[A warning. The software has not been
released yet, so some details may change.]
I recently previewed Symantec's still
unfinished new edition of its Endpoint
Protection product (SEP version 12.1) with a
number of other value added resellers and
consultants. The developers and product
managers wanted to know what we and our
customers wanted in a business desktop
security product.
In this issue of Horse Sense:
A Visit to Symantec
-Why is a new product needed?
-Tip: How to be safer now!
-Staying with the tried and true, using that
which is tested and is new
-Reputation is everything!
-Look beneath the surface with SONAR
-SEP 12.1 in a nutshell
-Help yourself by helping Symantec
-Thinking of you....
-Tip: For those who have the digital flu
already
Why is a new product needed?
Bad guys find new ways to attack us. Early
on, the threats we faced were simple and
splashy. They were easy to find and fix.
Newer threats tend to be quieter and use
multiple attack vectors. This is how some
criminals make their living and they can be
very aggressive, sneaky, and professional.
Subverting your computer and compromising
your trust can be very profitable. Good
security is all about making it harder for
the bad guys to profit off you. Antivirus
alone is not enough to protect you from the
newer threats. In addition, portable computer sales have outnumbered desktop sales for some time. The protection mechanisms we rely on inside our business networks simply are not there when we leave them. So we must better protect both the devices we carry with us and the ones we do not, because a laptop infected outside the office becomes a way to infect the business network when it is brought back in.
Social engineering, or using the human to
get through defenses, is used in many
attacks. Social engineers know we use our
search engines a lot to find things. So
they poison search engine results so their
own links will place within the top 10.
Merely clicking their link could expose you
to infection. Malware writers now can buy
inexpensive tool sets to make stealthy
malware. They can pay for access to already
infected machines to help spread their
malware far and wide with little chance of
having it traced back to them. Malware is often designed to steal e-mail addresses, user and system information, and logins and passwords, compromising the trustworthiness of your machine (and your trust as well). Malware writers also put control software on your machine so that they can direct thousands of machines at once, like a zombie army. Once a foothold is gained, further attack programs are often downloaded from the zombie network's servers.
New reasons to attack computers have emerged
like promoting a particular political
agenda, industrial espionage, and nation
state sponsored attacks and information
gathering. I believe Stuxnet to be a quite
potent example of a nation state attack.
Stuxnet was designed to cause a specific
brand of centrifuge used in nuclear
enrichment, primarily in Iran, to run out of
control and destroy itself. Symantec played
a critical role in dissecting this very
sophisticated malware. It was designed to
spread to computers on networks that were
not connected to the Internet. It is a
common security practice to isolate "secure"
machines and not let them have any access to
the Internet. Often, these machines do not
receive software updates or have
anti-malware protection. Stuxnet used human
beings carrying USB keys to bridge the gap,
kind of like malaria uses mosquitoes.
Stuxnet is a particularly terrifying new
breed of malware whose sophistication is
phenomenal:
<http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf>
Stuxnet shows that previously "safe"
environments like segregated networks,
medical equipment, isolated machine
controllers, and other devices are
vulnerable to attack. Imagine the wide
scale disruption in the US if all the stop
lights turned red at once....
Traditional antivirus alone could not stop something like Stuxnet. Newer malware evades signature detection by generating a fresh variant on demand: instead of seeing millions of copies of one program in the wild, traditional pattern matching antivirus sees millions of different programs, none of which matches a known signature. So, what is needed is a more
holistic approach to security. Current and
forthcoming versions of SEP use a range of
technologies to protect your computers.
However, many current installations are not
configured to use the full power of the
product because they have some features
turned off or they are not running the
latest edition of the client protection
software.
Tip: How to be safer now!
Make sure that not only are your definitions up to
date, but that all your security options are
turned on and that you have the latest
edition of the client software for your
machine. While antivirus signatures update
automatically with most manufacturers, you
must choose to update the client software
itself. Even without tuning the product for
performance, the current SEP 11.6200.x
client is three times faster than it was
when it was first released! Old software is
slower, less compatible, takes more
resources, and is more vulnerable to current
infections. Call us and have us help you.
It is like going to the doctor and getting a
tetanus booster shot.
Staying with the tried and true, using that
which is tested and is new
Many of the new protection
technologies in the SEP 12.1 corporate
product will be lifted from the Norton
consumer products. See the Horse Sense
newsletter #88 on our web site "Are You
Testing Software for Someone Else?" <http://www.ih-online.com/hs88.html>
for more information.
Pattern matching antivirus software still
works (surprise!) and catches many of the
infections still wandering around the
world. 350 million workstations prove it to
be a stable, high performance, cross
platform way of dealing with viruses. It updates via signature files, without any need to update the product itself.
Advanced general purpose scans using generic
signatures and malware heuristic signatures
are available to block newer threats. The
12.1 engine will be able to skip scans that
do not apply to a particular file type. It
will not scan the file at all if it knows it
is trustworthy or has already been scanned
by your current set of definitions. This so-called Scanless technology significantly lowers the impact of scanning on your system and dramatically shortens scan times. In addition, the new engine has been redesigned to use one fifth of the memory it needed before when scanning!
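To make the Scanless idea concrete, here is an added example (my own illustration, not Symantec's code, and not how their engine is built internally) of a scan cache that skips a file when it is on a trusted list or has already been scanned with the current definition set, and rescans it the moment either the file or the definitions change. The signature strings, file contents, definition version names and the "trusted" installer are all constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Constructed toy signature sets, keyed by a made-up definition version name.
TOY_SIGNATURES = {
    "defs-1001": [b"BAD-SAMPLE-MARKER"],
    "defs-1002": [b"BAD-SAMPLE-MARKER", b"NEWER-THREAT"],   # newer definitions catch more
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def signature_scan(path, defs_version):
    """Toy pattern matcher: 'malicious' if any signature byte string is present."""
    with open(path, "rb") as f:
        data = f.read()
    return "malicious" if any(sig in data for sig in TOY_SIGNATURES[defs_version]) else "clean"


class ScanCache:
    """Cache verdicts keyed by (content hash, definition version).

    Keying on the content hash rather than the path means a renamed file is still
    a hit and a modified file is always a miss; keying on the definition version
    means every non-trusted file is re-examined once new definitions arrive.
    """

    def __init__(self, trusted_hashes):
        self.trusted = set(trusted_hashes)   # known-good content, never scanned
        self.verdicts = {}
        self.scans_run = 0

    def scan(self, path, defs_version):
        digest = sha256_file(path)
        if digest in self.trusted:
            return "trusted-skip"
        key = (digest, defs_version)
        if key in self.verdicts:
            return self.verdicts[key]        # already scanned with these definitions
        self.scans_run += 1
        verdict = signature_scan(path, defs_version)
        self.verdicts[key] = verdict
        return verdict


def run_demo():
    """Builds a constructed file set and reports how many real scans each pass needed."""
    stats = {}
    with tempfile.TemporaryDirectory() as d:
        files = {
            "installer.exe": b"MZ" + b"\x00" * 64,          # will be on the trusted list
            "report.doc": b"quarterly numbers",
            "dropper.exe": b"MZ" + b"BAD-SAMPLE-MARKER",
            "update.exe": b"MZ" + b"NEWER-THREAT",          # only defs-1002 knows this one
        }
        paths = {}
        for name, content in files.items():
            paths[name] = os.path.join(d, name)
            with open(paths[name], "wb") as f:
                f.write(content)
        cache = ScanCache(trusted_hashes=[sha256_file(paths["installer.exe"])])

        def full_pass(defs):
            before = cache.scans_run
            verdicts = {n: cache.scan(p, defs) for n, p in paths.items()}
            return cache.scans_run - before, verdicts

        stats["first"], stats["first_verdicts"] = full_pass("defs-1001")        # 3 scans
        stats["repeat"], _ = full_pass("defs-1001")                              # 0 scans
        stats["new_defs"], stats["new_defs_verdicts"] = full_pass("defs-1002")  # 3 scans
        with open(paths["report.doc"], "ab") as f:
            f.write(b" (revised)")                                               # content changed
        stats["after_edit"], _ = full_pass("defs-1002")                          # 1 scan
    return stats


if __name__ == "__main__":
    print(run_demo())
```

Two things a practitioner should check before trusting any such cache: the key must also change when the scan engine itself is updated, not just the signature files, and the trusted list must be keyed on file content, because a trusted entry that an attacker can satisfy (for instance by replacing the file at a whitelisted path) is a clean bypass of scanning altogether.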
Unfortunately, many people do not have
firewalls and intrusion protection on their
machines. Network threat protection can
stop malware before it even gets on to your
machine. In SEP 12.1, network traffic is
scanned against a signature database to show
what is harmful and what is not. New browser based protection guards against attacks delivered through the browser. It can block drive-by downloads (infections delivered just by visiting a compromised web site or by displaying an infected ad on a legitimate web site) and social engineering attacks like fake antivirus or fake music codecs. Good security has multiple
layers. Good security eliminates threats at
the earliest possible moment with the least
amount of effort. Exceptional security
integrates various individual security
methods together so they work
synergistically to provide the most amount
of protection with the least amount of
effort. SEP 11 is such a product and SEP
12.1 should be even better.
Reputation is everything!
Building on the 64 million users
who contribute information about what they
are running to Symantec via Norton products,
Symantec has built a reputation based system
into SEP 12.1. Reputation relies on
analyzing what your neighbors are doing.
There will be some known safe software.
But there will also be software running on machines that is not known to be safe. How do we know whether a piece of software we want to run is safe, especially when malware makers are building customized infection packages? We obviously cannot simply whitelist or blacklist every program; there are too many of them out there. Instead, SEP 12.1, using its Insight component, collects information on your program and automatically compares it to a constantly updated database now numbering 250 million programs. Something
that is not in the database or has a low
incidence in the database should merit more
critical inspection. This allows for
tougher scans of possible malware without
triggering a false positive. You can also
save time and effort by not scanning files
known to be good. You can even set your own
risk tolerance. For example, you can be
conservative and say you want to lock out
all software that has not been used by at
least 10,000 users in the database for 2
months. You can also choose to allow
software to run with lower reputations, but
at least Insight will indicate the possible
danger.
Insight is particularly valuable when you
are doing behavior based blocking, or
relying on heuristics and generic blocks.
You have to be very careful that you do not
end up blocking a useful program.
Reputation combined with these other blocks
is a much more certain way of catching
suspect programs and of letting good ones
run.
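As an added illustration of how a reputation tier and a heuristic verdict can be combined (my own example; it is not Symantec's Insight code and the tiers, thresholds and weights are my assumptions, chosen to mirror the "10,000 users for 2 months" policy above), the following decides what to do with a file given its prevalence, how long it has been seen, and a heuristic score. The file digests and intelligence values are constructed, not real samples.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple


@dataclass
class Policy:
    """Administrator's risk tolerance. Defaults mirror the '10,000 users for 2 months' example."""
    min_users: int = 10_000              # prevalence needed to count as established
    min_age_days: int = 60               # how long it must have been circulating
    conservative: bool = False           # True: lock out anything not established
    block_unknown_at: float = 0.50       # heuristic score that blocks a never-seen file
    block_rare_at: float = 0.70          # ... a rare or very young file
    block_established_at: float = 0.95   # ... an established file (near-certain hits only)


@dataclass
class FileIntel:
    sha256: str                          # constructed digests below, not real samples
    prevalence: Optional[int]            # None: never reported to the reputation service
    first_seen: Optional[date]           # None: never reported
    heuristic_score: float               # 0.0-1.0 from the generic/heuristic engine


def reputation_tier(intel: FileIntel, today: date, policy: Policy) -> str:
    """'unknown', 'rare' or 'established'. Both prevalence AND age must be met,
    so a sudden burst of installs (a fresh outbreak) still counts as 'rare'."""
    if intel.prevalence is None or intel.first_seen is None:
        return "unknown"
    age_days = (today - intel.first_seen).days
    if intel.prevalence >= policy.min_users and age_days >= policy.min_age_days:
        return "established"
    return "rare"


def decide(intel: FileIntel, today: date, policy: Policy) -> Tuple[str, str]:
    """Combine the reputation tier with the heuristic verdict; returns (action, reason).
    Rarer files get a lower blocking threshold, so the same heuristic hit that is
    ignored on an established program blocks an unknown one."""
    tier = reputation_tier(intel, today, policy)
    threshold = {
        "unknown": policy.block_unknown_at,
        "rare": policy.block_rare_at,
        "established": policy.block_established_at,
    }[tier]
    if tier != "established" and policy.conservative:
        return "block", f"{tier} file and policy is conservative"
    if intel.heuristic_score >= threshold:
        return "block", f"heuristic {intel.heuristic_score:.2f} >= {threshold:.2f} for {tier} file"
    if tier == "established":
        return "allow", "established reputation; heuristic hit not strong enough to override"
    return "allow-with-warning", f"{tier} file, heuristic {intel.heuristic_score:.2f} below {threshold:.2f}"


def sample_cases(today: date = date(2011, 6, 1), policy: Policy = Policy()):
    """Constructed files covering each tier; returns {name: action}."""
    def days_ago(n):
        return today - timedelta(days=n)

    cases = {
        "vendor_tool":    FileIntel("a" * 64, 2_000_000, days_ago(400), 0.60),
        "fresh_outbreak": FileIntel("b" * 64, 50_000, days_ago(3), 0.80),   # popular but 3 days old
        "custom_lob_app": FileIntel("c" * 64, 40, days_ago(500), 0.20),     # in-house, few users
        "dropper":        FileIntel("d" * 64, None, None, 0.55),
        "unknown_benign": FileIntel("e" * 64, None, None, 0.10),
    }
    return {name: decide(intel, today, policy)[0] for name, intel in cases.items()}


if __name__ == "__main__":
    for name, action in sample_cases().items():
        print(f"{name:15s} {action}")
```

The "custom_lob_app" case is the one to watch when you set your own tolerance: an in-house line-of-business program will never reach 10,000 users, so a conservative policy blocks it outright and you need a local exception for it. That is the trade-off behind letting the administrator pick the threshold rather than hard-coding one.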
Look beneath the surface with SONAR
One of the bigger changes in SEP 12.1 will be a totally new SONAR (Symantec Online Network for Advanced Response). This component is intended to detect and prevent threats never before seen in the wild, including something as sophisticated as Stuxnet. SONAR is a behavior monitor that looks at up to 400 behaviors and characteristics of the program being run. SONAR allows the program to run while it watches what is happening. If something nefarious is found, it then backs out any changes the program made and restores everything to the way it was before.
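To show the "let it run, watch it, then back out the damage" idea in working code, here is an added example of my own (not SONAR and not Symantec code): it images a directory before a program runs, turns the before/after difference into a handful of named behaviours, scores them, and restores the image if the score crosses a threshold. The behaviour names, weights, the "autostart" folder convention, the sample documents and the two stand-in programs are all constructed for the demonstration and run only inside a throwaway temporary directory.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Constructed behaviour signals and weights; a real engine watches hundreds of them.
WEIGHTS = {"mass_modify": 3, "entropy_jump": 4, "autostart_write": 5, "mass_delete": 3}


def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def snapshot(root):
    """Relative path -> contents for every file under root (the 'before' image)."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                snap[os.path.relpath(full, root)] = f.read()
    return snap


def restore(root, snap):
    """Back out every change: delete what the snapshot lacks, rewrite what it has."""
    for rel in snapshot(root):
        if rel not in snap:
            os.remove(os.path.join(root, rel))
    for rel, data in snap.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)


def observe(before, after):
    """Turn the before/after difference into named behaviours."""
    modified = [p for p in before if p in after and after[p] != before[p]]
    created = [p for p in after if p not in before]
    deleted = [p for p in before if p not in after]
    seen = set()
    if len(modified) >= 3:
        seen.add("mass_modify")
    if modified:
        jump = sum(shannon_entropy(after[p]) - shannon_entropy(before[p]) for p in modified) / len(modified)
        if jump > 2.0:              # readable documents became ciphertext-like blobs
            seen.add("entropy_jump")
    if any(p.split(os.sep)[0] == "autostart" for p in created + modified):
        seen.add("autostart_write")  # constructed stand-in for a persistence location
    if len(deleted) >= 3:
        seen.add("mass_delete")
    return seen


def monitored_run(root, program, block_at=6):
    """Let `program` run against root, score what it did, roll back if it looks hostile."""
    before = snapshot(root)
    program(root)
    behaviors = observe(before, snapshot(root))
    score = sum(WEIGHTS[b] for b in behaviors)
    action = "allowed"
    if score >= block_at:
        restore(root, before)
        action = "blocked-and-rolled-back"
    return {"action": action, "score": score, "behaviors": sorted(behaviors),
            "tree_equals_before": snapshot(root) == before}


def _seed(root):
    os.makedirs(os.path.join(root, "docs"))
    os.makedirs(os.path.join(root, "autostart"))
    for i in range(4):
        with open(os.path.join(root, "docs", f"memo{i}.txt"), "wb") as f:
            f.write(f"Meeting notes number {i}, nothing sensitive here.\n".encode() * 20)


def benign_editor(root):
    with open(os.path.join(root, "docs", "memo0.txt"), "ab") as f:
        f.write(b"Added a line.\n")


def ransomware_like(root):
    """Constructed stand-in: XOR every document with a keystream and add an autostart entry."""
    docs = os.path.join(root, "docs")
    for name in sorted(os.listdir(docs)):
        path = os.path.join(docs, name)
        with open(path, "rb") as f:
            plain = f.read()
        stream = b"".join(hashlib.sha256(b"k%d" % i).digest() for i in range(len(plain) // 32 + 1))
        with open(path, "wb") as f:
            f.write(bytes(a ^ b for a, b in zip(plain, stream)))
    with open(os.path.join(root, "autostart", "run.cmd"), "wb") as f:
        f.write(b"start decryptor.exe\n")


def run_demo():
    """Runs both constructed programs in throwaway directories; returns their reports."""
    results = {}
    for name, prog in (("editor", benign_editor), ("ransomware", ransomware_like)):
        with tempfile.TemporaryDirectory() as root:
            _seed(root)
            results[name] = monitored_run(root, prog)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The caveat worth keeping in mind: this toy only compares the final state, so it sees nothing that happened in between, and a product-grade monitor hooks file, registry, process and network activity as it happens for exactly that reason. Rollback also has a hard limit in either case: data that has already been sent off the machine cannot be rolled back.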
SEP 12.1 in a nutshell
SEP 12.1 includes network based
protection for your system and browser, a
crowd sourced Internet reputation database
for determining the probable safety of a
program or web location (Insight), file
based protection using traditional on demand
and timed scanners as well as generic
blockers and heuristic blocking, and
behavioral blocking (SONAR). In addition,
SEP 12.1 software suites will include other
security features like mail and web gateway
security software which will stop threats
before your machine even sees them and image
backup software to protect your machine not
only from threats from the outside, but the
greatest threat of all, you! (OK, maybe I
am the only one who has deleted a file or
configuration I wanted back later.)
Help yourself by helping Symantec
Who cares? Symantec does. Iron
Horse does. And maybe you do too. SEP 11
was something of a disaster for Symantec.
They did not test it nearly as much as they
wanted to or should have. A corporate
merger with Veritas and the release of
Windows Vista soon after launch complicated
matters. Though SEP 11 had a lot of
improvements over their older Symantec
Antivirus product in speed and protection,
there were some issues that actually made
the speed and compatibility less than it
should have been. Symantec learned from
that mistake and does not want to repeat
it. [If you have an early SEP 11 version,
see the tip above and ask us about replacing
it!] 1.7 man years per day of work is being
put into SEP 12.1 right now. But Symantec
needs more real world input and testing.
That is where I came in and where you can
help both yourself and Symantec.
Symantec asked me if I had customers who
would be interested in testing this yet to
be released software. Understand that you
would be testing software that is beta,
which means "not fully baked" or "still
broken." You would be helping them fix
issues. In turn, your input would be used
to craft the product more to your liking and
you would get experience with these new
technologies before everyone else. Symantec
is especially interested in environments
that do not look like ones which might be
running the Norton consumer software. They
would like to see how you might use their
deployment and management tools, for
example.
If you are interested in beta testing SEP
12.1, please contact me.
Thinking of you....
Of course, while I was with
Symantec, I was thinking of you. Here are
some of the things I mentioned to them:
-Customers just want a bag-o-security. This
is not quite realistic because good security
comes in layers and the best security
involves consistently training the end user
but.... it is what everybody wants. They
want a bunch of security technologies that
work together reliably, do not impede their
work, work silently in the background, and
cost them little in the way of staff
resources and dollars.
-Customers worry about malware beating their
current protection and want to know what is
being done. [Maybe this newsletter will
answer a little of that.]
-Customers want to keep the bad guy from
getting their most sensitive data. [Not in this product iteration. This type of technology is called Data Loss Prevention (DLP) and is available in other Symantec products.]
-Customers want to be able to license their software and support easily. [Unfortunately, no one from licensing was there.]
-Customers, business professionals,
auditors, and computer consultants want to
be able to analyze security policies and
compare them to recommended best practices,
corporate best practices, shipping defaults,
and current settings. [They don't have this
tool yet.]
-A password manager and form filler like
that in the Norton product would be very
handy and enhance security for a lot of
businesses. [Currently not planned for this
product, but surprised them enough that they
are thinking about it.]
-A behavior scanner similar to the one used
in their Norton parental control product
would be helpful at enhancing security and
improving productivity in many companies.
For example, you could lock out banned sites
like Facebook or monitor the time employees
spent on a computer by log on and log off.
[Not currently planned.]
-Mobile devices are being used more and
more. Phones now rival computers in
processing power. Customers would like to
see more support for these devices.
[Although SEP 12.1 encompasses Mac, Linux, and gateways, it will not include protection for mobile devices other than portable computers, primarily because the phone market has been moving so fast and is so fragmented that Symantec finds it hard to build, test, and integrate a product like that.]
-I also reported a number of errors and
unclear instructions on tests of the product
itself while testing it in their lab.
Tip: For those who have the digital flu already
Infections do happen. An infected machine is in a
completely different state from one that is
uninfected or immunized. How can those
machines be effectively repaired and
protected? It turns out that none of the resellers, and even some Symantec employees, knew that Symantec already had a tool for this. Norton Power Eraser (NPE) is a free
tool for Windows, but it is dangerous. It
is not meant for regularly scanning
systems. The assumption when you run this
tool is that your machine is already
infected. That means you need to scan
deeply and false positives are less of an
issue. Normal Symantec antivirus tools have
extremely low false positive rates. This
tool has a 1.7% false positive rate. That
means it is much more likely to identify
something good as bad and remove it which
might break your system or cause programs to
fail. Well.... the patient is already sick
and you use pretty strong drugs and
aggressive treatment when that happens. You
have been warned.
NPE is a small download that can run off a
USB key so that you do not need to install
it. Download it when you need it as the
current definitions download with it. <http://security.symantec.com/nbrt/npe.asp?lcid=1033>
SEP users can download the even more
powerful Symantec Endpoint Recovery Tool.
You boot to a CD using this tool so you can
remove threats even if they hide from the
operating system. <http://www.symantec.com/connect/videos/symantec-endpoint-recovery-tool-sert> I recommend this tool only to professionals.
Symantec offers these and other tools on its
web site, which is available 24x7. You can
also use your antivirus maintenance
contracts for definition upgrades, new
versions, and support if you do get the
digital flu. And, of course, Iron Horse
offers Symantec products, its own services,
and products and services from other
manufacturers to help make network
management easier and safer.
©2011 Tony
Stirk, Iron Horse tstirk@ih-online.com