Symantec Email Security.cloud - Skeptic Whitepaper


Technical Brief: Symantec Email Security.cloud

Who should read this paper

This white paper outlines the technical approach we use to deliver Symantec Email Security.cloud and protect your business from email-borne spam, phishing, malware, and targeted attacks without the need for on-premise software or hardware. A working knowledge of email and information security principles is recommended.

Content

Overview
Global Infrastructure
Cloud Security Platform
Security Technology and Response
Service Administration
Industry Leading Service
Summary
Glossary

Overview

The need for an effective email defense is very real. Due to the prominence and use of email in business operations, cyber criminals, spammers, and malware authors continue to focus considerable effort on developing email-based forms of attack. In the last few years, these attacks have become more targeted and sophisticated, exhibiting convergence across multiple communication protocols. A common approach is to use email to lure users to websites, which install malware that infiltrates corporate networks and steals information. Once data has been extracted, it can be utilized or sold through what has become a very well organized underground economy. Nearly one in 278 emails today contains some form of malware threat.[1]

Advanced toolsets used by cyber criminals are able to automatically mass-produce malware variants designed to overwhelm and evade traditional signature-based antivirus scanners. Some attackers also use highly targeted approaches that are designed to defeat signature-based systems by flying under the radar. Either way, the battle has reached a point where traditional antivirus signature scanning techniques alone are not enough. Without effective defenses, organizations risk costly business disruption, data leaks, and loss of customer confidence. However, mounting an effective defense can consume scarce resources and expertise.

Symantec Email Security.cloud helps to protect your business from email-borne malware and does not require on-site hardware or software. Delivered from the cloud, the service is built on excellent customer service and a meaningful service level agreement (SLA)[2] that examines accuracy, effectiveness, and availability. The SLA is underpinned by significant service credits that demonstrate Symantec's confidence in its ability to deliver a robust email security service. This white paper outlines the technical approach we use to deliver Symantec Email Security.cloud and meet our aggressive service level targets.

[1] Symantec Intelligence Report, December 2012: http://www.symantec.com/content/en/us/enterprise/other_resources/b-intelligence_report_12_2012.en-us.pdf
[2] Service Level Agreement: http://www.symanteccloud.com/documents.aspx

Global Infrastructure

The Symantec Email Security.cloud service uses infrastructure managed in the cloud and designed to block email-borne malware threats before they reach your network. The service is delivered through a global infrastructure of highly available data centers located around the world. These data centers are load balanced and housed in highly secure, well-established telecommunications centers located at major Internet exchange points. Redundancy within and across data centers enables us to offer a service level agreement target of 100 percent service uptime. In addition, we aim to run our email servers below capacity, providing ample headroom to handle unexpected spikes in traffic.

As of December 2012, the Symantec cloud infrastructure processes more than 7 billion emails a month on behalf of our customers, ranging from Fortune 500 companies to small businesses. Handling such a large amount of email traffic for such a broad range of global customers enables us to identify and block new and emerging threats faster.

Cloud Security Platform

The Email Security service uses a sophisticated multilayer architecture that combines multiple scanning engines. The following techniques are used at the perimeter of our platform to provide a first layer of defense:

Traffic Shaping

Symantec Traffic Shaper uses techniques that analyze traffic patterns at the TCP/IP protocol level to evaluate potentially malicious IP addresses. IPs that are considered a threat are identified, and the number of connections they are allowed to make to the Email Security infrastructure is reduced. This dramatically shrinks malicious email volumes while enabling legitimate email to reach its destination. Traffic management technology continues to analyze each IP's interaction over a period of time after connection limiting steps are taken, because standard business mail servers exhibit different connection patterns from those of a bot delivering malicious code or spam. Taking a holistic approach that goes beyond evaluating currently known reputations and includes studying connection patterns over time allows the system to determine more intelligently how many connections the infrastructure should accept.

SMTP Heuristics

Connection management works at the SMTP connection layer, using techniques to verify legitimate SMTP conversations. Multiple component technologies are deployed in this layer of the platform to study the methodologies used by different servers connecting to our infrastructure. Using SMTP heuristics and signature components at the connection layer allows Email Security to proactively shut down SMTP conversations identified as illegitimate.

Recipient Validation

Recipient validation uses email address checking to reduce the overall volume of email for registered domains and discards connections for which the recipient addresses are identified as invalid or non-existent. In addition to reducing the volume of illegitimate email, this helps to block dictionary attacks against your mail infrastructure.

Collectively, traffic shaping, SMTP heuristics, and recipient validation dramatically reduce the volume of mail that reaches the scanning layers. This allows us to apply in-depth analysis techniques at the scanning layers without compromising mail delivery times.

Spam Scanning

The first scanning layer utilizes both dynamic and customer-defined block lists to filter out traffic from known bad hosts and other unwanted email. Symantec Brightmail Message Filter provides real-time automated spam filtering backed by the Symantec Global Intelligence Network. More than 2.5 million decoy email accounts focused on collecting fraud, phishing, and spam samples make up the part of the Global Intelligence Network known as the probe network. The probe network has a global presence, including targeted deployments for foreign language content, and can gauge global spam and phishing activity. This network gathers more than 30 million probe messages per day.
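The perimeter layers described above (connection limiting driven by a source's observed behaviour over time, and recipient validation that drops sessions probing for non-existent users) can be modelled in a few dozen lines. The following Python is an added illustration, not Symantec's code; the recipient directory, the thresholds and the two traffic sources are constructed for the demo.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed directory of valid recipients for a registered domain.
VALID_RECIPIENTS = {"alice@example.com", "bob@example.com", "sales@example.com"}

# Constructed thresholds; a production service derives these from traffic history.
WINDOW_SECONDS = 60
LIMIT_NORMAL = 10             # sessions per window for a source with a clean history
LIMIT_SUSPECT = 2             # reduced limit once a source behaves like a bot
INVALID_RCPT_PER_SESSION = 3  # unknown recipients before the session is dropped


@dataclass
class SourceHistory:
    """What the perimeter remembers about one connecting IP over time."""
    sessions: int = 0
    dropped: int = 0
    invalid_rcpt: int = 0
    recent: deque = field(default_factory=deque)  # timestamps of recent sessions


class Perimeter:
    def __init__(self):
        self.sources = defaultdict(SourceHistory)

    def limit_for(self, ip):
        # Beyond any static reputation, the connection history itself decides:
        # a source whose sessions mostly end in drops, or that keeps asking for
        # users that do not exist, gets fewer connections accepted.
        h = self.sources[ip]
        suspect = h.sessions >= 2 and (
            h.dropped * 2 > h.sessions or h.invalid_rcpt >= INVALID_RCPT_PER_SESSION
        )
        return LIMIT_SUSPECT if suspect else LIMIT_NORMAL

    def admit(self, ip, now):
        """Traffic shaping: accept a new session only if the source is under its limit."""
        h = self.sources[ip]
        while h.recent and now - h.recent[0] >= WINDOW_SECONDS:
            h.recent.popleft()
        if len(h.recent) >= self.limit_for(ip):
            return False
        h.recent.append(now)
        h.sessions += 1
        return True

    def session(self, ip, now, recipients):
        """One SMTP session: validate each RCPT TO, drop sessions that probe for users."""
        if not self.admit(ip, now):
            return "throttled", []
        h = self.sources[ip]
        accepted, invalid = [], 0
        for rcpt in recipients:
            if rcpt.lower() in VALID_RECIPIENTS:
                accepted.append(rcpt)
                continue
            invalid += 1
            h.invalid_rcpt += 1
            if invalid >= INVALID_RCPT_PER_SESSION:
                h.dropped += 1
                return "dropped", accepted
        return "ok", accepted


def run_demo():
    """Constructed traffic: a business mail server and a bot guessing addresses."""
    p = Perimeter()
    legit = [p.session("198.51.100.10", t, ["alice@example.com"])[0]
             for t in range(0, 50, 10)]
    bot = [p.session("203.0.113.7", t, [f"user{t}{i}@example.com" for i in range(4)])[0]
           for t in range(0, 60, 5)]
    return legit, bot


if __name__ == "__main__":
    print(run_demo())
```

After two sessions that each hit the invalid-recipient limit, the bot's connection allowance shrinks and its further attempts are throttled before any RCPT TO is even evaluated, while the legitimate server is never affected.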

Intelligent Data Feeds

The Skeptic scanning layer provides further defense against spam, malware, and phishing attacks. Understanding a file's history and reputation goes a long way toward determining whether a file should be deemed malicious. Symantec Insight is a reputation-based security technology that puts files in context using their age, frequency, location, and more. In-depth heuristic analysis of a file is expensive in terms of time and processing, and the most expensive file to scan is one we already know is clean. By leveraging a feed of clean-file data from Insight, Email Security customers can take advantage of the intelligence captured from over 210 million systems in over 200 countries.

The breadth of Symantec's security expertise and intelligence is highlighted further by the use of data from Norton Safe Web, a reputation service from Symantec that analyzes web sites and their content. Data from Norton Safe Web and other external sources is used to detect and block emails containing links to websites known to be used for phishing, malware distribution, or other malicious activity.

Symantec Protection Engine for Cloud Services

Symantec Protection Engine for Cloud Services is a fast, scalable, and reliable content scanning engine. It uses patented technology to deliver industry-leading malware protection. Email Security uses a multilayered antivirus architecture that combines Protection Engine for Cloud Services with Skeptic, providing defense in depth and limiting reliance on any single detection method.

Skeptic Heuristic Technology

Although signature-based scanners are effective in some areas, they have limited ability to detect new, unknown virus threats. Email Security is designed to provide 100 percent protection from known and unknown viruses as defined in the SLA.[3] To help us achieve our service level target, we use predictive heuristic technologies built into a proprietary defense layer called Skeptic.

Skeptic employs heuristic technologies to determine whether an email contains any components of malicious code. For example, Skeptic uses email structure analysis to examine headers and attachments, then runs complex deep analysis scans within emails and attachments to find out more. Skeptic also performs advanced code analysis, which builds on the finding that malware writers reuse portions of their own code across new and different malware. Skeptic uses multiple patented technologies and thousands of rules to analyze and detect unknown threats. Unlike commercial antivirus scanning engines, Skeptic cannot be downloaded and tested by cyber criminals.

A few of the techniques deployed by Skeptic to detect threats in email communications include:

- Link following technology evaluates URL links in emails to test whether they point to malicious websites. Links differ from conventional email virus threats in that the URL itself does not contain malicious code; instead, the web page the URL directs users to carries the malicious payload.
- Sandbox techniques, in both full and partial forms, are used to detect malware that exhibits easily detectable destructive behavior.
- Code analysis techniques are used to detect malware that is trying to evade sandboxing or to obscure itself.
- Reverse virus scanning allows new file-infecting viruses to be identified by detecting changes to formerly known good files. Symantec maintains a database of known good software, such as Windows executables and other popular software, which allows positive identification of good files and reduces virus false positives.
- File recognizers use Symantec's own large library of recognizers for known good variable software. Examples include self-extracting zip files, self-extracting PGP encrypted files, flash files, etc. These files vary each time because they carry data that can change. Our service examines and compares files to the known valid versions of these files in order to reduce false positives and aid in the identification of new file-infecting viruses.
- Historical recognition uses Symantec's historical attachment data. Our data, which spans over 12 years, allows us to compute the probability of a file being clean based on the length of time it has been in circulation without ever being marked as malicious by antivirus software.
- Statistical analysis techniques detect malware trying to hide using new compression or encoding techniques.
- Data file fingerprinting is used to recognize when a data file looks suspicious, using a combination of several techniques. Such files are often targeted trojans designed for industrial or state-sponsored espionage.
- Malformed email recognition detects deliberately malformed emails. Malware creators use these to bypass scanners, relying on the scanner not recognizing the email as having a valid attachment. Skeptic decodes these emails and scans the resulting attachments.

Skeptic uses scalable server arrays managed in the cloud to perform heuristic analysis on over 7 billion emails each month. The more traffic it scans, the smarter it gets.

[3] http://www.symanteccloud.com/documents.aspx

Policy Control Point

The Symantec Email Content Control.cloud and Symantec Email Image Control.cloud service add-ons can be enabled to automatically scan all incoming and outgoing email and email attachments to identify and control confidential, malicious, or inappropriate email content and images. The Image Control service add-on incorporates sophisticated Image Composition Analysis (ICA) technology. Particularly well suited to the accurate detection of pornographic images, ICA applies a comprehensive range of image-filtering algorithmic techniques, including facial recognition, body positioning analysis, texture analysis, and flesh tone analysis. ICA results are fed through a sophisticated scoring system which allows the overall acceptability of an image to be determined.

Security Technology and Response

Email Security.cloud leverages protection technologies developed by the Symantec Security Technology and Response (STAR) team. STAR is a worldwide team of security engineers, threat analysts, and researchers that provides the underlying functionality, content, and support for all Symantec corporate and consumer security products. With eleven global response centers located throughout the world, STAR leverages the vast intelligence of the Global Intelligence Network (the technology backbone of Security Response) to develop and deliver the world's most comprehensive security protection.

The team provides an additional layer of protection for all Email Security customers by examining proactive alerts generated by Skeptic. Looking at email content and traffic patterns, Skeptic can proactively alert our security research and response teams about suspicious messages or unusual trends occurring at one or many of our customers. These types of messages would not ordinarily trigger a reaction from signature-based scanning technology and could represent an entirely new threat or targeted attack that needs a response.
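The malformed email recognition technique in the Skeptic list above depends on decoding a message leniently enough to find attachments that a stricter parser would miss. The following Python is an added illustration, not Symantec's code; it uses the standard library email parser on a constructed multipart message whose closing boundary marker is missing, records the structural defect, and still extracts the attachment so it can be scanned.

```python
import email
from email import policy

# Constructed sample: a multipart message with no closing "--XX--" boundary.
# A scanner that gives up on the broken structure may treat the body as plain
# text and never look at the executable attachment carried in the second part.
MALFORMED_MESSAGE = (
    b"From: billing@example.net\r\n"
    b"To: alice@example.com\r\n"
    b"Subject: Invoice\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="XX"\r\n'
    b"\r\n"
    b"--XX\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Please see the attached invoice.\r\n"
    b"--XX\r\n"
    b'Content-Type: application/octet-stream; name="invoice.exe"\r\n'
    b'Content-Disposition: attachment; filename="invoice.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAA=\r\n"  # constructed PE-like stub
)


def decode_message(raw: bytes) -> dict:
    """Parse leniently, record structural defects, and pull out every attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # The parser keeps going past the missing close boundary but notes the
    # defect; a scanner can treat any defect as a signal worth weighting.
    defects = [type(d).__name__ for d in msg.defects]
    attachments = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() != "attachment" and not part.get_filename():
            continue
        data = part.get_payload(decode=True) or b""
        attachments.append({
            "filename": part.get_filename(),
            "declared_type": part.get_content_type(),
            "size": len(data),
            # Windows PE files start with the 'MZ' magic whatever the declared
            # name or MIME type says, so the decoded bytes, not the headers, decide.
            "looks_like_pe": data.startswith(b"MZ"),
        })
    return {"defects": defects, "attachments": attachments}


if __name__ == "__main__":
    print(decode_message(MALFORMED_MESSAGE))
```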

The value of a human team behind any security service should not be underestimated. The STAR team has the added advantage of using data gathered from multiple products and services across the Symantec portfolio to investigate and feed security intelligence, ensuring our customers get a high-performing, robust email security service.

Service Administration

Administration is performed on the Symantec.cloud management portal. A single administrative logon can be used to manage multiple Symantec cloud services, including Symantec Web Security.cloud and Symantec Instant Messaging Security.cloud.

When Email Security intercepts a virus or malware in an email, it places the infected email into a holding pen, where it is stored for up to 30 days before being deleted. This quarantine period means that the malicious email is isolated and cannot infect the intended recipient's computer. Each quarantined email is given a unique identifier. This identifier is provided in the alerts that can be issued to administrators and users when an email containing a suspected virus is received.

Key Reporting Capabilities

Dashboard, summary, detailed, and scheduled reporting options are included and configurable to provide visibility, accountability, and confidence in the service's effectiveness and your organization's email activity. The key statistics dashboard provides a quick view of current service performance levels and notable activities such as virus blocks or emails that have triggered a policy. Report requests provide a way to get more in-depth reporting, allowing you to customize which metrics and time periods are included. Reports can be executed as a one-off or scheduled to run at regular intervals, with options to deliver via the portal or straight to your inbox. My Services is designed to give you an at-a-glance overview of service activity across multiple Symantec cloud security services.

Industry Leading Service

Symantec understands that our customers want a high-performing security service and excellent customer service backed by a meaningful and comprehensive service level agreement (SLA). Our confidence in our ability to deliver this is demonstrated by our market leader position[4] and our willingness to underpin our SLA with significant service credits. The Email Security service level agreement provides an aggressive set of metrics by which the service is monitored; credit back or other remedies are provided according to the SLA if the following performance targets are not met:

- AntiVirus Effectiveness: 100 percent protection against known and unknown email viruses
- AntiVirus Accuracy: no more than 0.0001 percent false positives
- AntiSpam Effectiveness: 99 percent spam capture (95 percent for email with double-byte characters)
- AntiSpam Accuracy: no more than 0.0003 percent false positives
- Email Delivery: 100 percent email delivery
- Latency: average email scanning time within 60 seconds
- Availability: 100 percent service uptime
- Technical Support: specific response times for critical, major, and minor calls

[4] Gartner Magic Quadrant for Secure Email Gateways 2012: http://www.gartner.com/technology/reprints.do?id=1-1bqxs7x&ct=120816&st=sb

Summary

By deploying Symantec Email Security.cloud you can block viruses, malware, spam, phishing, and targeted attacks before they reach your inbox. Email Security's content and image control services help control the flow of confidential and undesirable material through customer-defined policies. Policy-based encryption services can also be enabled to help protect confidential information from unauthorized viewers and ensure safe delivery of your most important messages. These services are available in a single integrated management console, simplifying administration while improving your control and visibility into service effectiveness.

Begin a free trial of Symantec Email Security.cloud: http://www.symantec.com/email-security-cloud

Glossary

About Symantec

Symantec protects the world's information, and is a global leader in security, backup, and availability solutions. Our innovative products and services protect people and information in any environment, from the smallest mobile device, to the enterprise data center, to cloud-based systems. Our world-renowned expertise in protecting data, identities, and interactions gives our customers confidence in a connected world. More information is available at www.symantec.com or by connecting with Symantec at go.symantec.com/socialmedia. For specific country offices and contact numbers, please visit our website.

Symantec World Headquarters, 350 Ellis St., Mountain View, CA 94043 USA. +1 (650) 527 8000, 1 (800) 721 3934, www.symantec.com

Copyright 2013 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 3/2013 21284713-1