Feature

Comment: Making protection against the impossible information security threats, possible

11 January 2010
Kevin Hogan, Symantec

The information security industry is changing and, as more and more crime is committed online, security software vendors will have no choice but to adjust. Kevin Hogan, director of Symantec’s response centre, explains how it is leading the market in responding to this shift…

Information security vendors cannot ignore the fact that the dynamics of malware are changing. The traditional signature-driven approach works well with highly prevalent threats such as CodeRed, Nimda and Conficker where many users have been impacted.

However, the threat landscape has changed significantly over the last three years. Increasingly, malware is either micro-distributed to only a handful of machines across the entire internet or is so highly variable that the exact same file is used to infect only a small number of users. At the same time, the way in which malware is used has changed, with more malware being used as part of a single attack. This has of course caused the sheer number of malicious files that need to be detected to rise: in 2008 Symantec added over 1.6 million anti-virus signatures, more than we had written in the previous 17 years.

In years past, the main approach Symantec had taken with malware was to identify suspicious files via our Global Intelligence Network, analyse them and write a signature if a file was determined to be malicious. Although we have 240 000 sensors in over 200 countries, the fact that some viruses are designed to exist for only a couple of hours or to be downloaded by one or two machines is incredibly problematic.

Rather than ignore this issue and let viruses seep through, we are tackling the problem head-on. Playing to our strengths, we have the ability to monitor malicious code intelligence from more than 130 million client, server, and gateway systems that have deployed our anti-virus products. Over eight billion email messages and over one billion web requests are processed each day across our 16 major data centres.

These resources give our analysts unparalleled sources of data by which they can analyse and identify emerging trends in attacks, malicious code activity, phishing, and spam. This means that, although it may be impossible to monitor every threat, we can catch the majority and have an unparalleled knowledge of the threats on the internet and what constitutes malware.

As the industry gets closer to a potential 'tipping point', where more new malicious programmes are being created than good programmes, we need to create new and innovative ways to tackle the criminals. With this in mind, we have recognised the need to supplement not only the classic blacklist approach but also the heuristic and behavioural technologies already in our toolkit, and have developed a reputation-based security technology that we have built from the ground up.

Symantec has moved to a model where instead of just providing information about malicious files, we will provide information about all executable files - both good and bad - to help our technology and ultimately our users make the right choices about what to run on their system.

Effectively, when a user attempts to run an unrecognised file on their computer, our security software assesses the likelihood of whether or not it could be malware. It does this by checking the file's 'reputation', which is built from anonymous data contributed by tens of millions of Norton Community Watch members, data provided by software publishers, and anonymous data contributed by enterprise customers in a data collection programme tailored to large enterprises.

The data is continually imported and fed into the reputation engine to produce a security reputation rating for each software file, all without ever having to scan the file itself. The technology uses information such as the file’s prevalence, age and other attributes to compute highly accurate reputation scores. For example, if millions of people have used a file, it is probably safe; if only ten people have run it before, the user should think twice.

By checking the reputation of a programme, a user is given the opportunity to adopt an educated approach to personal computing. Flagging an executable file as a potential threat presents the user with all the facts and therefore an additional layer of protection from unwittingly running malware. We have already integrated this advanced technology into our Norton range and we plan to add it to our enterprise product portfolio next year.

The most visible way to see this technology in action in Norton Internet Security 2010 and Norton AntiVirus 2010 is to download a new executable file off the internet. The new Download Insight feature uses the reputation information to help determine each downloaded file’s safety - the user is then informed of the file’s reputation, and bad-reputation files are automatically blocked. In addition, a user can right-click on any executable file and find out where the file came from, how many other Symantec users are using the file, when Symantec first saw the file and what the security reputation is for the file.
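The scoring the preceding paragraphs describe, as an added example that is not Symantec's own code or algorithm: a toy reputation scorer over constructed community telemetry (placeholder hashes, invented user counts, dates and origins) that turns prevalence, age and publisher signature into an allow/warn/block verdict without ever reading the file. The weights, thresholds and the use of the article's date as the evaluation day are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed community telemetry keyed by file hash (placeholder hashes, not real files).
# Each record carries the attributes the article names: prevalence, age, origin, signer.
TELEMETRY = {
    "sha256:placeholder-popular-installer": {
        "users": 3_500_000, "first_seen": date(2009, 3, 2),
        "signed_by": "Example Publisher Ltd", "origin": "downloads.example.com"},
    "sha256:placeholder-rare-dropper": {
        "users": 9, "first_seen": date(2010, 1, 10),
        "signed_by": None, "origin": "198.51.100.7"},
    "sha256:placeholder-new-utility": {
        "users": 1_200, "first_seen": date(2009, 12, 20),
        "signed_by": None, "origin": "www.example.org"},
}

@dataclass
class Reputation:
    score: int                 # 0 (worst) .. 100 (best)
    verdict: str               # "allow", "warn" or "block"
    reasons: list = field(default_factory=list)   # facts shown to the user

def score_file(file_hash, today=date(2010, 1, 11), telemetry=TELEMETRY):
    """Rate a file from telemetry alone; the file's content is never scanned."""
    # A hash nobody has reported is treated as zero prevalence and zero age.
    obs = telemetry.get(file_hash, {"users": 0, "first_seen": today,
                                    "signed_by": None, "origin": "unknown"})
    score, reasons = 50, []            # start neutral, then weigh the evidence
    users = obs["users"]
    if users >= 100:                   # assumed weights: wide use is strong evidence
        score += 40 if users >= 1_000_000 else 20 if users >= 1_000 else 0
        reasons.append(f"run by {users:,} community members")
    else:                              # micro-distributed files get a heavy penalty
        score -= 30
        reasons.append(f"only {users} community members have run this file")
    age_days = (today - obs["first_seen"]).days
    if age_days >= 180:                # long-lived files have had time to be reported
        score += 10
    elif age_days < 30:                # brand-new files are the riskiest case
        score -= 15
        reasons.append(f"first seen {age_days} day(s) ago")
    if obs["signed_by"]:               # publisher-provided data counts in the file's favour
        score += 10
        reasons.append(f"signed by {obs['signed_by']}")
    score = max(0, min(100, score))
    verdict = "allow" if score >= 70 else "block" if score < 30 else "warn"
    return Reputation(score, verdict, reasons)
```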

2010 is already set to be a challenging year in the world of IT security - with the emergence and propagation of new, fast-spreading threats. Using this reputation-based security approach, in conjunction with our global team of security specialists who monitor and blacklist malware, we plan to stay one step ahead of the criminals and protect users against tomorrow's threats, today.
