Behind the Yellow Curtain: Symantec’s Proactive Protection and Detection Technology

Symantec Vision 2014

Patrick Gardner, VP Engineering

Sourabh Satish, Distinguished Engineer

Transcript of the slide deck (source: vox.veritas.com/legacyfs/online/veritasdata/9am_1481_Behind the Ye…)

A Feedback Loop: Products and Big Data Intelligence

• All products collect and submit telemetry data (opt in)

• Data is all warehoused in a central system for analysis

• Allows for rapid human and machine driven iterations of protection

• Enables more aggressive content development

Feedback cycle: Develop → Deploy → Monitor → Analyze

SYMANTEC DATA ANALYTICS PLATFORM

Raw features (examples): downloads, web site visits, intrusion alerts, malware alerts, behaviors, file appearance, crashes

Big Data System: 55,000 rows added every second; 2.1 trillion rows of data

Intelligence driven applications: File Insight, URL Insight, SONAR engine, Crash Ratings, Scam Insight, Intelligence

Feature types: File, URL, Crash, Behavior, Forms, …

Security Technology and Response (STAR) Layers of Protection

STAR PROTECTION: Network, File, Reputation, Behavioral, Repair

STAR PROTECTION:

Network: Stops malware as it travels over the network and tries to take up residence on a system

• Protocol aware IPS

• Browser Protection

File: Looks for and eradicates malware that has already taken up residence on a system

• Antivirus Engine

• Auto Protect

• Malheur

Reputation: Establishes information about entities (e.g. websites, files, IP addresses) to be used in effective security

• Domain Reputation

• File Reputation

Behavioral: Looks at processes as they execute and uses malicious behaviors to indicate the presence of malware

• SONAR

• Behavioral Signatures

Repair: Aggressive tools for hard to remove infections

• Boot to a clean OS

• Power Eraser uses aggressive heuristics

• Threat-specific tools

STAR PROTECTION: Network

Network Threat Protection

Network Threat Protection blocks today’s most critical threats

Hundreds of millions of threats are stopped with this technology

Protect Against Drive-by Downloads that install “APTs”

Prevent Social Engineering Attacks

Find Infected Systems with Post Infection Protection

Prevent Social Media Attacks

Protect Against Unpatched Vulnerabilities

How Network Threat Protection Works

Three stages: Identify → Parse → Scan

How Network Threat Protection Works: Identify

Problem:

• Network protocols are all layered or “tunneled”

• Web, IM and multi-media content is all tunneled over HTTP

Solution:

• Knowing what content is being protected is key to providing accurate protection

• Identifying and labeling content is a necessary first step

Differentiator:

• The IPS engine performs port-agnostic content identification for over 200 protocols and file types

How Network Threat Protection Works: Parse

Problem:

• Scanning an entire file or protocol stream is expensive for performance reasons

• Certain information must be cached for later use to determine maliciousness

Solution:

• Parsers decode protocol streams or files based on their specification

• While decoding, parsers skip to the relevant portions and cache the decoded information

Differentiator:

• This helps both the performance of the engine and the accuracy of detection

• Can inspect encoded content (e.g. GZIP, UTF, …)

How Network Threat Protection Works: Scan

Problem:

• Using TCP ports to determine which signatures to apply is prone to FPs and performance degradation

– Other security vendors can’t accurately identify what protocol they are scanning

– Competitors apply thousands of signatures based on network ports, thousands of which are irrelevant to the traffic being scanned

Solution:

• Symantec’s IPS solution selects the minimum set of signatures to scan with, since our engines are protocol aware

• Information cached by the parsers is used while scanning

Differentiator:

• Highly accurate and fast engine

• Minimizes False Positives

What makes this better?

Precision! A traditional IPS engine like Snort does not have the Identify and Parse functionality

• This means it has to blindly scan each packet with all signatures

- Leads to slow performance

- Leads to FPs due to a lack of context

- Cannot properly inspect tunneled content

With Identify, Parse and Scan

• Symantec can write precise signatures for a specific vulnerability

• We can look for a vulnerability in the exact application, file and protocol to which it applies, rather than in every network packet
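The Identify, Parse and Scan stages above, as an added example that is not Symantec’s IPS code: a port-agnostic identifier labels a stream by its content, an HTTP parser decodes only the header fields and the body (with its Content-Encoding undone) and passes them on as a cache, and the scan step selects its rule set from the identified content, re-identifying the tunneled payload in the body. Beside it is the port-keyed, raw-byte scanner the slide criticises. The rule names, the patterns, the stand-in PE bytes and the HTTP samples are all constructed for this demo.

```python
import gzip
import re

# Constructed rule sets keyed by identified content label, not by TCP port.
# Rule names and patterns are illustrative stand-ins, not Symantec signatures.
SIGNATURES = {
    "pe":   [("PE-suspicious-section-name", re.compile(rb"\.evil\x00"))],
    "html": [("HTML-eval-unescape", re.compile(rb"eval\(unescape\("))],
}


def identify(data: bytes) -> str:
    """Identify: label a byte stream by what it is, ignoring the port it arrived on."""
    if data.startswith(b"MZ"):
        return "pe"
    if re.match(rb"HTTP/1\.[01] \d{3} ", data) or re.match(rb"(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n", data):
        return "http"
    if re.search(rb"<(html|script)\b", data[:512], re.IGNORECASE):
        return "html"
    return "unknown"


def parse_http(stream: bytes) -> dict:
    """Parse: decode only what the scan needs (header fields and the body with its
    Content-Encoding undone) and hand it on as a cache for the scan step."""
    head, _, body = stream.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)   # inspect the encoded content, not the raw bytes
    return {"headers": headers, "body": body}


def scan_content_aware(stream: bytes) -> list:
    """Scan: Identify -> Parse -> apply only the rules for the identified content.
    The tunneled payload (HTTP body) is identified again and gets its own rule set."""
    label = identify(stream)
    if label == "http":
        body = parse_http(stream)["body"]
        targets = [(identify(body), body)]
    else:
        targets = [(label, stream)]
    hits = []
    for inner_label, payload in targets:
        hits += [name for name, pattern in SIGNATURES.get(inner_label, []) if pattern.search(payload)]
    return hits


def scan_port_based(stream: bytes, port: int) -> list:
    """Contrast: the approach the slide criticises. The port picks the rules (here every
    rule on port 80, none elsewhere) and raw bytes are scanned with no decoding, so it
    has no context for what it matches and cannot see through gzip."""
    if port != 80:
        return []
    return [name for rules in SIGNATURES.values() for name, pattern in rules if pattern.search(stream)]


def http_response(body: bytes, gzipped: bool) -> bytes:
    """Wrap a body in a constructed HTTP/1.1 response for the demo."""
    if gzipped:
        body = gzip.compress(body)
    lines = [b"HTTP/1.1 200 OK", b"Content-Type: application/octet-stream"]
    if gzipped:
        lines.append(b"Content-Encoding: gzip")
    lines.append(b"Content-Length: %d" % len(body))
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


# Constructed samples: a stand-in PE (MZ stub plus a tell-tale section name) tunneled
# gzip-encoded over HTTP on port 8080; a plain page that only mentions that name; and
# a gzip-encoded HTML page carrying the obfuscation pattern.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b".evil\x00\x00\x00" + b"\x00" * 32
SAMPLE_TUNNELED_PE = http_response(FAKE_PE, gzipped=True)
SAMPLE_TEXT_PAGE = http_response(b"<html><p>section name .evil\x00 quoted in prose</p></html>", gzipped=False)
SAMPLE_TUNNELED_HTML = http_response(b"<html><script>eval(unescape('%61'))</script></html>", gzipped=True)

if __name__ == "__main__":
    for name, sample, port in (("tunneled PE", SAMPLE_TUNNELED_PE, 8080),
                               ("text page", SAMPLE_TEXT_PAGE, 80),
                               ("tunneled HTML", SAMPLE_TUNNELED_HTML, 8080)):
        print(f"{name:14s} content-aware={scan_content_aware(sample)} port-based={scan_port_based(sample, port)}")
```

Run stand-alone it prints both scanners’ verdicts for the three samples: the gzip-tunneled PE on port 8080 is caught only by the content-aware path (the port-based scanner either skips the port or sees only compressed bytes), while the text page that merely quotes the section name is a false positive only for the raw-byte scanner, which has no idea that it is matching a PE rule against prose.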

STAR PROTECTION: File

File-based Protection

File

• Malheur: increased use of a new artificial intelligence engine

– Extracts hundreds of attributes from each file

– Looks for suspicious combinations of attributes

– The endpoint uses predictive classifiers, or rules derived from them, and corroborates the verdict with Insight reputation

• The backend uses complex attributes to identify malware and releases definitions for them

– These heuristics can detect many variants and are specifically effective against polymorphic malware families

• Benefits

– Proactive: catches new 0-day threats

– Proactive: blocks threats before they have a chance to run

File-based Protection: Improved Detection Capabilities

File

• We have grown both the scale and intelligence of our backend systems that produce definitions to detect even more malware

• We have added an entirely new backend system called SCALE (Symantec Clustering and Labeling Ensembles) that clusters samples together based on their behaviors and static attributes to find new variants of threat families and produce definitions for these samples

Working Smarter: as new unlabeled samples fit the clusters of labeled samples by behavioral or static feature similarity, they inherit the cluster label.
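The label-inheritance step above, as an added example that is not SCALE’s code: labeled samples are grouped into per-family clusters of feature sets, an unlabeled sample is compared to each cluster by average Jaccard similarity over its static and behavioral features, and it inherits the label only when it fits well enough; otherwise it stays unlabeled rather than silently becoming a definition. The feature strings, family names, samples and the 0.5 threshold are constructed for the demo; SCALE’s real features, clustering algorithm and ensembles are not published here.

```python
from collections import defaultdict

# Constructed corpus: each sample is a set of static and behavioral features.
LABELED = {
    "famA_v1": ({"static:packer=upx", "static:import=CreateRemoteThread",
                 "behav:writes_run_key", "behav:connects=198.51.100.7"}, "FamilyA"),
    "famA_v2": ({"static:packer=upx", "static:import=CreateRemoteThread",
                 "behav:writes_run_key", "behav:connects=198.51.100.9",
                 "static:section=.text2"}, "FamilyA"),
    "famB_v1": ({"static:signed=no", "behav:disables_uac", "behav:changes_dns",
                 "behav:drops=svchosts.exe"}, "FamilyB"),
    "famB_v2": ({"static:signed=no", "behav:disables_uac", "behav:changes_dns",
                 "behav:drops=svch0st.exe"}, "FamilyB"),
    "clean_1": ({"static:signed=yes", "behav:adds_desktop_shortcut",
                 "behav:writes_program_files"}, "Clean"),
}

UNLABELED = {
    "new_1": {"static:packer=upx", "static:import=CreateRemoteThread",
              "behav:writes_run_key", "behav:connects=203.0.113.4"},
    "new_2": {"static:signed=no", "behav:disables_uac", "behav:changes_dns",
              "behav:drops=scvhost.exe"},
    "new_3": {"static:signed=yes", "behav:changes_dns", "behav:opens_port=4444"},
}


def jaccard(a: set, b: set) -> float:
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def build_clusters(labeled: dict) -> dict:
    """Group the labeled samples' feature sets by family label."""
    clusters = defaultdict(list)
    for features, label in labeled.values():
        clusters[label].append(features)
    return clusters


def cluster_similarity(features: set, members: list) -> float:
    """Average-linkage similarity of a sample to a cluster."""
    return sum(jaccard(features, m) for m in members) / len(members)


def label_sample(features: set, clusters: dict, threshold: float = 0.5) -> tuple:
    """Return (label, similarity). The sample inherits the label of the most similar
    cluster only if it fits well enough; otherwise it stays unlabeled (None) and
    would go to human analysis rather than straight into a definition."""
    best_label, best_sim = None, 0.0
    for label, members in clusters.items():
        sim = cluster_similarity(features, members)
        if sim > best_sim:
            best_label, best_sim = label, sim
    return (best_label, best_sim) if best_sim >= threshold else (None, best_sim)


def label_all(unlabeled: dict = UNLABELED, labeled: dict = LABELED, threshold: float = 0.5) -> dict:
    clusters = build_clusters(labeled)
    results = {}
    for name, features in unlabeled.items():
        label, sim = label_sample(features, clusters, threshold)
        results[name] = (label, round(sim, 3))
        if label is not None:
            clusters[label].append(features)  # a newly labeled variant enlarges its cluster
    return results


if __name__ == "__main__":
    for name, (label, sim) in label_all().items():
        print(f"{name}: {label or 'unlabeled'} (similarity {sim})")
```

new_1 and new_2 differ from known family members only in a C2 address and a dropped-file name, so they inherit FamilyA and FamilyB; new_3 shares one feature with each of two clusters and stays unlabeled, which is the case a backend should route to an analyst rather than guess.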

STAR PROTECTION: Reputation

Reputation-based Security

Insight - Reputation in a Nutshell

• Our Insight reputation system uses the wisdom of our hundreds of millions of users to automatically derive highly accurate safety ratings for every file on the internet

• It is an entirely different approach that requires no traditional virus signatures

Data Collection: opt in program to collect anonymous file usage data (> 210 million contributing users)

File Attribute Database: world’s largest nexus of data on executable content (> 3 billion unique program files, growing continuously)

‘Reputation’ Engine: patent pending algorithms to compute safety reputations

File Safety Reputations: a measure of how good or bad a file is; every rating is updated every 4 – 6 hours, for all files, both good and bad

It can accurately identify threats even if just a single Symantec user encounters them – and it blocks them without any signatures

Superior Protection

Our reputation system improves protection in three ways:

• It blocks entirely new malware that traditional fingerprints miss

• It ratchets up the “resolution” of our heuristics and behavior blocking

• It changes the game, killing mutated malware once and for all

– Let’s see why…

Changes the Game

As we’ve seen, hackers are mutating threats to evade fingerprints

– Fingerprint-based systems are defenseless!

On the other hand, mutated threats stick out like a sore thumb in a reputation system

– Low prevalence + Newly generated = Low reputation!

It’s a catch-22 for the virus writers

– Mutate too much = Low reputation

– Mutate too little = Easy to discover & fingerprint


STAR MOBILE INSIGHT

PRIVACY: Identify leaks of confidential data and warn about advertising

SECURITY: Top protection and be the first to spot new threats

PERFORMANCE: Improve the mobile experience (battery life, bandwidth use)

STAR PROTECTION: Behavioral

SONAR Behavioral Protection

Build an engine that ignores what the threat LOOKS LIKE, but detects threats based on what the threat DOES

File and Behavioral Heuristics

Pipeline components: Community Watch, file & behavior profiles, machine learning engine, classification rules, Symantec Security Response, LiveUpdate

• Collects millions of programs

• Over 500 million profiles, hundreds of attributes

• Analyzes patterns of good and bad programs

• Creates rules for classifying files as good or bad

• Classification rules undergo rigorous certification

• Distributed to our products

Example attributes: modifies browser homepage, changes security settings, is signed by good CA, changes DNS settings, disables UAC, adds desktop shortcut
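The attribute-combination idea from both the Malheur slide (hundreds of static attributes, suspicious combinations, corroborated with Insight reputation) and the heuristics pipeline above (behavioral attributes such as modifying the browser homepage or disabling UAC, turned into classification rules), as one added example that is not Symantec’s classifier or Malheur’s attribute set: a small static extractor (MZ header, byte entropy, signer), rules that require a combination of attributes and can be vetoed by others, and a conviction threshold that rises with the file’s reputation rating. The attribute names follow the slide; the extractor, rules, weights, entropy cutoff, samples and the reputation input are constructed for the demo.

```python
import math
from dataclasses import dataclass


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; near 8.0 for packed or encrypted content."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extract_static(data: bytes, signed_by_good_ca: bool) -> set:
    """A few static attributes of a file; a real engine extracts hundreds.
    The signature check is assumed to have been done elsewhere."""
    attrs = set()
    if data.startswith(b"MZ"):
        attrs.add("has_mz_header")
    if shannon_entropy(data) > 7.0:          # constructed cutoff for 'looks packed'
        attrs.add("high_entropy")
    if signed_by_good_ca:
        attrs.add("signed_by_good_ca")
    return attrs


@dataclass(frozen=True)
class Rule:
    name: str
    requires: frozenset      # attributes that must all be present
    excludes: frozenset      # attributes whose presence disqualifies the rule
    weight: float            # negative weight = benign pattern


# Constructed rules over the slide's attribute names.
RULES = [
    Rule("unsigned-dns-change", frozenset({"changes_dns_settings"}), frozenset({"signed_by_good_ca"}), 0.6),
    Rule("uac-and-security-off", frozenset({"disables_uac", "changes_security_settings"}), frozenset(), 0.8),
    Rule("browser-hijack", frozenset({"modifies_browser_homepage", "changes_dns_settings"}), frozenset(), 0.7),
    Rule("packed-unsigned-dropper", frozenset({"high_entropy", "has_mz_header"}), frozenset({"signed_by_good_ca"}), 0.4),
    Rule("signed-installer", frozenset({"signed_by_good_ca", "adds_desktop_shortcut"}), frozenset({"disables_uac"}), -0.5),
]


def matched_rules(attrs: set, rules=RULES) -> list:
    return [r for r in rules if r.requires <= attrs and not (r.excludes & attrs)]


def classify(attrs: set, reputation: float, rules=RULES) -> tuple:
    """Score the suspicious combinations, then corroborate with reputation: the
    conviction threshold rises with the file's Insight-style rating (0..1), so a
    widely used, long-lived file needs a stronger case than a brand-new one."""
    hits = matched_rules(attrs, rules)
    score = sum(r.weight for r in hits)
    threshold = 0.5 + reputation            # rating 0.0 -> 0.5, rating 1.0 -> 1.5
    verdict = "malicious" if score >= threshold else "clean"
    return verdict, round(score, 2), [r.name for r in hits]


# Constructed samples: (file bytes, signed by good CA?, observed behaviors, reputation).
PACKED = b"MZ" + bytes(range(256)) * 4          # flat byte distribution, entropy ~8.0
PLAIN = b"MZ" + b"\x00" * 1024                  # entropy close to 0
SAMPLES = {
    "dns_changer": (PACKED, False, {"changes_dns_settings", "modifies_browser_homepage",
                                    "disables_uac", "changes_security_settings"}, 0.0),
    "vendor_installer": (PLAIN, True, {"adds_desktop_shortcut", "changes_security_settings"}, 0.9),
    "homepage_tool_established": (PLAIN, True, {"modifies_browser_homepage", "changes_dns_settings"}, 0.95),
    "homepage_tool_first_seen": (PLAIN, True, {"modifies_browser_homepage", "changes_dns_settings"}, 0.0),
}


def classify_all(samples=SAMPLES) -> dict:
    return {name: classify(extract_static(data, signed) | behaviors, rep)
            for name, (data, signed, behaviors, rep) in samples.items()}


if __name__ == "__main__":
    for name, result in classify_all().items():
        print(f"{name:26s} {result}")
```

The two homepage tools carry identical attributes and match the same rule; only the reputation differs, and that alone flips the verdict: the widely used, long-established copy is left alone, the copy nobody has seen before is convicted. The installer’s signed-plus-shortcut pattern carries a negative weight so that a legitimate setup program touching security settings is not convicted on one attribute.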


SONAR (5th Generation) Behavioral Protection

New behavioral-detection engine with significantly improved effectiveness

• Same Enterprise UI but totally redesigned behavioral protection under the hood

Proactively detects new threats based entirely on behaviors

• Day-0 detection for Hydraq/Aurora and Stuxnet

• Sophisticated rootkits like TidServ

• Non-process Based Threats (NPTs) are stopped

Behavioral rules-based

• Customers get up-to-date protection automatically via LiveUpdate

• Coverage for APT threats like Shamoon and PoisonIvy

High-performance real-time engine

• Behaviors are monitored and assessed as they happen

• Sandboxing to insulate the system from threats

• No measurable impact on performance

Now with 1390 behaviors

STAR PROTECTION: Repair

Repair Technology

Additional options to help fix the problem:

1. Symantec Power Eraser: standalone & integrated

2. Bootable Recovery Tool: a bootable recovery disk with full detection and repair capabilities

3. Threat Specific Tools: fix tools created for specific threats, available from Security Response

Disclaimer: Any information regarding pre-release Symantec offerings, future updates or other planned modifications is subject to ongoing evaluation by Symantec and therefore subject to change. This information is provided without warranty of any kind, express or implied. Customers who purchase Symantec offerings should make their purchase decision based upon features that are currently available.


New: Dynamic Malware Analysis Service: Advanced Threat Protection with Cloud based Sandbox

• Designed to draw out VM aware malware

• Instrumented to simulate user behaviors to drive malware to execute

• Ability to observe behaviors; SONAR behavioral scoring; API based clustering; leverages global intelligence of behaviors, attack patterns, and campaigns

• Cloud based service enables elastic, fast adaptation to changing malware analysis demands & on demand queries

• Supported inputs: Portable Executables, PDF, Office docs, Java files, containers

Thank you!

Patrick Gardner [email protected]

Sourabh Satish [email protected]

Copyright © 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.