Behind the Yellow Curtain Symantec s Proactive Protection and Detection Technology

Transcription

1 Behind the Yellow Curtain Symantec s Proactive Protection and Detection Technology Patrick Gardner VP Engineering Sourabh Satish Distinguished Engineer 1

2 A Feedback Loop: Products and Big Data Intelligence All products collect and submit telemetry data (opt in) Data is all warehoused in a central system for analysis Develop Allows for rapid human and machine driven iterations of protection Analyze Deploy Enables more aggressive content development Monitor 2

3 SYMANTEC DATA ANALYTICS PLATFORM Raw features Big Data System Intelligence driven applications Examples: Downloads Web site visits Intrusion alerts Malware alerts Behaviors File appearance Crashes Symantec Data Analytics Platform trillion rows of data 55,000 rows added every second File URL Crash Behavior Forms SONAR engine File Insight Scam Insight URL Insight Crash Ratings Intelligence 3

4 Security Technology and Response (STAR ) Layers of Protection Reputation Network S TA R P R O T E C T I O N File Behavioral Repair 4

5 STAR PROTECTION: Network File Reputation Behavioral Repair Stops malware as it travels over the network and tries to take up residence on a system Protocol aware IPS Browser Protection Looks for and eradicates malware that has already taken up residence on a system Antivirus Engine Auto Protect Malheur Establishes information about entities e.g. websites, files, IP addresses to be used in effective security Domain Reputation File Reputation Looks at processes as they execute and uses malicious behaviors to indicate the presence of malware SONAR Behavioral Signatures Aggressive tools for hard to remove infections Boot to a clean OS Power Eraser uses aggressive heuristics Threat-specific tools 5

6 Network Threat Protection Reputation Network S T A R P R O T E C T I O N File Behavioral Repair 6

7 Network Threat Protection blocks today s most critical threats Protect Against Drive-by Downloads that install APTs Prevent Social Engineering Attacks Find Infected Systems with Post Infection Protection Prevent Social Media Attacks Protect Against Unpatched Vulnerabilities Hundreds of Millions of threats are stopped with this technology 7

8 How Network Threat Protection Works Identify Parse Scan 8

9 How Network Threat Protection Works Identify Identify Problem: Network Protocols are all layered or Tunneled Web, IM and multi-media content is all tunneled over HTTP Solution: Knowing what content is being protected is key to providing accurate protection Identifying and labeling content is a necessary first step Differentiator: The IPS engine has awesome port agnostic content identification for over 200 protocols and file types Parse Scan 9

10 How Network Threat Protection Works Parse Identify Problem: Scanning an entire file or protocol stream is expensive for performance reasons Certain information must be cached for later use to determine maliciousness Solution: Parsers decode protocol streams or files based on their specification While decoding, parsers skip to relevant portions and cache decoded information Differentiator: This helps with performance of the engine and accuracy of detection Can inspect encoded content (i.e. GZIP, UTF, ) Parse Scan 10

11 How Network Threat Protection Works Scan Identify Problem: Using TCP ports to determine what signatures to apply is prone to FPs and performance degradation Other security vendors can t accurately identify what protocol they are scanning Competitors apply thousands of signatures based on network ports and thousands of irrelevant signatures Parse Scan Solution: Symantec s IPS solution selects the minimum set of signatures to scan with since our engines are protocol aware Information cached from parsers is used while scanning Differentiator: Highly accurate and fast engine Minimizes False Positives 11

12 What makes this better? Precision! A tradition IPS engine like SNORT does not have the Identification and Parse functionality This means they have to blindly scan each packet with all signatures - Leads to slow performance - Leads to FPs due to a lack of context - Can not properly inspect tunneled content With Identify, Parse and Scan Symantec can write precise signatures for a specific vulnerability We can look for a vulnerability in the exact application, file and protocol that it applies rather than in every network packet 12

13 Reputation Network S T A R P R O T E C T I O N File Behavioral Repair 13

14 File-based Protection File Malheur - Increased use of a new Artificial Intelligence engine Extracts 100 s of attributes from each file Looks for suspicious combinations of attributes Endpoint uses predictive classifiers or rules derived from them and corroborates with leverages Insight Reputation Backend uses complex attributes to identify malware and releases definitions for them These heuristics can detect many variants and are specifically effective at polymorphic malware families Benefits Proactive catches new 0-day threats Proactive blocks threats before they have a chance to run 14

15 File-based Protection Improved Detection Capabilities We have grown both the scale and intelligence of our backend systems that produce definitions to detect even more malware File Working Smarter We have added an entirely new backend system called SCALE (Symantec Clustering and Labeling Ensembles) that clusters samples together based on their behaviors and static attributes to find new variants of threat families and produce definitions for these samples Labeled Samples New Label New Label As new unlabeled samples fit the clusters of labeled samples by behavioral or static feature similarity, they inherit the cluster label. Unlabeled Samples 15

16 Reputation Network S T A R P R O T E C T I O N File Behavioral Repair 16

17 Reputation-based Security Insight - Reputation in a Nutshell Our Insight reputation system uses the wisdom of our hundreds of millions of users to automatically derive highly accurate safety ratings for every file on the internet It is an entirely different approach to that requires no traditional virus signatures Reputation Data Collection Opt in program to collect anonymous file usage data File Attribute Database World s largest nexus of data on executable content Reputation Engine Patent pending algorithms to compute safety reputations File Safety Reputations A measure of how good or bad a file is > 210 Million Contributing Users >3 B unique program files, growing continuously Updates every rating every 4 6 hours For all files, both good and bad It can accurately identify threats even if just a single Symantec user encounters them and it blocks them without any signatures 17

18 Superior Protection Our reputation system improves protection in three ways: It blocks entirely new malware that traditional fingerprints miss It ratchets up the resolution of our heuristics and behavior blocking Changes the game, killing mutated malware once and for all Let s see why 18

19 Changes the Game As we ve seen, Hackers are mutating threats to evade fingerprints Fingerprint-based systems are defenseless! On the other hand, mutated threats stick out like a sore thumb in a reputation system Low prevalence + Newly generated = Low reputation! It s a catch-22 for the virus writers Mutate too much = Low reputation Mutate too little = Easy to discover & fingerprint 19

20 STAR MOBILE INSIGHT S E C U R I T Y P R I V A C Y P E R F O R M A N C E Top protection and be the first to spot new threats Identify leaks of confidential data and warn about advertising Improve the mobile experience (battery life, bandwidth use) 20

21 Reputation Network S TA R P R OT EC T I O N File Behavioral Repair 21

22 SONAR Behavioral Protection Build an engine that ignores what the threat LOOKS LIKE But detects threats based on what the threat DOES 22

23 File and Behavioral Heuristics Collects millions of programs Community Watch File & behavior profiles Over 500 million profiles, hundreds of attributes Machine learning engine Analyzes patterns of good and bad programs Changes DNS settings Modifies browser homepage Disables UAC Changes security settings Adds desktop shortcut Is signed by good CA Distributed to our products LiveUpdate Symantec Security Response Classification rules undergo rigorous certification Classification rules Creates rules for classifying files as good or bad 23

24 SONAR Behavioral Protection SONAR (5 th Generation) Behavioral Protection New Behavioral-detection engine with significantly improved effectiveness Same Enterprise UI but totally redesigned behavioral protection under the hood Proactively detects new threats based entirely on Behaviors Day-0 detection for Hydraq/Aurora and StuxNet Sophisticated Rootkits like TidServ Non-process Based Threats (NPT s) are stopped Behavioral Rules-based Customers get up-to-date protection automatically via Liveupdate Coverage for APT like Shamoon PoisonIvy High-Performance real-time engine Behaviors are monitored and assessed as they happen Sandboxing to insulate system from threats No measurable impact on performance Now with 1390 Behaviors 24

25 Reputation Network S TA R P R OT EC T I O N File Behavioral Repair 25

26 Repair Technology Repair Additional options to help fix the problem: 1. Symantec Power Eraser standalone & integrated 2. Bootable Recovery Tool A bootable recovery disk with full detection and repair capabilities 3. Threat Specific Tools Fix tools created for specific threats available from Security Response 26

27 Disclaimer: Any information regarding prerelease Symantec offerings, future updates or other planned modifications is subject to ongoing evaluation by Symantec and therefore subject to change. This information is provided without warranty of any kind, express or implied. Customers who purchase Symantec offerings should make their purchase decision based upon features that are currently available. 27

28 New: Dynamic Malware Analysis Service Advanced Threat Protection with Cloud based Sandbox Designed to draw out VM aware malware Instrumented to simulate user behaviors to drive malware to execute Ability to observe behaviors; SONAR behavioral scoring; API based clustering; Leverages global intelligence of behaviors, attack patterns, and campaigns Cloud based service enables elastic, fast adoption to changing malware analysis demands & on demand queries Portable Executables, PDF, Office docs, Java files, containers 28

29 Thank you! Please take a few minutes to fill out the short session survey available on the mobile app the survey will be available in the mobile app shortly after the session ends. And then watch for and complete the more extensive post-event survey that will arrive via a few days after the conference. To download the app, go to or search for Vision 2014 in the itunes or Android stores. 29

30 Thank you! Patrick Gardner Sourabh Satish Copyright 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. 30