
Symantec Ubiquity

Date post: 20-Jun-2015
Upload: symantec
Description:
Symantec Ubiquity is an award-winning, next generation security technology that is built on community-based reputation for fighting evolving malware. A result of more than four years of development, Ubiquity enables Symantec to harness the anonymous software usage patterns of more than 100 million Symantec customer computers, and deliver protection against micro-distributed, mutating threats, that would otherwise completely evade traditional security solutions.
Transcript
Page 1: Symantec Ubiquity

Symantec Ubiquity


September 2010

Page 2: Symantec Ubiquity

The Problem

A quick look at Cyber security 2009 by the numbers

– 12 new 0day vulnerabilities

– 14 new public SCADA vulnerabilities

– 321 browser plug-in vulnerabilities

– 4,501 new vulnerabilities

– 17,432 new bot C&C servers

– 30,000 domains hosting malware

– 59,526 phishing hosts

– 2,895,802 new AV signatures

– 6,798,338 bot infected computers


240,000,000 million new malware variants

3,200,000,000 attacks blocked by Symantec in 2009

In the time it takes to give this presentation, we will block more than 540,000 attacks!


Page 3: Symantec Ubiquity

The Problem

Protection is a constant challenge

• As we improve and innovate our technologies, malware authors adapt and innovate too

• Their techniques are easy – exploit, encrypt, deploy and repeat

Like a game of cat and mouse…

Page 4: Symantec Ubiquity

The Problem

Malware authors have switched tactics

From:

A mass distribution of relatively few threats, e.g.

Storm made its way onto millions of machines across the globe

To:

A micro-distribution model, e.g.

The average Vundo variant is distributed to 18 Symantec users!

The average Harakit variant is distributed to 1.6 Symantec users!


240M+ distinct new threats discovered last year!

What are the odds a security vendor will discover all these threats? If you don’t know about it, how do you protect against it?

Page 5: Symantec Ubiquity

The Problem

Millions of file variants (good and bad)

• So imagine that we know:

– about every file in the world today…

– and how many copies of each exist

– and which files are good and which are bad

• Now let’s order them by prevalence with

– Bad on left

– Good on the right


Page 6: Symantec Ubiquity

The Problem

No Existing Protection Addresses the “Long Tail”

Today, both good and bad software obey a long-tail distribution.

[Figure: prevalence of bad files (left) and good files (right). Labels: “Blacklisting works well here.” “Whitelisting works well here.” “For this long tail a new technique is needed.”]

Unfortunately neither technique works well for the tens of millions of files with low prevalence. (But this is precisely where the majority of today’s malware falls)

Page 7: Symantec Ubiquity

Traditional, signature-based detections just can’t keep up

Page 8: Symantec Ubiquity

We need something different


Page 9: Symantec Ubiquity

Ubiquity is something different


Page 10: Symantec Ubiquity

Ubiquity™: A revolutionary technology that provides safety ratings for every program on the Internet, based on the collective wisdom of Symantec's more than 100 million users.

Page 11: Symantec Ubiquity

How often has this file been downloaded?

Where is it from?

Have other users reported infections?

Is the source associated with infections?

How will this file behave if executed?

How old is the file?

How old is the source?

Is the source associated with SPAM?

Is the source associated with many new files?

Does the file look similar to malware?

Is the file associated with files that are linked to infections?

Who created it?

Does it have a security rating?

Is it signed?

What rights are required?

Who owns it?

Ubiquity

What does it do?


Page 12: Symantec Ubiquity

The Idea

Unique programs are almost always suspicious

You probably want to know if you are the first person to run a program or if the file was just created

Page 13: Symantec Ubiquity

Only malware mutates


Page 14: Symantec Ubiquity

Identify what is unique

Supplement with risk ratings

End up with a highly confident assessment


Page 15: Symantec Ubiquity

Ubiquity - How it works

[Diagram of five numbered steps. Step labels: Build a collection network (1); Rate every file on every client; Assemble into a DB and data mine; Serve the rankings during scans; Provide actionable data (5). File attributes shown: Prevalence, Age, Source, Behavior, Associations.]

Page 16: Symantec Ubiquity

Not a replacement technology

It makes our other technologies more powerful

Exceptional Detection

Unmatched Accuracy

Ubiquity

Policies based on actual risk

Blazing Performance

Security based on real data

Why Ubiquity?


Page 17: Symantec Ubiquity

It blocks unknown malware

It ratchets up the “resolution” of our heuristics and behavior blocking

It kills targeted and mutated malware, once and for all

– Let’s see why…

Exceptional Detection

Detection


Page 18: Symantec Ubiquity

Spotting Unique Threats

Hackers mutate threats to evade fingerprints

In context, mutated threats stick out like a sore thumb

It’s a catch-22 for the virus writers

– Mutate too much = Easily spotted

– Mutate too little = We’ve seen it before

Exceptional Detection


Page 19: Symantec Ubiquity

Blazing Performance

[Figure panels: Ubiquity; Traditional Scanning]

On a typical system, 80% of active applications can be skipped!

Page 20: Symantec Ubiquity

Users – Given the tools to make choices

Empower Users

Page 21: Symantec Ubiquity

Data Driven Policies

Policies based on actual risk

• Finance Dept: Only software with at least 10,000 users over 2 months old

• Help-desk employees can install medium-reputation software with at least 100 other users.

• Applications with a low reputation forbidden from accessing documents identified by DLP as containing financial data.
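
The three policies on this slide written as a fail-closed evaluator. This is an added example, not Symantec's code or API: the `Reputation` fields, the group names, the 60-day reading of "2 months", the "at least medium" reading of "medium-reputation" and the sample files are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

RANK = {"low": 0, "medium": 1, "high": 2}

@dataclass(frozen=True)
class Reputation:
    """Per-file record; the field names are assumptions, not a vendor schema."""
    users: int      # prevalence: distinct users seen with this file
    age_days: int   # days since the file was first seen anywhere
    rating: str     # "low", "medium" or "high"; anything else counts as low

# Install rules from the slide. "2 months" is taken as 60 days (assumption).
INSTALL_RULES = {
    "finance":  lambda r: r.users >= 10_000 and r.age_days > 60,
    "helpdesk": lambda r: RANK.get(r.rating, 0) >= RANK["medium"] and r.users >= 100,
}

def may_install(group: str, rep: Optional[Reputation]) -> bool:
    """Fail closed: unknown groups and never-seen (unique) files are denied."""
    rule = INSTALL_RULES.get(group)
    if rule is None or rep is None:
        return False
    return rule(rep)

def may_open(rep: Optional[Reputation], dlp_tags: set) -> bool:
    """Low-reputation or never-seen apps may not open DLP-tagged financial data."""
    if "financial" not in dlp_tags:
        return True
    return rep is not None and RANK.get(rep.rating, 0) > RANK["low"]

# Constructed sample files keyed by a placeholder name, not real hashes.
SAMPLES = {
    "office_suite":  Reputation(users=2_500_000, age_days=400, rating="high"),
    "niche_utility": Reputation(users=350, age_days=20, rating="medium"),
    "fresh_variant": Reputation(users=2, age_days=1, rating="low"),
    "never_seen":    None,
}

def decisions() -> dict:
    """Evaluate every sample under each policy for side-by-side comparison."""
    return {
        name: {
            "finance": may_install("finance", rep),
            "helpdesk": may_install("helpdesk", rep),
            "open_financial_doc": may_open(rep, {"financial"}),
        }
        for name, rep in SAMPLES.items()
    }

if __name__ == "__main__":
    for name, row in decisions().items():
        print(f"{name:14} {row}")
```

The `niche_utility` row shows why the thresholds differ per group: the same long-tail file is installable by the help desk but not by finance.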


Page 22: Symantec Ubiquity

Conclusion

Ubiquity Changes the Rules of the Game

• Amplifies the protection of our current technologies

• We no longer rely solely on traditional signatures

• Use data from tens of millions of users to automatically identify otherwise invisible malware

• Shifts the odds in our favor – attackers can no longer evade us by tweaking their threats

Page 23: Symantec Ubiquity

Conclusion

Where is Ubiquity in use today?

• Deploying into all our flagship products

– First used in blocking mode in the Norton 2010 products.

– Currently also used in Symantec Hosted Endpoint Protection

– Will soon be available in the Symantec Web Gateway product

– Will follow in others

• Is also used within Symantec back office systems

– To enrich and validate traditional malware analysis

– Fast tracks new malware detections

– Provides a safety check to further mitigate false positives


Page 24: Symantec Ubiquity

Conclusion

Results

– Ubiquity’s reputation database now contains accurate safety ratings on more than 1.5 billion good and bad executable files.

– New files are being discovered at the rate of 22 million each week.

– Ubiquity data confirms the original premise that malware today is largely micro-distributed – more than 75 percent of malware discovered by Ubiquity affects fewer than 50 Symantec users.

– Today Ubiquity serves an average of more than 45 billion application safety ratings every month for customers.

– Ubiquity was recently named the winner of the network security category in the 2010 Wall Street Journal Technology Innovation Awards

… and this is just the beginning!


Page 25: Symantec Ubiquity

Thank you!

Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
