Adding Security Intelligence to Your Existing Solutions for Enhanced Protection
Al Cooley Director of Product Management, DeepSight
SYMANTEC VISION 2012
Forward Looking Statements This information is about pre-release software. Any unreleased update to the product or other planned modification is subject to ongoing evaluation by Symantec and therefore subject to change. This information is provided without warranty of any kind, express or implied. Customers who purchase Symantec products should make their purchase decision based upon features that are currently available.
Symantec Confidential: DeepSight Roadmap: May 2013
Agenda
Adding Security Intelligence to Solutions - Attendee Internal Use Only 3
1. Changing Strategies for Changing Times
2. Security Intelligence from Symantec
3. Applying Security Intelligence
4. Integrating Security Intelligence
5. Security Intelligence Enabled Solutions
Cyber Attacks Continue to Intensify
Source: Symantec Internet Security Threat Report
While the Threat Landscape Becomes More Chaotic
Source: Symantec Internet Security Threat Report
• Simplicity vs. Sophistication: while the sophistication of attacks increases, many exploit basic security gaps
• Hide and Seek: stealth remains a priority
• Ease of Exploit: 66% of web attacks, growing 93%/year, are attributable to attack kits
• Increased velocity of exploitation
“Sophisticated Attacks, Complex IT Environments and Increased Risks Demand New Approaches to Infrastructure Protection”
- Gartner Predicts 2012
Traditional Techniques are Necessary but Insufficient
Needs, by existing technique:
• Network Security: reduce evasion; improve zero-day effectiveness
• Patch Management Processes: improve timeliness
• Correlation Technologies: reduce false positives and misses
• Internal Threat Research: reduce skill and time demands; improve timeliness; increase quality and depth
• Risk Management: improve data; improve timeliness
Requiring a New Approach
Intelligence Driven Security: create an information-based decision making and response advantage
• More proactive
• More effective
• More efficient
Information, Insight, Action: timely and tailored
Security Intelligence from Symantec
• Market leader based upon ability to:
– Deliver a broad range of intelligence
– With the highest quality
– In a format tailored to your strategy
– In a timely manner
– With context to tailor its application
– Consistently
• DeepSight security intelligence business established in 2003
• Strong focus on innovation
• Serves customers in virtually all verticals
• Serves customers in over 50 countries
Symantec DeepSight ranked top threat intelligence solution - IDC Worldwide and U.S. Security Services Threat Intelligence 2011-2014 Forecast
Powered by Symantec’s Global Intelligence Network: identifies more threats, takes action faster and prevents impact
• Information Protection, Preemptive Security Alerts, Threat Triggered Actions
• Global scope and scale: worldwide coverage, 24x7 event logging, rapid detection
• Attack Activity: 240,000 sensors; 200+ countries
• Malware Intelligence: >135M clients, servers and gateways monitored; global coverage
• Vulnerabilities: 45,000+ vulnerabilities; 15,000 vendors; 105,000 technologies
• Spam/Phishing: 5M decoy accounts; 8B+ email messages/day; 1B+ web requests/day
Locations shown on the map: Austin, TX; Mountain View, CA; Culver City, CA; San Francisco, CA; Calgary, Alberta; Dublin, Ireland; Taipei, Taiwan; Tokyo, Japan; Chengdu, China; Chennai, India; Pune, India
Global Intelligence Network: from global data collection through big data analytics to DeepSight delivery
• Global Data Collection: Global Sensor Network (endpoints, gateways, 3rd party affiliates, honeypots) and Attack Quarantine System
• Big Data Analytics: analytics warehouse, models, Security Response analysts
• DeepSight Delivery: Intelligence Feeds and Hosted Intelligence
DeepSight FY13 Plan - Symantec Confidential
DeepSight Portal Provides Real-time Information and Insight Across the Entire Threat Management Lifecycle
• Malicious code
• Vulnerabilities
• Brand abuse
• Bad actors
• Spam
• Adware
• Phishing
• Targeted attacks
• Trends
Portal coverage spans prevention through remediation:
• Real-Time Analysis: Analyst Watch List, Analyst Journal, Alerts (vulnerability, threat, …), Daily Report, …
• Tools: Port Lookup, Suspicious File Search, Malcode Statistics, Offender Research, …
• Unusual Activity/Threats: Analyst Watch List, Events on the Rise, Top Outbreaks, Top Offenders, …
• In-Depth Expert Analysis: Research Reports, Threat Analysis, Honeynet Analysis, Weekly/Monthly Summary, …
• Filtered for your needs: technologies, type, severity, industry, date, …
One Example of How Customers Apply DeepSight Early Warning Services
DeepSight Intelligence and the resulting Action:
1. Alert for severe, new vulnerability in critical platform for customer. Action (Important): determine which systems are affected.
2. Alert that exploit for vulnerability is now available and being used by attackers. Action (Urgent): update IPS immediately, change firewall rules if possible, implement any work-arounds.
3. Alert that vendor patch for vulnerability is now available for download and install. Action (Critical): deploy patch after basic testing to mitigate risk of exploitation.
4. Alert that vulnerability found to affect more versions of the same platform. Action: expand patch / work-around deployment to additionally affected systems.
Integrating Security Intelligence
• Improved security
• Reduced operational costs
DeepSight DataFeed Portfolio
• Real time, actionable intelligence
• Delivered as XML formatted files for easy integration with enterprise systems
• DeepSight IP Reputation DataFeed
– Most malicious IP addresses
– Type of malicious activity and hostility/confidence ratings
• DeepSight D-URL Reputation DataFeed
– Domains and full-path URLs participating in malicious activity
– Types of malicious activity and hostility/confidence ratings
• DeepSight Security Risk DataFeed
– Adware, spyware, and malicious code intelligence
– Threat prevalence/risk ratings, disinfection and mitigation strategies
• DeepSight SCAP Vulnerability DataFeed
– Vulnerability information
– Urgency/severity ratings, mitigation guidance, impact analysis and links to patches
Realizing Greater SIEM Value Through Integrated Security Intelligence
Symantec DeepSight drives:
• Advanced detection capabilities
• Accuracy with lower false positives
• Quicker response time
• Operational efficiency
• Situational awareness
DeepSight Customer SIEM Use Cases
1. IP and URL Reputation DataFeeds
• Detect outbound communication with bad actors with high confidence
• Correlate inbound events with reputation to decrease false positives
2. Vulnerability DataFeed
• Correlate SCAP vulnerability data from scanner with suspected malicious event and dispatch DeepSight-based description and remediation
3. Security Risk DataFeed
• Use signature from malware event to look up and present comprehensive profile
4. Portal
• Provide situational awareness to improve analyst ability to identify and respond
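The first SIEM use case (flag outbound traffic to listed bad actors only when the feed's confidence is high, and use reputation to re-prioritise inbound IDS events) as an added Python example. This is illustration written for this page, not DeepSight code, and the XML element names, the 1-10 hostility/confidence scales, the internal address ranges and the firewall/IDS events are all assumptions constructed for the example rather than the real DataFeed schema.

```python
"""Correlating an IP reputation feed with SIEM events.

Added illustration, not DeepSight code. The XML layout, the 1-10 hostility and
confidence scales, the internal address ranges and the events are assumptions
constructed for this example.
"""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed feed. The last entry is deliberately malformed to show the parser skipping it.
REPUTATION_FEED_XML = """
<ipreputation>
  <entry ip="203.0.113.10" activity="bot" hostility="9" confidence="8"/>
  <entry ip="198.51.100.7" activity="attack" hostility="7" confidence="9"/>
  <entry ip="198.51.100.200" activity="phish" hostility="5" confidence="3"/>
  <entry ip="not-an-address" activity="bot" hostility="9" confidence="9"/>
</ipreputation>
"""


@dataclass(frozen=True)
class Reputation:
    activity: str
    hostility: int   # how harmful the listed host is (assumed 1-10 scale)
    confidence: int  # how sure the feed is about the listing (assumed 1-10 scale)


def parse_feed(xml_text):
    """Parse the feed into {ip: Reputation}; malformed entries are skipped, not fatal."""
    feed = {}
    for entry in ET.fromstring(xml_text).iter("entry"):
        try:
            ip = str(ipaddress.ip_address(entry.get("ip")))
            rep = Reputation(entry.get("activity", "unknown"),
                             int(entry.get("hostility")), int(entry.get("confidence")))
        except (ValueError, TypeError):
            continue
        feed[ip] = rep
    return feed


# Assumed internal ranges; a real deployment takes these from the SIEM's network model.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


# Constructed firewall ("fw") and IDS ("ids") events; "base" is the IDS's own priority.
SAMPLE_EVENTS = [
    {"kind": "fw", "src": "10.1.2.3", "dst": "203.0.113.10", "dport": 443},
    {"kind": "fw", "src": "10.1.2.9", "dst": "198.51.100.200", "dport": 80},
    {"kind": "ids", "src": "198.51.100.7", "dst": "10.1.2.3", "sig": "SQLi", "base": 3},
    {"kind": "ids", "src": "192.0.2.55", "dst": "10.1.2.3", "sig": "SQLi", "base": 3},
    {"kind": "fw", "src": "10.1.2.3", "dst": "192.0.2.9", "dport": 443},
]


def correlate(events, feed, min_confidence=7):
    """Return (event, verdict, priority) triples, highest priority first.

    Outbound connections to a listed address are flagged only when the feed's
    confidence meets min_confidence, so low-confidence listings do not page anyone.
    Inbound IDS events keep their base priority and gain the source's hostility when
    the source is listed; unlisted sources stay at base priority.
    """
    findings = []
    for ev in events:
        if ev["kind"] == "fw" and is_internal(ev["src"]) and not is_internal(ev["dst"]):
            rep = feed.get(ev["dst"])
            if rep and rep.confidence >= min_confidence:
                findings.append((ev, f"outbound to known {rep.activity} host", rep.hostility))
        elif ev["kind"] == "ids" and not is_internal(ev["src"]):
            rep = feed.get(ev["src"])
            verdict = "inbound from listed source" if rep else "inbound from unlisted source"
            findings.append((ev, verdict, ev["base"] + (rep.hostility if rep else 0)))
    findings.sort(key=lambda f: f[2], reverse=True)
    return findings


if __name__ == "__main__":
    for ev, verdict, prio in correlate(SAMPLE_EVENTS, parse_feed(REPUTATION_FEED_XML)):
        print(prio, verdict, ev)
```

Two practitioner notes: a vendor feed is untrusted input, so a production integration should parse it with a hardened XML parser (for example defusedxml) rather than the stdlib module used here; and the same structure serves a URL reputation feed, keyed on a normalised host or host-plus-path instead of an address.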
DeepSight Enabling SIEMs - Examples
• Real-time identification of suspicious activity in ArcSight
• Multi-event correlation and ticket dispatch in Symantec SIM
Intelligence Enabled SIEM Case Study
Customer: Multinational enterprise with numerous branch locations
• IT systems core to revenue generation; common attack target
• Highly distributed environment increases security challenge
• ArcSight used for event monitoring and correlation
Intelligence: DeepSight IP and D-URL Reputation DataFeeds and Early Warning System
Need:
• Identify suspicious communication
• Improve event correlation
• Block known bad destinations at the perimeter
Improving Governance, Risk and Compliance with Integrated Security Intelligence
Symantec DeepSight drives:
• Risk reduction through enhanced identification and management
• Simplified compliance and reduced exceptions
• Optimized policies
• Operational efficiency
DeepSight Customer GRC Use Cases
1. Vulnerability DataFeed
• Identify and prioritize new risks to applications and business processes
• Notify the system owners who are able to patch of corporate policy requirements
2. Security Risk DataFeed
• Notify at-risk system owners of new malicious code and its mitigation
3. Portal
• Provide insight into the effect of policy violations on business process risk
• Provide situational awareness so policies can be adjusted proactively
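The vulnerability-feed GRC use case above (prioritise new risks by application and business process, then notify the owners who can act) and the earlier early-warning workflow (alert, then patch or work-around, then widen the deployment when more versions turn out to be affected), as one added Python example. This is written for this page and is not Symantec's or the deck's code; the feed records, the asset inventory, the 1-10 urgency scale, the product names and the dotted version scheme are constructed assumptions, not the SCAP Vulnerability DataFeed schema (which identifies platforms with CPE names rather than the product/version pairs used here).

```python
"""Prioritising vulnerability-feed entries against an asset inventory.

Added illustration, not DeepSight code. Feed records, assets, the urgency scale
and the version scheme are constructed for this example.
"""
from collections import defaultdict

# Constructed feed. "affected_max" is the highest affected version (inclusive);
# "patched_in" is the first fixed version, or None when no vendor patch exists yet.
VULN_FEED = [
    {"id": "SAMPLE-1", "product": "webfront", "affected_max": "2.4.1", "patched_in": "2.4.2",
     "urgency": 9, "exploit_public": True},
    {"id": "SAMPLE-2", "product": "dbcore", "affected_max": "11.0", "patched_in": None,
     "urgency": 6, "exploit_public": False, "workaround": "disable remote admin listener"},
    {"id": "SAMPLE-3", "product": "webfront", "affected_max": "1.9", "patched_in": "2.0",
     "urgency": 4, "exploit_public": False},
]

# Constructed inventory: who owns the host, which business process it serves,
# and how critical that process is (assumed 1-5 scale).
ASSETS = [
    {"host": "web01", "product": "webfront", "version": "2.4.1", "owner": "web-team",
     "process": "online-orders", "criticality": 5},
    {"host": "web02", "product": "webfront", "version": "2.4.2", "owner": "web-team",
     "process": "online-orders", "criticality": 5},
    {"host": "db01", "product": "dbcore", "version": "10.5", "owner": "dba-team",
     "process": "online-orders", "criticality": 5},
    {"host": "lab07", "product": "dbcore", "version": "10.5", "owner": "lab-team",
     "process": "test-lab", "criticality": 1},
]


def version_key(version):
    """Turn '2.10' into (2, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_affected(asset, vuln):
    return (asset["product"] == vuln["product"]
            and version_key(asset["version"]) <= version_key(vuln["affected_max"]))


def risk_score(asset, vuln):
    """Feed urgency weighted by business criticality, doubled once an exploit is public."""
    score = vuln["urgency"] * asset["criticality"]
    return score * 2 if vuln["exploit_public"] else score


def recommended_action(vuln):
    """Patch when the vendor has shipped one; otherwise fall back to the work-around."""
    if vuln["patched_in"]:
        return f"upgrade to {vuln['patched_in']}"
    return f"apply work-around: {vuln.get('workaround', 'see advisory')}"


def build_notifications(assets, feed):
    """Group affected hosts by system owner, highest risk first."""
    by_owner = defaultdict(list)
    for asset in assets:
        for vuln in feed:
            if is_affected(asset, vuln):
                by_owner[asset["owner"]].append({
                    "host": asset["host"], "process": asset["process"], "vuln": vuln["id"],
                    "risk": risk_score(asset, vuln), "action": recommended_action(vuln)})
    for findings in by_owner.values():
        findings.sort(key=lambda f: f["risk"], reverse=True)
    return dict(by_owner)


def process_risk(notifications):
    """Total outstanding risk per business process, the view a GRC tool reports against."""
    totals = defaultdict(int)
    for findings in notifications.values():
        for finding in findings:
            totals[finding["process"]] += finding["risk"]
    return dict(totals)


if __name__ == "__main__":
    notes = build_notifications(ASSETS, VULN_FEED)
    for owner, findings in notes.items():
        print(owner, findings)
    print(process_risk(notes))
```

When the feed later reports that more versions are affected (step 4 of the early-warning workflow), re-running build_notifications with the updated affected_max is all that is needed to pull the newly affected hosts into their owners' queues. The version comparison is deliberately simple; real inventories carry vendor-specific version strings that need a proper comparator.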
Intelligence Enabled GRC Case Study
Customer: Financial sector, Fortune 500 company
– High profile; IT systems core to business
– RSA Archer used for IT GRC
Intelligence: DeepSight Security Risk DataFeed and DeepSight Vulnerability DataFeed
Need:
• Enable improved determination of the risk associated with applications in primary business processes
• Enable proactive actions to be directed to system owners, using Archer as the framework for discussion
• Support system and process owners with information that supports risk-reduction activities with fewer resources
Leveraging Security Intelligence Enabled Solutions
• More tailored
• More efficient
Security Intelligence is Key to Delivering Advanced Managed Security Services
“Threat Intelligence and Event Correlation are Key Differentiators” - The Forrester Wave: MSS Q1, 2012
Symantec DeepSight drives:
• Improved detection
• Increased accuracy and reduced false positives
• Faster incident handling
• Proactive protection against emerging threats
Security Intelligence in Symantec Managed Services
• IP and URL reputation DataFeeds feed the incident detection engine
– Improves detection
– Reduces false positives
– Speeds incident handling
• DeepSight EWS portal provides analysts situational awareness
– Alerts ensure awareness of new and emerging threats
– Information to proactively develop new signatures
• Portal also available to customers
Diagram elements: customer firewalls, IPSs and web gateways; detection engine with IP and URL reputation; new signatures; analyst; DeepSight Portal; ticket.
Security Intelligence Supports Risk-Based Authentication
Symantec DeepSight drives:
• Superior protection
• Transparent user experience
• Simple integration
Symantec™ VIP Intelligent Authentication Process
Diagram (process flow not recoverable from the page): the DeepSight IP Reputation DataFeed feeding the VIP Intelligent Authentication process.
Numerous Other Leverage Points Exist
• Smart firewalls
• Web gateways
• Mail gateways
• Routers
• Patch management systems
• Network security monitoring systems
• …
Example: malicious traffic identification and blocking with Lancope StealthWatch
Summary
Intelligence Driven Security creates an information-based decision making and response advantage:
• Improve effectiveness and efficiency
• Implement proactive preventive measures
Accelerating countermeasures; successfully implemented globally:
• Proven effectiveness
• Rapid results
Implementation flexibility; strategies to accommodate all environments:
• Applied to existing systems and processes
• Integrated into key systems
Thank you!
Copyright © 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Al Cooley Director of Product Management, DeepSight [email protected]