Horse Sense #92

A Visit to Symantec

[A warning.  The software has not been released yet, so some details may change.]

I recently previewed Symantec's still unfinished new edition of its Endpoint Protection product (SEP version 12.1) with a number of other value added resellers and consultants.  The developers and product managers wanted to know what we and our customers wanted in a business desktop security product.

In this issue of Horse Sense:

A Visit to Symantec
-Why is a new product needed?
-Tip: How to be safer now!
-Staying with the tried and true, using that which is tested and is new
-Reputation is everything!
-Look below the surface with SONAR
-SEP 12.1 in a nutshell
-Help yourself by helping Symantec
-Thinking of you....
-Tip:  For those who have the digital flu already

Why is a new product needed?

Bad guys find new ways to attack us.  Early on, the threats we faced were simple and splashy.  They were easy to find and fix.  Newer threats tend to be quieter and use multiple attack vectors.  This is how some criminals make their living and they can be very aggressive, sneaky, and professional.  Subverting your computer and compromising your trust can be very profitable.  Good security is all about making it harder for the bad guys to profit off you.  Antivirus alone is not enough to protect you from the newer threats.  In addition, portable computer sales have outnumbered desktop sales for some time.  The protection mechanisms that we relied on in our business networks simply are not there when we leave them.  So, we must better protect the devices we carry with us and the ones we do not because those mobile devices can become a way to infect our business network when we return home.

Social engineering, or using the human to get through defenses, is used in many attacks.  Social engineers know we use our search engines a lot to find things.  So they poison search engine results so their own links will place within the top 10.  Merely clicking their link could expose you to infection.  Malware writers now can buy inexpensive tool sets to make stealthy malware.  They can pay for access to already infected machines to help spread their malware far and wide with little chance of having it traced back to them.  Malware is often designed to steal e mail addresses, user and system information, and logins and passwords compromising the trustworthiness of your machine (and your trust as well).  Malware writers also put control software on your machine allowing them to control thousands of machines like a zombie army.  Once a foothold is gained, other attack programs are often downloaded from zombie servers.

New reasons to attack computers have emerged like promoting a particular political agenda, industrial espionage, and nation state sponsored attacks and information gathering.  I believe Stuxnet to be a quite potent example of a nation state attack.  Stuxnet was designed to cause a specific brand of centrifuge used in nuclear enrichment, primarily in Iran, to run out of control and destroy itself.  Symantec played a critical role in dissecting this very sophisticated malware.  It was designed to spread to computers on networks that were not connected to the Internet.  It is a common security practice to isolate "secure" machines and not let them have any access to the Internet.  Often, these machines do not receive software updates or have anti-malware protection.  Stuxnet used human beings carrying USB keys to bridge the gap, kind of like malaria uses mosquitoes.  Stuxnet is a particularly terrifying new breed of malware whose sophistication is phenomenal:
<> Stuxnet shows that previously "safe" environments like segregated networks, medical equipment, isolated machine controllers, and other devices are vulnerable to attack.  Imagine the wide scale disruption in the US if all the stop lights turned red at once....

Traditional antiviral systems alone could not stop something like Stuxnet.  Newer malware evades detection by creating a new version on demand.  Instead of seeing millions of copies of this malware in the wild, traditional antivirus pattern matching software will see millions of different programs.  So, what is needed is a more holistic approach to security.  Current and forthcoming versions of SEP use a range of technologies to protect your computers.  However, many current installations are not configured to use the full power of the product because they have some features turned off or they are not running the latest edition of the client protection software.

Tip:  How to be safer now!

Make sure that not only are your definitions up to date, but that all your security options are turned on and that you have the latest edition of the client software for your machine.  While antivirus signatures update automatically with most manufacturers, you must choose to update the client software itself.  Even without tuning the product for performance, the current SEP 11.6200.x client is three times faster than it was when it was first released! Old software is slower, less compatible, takes more resources, and is more vulnerable to current infections.  Call us and have us help you.  It is like going to the doctor and getting a tetanus booster shot.

Staying with the tried and true, using that which is tested and is new

Many of the new protection technologies in the SEP 12.1 corporate product will be lifted from the Norton consumer products.  See the Horse Sense newsletter #88 on our web site "Are You Testing Software for Someone Else?" <> for more information. 

Pattern matching antivirus software still works (surprise!) and catches many of the infections still wandering around the world.  350 million workstations prove it to be a stable, high performance, cross platform way of dealing with viruses.  It updates without a need for updating the product itself via signature files.  Advanced general purpose scans using generic signatures and malware heuristic signatures are available to block newer threats.  The 12.1 engine will be able to skip scans that do not apply to a particular file type.  It will not scan the file at all if it knows it is trustworthy or has already been scanned by your current set of definitions.  This so called Scanless technology significantly lowers the impact of scanning on your system and decreases the time needed to scan dramatically.  In addition, the new engine has been redesigned to use five times less memory when doing its scans than before!

Unfortunately, many people do not have firewalls and intrusion protection on their machines.  Network threat protection can stop malware before it even gets on to your machine.  In SEP 12.1, network traffic is scanned against a signature database to show what is harmful and what is not.  New browser based protection protects against attacks via the browser.  This type of protection can block drive by downloads (infections delivered just by visiting a compromised web site or displaying an infected add on a good web site) and social engineering attacks like fake antivirus or music codecs.  Good security has multiple layers.  Good security eliminates threats at the earliest possible moment with the least amount of effort.  Exceptional security integrates various individual security methods together so they work synergistically to provide the most amount of protection with the least amount of effort.  SEP 11 is such a product and SEP 12.1 should be even better.

Reputation is everything!

Building on the 64 million users who contribute information about what they are running to Symantec via Norton products, Symantec has built a reputation based system into SEP 12.1.  Reputation relies on analyzing what your neighbors are doing.  There will be some known safe software.  But, there will also be software running on machines that is not known to be safe.  How do we know if a piece of software we want to run is safe or not, especially when malware makers are building customized infection packages?  We obviously cannot just white or black list programs.  There are too many of them out there.  Instead, SEP 12.1 using its Insight component collects information on your program and automatically compares it to a constantly updated database now numbering 250 million programs.  Something that is not in the database or has a low incidence in the database should merit more critical inspection.  This allows for tougher scans of possible malware without triggering a false positive.  You can also save time and effort by not scanning files known to be good.  You can even set your own risk tolerance.  For example, you can be conservative and say you want to lock out all software that has not been used by at least 10,000 users in the database for 2 months.  You can also choose to allow software to run with lower reputations, but at least Insight will indicate the possible danger.

Insight is particularly valuable when you are doing behavior based blocking, or relying on heuristics and generic blocks.  You have to be very careful that you do not end up blocking a useful program.  Reputation combined with these other blocks is a much more certain way of catching suspect programs and of letting good ones run.

Look beneath the surface with SONAR

One of the bigger changes in SEP 12.1 will be a totally new SONAR (Symantec Online Network for Advanced Response).  This component would detect and prevent something as sophisticated as Stuxnet and other threats never before seen in the wild.  SONAR is a behavior monitor that looks at up to 400 behaviors and characteristics of the program being run.  SONAR allows the program to run while it watches what is happening.  It then backs out any changes that have been made and restores everything back to the way it was before if something nefarious is found.

SEP 12.1 in a nutshell

SEP 12.1 includes network based protection for your system and browser, a crowd sourced Internet reputation database for determining the probable safety of a program or web location (Insight), file based protection using traditional on demand and timed scanners as well as generic blockers and heuristic blocking, and behavioral blocking (SONAR).  In addition, SEP 12.1 software suites will include other security features like mail and web gateway security software which will stop threats before your machine even sees them and image backup software to protect your machine not only from threats from the outside, but the greatest threat of all, you!  (OK, maybe I am the only one who has deleted a file or configuration I wanted back later.)

Help yourself by helping Symantec

Who cares?  Symantec does.  Iron Horse does.  And maybe you do too.  SEP 11 was something of a disaster for Symantec.  They did not test it nearly as much as they wanted to or should have.  A corporate merger with Veritas and the release of Windows Vista soon after launch complicated matters.  Though SEP 11 had a lot of improvements over their older Symantec Antivirus product in speed and protection, there were some issues that actually made the speed and compatibility less than it should have been.  Symantec learned from that mistake and does not want to repeat it.  [If you have an early SEP 11 version, see the tip above and ask us about replacing it!] 1.7 man years per day of work is being put into SEP 12.1 right now.  But Symantec needs more real world input and testing.  That is where I came in and where you can help both yourself and Symantec.

Symantec asked me if I had customers who would be interested in testing this yet to be released software.   Understand that you would be testing software that is beta, which means "not fully baked" or "still broken."  You would be helping them fix issues.  In turn, your input would be used to craft the product more to your liking and you would get experience with these new technologies before everyone else.  Symantec is especially interested in environments that do not look like ones which might be running the Norton consumer software.  They would like to see how you might use their deployment and management tools, for example.

If you are interested in beta testing SEP 12.1, please contact me.

Thinking of you....

Of course, while I was with Symantec, I was thinking of you.  Here are some of the things I mentioned to them:

-Customers just want a bag-o-security.  This is not quite realistic because good security comes in layers and the best security involves consistently training the end user but.... it is what everybody wants.  They want a bunch of security technologies that work together reliably, do not impede their work, work silently in the background, and cost them little in the way of staff resources and dollars.

-Customers worry about malware beating their current protection and want to know what is being done.  [Maybe this newsletter will answer a little of that.]

-Customers want to keep the bad guy from getting their most sensitive data.  [Not in this product iteration.  This type of technology is called Digital Leak Protection and is available in other products.]

-Customers want to be able to be able to license their software and support easily.  [Unfortunately, no one from licensing was there.]

-Customers, business professionals, auditors, and computer consultants want to be able to analyze security policies and compare them to recommended best practices, corporate best practices, shipping defaults, and current settings.  [They don't have this tool yet.]

-A password manager and form filler like that in the Norton product would be very handy and enhance security for a lot of businesses.  [Currently not planned for this product, but surprised them enough that they are thinking about it.]

-A behavior scanner similar to the one used in their Norton parental control product would be helpful at enhancing security and improving productivity in many companies.  For example, you could lock out banned sites like Facebook or monitor the time employees spent on a computer by log on and log off. [Not currently planned.]

-Mobile devices are being used more and more.  Phones now rival computers in processing power.  Customers would like to see more support for these devices.  [Although SEP 12.1 encompasses Mac, LINUX, and gateways, it will not include protection for mobile devices other than portable computers primarily because the phone market has been moving so fast and is so fractured that Symantec finds it hard to build, test, and integrate a product like that.]

-I also reported a number of errors and unclear instructions on tests of the product itself while testing it in their lab.

Tip:  For those who have the digital flu already

Infections do happen.  An infected machine is in a completely different state from one that is uninfected or immunized.  How can those machines be effectively repaired and protected?  It turns out that none of the resellers and even some Symantec employees knew that Symantec already had a tool for this.  Norton Power Eraser (NPE) is a free tool for Windows, but it is dangerous.  It is not meant for regularly scanning systems.  The assumption when you run this tool is that your machine is already infected.  That means you need to scan deeply and false positives are less of an issue.  Normal Symantec antivirus tools have extremely low false positive rates.  This tool has a 1.7% false positive rate.  That means it is much more likely to identify something good as bad and remove it which might break your system or cause programs to fail.  Well.... the patient is already sick and you use pretty strong drugs and aggressive treatment when that happens.  You have been warned.

NPE is a small download that can run off a USB key so that you do not need to install it.  Download it when you need it as the current definitions download with it.  <> SEP users can download the even more powerful Symantec Endpoint Recovery Tool.  You boot to a CD using this tool so you can remove threats even if they hide from the operating system.  < > I recommend this tool only to professionals.

Symantec offers these and other tools on its web site, which is available 24x7.  You can also use your antivirus maintenance contracts for definition upgrades, new versions, and support if you do get the digital flu.  And, of course, Iron Horse offers Symantec products, its own services, and products and services from other manufacturers to help make network management easier and safer.

©2011 Tony Stirk, Iron Horse