
Comment: Making protection against the impossible information security threats, possible

11 January 2010
Kevin Hogan, Symantec

The information security industry is changing, and as more and more crime is committed online, security software vendors will have no choice but to adjust. Kevin Hogan, director of Symantec’s response centre, explains how the company is leading the market in responding to this shift…

Information security vendors cannot ignore the fact that the dynamics of malware are changing. The traditional signature-driven approach works well with highly prevalent threats such as CodeRed, Nimda and Conficker where many users have been impacted.

However, the threat landscape has changed significantly over the last three years. Increasingly, malware is either micro-distributed to only a handful of machines across the entire internet, or is so highly variable that the exact same file is used to infect only a small number of users. At the same time, the way in which malware is used has changed, with more malware being used as part of a single attack. This has, of course, caused the sheer number of malicious files that need to be detected to rise: in 2008 Symantec added over 1.6 million anti-virus signatures, which was more than we had written in the previous 17 years.

In years past, the main approach Symantec took with malware was to identify suspicious files via our Global Intelligence Network, analyse them and write a signature if they were determined to be malicious. Although we have 240 000 sensors in over 200 countries, the fact that some viruses are designed to exist for only a couple of hours, or to be downloaded by only one or two machines, is incredibly problematic for that approach.

Rather than ignore this issue and let viruses seep through, we are tackling the problem head-on. Playing to our strengths, we have the ability to monitor malicious code intelligence from more than 130 million client, server, and gateway systems that have deployed our anti-virus products. Over eight billion email messages and over one billion web requests are processed each day across our 16 major data centres.

These resources give our analysts unparalleled sources of data with which they can analyse and identify emerging trends in attacks, malicious code activity, phishing, and spam. This means that, although it may be impossible to monitor every threat, we can catch the majority and have an unparalleled knowledge of the threats on the internet and of what constitutes malware.

As the industry gets closer to a potential 'tipping point', where more new malicious programmes are being created than good ones, we need to create new and innovative ways to tackle the criminals. With this in mind, we have recognised the need to supplement not only the classic blacklist approach but also the heuristic and behavioural technologies already in our toolkit, and have developed a reputation-based security technology built from the ground up.

Symantec has moved to a model where instead of just providing information about malicious files, we will provide information about all executable files - both good and bad - to help our technology and ultimately our users make the right choices about what to run on their system.

Effectively, when a user attempts to run an unrecognised file on their computer, our security software assesses the likelihood that it is malware. It does this by checking the file's 'reputation': anonymous data contributed by tens of millions of Norton Community Watch members, data provided by software publishers, and anonymous data contributed by enterprise customers through a data collection programme tailored to large enterprises.

The data is continually imported and fed into the reputation engine to produce a security reputation rating for each software file, all without ever having to scan the file itself. The technology uses information such as the file’s prevalence, age and other attributes to compute highly accurate reputation scores. For example, if millions of people have used a file then it is probably safe, but if only ten people have run it before then the user should think twice.

By checking the reputation of a programme, a user is given the opportunity to adopt an educated approach to personal computing. Flagging an executable file as a potential threat presents the user with all the facts and therefore an additional layer of protection from unwittingly running malware. We have already integrated this advanced technology into our Norton range and we plan to add it into our enterprise product portfolio next year.

The most visible way to see this technology in action in Norton Internet Security 2010 and Norton AntiVirus 2010 is to download a new executable file from the internet. The new Download Insight feature uses the reputation information to help determine each downloaded file’s safety: the user is then informed of the file’s reputation, and bad-reputation files are automatically blocked. In addition, a user can right-click on any executable file and find out where the file came from, how many other Symantec users are using it, when Symantec first saw it and what its security reputation is.
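To make the scoring idea in the two preceding paragraphs concrete, here is a toy reputation engine and download verdict written for this page; it is an added illustration, not Symantec's code. The weights, thresholds, the `flagged_by_heuristics` signal from the classic engines and the sample telemetry are all assumptions.

```python
# Toy reputation engine: weights, thresholds and signals are assumptions, not Symantec's model.
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class FileTelemetry:
    sha256: str                  # file identity (constructed placeholder value)
    prevalence: int              # distinct endpoints that have reported running the file
    first_seen: date             # date the file was first seen by the sensor network
    publisher_trusted: bool      # signed by a publisher on the vendor-supplied whitelist
    flagged_by_heuristics: bool  # hit from the classic signature/heuristic engines (assumed)

def reputation_score(t: FileTelemetry, today: date) -> int:
    # 0 = bad reputation, 100 = good; combines prevalence, age and publisher data.
    if t.flagged_by_heuristics:
        return 0                     # an existing detection dominates any reputation data
    age_days = (today - t.first_seen).days
    score = 10                       # baseline: unknown, nothing yet counts against it
    if t.prevalence >= 1_000_000:    # "millions of people have used it"
        score += 55
    elif t.prevalence >= 10_000:
        score += 35
    elif t.prevalence >= 100:        # ten users or fewer earn nothing here
        score += 15
    if age_days >= 365:              # files that have been around a long time look safer
        score += 25
    elif age_days >= 30:
        score += 10
    if t.publisher_trusted:
        score += 20
    return min(score, 100)

def download_insight_verdict(score: int) -> str:
    # Maps a score to the three outcomes the article describes for a download.
    if score >= 70:
        return "allow"               # good reputation: run without interruption
    if score > 0:
        return "warn"                # unproven file: show the user the facts first
    return "block"                   # bad reputation: blocked automatically

# Constructed sample telemetry (not real data); TODAY matches the article's date.
TODAY = date(2010, 1, 11)
SAMPLES = {
    "popular_installer": FileTelemetry("aa" * 32, 3_000_000, date(2008, 3, 1), True, False),
    "fresh_oneoff": FileTelemetry("bb" * 32, 7, date(2010, 1, 10), False, False),
    "known_bad": FileTelemetry("cc" * 32, 3, date(2010, 1, 9), False, True),
}

def assess(name: str) -> tuple:
    score = reputation_score(SAMPLES[name], TODAY)
    return score, download_insight_verdict(score)
```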

2010 is already set to be a challenging year in the world of IT security, with the emergence and propagation of new, fast-spreading threats. Using this reputation-based security approach, in conjunction with our global team of security specialists who monitor and blacklist malware, we plan to stay one step ahead of criminals and protect users against tomorrow's threats, today.
