Fighting evolving targeted attacks

Symantec bolsters targeted attack protection portfolio with new Disarm technology for Symantec Messaging Gateway, network threat protection for Mac.

  • Thursday, 21st November 2013, by Phil Alsop

Defending against sophisticated targeted attacks is now the norm, and it's not just large companies that are affected. Targeted, often state-sponsored attackers are going after smaller companies too. Why? Small companies often have business relationships with larger companies that are the attacker's ultimate target, and because they tend to have fewer security safeguards than their larger partners, they make a convenient way in. So how can businesses, large and small, protect themselves against these sophisticated, targeted attacks?
The answer is a combination of cutting-edge security technology and a vast intelligence network that monitors our Symantec customers' networks, and the attackers, around the clock. Our aim is to block attacks no matter what their target is or how they try to get in: at your gateway, on the endpoint and in the data center. And we're raising the bar every day. I'm excited to discuss here two powerful new innovations that we've just added to Symantec's arsenal against targeted attacks: Disarm in Symantec Messaging Gateway and Network Threat Protection in Symantec Endpoint Protection for Mac computers.


Why it matters
Developed by Symantec Research Labs, Symantec's advanced research division, the new Disarm technology in Messaging Gateway 10.5 uses a first-of-its-kind technique to protect companies from targeted attacks. Most targeted attacks are now delivered as malicious but seemingly innocuous documents sent over email. Each such document, e.g. a PDF, DOC or XLS file, carries an embedded exploit for the application that renders it, so when the victim simply opens the document, their computer is silently compromised.


Traditional protection technologies attempt to scan documents for suspicious characteristics. The problem is that many document-based attacks are purposely crafted so they don't look suspicious, and as a result they go undetected. Disarm takes a different approach. Instead of scanning the document, it builds a harmless digital "carbon copy" of every incoming email attachment and delivers that copy to the recipient instead of the original, potentially malicious, document. Because the copy is rebuilt rather than passed through, the recipient is never exposed to the attacker's bytes, whether or not the exploit they carry is known. And the technology is extremely effective: according to Symantec research, Disarm would have blocked 98 percent of the attacks exploiting zero-day document vulnerabilities seen so far in 2013, attacks that were entirely unknown at the time and would therefore likely have evaded traditional scanners, heuristics, emulators and even Virtual Execution (VX) solutions.
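The reconstruction idea above, as an added example that is not Symantec's Disarm code and not part of the original post: a deliberately minimal content disarm and reconstruction (CDR) step for PDF in Python. It parses a constructed sample document carrying a JavaScript action, then writes a new file from the catalog outward, copying only the keys a viewer needs to draw the pages; the action object is never referenced from anything kept, so it never appears in the copy. The allowlist, the sample PDF and all function names are assumptions for illustration.

```python
# Simplified content disarm and reconstruction (CDR) for PDF, a hypothetical example: rewrite
# the file from /Root copying only allowlisted keys, so actions, JavaScript, embedded files and
# anything unrecognised are never copied. Assumes plain syntax (no encryption, object streams,
# hex strings or indirect /Length values); the allowlist below is an illustrative assumption.
import re
# Constructed sample: one text page plus a JavaScript action (harmless placeholder)
# reachable via the catalog's /OpenAction and the page's /AA open trigger.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R
  /Resources << /Font << /F1 6 0 R >> >> /AA << /O 5 0 R >> >> endobj
4 0 obj << /Length 47 >> stream
BT /F1 24 Tf 72 720 Td (Quarterly report) Tj ET
endstream endobj
5 0 obj << /S /JavaScript /JS (app.alert\\(1\\)) >> endobj
6 0 obj << /Type /Font /Subtype /Type1 /BaseFont /Helvetica >> endobj
trailer << /Root 1 0 R >>"""
TOKEN = re.compile(rb"\s*(<<|>>|\[|\]|\((?:\\.|[^\\()])*\)|/[^\s/\[\]<>()]*"
                   rb"|(\d+)\s+\d+\s+R\b|[^\s/\[\]<>()]+)")
OBJ, STREAM = re.compile(rb"(\d+)\s+\d+\s+obj\b"), re.compile(rb"\s*stream\r?\n")
ALLOWED = {  # keys copied per /Type; None covers untyped objects, i.e. content streams
    b"/Catalog": (b"/Type", b"/Pages"), b"/Pages": (b"/Type", b"/Kids", b"/Count", b"/Parent"),
    b"/Page": (b"/Type", b"/Parent", b"/MediaBox", b"/Contents", b"/Resources"),
    b"/Font": (b"/Type", b"/Subtype", b"/BaseFont", b"/Encoding"), None: (b"/Filter", b"/DecodeParms")}

def parse(buf, i):
    """Parse the value at buf[i] into dict/list/int (reference)/bytes; return (value, end)."""
    m = TOKEN.match(buf, i)
    if not m:
        raise ValueError("no PDF token at offset %d" % i)
    tok, i = m.group(1), m.end()
    if tok not in (b"<<", b"["):
        return (int(m.group(2)) if m.group(2) else tok), i
    box = {} if tok == b"<<" else []
    while True:
        v, i = parse(buf, i)
        if v in (b">>", b"]"):
            return box, i
        if isinstance(box, dict):
            box[v], i = parse(buf, i)
        else:
            box.append(v)

def refs(v):  # every indirect reference (int) inside a parsed value, recursively
    if isinstance(v, int):
        yield v
    for x in (v.values() if isinstance(v, dict) else v if isinstance(v, list) else ()):
        yield from refs(x)

def emit(v, renumber):  # serialise a parsed value, rewriting references through renumber
    if isinstance(v, int):
        return b"%d 0 R" % renumber[v]
    if isinstance(v, dict):
        return b"<< " + b" ".join(k + b" " + emit(x, renumber) for k, x in v.items()) + b" >>"
    if isinstance(v, list):
        return b"[" + b" ".join(emit(x, renumber) for x in v) + b"]"
    return v

def parse_objects(pdf):  # number -> (dict, stream); scans for 'n g obj', not the untrusted xref
    objects = {}
    for m in OBJ.finditer(pdf):
        d, i = parse(pdf, m.end())
        if isinstance(d, dict):
            sm = STREAM.match(pdf, i)
            stream = pdf[sm.end():sm.end() + int(d[b"/Length"])] if sm else None
            objects[int(m.group(1))] = (d, stream)
    return objects

def disarm(pdf):
    """Rebuild pdf from its /Root keeping only allowlisted keys; return the new bytes."""
    objects, root = parse_objects(pdf), parse(pdf, pdf.rindex(b"trailer") + 7)[0][b"/Root"]
    renumber, queue, rebuilt = {root: 1}, [root], {}
    while queue:
        old = queue.pop(0)
        d, stream = objects.get(old, ({}, None))
        kind = d.get(b"/Type")
        kept = {k: v for k, v in d.items() if k in ALLOWED.get(kind, ())}  # the disarm step
        if stream is not None and kind is None:  # only untyped content streams are copied
            kept[b"/Length"] = b"%d" % len(stream)
        for ref in refs(kept):  # follow references only from values that survived
            if ref not in renumber:
                renumber[ref] = len(renumber) + 1
                queue.append(ref)
        rebuilt[renumber[old]] = (kept, stream if kind is None else None)
    return serialize(rebuilt, renumber)

def serialize(rebuilt, renumber):  # renumbered objects, then a freshly computed xref and trailer
    out, offsets = [b"%PDF-1.4\n"], {}
    for num in sorted(rebuilt):
        kept, stream = rebuilt[num]
        offsets[num] = sum(map(len, out))
        out.append(b"%d 0 obj\n%s\n" % (num, emit(kept, renumber)))
        if stream is not None:
            out.append(b"stream\n" + stream + b"\nendstream\n")
        out.append(b"endobj\n")
    xref_at, size = sum(map(len, out)), len(rebuilt) + 1
    out.append(b"xref\n0 %d\n0000000000 65535 f \n" % size)
    out.extend(b"%010d 00000 n \n" % offsets[n] for n in sorted(rebuilt))
    out.append(b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (size, xref_at))
    return b"".join(out)
```

Two design points matter. The copy is built by walking from /Root and emitting a fresh xref table and trailer, so nothing of the original file structure is passed through: the original cross-reference table, the /OpenAction and /AA keys, and the JavaScript object that only they referenced are all absent from the output. The allowlist is also per object type: an embedded-file stream carries a /Type that is not on the list, so it becomes an empty dictionary rather than being copied, and a font program is never reached because /FontDescriptor is not on the /Font allowlist. A production rebuilder would apply the same per-type allowlists to inline dictionaries (here /Resources is copied as-is), decode and re-encode filtered streams instead of copying them verbatim, and, for the strongest form of reconstruction, re-render each page to an image.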


At the endpoint, Symantec has added its Network Threat Protection technology to the Mac version of Symantec Endpoint Protection 12.1.4. Many Mac users think they're impervious to attacks and as a result don't take security seriously, which makes them a potential goldmine for targeted attackers. Network Threat Protection intercepts incoming network traffic before it can reach the vulnerable application on your Mac, looking for targeted attack exploits and blocking them automatically. It uses a patented, application-level, protocol-aware Intrusion Prevention System: because it decodes the application protocol rather than matching raw packet bytes, it can identify and block not only known attacks but also many unknown, zero-day attacks.


Symantec’s Targeted Attack Protection Powered by Unmatched Expertise, Global Intelligence
In addition to these new innovative technologies, Symantec’s security solutions are powered by the Symantec Global Intelligence Network (GIN) and a team of more than 550 researchers around the world. Symantec’s GIN platform collects anonymous telemetry from Symantec’s hundreds of millions of customers and sensors around the clock. Symantec uses this data – more than 2.5 trillion rows of security telemetry – to automatically discover new attacks, and monitor attacker networks. We also use this data to develop predictive, proactive protection technologies, such as Symantec’s Insight reputation technology, for our gateway, endpoint and data center offerings. Simply put, our expertise and global intelligence and visibility bring unmatched targeted attack protection for our customers.


Symantec’s Innovative Approach to Securing the Gateway
Symantec offers a number of different messaging protection options for customers, each with advanced targeted attack protection. In addition to Symantec Messaging Gateway, which is an on-premise solution, Symantec also offers proactive targeted attack email protection via our Email Security.cloud service. This innovative, hosted service automatically filters all of your inbound and outbound email without requiring you to deploy any software or hardware in your network. Email Security.cloud offers highly advanced targeted attack protection using a number of technologies, like SKEPTIC and Real-Time Link Following.


SKEPTIC uses thousands of extremely sensitive sensors to scrutinize every email and email attachment entering or leaving your network, preventing tens of thousands of confirmed targeted attack attempts every year. SKEPTIC is used in conjunction with Email Security.cloud's link-following technology. This system automatically connects to suspicious URLs embedded in emails to see where they lead. Should a link lead to a targeted attack site that attempts to compromise the email recipient's computer, the email is automatically blocked. This URL validation happens in real time, before the email is delivered to the recipient, so that the recipient is protected rather than the administrator simply being informed after the fact.


Of course targeted attackers will try every attack vector at their disposal. Often, these attackers will contact your employees through social networks (visited via the web browser) and use this to infiltrate their machines, and subsequently your network. Symantec Web Gateway (SWG), a product that monitors all inbound and outbound web traffic, is designed to detect and block targeted attacks. SWG now leverages our patented Symantec Insight technology to automatically discover "low-reputation" files and block them before they can reach your users. Insight leverages the anonymous software adoption patterns of Symantec's hundreds of millions of customers to automatically discover and assign a security classification to every software file, good or bad, that it sees. It essentially uses the "wisdom of the crowds" to learn which software is trusted by users across the world, and which software is avoided or has never been seen before. Since targeted attackers use mutated and custom-crafted malware to evade traditional virus fingerprints, heuristics, emulators and Virtual Execution (VX) systems, reputation technology like Insight is among the few known ways to identify and block these attacks.


Symantec’s Unique Technologies Protecting the Endpoint
To protect your PCs and laptops against targeted attacks, Symantec Endpoint Protection includes powerful technologies such as Network Threat Protection, Insight and SONAR. Network Threat Protection analyzes incoming network data before it is processed by the user's machine. As such, it can block inbound targeted attacks before they have a chance to interact with the user or with vulnerable software on machines in your network. Symantec Endpoint Protection uses Symantec Insight to automatically block inbound software files that have a low reputation (this is the product's default blocking policy). Finally, our patented SONAR technology monitors the behavior of all software running on protected endpoints, analyzing each application's behavior in real time as it runs to identify software that behaves like a targeted attack. In the last year, more than 50 percent of all threats stopped by Symantec were stopped by these three proactive, non-signature-based technologies.
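The protocol-aware inspection that Network Threat Protection is described as performing, here and in the Mac paragraph earlier, can be illustrated with an added example that is not Symantec's engine and not code from the original post. It runs three levels of inspection over the same constructed HTTP request: per-packet byte signatures, stream reassembly, and parsing the protocol so that rules apply to decoded fields and protocol limits rather than raw bytes. The segments, signatures, header limit and function names are assumptions for illustration.

```python
# Why an IPS needs to be protocol-aware: a hypothetical example, not a real engine.
from urllib.parse import unquote

# Constructed TCP segments of one HTTP request. The traversal is percent-encoded and a
# string a signature might look for is split across segments; the User-Agent header is
# grossly oversized, the shape of many overflow attempts for which no signature exists.
SEGMENTS = [
    b"GET /files/..%2f..%2f..%2fet",
    b"c/passwd HTTP/1.1\r\nHost: example.test\r\n",
    b"User-Agent: " + b"A" * 4096 + b"\r\n\r\n",
]
SIGNATURES = (b"/../", b"etc/passwd")  # assumed byte patterns a naive scanner would carry
HEADER_LIMIT = 1024  # assumed sanity bound; a vulnerability-based rule uses the target's real limit

def signature_scan(chunks, signatures=SIGNATURES):
    """Byte-pattern matching per chunk; returns (chunk index, signature) for every hit."""
    return [(i, s) for i, chunk in enumerate(chunks) for s in signatures if s in chunk]

def parse_http_request(stream):
    """Minimal HTTP/1.x request parser: (method, target, version, headers, body)."""
    head, _, body = stream.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body

def normalize_path(target):
    """Decode the request target the way a lenient server would, until it stops changing,
    so single and double percent-encoding collapse to the same path before matching."""
    path = target.split(b"?", 1)[0].decode("latin-1")
    while True:
        decoded = unquote(path)
        if decoded == path:
            return path
        path = decoded

def protocol_aware_inspect(segments):
    """Reassemble, parse, normalise, then apply rules to fields instead of bytes."""
    stream = b"".join(segments)  # in-order reassembly; a real IPS also handles overlaps/retransmits
    method, target, version, headers, body = parse_http_request(stream)
    alerts = []
    path = normalize_path(target)
    if ".." in path.split("/"):  # known attack pattern, visible only after decoding
        alerts.append("path traversal in decoded target: %s" % path)
    for name, value in headers.items():  # protocol anomaly: fires on unknown payloads too
        if len(value) > HEADER_LIMIT:
            alerts.append("oversized %s header: %d bytes" % (name.decode("latin-1"), len(value)))
    return alerts
```

The last rule is the one that reaches unknown attacks: it says nothing about the payload, only that a header this long violates what the protected application can handle, so it fires on any overflow attempt against that field, including one no signature has been written for. The price is that the limit has to be derived from the actual application, and that normalisation must mirror how the target decodes its input, or the attacker simply encodes around it.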


Symantec’s Solution to Protect the Physical and Virtual Data Center
Finally, Symantec also protects your critical assets and information in the data center. Symantec offers Symantec Critical System Protection (CSP), a server lockdown solution designed to protect both physical and virtual infrastructure. You can install and configure CSP so that it only allows known-legitimate activities on your servers and blocks all other (anomalous) activities. If a targeted attacker does compromise a server, they must, by definition, perform activities that deviate from the norm in order to access sensitive data on the machine or elsewhere in the data center. CSP detects and blocks those deviations, stopping the attack automatically. Only your approved software programs are allowed to run, and those programs are only allowed to perform approved behaviors, access approved resources, and so on.


Symantec works around the clock to secure our customers from targeted attacks. As you’ve read, we already have a comprehensive portfolio of targeted attack defenses. And we’re raising the bar every day. Our innovative new Disarm technology for Symantec Messaging Gateway and the addition of Network Threat Protection (application and protocol-aware IPS) to our Symantec Endpoint Protection for Mac product are just the latest additions to our industry-leading protection technologies.