Title: Simple and Complex Threats Shape the Future
Slide 1: Simple and Complex Threats Shape the Future
- Linda McCarthy
- Executive Security Advisor
- November 22, 2003
Slide 2: ARPA Network - 1969
Slide 3: Internet Backbone - 2003
Slide 4: Faster, Frequent, and More Complex Blended Threats
- Increasing prevalence of blended threats
  - Combine hacking, denial of service, and more; more aggressive, and spread faster than ever before
- August 2003 tested defenses of home and corporate users
  - Four high impact attacks in the span of eight days
  - Tested the defenses of home and corporate users
- Attackers turning up the heat
Slide 5: Tremendous Challenges
- Increasing number and sophistication of attacks
- Increasing complexity across an enterprise
- Resource Constraints
- Risks difficult to define and prioritize
- Products alone are reactive
[Chart: Worldwide Attacks. Two series: Malicious Code Infection Attempts (left axis, 0 to 900M) and Network Intrusion Attempts (right axis, 0 to 120,000). Milestones marked along the curve: Polymorphic Viruses (Tequila); Zombies; Mass Mailer Viruses (Love Letter/Melissa); Denial of Service (Yahoo!, eBay); Blended Threats (CodeRed, Nimda, Slammer). Analysis by Symantec Security Response using data from Symantec, IDC, ICSA; 2002 estimated. Source: CERT.]
Slide 6: Attack Sources
- Top ten attack source countries account for 80% of all attacks
- 51% of all attacks originate in the United States
- Japan is 9th most common source

Six Months Ending June 30, 2003

Ranking  Country         Share of attacks
1        United States   51%
2        China            5%
3        Germany          5%
4        South Korea      4%
5        Canada           4%
6        France           3%
7        Great Britain    2%
8        Netherlands      2%
9        Japan            2%
10       Italy            2%

Source: Internet Security Threat Report, Symantec, September 2003
Highlights: Attacks
Slide 7: Less Knowledge Required to Attack
[Chart: vertical axis from High to Low; horizontal axis 1980 to 2005 in five-year steps.]
Slide 8: Software Vulnerabilities on the Rise
[Chart: Average number of new vulnerabilities discovered every week, by year '99 through '03; vertical axis 0 to 70. Bar labels as they appear on the chart, top to bottom: 60, 50, 30, 25, 10. Source: Bugtraq.]
Slide 9: Threat Evolution: Day-zero Threats
A day-zero threat exploits a previously unknown, and therefore unprotected, vulnerability.
[Diagram: the Vulnerability-Threat Window, drawn on a Time axis between the points "Vulnerability Identified" and "Threat Released".]
Slide 10: Threat Evolution: Day-zero Threats (build of slide 9; same text and diagram)
Slide 11: Faster, More Aggressive Attacks
- 64% of new attacks targeted vulnerabilities less than 1 year old
- More attacks are targeting new vulnerabilities
- New vulnerabilities are being exploited more quickly
- Faster exploitation requires better patch management policies

Percent of New Attack Targets by Vulnerability Age Range (months):

Age range (months)  Percent of new attack targets
0 to 6              39
6 to 12             25
12 to 18            14
18 to 24            10
24 to 30             5
30 to 36             4
36 to 42             1
42 to 48             1

Trends
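The two slides above describe the vulnerability-threat window (time from "vulnerability identified" to "threat released") and bucket attacks by the age of the vulnerability they target. The following script is an added example, not part of the original deck and not a Symantec tool: it computes that window for a set of constructed records with placeholder labels (VULN-A through VULN-H are not real advisories), maps each to the slide's 6-month age buckets, and reports how a patch-deadline policy of a given length would have fared against each threat, which is the "patch management" consequence the slide draws. The 30-day month, the 6-month bucket width and the 48-month cap are assumptions chosen to match the chart's axis.

```python
"""Vulnerability-threat window arithmetic for patch-management planning.

Added example, not part of the original slide deck or of any Symantec tool.
Every record below is constructed sample data with hypothetical identifiers.
"""
from collections import Counter
from datetime import date, timedelta

# Constructed records: (label, vulnerability identified, threat released).
# Labels are placeholders, not real advisory identifiers.
SAMPLE_RECORDS = [
    ("VULN-A", date(2003, 7, 16), date(2003, 8, 11)),   # 26 days
    ("VULN-B", date(2002, 12, 1), date(2003, 5, 20)),   # 170 days
    ("VULN-C", date(2003, 3, 5), date(2003, 3, 1)),     # exploit preceded disclosure: day-zero
    ("VULN-D", date(2002, 1, 10), date(2003, 1, 25)),   # 380 days
    ("VULN-E", date(2002, 6, 1), date(2003, 2, 1)),     # 245 days
    ("VULN-F", date(1999, 10, 1), date(2003, 6, 1)),    # 1339 days: an old vulnerability still being hit
    ("VULN-G", date(2003, 1, 1), date(2003, 1, 1)),     # same day: day-zero
    ("VULN-H", date(2002, 9, 1), date(2003, 3, 31)),    # 211 days
]

DAYS_PER_MONTH = 30   # fixed month length keeps the bucket math exact (assumption)
BUCKET_MONTHS = 6     # width of the chart's age ranges
MAX_MONTHS = 48       # right edge of the chart's axis


def window_days(identified, released):
    """Length of the vulnerability-threat window in days (zero or negative means day-zero)."""
    return (released - identified).days


def is_day_zero(identified, released):
    """A threat released on or before the day the vulnerability was identified."""
    return window_days(identified, released) <= 0


def age_bucket(days):
    """Map a window length to the chart's 6-month age ranges."""
    if days <= 0:
        return "day-zero"
    months = days // DAYS_PER_MONTH
    if months >= MAX_MONTHS:
        return f"{MAX_MONTHS}+"
    lo = (months // BUCKET_MONTHS) * BUCKET_MONTHS
    return f"{lo} to {lo + BUCKET_MONTHS}"


def age_distribution(records):
    """Percent of attacks per age bucket, the same shape as the slide's histogram."""
    counts = Counter(age_bucket(window_days(ident, rel)) for _, ident, rel in records)
    total = len(records)
    return {bucket: round(100 * n / total, 1) for bucket, n in counts.items()}


def share_under_months(records, months):
    """Percent of attacks whose target vulnerability was younger than `months` when exploited."""
    hits = sum(1 for _, ident, rel in records
               if window_days(ident, rel) < months * DAYS_PER_MONTH)
    return round(100 * hits / len(records), 1)


def sla_report(records, sla_days):
    """Would a patch deadline of `sla_days` after disclosure have preceded the threat?"""
    report = {"day-zero": 0, "exposed": 0, "covered": 0}
    for _, ident, rel in records:
        if is_day_zero(ident, rel):
            report["day-zero"] += 1   # no patch could have existed in time
        elif rel <= ident + timedelta(days=sla_days):
            report["exposed"] += 1    # threat arrived before the deadline
        else:
            report["covered"] += 1    # deadline fell before the threat appeared
    return report


if __name__ == "__main__":
    print("age distribution (%):", age_distribution(SAMPLE_RECORDS))
    print("targets younger than 12 months (%):", share_under_months(SAMPLE_RECORDS, 12))
    for sla in (30, 180):
        print(f"{sla}-day patch SLA:", sla_report(SAMPLE_RECORDS, sla))
```

On the constructed records, the two day-zero cases are untouchable by any patch policy, and moving the patch deadline from 30 to 180 days after disclosure turns a second record from "covered" into "exposed"; that is the quantitative form of the slide's point that faster exploitation shrinks the window a patch process has to work in.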
Slide 12: New Technologies and Targets
Slide 13: General Threat Evolution
[Chart: Scope (Individual PCs, Individual Orgs., Regional, Sector, Global Impact) against Time (1990s, 2000, 2003).]
Slide 14: Threat Evolution: Malicious Code
Contagion timeframe classes, plotted against Time (Early 1990s, Mid 1990s, Late 1990s, 2000, 2003):
- Class I: Human response possible
- Class II: Human response difficult/impossible; automated response possible
- Class III: Human response impossible; automated response unlikely; proactive blocking possible
Slide 15: Malicious Code Protection Strategies
- Manual Fingerprints
- Auto Fingerprint Generation (for slower Class II threats)
- Distributed Sensor Networks; Protocol Anomaly Detection; Rule and Statistical Correlation
- Adaptive Security
Annotation on the slide: "Only useful after initial wave"
Slide 16: Faster, More Frequent Blended Threats
- 20% increase in blended threats
- New blended threats spread more quickly
- Protection against blended threats requires a layered, integrated approach to security
Trends
Slide 17: New Blended Threat Targets
- Microsoft IIS vulnerabilities
  - Large installed base
  - Numerous severe vulnerabilities
- Microsoft Internet Explorer vulnerabilities
  - Large installed base
  - Easy exploitation
Trends
Slide 18: Expanded Dangers from Blended Threats
- Theft of confidential information
  - Bugbear.B
  - 50% increase in attacks on confidential data
- Remote attacks
  - Disguised as worm activity
  - Bot armies execute remote commands
Trends
Slide 19: Information Security Solutions Today
- Fragmented functionality
- No integrated approach
- Lack of a cohesive security management capability
- Limited availability of expertise
- Overly complicated; not enough customization of applications
Point products scattered across the slide: Vuln Assess; Authentication; Common Console; Event/Incident Mgmt; Content Updates/Security Response; Security Services; Vuln Mgmt; Threat Management/Early Warning; Identity Mgmt; Intrusion Detection; Access Control/Auth; Honey Pot/Decoy Technology; 24x7 Global Customer Support; Antivirus; Config. Mgmt; VPN; Firewall; Attack Recovery Services; Policy Mgmt
Slide 20: Symantec is Securing the Enterprise
Capabilities shown as one integrated set: Authentication; Threat Management/Early Warning; Encryption; Antivirus; Honey Pot/Decoy Technology; Firewall; Intrusion Detection/Prevention; Proactive Control; Vulnerability Assessment; VPN; Policy Compliance; Content Updates/Security Response; Event/Incident Mgmt; 24x7 Global Customer Support; Access Control/Authorization; Identity Mgmt; Attack Recovery Services; Config. Mgmt; Common Console
Slide 21: Securing the Enterprise: Alert
Products: Early Warning (DeepSight); Decoy Technology (Decoy Server); Vulnerability Assessment
- Alert / Early Warning
  - Awareness of new vulnerabilities and global threats
- Areas of Future Focus
  - Continue to close the gap between awareness of security issues and specific immediate action
  - Leverage the global reach of 100 million endpoints in 180 countries
  - Protect valuable assets by focusing security resources on only those threats that can take down their network
Slide 22: DeepSight Blaster Worm Timeline
- 8/10/03 10:39 am: DeepSight TMS Port 135 Alert
- 8/11/03 8:44 pm: Blaster Worm Alert sent (TMS)
- 8/11/03 7:57 pm: ThreatCon Alert of worm (TMS)
- 8/11/03 10:00 pm: Blaster widely seen by others
[Chart: IP(s), vertical axis 0 to 300,000.]
All times GMT
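Slide 15 lists distributed sensor networks with rule and statistical correlation as the strategy for threats that outrun human response, and the Blaster timeline above shows the payoff: a port 135 alert raised from sensor data more than a day before the worm was widely seen. The script below is an added example of that correlation logic, not part of the original deck and not DeepSight code. The four sensor names, their hourly TCP/135 counts and the thresholds are all constructed: each sensor learns a mean and standard deviation from a quiet baseline window, an hour counts as elevated for a sensor when its z-score crosses a threshold, and an alert fires only when enough independent sensors agree, which keeps one noisy sensor from paging anyone.

```python
"""Cross-sensor statistical correlation for an early-warning port alert.

Added example, not part of the original slide deck and not DeepSight code.
Sensor names, the hourly counts and the thresholds are all constructed.
"""
from statistics import mean, pstdev

# Constructed sample: hourly counts of inbound TCP/135 connection attempts seen by
# four hypothetical sensors over 12 hours. Hours 0-7 are the quiet baseline. From
# hour 8 on, sensor-a spikes first, sensor-b and sensor-c follow, and sensor-d
# (a segment the surge never reaches) stays flat throughout.
SENSOR_COUNTS = {
    "sensor-a": [12, 15, 11, 14, 13, 12, 16, 14, 45, 160, 520, 1400],
    "sensor-b": [8, 9, 7, 10, 8, 9, 11, 8, 10, 120, 410, 1100],
    "sensor-c": [20, 22, 19, 21, 23, 20, 18, 22, 25, 24, 300, 900],
    "sensor-d": [5, 4, 6, 5, 5, 6, 4, 5, 5, 6, 5, 6],
}
BASELINE_HOURS = 8      # training window length (assumption)
Z_THRESHOLD = 3.0       # per-sensor "elevated" cut-off in standard deviations
MIN_SENSORS = 2         # sensors that must agree before an alert is raised


def sensor_baseline(series, baseline_hours):
    """Mean and population standard deviation of the quiet training window."""
    window = series[:baseline_hours]
    return mean(window), pstdev(window)


def zscore(value, mu, sd, sd_floor=1.0):
    """Standard score; the floor stops a near-constant baseline from flagging every wiggle."""
    return (value - mu) / max(sd, sd_floor)


def elevated(series, hour, baseline_hours, z_threshold=Z_THRESHOLD):
    """True when this sensor's count for `hour` is far above its own baseline."""
    mu, sd = sensor_baseline(series, baseline_hours)
    return zscore(series[hour], mu, sd) >= z_threshold


def alert_hours(counts, baseline_hours, z_threshold=Z_THRESHOLD, min_sensors=MIN_SENSORS):
    """Hours (after the baseline) in which at least `min_sensors` sensors were elevated.

    Returns a list of (hour, number_of_elevated_sensors) pairs.
    """
    hours = len(next(iter(counts.values())))
    alerts = []
    for hour in range(baseline_hours, hours):
        n_elevated = sum(elevated(series, hour, baseline_hours, z_threshold)
                         for series in counts.values())
        if n_elevated >= min_sensors:
            alerts.append((hour, n_elevated))
    return alerts


def first_alert_hour(counts, baseline_hours, z_threshold=Z_THRESHOLD, min_sensors=MIN_SENSORS):
    """Earliest hour an alert would have been raised, or None if the rule never fires."""
    alerts = alert_hours(counts, baseline_hours, z_threshold, min_sensors)
    return alerts[0][0] if alerts else None


if __name__ == "__main__":
    for name, series in SENSOR_COUNTS.items():
        mu, sd = sensor_baseline(series, BASELINE_HOURS)
        print(f"{name}: baseline mean={mu:.2f} sd={sd:.2f}")
    for needed in (1, 2, 3, 4):
        print(f"alert with {needed} sensor(s) agreeing: hour",
              first_alert_hour(SENSOR_COUNTS, BASELINE_HOURS, min_sensors=needed))
```

On the constructed data only sensor-a is elevated at hour 8, so a rule that trusts a single sensor alerts an hour earlier than the two-sensor rule, at the price of firing on anything one sensor sees; requiring three sensors delays the alert to hour 10, and sensor-d never joins, so a four-sensor rule never fires. Picking `MIN_SENSORS` is the latency-versus-false-positive trade that the "rule and statistical correlation" strategy exists to tune.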
Slide 23: Securing the Enterprise: Protect
Integrated Solutions: Client Security; Gateway Security
Best-of-breed products: Host and Network Intrusion Detection/Prevention; Antivirus; Filtering; Firewall; VPN
- Protection
  - Multi-layered security at the Gateway, Server and Client
- Areas of Future Focus
  - Stronger protection
  - Faster speeds
  - Prevention technologies
    - Proactively block attacks
  - Wireless/mobile support
  - Client compliancy
  - Tighter integration with Early Warning services
  - Extending integrated security to all layers
Slide 24: Symantec Client Security
- Best-of-breed plus integration provides better protection for lower Total Cost of Ownership
  - Antivirus
  - Client Firewall
  - Intrusion Detection
- Future enhancements to include
  - Client-compliancy checking
  - Enhanced FW capabilities
  - Location awareness
Slide 25: Intrusion Protection Solutions
- High speed multi-gigabit network detection
- Multiple advanced detection methodologies
  - Protocol anomaly detection, signature, behavioral, hybrids, decoy
- iForce appliance option built by Symantec and Sun
- Protection controls at the host, network, and decoy
- Interoperability with 3rd party data collection
Slide 26: Symantec AV for Handhelds, Corporate Edition
- Desktop-assisted solution
- Integrated with existing update infrastructures
- Comprehensive cross-platform support
- On-device real-time and on-demand scanning
- Automatic scans on memory media insertion and after synchronization
- On-device wireless LiveUpdate
Slide 27: Securing the Enterprise: Respond
Products and services: Security Response (LiveUpdate); 7x24 customer support; Professional Services; Disk Recovery
- Respond
  - Trusted, timely content updates
  - 24/7 global remediation support
- Areas of Future Focus
  - Anticipating likely exploits of vulnerabilities
  - Providing proactive updates that block attacks using anticipated exploits
Slide 28: Securing the Enterprise: Manage
Products and services: ESM (Policy Compliance); Security Management; Incident Manager; Event Managers; Managed Security Services
- Manage
  - Real-time security management to identify and prioritize:
    - critical vulnerabilities
    - non-compliance
    - malicious events
    - blended threats
- Areas of Future Focus
  - Patch management and deployment
  - Increased platform (OS/DB) support
  - Integration with HelpDesk applications
  - Additional correlation technologies
  - Significant increase in collectors
Slide 29: Conclusion: Optimize Control and Minimize Complexity
- Key process elements for an effective security program: Alert, Protect, Respond, Manage
- Security is too complex; it needs to be simplified
- Symantec's security application and management integration simplifies security
  - Increases protection
  - Reduces total cost of ownership
  - Provides 360 degree view of security posture
- Integrate our robust security content in all of our products
- Provide flexible, fast, expert support to our customers
- Deliver world-class security threat information and response