SR B17 |
Dean Turner, Director – Engineering, Global Intelligence Network, Symantec Intelligence Group
The Threat Landscape Continues to Change: How are You Keeping Pace?
The Threat Landscape Continues to Change
SYMANTEC VISION 2012
Agenda
1. Symantec Intelligence – Roles, Missions and Functions
2. The Threat Landscape – Facts and Figures
3. Security Intelligence and the Symantec Global Intelligence Network
5. Questions
Symantec Security Intelligence – Roles, Missions and Functions
Symantec Intelligence Group Primary Areas of Oversight
• Global Intelligence Network
– Collection of security intelligence data from Symantec products and services as well as third-party data providers and partners
– Data collection network providing access to normalized data sets from all data sources
– Platform for the analysis, monitoring and alerting on fused security related events
• Security Intelligence Data Warehousing
– Centralization of normalized security threat intelligence across threats, products and services
– High capacity, fast response storage systems – short and long term data retention
– 24/7/365 availability of fused security intelligence data
• Security Intelligence Data Feeds
– Production and delivery of data feeds directly to Symantec customers, Symantec products and services, partners and custom solutions
– Malicious Code, Vulnerability, IP Address and URL Reputation Data Feeds
• Strategic Threat Analysis and Research
– Threat Actor profiling, threat research, custom reporting and analysis
Security Technology and Response Primary Areas of Oversight
• Technology
– Oversees R&D of security technologies across Symantec products
– Malware Engines: Antivirus, Antispyware, Intrusion Prevention, Behavioral and Heuristic Engines
– New technologies: Whitelisting, Reputation-based security, etc.
– Common components: Common Client, LiveUpdate, Decomposer, etc.
• Content
– Security updates for new threats across all products
– Signatures for all threat classes (e.g., spyware, adware, viruses, spam, etc.)
– 24/7 global support for customer threat issues
• Infrastructure
– Infrastructure to streamline all Response support operations (customer issues, sample processing, etc.)
– Vulnerability and security risk content provided through Deepsight data feeds
• Visibility
– Response website, weblog, publication of malicious trends, ISTR, global PR, etc.
Threat Landscape – Facts and Figures
The Big Numbers for 2011
• 5.5B attacks blocked by Symantec (+81%)
• 403M unique variants of malware (+41%)
• 4,597 web attacks per day (+36%)
• 4,989 new vulnerabilities (-20%)
• 315 new mobile vulnerabilities (+93%)
• 75% spam rate (-34%)
Internet Security Threat Report, Vol. 17
Four Key Trends
• Malware Attacks (81% ↑)
• Targeted Attacks Expand
• Mobile Threats Expose All
• Data Breaches on Rise
Internet Security Threat Report, Vol. 17
Malware Attacks
Top Families Dominate Malicious Code
• 10 families account for 45% of all unique malware variants
Internet Security Threat Report, Vol. 17
Why is Malware Continuing to Rise?
• Attack tool kits continue to flourish
• Increased efficacy of known vulnerabilities
Internet Security Threat Report, Vol. 17
Targeted Attacks
Targeted Attacks by Sector
[Chart: share of targeted attacks by sector – Government & Public Sector, Manufacturing, Finance, IT Services, Chemical & Pharmaceutical, Transport & Utilities, Non-Profit, Marketing & Media, Education, Retail. Percentage labels shown on the chart: 25%, 15%, 14%, 13%, 6%, 6%, 6%, 4%, 3%, 3%, 3%.]
Internet Security Threat Report, Vol. 17
Mobile Threats
Mobile Malware on the Rise
• This represents families of mobile malware
• There are 3,000-4,000 variants in the wild today and growing
Internet Security Threat Report, Vol. 17
Mobile Threats Focus Areas for Malware Authors
• Stealing information, spying and sending SMS messages
• Malware authors porting old threats and working on new ones
• Most popular way to make money? Sending premium SMS
Internet Security Threat Report, Vol. 17
Data Breaches
• 232 million identities were stolen in 2011 (1.1 million/breach avg.)
Internet Security Threat Report, Vol. 17
On the Horizon…
What’s Ahead in 2012?
• Macs are not immune
• Targeted attacks will continue
• Attackers will capitalize on work/personal info on mobiles
• Cloud computing and mobile will force IT to rethink security
Internet Security Threat Report, Vol. 17
Security Intelligence and the Symantec Global Intelligence Network (GIN)
Traditional Security Intelligence – Past and Present
Fractured
• Multiple data sets, multiple owners
• Multiple:
– Physical locations
– Database platforms
– Data standards
• Limited data fusion
Coalesced
• Centralized location of refined data
• Common platform
• Codified common data standards
• Designed with data fusion in mind – correlation and analysis
Security Intelligence Lifecycle Management
• Planning – what needs to be tracked and analyzed (client directive or Symantec provided)
• Collection – capturing relevant source data (Symantec mission)
• Analysis – integrating, collating, evaluating, and analyzing data (Symantec mission)
• Dissemination – providing the results of processing data into information (client directive or Symantec provided)
Symantec Global Intelligence Network (GIN) – Sensors
The eyes and ears of Symantec
• Distinct and independent distributed technologies for detecting specific types of malicious behaviors, including:
– Spam
– Malware
– Phishing
– Attacks
– Malware infection and transmission
– Botnet participation
– Botnet C&C
Symantec Global Intelligence Network (GIN) – Events
The basic building block of intelligence analysis
• Reported instances of malicious behavior
• Reports include:
– Hostile entity identifiers
• IP
• URL
• File
– Target demographics
• Industry
• Location
– Behavior details
• Type of attack, vulnerability exploited or attempted, etc.
• Payloads
– Timestamp
[Diagram: sensor hosts and sensor networks feeding a central event log]
Symantec Global Intelligence Network (GIN) – Analysis Outputs
Normalized, Fused & Actionable
• Normalized
– Raw data loaded from sensor networks is stored in a single database
– Outliers, FPs and FNs discarded – vetted, high-value data
• Fused
– Multiple data sets queried to provide event-related data
– Event data cross-correlated and fused into event analysis
– Event analysis provided to multiple platforms
• Actionable
– Deepsight Portal
– Deepsight Data Feeds – direct to customer
– Deepsight Data Feeds – direct to internal product/service
– Custom Security Reports
• Sales generated
• Incident generated
• Services generated
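The normalize, vet and fuse steps described on the Events and Analysis Outputs slides, as an added Python example that is not Symantec code: it takes constructed reports from three hypothetical sensor technologies (the field names, sensor names and sample values are assumptions made for this example), maps them onto the common event fields the Events slide lists (hostile identifiers, target demographics, behavior, timestamp), discards sensor-flagged false positives and outlier source addresses, and fuses the survivors per hostile IP so an analyst can see how many independent sensor types corroborate each entity and over what time window.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional
import ipaddress

# Constructed reports from three hypothetical sensor technologies; field names are
# assumptions for this example, not a GIN or DeepSight schema. 203.0.113.0/24 and
# 198.51.100.0/24 are RFC 5737 documentation ranges standing in for attacker addresses.
RAW_REPORTS = [
    {"sensor": "network-ips", "src": "203.0.113.7", "sig": "HTTP Exploit Attempt",
     "dst_industry": "Finance", "dst_country": "US", "ts": "2012-05-07T10:15:00Z"},
    {"sensor": "web-gateway", "client_ip": "203.0.113.7", "url": "http://malware.example/kit.php",
     "industry": "Manufacturing", "geo": "DE", "time": 1336385100},
    {"sensor": "endpoint-av", "remote": "203.0.113.7", "sha256": "0" * 64, "threat": "Trojan.Example",
     "org_industry": "Finance", "org_country": "US", "seen": "2012-05-07 11:02:00", "false_positive": True},
    {"sensor": "network-ips", "src": "10.0.0.5", "sig": "Port Scan",  # internal source: outlier
     "dst_industry": "Retail", "dst_country": "FR", "ts": "2012-05-07T12:00:00Z"},
    {"sensor": "endpoint-av", "remote": "198.51.100.9", "sha256": "1" * 64, "threat": "Backdoor.Example",
     "org_industry": "Education", "org_country": "GB", "seen": "2012-05-07 13:30:00"},
]
# A real external attacker cannot come from these ranges; such reports are outliers.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

@dataclass
class Event:
    """One normalized event: hostile identifiers, target demographics, behavior, timestamp."""
    sensor: str
    timestamp: datetime
    ip: Optional[str] = None
    url: Optional[str] = None
    file_hash: Optional[str] = None
    industry: str = "unknown"
    location: str = "unknown"
    behavior: str = "unknown"

@dataclass
class FusedEntity:
    """Everything the vetted events say about one hostile IP."""
    ip: str
    sensors: set = field(default_factory=set)      # len() == independent corroborating sensor types
    industries: set = field(default_factory=set)
    behaviors: set = field(default_factory=set)
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None

def parse_time(value) -> datetime:
    """Accept epoch seconds, ISO-8601 with 'Z', or naive 'YYYY-MM-DD HH:MM:SS' (taken as UTC)."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    dt = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def normalize(raw: dict) -> Event:
    """Map each sensor's native field names onto the common event fields."""
    kind = raw["sensor"]
    if kind == "network-ips":
        return Event(kind, parse_time(raw["ts"]), ip=raw["src"], industry=raw["dst_industry"],
                     location=raw["dst_country"], behavior=raw["sig"])
    if kind == "web-gateway":
        return Event(kind, parse_time(raw["time"]), ip=raw["client_ip"], url=raw["url"],
                     industry=raw["industry"], location=raw["geo"], behavior="malicious-url")
    if kind == "endpoint-av":
        return Event(kind, parse_time(raw["seen"]), ip=raw["remote"], file_hash=raw["sha256"],
                     industry=raw["org_industry"], location=raw["org_country"], behavior=raw["threat"])
    raise ValueError(f"unknown sensor type {kind!r}")

def is_vetted(raw: dict, event: Event) -> bool:
    """Vetting step: drop sensor-flagged false positives and outlier source addresses."""
    if raw.get("false_positive"):
        return False
    return not (event.ip and any(ipaddress.ip_address(event.ip) in n for n in INTERNAL_NETS))

def normalize_and_vet(raw_reports) -> list:
    """Single-schema view of every report, minus the rejects."""
    return [ev for raw in raw_reports for ev in [normalize(raw)] if is_vetted(raw, ev)]

def fuse(events) -> list:
    """Cross-correlate events by hostile IP; most-corroborated entities first."""
    fused = {}
    for ev in events:
        if not ev.ip:
            continue
        ent = fused.setdefault(ev.ip, FusedEntity(ev.ip))
        ent.sensors.add(ev.sensor)
        ent.industries.add(ev.industry)
        ent.behaviors.add(ev.behavior)
        ent.first_seen = min(t for t in (ent.first_seen, ev.timestamp) if t)
        ent.last_seen = max(t for t in (ent.last_seen, ev.timestamp) if t)
    return sorted(fused.values(), key=lambda e: (-len(e.sensors), e.ip))

if __name__ == "__main__":
    for ent in fuse(normalize_and_vet(RAW_REPORTS)):
        print(ent.ip, len(ent.sensors), sorted(ent.sensors), sorted(ent.industries), ent.first_seen, ent.last_seen)
```

Two design points carry over to any real pipeline: every timestamp is forced to a timezone-aware UTC value before fusion, since sensors in different locations otherwise produce first-seen/last-seen windows that cannot be compared, and the false-positive flag is consumed at the vetting stage rather than downstream, so a retracted detection never inflates an entity's corroboration count.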
[Diagram: Global Intelligence Network pipeline – Global Data Collection, Big Data Analytics, DeepSight Delivery. Elements shown: Endpoints, Gateways, 3rd Party Affiliates, Global Sensor Network, Honeypots, Attack Quarantine System, Models, Analytics, Warehouse, Analysts, Intelligence Feeds, Hosted Intelligence, DeepSight.]
IP and URL Reputation
• How do I know whether information from my end users is going to legitimate IP addresses and URLs, or whether devices in my environment are trying to connect to botnets?
• Where will the next attack come from? Is it possible to proactively prepare for the next wave of attacks?
• Who are the attack actors trying to gain access to my network or my customers?
IP Reputation
• The IP reputation Datafeed is designed to provide customers with:
– The ability to leverage the power of Symantec’s Global Intelligence Network to act as their sensors in a connected world.
– An XML format and schema that will be consumable by mission critical systems.
– Insight into the types of activities that specific IP addresses are performing.
– Data that can be accessed daily to provide fresh details on what can be expected that day.
URL Reputation
• The URL reputation Datafeed is designed to provide customers with:
– The ability to leverage the power of Symantec’s Global Intelligence Network to act as their sensors in a connected world.
– An XML format and schema that will be consumable by mission critical systems; CSV and CEF formats are also in testing.
– Insight into the types of activities that specific URLs are performing.
– Data that can be accessed daily to provide fresh details on what can be expected that day.
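A defender-side consumer of a daily IP and URL reputation feed, as an added Python example that is not Symantec code and does not reproduce the DeepSight schema: the XML element and attribute names, the feed entries and the proxy log lines below are all constructed for this example. It loads the feed into IP and URL lookup tables, checks the feed's age against the daily cadence the slides describe, and flags proxy log lines whose destination host or canonical URL is on the list, with an optional minimum-confidence threshold. This is the kind of check behind the "are devices in my environment trying to connect to botnets?" question on the IP and URL Reputation slide.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed feed in a HYPOTHETICAL XML layout; the real DeepSight schema is not
# reproduced here and these element/attribute names are assumptions.
FEED_XML = """<reputation generated="2012-05-07T06:00:00Z">
  <ip address="203.0.113.7" activity="bot-command-and-control" confidence="90"/>
  <ip address="198.51.100.9" activity="attack-source" confidence="60"/>
  <url value="http://malware.example/kit.php" activity="malware-distribution" confidence="85"/>
  <url value="http://phish.example/login" activity="phishing" confidence="70"/>
</reputation>
"""

# Constructed proxy log: timestamp, client, method, URL, bytes.
PROXY_LOG = """\
2012-05-07T09:12:01Z 192.168.1.20 GET http://www.example.com/index.html 1200
2012-05-07T09:12:44Z 192.168.1.21 GET http://malware.example/kit.php 48213
2012-05-07T09:13:10Z 192.168.1.22 CONNECT http://203.0.113.7:443/ 310
2012-05-07T09:14:05Z 192.168.1.20 GET http://phish.example/login?u=bob 887
"""

def parse_time(text):
    """ISO-8601 with a trailing Z -> timezone-aware UTC datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def normalize_url(url):
    """Canonical form used on both sides of the match: scheme://host/path with the
    query dropped and the host lower-cased. Returns (canonical_url, host)."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    return f"{p.scheme.lower()}://{host}{p.path or '/'}", host

def load_feed(xml_text):
    """Parse the feed into (generated_at, {ip: entry}, {canonical_url: entry})."""
    root = ET.fromstring(xml_text)
    generated = parse_time(root.get("generated"))
    ips, urls = {}, {}
    for el in root.iter("ip"):
        ips[el.get("address")] = {"activity": el.get("activity"), "confidence": int(el.get("confidence"))}
    for el in root.iter("url"):
        canon, _ = normalize_url(el.get("value"))
        urls[canon] = {"activity": el.get("activity"), "confidence": int(el.get("confidence"))}
    return generated, ips, urls

def feed_is_fresh(generated, now, max_age=timedelta(days=1)):
    """A daily feed older than max_age is stale: its verdicts deserve less trust."""
    return now - generated <= max_age

def match_log(log_text, ips, urls, min_confidence=0):
    """Return one hit per log line whose destination host or canonical URL is on the feed."""
    hits = []
    for line in log_text.splitlines():
        ts, client, method, url, _bytes = line.split()
        canon, host = normalize_url(url)
        entry, indicator = None, None
        if host in ips:                      # destination is a listed IP (CONNECT to a raw address)
            entry, indicator = ips[host], host
        elif canon in urls:                  # destination URL matches after canonicalization
            entry, indicator = urls[canon], canon
        if entry and entry["confidence"] >= min_confidence:
            hits.append({"time": ts, "client": client, "indicator": indicator,
                         "activity": entry["activity"], "confidence": entry["confidence"]})
    return hits

if __name__ == "__main__":
    generated, ips, urls = load_feed(FEED_XML)
    # The constructed feed is dated 2012, so against the real clock it reports as stale.
    print("feed fresh:", feed_is_fresh(generated, datetime.now(timezone.utc)))
    for hit in match_log(PROXY_LOG, ips, urls):
        print(hit)
```

The URL match strips the query string before comparing, so a phishing page reached with a per-victim parameter still matches the listed entry, while a destination given as a bare IP is matched against the IP table. The freshness check is worth keeping in any real deployment: a feed meant to be pulled daily that is several days old should lower the trust placed in blocking decisions, not silently keep driving them.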
Discover the Power of Security Intelligence…
• Know what threats are likely to impact you
• Know who is likely to target you
• Dynamically update your security policies based on changes in the threat landscape
• Make sure your security infrastructure is performing optimally – feed it with data
Thank you!
SYMANTEC PROPRIETARY/CONFIDENTIAL – INTERNAL USE ONLY Copyright © 2012 Symantec Corporation. All rights reserved.
Dean Turner