A leading antivirus software company outsmarts viruses and malware and makes the Internet safer.


Technosoft's Threat Researchers improve detection, reduce customer escalations and are at the forefront of rapid zero-day responses.

Technosoft Case Study, Nov 2012. Beyond possible.

the client

Our client is a global leader in malware detection and anti-crimeware solutions, and their products are used by over 50,000 businesses and four million consumers worldwide.

situation and impact

Our client's portfolio of security products, comprising antivirus, anti-spyware and anti-malware, faced significant competition in a crowded marketplace, which in turn was having an impact on its leadership position. The need therefore was continuous improvement in detection and disinfection rates, coupled with a proactive approach to detecting zero-day malware and advanced persistent threats (APTs). This was crucial to their twin objectives of increasing customer satisfaction and winning new customers.

The products need to prevent, detect and remove malware of all descriptions, employing a variety of techniques. The success of antivirus software (where heuristic detection is employed) depends on achieving the right balance between false positives and false negatives. However, the greatest challenge is the threat posed by new malware for which no known signature yet exists.

the technosoft approach

Early on, we recognized that the four pillars to maintaining leadership position and competitive edge were:
- Improve the detection/disinfection rate without affecting the performance of the engine
- Reduce both false positives and false negatives
- Detect zero-day malware and advanced persistent threats
- Handle customer escalations within the specified SLA

Technosoft was chosen as the partner of choice given our track record in threat research, which included identifying the latest threats in the wild, active persistent threats and zero-day malware, along with expertise in URL categorization and clean file collection. We proposed a model in which our team of Threat Researchers would be given access to the malware collection repository, would analyze each sample to determine whether it was malicious, and would subsequently develop the signature for detection.

Technosoft quickly formed a seed team that was ramped up to 18 experts in less than 8 weeks. The team consisted of 1 Project Manager, 7 Senior Researchers and 11 Researchers, whose combined skills spanned the entire spectrum of threat research: static and dynamic analysis of samples, including advanced persistent threats (APTs) and polymorphic cryptors/viruses; signature creation (checksum-based and generic) for malware; IDS/IPS rule creation and maintenance; URL categorization; and malware collection, including zero-day malware and APTs.

[Team structure diagram: Project Manager (client interface, requirements scoping and team oversight); Senior Researchers (malware analysis, CRC and generic signatures, blogs and end-customer escalations); Researchers (analyzing malware, CRC signatures).]

proposed solution

As previously mentioned, access was given to the client's Collection Handling System (CHS), which picked up malware samples from various sources and assigned a priority for analysis and signature creation.

[Sample flow diagram: sources (user emails a suspicious file, remote access to a suspicious file, honeypot, client's labs, client's support teams, forums, other security vendors) feed the Collection Handling System; Technosoft's role covers sample analysis and signature creation; the output is the release of DAT files (signature definition update).]

The CHS provided all information on the sample, including the checksum, the source, whether it had been detected by other competing products, priority, etc. The samples were downloaded and moved to a Dirt Lab, a controlled and isolated virtual environment dedicated to malware research and testing, policy creation, and maintenance of content filter/firewall/application control.

[Dirt Lab diagram: Collection Handling System and Signature Updating System; a Vista virtual environment with Research PC1, Research PC2 and Research PC3 on a Red Network (dedicated network for malware analysis); and a physical machine to analyze anti-VM samples.]

Here dynamic analysis was performed, and behavior such as registry modifications, file and folder changes, network activity and process creation was observed. Tools used included behavior monitoring tools (Procmon, Regshot, InCtrl5, Process Explorer) and network monitoring tools (Wireshark, TCPView). Based on the report generated, the threat researcher decided whether the sample was a legitimate file or malware. In certain instances, the malware sample recognized the system as an analysis system and did not exhibit any activity; the workaround was to run the sample on a physical machine to trigger it.

Static analysis is then performed on the malware sample with the help of debuggers such as OllyDbg, IDA Pro and WinDbg. Signatures are then developed and can be of two types: 1:1 or 1:many (targeting a family). These are written in our client's proprietary language, VDL (Virus Description Language); the signature is then compiled and the DAT file is produced. A critical step here is a cross-check against Technosoft's clean file database to ensure no legitimate files are detected as malware (false positives). Once the signature has been signed off by the senior researcher, it is pushed into the signature database, which in turn is pushed out to end customers twice a day.

The expertise and experience of the team are reflected in the rapid pace at which signatures are developed: typically in less than 1 hour, with a capability to develop over 600 signatures a week. To date, over 11,000 signatures have been created and several hundred thousand samples analyzed.

project factfile

Team size of 18; clean file collection database of 200,000 safe files; SLA adherence of 4 hours; over 11,000 signatures developed; dedicated Dirt Lab; behavior analysis tools; VDL (Virus Description Language).

beyond possible

Went over and beyond what was expected by proactively creating a clean file database of nearly 200,000 safe files, which was then scanned by every single signature developed by the team. This dramatically reduced false positive detections, which increased the productivity of our client's teams while reducing customer support calls.

This team added value in several other ways:
- Certification support: supported our client for the ITW certification, awarded in recognition of a product's detection rate, performance, false positive testing and usability. Thanks to our team, our client's products were able to detect 100% of threats in the wild.
- Creating and maintaining a clean file database of over 200,000 safe files and scanning them against the signatures created on a regular basis to eliminate false positives
- Updating the virus encyclopaedia with the latest threats and underlying technologies
- Creating and maintaining process flow documents for various internal processes, with expected problems and solutions
- Periodic posts on our client's blog covering new techniques used by malware and zero-day responses

outcomes realized

- Improved the detection rate by adding nearly 100 generic signatures for major malware families
- Reduced customer escalations by processing nearly 15,000 samples in less than three months, in the process reducing the backlog of undetected files by 50%
- All customer escalations handled within the stringent SLA of 4 hours
- Reduced the number of false positives and false negatives

workflow

[Workflow flowchart, with these steps: Download samples from CHS; Replicate the samples; Already detected? (Detected: Conclude in CHS. Not detected: Replicate the original, Collect the payload files, Scan payload files); Set the environment / Update signatures; Malicious? (No: Conclude as clean. Yes: Take signature for file); Review the signature; False-positive check; Scan with updated signature; Approved: Update the signature in client's database; Not approved: back to review.]

we can help

- Provide protection against the most common malware while striking a balance between security and productivity concerns
- Seamless security enforcement through dynamic and static analysis of malware, including payload and distribution methods, and analysis of APTs and zero-day threats
- Superior detection rates of newly discovered malware ensure a safe and secure environment, through one-to-one checksum-based and generic signatures
- Protect critical assets from cyber threats: IDS and IPS engine log monitoring, analysis and reporting of unusual activities detects and foils attempts by attackers to compromise systems, applications and data
- Minimize false positives and false negatives through an internal clean file database and malware samples
- Increase customer satisfaction and win new business through 24x7, multi-channel support (phone, email and chat)
- Improve enterprise security by preventing users from accessing malicious and unproductive sites through content-based URL categorization, leveraging an existing set of preprocessed URLs
- Ensure proactive compliance with regulations like PCI, HIPAA, HITECH, NERC CIP and FFIEC through vulnerability assessment and patch management

[Figures: Static Analysis; Dynamic Analysis.]
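As an added example (not code from Technosoft or its client), the signature review gate described above modelled in Python: a 1:1 checksum signature and two generic (1:many) signatures are each scanned against constructed malware samples and a constructed clean-file set, and a signature is approved only if it detects every sample it was written for and hits no clean file. The names, byte strings and regex-based "generic" matching are assumptions; the client's real VDL signatures are not modelled.

```python
# Added example: model of the page's signature review gate (replicate -> scan
# -> false-positive check -> approve). Not Technosoft's or the client's code.
import hashlib
import re
from dataclasses import dataclass

@dataclass
class Signature:
    name: str
    kind: str      # "checksum" = 1:1 (one hash, one file); "generic" = 1:many (family)
    pattern: str   # hex SHA-256 for checksum; regex source for generic (assumption)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def matches(sig: Signature, data: bytes) -> bool:
    if sig.kind == "checksum":
        return sha256_hex(data) == sig.pattern
    return re.search(sig.pattern.encode(), data) is not None

def review_signature(sig: Signature, malware_samples: dict, clean_files: dict) -> dict:
    """Approve only if every intended sample is detected AND no clean file is hit.
    Returns the missed samples and the clean-file false positives for the reviewer."""
    missed = sorted(n for n, d in malware_samples.items() if not matches(sig, d))
    false_positives = sorted(n for n, d in clean_files.items() if matches(sig, d))
    return {"approved": not missed and not false_positives,
            "missed": missed, "false_positives": false_positives}

# Constructed corpus: placeholder bytes standing in for PE files, not real malware.
MALWARE = {
    "famx_dropper_v1": b"MZ\x90\x00...FAMX-DROP-0001:connect c2...",
    "famx_dropper_v2": b"MZ\x90\x00...FAMX-DROP-0002:connect c2...",
}
CLEAN = {
    "famx_removal_tool": b"MZ\x90\x00...This tool removes FAMX-DROP infections...",
    "notepad_lookalike": b"MZ\x90\x00...hello world...",
}

# 1:1 checksum signature: no false positives, but it misses the v2 variant.
CRC_SIG = Signature("famx.v1.sha", "checksum", sha256_hex(MALWARE["famx_dropper_v1"]))
# Overbroad generic signature: catches both variants but also the clean removal tool.
BROAD_SIG = Signature("famx.broad", "generic", r"FAMX-DROP")
# Tightened generic signature: numbered marker plus the C2 behaviour string only.
TIGHT_SIG = Signature("famx.generic", "generic", r"FAMX-DROP-\d{4}:connect c2")

if __name__ == "__main__":
    for sig in (CRC_SIG, BROAD_SIG, TIGHT_SIG):
        print(sig.name, review_signature(sig, MALWARE, CLEAN))
```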

About Technosoft

Technosoft Corporation is an IT and BPO services provider with headquarters in Southfield, MI, USA and delivery centers in India. We provide information technology, business process outsourcing and consulting services to companies in North America, Australia and New Zealand, and the Asia-Pacific region. As a privately owned company we answer to only two constituencies: our customers and our employees. Our customers rely on us to provide services and solutions that leverage our industry and domain expertise combined with our technology prowess, delivery focus and quality. Our collaborative culture and work environment help attract and retain exceptional talent, which is a key ingredient of our sustained growth.

To see how Technosoft can go Beyond Possible for your organizational needs, email us at wecanhelp@technosoftcorp.com or visit us at.

Corporate Headquarters: 28411 Northwestern Hwy, Suite 640, Southfield, MI 48034. Tel: (248) 603-2600. Fax: (248) 603-2599.

Copyright 2012, Technosoft. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the express written permission of Technosoft. The information contained herein is subject to change without notice. All other trademarks mentioned herein are the property of their respective owners.