企业网络威胁防护成为一项越来越大的挑战。有针对性的攻击能够带来敏感数据丢失、经济损失、名誉损失和诸多其他风险。同时，先进的攻击技术不断加速涌现和发展。赛门铁克的研究表明，2014年，每6家大公司中有5家是有针对性攻击的受害者，比上一年度增长了40％；估计每天有100万个新的恶意软件威胁产生。

今天的攻击者往往有充足的资金以及某些组织的支持。这些攻击者具有高隐密性和持久性。在给防御系统和关键数据带来损害的同时，他们创造新的技术来隐藏自己。攻击者的目标已经远远超出诸如盗用信用卡和Netflix帐户等有限经济回报的范畴。他们破坏电网；以勒索软件使医院系统脱机；以欺骗性、有针对性的攻击影响政治结果；扰乱金融市场体系，以实现其经济、黑客行动主义、政治以及民族国家网络攻击和防御等目标。

为了对抗这些日益增长的威胁，企业需要一个智能的下一代威胁防护解决方案——它不仅仅具有一两种功能，而是提供终端到终端的保护。

在赛门铁克，我们专注于多维机器学习和深入学习等领域，开发出最智能的下一代威胁防护系统。稍后将更详细地介绍赛门铁克如何以这些技术引领行业，但是首先，让我们来了解下一代威胁防护系统的概念。

我们如何定义下一代威胁防护系统

关于下一代威胁防护系统的真正含义，似乎存在很多疑惑。现在，让我们来揭开其中的一些神秘真相。

为了帮助客户和业界理解新一代威胁防护的意义，赛门铁克最近阐释了企业在下一代智能威胁防护解决方案中可能获得的益处。

例如，赛门铁克下一代威胁防护系统的功能包括：

• 以多维机器学习、高级漏洞防御和强化阻止高级威胁和零日攻击；
• 以赛门铁克的全球威胁分析和威胁专家研究员提供的实时情报防范主动攻击；
• 使用最新单一代理EDR技术对高级攻击进行深度取证和快速补救；
• 高性能和低误报。

这四个功能是真正的下一代威胁防护系统内涵和定义的最重要的构件。

多维机器学习，防范高级威胁

多维机器学习如何帮助保护您的企业呢？

机器学习（ML）是一类可以通过对大量数据的进行自动分析以学习概念的算法。许多安全公司使用ML“分类器”来检测新的攻击工件，如恶意文件或URL。例如，要建立一个恶意文件分类器，它们可能会收集大量合法和恶意软件的文件，并对其进行分析，以提取他们的行为（例如，该程序会尝试在系统目录中删除文件，或该文件会试图改变安全设置，等等）。然后，它们会将这些训练数据馈入ML系统，该系统会学习与每类软件相关的行为特征，从而辨别正常文件和恶意文件。

这些系统的问题是，其决策是基于攻击者完全控制下的行为。例如，攻击者可以简单地使用不同的行为序列来改变它们的威胁，现有的ML分类即可能无法检测到威胁。或者攻击者可以调整其威胁的二进制文件的大小和穿梭于数个指令，则新的威胁将不再触发分类器。最终，这种对攻击者可控制的功能（如行为或软件指令）的单一依赖性，使这些ML系统极易受到攻击。

赛门铁克的机器学习方法有什么不同？

通过多维度机器学习，赛门铁克开辟了一种全新的安全方法，它结合了传统的功能（如上述的那些）和一种被称为“群众智慧”的云方法，后者通过分析软件文件和互联网URL在赛门铁克数亿活跃客户的采用模式（Adoption Pattern），以计算其安全性。

通过在全互联网分析赛门铁克的客户与软件文件和网站之间的万亿级次实时、日常交互，赛门铁克的ML系统了解哪些软件和网站由不同的用户-超级用户、新手、企业、经常受到攻击的用户、不同地理区域的用户等群体采用，以及哪些软件和网站被这些群体回避。这种考察采用和避免软件和网站的用户环境而非软件/网站本身的结构或行为方式的方法，提供了对产品安全性的完全独立评估，而且几乎不可能受攻击者控制。赛门铁克基于采用情况的ML系统知道文件是已被成千上万的用户采用，还是从未被任何用户采用。它知道一个文件是否为超级用户所避免，或被频繁感染的用户所采用。这些互动为新文件或URL的安全性提供了一个巨大语境。

赛门铁克采用这种基于采用情况的ML方法，结合采用那些考虑软件文件（或URL）的行为和结构的较为传统的ML方法，开发出其独特的ML系统。这种系统既考虑软件文件（或URL）的功能，又考虑其与赛门铁克客户的实时互动，因此对攻击的防御能力更强，也更为敏感（同时能减少误报）。

对于那些完全依赖于没有云组件的终端ML的安全公司而言，另一个问题是整个软件栈都可能被攻击者在终端上操纵。赛门铁克根据需要在终端和云端使用ML，不受攻击者控制，同时优化规模和速度，使其在各种企业环境中有效。  

同时，拥有世界上最大的传感器网络的赛门铁克具有独特的优势，便于提供这种创新的ML方法。没有任何其他供应商有计算这种基于语境的排行所需的全球可见性。

更好的数据，更好的保护

数据和算法是“调谐”保护的关键；获得更好的数据是第一个要解决的问题。如果没有合适的数据，您可能会丢失能见度而无法外推。如果没有合适的算法，就无法聚焦于相关的数据。最后，如果没有合适的专家，就无法从这些数据中获得所需的信息。幸运的是，赛门铁克结合了所有这些特性和功能。

那么，这一切对签名定义意味着什么？

随着主动机器学习技术（例如云智能）的发展，签名定义的大小已显著降低。打个比方，它们在浏览网页时的流量不超过下载几个图像文件的大小。

除了机器学习，还有深度学习

赛门铁克正在通过深度学习将机器学习更推进一步。

简单而言，深度学习是受人脑启发、利用人工神经网络的最先进的机器学习技术，其学习方式类似于我们人类学习的方式。深学习网络能够从原始数据输入逐步提取到更高级别的概念。正是这种分层的泛化能力为它们提供了强大的统计特性，从而使它们能够从非常小的标记数据中学习，重建部分输入，检测异常，等等。

赛门铁克拥有先进的机器学习中心（Center for Advanced Machine Learning，CAML），其安全机器学习专家团队从事先进ML技术的研发——其中包括深度学习。

Symantec Cynic——一个在基于云的沙盒环境中应用机器学习的例子

Symantec Cynic是赛门铁克高级威胁防护的一个组成部分，它是一个基于云计算的动态恶意软件分析服务，具有检测高级威胁的能力。与大多数注重于推出各种虚拟机或客户特定图像来触发和检测恶意软件的沙盘分析产品不同，Cynic采用先进的基于机器学习的分析，结合利用赛门铁克全球情报，能够检测到最隐秘和持久的威胁。

如今，28％的先进攻击具备“虚拟机感知”能力，这意味着它们在典型的沙盒系统中运行时，不会暴露他们的可疑行为。为了解决这个问题，Symantec Cynic在物理硬件上执行可疑文件，以揭露那些能够躲避传统沙箱技术检测的攻击。

Cynic以所有这些技术获得检测信息，并向用户提供结论和分析结果以及有价值的威胁情报。

创新思维产生创新成果

作为赛门铁克关于创新的持续承诺的一部分，我们的愿景是打造威胁防护、信息保护、网络安全服务和统一安全分析四大支柱。我们正在开发用于一个收集广阔安全遥测数据的综合大数据分析平台，从中发掘局部和全球威胁，然后将这种洞察力转化为安全结果。我们先进的机器学习和深入学习技术创新是我们这一愿景的重要组成部分。

近日，AV-TEST.org宣赛门铁克终端保护系统获得了“2015年企业终端安全最佳保护奖”。此外，赛门铁克最近在2016年Gartner魔力象限报告三个关键领域获得领导者称号，这些领域包括：数据丢失防护、安全管理服务提供商和终端保护平台。

这些成绩证明，赛门铁克是本领域公认的领导者，以及我们如何通过不断创新推进产业的发展。在为获得这些认可而感到荣耀的同时，我们仍然在专注于最大程度地保护客户的利益：定义并提供真正的下一代威胁防护系统。

Symantec employees Darryl Cyphers, Scott Taylor, Kimberly Carriere, and Jannine Mahone. 

San Francisco Bay Area, CA — HBCUConnect.com, America’s original online network for community engagement and professional connections for alumni of the nation’s Historically Black Colleges and Universities (HBCUs), recently partnered with the global leader in cybersecurity to host a fireside chat to discuss the need for greater diversity inside Silicon Valley tech companies.

Thanks to all who attended our Launch Webcast (either in person or online) for IT Management Suite 8.0 on March 23, 2016! We had a fantastic Launch and are very excited about the release of ITMS 8.0!

We want to especially thank our presenters and esteemed customer panel:

• Vishal Gupta, Symantec, Vice President of Engineering and Product Management
• Hugo Parra, Symantec, Director of Product Management
• Damon Covey, Symantec, Director of Solutions Product Management
• Michael Cruz, Coach, Enterprise Endpoint Manager
• Jason Iloff, Secure-24, Symantec Senior Architect
• Tom LaRue, Cardinal Health, Supervisor, Infrastructure Management

To watch the Webcast recording, click here:

To learn more about, IT Management Suite 8.0, please visit: http://go.symantec.com/itms8

Be sure to join us on April 20 for the Launch Webcast for Ghost Solution Suite 3.1. Register here.

We are still working on answering all the questions that came in during the webcast and will update this post with the full Q & A transcript early next week. Check back soon.

Symantec is pleased to announce TouchDown for Android 9.0, codename TouchDown Venus.  The latest release features a new look and feel that provides you a simple and intuitive experience to help you get your work done faster.

TouchDown 9.0 features the following exciting benefits:

Redesigned TouchDown Features:

• Email
• Calendar
• Contacts
• Tasks
• Notes

TouchDown navigation screens.

Swipe left and right actions are available throughout the application for easy access to the information you need now.  Swipe from the left edge of your screen to display a TouchDown navigation screen.  The TouchDown navigation screen is available from anywhere within the app to help you navigate quickly and easily between email, calendar, notes, etc.    

Access to expanded Settings options.

The Settings Screen can be accessed from any TouchDown navigation screen by tapping the Settings icon.  The Settings is located on the bottom left portion of a TouchDown navigation screen.  Access the About Screen, Diagnostics Screen, and Licensing Screen , all from the Settings Screen.

Improved email management.

Select multiple emails at once to apply managment functions and perform tasks quickly.

Built-in threat protection.

Threat protection is embedded into your TouchDown app to protect you against the following:

• Rooted devices
• Devices infected with malware or other threats
• Devices with an emulator mode
• Devices with debugger attached
• Devices with a hiding root condition
• Devices with development options enabled

Your threat protection diagnostic data is provided by Symantec and held in strict privacy.  You can enable or disable threat protection mode at any time by toggling diagnostic mode.

TouchDown 9.0 replaces existing TouchDown applications on the Google Play Store.

The following TouchDown app information applies:

• TouchDown 9.0 will replace TouchDown HD on the Google Play Store at the end o March, 2016.  Updates are provided to users in phases throughout the month of April.
• Binary (.apk) files for both the applications will be shared with MDM vendors at a separate location at the same day that TouchDown 9.0 published on the store.

Note: If you are using TouchDown in an MDM controlled environment, you will need to contact your MDM vendor to get make this update available to you.

We welcome your feedback on this new version of TouchDown.  Please add comments here.

Blog Feature Image: 

ThinkstockPhotos-467606343.jpg

筆者の前回のブログでは、シマンテックの製品が、お客様へ提供するサービスのすべてについて、今後数週間で Certificate Transparency（透かし入り証明書、以下 CT）のサポートを拡大していくとお伝えしました。

CT を利用すると、組織が所有しているドメインにおいてどのような SSL/TLS サーバ証明書が有効かを監視できます。大多数のお客様の用途では、現在の CT 実装でも問題はありません。ところが、イントラネットの用途で証明書を利用する場合には、証明書の情報（特にサブドメイン情報）を秘密にしておきたいという要望もあります。たとえば、support.mycompany.com については証明書情報を公開してもかまわないが、top-secret-project.mycompany.com のログを記録することには難色を示すというお客様がいても当然でしょう。現在の CT 仕様 RFC 6962は、こういったプライバシーを伴う配慮や用途は考慮されていません。

このような現実的な使い方に対応するために、シマンテックの現在の CT 実装では、デフォルトで証明書すべてのログを記録しますが、お客様が証明書の記録を「オプトアウト」するオプションも用意されています。確かに、これは最適なアプローチとは言えません。証明書のログをすべて記録するかすべて記録しないかのどちらかしか選択できないからです。しかし、現在の CT 仕様の限界を考えれば、お客様のプライバシーに対処するには今のところ最も効果的な方法と言えます。

現在、IETF（Internet Engineering Task Force）が CT 仕様の次期バージョン（RFC 6962-bis）の策定に当たっているところです。この新バージョンでは、CT のログを編集してサブドメインの情報を除外できるようになります。上の例で言えば、top-secret-project.mycompany.com の証明書を「?.mycompany.com」として記録しようということです。この方式であれば、企業は証明書すべてのログを記録して監視したうえで、プライバシー問題にも対処できるようになります。

シマンテックが名前部分の削除をサポートしているのは、透明性とプライバシーを両立する最適な方法と判断しているためで、最終的に承認され次第、新しい仕様を実装する予定です。

シマンテックの CT サポートについて詳しくは、こちらをご覧ください。

【参考訳】

Blog Feature Image: 

ThinkstockPhotos-467606343.jpg

在上一篇博文中，我提到，在接下来的几周内，赛门铁克的所有产品和客户体验都将支持证书透明。

证书透明（CT）可帮助企业监测自己所拥有的域名是否启用了有效的SSL/TLS证书。基于众多客户反馈以及用例调查，当前证书透明度政策的执行力度令人满意。然而，当涉及到仅供内部使用的应用软件时，部分客户更倾向于对证书信息严格保密（尤其是子域名信息）。例如，客户也许同意将信息发布于“support.mycompany.com”上，但或许会拒绝将其导入“top-secret-project.mycompany.com”，这是可以理解的。现行的证书透明规范RFC 6962并未能消除此类隐私顾虑或提供相应用例解决方案。

为制定相应用例解决方案，赛门铁克目前的证书透明日志默认导入所有证书，但客户可以拒绝导入。这并非最优解决方案，因为并不是所有的证书都能顺利导入。然而，目前，在证书透明规范所限制的范围内，这是消除客户隐私顾虑的最有效方法。

目前，互联网工程任务组正着手制定全新证书透明规范——RFC 6962-bis。新规范将允许编辑证书透明日志中的子域名信息。如此一来，客户发布于“top-secret-project.mycompany.com”的证书，将以“?.mycompany.com”证书的形式导入。通过这一方法，企业可顺利导入并监测所有证书，消除隐私顾虑。

赛门铁克认为名称编辑是平衡证书透明与隐私保护的最佳途径。新规范一旦制定完成，我们将立即予以执行。

如需进一步了解我们对证书透明的支持，请点击此处。

Blog Feature Image: 

ThinkstockPhotos-467606343.jpg

在我最新一篇部落格文章中，我告訴大家賽門鐵克 (Symantec) 在未來幾週內將會把對憑證透明度的支援完整部署到所有產品及面向客戶的使用經驗上。

憑證透明度 (CT) 可協助組織監控他們名下的網域有哪些使用中的 SSL/TLS 憑證，對於許多客戶和使用案例而言，目前實施的 CT 運作良好。但是一說到部署僅限內部使用的憑證時，有些客戶傾向將憑證資訊保密 (尤其是子網域資訊)。例如，某位客戶可能認為公開「support.mycompany.com」的憑證資訊沒什麼大礙，但同樣這位客戶也可能拒絕登錄「top-secret-project.mycompany.com」，這是情有可原的。目前的憑證透明度規範 RFC 6962尚無法解決這些在隱私和使用案例上的隱憂。

為了解決這類客戶實際遭遇到的案例問題，賽門鐵克目前 CT 的實施方式在預設下會登錄所有憑證，但同時也為客戶提供一個可以「選擇性移除」憑證登錄的選項。這明顯並非最佳方式，因為如此會產生出並非所有憑證皆完整登錄的漏洞，但此為在目前憑證透明度規範的限制下所能處理客戶隱私問題的最有效方式。

目前網際網路工程任務小組 (Internet Engineering Task Force) 正在建立憑證透明度規範的新版本 - RFC 6962-bis。此新版本可在登錄 CT 時修訂子網域資訊。以上述的案例來看的話，該位客戶就能將「top-secret-project.mycompany.com」的憑證登錄為「?.mycompany.com」。這個方法可讓公司既能解決隱私問題，同時也能確保所有憑證都有登錄並受到監控。

賽門鐵克同樣認為名稱修訂是在透明度和隱私之間取得平衡的最佳辦法，因此在新規範完成後，賽門鐵克會盡快實行。

請至此處深入瞭解賽門鐵克對憑證透明度的支援。

I found MPowerSaver (Monitor Power Saver), an useful tool that help you to turn off your computer when you lock your computer. MPowerSaver is a portable freeware program, so you don't have to install the program but only download and store in your local hard disk, then double-click and run it.

The Basics Of  MpowerSaver

General Options

1) Automatically Turn off the monitor when user lock down their system (Win +L)
2) Automatically Turn off the monitor with screen saver starts. (Click check box to activate)
3) Automatically Lock and Turn off the monitor when system is in inactive mode. (Set time to activate)
4) Automatically Turn off the monitor when system is in inactive mode. (Set time to activate)

Advance Features

Auto Sleep/Hibernate, Standby, Restart or Shut Down your computer on a daily or weekly basis.

Daily basis

For example, let’s say you want to set your computer to shutdown in fifteen minutes. First select
the Action Settings (Sleep/Hibernate, Standby, Restart or Shut down), then set the time and date. Once
that  is complete you must click the (Start) check box and click (OK) button.

Weekly basis

For example, let’s say you want to set your computer to shutdown every day at 11:00:00 PM.
First select the Action Settings (Sleep/Hibernate, Standby, Restart or Shut down), then set the time.
Once that is complete you must click the (Shut down Computer on selected days) check box
and select the days (Sun, Mon, Tue.Wed, Thu, Fri, Sat) you want to shutdown your computer,
and click the (Start) check box and click (OK) button.

Link :  Monitor Power Saver

Gartner pointed out that ‘Setting Policy’ is essential in the endpoint security life cycle in its latest Magic Quadrant Report for Endpoint Protection Platforms. By proactively configuring your endpoints, you can effectively reduce the potential attack surface. However, setting security policies across all endpoints sounds like a painful, time-consuming process. Well, not if you’re with Symantec Endpoint Protection 12.1 (SEP).

Application Control is an integrated feature in SEP 12.1. It offers one-click lockdown via a whitelist or blacklist of applications, allowing you to easily keep bad stuff out and good stuff in. And if you have multiple user groups located in various locations, Application Control in SEP also empowers you to customize security policies and set granular control based on your needs, maximizing the flexibility and scalability of your security policies.

Here are some ways that you can mitigate risks by taking advantage of the Application Control:

• Use whitelisting or blacklisting to harden endpoints by only allowing certain applications to run

• Restrict what applications are permitted to do and which system resources they can use

• Block employees or others from using USB devices or only allow approved external devices

How exactly does it work? This demo will give you a great example of how Application Control can block threats even with all the other protection features disabled.  

WATCH the DEMO (3:16)

And there’s more you can achieve with Application Control in Symantec Endpoint Protection 12.1. To find out more information,

Download the Solution Overview.

Security Transformation for Organizations of Low Bandwidth Organizations using Symantec Products

• Organizations had to balance security and connectivity needs of their remote offices/locations. To address this need the transformation project had to address the harsh reality of connectivity not being available and local service provider last mile links.

Bandwidth Service Providers seems to be taking eternity and this reality was to be addressed to service Business growing need of connectivity, higher security at remote offices/locations and transformation automation to address entire business unit locations.

To address this needs:

A)End system services were planned to cover:

B)Endpoint security, Endpoint systems lifecycle covering asset management and patch management, Endpoint whole disk encryption, Endpoint Network access control, Endpoint identity and LDAP using Microsoft Active Directory.

C)The architecture should be capable of delivering Data loss prevention or Data lifecycle which is crucial for safeguard of customer data and any accidental data concerns.

D)Organizations also wanted the elements of Anti-Malware to address mail and web challenges which can be concern to the endpoint as the threat to the endpoint was a risk to mitigate.

E)Remote access management using traditional tools to be shifted to Access control via the privilege admin at central locations be it in DC or DR.

F)It was essential that the security architecture be sustainable and address the reality of bandwidth being limited and also bandwidth available for a small window of time.

G)Automation plans were the only choice kept for any service provider as SLAs were linked to sustenance and not just delivery and one time completion.

The servers and infrastructure planned is with redundancy across the Datacenters and during drill the infrastructure would be managed from the DR site and updated to all remote offices/locations.

Threat intelligence and sharing to the other elements to reduce the risk from web and mail and enable defense in depth measures are some of the initiatives the Organizations are planning to undertake as part of Data lifecycle protection and would also include data loss prevention controls.

As the Organizations plans to move towards advanced security controls the converged view of 11 controls incorporated among today four agents in the desktops of which real time controls and Task based controls are addressed in maker checker concept of asset reconciliation.

The 11 controls incorporated are:

Control 1: System wide asset inventory and status.

Control 2: System patch gap identification and remediate via patch management catalogue.

Control 3: System wide software delivery

Control 4: System whole disk encryption control

Control 5: System endpoint PC transplant solution to migrate and deploy as backup and refresh for new systems.

Control 6: System endpoint security control for antimalware covering antivirus and anti spyware.

Control 7: System endpoint host firewall and application control enabling device blocking and peripheral control.

Control 8: System identity repository and LDAP attribute across assets.

Control 9: System and network converged to address policy control and admission control via network access control.

Control 10: System host level network and host intrusion detection and prevention.

Control 11: Blacklist and whitelist of Applications.

The above controls make the base for the addition of further controls like data loss prevention and Backup for user data specially out of office users in a seamless manner.

The controls now can be integrated with network like network firewall or next generation firewalls as well as web application firewall for greater application control at the perimeter be it for ingress or egress.

The risk identification and mitigation process enable readiness for known threats as well as enable risk mitigation via the controls planned.

I feel it’s important to start by giving you the top things to do if you are a victim of ransomware:

• Don’t pay the ransom
• Don’t power off any endpoints
• Contact Symantec Incident Response team as quickly as possible
• Ensure you have good backups, ready to restore

We are seeing a lot in the media lately about ransomware. This type of attack isn’t new, but the attention is greater than ever. And what’s worse? Many organizations suffering through ransomware attacks think they are at the mercy of the attacker. This doesn’t have to be the case. 

There are many things an incident response (IR) provider can do to help in this situation. Symantec has one of the world’s largest civilian cyber security threat intelligence networks – giving our IR team access to not only technical intelligence about the malware, but also adversary intelligence that provides Indicators of Compromise (IoC). Symantec’s IR team has been able to use this wealth of intelligence during our ransomware investigations to learn several important facts about ransomware.

One of the most important things to bring light to is that ransomware is almost never the primary attack vector. Ransomware is deployed as either a way to deflect attention from a primary attack or as “clean up” after an attack to help the attackers make a few extra bucks selling the access that they already used to perform their initial operation.

Here are some examples of what our team has seen during investigations.

“Smoke Screen” Attack

One customer was battling a worm-based ransomware variant. The infection had taken over the network and had started encrypting files. Their first reaction was that this wasn’t a big deal, just a nuisance. The problem got bigger when it spread and they couldn’t control it, which prompted them to call our IR team. During the investigation we performed memory forensics and found a memory-only resident attack that was positioned to capture account and login information. It was a very well written piece of code that was masking itself in 64-bit memory. Once we discovered it, we were able to stop the primary attack, contain the worm and provide the customer with recommendations to minimize further attacks.

Having learned this, we were able to apply this information to many other customers that called with the same indicators, allowing us to more rapidly respond and contain the attack, ultimately ending the campaign.

These are just a couple examples of investigations we’ve successfully closed, but we expect to see more and want to make sure organizations know to engage resources that can help them look beyond the obvious ransomware attack to understand the full spectrum.

Want to know more?Read our full brief on how IR can help with ransomware outbreaks.