Date post: 16-Apr-2020
Page 1: Adding Security Intelligence to Your Existing Solutions ...vox.veritas.com/legacyfs/online/veritasdata/SR B16.pdf · Adding Security Intelligence to Your Existing Solutions for Enhanced

Adding Security Intelligence to Your Existing Solutions for Enhanced Protection

Al Cooley Director of Product Management, DeepSight

Page 2

SYMANTEC VISION 2012

Forward Looking Statements

This information is about pre-release software. Any unreleased update to the product or other planned modification is subject to ongoing evaluation by Symantec and therefore subject to change. This information is provided without warranty of any kind, express or implied. Customers who purchase Symantec products should make their purchase decision based upon features that are currently available.

Symantec Confidential: DeepSight Roadmap: May 2013 2

Page 3

Agenda

Adding Security Intelligence to Solutions - Attendee Internal Use Only 3

1. Changing Strategies for Changing Times

2. Security Intelligence from Symantec

3. Applying Security Intelligence

4. Integrating Security Intelligence

5. Security Intelligence Enabled Solutions

Page 4

Cyber Attacks Continue to Intensify

Source: Symantec Internet Security Threat Report

Page 5

While the Threat Landscape Becomes More Chaotic

Source: Symantec Internet Security Threat Report

• Simplicity vs. Sophistication: while the sophistication of attacks increases, many exploit basic security gaps

• Hide and Seek: stealth remains a priority

• Ease of Exploit: 66% of web attacks, growing 93%/year, are attributable to attack kits

• Increased Velocity of exploitation

“Sophisticated Attacks, Complex IT Environments and Increased Risks Demand New Approaches to Infrastructure Protection”

- Gartner Predicts 2012

Page 6

Traditional Techniques are Necessary but Insufficient

Needs, by technique:

• Network Security: Reduce Evasion; Improve Zero-Day Effectiveness

• Patch Management Processes: Improve Timeliness

• Correlation Technologies: Reduce False Positives & Misses

• Internal Threat Research: Reduce Skill and Time Demands; Improve Timeliness; Increase Quality and Depth

• Risk Management: Improve Data; Improve Timeliness

Page 7

Requiring a New Approach

Intelligence Driven Security: Create an information-based decision making and response advantage

More proactive

More effective

More efficient

Information Insight Action

Timely Tailored

Page 8

Security Intelligence from Symantec

• Market leader based upon ability to:

– Deliver a broad range of intelligence

– With the highest quality

– In a format tailored to your strategy

– In a timely manner

– With context to tailor its application

– Consistently

• DeepSight security intelligence business established in 2003

• Strong focus on innovation

• Serves customers in virtually all verticals

• Serves customers in over 50 countries

Symantec DeepSight Ranked Top Threat Intelligence Solution

- IDC Worldwide and U.S. Security Services Threat Intelligence 2011-2014 Forecast

Page 9

Powered by Symantec’s Global Intelligence Network

Identifies more threats, takes action faster & prevents impact

Information Protection Preemptive Security Alerts Threat Triggered Actions

Global Scope and Scale Worldwide Coverage 24x7 Event Logging

Rapid Detection

• Attack Activity: 240,000 sensors; 200+ countries

• Malware Intelligence: >135M client, server, gateways monitored; Global coverage

• Vulnerabilities: 45,000+ vulnerabilities; 15,000 vendors; 105,000 technologies

• Spam/Phishing: 5M decoy accounts; 8B+ email messages/day; 1B+ web requests/day

Austin, TX Mountain View, CA Culver City, CA

San Francisco, CA

Taipei, Taiwan

Tokyo, Japan

Dublin, Ireland Calgary, Alberta

Chengdu, China

Chennai, India Pune, India


Page 10

Intelligence Feeds

Hosted Intelligence

Attack Quarantine System

Endpoints

Gateways

3rd Party Affiliates

Global Sensor Network

Global Intelligence Network

Global Data Collection

Big Data Analytics

DeepSight Delivery Models

DeepSight

DeepSight FY13 Plan - Symantec Confidential

Honeypots Analytics

Warehouse

Security Response Analysts

Page 11

DeepSight Portal Provides Real-time Information and Insight Across the Entire Threat Management Lifecycle

• Malicious code

• Vulnerabilities

• Brand abuse

• Bad actors

• Spam

• Adware

• Phishing

• Targeted attacks

• Trends


Prevention Remediation

• Real-Time Analysis: Analyst Watch List; Analyst Journal; Alerts: Vul, Threat…; Daily Report; …

• Tools: Port Lookup; Susp File Search; Malcode Statistics; Offender Research; …

• Unusual Activity/Threats: Analyst Watch List; Events on the Rise; Top Outbreaks; Top Offenders; …

• In-Depth Expert Analysis: Research Reports; Threat Analysis; Honeynet Analysis; Wkly/Mnt Summary; …

Filtered for Your Needs: Technologies, Type, Severity, Industry, Date, …

Page 12

One Example of How Customers Apply DeepSight Early Warning Services

1. DeepSight Intelligence: Alert for severe, new vulnerability in critical platform for customer
   Action: Important – determine which systems are affected

2. DeepSight Intelligence: Alert that exploit for vulnerability is now available & being used by attackers
   Action: Urgent - update IPS immediately, change firewall rules if possible, implement any work-arounds

3. DeepSight Intelligence: Alert that vendor patch for vulnerability is now available for download & install
   Action: Critical - deploy patch after basic testing to mitigate risk of exploitation

4. DeepSight Intelligence: Alert that vulnerability found to affect more versions of the same platform
   Action: Expand patch / work-around deployment to additionally affected systems

Page 13

Integrating Security Intelligence

Applying Security Intelligence

• Improved security

• Reduced operational costs

Integrating Security Intelligence

Page 14

DeepSight DataFeed Portfolio

• Real time, actionable intelligence

• Delivered as XML formatted files for easy integration with enterprise systems

• DeepSight IP Reputation DataFeed
  – Most malicious IP addresses
  – Type of malicious activity and hostility/confidence ratings

• DeepSight D-URL Reputation DataFeed
  – Domains, full path URLs participating in malicious activity
  – Types of malicious activity and hostility/confidence ratings

• DeepSight Security Risk DataFeed
  – Adware, spyware, and malicious code intelligence
  – Threat prevalence/risk ratings, disinfection and mitigation strategies

• DeepSight SCAP Vulnerability DataFeed
  – Vulnerability information
  – Urgency/severity ratings, mitigation guidance, impact analysis and links to patches

Page 15

Realizing Greater SIEM Value Through Integrated Security Intelligence

Symantec DeepSight Drives:

• Advanced detection capabilities

• Accuracy with lower false positives

• Quicker response time

• Operational efficiency

• Situational awareness

Page 16

DeepSight Customer SIEM Use Cases

1. IP and URL Reputation

2. Vulnerability DataFeed

3. Security Risk

4. Portal

• Detect outbound communication with bad actors with high confidence

• Correlate inbound events with reputation to decrease false positives

• Correlate SCAP vulnerability data from scanner with suspected malicious event and dispatch DeepSight based description and remediation

• Use signature from malware event to look up & present comprehensive profile

• Provide situational awareness to improve analyst ability to identify and respond
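
The two reputation use cases above (high-confidence outbound detection, and inbound correlation to cut false positives), sketched as an added example that is not from the slides or from Symantec. The XML element and attribute names, the 1-10 rating scale, the threshold, the internal network range and the events are all constructed assumptions; the deck does not show the DataFeed schema.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed feed sample. Element and attribute names are hypothetical,
# NOT the DeepSight schema; ratings use an assumed 1-10 scale.
FEED_XML = """<reputation>
  <ip addr="203.0.113.7" hostility="9" confidence="9" activity="cnc"/>
  <ip addr="198.51.100.23" hostility="6" confidence="3" activity="spam"/>
  <ip addr="203.0.113.99" hostility="8" confidence="8" activity="attack"/>
</reputation>"""

# Constructed SIEM events: (event_id, log source, src_ip, dst_ip)
EVENTS = [
    ("e1", "firewall", "10.1.4.20", "203.0.113.7"),    # outbound, high-confidence entry
    ("e2", "firewall", "10.1.4.21", "198.51.100.23"),  # outbound, low-confidence entry
    ("e3", "ids", "203.0.113.99", "10.1.9.5"),         # inbound IDS hit, listed source
    ("e4", "ids", "192.0.2.50", "10.1.9.5"),           # inbound IDS hit, unlisted source
    ("e5", "firewall", "10.1.4.22", "192.0.2.80"),     # outbound, unlisted destination
]

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space
MIN_CONFIDENCE = 7                             # assumed alerting threshold


def load_feed(xml_text):
    """Index feed entries by parsed IP address."""
    feed = {}
    for el in ET.fromstring(xml_text).iter("ip"):
        feed[ipaddress.ip_address(el.get("addr"))] = {
            "hostility": int(el.get("hostility")),
            "confidence": int(el.get("confidence")),
            "activity": el.get("activity"),
        }
    return feed


def correlate(events, feed):
    """Return {event_id: verdict} for the two reputation use cases."""
    verdicts = {}
    for event_id, _source, src, dst in events:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        outbound = src_ip in INTERNAL and dst_ip not in INTERNAL
        # Look up the external party: destination if outbound, else the source.
        rep = feed.get(dst_ip if outbound else src_ip)
        trusted = rep is not None and rep["confidence"] >= MIN_CONFIDENCE
        if outbound:
            # Use case 1: alert only on high-confidence bad destinations.
            verdicts[event_id] = f"alert:{rep['activity']}" if trusted else (
                "watch" if rep else "ignore")
        else:
            # Use case 2: reputation raises or lowers inbound event priority.
            verdicts[event_id] = "escalate" if trusted else "low-priority"
    return verdicts


if __name__ == "__main__":
    for eid, verdict in correlate(EVENTS, load_feed(FEED_XML)).items():
        print(eid, verdict)
```

Gating on the confidence rating rather than mere list membership is what keeps the low-confidence entry (e2) from paging an analyst while still leaving it visible for review.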

Page 17

DeepSight Enabling SIEMs - Examples

Real-time identification of suspicious activity in ArcSight

Multi-event correlation and ticket dispatch in Symantec SIM

Page 18

Intelligence Enabled SIEM Case Study

Customer:

• Multinational enterprise with numerous branch locations

• IT systems core to revenue generation; common attack target

• Highly distributed environment increases security challenge

Intelligence:

• DeepSight IP, DURL Reputation DataFeeds and Early Warning System

• ArcSight used for event monitoring and correlation

Need:

• Identify suspicious communication

• Improve event correlation

• Block known bad destinations at the perimeter

Page 19

Improving Governance, Risk and Compliance with Integrated Security Intelligence

Symantec DeepSight Drives:

• Risk reduction through enhanced identification and management

• Simplified compliance and reduced exceptions

• Optimized policies

• Operational efficiency

Page 20

DeepSight Customer GRC Use Cases

1. Vulnerability DataFeed

2. Security Risk DataFeed

3. Portal

• Identify and prioritize new risks to applications and business processes

• Notify system owners with the ability to patch of corporate policy requirements

• Notify at-risk system owners of new malicious code and mitigation

• Provide insight into the effect of policy violations on business process risk

• Provide proactive situational awareness to proactively adjust policies

Page 21

Intelligence Enabled GRC Case Study

Customer:

• Financial sector
  – Fortune 500 company
  – High profile; IT systems core to business

Intelligence:

• DeepSight Security Risk Datafeed

• DeepSight Vulnerability Datafeed
  – Archer RSA used for IT GRC

Need:

• Enables improved determination of risk associated with applications in primary business processes

• Enables proactive actions to be directed to system owners using Archer as the framework for discussion

• Support system and process owners with information that supports risk-reduction activities with fewer resources

Page 22

Leveraging Security Intelligence Enabled Solutions

• More tailored

• More efficient

Applying Security Intelligence

Security Intelligence Enabled Solutions

Integrating Security Intelligence

Page 23

Security Intelligence is Key to Delivering Advanced Managed Security Services

“Threat Intelligence and Event Correlation are Key Differentiators”

- The Forrester Wave: MSS Q1, 2012

Symantec DeepSight Drives:

• Improve detection

• Increase accuracy and reduce false positives

• Speed incident handling

• Enable proactive protection against emerging threats

Page 24

Security Intelligence in Symantec Managed Services

• IP and URL reputation data feed incident detection engine
  – Improves detection
  – Reduces false positives
  – Speeds incident handling

• DeepSight EWS portal provides analysts situational awareness
  – Alerts ensure awareness of new and emerging threats
  – Information to proactively develop new signatures

• Portal also available to customers

Firewalls IPSs Web Gateways

DeepSight Portal

New Signatures Detection

Engine IP and URL Reputation

Analyst

Ticket

… …

Page 25

Security Intelligence Supports Risk-Based Authentication

Symantec DeepSight Drives:

• Superior Protection

• Transparent User Experience

• Simple Integration

Page 26

Symantec™ VIP Intelligent Authentication Process

DeepSight IP Reputation DataFeed

Page 27

Numerous Other Leverage Points Exist

• Smart firewalls

• Web gateways

• Mail gateways

• Routers

• Patch management systems

• Network security monitoring systems

Malicious traffic identification and blocking with Lancope StealthWatch

Page 28

Summary

Intelligence Driven Security

Creates an information-based decision making and response advantage

• Improve effectiveness and efficiency

• Implement proactive preventive measures

Successfully implemented globally

• Proven effectiveness

• Rapid results

Strategies to accommodate all environments:

• Applied to existing systems and processes

• Integrated into key systems

Accelerating Countermeasure

Implementation Flexibility

Page 29

Thank you!

Copyright © 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

Al Cooley, Director of Product Management, DeepSight