SR B17 | Dean Turner Director - Engineering, Global Intelligence Network Symantec Intelligence Group The Threat Landscape Continues to Change: How are You Keeping Pace? The Threat Landscape Continues to Change

SR B17 | The Threat Landscape Continues to Change: How are ...vox.veritas.com/legacyfs/online/veritasdata/SR B17.pdf · SYMANTEC VISION 2012 Agenda Symantec Intelligence – Roles,

SYMANTEC VISION 2012

Agenda

1. Symantec Intelligence – Roles, Missions and Functions

2. The Threat Landscape – Facts and Figures

3. Security Intelligence and the Symantec Global Intelligence Network

5. Questions

Symantec Security Intelligence – Roles, Missions and Functions

Symantec Intelligence Group Primary Areas of Oversight

• Global Intelligence Network

– Collection of security intelligence data from Symantec products and services as well as third-party data providers and partners

– Data collection network providing access to normalized data sets from all data sources

– Platform for the analysis, monitoring and alerting on fused security related events

• Security Intelligence Data Warehousing

– Centralization of normalized security threat intelligence across threats, products and services

– High capacity, fast response storage systems – short and long term data retention

– 24/7/365 availability of fused security intelligence data

• Security Intelligence Data Feeds

– Production and delivery of data feeds directly to Symantec customers, Symantec products and services, partners and custom solutions

– Malicious Code, Vulnerability, IP Address and URL Reputation Data Feeds

• Strategic Threat Analysis and Research

– Threat Actor profiling, threat research, custom reporting and analysis

Security Technology and Response Primary Areas of Oversight

• Technology

– Oversees R&D of security technologies across Symantec products

– Malware Engines: Antivirus, Antispyware, Intrusion Prevention, Behavioral and Heuristic Engines

– New technologies: Whitelisting, Reputation-based security, etc.

– Common components: Common Client, LiveUpdate, Decomposer, etc.

• Content

– Security updates for new threats across all products

– Signatures for all threat classes (e.g., spyware, adware, viruses, spam, etc.)

– 24/7 global support for customer threat issues

• Infrastructure

– Infrastructure to streamline all Response support operations (customer issues, sample processing, etc.)

– Vulnerability and security risk content provided through Deepsight data feeds

• Visibility

– Response website, weblog, publication of malicious trends, ISTR, global PR, etc.

Threat Landscape – Facts and Figures

The Big Numbers for 2011

5.5B Attacks blocked by Symantec +81%

403M Unique variants of malware +41%

4,597 Web attacks per day +36%

4,989 New vulnerabilities -20%

315 New mobile vulnerabilities +93%

75% Spam rate -34%

Internet Security Threat Report, Vol. 17

Four Key Trends

• Malware Attacks 81% ↑

• Targeted Attacks Expand

• Mobile Threats Expose All

• Data Breaches on Rise

Malware Attacks

Top Families Dominate Malicious Code

• 10 families account for 45% of all unique malware variants

Why is Malware Continuing to Rise?

• Attack tool kits continue to flourish

• Increased efficacy of known vulnerabilities

Targeted Attacks

Targeted Attacks by Sector

[Chart: targeted attacks by sector. Sectors listed: Government & Public Sector, Manufacturing, Finance, IT Services, Chemical & Pharmaceutical, Transport & Utilities, Non-Profit, Marketing & Media, Education, Retail. Chart values as extracted: 15%, 14%, 25%, 6%, 4%, 3%, 3%, 6%, 6%, 3%]

Mobile Threats

Mobile Malware on the Rise

• This represents families of mobile malware

• There are 3,000-4,000 variants in the wild today and growing

Mobile Threats Focus Areas for Malware Authors

• Stealing information, spying and sending SMS messages

• Malware authors porting old threats and working on new ones

• Most popular way to make money? Sending premium SMS

Data Breaches

• 232 million identities were stolen in 2011 (1.1 million/breach avg.)

On the Horizon….

What’s Ahead in 2012?

• Macs are not immune

• Targeted attacks will continue

• Attackers will capitalize on work/personal info on mobiles

• Cloud computing and mobile will force IT to rethink security

Security Intelligence and the Symantec Global Intelligence Network (GIN)

Traditional Security Intelligence – Past and Present

Fractured

• Multiple data sets, multiple owners

• Multiple:

– Physical locations

– Database platforms

– Data standards

• Limited data fusion

Coalesced

• Centralized location of refined data

• Common platform

• Codified common data standards

• Designed with data fusion in mind – correlation and analysis

Security Intelligence Lifecycle Management

• Planning – What needs to be tracked and analyzed

• Collection – Capturing relevant source data

• Analysis – Integrating, collating, evaluating, and analyzing data

• Dissemination – Providing the results of processing Data into Information

Diagram labels (in slide order): Client Directive or Symantec provided; Symantec Mission; Symantec Mission; Client Directive or Symantec provided

Symantec Global Intelligence Network (GIN): Sensors

The eyes and ears of Symantec

• Distinct and independent distributed technologies for detecting specific types of malicious behaviors including:

– Spam

– Malware

– Phishing

– Attacks

– Malware infection and transmission

– Botnet participation

– Botnet C&C

Symantec Global Intelligence Network (GIN): Events

The basic building block of intelligence analysis

• Reported instances of malicious behavior

• Reports include

– Hostile entity identifiers: IP, URL, File

– Target demographics: Industry, Location

– Behavior details: type of attack, vulnerability exploited or attempted, etc.; payloads

– Timestamp

[Diagram labels: Event Log, Sensor Host, Sensor Network, Sensor]

Symantec Global Intelligence Network (GIN): Analysis - Outputs

Normalized, Fused & Actionable

• Normalized

– Raw data loaded from sensor networks stored in a single database

– Outliers, FPs and FNs discarded – vetted, high value data

• Fused

– Multiple data sets queried to provide event related data

– Event data cross-correlated and fused into event analysis

– Event analysis provided to multiple platforms

• Actionable

– Deepsight Portal

– Deepsight Data Feeds – direct to customer

– Deepsight Data Feeds – direct to internal product/service

– Custom Security Reports: Sales generated, Incident generated, Services generated

Global Intelligence Network

[Diagram. Stages: Global Data Collection; Big Data Analytics; DeepSight Delivery Models. Component labels: Intelligence Feeds, Hosted Intelligence, Attack Quarantine System, Endpoints, Gateways, 3rd Party Affiliates, Global Sensor Network, DeepSight, Honeypots, Analytics, Warehouse, Analysts]

IP and URL Reputation

• How do I know whether information from my end users is going to legitimate IP addresses and URLs, or whether devices in my environment are trying to connect to botnets?

• Where will the next attack come from, and is it possible to proactively prepare for the next wave of attacks?

• Who are the attack actors trying to gain access to my network or my customers?

IP Reputation

• The IP reputation Datafeed is designed to provide customers with:

– The ability to leverage the power of Symantec’s Global Intelligence Network to act as their sensors in a connected world.

– An XML format and schema that will be consumable by mission critical systems.

– Insight into the types of activities that specific IP addresses are performing.

– Data that can be accessed daily to provide fresh details on what can be expected that day.

URL Reputation

• The URL reputation Datafeed is designed to provide customers with:

– The ability to leverage the power of Symantec’s Global Intelligence Network to act as their sensors in a connected world.

– An XML format and schema that will be consumable by mission critical systems; CSV and CEF formats are also in testing.

– Insight into the types of activities that specific URLs are performing.

– Data that can be accessed daily to provide fresh details on what can be expected that day.

Discover the Power of Security Intelligence…

• Know what threats are likely to impact you

• Know who is likely to target you

• Dynamically update your security policies based on changes in the threat landscape

• Make sure your security infrastructure is performing optimally – feed it with data

Thank you!

SYMANTEC PROPRIETARY/CONFIDENTIAL – INTERNAL USE ONLY Copyright © 2012 Symantec Corporation. All rights reserved.

Dean Turner
