Simple and Complex Threats Shape the Future - PowerPoint PPT Presentation

Slides: 31
Provided by: robc2
Learn more at: http://www.cs.sjsu.edu
Transcript and Presenter's Notes



1
Simple and Complex Threats Shape the Future
  • Linda McCarthy
  • Executive Security Advisor
  • November 22, 2003

2
ARPA Network - 1969
3
Internet Backbone - 2003
4
Faster, Frequent, and More Complex Blended Threats
  • Increasing prevalence of blended threats
  • Combine hacking and denial of service, are more
    aggressive, and spread faster than ever before
  • August 2003 tested the defenses of home and corporate
    users
  • Four high-impact attacks in the span of eight
    days
  • Tested the defenses of home and corporate users
  • Attackers turning up the heat

5

Tremendous Challenges
  • Increasing number and sophistication of attacks
  • Increasing complexity across an enterprise
  • Resource Constraints
  • Risks difficult to define and prioritize
  • Products alone are reactive

[Chart: Worldwide Attacks. Left axis: Malicious Code Infection Attempts, 0 to 900M. Right axis: Network Intrusion Attempts, 0 to 120,000. Threat eras marked along the time axis: Polymorphic Viruses (Tequila), Zombies, Mass Mailer Viruses (Love Letter/Melissa), Denial of Service (Yahoo!, eBay), Blended Threats (CodeRed, Nimda, Slammer).]
Analysis by Symantec Security Response using data from Symantec, IDC, ICSA; 2002 estimated.
Source: CERT
6
Attack Sources
  • Top ten attack source countries account for 80%
    of all attacks
  • 51% of all attacks originate in the United States
  • Japan is the 9th most common source

Six Months Ending June 30, 2003

  Ranking  Country         Share of attacks
  1        United States   51%
  2        China            5%
  3        Germany          5%
  4        South Korea      4%
  5        Canada           4%
  6        France           3%
  7        Great Britain    2%
  8        Netherlands      2%
  9        Japan            2%
  10       Italy            2%

Source: Internet Security Threat Report, Symantec, September 2003
Highlights Attacks
7
Less Knowledge Required to Attack
[Chart: knowledge required to attack (vertical axis, High to Low) against time, 1980 to 2005.]
8
Software Vulnerabilities on the Rise
[Bar chart: Average number of new vulnerabilities discovered every week, by year '99 to '03; vertical axis 0 to 70; bar labels shown: 10, 25, 30, 50, 60.]
Source: Bugtraq
9
Threat Evolution Day-zero Threats
A day-zero threat exploits a previously unknown,
and therefore unprotected, vulnerability.
[Timeline figure: time axis running from "Vulnerability Identified" to "Threat Released"; the gap between the two is the Vulnerability-Threat Window.]
10
Threat Evolution Day-zero Threats
A day-zero threat exploits a previously unknown,
and therefore unprotected, vulnerability.
[Timeline figure: time axis running from "Vulnerability identified" to "Threat released".]
11
Faster, More Aggressive Attacks
  • 64% of new attacks targeted vulnerabilities less
    than 1 year old
  • More attacks are targeting new vulnerabilities
  • New vulnerabilities are being exploited more
    quickly
  • Faster exploitation requires better patch
    management policies

Percent of New Attack Targets by Vulnerability Age Range (months)

  Age range (months)  Percent of new attack targets
  0 to 6              39
  6 to 12             25
  12 to 18            14
  18 to 24            10
  24 to 30             5
  30 to 36             4
  36 to 42             1
  42 to 48             1
Trends
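As an added, runnable illustration of slides 9 to 11 (it is not part of the original deck, nor code from Symantec or any product named here), the Python below transcribes the vulnerability-age histogram from slide 11 and shows how a patch-management policy reads against it: the share of new attacks that would still find a vulnerability unpatched if patches routinely take N months, plus a day-zero check and an SLA-based prioritisation over a small set of vulnerability records. The record ids, dates and SLA values are constructed placeholders, not real advisories.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Histogram from slide 11 (percent of new attack targets by vulnerability
# age, 6-month bins), transcribed here as the example's input.
ATTACK_SHARE_BY_AGE = [
    ((0, 6), 39), ((6, 12), 25), ((12, 18), 14), ((18, 24), 10),
    ((24, 30), 5), ((30, 36), 4), ((36, 42), 1), ((42, 48), 1),
]


def share_targeting_age_at_most(months: int) -> int:
    """Percent of new attacks aimed at vulnerabilities no older than `months`.

    Read the other way round: if patches are routinely applied `months` after
    a vulnerability is identified, this is the share of new attacks that would
    still find the vulnerability unpatched. Whole bins only.
    """
    return sum(pct for (_lo, hi), pct in ATTACK_SHARE_BY_AGE if hi <= months)


@dataclass
class VulnRecord:
    vuln_id: str                     # constructed placeholder id, not a real advisory
    identified: date                 # vulnerability publicly identified
    threat_released: Optional[date]  # first threat seen in the wild, None if none yet
    patched: Optional[date]          # date the host was patched, None if still open


def is_day_zero(rec: VulnRecord) -> bool:
    """Day-zero threat: released on or before the vulnerability was identified,
    so no patch or signature could have existed when it first hit."""
    return rec.threat_released is not None and rec.threat_released <= rec.identified


def vulnerability_threat_window(rec: VulnRecord) -> Optional[int]:
    """Days from identification to threat release (0 or less means day-zero)."""
    if rec.threat_released is None:
        return None
    return (rec.threat_released - rec.identified).days


def days_unpatched(rec: VulnRecord, today: date) -> int:
    """Days the host stayed unpatched after identification (still counting if open)."""
    end = rec.patched if rec.patched is not None else today
    return (end - rec.identified).days


def overdue(records: List[VulnRecord], today: date, sla_days: int) -> List[VulnRecord]:
    """Records still unpatched past the SLA, worst first: anything with a threat
    already in the wild ranks ahead of the rest; within each group, oldest first."""
    late = [r for r in records
            if r.patched is None and days_unpatched(r, today) > sla_days]
    return sorted(late, key=lambda r: (r.threat_released is None, -days_unpatched(r, today)))


# Constructed sample data; "today" is the date on the title slide.
TODAY = date(2003, 11, 22)
SAMPLE = [
    VulnRecord("VULN-A", date(2003, 7, 1), date(2003, 7, 27), date(2003, 8, 5)),
    VulnRecord("VULN-B", date(2003, 9, 1), date(2003, 9, 1), None),   # day-zero, open
    VulnRecord("VULN-C", date(2003, 10, 20), None, None),             # recent, open
    VulnRecord("VULN-D", date(2003, 6, 1), None, None),               # old, open
]

if __name__ == "__main__":
    for sla in (6, 12):
        print(f"patch within {sla} months: {share_targeting_age_at_most(sla)}% "
              f"of new attacks still find an unpatched target")
    for r in overdue(SAMPLE, TODAY, sla_days=30):
        print(r.vuln_id, "day-zero" if is_day_zero(r) else "",
              days_unpatched(r, TODAY), "days unpatched")
```

The two readings of the histogram are the slide's own point: the same 64% that measures attacker speed is also the exposure an organisation accepts when its patch cycle is a year long, and shortening the cycle to six months still leaves 39% of new attacks with an unpatched target.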
12
New Technologies and Targets
13
General Threat Evolution
[Chart: Scope (vertical axis: Individual PCs, Individual Orgs., Regional, Sector, Global Impact) against Time (1990s, 2000, 2003).]
14
Threat Evolution Malicious Code
  • Class I: Human response possible
  • Class II: Human response difficult/impossible; automated
    response possible
  • Class III: Human response impossible; automated response
    unlikely; proactive blocking possible
[Chart: Contagion Timeframe against Time, Early 1990s, Mid 1990s, Late 1990s, 2000, 2003.]
15
Malicious Code Protection Strategies
[Diagram of protection strategies, with the annotation "Only useful after initial wave":]
  • Manual Fingerprints
  • Auto Fingerprint Generation
  • Auto Fingerprint Generation (for slower Class II threats)
  • Distributed Sensor Networks, Protocol Anomaly Detection,
    Rule and Statistical Correlation
  • Adaptive Security
16
Faster, More Frequent Blended Threats
  • 20% increase in blended threats
  • New blended threats spread more quickly
  • Protection against blended threats requires a
    layered, integrated approach to security

Trends
17
New Blended Threat Targets
  • Microsoft IIS vulnerabilities
    • Large installed base
    • Numerous severe vulnerabilities
  • Microsoft Internet Explorer vulnerabilities
    • Large installed base
    • Easy exploitation

Trends
18
Expanded Dangers from Blended Threats
  • Theft of confidential information
    • Bugbear.B
    • 50% increase in attacks on confidential data
  • Remote attacks
    • Disguised as worm activity
    • Bot armies execute remote commands

Trends
19
Information Security Solutions Today
  • Fragmented functionality
  • No integrated approach
  • Lack of a cohesive security management capability
  • Limited availability of expertise
  • Overly complicated; not enough customization of
    applications

[Diagram of fragmented point products and services: Vuln Assess, Authentication, Common Console, Event/Incident Mgmt, Content Updates/Security Response, Security Services, Vuln Mgmt, Threat Management/Early Warning, Identity Mgmt, Intrusion Detection, Access Control/Auth, Honey Pot/Decoy Technology, 24x7 Global Customer Support, Antivirus, Config. Mgmt, VPN, Firewall, Attack Recovery Services, Policy Mgmt.]
20
Symantec is Securing the Enterprise
[Diagram of integrated capabilities: Authentication, Threat Management/Early Warning, Encryption, Antivirus, Honey Pot/Decoy Technology, Firewall, Intrusion Detection/Prevention, Proactive Control, Vulnerability Assessment, VPN, Policy Compliance, Content Updates/Security Response, Event/Incident Mgmt, 24x7 Global Customer Support, Access Control/Authorization, Identity Mgmt, Attack Recovery Services, Config. Mgmt, Common Console.]
21
Securing the Enterprise
  • Early Warning
  • DeepSight
  • Decoy Technology
  • Decoy Server
  • Vulnerability Assessment
  • Alert Early Warning
  • Awareness of new vulnerabilities and global
    threats
  • Areas of Future Focus
  • Continue to close the gap between awareness of
    security issues and specific immediate action
  • Leverage the global reach of 100 million
    endpoints in 180 countries
  • Protect valuable assets by focusing security
    resources on only those threats that can take
    down their network

22
DeepSight Blaster Worm Timeline
  • 8/10/03 10:39 am  DeepSight TMS Port 135 Alert
  • 8/11/03 8:44 pm   Blaster Worm Alert sent (TMS)
  • 8/11/03 7:57 pm   ThreatCon Alert of worm (TMS)
  • 8/11/03 10:00 pm  Blaster widely seen by others
[Chart: number of IP(s) observed, vertical axis 0 to 300,000, against time.]
All times GMT
23
Securing the Enterprise
  • Integrated Solutions
  • Client Security
  • Gateway Security
  • Best-of-breed products
  • Host and Network
  • Intrusion Detection Prevention
  • Antivirus
  • Filtering
  • Firewall
  • VPN
  • Protection
  • Multi-layered security at the Gateway, Server and
    Client
  • Areas of Future Focus
  • Stronger protection
  • Faster speeds
  • Prevention technologies
  • Proactively block attacks
  • Wireless mobile support
  • Client compliancy
  • Tighter integration with Early Warning services
  • Extending integrated security to all layers

24
Symantec Client Security
  • Best-of-breed plus integration provides better
    protection for lower Total Cost of Ownership
  • Antivirus
  • Client Firewall
  • Intrusion Detection
  • Future enhancements to include
  • Client-compliancy checking
  • Enhanced FW capabilities
  • Location awareness

25
Intrusion Protection Solutions
  • High speed multi-gigabit network detection
  • Multiple advanced detection methodologies
  • Protocol anomaly detection, signature,
    behavioral, hybrids, decoy
  • iForce appliance option built by Symantec and Sun
  • Protection controls at the host, network, and
    decoy
  • Interoperability with 3rd party data collection

26
Symantec AV for Handhelds Corp Edition
  • Desktop assisted solution
  • Integrated with existing update infrastructures
  • Comprehensive cross-platform support
  • On-device real-time and on-demand scanning
  • Automatic scans on memory media insertion, after
    synchronization
  • On-device wireless LiveUpdate

27
Securing the Enterprise
  • Respond
  • Trusted, timely content updates
  • 24/7 global remediation support
  • Areas of Future Focus
  • Anticipating likely exploits of vulnerabilities
  • Providing proactive updates that block attacks
    using anticipated exploits
  • Security Response
  • (LiveUpdate)
  • 7x24 customer support
  • Professional Services
  • Disk Recovery

28
Securing the Enterprise
  • Manage
  • Real-time security management to Identify and
    prioritize
  • critical vulnerabilities
  • non-compliance
  • malicious events
  • blended threats
  • Areas of Future Focus
  • Patch management and deployment
  • Increased platform (OS/DB) support
  • Integration with HelpDesk applications
  • Additional correlation technologies
  • Significant increase in collectors
  • ESM
  • (Policy Compliance)
  • Security Management
  • Incident Manager
  • Event Managers
  • Managed Security Services

29
Conclusion: Optimize Control and Minimize
Complexity
  • Key process elements for an effective security
    program: Alert, Protect, Respond, Manage
  • Security is too complex; it needs to be simplified
  • Symantec's security application and management
    integration simplifies security
    • Increases protection
    • Reduces total cost of ownership
    • Provides a 360-degree view of security posture
  • Integrate our robust security content in all of
    our products
  • Provide flexible, fast, expert support to our
    customers
  • Deliver world-class security threat information
    and response
