While cyber attack toolkits have been in circulation since at least 1992, only recently have they become readily accessible and easy to use.
Just how popular are these packages of prewritten malicious code? According to the recent Symantec Report on Attack Kits and Malicious Websites, attack toolkits are now drawing traditional criminals, who would otherwise lack the technical expertise, into cyber crime, fueling “a self-sustaining, profitable, and increasingly organized economic model worth millions of dollars.” The report goes on to observe that attack toolkits are now being used in more than half of all malicious Internet attacks.
As they gain in popularity, attack toolkits are responsible for another disturbing development: the proliferation of rapidly mutating threats. Today’s attack kits are more sophisticated than ever, allowing cyber criminals to continuously generate new, mutated malware variants, each targeting a different victim. These toolkits also employ a variety of techniques to make their output virtually undetectable by traditional virus scanning solutions. The result has been a veritable explosion in the scope of malware. Symantec estimates that attackers unleashed more than 286 million distinct malicious programs last year, an average of more than nine new threats every second of every day.
For organizations that are moving from physical to virtual environments in their data centers, these recent changes in the threat landscape have important ramifications.
Not only are cyber attacks proliferating at an unprecedented rate, they are also making traditional discovery and fingerprinting of these threats nearly impossible. Reactive approaches such as signature scanning simply can’t keep up. For example, the latest Symantec Internet Security Threat Report found that 50% of attacks were detected not by virus scanning but by the intrusion prevention system (IPS) technology incorporated into our endpoint protection platforms.¹
Much has been made of the need to drive increased performance and density in virtual environments. Hence the recent discussion of shifting from in-guest, multi-instance protection, where each guest has its own instance of malware definitions and scanning engines, to out-of-guest protection, where guests share a single instance of relevant protection technologies. However, solutions based on VMware vShield™ Endpoint technology share a common shortcoming—they support only virus scanning. Other, equally important elements of endpoint security such as IPS and firewall are not supported through vShield.
While Symantec’s virtualization security strategy also targets delivering customers single instance security, it is focused above all on providing complete protection, covering attack vectors that traditional antivirus protection can’t defend against. It’s a strategy that goes beyond file scanning to provide the following essential protection technologies:
- Antivirus and antispyware
- Intrusion Prevention
- Application Control
- Device Control
- Network Access Control
Remember: Virtualization can change many things, but the need to stay completely protected from malicious threats always remains the same. Every endpoint on the network, whether virtual or physical, has to be secured. That’s worth emphasizing because virtualization makes it much easier and faster to deploy new systems, and it’s not uncommon to forego the security best practices that were painstakingly developed for the physical environment.
Also keep in mind how the latest threats operate. For example, the unprecedented Stuxnet worm, which was developed to attack industrial control systems, spread primarily by USB device. Without device control, an organization has no way to block that infection vector at the endpoint.
At the heart of Symantec’s strategy to deliver optimized protection for both physical and virtual environments is Insight, the community and cloud-based reputation technology that powers Symantec Endpoint Protection (SEP). Insight analyzes and catalogs nearly every file on the Internet to identify new threats as they’re created. Based on advanced data mining techniques, Insight seeks out changing encryption and mutating code, separating files at risk from those that are safe for faster and more accurate malware detection.
Context is the key to this new line of defense. Context comprises all the information that can be collected about a file that’s not embodied in the file itself—that is, information beyond its contents and behavior. Insight is designed to answer such questions as:
- How many instances of the file exist?
- When did the first instance of this file appear?
- Where did it come from?
- With what other files is the file connected?
- Has it been scanned by other machines on the Internet, and with what results?
The technology enables Symantec to harness the anonymous software usage patterns of more than 175 million Symantec customer computers and deliver protection against today’s micro-distributed, mutating threats that would otherwise evade traditional security solutions.
That’s important because while a number of security vendors claim to offer reputation-based systems, in reality what they offer are malware signatures in the cloud. But a cloud-based blacklist cannot identify new threats based on their prevalence or uniqueness or on their relationship with other threat data. Ultimately, blacklists in the cloud react faster, but they’re still reactive.
The bottom line: Insight uses context to take the most important advantage of cyber criminals—their ability to generate millions of unique threats—and turn it against them.
What’s more, this new technology can significantly reduce the impact of antivirus scanning. Because Insight skips any file that is known to be good, virus scanning overhead can be reduced by as much as 70%.
SEP protects the virtual infrastructure in other important ways as well. For example:
- Virtual image exception: SEP can whitelist files from a standard virtual machine image to optimize scanning.
- Resource leveling: SEP randomizes scan and update schedules to prevent resource utilization spikes (“AV storms”).
- Shared Insight cache: SEP not only caches Insight cloud lookups, it actually caches all scan results—preventing the duplication of file scans.
- Virtual client tagging: Symantec Endpoint Protection Manager can automatically identify and manage virtual clients.
Taken together, these developments can reduce the disk I/O by up to 90%, reducing load on virtual hosts and preventing scans from bogging down system resources. The result is faster, more responsive systems, which in turn support greater density of virtual instances.
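As an added illustration for the reputation questions listed earlier and the four virtualization features just described (it is a hypothetical model written for this page, not Symantec’s Insight or SEP code, and nothing here describes how those products are actually implemented), the following Python sketch shows how a golden-image whitelist, a scan-result cache shared across guests and keyed on a SHA-256 digest, and a context decision built from prevalence, first-seen age and origin fit together. The thresholds, origin labels and sample file bytes are all constructed assumptions.

```python
"""
Illustrative context-based file triage. Hypothetical model written for this page,
not Symantec's Insight or SEP code: a golden-image whitelist, a scan cache shared
across guests keyed on SHA-256, and a reputation decision built from prevalence,
first-seen age and origin. All thresholds and sample bytes are assumptions.
"""
import hashlib
import time
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class ReputationRecord:
    """Context about a file that is not in the file itself."""
    first_seen: float                          # epoch seconds of the first report
    hosts: set = field(default_factory=set)    # distinct reporting machines (prevalence)
    origins: set = field(default_factory=set)  # how it arrived: "usb", "download", ...

    @property
    def prevalence(self) -> int:
        return len(self.hosts)


class ReputationDB:
    """In-memory stand-in for a cloud reputation service (hypothetical)."""

    def __init__(self, now=time.time):
        self.records = {}
        self.now = now  # injectable clock so ageing is deterministic

    def report(self, digest: str, host: str, origin: str) -> None:
        rec = self.records.get(digest)
        if rec is None:
            rec = self.records[digest] = ReputationRecord(first_seen=self.now())
        rec.hosts.add(host)
        rec.origins.add(origin)

    def classify(self, digest: str) -> str:
        """'good', 'suspicious' or 'unknown' from prevalence, age and origin (assumed thresholds)."""
        rec = self.records.get(digest)
        if rec is None:
            return "unknown"
        age_days = (self.now() - rec.first_seen) / 86400
        if rec.prevalence >= 1000 and age_days >= 30:
            return "good"        # widely distributed and mature: skip the engine
        if rec.prevalence <= 5 and age_days < 1 and rec.origins & {"usb", "download"}:
            return "suspicious"  # rare, brand new, untrusted vector: the micro-distributed profile
        return "unknown"


class EndpointScanner:
    def __init__(self, golden_image_hashes, reputation: ReputationDB):
        self.whitelist = set(golden_image_hashes)  # virtual image exception
        self.reputation = reputation
        self.shared_cache = {}                     # digest -> verdict, shared by all guests on a host
        self.engine_calls = 0                      # how often the expensive engine actually ran

    def full_scan(self, data: bytes) -> str:
        """Constructed stand-in for a signature engine: flags one marker string."""
        self.engine_calls += 1
        return "malicious" if b"CONSTRUCTED-MALWARE-MARKER" in data else "clean"

    def scan(self, data: bytes, host: str, origin: str) -> str:
        digest = sha256_hex(data)
        self.reputation.report(digest, host, origin)  # every lookup also feeds prevalence
        if digest in self.whitelist:
            return "skipped:golden-image"
        if digest in self.shared_cache:
            return "cached:" + self.shared_cache[digest]
        label = self.reputation.classify(digest)
        if label == "good":
            self.shared_cache[digest] = "clean"
            return "skipped:reputation"
        verdict = self.full_scan(data)
        if label == "suspicious" and verdict == "clean":
            verdict = "quarantine-pending"  # a clean signature result alone is not trusted here
        self.shared_cache[digest] = verdict
        return "scanned:" + verdict


def demo():
    clock = {"t": 1_700_000_000.0}
    db = ReputationDB(now=lambda: clock["t"])
    golden = [sha256_hex(b) for b in (b"kernel32.dll bytes", b"notepad.exe bytes")]  # constructed
    scanner = EndpointScanner(golden, db)

    popular = b"widely deployed installer bytes"  # constructed
    for i in range(1000):
        db.report(sha256_hex(popular), f"host{i}", "download")
    clock["t"] += 40 * 86400                     # 40 days pass

    results = {
        "golden": scanner.scan(b"kernel32.dll bytes", "vm1", "image"),
        "popular": scanner.scan(popular, "vm1", "download"),
        "first_scan": scanner.scan(b"new internal tool bytes", "vm1", "software-deploy"),
        "second_guest": scanner.scan(b"new internal tool bytes", "vm2", "software-deploy"),
        "usb_rare": scanner.scan(b"autorun dropper bytes", "vm3", "usb"),
        "malicious": scanner.scan(b"CONSTRUCTED-MALWARE-MARKER payload", "vm3", "usb"),
    }
    return results, scanner.engine_calls


if __name__ == "__main__":
    for name, verdict in demo()[0].items():
        print(f"{name:13s} {verdict}")
```

Of the six scans in the demo only three reach the signature engine: the golden-image file and the widely deployed installer are skipped on context alone, and the second guest that sees the new internal tool reuses the first guest’s verdict from the shared cache. The rare, day-old file arriving over USB is the case that matters most: even when the signature engine says “clean”, the context (prevalence of one, no history, removable-media origin) is enough to hold it, which is the sense in which the page says context turns the attackers’ uniqueness against them.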
Recently, leading security testing organization PassMark Software conducted performance tests on six endpoint security products. The products were benchmarked using 13 performance metrics to assess product performance and system impact on the endpoint or client machine. Symantec Endpoint Protection 12 (currently in beta) attained the top overall score against all tested competitors.²
Data collected by Symantec documents an overwhelming shift in the creation and distribution of malicious software. Increasingly, cyber criminals rely on attack toolkits to launch hundreds of millions of customized and targeted threats. This shift threatens to overwhelm traditional defenses, leaving enterprises exposed to a barrage of unique threats.
Symantec Endpoint Protection 12 leverages Insight, Symantec’s cloud-based reputation technology, to protect against this new threat landscape. With advanced features designed specifically to secure virtual infrastructures, SEP offers advanced defense against all types of attacks, including new and unknown threats missed by traditional security solutions. By integrating essential security tools in a single agent with a single management console, SEP offers the protection and performance needed in today’s heterogeneous physical and virtual environments.
- ¹ Symantec Internet Security Threat Report, Volume XVI, April 5, 2011
- ² “Enterprise Endpoint Protection Performance Benchmarks,” PassMark Software, February 9, 2011