threats, and notifies customers within 10 minutes of discovery.
This is, by far, the largest, most sophisticated intelligence network on the planet.
It scans 30% of the world’s email traffic, processes over 8 billion email messages daily and gathers malicious code data from 130 million systems.
The Network updates every 5-10 minutes from 240,000 sensors in over 200 countries.
There are more than 32,000 vulnerabilities in the Symantec vulnerability database.
There are 2.5 million decoy accounts in the Symantec Probe Network.
There are 4 Symantec Security Operations Centers, located in Australia, the UK, the USA and India.
There are 11 Security Response Centers in the USA, Australia, Canada, India, China and Ireland.
What all of this means is that if there is a malicious attack about to hit you, we know about it first. We block it, we keep it from affecting your business, and we tell you how to take action. It’s about prioritized risk and response, and our intelligence network keeps you protected and tells you what to do first. There simply is no approach that’s faster or more thorough than ours.
This Network is the main reason that 99% of the Fortune 500 & 1000 utilize our products. This is what makes all the difference between having security software and knowing that your information is protected 24/7.
Transcript:
That includes our flagship endpoint protection product, but it also includes the capabilities to help our customers protect their web traffic and their email infrastructure because, as we saw, those are important vectors for malware to enter a corporate environment. In addition, it's important for our customers to have added hardening and added protection for their critical systems. And then finally, we've heard from our customers that the ability to back up and recover data is an important security capability, and that is part of our Symantec Protection Suites as well.
Author’s Original Notes:
Secure Endpoints using Symantec Endpoint Protection (SEP)
Protect Email and Web using Brightmail and Web Gateway (Mi5)
Defend Critical Internal Servers using Critical Systems Protect (CSP)
Backup and Recover Data using Backup Exec System Recovery (BESR)
Bridge Solutions
A secure infrastructure is a well-managed infrastructure – therefore, part of protection is management, and our Altiris suite also helps customers maintain both security and compliance.