

[UPLOAD]

Strengthening the Defensive Line

4 CIO Digest July 2009

By Stephen Trilling, Senior Vice President Security Technology and Response (STAR)

[ Mi5 Networks Acquisition Rounds Off Security Portfolio ]

With its acquisition of Mi5 Networks, Symantec has expanded its security solutions portfolio for small business and enterprise customers. Mi5’s technology brings a unique approach to Web gateway security, using streaming technology to examine traffic coming into and leaving the enterprise. Integrated into the Symantec Protection Suite, along with Symantec’s industry-leading email and endpoint security solutions, this protects customers against rapidly evolving Web-based malware. And, the multiple layers of protection ensure consistent protection across platforms.

Symantec Protection Suite Small Business Edition protects against vulnerabilities due to system failures, malware, and spam by rapidly recovering client computer systems. For larger IT infrastructures, Symantec Protection Suite Enterprise Edition includes Symantec’s endpoint security, messaging security, and endpoint recovery technologies. Find out more at go.symantec.com/mi5.

> Continued on page 5

SYMANTEC CHRONICLES

SECURITY TECHNOLOGY AND RESPONSE

Symantec’s new BASH technology catches threats that evade signature scanning and heuristic detection with process-based behavioral blocking.

We’ve discussed behavioral detection before; however, there are two good reasons to revisit the topic. First, there has been a recent explosion in the number of new security threats, making this technology increasingly important. Second, Symantec’s latest version of our behavioral technology, code-named “BASH”—Behavioral Analysis and System Heuristics—is taking behavioral protection software to a new level.

A quick review for those who may have missed my previous columns. As sophisticated, polymorphic threats emerge and evolve, they have the potential to escape detection by traditional signature scanning and even static heuristic methods. And as the last line of defense, behavioral protection stops malware that has bypassed these layers of protection and is actively running and performing suspicious behaviors on the system.

Behavioral protection “convicts” malware based on suspicious behaviors; not simply based on the attributes of the executable file, as with traditional signatures or heuristics. It actively monitors applications for system activities, configuration changes, user interaction, and network communications, deciding whether those behaviors—or combinations thereof—are good or bad.

So what’s new and exciting in the next generation of BASH? The new system uses an artificial intelligence technology called a decision tree to identify suspicious behaviors. This is similar to the approach we’re using in our “MalHeur” heuristic technology. The difference here is that we’re tracking program behaviors rather than the static contents of executable files. This decision tree will allow us to detect and block new threats as they’re running, even more effectively than in the past.

An added benefit is that our new behavioral engine can be updated with “behavioral signatures” that are similar to virus definitions. So, as threats evolve, we can evolve our behavioral protection in concert without requiring deployment of a product update. Also, by using our upcoming reputation-based security technology in conjunction with behavioral protection, we’ll be able to identify malware faster while reducing false positives on legitimate programs.

Our system’s enhanced capabilities are particularly useful in combating a new class of threats. These so-called

Illustration: Michael Morgenstern

The April 2009 Symantec Global Internet Threat Report highlights the extension of a trend in Web-based crimes that Symantec has been following for years. Perpetrators continue to become more sophisticated and focused on financial gain. Many are stealing user data, and then selling that information through the rapidly maturing underground economy.

However, a new twist on the trend emerged this year: Web-based attacks now tend to reach victims by compromising high-traffic, legitimate sites. Rather than directly stealing confidential information from a targeted business, malware is increasingly infecting the machines of visitors to the business’s Web site. Some attacks entice users to click on fraudulent ads or take other action, but many exploit security vulnerabilities in the user’s Web browser, plug-ins, or operating system; a user only needs to visit the compromised site to become a victim.

Perhaps more alarming, many attacks now target medium-severity vulnerabilities in client-side applications, instead of the high-severity vulnerabilities that most organizations and users focus on patching. Comprehensive client-side security solutions are more crucial now than ever before.

[ CRN Recognizes Symantec Sales ]

This year, Symantec has won two CRN best-seller awards, which recognize vendors with the highest sales through distributors. The 2009 Best-Sellers Report reveals that Symantec has 58.8 percent market share in security suites and 58.4 percent market share in storage management software. In addition, Symantec finished second, with 25.9 percent market share, in email security software. View the entire report at go.symantec.com/crn-sales.

[ Symantec-Dell Partnership Yields Smarter Solutions ]

In late March, Dell announced the release of the Dell Management Console (DMC) as part of the Dell 11g server launch. DMC is the new systems management console built on Symantec’s Management Platform that unifies monitoring and management for all Dell servers, storage, and clients through a single browser window. It also unites systems management processes, allowing businesses to save time, money, and resources. Many of Symantec’s products, such as Altiris Client Management Suite and Altiris Server Management Suite, Symantec Endpoint Protection, Symantec Backup Exec, Symantec Backup Exec System Recovery, Symantec Backup Exec Infrastructure >

>> Spam Is Surging

MessageLabs Intelligence attributes the increase to a few key factors. First is the resurgence in image spam, which had faded in popularity last year. To evade spam filters, some attackers are now serving spam .jpg or .gif images via links that appear to redirect from a reputable site. In addition, spam messages have begun to include standard email text, such as list opt-outs and privacy links, in order to appear legitimate and thus avoid getting caught in spam filters.

However, the report does include good news: both email-borne viruses and phishing decreased slightly from March to April. Viruses fell to 1 in every 304.9 emails sent, while phishing attacks fell to 1 in 404.7 emails.

Criminals Go Client-Side

Defensive Line Continued from page 4

non-process threats (NPTs) are very different from traditional stand-alone threats that operate on their own. Rather, NPTs hide themselves within existing legitimate processes—like your word processor or Web browser—popular programs that are well-trusted by users. These threats hide from traditional behavior-blocking technology because they perform malicious actions under the cover of an otherwise trusted application.

Non-process-based threats could very well be the next big challenge for the security industry. Based on our research, they currently account for 10 to 15 percent of malware, but they could become much more prevalent. Our new engine will detect and remove these threats, and block similar threats from hiding inside legitimate processes in the future. Moreover, we’ll be able to author behavioral signatures to lock down legitimate applications and prevent them from becoming unwitting hosts of NPT-based malware.

The new version of BASH will be shipping in Symantec’s 2010 consumer products, branded as SONAR, and in the next release of Symantec Endpoint Protection, branded as TrueScan.
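To make the column’s three ideas concrete, here is a toy behavior engine written for this page (not Symantec’s BASH, SONAR or TrueScan code): it convicts a process on the actions it performs rather than on file attributes, runs a small hand-written decision tree over per-process behavior counts, and applies “behavioral signatures” stored as data, including one that locks down a trusted host application so a non-process threat hiding inside it is caught by what it does. The event schema, the signature format, the action labels and the telemetry are all constructed for the example.

```python
from collections import defaultdict, namedtuple

# One observed action (constructed schema): pid, image name, coarse action label such as
# write_user_file, write_system_file, set_autorun, connect, inject or spawn.
Event = namedtuple("Event", "pid process action")

# Behavioral signatures as data (hypothetical format), updatable like virus definitions
# without shipping engine code. A "lockdown" signature names actions a trusted host has
# no business performing, so a threat hiding inside it is convicted on behavior, not image.
SIGNATURES = [
    {"name": "lockdown-word-processor", "kind": "lockdown",
     "host": "winword.exe", "forbidden": {"set_autorun", "inject", "spawn"}},
    {"name": "dropper-persist", "kind": "sequence",
     "actions": ["write_system_file", "set_autorun"]},
]

def features(events):
    """Count each action kind for one process; the decision tree splits on these counts."""
    f = defaultdict(int)
    for e in events:
        f[e.action] += 1
    return f

def decision_tree(f):
    """Hand-written tree over behavior counts (a production tree would be learned)."""
    if f["inject"]:
        return "malicious", "tree: code injection into another process"
    if f["set_autorun"]:
        if f["connect"] and f["write_system_file"]:
            return "malicious", "tree: persistence + system write + network"
        return "suspicious", "tree: persistence without corroborating behavior"
    if f["connect"] and f["write_system_file"]:
        return "suspicious", "tree: system write + network"
    return "clean", "tree: no suspicious combination"

def match_signatures(process, events):
    """Return evidence strings for every signature the process trips."""
    hits, seen = [], [e.action for e in events]
    for sig in SIGNATURES:
        if sig["kind"] == "lockdown" and process == sig["host"]:
            bad = sorted(set(seen) & sig["forbidden"])
            if bad:
                hits.append(f"{sig['name']}: {process} performed {', '.join(bad)}")
        elif sig["kind"] == "sequence":
            it = iter(seen)  # ordered subsequence match over the action stream
            if all(any(a == want for a in it) for want in sig["actions"]):
                hits.append(f"{sig['name']}: observed {' -> '.join(sig['actions'])}")
    return hits

def evaluate(events):
    """Group events by pid; return {pid: (process, decision, reasons)}."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e.pid].append(e)
    verdicts = {}
    for pid, evs in by_pid.items():
        process = evs[0].process
        reasons = match_signatures(process, evs)
        decision, why = decision_tree(features(evs))
        if reasons:  # a signature hit overrides a softer tree verdict
            decision = "malicious"
        verdicts[pid] = (process, decision, reasons + [why])
    return verdicts

# Constructed telemetry: a benign editor, a stand-alone dropper, and a word processor
# whose own actions betray a non-process threat hiding inside it.
SAMPLE_EVENTS = [
    Event(100, "editor.exe", "write_user_file"),
    Event(200, "setup.exe", "write_system_file"),
    Event(200, "setup.exe", "set_autorun"),
    Event(200, "setup.exe", "connect"),
    Event(300, "winword.exe", "set_autorun"),
    Event(300, "winword.exe", "connect"),
]
```

Run `evaluate(SAMPLE_EVENTS)`: the tree alone rates the word processor only “suspicious”, and it is the lockdown signature that convicts it, which is the point of authoring such signatures for trusted hosts.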

Symantec Global Internet Threat Report reveals a trend towards sophisticated attacks perpetuated via trusted, legitimate sites.

MessageLabs Intelligence reports that spam has reached its highest levels in two months.

Spam Frequency as a Proportion of All Emails

Global
  April 2009           85.3%
  March 2009           75.7%
  Six-month Average    74.4%

Top Five Countries (April 2009)
  United Kingdom       94.0%
  China                90.3%
  Hong Kong            89.9%
  India                87.9%
  Australia            87.8%

For more information, visit www.messagelabs.com/intelligence. Source: Symantec Corporation

symantec.com/ciodigest 5

6 CIO Digest July 2009

Manager, Veritas Configuration Manager, and Symantec Data Loss Prevention, will simply “snap in” to the platform. DMC will ship with every Dell server. Dell’s previous management console, IT Assistant, shipped with over 2,500,000 servers worldwide last year. To learn more, visit go.symantec.com/dmc.

[ Symantec Leads Storage Software Market ]

According to the IDC Worldwide Quarterly Storage Software Tracker, March 2009, Symantec expanded its leadership in the overall storage software market. Results indicate that while other vendors either lost market share or made only a slight gain in 2008, Symantec captured 18.2 percent of the overall storage software market, up significantly from 2007. This growth outpaces the market, which saw a 15.1 percent year-over-year revenue growth, and all competitors.

Symantec also remains the market share leader in key IDC storage software categories, including data protection and recovery software, with 33.8 percent revenue share in 2008 as calculated by IDC—nearly three times that of its next-largest competitor; storage infrastructure software, with 28.3 percent revenue share; and file system software, with 51.6 percent—more than five times the next-largest competitor. To review the IDC report, visit go.symantec.com/idc-market-share.

[UPLOAD]


Online activity is part of everyday life for children. However, the wonders and power of the Internet are not without their challenges—and dangers. In fact, today’s parents rate Internet dangers higher than drugs on their list of concerns. According to a recent Norton Online Living Report, a clear majority of parents are concerned their children may be exposed to Internet dangers, including online predators, cyberbullies, and inappropriate material.1

So what’s a parent to do? “Most of us recognize that the computer and the Internet are integral to our lives,” says Marian Merritt, Symantec’s Internet Safety Advocate. “Even teachers have Web sites for homework, which they expect students to access. Further, it’s commonplace for kids to use email and instant messaging to communicate with each other. Internet technologies are an inevitable part of our children’s lives, and we simply must figure out how to keep it safe for our children.”

Seeking to address this issue, Symantec’s OnlineFamily.Norton lets parents monitor their children’s online lives by:

> Showing what their children do online
> Allowing parents to set age-appropriate rules for every child in their family
> Helping parents to talk to their children about safe behavior online

No substitute for “The Talk”

While OnlineFamily.Norton gives parents the tools to manage their children’s online activity, Merritt emphasizes there is no substitute for good parent involvement in a child’s life.

“We really encourage parents to engage in something called ‘The Talk,’” Merritt says. “And it’s not the old fashioned birds and bees talk, which they also need to have with their children. We call this talk ‘the bits and bytes talk.’ We want parents to recognize that technology and the Internet are a big part of their kids’ lives.” Merritt recommends that parents talk to their children about what they’re experiencing on the Internet—and to do so in a non-confrontational way that allows their children to feel comfortable about sharing all of their online experiences.

“If a child bumps into pornography while downloading a screensaver and was upset by what he saw, hopefully he won’t hide that experience,” Merritt says. “That’s a great opportunity for a parent to talk about it and help the child deal with it.”

A multi-pronged approach

Merritt encourages parents to take a multi-pronged approach to protect their children from online threats. First, she indicates they must use Internet security software and, just as importantly, keep it up to date. “Parents must keep operating systems, browsers, and applications patched and secure,” Merritt says. Second, she recommends that parents leverage a service like OnlineFamily.Norton as a backup when they aren’t in the room. Finally, parents need to partner with their children and maintain an ongoing conversation with them about their online experiences.

Despite the “bad things” on the Internet, Merritt emphasizes there are a lot more good things. “It’s important that we as parents set a good example for our children in how we approach the Internet,” she says.

1 “Norton Online Living Report,” Symantec Corporation, March 2009.

Instilling Internet Confidence for Parents and Their Children

By Brian Heckert

Brian Heckert is the manager of content development and editing at Symantec and a managing editor for CIO Digest.

Podcast: Check out the podcast interview with Marian Merritt at go.symantec.com/merritt

symantec.com/ciodigest 7

THE CIO DIGEST Social Network

> CIO Digest Now Available on the Amazon Kindle
Consume CIO Digest content at your leisure on your Amazon Kindle. The current issue is available at go.symantec.com/cio-digest-kindle.

> CIO Digest Editor-in-Chief Blog
Get insights and highlights of new content, and interact with the CIO Digest editorial team. Check out the editor-in-chief blog at go.symantec.com/cio-digest-blog.

> CIO Digest Facebook Page
Readers with Facebook accounts can now connect and share ideas with the CIO Digest editorial team, receive notification of each new issue release, and more. Sign up as a Facebook friend of CIO Digest today at go.symantec.com/ciodigest_facebook.

> CIO Digest Wikipedia Entry
CIO Digest joined “The Wikipedia Revolution” earlier this year. Check us out at http://en.wikipedia.org/wiki/CIO_Digest.

> Twitter
Tweeting on everything from new CIO Digest articles, research reports, podcasts, webcasts, white papers, customer successes, user groups, and more, the Symantec Publishing Twitter keeps Symantec customers and partners up to date. Follow the tweets at http://twitter.com/SymPublishing.

> LinkedIn
Exchange tips and strategies with peers by joining the CIO Digest group on LinkedIn.com at go.symantec.com/ciodigest_linkedin.

[ Go-to-Portal for CIOs ]

This new online resource from Symantec is designed to give time-strapped CIOs easy access to a wide spectrum of information on IT security-related trends, challenges, and solutions. Industry Perspectives examines industry trends through research reports and white papers. Peer Insights presents a close look at the experiences of other executives in addressing security needs. Monthly podcasts, videocasts, and interactive blogs will enable visitors to engage in an online conversation with senior Symantec leaders and seek answers for their top-of-mind issues. Check it out at go.symantec.com/cxo.

[ Soccer on Alert ]

Symantec is warning South Africans to be vigilant in thwarting online attacks in the run-up to the 2010 Soccer World Cup Tournament. The company anticipates that criminals will seek personal information on prospective attendees through spam that falsely advertises products, such as tickets to the event, and by attacking legitimate sites related to the World Cup. Organizations that will sell World Cup-related products or services need to take measures now to safeguard their Web sites and protect any customer information that they collect online. To learn more, visit go.symantec.com/soccer.

© 2009 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

SYMANTEC IS DATA LOSS PREVENTION.

Keep your confidential data confidential. Symantec can discover, monitor, and protect your sensitive data wherever it is stored or used. Protect the privacy of your company’s intellectual property and customer data. So your confidential data will never be compromised. Get your Data Loss Prevention info kit at go.symantec.com/dlp

8 CIO Digest July 2009

The New School of Information Security aims to take a fresh look at information security, identifying what the authors consider to be endemic, long-standing problems in the field and proposing different ways of thinking that can help address some of those concerns. Ultimately, the New School boils down to two broad tenets for making security decisions: (1) Leveraging meaningful security metrics, and (2) considering security from a holistic angle, covering not only technology but also the broader psychological and economic factors.

These tenets are not entirely new. In particular, there are a number of well-written texts on security metrics collection and visualization, such as Andrew Jaquith’s well-known book, Security Metrics: Replacing Fear, Uncertainty, and Doubt, and Raffael Marty’s Applied Security Visualization. In the area of a more holistic view of security, much has already been written about the economics of information security, though many of these references are in the form of academic research papers. Indeed, both Bruce Schneier and Ross Anderson have already written books that contain discussions of practical security engineering and decision making.

In some cases, the process of trying to tie the book’s contents back to the original themes of the New School seemed a little forced. The book actually reads more like a collection of advanced insights on information security taken from two well-known practitioners.

One advantage of The New School of Information Security is that it can be readily digested by a broad audience relatively quickly. In the process, many readers will encounter ideas with which they are not familiar. For example, the material on cognitive biases in human decision making can allow the security practitioner to make more informed decisions. Naturally, any book aimed at a broad audience is bound to contain some generalizations that are questionable. For example, the authors speak pejoratively about compliance measures—because it is possible to be compliant without necessarily being secure. While not every aspect of the book resonated with me, it is definitely worth perusing, especially as a precursor to more advanced treatments of these topics.

Zulfikar Ramzan (Ph.D.) is technical director and architect with Symantec’s Security Technology and Response group and co-author of Crimeware: Understanding New Attacks and Defenses.

Adam Shostack and Andrew Stewart, The New School of Information Security (Boston: Addison-Wesley Professional, 2008).

ISBN: 978-0-3215-0278-0
Price: $29.99

[BOOK REVIEWS]

Security Risk Management Body of Knowledge was originally intended to be a short reference manual on enterprise security risk management, but the authors realized that there was a major gap in the industry with no agreed body of knowledge for security practitioners to reference. The book redresses that balance by providing a unified framework across all elements of security, including information, physical, and personnel security. However, it achieves so much more than this.

The authors provide a very clear overview of the changing security risk management environment and the move in the traditional view from “guns, guards, and gates” to the concept of “providing resilience.” There is good coverage of the history of security and risk management through current trends and influences on security risk management, including the uncertainties of globalization and terrorism. The book also contains one of the best explanations of security governance and how a good governance framework can help maximize a company’s security.

Talbot and Jakeman cover all the elements of managing security risk that need to be considered by a security practitioner or organization. And it is not just information technology risk, which is only a small part of security risk management. The authors’ framework also covers physical security, personnel, operations, and information risks. The authors effectively employ figures and diagrams too.

Security Risk Management Body of Knowledge achieves its authors’ aim admirably by providing a framework with suggested methods of integration into security management that security practitioners can discuss and develop. The first few chapters also serve as a very good introduction to the principles of security risk management for those who are new to the subject.

Sian John is a distinguished engineer at Symantec.

Julian Talbot and Miles Jakeman, Security Risk Management Body of Knowledge (Hoboken, NJ: Wiley, 2009).

ISBN: 978-0-4704-5462-6
Price: $85.00