Transcript of Behind the Yellow Curtain: Symantec's Proactive Protection and Detection Technology
Patrick Gardner, VP Engineering
Sourabh Satish, Distinguished Engineer
Symantec Vision 2014 - Symantec's Proactive Protection and Detection Technology
A Feedback Loop: Products and Big Data Intelligence
• All products collect and submit telemetry data (opt in)
• Data is all warehoused in a central system for analysis
• Allows for rapid human and machine driven iterations of protection
• Enables more aggressive content development
Feedback cycle: Develop -> Deploy -> Monitor -> Analyze

Symantec Data Analytics Platform (diagram): telemetry (malware alerts, behaviors, web sites visited, downloads, crashes, file appearance, intrusion alerts, ...) is reduced to raw features (file, URL, crash, behavior, forms, ...) and loaded into the big data system: 55,000 rows added every second, 2.1 trillion rows of data in total. Intelligence-driven applications built on it: File Insight, URL Insight, SONAR engine, Crash Ratings, Intelligence, Scam Insight.
Security Technology and Response (STAR) Layers of Protection: Reputation, File, Network, Behavioral, Repair
STAR PROTECTION:
Network: stops malware as it travels over the network and tries to take up residence on a system
• Protocol aware IPS
• Browser Protection
File: looks for and eradicates malware that has already taken up residence on a system
• Antivirus Engine
• Auto Protect
• Malheur
Reputation: establishes information about entities (e.g. websites, files, IP addresses) to be used in effective security
• Domain Reputation
• File Reputation
Behavioral: looks at processes as they execute and uses malicious behaviors to indicate the presence of malware
• SONAR
• Behavioral Signatures
Repair: aggressive tools for hard-to-remove infections
• Boot to a clean OS
• Power Eraser uses aggressive heuristics
• Threat-specific tools
Network Threat Protection

Network Threat Protection blocks today's most critical threats. Hundreds of millions of threats are stopped with this technology:
• Protect against drive-by downloads that install "APTs"
• Prevent social engineering attacks
• Find infected systems with post-infection protection
• Prevent social media attacks
• Protect against unpatched vulnerabilities
How Network Threat Protection Works: Identify, Parse, Scan

Identify
Problem:
• Network protocols are all layered or "tunneled"
• Web, IM and multi-media content is all tunneled over HTTP
Solution:
• Knowing what content is being protected is key to providing accurate protection
• Identifying and labeling content is a necessary first step
Differentiator:
• The IPS engine has port-agnostic content identification for over 200 protocols and file types

Parse
Problem:
• Scanning an entire file or protocol stream is expensive for performance reasons
• Certain information must be cached for later use to determine maliciousness
Solution:
• Parsers decode protocol streams or files based on their specification
• While decoding, parsers skip to relevant portions and cache decoded information
Differentiator:
• This helps with performance of the engine and accuracy of detection
• Can inspect encoded content (e.g. GZIP, UTF, ...)

Scan
Problem:
• Using TCP ports to determine what signatures to apply is prone to FPs and performance degradation
– Other security vendors can't accurately identify what protocol they are scanning
– Competitors apply thousands of signatures based on network ports, including thousands of irrelevant signatures
Solution:
• Symantec's IPS solution selects the minimum set of signatures to scan with, since the engines are protocol aware
• Information cached from parsers is used while scanning
Differentiator:
• Highly accurate and fast engine
• Minimizes false positives

What makes this better? Precision! A traditional IPS engine like Snort does not have the Identify and Parse functionality
• This means it has to blindly scan each packet with all signatures
– Leads to slow performance
– Leads to FPs due to a lack of context
– Cannot properly inspect tunneled content
With Identify, Parse and Scan
• Symantec can write precise signatures for a specific vulnerability
• We can look for a vulnerability in the exact application, file and protocol it applies to, rather than in every network packet
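The three stages above, as an added illustration that is not Symantec's engine or signature format: content is labeled by its bytes (the TCP port is never consulted), an HTTP parser undoes gzip Content-Encoding and labels the decoded body, and only the signatures for that label are applied. The protocol fingerprints, the demo signatures and the sample streams are all constructed for this example.

```python
"""Identify -> Parse -> Scan over constructed sample streams (added illustration).

Nothing here is Symantec's engine or signature format; the protocol
fingerprints, the demo signatures and the sample traffic are all constructed
for this example. The point is the ordering: label the content first, decode
only what the signatures need, then apply only the signatures for that label.
"""
import gzip
import re

# --- Identify: label a stream by its bytes; the TCP port is never consulted ---
REQUEST_LINE = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]\r\n")


def identify(payload: bytes) -> str:
    if REQUEST_LINE.match(payload) or payload.startswith(b"HTTP/1."):
        return "http"
    if payload.startswith(b"%PDF-"):
        return "pdf"
    if payload.startswith(b"MZ"):          # DOS/PE header magic
        return "pe"
    return "unknown"


# --- Parse: decode just enough of the HTTP message and cache it as context ---
def parse_http(payload: bytes) -> dict:
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if headers.get(b"content-encoding", b"").lower() == b"gzip":
        body = gzip.decompress(body)       # tunneled, encoded content is undone here
    # The decoded body is labeled again, so a PE or PDF carried over HTTP
    # is scanned with its own signatures rather than with HTTP ones.
    return {"start_line": lines[0], "headers": headers,
            "body": body, "body_type": identify(body)}


# --- Scan: constructed demo signatures, keyed by the content label ---
SIGNATURES = {
    "http": [("demo-http-dot-dot-path", re.compile(rb"^[A-Z]+ \S*\.\./")),
             ("demo-http-overlong-target", re.compile(rb"^[A-Z]+ \S{2048,}"))],
    "pdf": [("demo-pdf-embedded-javascript", re.compile(rb"/JavaScript"))],
    "pe": [],
    "unknown": [],
}
TOTAL_SIGNATURES = sum(len(v) for v in SIGNATURES.values())


def context_rules(ctx: dict) -> list:
    """Rules that need parser context, not just bytes: here the declared
    Content-Type versus what the decoded body actually is."""
    declared = ctx["headers"].get(b"content-type", b"")
    if ctx["body_type"] == "pe" and declared.startswith(b"image/"):
        return ["demo-executable-disguised-as-image"]
    return []


def scan(payload: bytes) -> dict:
    kind = identify(payload)
    hits, applied = [], 0
    if kind == "http":
        ctx = parse_http(payload)
        targets = [(ctx["start_line"], SIGNATURES["http"]),
                   (ctx["body"], SIGNATURES[ctx["body_type"]])]
        hits += context_rules(ctx)
    else:
        targets = [(payload, SIGNATURES[kind])]
    for data, sigs in targets:
        for name, rx in sigs:
            applied += 1
            if rx.search(data):
                hits.append(name)
    return {"type": kind, "hits": hits, "signatures_applied": applied}


# Constructed samples (not captured traffic).
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"
FAKE_PDF_JS = (b"%PDF-1.4\n1 0 obj << /OpenAction << /S /JavaScript "
               b"/JS (app.alert(1)) >> >> endobj\n%%EOF\n")
FAKE_PDF_PLAIN = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"

SAMPLE_TRAVERSAL = b"GET /../../etc/passwd HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_DISGUISED_EXE = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n"
                        b"Content-Encoding: gzip\r\n\r\n" + gzip.compress(FAKE_PE))
SAMPLE_GZIP_PDF = (b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n"
                   b"Content-Encoding: gzip\r\n\r\n" + gzip.compress(FAKE_PDF_JS))

if __name__ == "__main__":
    for sample in (SAMPLE_TRAVERSAL, SAMPLE_DISGUISED_EXE, SAMPLE_GZIP_PDF, FAKE_PDF_PLAIN):
        r = scan(sample)
        print(r["type"], r["hits"],
              f"{r['signatures_applied']}/{TOTAL_SIGNATURES} signatures applied")
```

A port-based scanner would run all three regexes over every packet and still miss the executable inside the gzip body; here the disguised executable is caught by a context rule that needs the parser's cached Content-Type, and a plain PDF file is touched by exactly one signature.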
File-based Protection

File
• Malheur - increased use of a new artificial intelligence engine
– Extracts hundreds of attributes from each file
– Looks for suspicious combinations of attributes
– Endpoint uses predictive classifiers, or rules derived from them, and corroborates with Insight Reputation
• Backend uses complex attributes to identify malware and releases definitions for them
– These heuristics can detect many variants and are especially effective against polymorphic malware families
• Benefits
– Proactive - catches new 0-day threats
– Proactive - blocks threats before they have a chance to run

File-based Protection: Improved Detection Capabilities
• We have grown both the scale and intelligence of our backend systems that produce definitions, to detect even more malware
• We have added an entirely new backend system called SCALE (Symantec Clustering and Labeling Ensembles) that clusters samples together based on their behaviors and static attributes, to find new variants of threat families and produce definitions for these samples

Working Smarter (diagram: labeled samples form clusters; unlabeled samples that fall into a cluster receive its label as a new label)
As new unlabeled samples fit the clusters of labeled samples by behavioral or static feature similarity, they inherit the cluster label.
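The label-inheritance idea, as an added illustration that is neither SCALE nor Symantec's feature set: labeled samples form per-family clusters, an unlabeled sample whose Jaccard similarity to one cluster clears a threshold by a margin over the next-best cluster inherits that label and extends the cluster, and an ambiguous or unrelated sample stays unlabeled. The attribute strings, families, thresholds and sample names are constructed for the demo.

```python
"""Cluster-label inheritance over constructed sample profiles (added illustration).

This is neither SCALE nor Symantec's feature set. It sketches the idea on the
slide: labeled samples form per-family clusters, and an unlabeled sample that
is similar enough to exactly one cluster (Jaccard similarity over a set of
static and behavioral attributes, single linkage) inherits that cluster's
label and then extends the cluster, so later samples can match through it.
"""
from collections import defaultdict

# Constructed profiles: attribute strings prefixed "static:" or "behavior:".
A1 = {"static:packer=upx", "static:section=.xyz", "static:import=WinHttpOpen",
      "behavior:persist=run_key", "behavior:net=http_beacon", "behavior:drop=%TEMP%\\svc.exe"}
A2 = (A1 - {"static:section=.xyz"}) | {"static:section=.abc"}
B1 = {"static:packer=none", "static:import=CryptEncrypt", "behavior:file=mass_rename",
      "behavior:delete=shadow_copies", "behavior:net=tor", "behavior:note=ransom.txt"}
B2 = (B1 - {"behavior:net=tor"}) | {"behavior:net=http_beacon"}

LABELED = {"famA_v1": ("FamilyA", A1), "famA_v2": ("FamilyA", A2),
           "famB_v1": ("FamilyB", B1), "famB_v2": ("FamilyB", B2)}

UNLABELED = {
    # close variant of FamilyA with a renamed section
    "sample_x": (A1 - {"static:section=.xyz"}) | {"static:section=.qqq"},
    # further drift: only close to sample_x, not to the original FamilyA members
    "sample_w": {"static:packer=upx", "static:section=.qqq", "static:import=InternetOpen",
                 "behavior:persist=service", "behavior:net=http_beacon",
                 "behavior:drop=%TEMP%\\svc.exe"},
    # shares half of its attributes with each family: must not be labeled
    "sample_y": (A1 - {"behavior:drop=%TEMP%\\svc.exe"}) | (B1 - {"behavior:note=ransom.txt"}),
    # unrelated, looks like a signed installer
    "sample_z": {"static:packer=none", "static:signer=valid", "static:import=MsiOpenDatabase",
                 "behavior:file=program_files_write", "behavior:persist=service"},
}


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0


def best_cluster_scores(sample: set, clusters: dict) -> dict:
    """Single linkage: a sample's score for a cluster is its best match to any member."""
    return {label: max(jaccard(sample, m) for m in members)
            for label, members in clusters.items()}


def assign_label(sample: set, clusters: dict, threshold=0.4, margin=0.15):
    """Return (label, reason). Label is None when no cluster is close enough or
    when two clusters are too close to each other to choose between."""
    ranked = sorted(best_cluster_scores(sample, clusters).items(),
                    key=lambda kv: kv[1], reverse=True)
    top, top_score = ranked[0]
    runner_up = ranked[1][1] if len(ranked) > 1 else 0.0
    if top_score < threshold:
        return None, "no cluster close enough"
    if top_score - runner_up < margin:
        return None, f"ambiguous between {top} and {ranked[1][0]}"
    return top, f"{top} at {top_score:.2f}"


def propagate(unlabeled: dict, labeled: dict, threshold=0.4, margin=0.15):
    """Iterate to a fixpoint: each newly labeled sample joins its cluster, so a
    sample that only resembles another new variant can still inherit the label."""
    clusters = defaultdict(list)
    for label, attrs in labeled.values():
        clusters[label].append(attrs)
    labels = {name: None for name in unlabeled}
    reasons = {}
    changed = True
    while changed:
        changed = False
        for name, attrs in unlabeled.items():
            if labels[name] is not None:
                continue
            label, why = assign_label(attrs, clusters, threshold, margin)
            reasons[name] = why
            if label is not None:
                labels[name] = label
                clusters[label].append(attrs)
                changed = True
    return labels, reasons


if __name__ == "__main__":
    labels, reasons = propagate(UNLABELED, LABELED)
    for name in UNLABELED:
        print(f"{name}: {labels[name]} ({reasons[name]})")
```

The margin check is what keeps a sample that straddles two families from being labeled by whichever cluster happens to be listed first; the fixpoint loop is what lets sample_w inherit FamilyA only after sample_x has joined the cluster, and it is also the place where label drift would creep in if the threshold were set too low.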
Reputation-based Security

Insight - Reputation in a Nutshell
• Our Insight reputation system uses the wisdom of our hundreds of millions of users to automatically derive highly accurate safety ratings for every file on the internet
• It is an entirely different approach that requires no traditional virus signatures

Data Collection: opt-in program to collect anonymous file usage data (> 210 million contributing users)
File Attribute Database: world's largest nexus of data on executable content (> 3 billion unique program files, growing continuously)
'Reputation' Engine: patent-pending algorithms to compute safety reputations
File Safety Reputations: a measure of how good or bad a file is; every rating is updated every 4 - 6 hours, for all files, both good and bad

It can accurately identify threats even if just a single Symantec user encounters them, and it blocks them without any signatures
Reputation: Superior Protection
Our reputation system improves protection in three ways:
• It blocks entirely new malware that traditional fingerprints miss
• It ratchets up the "resolution" of our heuristics and behavior blocking
• It changes the game, killing mutated malware once and for all
– Let's see why...

Changes the Game
As we've seen, hackers are mutating threats to evade fingerprints
– Fingerprint-based systems are defenseless!
On the other hand, mutated threats stick out like a sore thumb in a reputation system
– Low prevalence + newly generated = low reputation!
It's a catch-22 for the virus writers
– Mutate too much = low reputation
– Mutate too little = easy to discover & fingerprint
STAR Mobile Insight
Privacy: identify leaks of confidential data and warn about advertising
Security: top protection and be the first to spot new threats
Performance: improve the mobile experience (battery life, bandwidth use)
SONAR Behavioral Protection
Build an engine that ignores what the threat LOOKS LIKE, but detects threats based on what the threat DOES

File and Behavioral Heuristics (pipeline diagram):
• Community Watch: collects millions of programs
• File & behavior profiles: over 500 million profiles, hundreds of attributes
• Machine learning engine: analyzes patterns of good and bad programs
• Classification rules: creates rules for classifying files as good or bad
• Symantec Security Response: classification rules undergo rigorous certification
• LiveUpdate: distributed to our products
Example attributes: modifies browser homepage; changes security settings; is signed by good CA; changes DNS settings; disables UAC; adds desktop shortcut
SONAR (5th Generation) Behavioral Protection
New behavioral-detection engine with significantly improved effectiveness
• Same enterprise UI but totally redesigned behavioral protection under the hood
Proactively detects new threats based entirely on behaviors
• Day-0 detection for Hydraq/Aurora and Stuxnet
• Sophisticated rootkits like TidServ
• Non-process based threats (NPTs) are stopped
Behavioral rules-based
• Customers get up-to-date protection automatically via LiveUpdate
• Coverage for APTs like Shamoon, PoisonIvy
High-performance real-time engine
• Behaviors are monitored and assessed as they happen
• Sandboxing to insulate system from threats
• No measurable impact on performance
Now with 1390 behaviors
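The "suspicious combinations of attributes" idea from the Malheur file heuristics and the real-time behavioral assessment described for SONAR, as one added illustration that is not SONAR and not its rules: the six attributes are the ones on the heuristics slide, each carries a small weight on its own, certain pairs add a bonus, and a process is convicted at the moment the events it has produced so far cross a threshold. The weights, the bonuses, the threshold, the process names and the event stream are constructed for the demo.

```python
"""Real-time behavioral scoring over a constructed event stream (added illustration).

Not SONAR and not its rules: the behaviors are the six on the heuristics
slide, the weights, pair bonuses and conviction threshold are made up for the
demo. It shows the slide's idea that a single behavior is weak evidence but a
combination, assessed as the events arrive, is enough to convict a process,
and that a good-CA signature pulls the score down rather than switching the
engine off.
"""
from collections import defaultdict

# Weight of each attribute on its own. Constructed values.
WEIGHTS = {
    "modifies_browser_homepage": 2,
    "adds_desktop_shortcut": 0,
    "changes_security_settings": 3,
    "changes_dns_settings": 3,
    "disables_uac": 4,
    "signed_by_good_ca": -4,
}

# Pairs that are more suspicious together than the sum of their parts. Constructed.
COMBO_BONUS = [
    ({"changes_dns_settings", "changes_security_settings"}, 3),
    ({"disables_uac", "changes_security_settings"}, 4),
    ({"modifies_browser_homepage", "changes_dns_settings"}, 3),
]
THRESHOLD = 10


def score(behaviors: set) -> int:
    """Score the set of attributes seen so far for one process."""
    total = sum(WEIGHTS[b] for b in behaviors)
    total += sum(bonus for combo, bonus in COMBO_BONUS if combo <= behaviors)
    return total


def assess_stream(events: list) -> dict:
    """events: (process, behavior) pairs in arrival order.

    Returns {process: (index of the event at which it crossed THRESHOLD, or
    None, final score)}. Scoring happens on every event, so conviction comes
    as soon as the combination is complete, not after the process exits.
    """
    seen = defaultdict(set)
    convicted_at = {}
    for i, (proc, behavior) in enumerate(events):
        seen[proc].add(behavior)
        if proc not in convicted_at and score(seen[proc]) >= THRESHOLD:
            convicted_at[proc] = i
    return {p: (convicted_at.get(p), score(b)) for p, b in seen.items()}


# Constructed event stream: a signed installer interleaved with an unsigned
# process that reconfigures the system step by step.
EVENTS = [
    ("setup.exe", "signed_by_good_ca"),
    ("setup.exe", "adds_desktop_shortcut"),
    ("setup.exe", "modifies_browser_homepage"),
    ("svchost32.exe", "modifies_browser_homepage"),
    ("svchost32.exe", "changes_dns_settings"),
    ("setup.exe", "changes_security_settings"),
    ("svchost32.exe", "changes_security_settings"),
    ("svchost32.exe", "disables_uac"),
]

if __name__ == "__main__":
    for proc, (when, final) in assess_stream(EVENTS).items():
        verdict = f"convicted at event {when}" if when is not None else "allowed"
        print(f"{proc}: {verdict}, final score {final}")
```

setup.exe performs two of the same behaviors as the malicious process but stays at a score of 1, because the good-CA signature offsets them and none of its behaviors form a flagged pair; svchost32.exe is convicted at event 6, when the DNS change and the security-settings change are both on record, before it ever gets to disable UAC.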
Repair Technology
Additional options to help fix the problem:
1. Symantec Power Eraser: standalone & integrated
2. Bootable Recovery Tool: a bootable recovery disk with full detection and repair capabilities
3. Threat Specific Tools: fix tools created for specific threats, available from Security Response
Disclaimer: Any information regarding pre-release Symantec offerings, future updates or other planned modifications is subject to ongoing evaluation by Symantec and therefore subject to change. This information is provided without warranty of any kind, express or implied. Customers who purchase Symantec offerings should make their purchase decision based upon features that are currently available.
New: Dynamic Malware Analysis Service - Advanced Threat Protection with cloud-based sandbox
• Designed to draw out VM-aware malware
• Instrumented to simulate user behaviors to drive malware to execute
• Ability to observe behaviors; SONAR behavioral scoring; API-based clustering; leverages global intelligence of behaviors, attack patterns and campaigns
• Cloud-based service enables elastic, fast adaptation to changing malware analysis demands and on-demand queries
• Supported inputs: Portable Executables, PDF, Office docs, Java files, containers
Thank you!

Copyright © 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.