Symantec to unveil data indexing technology

"We're collecting all of this information about who owns files, who's accessing them, and what they are doing with the information," said Joe Pasqua, senior vice president of research at Symantec. "Now we can use machine learning technology to take all of that information and start asking ourselves if anything weird is going on."

Such techniques can be used to identify insider threats, according to Pasqua, who said that it will be integrated with Symantec's data loss prevention system. It can also find out which files have been 'orphaned', after employees responsible for them have left.

"I can drill down even further with information that's provided to the data loss prevention program by Data Insight, and find out the most active user of this information," Pasqua continued, describing a typical scenario: "The owner of this document isn't used by the company anymore, no-one owns the file anymore, and yet it is being accessed by someone else."

It would then be possible to obtain an overview of how the data is being accessed. "I could say that not only have I identified a sensitive piece of information, but I can see which users are accessing it," he said.

Symantec has already integrated Data Insight with its CommandCentral storage resource management software, which will then enable administrators to link the amount of storage used by departments or employees. The system will also be integrated with Enterprise Vault, allowing administrators to automatically archive data that is owned by a current employee but which hasn't been accessed for a set period.

Pasqua also said that the company would be implementing mobile reputation-based systems, which will be used to help secure applications on mobile devices. Symantec already uses a statistical analysis system running in its own server farm, which analyses files picked up by participating client devices. It employs a range of criteria to give the file a reputation, in a marked departure from traditional signature-based scanning and heuristics.

The reputation system can give a low reputation to a file that has been individually crafted for a user by a polymorphic crimeware kit running on a malicious server, for example. Such a file may not have been seen by anyone before, and would not be picked up by a traditional signature scanner. Nevertheless, the reputation-based system would class it as risky, because it would represent an unknown entity.

The forthcoming application of the file reputation system to a mobile computing platform such as Google's Android will help to identify risky applications, Pasqua concluded.
