Hallo Zusammen,

um möchst vielen Teilnehmern des Forum die Möglichkeit zu geben am nächsten User Group Treffen teilzunehmen möchte ich dieser Stelle den ungefähren Zeitrahmen schon mal definieren. 

Geplant ist es für den Okt/Nov 2016 und es soll diesmal im Norden der Republik statt finden. 

Aktuell suchen wir einen Gastgeber, aus dem Runde der Teilnehmer, der einen Meetingraum zur Verfügung stellen könnte.

Wer dies gerne übernehmen würde darf sich gerne direkt bei mir melden, dies wird mit 300 Connect Punkten belohnt.

Vielen Dank

Sven von Kreyfeld

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Hi all,

in order to give as much as possible Connect Members the chance to join the next Usergroup meeting we would like to annonce her a rough planning.

Meeting shall take place in the north of Germany in Oct/Nov timeframe. 

We are currenly looking for volunteers to host the meeting, 300 Connct point will be granted.

Pls feel free to contact me directly in case you want to apply.  

best regards

Sven von Kreyfeld

Innovation and creativity needs to be deeply woven into any company's culture. At Symantec, I see every day great technology and business ideas coming from across the company. We need to enable our team members with these ideas to work with our engineering centers, research labs, and global services teams to transform their innovative ideas into cutting-edge products and services.

Recently, Symantec was recognized for its innovation by several independent industry organizations.

• Thomson Reuters named Symantec a Top 100 Global Innovator for the 5th consecutive year. Symantec was also mentioned in Thomson Reuters' new list of top 25 Bay Area Innovators.
• Gartner named Symantec a Leader in three critical areas of the 2016 Gartner Magic Quadrant report: Data Loss Prevention, Managed Security Service Providers, and Endpoint Protection Platforms.
• AV-TEST.org announced that Symantec Endpoint Protection won the Best Protection 2015 award for corporate endpoint security

Principles of Innovation

What makes an organization truly innovative, and what are the elements that create a culture of innovation? In my experience, there are several principles that help position a company for successful innovation. These include:

• Strong culture of innovation - Innovation should be coming from the "bottom up" and not just "top down" and should be coming from all pockets of an organization; it's important for the management to create a thriving culture of innovation by providing the right contour and framework, right settings, and appropriate incentives vs. top down edicts.
• Solving contemporary problems - The trick with innovation is that it should not come too late, nor too early but at the right time where the innovative ideas can address contemporary problems and challenges facing the industry and society at large.
• Organic innovation vs. Inorganic innovation - Companies succeed or fail by their ability to innovate organically; inorganic innovation needs to complement organic innovation rather than being in lieu of it.
• Innovation in current products and technologies - This is just as important as developing brand new solutions
• Celebrating both successes and failures - It's critical for organizations to mark not only success but failures, too. What worked? What didn't? What are the lessons learned for future endeavors?

Innovation for Today and Tomorrow

As a global leader in cybersecurity, Symantec sees more threats and protects more customers from the next generation of attacks. Every day we strive to achieve a higher level of security for our customers, partners, and the entire industry.

There is an infinite demand for innovation in security due to the ever changing threat landscape. Today, we are on the cusp of a true post-industrial and digital revolution, with the advent of Cloud, Mobile, and Internet of Things. However, success of this post-industrial digital revolution will depend on organizations' and consumers' ability to trust these systems. The security industry needs to be on the front lines to defend this and defend what we all believe in—that is, a thriving and prosperous world for generations to come.

At Symantec, we're in the midst of the most active and organic product innovation cycles. More importantly, we're deeply committed to help make a difference towards the betterment of this world. Innovation and creativity inspires us to achieve this and help ensure prosperity today and tomorrow.

This week is the 65th annual Engineers Week, and today, is Introduce a Girl to Engineering Day or “Girl Day”. Started in 2001 as a joint effort between NSPE, IBM, and National Engineers Week Foundation, Girl Day 2016 marks the 15th year of a special focus where women engineers, and their male colleagues, have the opportunity to introduce more than one million girls and young women to engineering. With just 12% of engineers as women, more than just one day, Introduce a Girl to Engineering is a national movement that shows girls how creative and collaborative engineering is and how engineers are changing our world. 

The purpose is not only about inspiring girls to pursue engineering; it is also about changing their perceptions of what engineering is all about. Science, engineering, technology, and math (STEM) education is a core philanthropic focus area for Symantec and we’ve partnered with organizations that address the skills gap by inspiring and encouraging girls and young women to pursue STEM.

Tech Trek Camp Building Excitement and Self-Confidence in STEM

We partnered with the American Association of University Women (AAUW) to support their National Tech Trek program– a weeklong summer camp that introduces middle-school aged girls to STEM. The campers participate in hands-on workshops to learn everything from coding to how to build a rocket and even about cybersecurity. As part of their experience, one of the days is a meet-and-greet field trip where they get to interact with professionals in STEM. Mentorship or having a role model helps young people see the possibilities. One Tech Trek camper shared her experience with us on the blog: “One of my favorite evenings was Professional Women’s Night when lots of women from all sorts of backgrounds in STEM came to the campus to speak about what they do. I was inspired by the fact that there is a lot more out there than I had expected. Although STEM may seem like just a science class in school, there are many professions out there.”

Tech Trek Campers at Bowling Green State University

Sparking a World of Innovation and Equality

Symantec and the Global Fund for Women joined forces last year to launch a global campaign and online multimedia project called IGNITE: Women Fueling Science and Technology. Through this campaign, Global Fund for Women hopes to highlight that, with equal access and control to shape technology and science, women and girls bring unique and in-demand needs, experiences and perspectives to this sector. Symantec’ General Manager (GM) of Symantec’s Trust Services, Roxane Divol, shared her thoughts on the importance of bringing women into technology. “I advocate for more women in STEM not just because I believe in the potential of the STEM and tech sectors to lift millions of women and their families around the world out of poverty, but also because I feel that diversity is fuel for our future. Without it, we are missing out on untapped talent, differing points of view, and on innovation that can make a real difference to both corporate culture and the bottom line,” Divol states in her article. IGNITE seeks to empower women by removing the barriers to technology that women and girls’ face globally. In the ‘Be the Spark!’ collection, it showcases sixty women from historical figures such as Ada Lovelace to young women who are just embarking on their careers like Siphathisiwe Sibanda. The collection shares the stories of these women and their passion for science and technology to inspire and encourage women to pursue their passions in STEM.

Be the Spark!: Inspiring women to pursue their passions in STEM.

Conference for Women Technologists, by Women Technologists

Each year, Symantec participates at the Grace Hopper Conference (GHC) presented by the Anita Borg Institute, which is the largest gathering of women technologists in the world and is dedicated to celebrating women in computing. The three day conference is designed to empower women technologists by providing a platform to showcase women in technology featuring inspiring presentations from industry leaders and professional development activities. The Grace Hopper Conference happens two times a year, in the United States and in India, drawing in thousands from all over the world to connect, inspire, and guide women in computing. Over 100 female Symantec employees from across India attended the Grace Hopper Conference in Bengaluru, India. Sudhanshu Pandit said of the event: “Events such as GHCI play a big role in building our brand as a great place to work for technical women and in recruiting future employees. We hosted a career fair booth at the event, which never had a dull moment.”

Symantec women with Telle Whitney, President and CEO of The Anita Borg Institute

Symantec Hosts Screening of the Documentary CODEGIRL

The screening of CODEGIRL at the Symantec Headquarters was an event to be remembered! Over 100 people gathered at Symantec’s Mountain View Headquarters for the documentary screening of CODEGIRL, a film that follows teams of girls from all around the world as they compete in the Technovation Challenge – an international mobile app competition for girls in middle and high school that tasks them to solve an issue in their community by creating an app. The concept of the Technovation Challenge is to empower girls within technology and entrepreneurship and the film takes you from rural Moldova to urban Brazil and to the suburbs of Massachusetts as the girls find mentors, learn to code, and develop their business plan. Dr. Anuranjita Tewary, founder of the Technovation Challenge, was compelled to start Technovation when she noticed how immensely underrepresented women are in technology and entrepreneurship. Leslie Chilcott, Director of CODEGIRL, made the film because she wanted to inspire girls to code. “I wanted to get the film out because I wanted to inspire more teen girls to sign up for the competition this year, and that’s what happened,” Chilcott says. “It scares me that 51 percent of the population is often left out of the design, architecture, and decision-making process,” Chilcott adds. “Women are huge users of apps and technology but not big creators of it. I think it’s going to have a huge impact on society if that doesn’t change.” At the Symantec screening, one of the featured teams in the documentary, the Puppy Sized Elephants, two girls based out of Cupertino, California did a Q&A about their experience with the Technovation Challenge. They shared how they learned to code from free online platforms and described the process of making their app, My Cash Count. 

The Puppy Sized Elephants, one of the teams featured in the documentary, did a Q&A after the showing of the film.

Introduce a Girl to Engineering

What does it mean to be an engineer? There are essential skills or aspects about being an engineer that are often overlooked. DiscoverE shares five powerful messages of what being an engineer looks like:

• Curiosity—Engineers ask lots of questions that start with: Why? How? What if? 
• Creativity—Engineering is a great outlet for the imagination—the perfect field for independent thinkers.
• Teamwork—Engineering takes teamwork, and engineers work with all kinds of people inside and outside the field. Whether they’re designers or architects, doctors or entrepreneurs, engineers are surrounded by smart, inspiring people.
• Opportunities—An engineering degree offers lots of freedom in finding a person’s dream job. It can be a launching pad for jobs in business, design, medicine, law, and government. To employers or graduate schools, an engineering degree reflects a well-educated individual who has been taught ways of analyzing and solving problems that can lead to success in all kinds of fields.
• Helping Others—Imagine what life would be like without pollution controls to preserve the environment, life-saving medical equipment, or low-cost building materials for fighting global poverty. All this takes engineering. In very real and concrete ways, engineers save lives, prevent disease, reduce poverty, and protect our planet.

Today on #IntroduceAGirltoEngineeringDay, share the benefits and amazing opportunities that come with being involved in STEM! 

Thanks to all who attended our webcast, "Best Kept Secrets of IT Management Suite" (EMEA edition) on Thursday, February 25!

And, extra special thanks to our esteemed customer panel!

• Ian Atkin (Oxford University)
• Stefan Scheuber (ICA Gruppen)

To download or play the Webcast recording, click here.

Be sure to join us on March 23rd for our Launch Webcast for IT Managment Suite 8.0!

Bonus Materials:

• How to set detection rules for compliance when rolling out applications
• How to create a pilot computers filter: dynamic, automatic & maintenance free

Here is the Q & A transcript with answers to all the questions asked during the webcast.

Question:
Question to Stefan, do you have some Self Service portal where the user easily can download and install the software (if uninstalled by workflow process) or do they have to submit a ticket to Servicedesk to get the software.

Answer:
Stefan answered, "As of now, we do not have a self-service portal. The user has to call the Service Desk to get the software back. But, we're currently working on to integrate this in our order process for certain software to include this."

Question:
Hi, I have a question regarding a feature that I have been looking for in Patch Management. In the Patch Management view looking at for example 'Compliance by Update' it would have been much helpful to be able to view this by adding another Parameter selecting ONLY one or several Patch Policies to scope down the result based on the actual Policies you just applied.

Answer:
The patch compliance reports are from a stored procedure in the database, with this in mind we did recently write a report for a customer that altered the patch compliance report, and allowed the customer to filter the view by "severity". Your request is similar as you wish to filter by "Policy" or "Bulletin". I can supply the report we created and maybe you can look to see how it is created and replicate it. Again if you struggle please engage our consultancy services for this customisation project. 

Question:
Stefan, Do you use SWV -packages or msi/setup.exe -based software?

Answer:
Stefan answered, "We mainly use traditional msi software packages. We did a couple of tests with the virtualized packages but we are not really using it. We had it for Internet Explorer but we don't really use it."

Question:
Hi, Do anyone have a way to get a notification when a Patch Policy have been successfully applied. Like letting the system sending an email to an Administrator notifying that all patches is now applied on a specific machine or for all selected targets?

Answer:
This is a great idea and I beleive possible but would probably involve either workflow solution or a Notification Policy. I would encourage you to speak with one of our consultancy partners as they may have the experience in creating this customisation

Question (Comment):
The workflow is great for patch management. We have expanded it to be 4-level, all happens automatically! Great tool! And PM is working perfectly within 7.6.

Answer:
Excellent! Thanks for the feedback!

Question:
Ian, why is Oxford is using 7.5+DS 6.9 combination? Are you planning to move into DS 7.6 within CMS 7.6?

Answer:
Ian answered, "The reason why we currently stuck with Deployment Solution 6.9 for deployment because it was our legacy deployment mechanism but also because it's something we've highly tuned. Our customer wants to be able to take a machine and have it deployed from start to finish and know that its deployed and know that its patched in about 45 minutes. That's our target. That we found difficult to achieve with DS 7.5 framework because its all policy based. So for organizations who wants to set-up a machine in the corner and don't really mind when it's completed, 7.5 is great for that. But, as we have a stringent requirement with the live feedback, then we currently kept with Deployment Solution 6.9. And we will migrate to Ghost Solution Suite 3.0 when those licenses get transferred."

Question:
When is ITMS 8.0 available for customers ? We are in process of standing up ITMS 7.6 in next 1-3 months.Is it advisable to install ITMS 8.0 instead of 7.6 ? Please advise.

Answer:
IT Management Suite will be generally available on Monday, March 7th.

It is difficult to make a recommendation on whether to go with 7.6 or 8.0 without having more details on your specific situation. Please contact your sales rep or a member of our Solutions PM team to discuss further. We also invite you to attend our Launch Webcast on March 23rd to learn more about 8.0 and hear from customers who have implemented it. You can sign-up for that webcast here:  https://www.brighttalk.com/webcast/13361/193871?cid=70138000000jN7uAAE&mc=197526&ot=wc&tt=em

Question:
Does it require buying a new license for ITMS 8.0 inorder to upgrade from 7.6 to 8.0?

Answer:
IT Management Suite customers current on maintenance have a free entitlement for version 8.0. In addition, IT Management Suite 8.0 is an in-place upgrade from versions 7.5 and 7.6.

Question:
About Patch Management, Stefan says that they are patching all software from available vendors than Microsoft. How do they handle software build-in auto-update function?

Answer:
Stefan answered, "This is always a tricky one. We always try to actually disable to the auto update function for the products which we package because it normally interferes with the automated process of patch management. So my tip here is to disable the auto update functionality. Especially with certain applications this is important. For example if you are using Java, it can be improtant to have a certain version of Java running on the system. It has been a problem in the past if the auto update was hitting and was updating the Jave version and certain applications no longer work. It can be very important to not use the auto-update feature."

                A little over a year ago, my team and I were looking down the barrel of a brand new Altiris solution that was going to revolutionize the way that we manage assets.  This solution carried the promise of increased patch coverage, faster data return and a more solid view into our remote workforce.  There has to be a catch right?  You want me to place an unhardened Windows box on the edge of our fiercely protected beach AND put it’s toes in the water?! Blasphemy!  It will never work!  Well, after much work with Symantec engineering over certificate relationships and trust models, we finally felt confident that we were safe.  After this journey, to be honest, I only half expected this solution to work much less yield any tangible results. 

                It turns out that I couldn’t have been more off-point.  In the last year with Cloud Enabled Management, I have seen our coverage and reach increase tenfold.  Patching has never looked better, assets that were once lost are now found, and our management team has so much more insight into where and what are endpoints are experiencing on their respective journeys.  Anyone with a mobile workforce would benefit from CEM in more ways than you can imagine.  In my adventures as a system admin, I come across all sorts of nonsensical “reviews” and “blogs” claiming miracles.  I’m the first one to shoot holes in these claims but as a real world admin with real world concerns, I can confidently stand behind this product as a winner.

Defending your enterprise from cyber threats today is an increasing challenge. Targeted attacks pose risks to sensitive data loss, financial loss, reputation damage and more. Meanwhile, advanced attacks continue to accelerate and evolve. Symantec research reveals that 5 out of 6 large companies were victims of targeted attacks in 2014, a 40% increase over the previous year, and that an estimated 1 million new malware threats are created daily.

Today’s attackers are often well funded and state-sponsored. Highly stealthy and persistent, these attackers create new techniques to hide themselves while compromising defenses and critical data. Attackers have moved far beyond targeting limited financial incentives like theft of credit card and Netflix accounts. They are disrupting power grids; taking hospital systems offline with ransomware; influencing political outcomes with deceptive, targeted attacks; and destabilizing financial market systems with financial, hacktivism, political, and nation-state cyber offensive and defensive goals in mind.

To fight these growing threats, enterprises need an intelligent next generation threat protection solution that doesn’t just address one or two capabilities but provides end-to-end protection.

At Symantec, we’ve developed the most intelligent next generation threat protection by focusing on areas like multi-dimensional machine learning and deep learning. I’ll go into more detail later how Symantec is leading the industry with these, but first, let’s look at what intelligent next generation threat protection entails.

How we define next generation threat protection

There’s seems to be a lot of confusion over what next generation threat protection really is and isn’t. It’s time to debunk some of the myths out there.

To help customers and the industry understand what next generation threat protection means, Symantec recently defined what enterprises should look for in an intelligent next generation threat protection solution.

As an example, Symantec Next Generation Threat Protection capabilities include:

• Blocking advanced threats and zero-day attacks with multi-dimensional machine learning, advanced exploit prevention and hardening;
• Proactive attack prevention with real time intelligence from Symantec’s global threat analytics and expert threat researchers;
• Deep forensics and fast remediation of advanced attacks with the latest EDR technology using a single agent;  
• High performance and low false positives.

These four capabilities are the essential building blocks for what true next generation threat protection is and should be defined. 

Multi-dimensional machine learning to protect against advanced threats

How can multi-dimensional machine learning help protect your enterprise?

Machine learning (ML) is a class of algorithms that can learn concepts through automated analysis of large amounts of data. Many security firms use ML “classifiers” to detect new attack artifacts like malicious files or URLs. For example, to build a malicious file classifier, they might gather large numbers of legitimate and malicious software files and analyze them to extract their behaviors (such as, this program attempts to delete files in the system directory, or this file tries to change a security setting, etc.). They then feed this training data into a ML system, which learns to discern good files from bad by learning characteristics of behaviors associated with each category of software. 

The problem with these systems is that their decision-making is based on behaviors that are entirely under the attacker’s control. For example, an attacker can simply change their threat to use a different sequence of behaviors and an existing ML classifier is vulnerable to fail to detect it. Or the attacker can adjust the size of their threat’s binary file and shuffle around a few instructions, and their new threat will no longer trigger the classifier. Ultimately, this singular reliance on attacker-controllable features (such as behaviors or software instructions) makes these ML systems extremely brittle to attack.

How is Symantec’s machine learning approach different?

Symantec has pioneered an entirely new approach to security using multi-dimensional machine learning that combines both traditional features (like those described above) with a “wisdom of the crowds” cloud approach that computes the safety of any single software file and URL on the Internet by analyzing their adoption patterns across Symantec’s hundreds of millions of active customers.

By analyzing trillions of real-time, daily interactions between Symantec’s customers and software files and websites across the Internet, Symantec’s ML systems learn which software and websites are adopted by different demographics of users—power users, novices, enterprises, frequently attacked users, users in different geographical regions, etc., and which software and websites are avoided by these same demographics. This approach—looking at the context of who adopts or avoids software and websites—rather than what the software/website itself looks like or how it behaves, provides a completely independent evaluation of an artifact’s safety that is nearly impossible for an attacker to control. Symantec’s adoption-based ML systems know whether a file has been adopted by thousands of users, or has never been adopted by a single user. It knows whether a file is being avoided by power-users, or being adopted at high rates by frequently-infected users. These interactions provide a huge amount of context into the safety of a new file or URL.

Symantec uses this population adoption-based ML approach both on its own, as well as in conjunction with more traditional ML approaches that consider a software file (or URLs) behavior and structure. The result is an ML system that considers both what a software file (or URL) does as well as its real-time interactions with Symantec’s customers, and as such is far more resilient to attack and also far more sensitive (while reducing false positives).

The other issue for security firms that rely entirely on endpoint based ML with no cloud component is that the entire software stack is available to the attacker for potential manipulation—on the endpoint. Symantec uses ML where it matters—on the endpoint, and in the cloud that attackers cannot compromise, while also optimizing for scale and speed, making it effective across a variety of enterprise conditions.   

And Symantec, with the world’s largest sensor network, is uniquely positioned to deliver such an innovative ML approach. No other vendor has the level of global visibility required to compute such context-based ratings.

Better data, better protection

Data and algorithms are key to “tuning in” protection; and having better data is the first hurdle to cross. Without the right data, you may be missing visibility that cannot be extrapolated. Without the right algorithms, you can’t focus on the relevant data. And lastly, without the right experts, you can’t make sense of it all. Fortunately, Symantec combines all these attributes and capabilities.

So what does all this mean for signature definitions?

With the advancement of proactive machine learning technologies like cloud intelligence, signature definition sizes have dropped significantly. To use an analogy, they are not larger than a few image downloads when browsing the web.

Beyond machine learning, deep learning

Symantec is taking machine learning even further with deep learning.

Simply defined, deep learning is a state of the art machine learning technique that uses artificial neural networks, inspired by the human brain, to learn in a manner similar to the way we learn. Deep learning networks are capable of progressively abstracting from raw data inputs to higher-level concepts. It is this hierarchical generalization capability that endows them with robust statistical properties capable of learning from very little labeled data, reconstructing partial inputs, detecting anomalies, etc.

Symantec has a Center for Advanced Machine Learning (CAML), a team of security machine learning experts who perform research and development in advanced ML techniques, including deep learning.

Symantec Cynic—an example of how we apply machine learning in the context of cloud-based sandboxing

Symantec Cynic, a part of Symantec Advanced Threat Protection, is a cloud-based dynamic malware analysis service that provides the ability to detect advanced threats. Unlike most sandbox analysis products, which focus on offering a variety of virtual machines or customer-specific images to detonate and detect malware, Cynic uses advanced machine learning-based analysis combined with Symantec's global intelligence to detect even the most stealthy and persistent threats.

Today, 28 percent of advanced attacks are "virtual machine-aware" which means they don't reveal their suspicious behaviors when run in typical sandboxing systems. To combat this, Symantec Cynic executes suspicious files on physical hardware to uncover those attacks that would evade detection by traditional sandboxing technologies.

Cynic takes the results from all of these technologies and provides the verdict and analysis results to users, along with valuable threat intelligence.

Innovative thinking produces innovative results

As part of Symantec’s ongoing commitment to innovation, our vision is built on the four key pillars of threat protection, information protection, cyber security services and unified security analytics. We are developing a comprehensive big data analytics platform for collecting vast security telemetry that analyzes it for local and global threats, and then converts the insights into secure outcomes. And our advanced machine learning and deep learning technology innovations are vital components of our vision.

Recently, AV-TEST.org announced that Symantec Endpoint Protection won the Best Protection 2015 award for corporate endpoint security. Furthermore, Symantec was recently named a leader in three critical areas in the 2016 Gartner Magic Quadrant report: Data Loss Prevention, Managed Security Service Providers, and Endpoint Protection Platforms.

These achievements prove that Symantec is recognized as a leader in this space and how our continuous innovation advances the industry. And while it’s an honor to receive these recognitions, we’re still focused on doing what’s best for our customers: defining and delivering true next generation threat protection.

My company; Cumulo9 Limted, processes 2-3 million emails per month for our customers in New Zealand.  Among our customers are a large number of brokers who process loan origination documents and insurance applications.  Some of their email recipients use Message Labs Cloud solution, others have Message Labs/Symantec installed.  Last week an update was made to the Messge Lab definition which meant that a large number of our emails were being accepted (with a 250 SMTP response code to us) but were then being dropped - leaving no way for the recipients to release them to their final destination.  We tried to contact Message Labs but were told nothing could be done as we are not a customer.  Your Custoerm Servcies rep did confirm that our IP addresses were all OK in your system.  In parallel we made contact with a number of the email recipient IT departments who contacted Messsage Labs (Symantec) and the problem was resolved - but in no case were the inidividuals who raised the issue informed of what the change was.  This last weekend the problem has been re-introduced to both the Cloud system and installed systems.  It is causing a serious impact on business in New Zealand.  None of Symantec's competitors is blocking any of our email including Mail Marshall, Kaspersky, Death 2 Spam and SMX.  Several of the recipient customers have spent considerable time on the telephone with Symantec and with no resolution in sight, at least one of them has had to turn off the Message Labs/Symantec service until a fix is resolved - in other words, poor secrity decisions are getting in the way of business

There are several issues that need to be answered here:

1 Why does the Message Labs Admin inteface give NO information about why the emails are being dropped?

2 Why will Message Labs not provide their customers with a reason as to why the problem was casued or how it was fixed

3 What controls need to be improved to ensure that fixed issues are not immediately re-created

4 Why won't Message Labs (Symantec) consider a relationship with recognised volume senders in various geographies so that issues like this can be resolved.  WE coudl work directly with Symantec to resolve situations like this very quickly.

In an earlier blog, Symantec Labs posted the results of some internal tests that compared the efficacy of Symantec Endpoint Protection (SEP) to CylanceProtect (http://www.symantec.com/connect/blogs/cylanceprotect-symantec-labs-analysis).

Our Symantec Labs team believed that we had identified some glaring, objective weaknesses in the Cylance product when addressing real-world threats, and we suggested that third-party validation was a reasonable next step.  Given Cylance’s lack of participation in any independent tests at the time, the industry lacked independent validation.

We did not have to wait long for independent researchers to step up to fill this gap.  AV-Comparatives (www.av-comparatives.org) and MRG-Effitas (www.mrg-effitas.com) tested the efficacy of SEP versus CylanceProtect and have published their results.

The Test Results

“In this independent assessment Cylance clearly delivered inferior protection against In-the-Wild threats and exploits compared to Symantec.”

AV-Comparatives and MRG-Effitas recently completed an in-depth real-world protection comparison between Symantec Endpoint Protection and CylanceProtect.  Results demonstrated that SEP protected against 100% of in-the-wild malware while Cylance trailed behind at 92% efficacy.  Even more significantly, SEP protected against almost 45% more exploits than CylanceProtect, with SEP protecting against 90% of exploits versus CylanceProtect guarding against only 63% (http://www.av-comparatives.org/wp-content/uploads/2016/02/avc_mrg_prot_2016_02_24_cyl_sym_en.pdf). 

Symantec’s superior preemptive detection and prevention capabilities were also evident during the AV-Comparatives and MRG-Effitas tests.  In addition to achieving significantly higher overall efficacy, SEP prevented more than three times as many exploits from executing than CylanceProtect.

The Deeper Issue

Despite detecting some of the malware installed by the shellcode tests, these failures on Cylance’s part are indicative of a deeper product strategy issue. Hackers are never idle.  Their toolkits and approaches are continuously mutating in an effort to find weaknesses to exploit the moment that cyber security products deploy new defenses.  As a result, a multi-dimensional approach is critical to ensuring long-term confidence in your cyber security solution.

Consider the hacker as the player and completion of a marble maze as a successful exploit and exfiltration of data.  A single-dimensional solution like CylanceProtect that relies on only one strategy (i.e., algorithmic detection) offers perhaps a single wall and hole for the hacker to circumvent.  Once the hacker is successful, it will become easier over time to sidestep any single-approach product’s protection technologies.  Hackers have yet to see enough of the Cylance marble maze in the wild to exploit all its weaknesses.

Machine learning (ML) is a great tool but shouldn’t be used in isolation.  While the machine is learning, so are the attackers… learning how to circumvent the detection algorithms.

Some specific concerns come to mind from our extensive experience with machine learning:

1. Many security firms use ML “classifiers” to detect new artifacts like malicious files or URLs.  The problem with these systems is that their decision-making is based on behaviors that are entirely under the attacker’s control. For example, an attacker can simply change their threat to use a different sequence of behaviors and an existing ML classifier is vulnerable to fail to detect it,
2. The other issue for security firms that rely entirely on endpoint based ML with no cloud component is that the entire software stack is available to the attacker for potential manipulation – on the endpoint.  Symantec uses ML where it matters – on the endpoint and in the cloud where attackers cannot compromise the intelligence, while also optimizing for scale and speed, making it effective across a variety of enterprise conditions.

Unlike CylanceProtect, Symantec Endpoint Protection is a multi-dimensional Intelligent Endpoint Protection Platform with machine learning that leverages multiple unique classifiers, combined with analysis of real-time software adoption patterns across Symantec’s hundreds of millions of active customers.   This multi-dimensional approach, deployed on the endpoint and the cloud, makes it extremely effective in proactive prevention while reducing false positives, and far more resilient to attack.  Symantec endpoints have withstood attacks from an army of hackers who have played its complex marble maze many times.

Data and algorithms are key to “tuning in” protection, and having better data is the first hurdle to cross. Without the right data, you may be missing visibility that cannot be extrapolated. Without the right algorithms, you can’t focus on the relevant data. And lastly, without the right experts, you can’t make sense of it all.  Fortunately, Symantec combines all these attributes and capabilities. SEP leverages multiple, complementary strategies and technologies to counter attacks: Machine learning-based, network-based, hardening-based, and policy-based protection all work together to provide customers with the best endpoint protection.  These technologies are described in detail on our next Next-Generation Threat Protection site: https://www.symantec.com/solutions/next-generation-threat-protection.

Our proven technology also recently received the top industry award for the 2015 best enterprise protection solution from AV-TEST: http://www.symantec.com/connect/blogs/and-best-protection-award-2015-goes-symantec-endpoint-protection-av-test.

Now consider the full portfolio of Symantec’s threat and information protection products like Symantec Advanced Threat Protection and Data Loss Prevention to realize that the hacker’s marble maze becomes exponentially more daunting to navigate.  For a complete look at some of our new offerings, check out our announcements at the RSA Conference (http://www.symantec.com/rsa/).

These dimensional marble maze differences between CylanceProtect and Symantec’s security portfolio are not purely academic.  In the AV-Comparatives and MRG-Effitas tests, CylanceProtect failed to catch Dridex, a financial Trojan:

“Among the missed samples are Metasploit exploits with in-memory Meterpreter, Dridex financial malware, in-the-wild exploit (malvertisement) and Sandworm Office exploit.”

In 2015 we leveraged our email security footprint, detection of spam, and cloud-based machine learning to deliver meaningful data to SEP through our Global Intelligence Network that permitted us to quickly lock in protection against Dridex.  For more details on this threat and our multi-dimensional capabilities, visit our Connect article: http://www.symantec.com/connect/blogs/dridex-financial-trojan-aggressively-spread-millions-spam-emails-each-day.

The Curtain

AV-Comparatives and MRG-Effitas made an observation about niche players like Cylance, who are delivering only single-dimensional protection strategies and who are reluctant to participate in independent tests:

“This behaviour is seen by many of the newer products that claim to be next generation. It looks like they try to avoid getting tested in order to continue to attract users simple [sic] by unproven marketing claims.”

A multi-dimensional approach is table stakes for effectively stopping today’s malware. If something looks too simple then perhaps it is time to check the math.  

Data and algorithms are key to “tuning in” protection; and having better data is the first hurdle to cross. Without the right data, you may be missing visibility that cannot be extrapolated. Without the right algorithms, you can’t focus on the relevant data. And lastly, without the right experts, you can’t make sense of it all. Fortunately, Symantec combines all these attributes and capabilities.

For a more extensive listing of the recent third-party tests, please visit our new Performance Center (http://www.symantec.com/connect/performance-center/).

A special thanks to AV-Comparatives and MRG-Effitas for providing these test results.

Two weeks ago, Worldpay, a major international payment processor, approached Symantec and the CA/Browser Forum with an urgent situation.  A small but still meaningful portion of the payment terminals within their global network can only function using the SHA-1 hashing algorithm.

SHA-1 is an older technology that has been shown to be increasingly vulnerable.  According to the current CA/Browser forum standards, starting Jan 1, 2016 Certificate Authorities are no longer allowed to issue new public SHA-1 certificates (although existing certificates can remain in use until they expire or until browsers and operating systems block them, currently planned for January 1, 2017 by several browsers). 

While Worldpay made considerable efforts to identify all their servers and believed they had obtained all the required certificates last year, some were missed which service roughly 1% of their credit card terminals and ATM machines globally. Due to Worldpay’s large global footprint, that small percentage translates into a number of potentially impacted businesses and end consumers.   

Following Worldpay’s request to the CA/Browser Forum, Symantec followed up with each of the major browsers directly.  After a public discussion on the Mozilla Dev Security Policy list, Mozilla proposed an approach that would enable Worldpay to get the required exception while minimizing the risk associated with additional SHA-1 certificate issuances.

The long-standing concerns about continued use of SHA-1 were reiterated by many as were the practical issues posed by Worldpay. We took this issue very seriously, as we had to weigh the additional risk against the potential negative disruption to Worldpay’s global merchant network and consumers.  After ruling out other possible technical options, we concluded that the approach proposed by Mozilla was the best available option. We issued these exception certificates to Worldpay last week and we will continue to work with them on alternate solutions that will adhere to industry best practices for certificate security, compliance, and management. A key element in our decision to issue these exception certificates was that they will be used only with non-browser clients – allowing the browsers to proceed uninterrupted with their upcoming plans to disable SHA-1 support.

Recognizing today’s complex technical interdependencies, several in the CA/Browser Forum raised the question of how to avoid this type of issue in the future. We are working with Worldpay and other customers to deploy alternate solutions, such as Symantec’s Private CA offering, that will ultimately separate the handling of encryption in credit card terminals, ATMs, cable boxes, and other non-browser clients from that in popular web browsers.

Symantec fully understands and promotes the necessity for adherence to best practices for certificate security management. That said, we also understand that real-world implementation is sometimes more challenging than we might anticipate, and we need to work together to not only create the right incentives for 100% compliance, but also to handle these real-world cases with the right level of consideration and nuance. We believe by collaborating with Mozilla and others, we have found a short-term solution that will enable businesses around the globe to keep functioning while providing some additional time, clearly required, to allow for the technical migration to SHA-2.

Symantec has enhanced its Cyber Security Services business globally on a massive scale, with a new dedicated Security Operations Center (SOC) in Singapore forming part of a US$50 million plus investment. The Singapore SOC will be the lead SOC (supporting customers in Singapore, ASEAN and Greater China) and Symantec’s fourth in the APJ region.

Why Singapore? APJ is a very dynamic and diverse region – and Symantec is right at the hub of an environment where organizations are being hit hard and targeted by any number of security threats. That is now driving our customers to seek out world-class solutions, as they move away from solutions that have become far less effective in this much more challenging world. At the same time, as for many other regions, security skills are really scarce, particularly at the high end. Moreover, a lot of enterprises within APJ are growing so fast that they need to prioritize how they use their internal resources. That has seen many out-task components of their security such as monitoring, allowing them to focus on other key areas within their business, but that means they have to have those world-class solutions as their security guarantee. Many of the customers we work with in APJ are world-class themselves, of course, with operations that also embrace the US and Europe.

So, consistency also matters greatly; they not only want to be able to protect their operations in APJ, but wherever they do business around the globe. Also, one important basic that can lead to confusion is in thinking that security is simply a technology business when it’s much more than that. It’s a people business. It is people who attack organizations and people who defend organizations. So putting a new SOC into Singapore is all about building those trusted personal relationships with our customers locally – and you only do that through people.

Our SOCs work on the principle of knowing exactly what is important to those customers, whether that be brand, availability or data protection. Making those key connections with our customers, whatever industry sector they are in, lies at the core of what we do.

Ultimately, because of that, those customers trust Symantec when it comes to protecting their business – and some of those companies are amongst the biggest brands in the world. But we have similar relationships right down to the smallest organizations. What unites them all is that they have entrusted us with helping to keep their operations safe. Our goal each and every day is to ensure we fulfil that trust.

Symantec’s CSS (Cyber Security Services) business has developed and matured more over recent years than at any other time in its existence. Most of all, we are on a journey where that development is reaching unparalleled levels, in terms of our analytics platform. This transformation is only going to continue over the coming 18 months or so and will have a huge impact, I believe, on how we work with and develop the close engagements we have with our customers in the APJ region.

Ghost Solution Suite 3.0 HF5 is now available from Fileconnect and the trialware site.

Please find the release notes here: https://support.symantec.com/en_US/article.DOC9187.html

I recently notice, Symantec End Point spontaneously changed group to "avdefs", when some new change is introduced e. g. creating new sftp directories etc.  It seems  problems occur during Symantec installation  "avdefs" is a group local to the system (i.e., not in LDAP), so it's important to have it not conflict with existing LDAP groups Pasted output below:

On stage-rtr1:
[root@stage-rtr1 ~]# grep avdefs /etc/group
avdefs:x:501:

[root@stage-rtr1 ~]# ldapsearch -x cn=cacheusr -b "ou=posixGroups,dc=healthix,dc=org"
...
gidNumber: 501
...
cn: cacheusr

During our conversation we came to a conclusion, the possible solution to this is:

1. Prompt us to enter correct group number.

2. Query LDAP database for unused Group numbers.

   Can code be modified so that “avdefs” group can be changed to a different group number.  We cannot change our software and there is a conflict between the two groups?

   Thanks,

   Michael   

Please feel free to contact me if any questions arise.

Michael Verbitsky

Systems Engineer

mverbitsky@healthix.org