Strengthening the Defensive Line
4 CIO Digest July 2009
By Stephen Trilling, Senior Vice President Security Technology and Response (STAR)
[ Mi5 Networks Acquisition Rounds Off Security Portfolio ]
With its acquisition of Mi5 Networks, Symantec has expanded its security solutions portfolio for small business and enterprise customers. Mi5’s technology brings a unique approach to Web gateway security, using streaming technology to examine traffic coming into and leaving the enterprise. Integrated into the Symantec Protection Suite, along with Symantec’s industry-leading email and endpoint security solutions, this protects customers against rapidly evolving Web-based malware. And, the multiple layers of protection ensure consistent protection across platforms.
Symantec Protection Suite Small Business Edition protects against vulnerabilities due to system failures, malware, and spam by rapidly recovering client computer systems. For larger IT infrastructures, Symantec Protection Suite Enterprise Edition includes Symantec’s endpoint security, messaging security, and endpoint recovery technologies. Find out more at go.symantec.com/mi5.
>Continued on page 5
SYMANTEC CHRONICLES
SECURITY TECHNOLOGY AND RESPONSE
Symantec’s new BASH technology catches threats that evade signature scanning and heuristic detection with process-based behavioral blocking.
We’ve discussed behavioral detection before; however, there are two good reasons to revisit the topic. First, there has been a recent explosion in the number of new security threats, making this technology increasingly important. Second, the latest version of Symantec’s behavioral technology, code-named “BASH” (Behavioral Analysis and System Heuristics), is taking behavioral protection software to a new level.
A quick review for those who may have missed my previous columns. As sophisticated, polymorphic threats emerge and evolve, they have the potential to escape detection by traditional signature scanning and even static heuristic methods. And as the last line of defense, behavioral protection stops malware that has bypassed these layers of protection and is actively running and performing suspicious behaviors on the system.
Behavioral protection “convicts” malware based on suspicious behaviors, not simply on the attributes of the executable file, as with traditional signatures or heuristics. It actively monitors applications for system activities, configuration changes, user interaction, and network communications, deciding whether those behaviors, or combinations thereof, are good or bad.
So what’s new and exciting in the next generation of BASH? The new system uses an artificial intelligence technology called a decision tree to identify suspicious behaviors. This is similar to the approach we’re using in our “MalHeur” heuristic technology. The difference here is that we’re tracking program behaviors rather than the static contents of executable files. This decision tree will allow us to detect and block new threats as they’re running, even more effectively than in the past.
An added benefit is that our new behavioral engine can be updated with “behavioral signatures” that are similar to virus definitions. So, as threats evolve, we can evolve our behavioral protection in concert without requiring deployment of a product update. Also, by using our upcoming reputation-based security technology in conjunction with behavioral protection, we’ll be able to identify malware faster while reducing false positives on legitimate programs.
Our system’s enhanced capabilities are particularly useful in combating a new class of threats. These so-called
MICHAEL MORGENSTERN
The April 2009 Symantec Global Internet Threat Report highlights the extension of a trend in Web-based crimes that Symantec has been following for years. Perpetrators continue to become more sophisticated and focused on financial gain. Many are stealing user data, and then selling that information through the rapidly maturing underground economy.
However, a new twist on the trend emerged this year: Web-based attacks now tend to reach victims by compromising high-traffic, legitimate sites. Rather than directly stealing confidential information from a targeted business, malware is increasingly infecting the machines of visitors to the business’s Web site. Some attacks entice users to click on fraudulent ads or take other action, but many exploit security vulnerabilities in the user’s Web browser, plug-ins, or operating system; a user only needs to visit the compromised site to become a victim.
Perhaps more alarming, many attacks now target medium-severity vulnerabilities in client-side applications, instead of the high-severity vulnerabilities that most organizations and users focus on patching. Comprehensive client-side security solutions are more crucial now than ever before.
[ CRN Recognizes Symantec Sales ]
This year, Symantec has won two CRN best-seller awards, which recognize vendors with the highest sales through distributors. The 2009 Best-Sellers Report reveals that Symantec has 58.8 percent market share in security suites and 58.4 percent market share in storage management software. In addition, Symantec finished second, with 25.9 percent market share, in email security software. View the entire report at go.symantec.com/crn-sales.
[ Symantec-Dell Partnership Yields Smarter Solutions ]
In late March, Dell announced the release of the Dell Management Console (DMC) as part of the Dell 11g server launch. DMC is the new systems management console built on Symantec’s Management Platform that unifies monitoring and management for all Dell servers, storage, and clients through a single browser window. It also unites systems management processes, allowing businesses to save time, money, and resources.
Many of Symantec’s products, such as Altiris Client Management Suite and Altiris Server Management Suite, Symantec Endpoint Protection, Symantec Backup Exec, Symantec Backup Exec System Recovery, Symantec Backup Exec Infrastructure
>> Spam Is Surging
MessageLabs Intelligence attributes the increase to a few key factors. First is the resurgence in image spam, which had faded in popularity last year. To evade spam filters, some attackers are now serving spam .jpg or .gif images via links that appear to redirect from a reputable site. In addition, spam messages have begun to include standard email text, such as list opt-outs and privacy links, in order to appear legitimate and thus avoid getting caught in spam filters.
However, the report does include good news: both email-borne viruses and phishing decreased slightly from March to April. Viruses fell to 1 in every 304.9 emails sent, while phishing attacks fell to 1 in 404.7 emails.
Criminals Go Client-Side
Defensive Line Continued from page 4
non-process threats (NPTs) are very different from traditional stand-alone threats that operate on their own. Rather, NPTs hide themselves within existing legitimate processes, like your word processor or Web browser: popular programs that are well trusted by users. These threats hide from traditional behavior-blocking technology because they perform malicious actions under the cover of an otherwise trusted application.
Non-process-based threats could very well be the next big challenge for the security industry. Based on our research, they currently account for 10 to 15 percent of malware, but they could become much more prevalent. Our new engine will detect and remove these threats, and block similar threats from hiding inside legitimate processes in the future. Moreover, we’ll be able to author behavioral signatures to lock down legitimate applications and prevent them from becoming unwitting hosts of NPT-based malware.
The new version of BASH will be shipping in Symantec’s 2010 consumer products, branded as SONAR, and in the next release of Symantec Endpoint Protection, branded as TrueScan.
Symantec Global Internet Threat Report reveals a trend towards sophisticated attacks perpetuated via trusted, legitimate sites.
MessageLabs Intelligence reports that spam has reached its highest levels in two months.
Spam Frequency as a Proportion of All Emails

Global
April 2009: 85.3%
March 2009: 75.7%
Six-month Average: 74.4%

Top Five Countries (April 2009)
United Kingdom: 94.0%
China: 90.3%
Hong Kong: 89.9%
India: 87.9%
Australia: 87.8%

Source: Symantec Corporation
For more information, visit www.messagelabs.com/intelligence.
symantec.com/ciodigest 5
Manager, Veritas Configuration Manager, and Symantec Data Loss Prevention, will simply “snap in” to the platform.
DMC will ship with every Dell server. Dell’s previous management console, IT Assistant, shipped with over 2,500,000 servers worldwide last year. To learn more, visit go.symantec.com/dmc.
[ Symantec Leads Storage Software Market ]
According to the IDC Worldwide Quarterly Storage Software Tracker, March 2009, Symantec expanded its leadership in the overall storage software market. Results indicate that while other vendors either lost market share or made only a slight gain in 2008, Symantec captured 18.2 percent of the overall storage software market, up significantly from 2007. This growth outpaces the market, which saw a 15.1 percent year-over-year revenue growth, and all competitors.
Symantec also remains the market share leader in key IDC storage software categories, including data protection and recovery software, with 33.8 percent revenue share in 2008 as calculated by IDC, nearly three times that of its next-largest competitor; storage infrastructure software, with 28.3 percent revenue share; and file system software, with 51.6 percent, more than five times the next-largest competitor. To review the IDC report, visit go.symantec.com/idc-market-share.
Online activity is part of everyday life for children. However, the wonders and power of the Internet are not without their challenges and dangers. In fact, today’s parents rate Internet dangers higher than drugs on their list of concerns. According to a recent Norton Online Living Report, a clear majority of parents are concerned their children may be exposed to Internet dangers, including online predators, cyberbullies, and inappropriate material.1
So what’s a parent to do?
“Most of us recognize that the computer and the Internet are integral to our lives,” says Marian Merritt, Symantec’s Internet Safety Advocate. “Even teachers have Web sites for homework, which they expect students to access. Further, it’s commonplace for kids to use email and instant messaging to communicate with each other. Internet technologies are an inevitable part of our children’s lives, and we simply must figure out how to keep it safe for our children.”
Seeking to address this issue, Symantec’s OnlineFamily.Norton lets parents monitor their children’s online lives by:
> Showing what their children do online
> Allowing parents to set age-appropriate rules for every child in their family
> Helping parents to talk to their children about safe behavior online
No substitute for “The Talk”
While OnlineFamily.Norton gives parents the tools to manage their children’s online activity, Merritt emphasizes there is no substitute for good parent involvement in a child’s life.
“We really encourage parents to engage in something called ‘The Talk,’” Merritt says. “And it’s not the old fashioned birds and bees talk, which they also need to have with their children. We call this talk ‘the bits and bytes talk.’ We want parents to recognize that technology and the Internet are a big part of their kids’ lives.” Merritt recommends that parents talk to their children about what they’re experiencing on the Internet, and to do so in a non-confrontational way that allows their children to feel comfortable about sharing all of their online experiences.
“If a child bumps into pornography while downloading a screensaver and was upset by what he saw, hopefully he won’t hide that experience,” Merritt says. “That’s a great opportunity for a parent to talk about it and help the child deal with it.”
A multi-pronged approach
Merritt encourages parents to take a multi-pronged approach to protect their children from online threats. First, she indicates they must use Internet security software and, just as importantly, keep it up to date. “Parents must keep operating systems, browsers, and applications patched and secure,” Merritt says. Second, she recommends that parents leverage a service like OnlineFamily.Norton as a backup when they aren’t in the room. Finally, parents need to partner with their children and maintain an ongoing conversation with them about their online experiences.
Despite the “bad things” on the Internet, Merritt emphasizes there are a lot more good things. “It’s important that we as parents set a good example for our children in how we approach the Internet,” she says.
1 “Norton Online Living Report,” Symantec Corporation, March 2009.
Brian Heckert is the manager of content development and editing at Symantec and a managing editor for CIO Digest.
By Brian Heckert
Check out the podcast interview with Marian Merritt at go.symantec.com/merritt
Podcast
Instilling Internet Confidence for Parents and Their Children
THE CIO DIGEST Social Network
> CIO Digest Now Available on the Amazon Kindle
Consume CIO Digest content at your leisure on your Amazon Kindle. The current issue is available at go.symantec.com/cio-digest-kindle.
> CIO Digest Editor-in-Chief Blog
Get insights and highlights of new content, and interact with the CIO Digest editorial team. Check out the editor-in-chief blog at go.symantec.com/cio-digest-blog.
> CIO Digest Facebook Page
Readers with Facebook accounts can now connect and share ideas with the CIO Digest editorial team, receive notification of each new issue release, and more. Sign up as a Facebook friend of CIO Digest today at go.symantec.com/ciodigest_facebook.
> CIO Digest Wikipedia Entry
CIO Digest joined “The Wikipedia Revolution” earlier this year. Check us out at http://en.wikipedia.org/wiki/CIO_Digest.
> Twitter
Tweeting on everything from new CIO Digest articles, research reports, podcasts, webcasts, white papers, customer successes, user groups, and more, the Symantec Publishing Twitter keeps Symantec customers and partners up to date. Follow the tweets at http://twitter.com/SymPublishing.
> LinkedIn
Exchange tips and strategies with peers by joining the CIO Digest group on LinkedIn.com at go.symantec.com/ciodigest_linkedin.
[ Go-to-Portal for CIOs ]
This new online resource from Symantec is designed to give time-strapped CIOs easy access to a wide spectrum of information on IT security-related trends, challenges, and solutions. Industry Perspectives examines industry trends through research reports and white papers. Peer Insights presents a close look at the experiences of other executives in addressing security needs. Monthly podcasts, videocasts, and interactive blogs will enable visitors to engage in an online conversation with senior Symantec leaders and seek answers for their top-of-mind issues. Check it out at go.symantec.com/cxo.
[ Soccer on Alert ]
Symantec is warning South Africans to be vigilant in thwarting online attacks in the run-up to the 2010 Soccer World Cup Tournament. The company anticipates that criminals will seek personal information on prospective attendees through spam that falsely advertises products, such as tickets to the event, and by attacking legitimate sites related to the World Cup. Organizations that will sell World Cup-related products or services need to take measures now to safeguard their Web sites and protect any customer information that they collect online. To learn more, visit go.symantec.com/soccer.
© 2009 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
The New School of Information Security aims to take a fresh look at information security, identifying what the authors consider to be endemic, long-standing problems in the field and proposing different ways of thinking that can help address some of those concerns. Ultimately, the New School boils down to two broad tenets for making security decisions: (1) Leveraging meaningful security metrics, and (2) considering security from a holistic angle, covering not only technology but also the broader psychological and economic factors.
These tenets are not entirely new. In particular, there are a number of well-written texts on security metrics collection and visualization, such as Andrew Jaquith’s well-known book, Security Metrics: Replacing Fear, Uncertainty, and Doubt, and Raffael Marty’s Applied Security Visualization. In the area of a more holistic view of security, much has already been written about the economics of information security, though many of these references are in the form of academic research papers. Indeed, both Bruce Schneier and Ross Anderson have already written books that contain discussions of practical security engineering and decision making.
In some cases, the process of trying to tie the book’s contents back to the original themes of the New School seemed a little forced. The book actually reads more like a collection of advanced insights on information security taken from two well-known practitioners.
One advantage of The New School of Information Security is that it can be readily digested by a broad audience relatively quickly. In the process, many readers will encounter ideas with which they are not familiar. For example, the material on cognitive biases in human decision making can allow the security practitioner to make more informed decisions. Naturally, any book aimed at a broad audience is bound to contain some generalizations that are questionable. For example, the authors speak pejoratively about compliance measures, because it is possible to be compliant without necessarily being secure. While not every aspect of the book resonated with me, it is definitely worth perusing, especially as a precursor to more advanced treatments of these topics.
Zulfikar Ramzan (Ph.D.) is technical director and architect with Symantec’s Security Technology and Response group and co-author of Crimeware: Understanding New Attacks and Defenses.
Adam Shostack and Andrew Stewart, The New School of Information Security (Boston: Addison-Wesley Professional, 2008).
ISBN: 978-0-3215-0278-0
Price: $29.99
[BOOK REVIEWS]
Security Risk Management Body of Knowledge was originally intended to be a short reference manual on enterprise security risk management, but the authors realized that there was a major gap in the industry with no agreed body of knowledge for security practitioners to reference. The book redresses that balance by providing a unified framework across all elements of security, including information, physical, and personnel security. However, it achieves so much more than this.
The authors provide a very clear overview of the changing security risk management environment and the move in the traditional view from “guns, guards, and gates” to the concept of “providing resilience.” There is good coverage of the history of security and risk management through current trends and influences on security risk management, including the uncertainties of globalization and terrorism. The book also contains one of the best explanations of security governance and how a good governance framework can help maximize a company’s security.
Talbot and Jakeman cover all the elements of managing security risk that need to be considered by a security practitioner or organization. And it is not just information technology risk, which is only a small part of security risk management. The authors’ framework also covers physical security, personnel, operations, and information risks. The authors effectively employ figures and diagrams too.
Security Risk Management Body of Knowledge achieves its authors’ aim admirably by providing a framework with suggested methods of integration into security management that security practitioners can discuss and develop. The first few chapters also serve as a very good introduction to the principles of security risk management for those who are new to the subject.
Sian John is a distinguished engineer at Symantec.
Julian Talbot and Miles Jakeman, Security Risk Management Body of Knowledge (Hoboken, NJ: Wiley, 2009).
ISBN: 978-0-4704-5462-6
Price: $85.00