Extreme Makeover – Symantec's ThreatCon
A while back we took a look at how security alerting was being done across the industry and noticed that there was plenty of room for improvement. We started out with our own ThreatCon. It was easy to see that it wasn't very effective at helping less tech-savvy consumers protect themselves online. On the humorous side, we did a little survey on customer perception and effectiveness of the ThreatCon, and one of the respondents thought it was related to something on Star Trek. Ouch! The feedback we got gave us a clear picture of where to begin our journey to improve our alerting systems.
We began the overhaul of our security alerting systems early last spring by introducing the Internet Threat Meter (ITM) for consumers. The idea was to base the system on a safety rating for the most popular online activities, namely Web browsing, email, instant messaging, and file-sharing. Today, the ITM is at version 1.0 and we have a lot of ideas about where we'd like to take it. However, after launching a "consumer-friendly" version of the ThreatCon, we shifted our attention to overhauling the original ThreatCon alerting system.
We code-named the project to overhaul the venerable ThreatCon "Extreme Makeover", or "XM" for short. It was a pretty auspicious name for the project, but we were aiming for a ThreatCon that had a little Hollywood sizzle to it, so the name fit nicely. We had three key objectives for the project:
1. Make it interactive. There's just too much going on in the daily threat landscape to lay it out in a space the size of a few hundred pixels. So, our challenge was to sufficiently cover the really important stuff, provide enough detail, and allow users to easily access the "down-and-dirty" information without making them click a bunch of times or visit a large number of Web pages. We ended up using a series of sliding panels that shift out when clicked and allow the user to drill down for more information. For example, in the "Threat Watch" area shown below, you can view all the malicious activities we're currently keeping an eye on, and if you want the gory details, you can see the blogs and advisories related to each item on the watch list. The example shown is for the recent Mpack attack on Italian Web sites and their visitors, for which we had a series of blogs, a video, as well as an advisory. Not bad for a couple of clicks…
2. Make it comprehensive. The original ThreatCon was focused heavily on vulnerabilities and malware. With spyware, adware, fake applications, phishing, spam of all sorts, and a new scam seemingly being born every minute, the scope of the old ThreatCon seemed uncomfortably limited. Moreover, today's threats don't exist in isolation but are typically part of a complex attack with many components. For example, the Mpack attack used a hacked Web site and an attack toolkit (MPack), which installed a downloader Trojan, which in turn downloaded more full-featured Trojans such as LinkOptimizer and Srizbi. Phew!
The problem was that everyone (Symantec included) had individual threat write-ups but did a pretty mediocre job of showing how it all fit together. Enter the new "Attack Explorer", shown below, which visually describes important attacks, allowing users to see how it's all connected. From spam to spyware, you can now check out a complex attack and drill down into the element of interest.
3. Make it visually appealing. Why does security alerting have to be so, … uh …, ugly? As trivial as it may seem, we felt like our design had to stand out from the pack. Simple geographic maps that showed the number of viruses currently in Bulgaria were strictly ruled out. While this might be dismissed as vanity, think of how crowded Web pages are these days and how many things are vying for your attention. In a world where rich content is taking over, we wanted to up the ante a bit and stand apart from the crowd. We also felt like this might help "in the trenches" security professionals copy and paste some of the content so that it could be used with the higher-ups to explain the current threat conditions. In our experience, anything that heads up to the exec level had better look pretty.
While we had to cut back on some of the cool things we had initially wanted to do, we're satisfied with the end result of our extreme makeover. We're already cooking up plans for the next version (likely to include a downloadable desktop widget and/or syndication). But don't take our word for it: take a minute and check out the new ThreatCon to see how it all turned out.