- From CIO Digest, January 2009 Issue
Behavioral protection can provide an added layer of defense against malicious software and guard systems from threats for which no virus signatures yet exist.
Writing virus signatures—the classic mechanism for detecting and stopping threats—is analogous to using fingerprint matching to catch criminals. If you’re looking for a known criminal who has a fingerprint on file, it’s a perfect system. If you don’t have their fingerprint yet, this traditional “blacklisting” mechanism isn’t effective.
Heuristic technology—examining the attributes of files on disk to check for suspicious characteristics—takes threat detection a step further. To continue our analogy, if you see a person walking down the street in the middle of summer wearing an ankle-length coat with something obviously concealed underneath, you identify their appearance as “suspicious.” Although you might not have their fingerprint, the individual may still represent a security threat and therefore warrant further investigation.
Beyond blacklisting and heuristics, the last line of defense is behavioral protection technology. This involves monitoring actively running software and network streams for behavioral patterns that could be malicious. Using this approach, it is possible to identify entirely new threats or classes of threats by examining their behavior. Once you determine that a threat is exhibiting suspicious behaviors, you can block it and, in many cases, clean up any damage it has already caused.
Back to our criminal analogy, if someone breaks into a store and walks out with something, the police can arrest the person based on behavior alone. Of course, if the individual was a known criminal, fingerprinting may have stopped him from entering the store in the first place. Nevertheless, any further damage is averted.
Symantec’s behavioral protection technologies can catch entirely new and unknown malware that has bypassed classic, fingerprint-based antivirus protection and heuristic protection. There are three components to this behavioral technology, all of which work together.
The first two components are primarily intended to prevent malicious software from getting onto your computer in the first place. The first of these, Network Intrusion Prevention, scans both incoming and outgoing network streams to identify suspicious traffic. If suspicious incoming traffic is observed, it can be blocked before it reaches the computer and does damage. If suspicious outgoing traffic is observed as originating from a program on the computer, the program can be blocked from doing further damage on the computer.
The third component, called SONAR, is intended to stop malicious programs that are already on your computer. SONAR uses process-based behavior blocking to monitor all running programs, note any suspicious characteristics, and remove applications that exceed a predefined risk threshold. Details about key executables are anonymously communicated back to Symantec for further analysis—for customers who agree to participate—and used for continuous improvement in accuracy and scoring weights.
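The process-scoring idea described above, as an added illustration that is not Symantec's code: each observed behavior of a running program adds a weight to that program's risk score, and a program whose accumulated score reaches a predefined threshold is flagged for blocking. The event line format, the behavior names, the weights and the threshold are all assumptions constructed for this example.

```python
from collections import defaultdict

# Constructed sample of process-behavior events (not real telemetry). The
# key=value line format is an assumption made for this example.
SAMPLE_EVENTS = """\
pid=101 image=explorer.exe behavior=file_write target=C:\\Users\\a\\report.docx
pid=202 image=setup_tmp.exe behavior=autorun_registry target=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
pid=202 image=setup_tmp.exe behavior=process_inject target=svchost.exe
pid=202 image=setup_tmp.exe behavior=disable_security target=WinDefend
pid=303 image=backup.exe behavior=file_write target=D:\\backup\\x.zip
pid=303 image=backup.exe behavior=file_write target=D:\\backup\\y.zip
"""

# Assumed scoring weights: no single characteristic is decisive on its own;
# the score only becomes conclusive when suspicious behaviors combine.
WEIGHTS = {
    "autorun_registry": 30,   # persistence via a Run key
    "process_inject": 40,     # writing into another process
    "disable_security": 40,   # tampering with a security service
    "file_write": 1,          # ordinary activity, nearly weightless
}
BLOCK_THRESHOLD = 80          # assumed predefined risk threshold

def parse_event(line):
    """Turn one 'key=value ...' line into a dict (the last field, target, may contain spaces)."""
    return dict(field.split("=", 1) for field in line.split(" ", 3))

def score_processes(log_text):
    """Accumulate a risk score per pid: {pid: (image, score)}."""
    scores, images = defaultdict(int), {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        pid = int(ev["pid"])
        images[pid] = ev["image"]
        scores[pid] += WEIGHTS.get(ev["behavior"], 0)  # unknown behaviors score 0
    return {pid: (images[pid], score) for pid, score in scores.items()}

def verdicts(log_text, threshold=BLOCK_THRESHOLD):
    """Map each pid to 'block' or 'allow' by comparing its score to the threshold."""
    return {pid: ("block" if score >= threshold else "allow")
            for pid, (_, score) in score_processes(log_text).items()}

if __name__ == "__main__":
    decisions = verdicts(SAMPLE_EVENTS)
    for pid, (image, score) in score_processes(SAMPLE_EVENTS).items():
        print(f"pid={pid} {image:<14} score={score:>3} -> {decisions[pid]}")
```

In the constructed sample only pid 202 combines persistence, injection and tampering with a security service, so only it crosses the threshold; the two heavy file writers stay well below it.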
With a very low impact on system performance, the latest versions of Symantec’s behavioral protection technologies are integrated into the newest versions of our consumer products and will be included in a future release of Symantec Endpoint Protection. To date, behavioral technologies have already blocked more than 5.2 million Web-based attacks for Symantec customers and have stopped thousands of new programs from performing malicious activities on Symantec customers’ computers.
What innovations and best practices substantially reduce information risks?
By Alan Drummer
A few key initiatives—and sometimes not the most obvious ones—can make the biggest difference in minimizing your company’s information risks. That’s the conclusion of this conversation with Francis deSouza, Symantec’s Senior Vice President, Information Risk Management Group. deSouza also details key benefits of the three products at the core of Symantec’s Information Risk Management (IRM) strategy: Brightmail Gateway 8.0, Data Loss Prevention 9.0, and Enterprise Vault 8.0.
Q. Francis, if C-level decision makers have only 30 seconds with you, what key points should they take away?
A. Francis: While it’s important for CIOs to protect their company’s infrastructure, it is increasingly more important for them to protect their company’s information. Information is often their most valuable asset—and in many cases the most vulnerable asset. The key is to understand what important information exists in the company.
Q. What would you say are the building blocks of a cohesive strategy for protecting unstructured information?
A. Francis: There are four building blocks. First, keep the bad stuff out—such as phishing attacks or spam. Second, keep the good information in. Understand what the important information assets are within a company, where they are, and ensure they can only leave the company appropriately, with adequate protection. This is called data loss prevention. The third priority around information risk management is archiving. Companies need to retain information only for a required period—not a day longer. They need to understand retention requirements for different types of information such as email and files—and then apply those policies consistently. The fourth priority is around e-discovery. Companies need to be able to retrieve requested information in a timely way—either for data mining, or to respond to an e-discovery request quickly.
Q. To support those priorities, what new capabilities is Symantec offering in messaging security?
A. Francis: We invest heavily in making sure that we offer the best and most comprehensive threat protection out there. That means we spend a lot of time not only delivering our award-winning antivirus capability but also an antispam capability that delivers the industry’s highest effectiveness with the lowest false positive rates. We also have focused on delivering the most scalable offering in the market today. Our threat management products are in use by some of the world’s largest ISPs to manage over 300 million mailboxes—and they’re also in use all the way down to small businesses and home offices. The third area we’ve invested in is manageability. We make sure that our products are simple to install and configure, and customers can get up and running as fast as possible. The other area we’ve invested in is being the only company in the world that looks at incoming messages to capture threats and outgoing messages to stop the leak of sensitive information.
Q. Data loss prevention—what is Symantec developing in this area?
A. Francis: We acquired Vontu—the pioneer in data loss prevention. That means Symantec now serves over half of the data loss prevention marketplace. And our innovations are focused on ensuring you can protect sensitive information across your enterprise. That includes understanding where confidential information is both at rest and in motion—whether it’s entering or leaving your company through email, Web messaging, USB drives, the printer, or on mobile endpoints.
Q. On another topic—email storage costs and e-discovery costs are hard to control and are pain points in many organizations. What relief does Symantec offer?
A. Francis: We see customer email storage typically growing at 30 to 70 percent a year. So we’ve done a lot of work on Symantec Enterprise Vault to deliver the industry’s most efficient message archive. We’ve invested in technologies such as single instancing, so only a single instance of multiple copies of a PowerPoint attachment is stored. In e-discovery, we’re addressing a different challenge. It may cost a dollar just to store a gigabyte of information, but it can cost up to $30,000 to have lawyers review that gigabyte. For this business requirement, we have Enterprise Vault Discovery Accelerator. With it, customers can fulfill a legal request in a matter of minutes or hours that might have previously taken weeks.
Q. That’s powerful. Companies might be discouraged by the number of projects they should be launching in IRM. What’s the easiest ROI?
A. Francis: One of the quickest paybacks can come from our Brightmail Gateway solution. By blocking spam, it reduces the volume of incoming messages, saving bandwidth, storage, and messaging processing costs—and shielding employees from productivity loss. Another quick payback opportunity is email archiving. Customers reclaim large amounts of primary disk space—which often costs up to $45 per gigabyte—by implementing Enterprise Vault. At Symantec.com we have a number of ROI tools that quickly calculate the potential payback. When it comes to data loss prevention, the payback is in cost avoidance. Customers build a business case for a data loss prevention solution around the costs of notifying customers of a data breach, along with the severe damage to a company’s reputation. When it comes to e-discovery, customers often hit seven-figure litigation costs at a minimum. That’s strong justification for getting Enterprise Vault and Enterprise Vault Discovery Accelerator.
Q. What would you say are the most typical “barn doors” that companies forget to lock before the horses escape?
A. Francis: Great question. I think that there are a few. Customers don’t always have the best handle on what their sensitive information is, and where it lives within their company. And it’s too late to start looking when somebody loses a laptop or there’s a data breach. A second area of high risk is not having an e-discovery infrastructure in place. When a company is hit by litigation, it’s then hit with a double whammy. One is that it’s hard to retrieve requested information fast—and often that results in unfavorable reactions from the legal system. Second, because the retrieval infrastructure is not in place, the cost of getting the information is very high.
Q. Good tips. It’s said that information risk management requires more than solutions—it takes an awareness and discipline in all employees. What best practices have you seen for spreading that awareness and discipline?
A. Francis: One valuable practice is to proactively communicate within a company about the importance of information assets—and teach every employee how to protect those assets. Which information is sensitive? What practices are inappropriate? Employees should know if it’s inappropriate to send information to their Hotmail or Gmail accounts to work on at home. Policies need to be clearly laid out. Second, employees need to clearly understand retention guidelines. What should be kept? For how long? When should it be deleted? A third best practice is to communicate that messages should be retained in a central archive—and not on desktops or in file shares. This ensures that when a message is deleted, it’s deleted everywhere.
Alan Drummer is Creative Director for Content at NAVAJO Company.
In its 2008 Technology Survey, the International Legal Technology Association (ILTA) reports that a significant number of legal firms, 23 percent, have a “green” initiative or program, while another 21 percent indicate they are working on such a program. In line with this, 80 percent of the firms that were already using virtual server technology reported they increased their investments in virtualization solutions since last year.
While managing email is still the most significant challenge, an interesting new trend in this area is the practice of restricting the “Reply to All” button. Of course, it makes sense that a “Reply to All” at a firm with several thousand users will generate many more problems than at a smaller organization. The results bear this out—a third of very large firms find this restriction necessary.
The survey covered 537 respondents representing firms with attorney counts ranging from 5 to 3,400. More than 108,000 attorneys and 245,000 total end users are represented by the data. Responses came from Canada, Australia, the United Kingdom, and the United States.