Symantec Security.cloud - Skeptic Whitepaper

Transcription

1 TECHNICAL BRIEF: SYMANTEC SECURITY.CLOUD Symantec Security.cloud - Skeptic Whitepaper Who should read this paper This white paper outlines the technical approach we use to deliver Symantec Security.cloud and protect your business from borne spam, phishing, malware, and targeted attacks without the need for on-premise software or hardware. A working knowledge of and information security principles is recommended.

2

3 Content Overview Global Infrastructure Cloud Security Platform Security Technology and Response Service Administration Industry Leading Service Summary Glossary

4 Overview The need for an effective defense is very real. Due to the prominence and use of in business operations, cyber criminals, spammers, and malware authors continue to focus considerable effort on developing -based forms of attack. In the last few years, these attacks have become more targeted and sophisticated, exhibiting convergence across multiple communication protocols. A common approach is to use to lure users to websites, which install malware that infiltrates corporate networks and steals information. Once data has been extracted, it can be utilized or sold through what has become a very well organized underground economy. Nearly one in 278 s today contains some form of malware threat. 1 Advanced toolsets used by cyber criminals are able to automatically mass-produce malware variants designed to overwhelm and evade traditional signature-based antivirus scanners. Some attackers also use highly targeted approaches that are designed to defeat signature-based systems by flying under the radar. Either way, the battle has reached a point where traditional antivirus signature scanning techniques alone are not enough. Without effective defenses, organizations risk costly business disruption, data leaks, and loss of customer confidence. However, mounting an effective defense can consume scarce resources and expertise. Symantec Security.cloud helps to protect your business from borne malware and does not require on-site hardware or software. Delivered from the cloud, the service is built on excellent customer service and a meaningful service level agreement 2 (SLA) that examines accuracy, effectiveness, and availability. The SLA is underpinned by significant service credits that demonstrate the confidence of Symantec's ability to deliver a robust security service. This white paper outlines the technical approach we use to deliver Symantec Security.cloud and meet our aggressive service level targets. 1- Symantec Intelligence Report, December Service Level Agreement 1

5 Global Infrastructure Symantec Security.cloud service uses infrastructure managed in the cloud designed to block -borne malware threats before they reach your network. The service is delivered through a global infrastructure of highly available data centers located around the world. These data centers are load balanced and housed in highly secure, well-established telecommunications centers located at major Internet exchange points. Redundancy within and across data centers enables us to offer a service level agreement target of 100 percent service uptime. In addition, we aim to run our servers at below capacity, providing ample headroom to handle unexpected spikes in traffic. As of December 2012, Symantec cloud infrastructure processes more than 7 billion s a month on behalf of our customers, ranging from Fortune 500 companies to small businesses. Handling such a large amount of traffic for such a broad range of global customers enables us to identify and block new emerging threats faster. Cloud Security Platform Security service uses a sophisticated multilayer architecture that combines multiple scanning engines. The following techniques are used at the perimeter of our platform to provide a first layer of defense: Traffic Shaping Symantec Traffic Shaper uses techniques that analyze traffic patterns at the TCP/IP protocol level to evaluate potentially malicious IP addresses. IPs that are considered a threat are identified, and the number of connections allowed to the Security infrastructure is reduced. This dramatically shrinks malicious volumes while enabling legitimate to reach its destination. Traffic management technology analyzes IP interaction over a period of time after connection limiting steps are taken. It is known that standard business mail servers have different patterns of connections than those of a Bot that is delivering either malicious code or spam. Taking a holistic approach that goes beyond evaluating current known reputations and includes studying connection patterns over time allows the system to more intelligently determine how many connections should be accepted by the infrastructure. 2

6 SMTP Heuristics Connection management works at the SMTP connection layer using techniques to verify legitimate SMTP conversations. Multiple component technologies are deployed in this layer of the platform to study the methodologies used by different servers connecting to our infrastructure. Using SMTP heuristics and signature components at the connection layer allows for Security to proactively shut down SMTP conversations identified as being illegitimate. Recipient Validation Recipient validation uses address checking to reduce the overall volume of s for registered domains and discards connections for which the recipient addresses are identified as invalid or non-existent. In addition to reducing the volume of illegitimate , this helps to block dictionary attacks against your mail infrastructure. Collectively, traffic shaping, SMTP heuristics, and recipient validation dramatically reduce the volume of mail that hits the scanning layers. This allows us to apply in-depth analysis techniques at the scanning layers without compromising mail delivery times. Spam Scanning The first scanning layer utilizes both dynamic and customer defined block lists to filter out traffic from known bad hosts and other unwanted . Symantec Brightmail Message Filter provides real-time automated spam filtering backed by the Symantec Global Intelligence Network. More than 2.5 million decoy accounts focused on collecting fraud, phishing and spam samples make up part of the Global Intelligence Network known as the probe network. The probe network has a global presence, including targeted deployments for foreign language content, and can gauge global spam and phishing activity. This network gathers more than 30 million probe messages per day. 3

7 Intelligent Data Feeds The Skeptic scanning layer provides further defense against spam, malware, and phishing attacks. Understanding a file's history and reputation goes a long way to determining whether a file should be deemed malicious or not. Symantec Insight is reputation-based security technology that puts files in context, using their age, frequency, location, and more. In-depth heuristic analysis of a file is expensive in terms of time and processing. The most expensive file to scan is one we already know is clean. By leveraging a feed of clean data from Insight, Security customers can take advantage of the intelligence captured from over 210 million systems in over 200 countries. The breadth of Symantec's security expertise and intelligence is highlighted further by the use of data from Norton Safe Web. Safe Web is a reputation service from Symantec that analyzes web sites and their content. Data from Norton Safe Web and other external sources is used to detect and block s containing links to known malicious websites for the purposes of phishing, malware distribution or other malicious activity. Symantec Protection Engine for Cloud Services Symantec Protection Engine for Cloud Services is a fast, scalable, and reliable content scanning engine. It uses patented technology to deliver industry leading malware protection. Security uses a multilayered antivirus architecture that combines Protection Engine for Cloud Services with Skeptic, providing defense in depth and limiting reliance on a single detection method. Skeptic Heuristic Technology Although signature based scanners are effective in some areas, they have limited ability to detect new, unknown virus threats. Security is designed to provide 100 percent protection from known and unknown viruses as defined in the SLA. 3 To help us to achieve our service level target we use predictive heuristic technologies built into a proprietary defense layer called Skeptic. Skeptic employs heuristic technologies to determine if an contains any components of malicious code. For example, Skeptic uses structure analysis to examine headers and attachments. Skeptic then runs complex deep analysis scans within s and attachments to find out more information. Skeptic also performs advanced code analysis, which operates on findings showing that malware writers reuse portions of their own code across new and different malware. Skeptic uses multiple patented technologies and thousands of rules to analyze and detect unknown threats. Unlike commercial antivirus scanning engines, Skeptic cannot be downloaded and tested by cyber criminals. A few of the techniques deployed by Skeptic to detect threats in communications include: Link following technology evaluates URL links in s to test if they point to malicious websites. Links potentially differ from conventional virus threats in that the URL itself does not contain malicious code but instead the http page that the URL directs users to contains malicious payload. Sandbox techniques in both full and partial forms are used to detect malware that exhibits easily detectable destructive behavior. Code analysis techniques are used to detect malware that is trying to evade sandboxing or which is trying to obscure itself. Reverse virus scanning allows new file-infecting viruses to be identified by detecting changes of formerly known good files. Symantec maintains a database of known good software, such as Windows executables and other popular software, which allows positive identification of good files and reduces virus false positives

8 File recognizers use Symantec s own large library of recognizers for known good variable software. Examples include self-extracting zip files, self-extracting PGP encrypted files, flash files, etc. These files vary each time because they carry data that can change. Our service examines and compares files to the known valid versions of these files in order to reduce false positives and aid in the identification of new fileinfecting viruses. Historical recognition uses Symantec s historical attachments data. Our data (which spans over 12 years), allows us to compute the probability of a file being clean based on the length of time it has been in circulation without ever being marked as malicious by antivirus software. Statistical analysis techniques detect malware trying to hide using new compression or encoding techniques. Data file fingerprinting is used to recognize when a data file looks suspicious. This is accomplished using a combination of several techniques. These types of files are often targeted trojan viruses which are designed for industrial or state-sponsored espionage. Malformed recognition is performed to detect deliberately malformed s. These s are used by malware creators to bypass scanners using an that the scanner will usually not recognize as having a valid attachment. Skeptic decodes these and scans resulting attachments. Skeptic uses scalable server arrays managed in the cloud to perform heuristic analysis techniques on over 7 billion s each month. The more traffic it scans, the smarter it gets. Policy Control Point Symantec Content Control.cloud and Symantec Image Control.cloud service add-ons can be enabled to automatically scan all incoming and outgoing and attachments to identify and control confidential, malicious, or inappropriate content and images. The Image Control service add-on incorporates sophisticated Image Composition Analysis (ICA) technology. Particularly well suited to the accurate detection of pornographic images, ICA applies a comprehensive range of image-filtering algorithmic techniques, including facial recognition, body positioning analysis, texture analysis, and flesh tone analysis. ICA results are fed through a sophisticated scoring system which allows the overall acceptability of an image to be determined. Security Technology and Response Security.cloud leverages protection technologies developed by the Symantec Security Technology and Response (STAR) team. STAR is a worldwide team of security engineers, threat analysts, and researchers that provide the underlying functionality, content, and support for all Symantec corporate and consumer security products. With eleven global response centers located throughout the world, STAR leverages the vast intelligence of the Global Intelligence Network (the technology backbone of Security Response) to develop and deliver the world's most comprehensive security protection. The team provides an additional layer of protection for all Security customers by examining proactive alerts generated by Skeptic. Looking at content and traffic patterns, Skeptic can proactively alert our security research and response teams about suspicious messages or unusual trends occurring in one or many of our customers. These types of messages would not ordinarily trigger a reaction from signature based scanning technology and could represent an entirely new threat or targeted attack that needs response. 5

9 The value of a human team behind any security service should not be underestimated. The STAR team has the added advantage of using data gathered from multiple products and services across the Symantec portfolio to investigate and feed security intelligence ensuring our customers get a high performing, robust security service. Service Administration Administration is performed on the Symantec.cloud management portal. A single administrative logon can be used to manage multiple Symantec cloud services, including Symantec Web Security.cloud and Symantec Instant Messaging Security.cloud. When Security intercepts a virus or malware in an , it places the infected into a holding pen, where it is stored for up to 30 days before being deleted. This quarantine period means that the malicious is isolated and cannot infect the intended recipient s computer. Each quarantined is given a unique identifier. This identifier is provided in the alerts that can be issued to administrators and users when an containing a suspect virus is received. Key Reporting Capabilities Dashboard, summary, detailed, and scheduled reporting options are included and configurable to provide visibility, accountability, and confidence in the service s effectiveness and your organizations activity. The key statistics dashboard provides a quick view of the current service performance levels and notable activities such as virus blocks or s that have triggered a policy. Report requests provide a way to get more in-depth reporting, allowing you to customize what metrics and time periods are included. Reports can be executed as a one-off or scheduled to run at regular intervals, with options to deliver via portal or straight to your inbox. My Services is designed to give you an at a glance overview of service activity across multiple Symantec cloud security services. Industry Leading Service Symantec understands that our customers want a high performing security service and excellent customer service backed by a meaningful and comprehensive service level agreement (SLA). Our confidence and our ability to deliver this is demonstrated by our market leader position 4 and our willingness to underpin our SLA with significant service credits. Security service level agreement provides an aggressive set of metrics by which the service is monitored and credit back or other remedies are provided according to the SLA if the following performance targets are not met: AntiVirus Effectiveness 100 percent protection against known and unknown viruses AntiVirus Accuracy - no more than percent false positives AntiSpam Effectiveness 99 percent spam capture (95 percent for with double-byte characters) AntiSpam Accuracy - no more than percent false positives Delivery 100 percent delivery Latency average scanning time within 60 seconds Availability 100 percent service uptime 4- Gartner Magic Quadrant for Secure Gateways Level 6

10 Technical Support - specific response times for critical, major, and minor calls Summary By deploying Symantec Security.cloud you can block virus, malware, spam, phishing, and targeted attacks before they reach your inbox. Security's content and image control services help control the flow of confidential and undesirable material through customer defined policies. Policy based encryption services can also be enabled to help protect confidential information from unauthorized viewers and ensure safe delivery of your most important messages. These services are available in a single integrated management console, simplifying administration while improving your control and visibility into service effectiveness. Begin a free trial of Symantec Security.cloud: 7

11 Glossary

12

13 About Symantec Symantec protects the world s information, and is a global leader in security, backup, and availability solutions. Our innovative products and services protect people and information in any environment from the smallest mobile device, to the enterprise data center, to cloud-based systems. Our worldrenowned expertise in protecting data, identities, and interactions gives our customers confidence in a connected world. More information is available at or by connecting with Symantec at go.symantec.com/socialmedia. For specific country offices and contact numbers, please visit our website. Symantec World Headquarters 350 Ellis St. Mountain View, CA USA +1 (650) (800) Copyright 2013 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 3/