The Story Behind Symantec’s Full-Court Press on Innovation

The intense and rapid rise of so called digital transformation, or what Symantec calls the Cloud Generation, raises new, often vexing scenarios for security practitioners, who can’t protect their data any longer simply by erecting perimeters around their corporate networks.

“Security has changed a lot over the last couple of decades,” said Eric Chien, a distinguished engineer at Symantec in the company’s security response group. “It used to be a question of defending a single machine and making sure that it was protected. That’s no longer the case.”

In the era of cloud computing and mobile, this means a couple of things:

• Individual products now must work together seamlessly.
• CISOs need solutions that “future-proof” their operations to help organizations defend their valuable information against rapidly-evolving security threats.

Symantec took that as the cue to invest in building new platforms and products. It took a couple of years of spade work as well as the timely acquisitions of coveted technologies through the purchase of Blue Coat, SkyCure and Fireglass. The upshot: A portfolio of innovations that offers integrated protection across endpoints, web, and messaging apps.  

Hardening and Isolation

In the latest version of Symantec Endpoint Protection, Symantec added hardening and isolation technologies that act to prevent bad or suspicious applications from winding up on your network.

The genesis of this effort traces back to the company’s earlier work with Symantec Critical Systems Protection (SCSP), which isolated apps on servers. But SCSP also required an advanced level of technical expertise. The challenge was to port that level of functionality to a wider market and make it more usable and accessible to help endpoint security administrators secure their organizations’ endpoints. It took Symantec about 15 months but its engineers came through.

And the timing was propitious. In the last couple of years, attackers have graduated to the deployment of more sophisticated attacks that are more difficult to detect by traditional means. CISOs found themselves in situations where good users and good applications were being used to do bad things.

So rather than just relying on blocking the bad stuff, Symantec has taken a different tack. SEP 14.1 not only blocks all known and unknown malware, but its hardening features put good apps in their own “castle” to ensure that bad things don’t get in. 

If it’s an unknown app, the IT department has more information at its disposal to make an informed judgment about next steps. Until then, the app will run in what Symantec calls “jails,” so that potentially bad things don’t get out and persist. The application can still run, but with limited privileges to protect the operating system and other good applications from any harm or tampering. It can contain items opened from an untrusted source (email or web, by example) to mitigate any risk they may pose and restrict these applications to only ‘good’ behavior.  

Innovating to Foil Malicious Email

What’s more, as Symantec continued to build out its Integrated Cyber Defense platform to provide better protection for endpoints, network, the cloud and email, the company’s engineers came up with two new ways to tackle the phishing menace.

First, it integrated security awareness training into Symantec’s email security solution so that security teams can run simulated campaigns to assess the readiness of any organization to malicious email attacks. These simulations closely resemble real-world attacks and can be easily customized. Security teams can also call up a heat map revealing which users are more susceptible to scams and order up training sessions to learn what to avoid.  

The second innovation was to integrate isolation technology into Symantec’s email security technology. Isolation eliminates threats by creating a secure execution environment. So, if someone clicks on a link, the action now first gets rendered in Symantec’s isolation portal; any malware payloads get neutered and only safe, inoculated web content is sent down to the browser.

Deception

Cyber criminals have been successfully deceiving end users for decades. But what about a way to give them a taste of their own medicine?

Deception picks up where an organization’s other security technologies leave off, providing help uncovering the presence of an attacker. Deception technology deceives attackers into believing they have successfully breached an organization, when in reality, attackers are shunted to a false environment, served up fake assets and information – essentially leading them on a “wild goose chase” -- while the security team works to neutralize the attack.

Until recently, however, customers had to rely on simple network “honeypots” - essentially fake lures deployed as counter-weapons to fool hackers with phony credentials, databases, web servers, and vulnerable systems. These were usually good enough to fool novices, though not sophisticated attackers. They also required a lot of time and expertise to deploy, manage and maintain. 

Symantec got around that bottleneck by integrating deception capabilities into its endpoint protection family, allowing defenders to detect and identify attackers during the early stages of a breach. 

This is a big deal on several different planes. Attackers can be on a network quite a while before they get detected. Operating in stealth, they may want to carry out reconnaissance of an organization’s entire infrastructure, or map out the network’s file structure.

Customers can now turn on deception and deploy the high-interaction bait that is integrated in the SEP family to improve their attack detection. As a result, they can reduce the time that it takes to detect attackers from months to a matter of minutes.   

The Power of Integrated Product Intelligence

Behind the scenes, a lot of hard work and consideration has gone into building out the various pieces of Symantec’s Integrated Cyber Defense platform approach. The overarching goal was to have multiple components sitting at every control point - desktop machines, the perimeter network, the cloud, and the mail server - that operate in conjunction with each other, sharing information about potential signs of trouble.   

“It's bringing all of the forces to bear that we have upon the security problems,” said Adam Glick, chief architect for Symantec's Advanced Threat Protection. “There are plenty of competitors that will tout machine learning or will tout their sandbox or will tout any individual technologies. But ultimately the bad guys will continue to do their work and no one technology is going to solve it all.”

True enough. It’s no longer just about watching a single machine. Systems need to be able to simultaneously monitor any number of machines, networks, and cloud implementations to detect signs of potential trouble. They also need to help CISOs understand what’s taking place in the threat environment.

As Kevin Haley, the director of Symantec’s Security Technology and Response Group notes, “You have to bring your security data together because if something is happening in one place and something else is happening in another, by themselves that may not have meaning.”

With data spread around so many places nowadays, companies also need to gather up information from multiple places and make sense of it. That’s a formidable task. Advanced attackers nowadays hide their tracks all too well. Collecting malicious, or just suspicious, data is no longer sufficient. You need to look at everything. You need to be driving back telemetry on every action that's happening on a machine so that you can understand when something might be going wrong, investigate further and then bring all the data together.  

Several years ago, Symantec made a major decision to ensure that its telemetry was not just focused on malicious items. It also wanted telemetry about clean programs and clean actions happening on machines as well. That data came from hundreds of millions of machines, endpoints and devices as well as all of Symantec’s interception points around the globe.

That’s where Symantec’s Global Intelligence Network plays a key role in identifying attacks. With sensors tracking all over the internet as well as at all of those major control points, the system sifts through this enormous volume of data to uncover the proverbial needles in the haystack to identify threats before they actually unfold. It supports that effort with a centralized team of security experts, analysts, and engineers on the front lines who track attackers 24 x 7.

Automating Analytics

Around 2010, Symantec saw the need to dive in deeper to better understand the anatomy behind some of the more extreme attacks taking place. While most customers remained unaffected, the attacks in many cases represented a new level of proficiency among cyber criminals, who were rapidly improving their ability to hide their fingerprints.

Symantec subsequently formed a team to focus on these more advanced attacks, gathering exponentially larger amounts of data related to threats and attacks. The amount of information was beyond human capacity to analyze and use to bolster customer protection. That’s why Symantec started investing heavily in automation and machine learning. The goal was to automate many of the tasks previously performed by human analysts and find more things, faster, with the help of advanced analytics

Nowadays, Symantec uses Machine Learning and AI to go through the telemetry and determine the presence of a targeted attack. It then analyzes all the machine information, all the proxy information, all the email information - to find any links to other similar attacks. It also crawls Symantec’s entire telemetry set to establish a web of all of the related machines, programs, URLs, and companies that might be impacted.

“The goal was to take the vast amount of data that Symantec was privy to from the threat landscape and pull together information about the highly malicious activity we found there so that we could pass it over to the products and our customers to better protect themselves,” said Vikram Thakur, a technical director with Symantec’s STAR team.

It didn’t take long to bear fruit. Targeted Attack Analytics helped to spot many new types of attacks - including the latest Dragonfly incident in which shadowy adversaries had conducted cyber attacks. against the energy sector in North America and Europe. (Symantec received a nod from the Department of Homeland Security for its work uncovering the Dragonfly campaign against energy companies.) TAA merges the best threat hunting talent in the business with machine learning and AI and productizes it, putting in our customers hands, the most sophisticated advance threat detection possible.

Stay Tuned for More  

A year and a half ago, CEO Greg Clark promised customers more innovation and faster delivery of new products. Surveying the track record to date, Clark says the company’s done all that and more, moving to anticipate industry shifts and innovate faster than its rivals.

And, that effort is paying off: For the third straight year, the AV-TEST Institute, the equivalent of a Consumer Reports for enterprise and consumer cyber security, has awarded the prestigious Best Protection Award to Symantec.

But Clark says that Symantec is nowhere near finished. In coming months, the company intends to step up the pace of innovation, adding new capabilities to its security offerings.