Transcript of Symantec_2-4-5 nov 2010

Page 1: Symantec_2-4-5 nov 2010

Enterprise IT Security Briefing

Bogdan Stefanescu

Presales Consultant - Symantec Romania

[email protected]

Page 2

A CRIME IS BEING COMMITTED...

Page 3

EVERY 15 MINUTES IN

PARIS.

Page 4

EVERY 3½ MINUTES IN

NEW YORK CITY.

Page 5

EVERY 2½ MINUTES IN

TOKYO.

Page 6

EVERY 2 MINUTES IN

BERLIN.

Page 7

EVERY ¼ OF A SECOND

IN CYBERSPACE.

Page 8

Changes in the Threat Landscape

Redefining Endpoint Security

From Hackers…             To Thieves
Few named variants        Overwhelming variants
Noisy and highly visible  Silent
Fame motivated            Financially motivated
Indiscriminate            Highly targeted

Page 9

On July 13 2010 a unique form of malware was discovered that was attempting to take control of industrial infrastructure around the world.

Page 10


Page 11

Symantec™ Global Intelligence Network
Identifies more threats, takes action faster & prevents impact

Information Protection: Preemptive Security Alerts, Threat Triggered Actions
Global Scope and Scale: Worldwide Coverage, 24x7 Event Logging, Rapid Detection

Attack Activity
• 240,000 sensors
• 200+ countries

Malware Intelligence
• 130M client, server, gateways monitored
• Global coverage

Vulnerabilities
• 32,000+ vulnerabilities
• 11,000 vendors
• 72,000 technologies

Spam/Phishing
• 2.5M decoy accounts
• 8B+ email messages/day
• 1B+ web requests/day

Locations: Austin, TX; Mountain View, CA; Culver City, CA; San Francisco, CA; Taipei, Taiwan; Tokyo, Japan; Dublin, Ireland; Calgary, Alberta; Chengdu, China; Chennai, India; Pune, India; Alexandria, VA; Reading, England; Sydney, AU

Page 12

Changes in the Threat Landscape

Redefining Endpoint Security

[Chart: number of signatures per period]

Source: Symantec Security Response

Page 13

The Problem

Protection is a constant challenge

• As we improve and innovate our technologies, malware authors adapt and innovate too

• Their techniques are easy – exploit, encrypt, deploy and repeat

Like a game of cat and mouse…

Page 14

Traditional, signature-based detections just can’t keep up

Page 15

Then we need something different…

Page 16

Ubiquity is something different

Page 17

The Problem

Millions of file variants (good and bad)

• So imagine that we know:

– about every file in the world today…

– and how many copies of each exist

– and which files are good and which are bad

• Now let’s order them by prevalence with

– Bad on left

– Good on the right

Page 18

The Problem

No Existing Protection Addresses the “Long Tail”

Today, both good and bad software obey a long-tail distribution.

[Chart: prevalence of bad files (left) and good files (right). Blacklisting works well for the high-prevalence bad files; whitelisting works well for the high-prevalence good files; for the long tail of low-prevalence files a new technique is needed.]

Unfortunately neither technique works well for the tens of millions of files with low prevalence. (But this is precisely where the majority of today’s malware falls.)

Page 19

Ubiquity

Could we leverage our users for Security?

• We looked at how others leverage their user communities

• They ‘ask’!

• So perhaps we should use a similar approach?

– We ask our users to rate software they use

– Over time, applications build a reputation

– Symantec products then only allow users to run programs with at least “4 stars.”

(Examples: Books, Music, Movies)

Page 20

Ubiquity

Well not so fast

• To a user, it’s not at all obvious what is safe and what is not…

– Many threats are silent, the user isn’t even aware of their presence

– Some threats hide inside legitimate processes

– Other threats pretend to be legitimate files (e.g. “AntiVirus 2010”)

This means we can’t just ‘ask’ our users for feedback!

Page 21

How it Works

Submission Servers → Reputation Servers

Data held per file: file hash, good/bad, confidence, prevalence, date first seen

1. Collect data

2. Calculate Ubiquity Safety Ratings (updated every 4 hrs)

3. Deliver Ubiquity Safety Ratings

In 2007, we started collecting data and built a massively-parallel analysis algorithm.

Analogy: Google’s PageRank™
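The data flow on this slide, as an added illustration written for this transcript (it is not Symantec's Ubiquity code): a toy per-hash safety rating built from prevalence and date first seen, with the known-good/known-bad shortcuts for the head of the distribution and the "at least 4 stars" policy from slide 19 applied to the result. The hashes, weights and thresholds are constructed assumptions.

```python
# Toy reputation scoring written for this transcript; it is not Symantec's Ubiquity algorithm.
# Models slide 21's per-hash record (good/bad verdict, confidence, prevalence, date first seen)
# and slide 19's "only run programs with at least 4 stars" policy.
import math
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class FileRecord:
    sha256: str                          # hash submitted by endpoints (constructed values below)
    prevalence: int                      # how many endpoints have reported this hash
    first_seen: date                     # date the hash was first submitted
    known_verdict: Optional[str] = None  # "good" (whitelist), "bad" (blacklist) or None

def safety_rating(rec, today, min_age_days=30, min_prevalence=1000):
    """Return (stars 0..5, confidence 0..1, reason) for one file record."""
    if rec.known_verdict == "bad":
        return 0.0, 1.0, "blacklisted"      # high-prevalence bad: blacklisting works here
    if rec.known_verdict == "good":
        return 5.0, 1.0, "whitelisted"      # high-prevalence good: whitelisting works here
    # The long tail: no verdict, so score on prevalence and age. Prevalence is long-tailed,
    # so use a log scale that saturates once min_prevalence endpoints report the hash.
    prev_score = min(1.0, math.log10(rec.prevalence + 1) / math.log10(min_prevalence + 1))
    age_score = min(1.0, max(0, (today - rec.first_seen).days) / min_age_days)
    stars = round(5.0 * (0.6 * prev_score + 0.4 * age_score), 1)
    confidence = round(prev_score * age_score, 2)   # more endpoints and more time = more evidence
    return stars, confidence, "reputation"

def policy_decision(stars, min_stars=4.0):
    """Policy-based lockdown: run only files rated at least min_stars; the rest are blocked."""
    return "allow" if stars >= min_stars else "block"

# Constructed sample telemetry (hashes are placeholders, not real indicators).
TODAY = date(2010, 11, 2)
TELEMETRY = [
    FileRecord("aa" * 32, 50_000, date(2010, 4, 1)),           # widespread, months old
    FileRecord("bb" * 32, 3, date(2010, 11, 1)),               # rare and brand new: the long tail
    FileRecord("cc" * 32, 2_000_000, date(2008, 1, 1), "good"),
    FileRecord("dd" * 32, 400, date(2010, 10, 30), "bad"),
]

if __name__ == "__main__":
    for rec in TELEMETRY:
        stars, conf, reason = safety_rating(rec, TODAY)
        print(f"{rec.sha256[:12]}... {stars:>3} stars conf={conf:<4} {reason:<11} -> {policy_decision(stars)}")
```

A rare, newly seen file scores well below the 4-star threshold with almost no confidence, which is exactly the population the slide says neither blacklisting nor whitelisting covers.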

Page 22

Five important new benefits:

1. Drastically Improved Protection

2. Policy-based lockdown

3. A Weapon Against False Positives

4. Improved performance

5. Unique endpoint visibility

Reputation

Ubiquity Benefits

Page 23

Conclusion

Ubiquity Changes the Rules of the Game

• Amplifies the protection of our current technologies

• We no longer rely solely on traditional signatures

• Use data from tens of millions of users to automatically identify otherwise invisible malware

• Shifts the odds in our favor – attackers can no longer evade us by tweaking their threats

Page 24

Empower Users

Users – given the tools to make choices

Page 25

The Challenge

Organized Criminal · Well-Meaning Insider · Malicious Insider

• Develop and Enforce IT Policies

• Protect the Information

• Manage Systems

• Protect the Infrastructure

Page 26

Develop and Enforce IT Policies

Control Compliance Suite

• Define Risk and Develop IT Policies

• Assess Infrastructure and Processes

• Report, Monitor and Demonstrate Due Care

• Remediate Problems

Page 27

Protect the Information

Data Loss Prevention Suite

• Discover Where Sensitive Information Resides

• Monitor How Data is Being Used

• Protect Sensitive Information From Loss

Page 28

Manage Systems

Altiris Total Management Suite

• Implement Secure Operating Environments

• Distribute and Enforce Patch Levels

• Automate Processes to Streamline Efficiency

• Monitor and Report on System Status

Page 29

Protect the Infrastructure

Symantec Protection Suite

• Secure Endpoints

• Protect Email and Web

• Defend Critical Internal Servers

• Backup and Recover Data

Page 30

New Challenges Require New Technologies

Organized Criminal · Malicious Insider

Protect the Infrastructure
• Lack of Visibility • Evolving Threats • Growing Complexity

Develop & Enforce IT Policies
• IT Risk Management • Cost & Complexity of Compliance • Lack of Visibility

Protect the Information
• Growth of Unstructured Data • Social Media Access • Cloud Computing

Manage Systems
• Management of HW and SW • Complexity of IT Processes • Operating System Migration

Integrated Security Platform: Open Platform, Console Unification, Security Intelligence, Dynamic Protection

Page 31

Thank You