Blog Feature Image: 

ThinkstockPhotos-488564122.jpg

For too long, information security has been a piecemeal battle. Security leaders have been forced to stitch together an array of point products that weren’t designed to work together, leaving gaps and overlaps in their ability to fight the bad guys.

That’s exactly why the combination of Symantec and Blue Coat is so exciting for us. We’ve combined two security pioneers with deep roots across several categories – and the unified portfolio enables us to attack new and old security challenges with clear focus, deep intelligence and smart software.

Symantec Endpoint Protection 14 helps bring that integrated vision to fruition. Specifically, we’re delivering pre-built integrations with Blue Coat’s Secure Web Gateway that allow companies for the first time to leverage and orchestrate security management across network proxies and endpoints. Endpoint security now learns from network security, and vice versa. Threats can be identified and blocked at either control point. Customers no longer need to build their own integrations and correlations – allowing network and security leaders to focus on fighting the bad guys rather than fighting their technology.

This is just one step in Symantec’s vision of an integrated cyber defense platform that listens, learns and adapts across the enterprise. It’s also an important sign of maturity in the security market – and comes at the right time for security leaders who face more threats on more fronts at a faster pace than ever before.

How Does Integrated Endpoint + Network Security Work?

Let’s start with some background on the core products involved:

Symantec Endpoint Protection 14 provides protection, detection and response for advanced malware within a single endpoint agent – including innovations for advanced machine learning, memory exploit mitigation and packer emulation, along with proven technologies for file reputation and behavior analysis, application and device control, firewall and intrusion prevention. All of this is powered by the world’s largest civilian threat intelligence network, consisting of telemetry data from 175 million endpoints and 57 million attack sensors in 157 countries, providing unique visibility into the latest security threats.

Meanwhile, on the network itself, Blue Coat’ Secure Web Gateway authenticates, decrypts and inspects Internet content for compliance and advanced threat protection. The gateway’s full proxy architecture allows it to effectively monitor, control and secure traffic to ensure a safe Internet experience. Security leaders can enforce policies, detect threats and block advanced attacks from entering their network. Traffic is terminated at the proxy and all downloaded and uploaded objects are processed through multiple layers of security in a single efficient pass.

So how do they work together? Symantec Endpoint Protection 14 opens its APIs to collaborate with Secure Web Gateway, allowing the two products to communicate with each other and share blacklists, whitelists, security logs, etc. Data and insights are exposed through the Content Analysis System software (v2.1) built into Secure Web Gateway products (including Advanced Security Gateway and Blue Coat ProxySG).

Security managers simply log in to the Content Analysis System console to set up the integration with Symantec Endpoint Protection manager. From there, security managers can look at logs across their security infrastructure, define correlation parameters and set remediation roles all from the same console – without needing to switch back and forth. Beyond making it easier to use, the combined system allows leaders to benefit from the most powerful threat data set that you can possibly combine – leveraging insight from thousands of customers, millions of networks and billions of endpoints captured via Symantec’s and Blue Coat’s combined Global Intelligence Network.

What Are the Use Cases for Endpoint + Network Security?

Here are some common use cases that are easily addressed by the integration between Symantec Endpoint Protection and Secure Web Gateway:

Network to Endpoint Incident Verification: When security managers receive an alert from Blue Coat’s sandboxing system, they want to know what endpoints across their entire network have seen these same indicators of compromise. This will shorten incident response time by eliminating hours or days of unnecessary work to confirm if the malicious sample infected the endpoint. The workflow is simple: the Blue Coat sandbox discovers malicious content, then Blue Coat’s Content Analysis System queries Symantec endpoints to verify indicators (file hash, registry changes, URLs, process name, registry changes, etc.). The list of infected endpoints (along with a URL to Symantec management) are then added to the sandbox report showing the administrator not only what happened in the sandbox but what endpoints are infected.

Endpoint Blacklisting: Security managers want attacks that are discovered via the network to be isolated without spreading to other endpoints. Again, the workflow is simple: Blue Coat’s sandbox discovers malicious content with high certainty, and Blue Coat’s Content Analysis System queries Symantec Endpoint Protection – and adds a file to the blacklist for all endpoints via the Symantec Endpoint Protection Manager. This prevents the spread of this file to other endpoint devices.

Beyond these use cases, Symantec will continue extending integration between endpoint and network security to address other customer needs. We also anticipate our customers will identify new use cases as they explore the possibilities.

Bottom Line: Better Protection from Endpoint to Cloud

Security leaders can now leverage and optimize protection across networks and endpoints, providing a full spectrum of threat protection with fewer integration headaches.  Shared intelligence results in early and effective threat detection, fueled by a massive global intelligence network. Granular controls allow you to take proactive action to blacklist attacks and apply security policies that prevent the spread of attacks. And automated remediation allows you to remediate issues with one click via integrated management consoles.

# # #

Check out our webinar with Adrian Sanabria from 451 Research to learn more about next-generation endpoint protection, and watch this space for regular blog posts that drill deeper into key capabilities with insights from Symantec and third-party experts.

Written by Danny Williams

I. BACKGROUND:

Symantec is currently investigating reports of another new attack in the Middle East involving the destructive disk-wiping malware used by the Shamoon group (W32.Disttrack, W32.Disttrack.B). Similar to previous attacks, the Disttrack malware used by Shamoon is just the destructive payload. It requires other means to be deployed on targeted organizations’ networks and is configured with previously stolen credentials. 

Symantec discovered the Greenbug cyberespionage group during its investigation into previous attacks involving W32.Disttrack.B (aka Shamoon). Shamoon (W32.Disttrack) first made headlines in 2012 when it was used in attacks against energy companies in Saudi Arabia. It recently resurfaced in November 2016 (W32.Disttrack.B), again attacking targets in Saudi Arabia. While these attacks were covered extensively in the media, how the attackers stole these credentials and introduced W32.Disttrack on targeted organizations’ networks remains a mystery.

Could Greenbug be responsible for getting Shamoon those stolen credentials?

Greenbug was discovered targeting a range of organizations in the Middle East including companies in the aviation, energy, government, investment, and education sectors. The group uses a custom information-stealing remote access Trojan (RAT) known as Trojan.Ismdoor as well as a selection of hacking tools to steal sensitive credentials from compromised organizations.

Although there is no definitive link between Greenbug and Shamoon, the group compromised at least one administrator computer within a Shamoon-targeted organization’s network prior to W32.Disttrack.B being deployed on November 17, 2016.

II. THREAT DETAILS:

The worm creates the following files:

• %System%\trksrv.exe
• %System%\netinit.exe
• %System%\drivers\drdisk.sys
• %System%\[NAME SELECTED FROM LIST].exe
  (see below for currently known list)

The worm deletes the following file:

• %System%\drivers\drdisk.sys

The worm is comprised of several components:

• Dropper: main component that drops other modules and is the first to infect the system
• Wiper: module that contains destructive functionality
• Reporter: module that reports infection information back to the attacker

The Dropper

The Dropper component has the following functionality:

• Copies itself to %System%\trksrv.exe
• Drops the following files embedded into resources:
  
  • 64-bit Dropper: %System%\trksrv.exe (contained in the “X509” resource)
  • Reporter module: %System%\netinit.exe (contained in the "PKCS7" resource)
  • Wiper module: %System%\[NAME SELECTED FROM LIST].exe (contained in the "PKCS12" resource)
    • Note: [NAME SELECTED FROM LIST] may be one of the following:
      • caclsrv
      • certutl
      • clean
      • ctrl
      • dfrag
      • dnslookup
      • dvdquery
      • event
      • extra ct
      • findfile
      • fsutl
      • gpget
      • iissrv
      • ipsecure
      • msinit
      • ntx
      • ntdsutl
      • ntfrsu til
      • ntnw
      • power
      • rdsadmin
      • regsys
      • routeman
      • rrasrv
      • sacses
      • sfmsc
      • sigver
      • smbinit
      • wcscript
  • Copies itself to the following network shares:
    • \\[COMPUTER NAME]\ADMIN$
    • \\[COMPUTER NAME]\C$\\WINDOWS
    • \\[COMPUTER NAME]\D$\\WINDOWS
    • \\[COMPUTER NAME]\E$\\WINDOWS
  • Creates a job task to execute itself
  • Creates the following service to start itself when Windows starts:
    • Service: TrkSvr
    • DisplayName: Distributed Link Tracking Server
    • ImagePath: %System%\trksvr.exe

The Wiper

The Wiper module has the following functionality:

• Deletes the existing driver from the following location and writes a different legitimate driver embedded in resources:
  
  • %System%\drivers\drdisk.sys
• The device driver is a clean disk driver that enables user-land applications to read and write to disk sectors. The driver is used to overwrite the computer's MBR but is not malicious by itself.
• The file is digitally signed by “EldoS Corporation".
• Executes the following commands that collect file names, which will be overwritten and writes them to f1.inf and f2.inf:
  
  • dir "C:\Documents and Settings\" /s /b /a:-D 2>nul | findstr -i download 2>nul >f1.inf
  • dir "C:\Documents and Settings\" /s /b /a:-D 2>nul | findstr -i document 2>nul >>f1.inf
  • dir C:\Users\ /s /b /a:-D 2>nul | findstr -i download 2>nul >>f1.inf
  • dir C:\Users\ /s /b /a:-D 2>nul | findstr -i document 2>nul >>f1.inf
  • dir C:\Users\ /s /b /a:-D 2>nul | findstr -i picture 2>nul >>f1.inf
  • dir C:\Users\ /s /b /a:-D 2>nul | findstr -i video 2>nul >>f1.inf
  • dir C:\Users\ /s /b /a:-D 2>nul | findstr -i music 2>nul >>f1.inf
  • dir "C:\Documents and Settings\" /s /b /a:-D 2>nul | findstr -i desktop 2>nul >f2.inf
  • dir C:\Users\ /s /b /a:-D 2>nul | findstr -i desktop 2>nul >>f2.inf
  • dir C:\Windows\System32\Drivers /s /b /a:-D 2>nul >>f2.inf
  • dir C:\Windows\System32\Config /s /b /a:-D 2>nul | findstr -v -i systemprofile 2>nul >>f2.inf
• Note: Files from f1.inf and f2.inf will be overwritten with a JPEG image that is located in the Wiper module. Overwritten files are rendered useless and cannot be repaired.
• The module will overwrite the MBR so that the compromised computer can no longer boot.

The Reporter

The Reporter module is responsible for sending information about the infection to the attacker. Information is sent as an HTTP GET request and is structured as:

• http://[DOMAIN]/ajax_modal/modal/data.asp?mydata=[MYDATA]&uid=[UID]&state=[STATE]

The following data is sent to the attacker:

• [DOMAIN] = domain name
• [MYDATA] = specifies how many files were overwritten
• [UID] = IP address of the compromised computer
• [STATE] = random number

How it spreads:

When the worm is executed, it copies itself to the following network shares:

• \\[COMPUTER NAME]\ADMIN$
• \\[COMPUTER NAME]\C$\\WINDOWS
• \\[COMPUTER NAME]\D$\\WINDOWS
• \\[COMPUTER NAME]\E$\\WINDOWS

Coverage:

Symantec Endpoint Protection:
Antivirus Signatures:

• W32.Disttrack
• W32.Disttrack!gen1
• W32.Disttrack!gen4
• W32.Disttrack!gen6
• W32.Disttrack!gen7
• W32.Disttrack!gen8
• W32.Disttrack.B

Intrusion Prevention Signatures:

• System Infected: Disttrack Trojan Activity 2
• System Infected: Disttrack Trojan Activity 3

Applying the 5 Steps of Virus Troubleshooting to a W32.Disttrack (Shamoon) Outbreak 
AKA 
The Shamoon Battle Plan

Step 1. Identify the threat

• This means getting AV detection on any new (undetected) samples.

Step 2. Identify infected machines:

• Machines with Auto-Protect alerts should be scanned with up-to-date definitions.
• The entire network needs to be audited for unprotected machines, out of date machines, and infected or likely infected machines.
• Traffic to known Shamoon domains is a good indicator of a potentially infected machine.
• Protecting and managing fileservers is often the key to solving any outbreak scenario. - Unprotected NAS devices are at risk!

Step 3. Quarantine the infected/unprotected/under protected machines: 

• Unprotected and under-protected machines need to be removed from the network until cleaned and protected.
• Unprotected machines should be returned to the network only after being protected, checked for suspect files, and scanned clean.

Step 4. Clean the infected machines:

• Infected machines need to be scanned clean. Safe Mode is not necessary, just a basic Full System Scan.
• Don’t forget file servers. This bears repeating.
• Watch scan logs closely for indications of “Reboot required” or results that indicate a potential issue like “Quarantine failed”

Step 5. Prevent future outbreaks:

• AutoPlay is a spreading mechanism for thousands of worms and should be disabled. Microsoft has moved to this position as well.
• An “Open Share” is any share that does not require a password to access. Password-restricting shares can slow or stop a worm like this in their tracks.
• Remove write-access on shares from users not needing this level of access.
• Maintain a strict patching regimen. Threats often add new capabilities in response to new vulnerabilities.
• Once clean, upgrade to the newest version of SEP (Recommended: with all technologies installed).
• Review mail server policies.

III. Questions and Answers

Q - How does this spread, once in the network?
A - Open administrator shares. Closing these shares, removing infected machines from the network, or dropping infected machines to a quarantined subnet will keep this from spreading. Enabling Network AutoProtect will also help.

Q - How did this get into my network?
A – There are preliminary indications that Greenbug could be responsible for delivering Shamoon.  The presence of Greenbug within an organization prior to the destructive attack involving W32.Disttrack.B provides only a tentative connection to Shamoon. Greenbug’s choice of targets and the fact that Ismdoor and associated tools downloaded by the threat appear to have gone quiet a day prior to the November 17, 2016 Shamoon attack is, however, suspicious. At this time, Symantec tracks these groups separately unless additional corroborating evidence emerges.  

Q - Will patching vulnerabilities help me stop this threat in my network?
A - No, vulnerabilities can be a door and the threat has already come in. These vulnerabilities should be patched ASAP (along with any other holes in the environment), but this will not counter an already-live infection.

Q - Are there URLs and Domains I should be blocking at the firewall?
A - Yes.  See Section II (The Reporter)

Q - What about Autorun?
A – The Shamoon variants observed haven’t been using this, however autoplay should be disabled either with a GPO or ADC policy, just in case.

V. W32.DISTTRACK (SHAMOON) MITIGATION POSTURE

Note: This is not necessarily a checklist of everything you must do, but a way to understand where your environment may need to be scrutinized.

• Autorun / AutoPlay Disabled?
• Open File Shares Closed/Password Protected? Strong Passwords?
• All Unprotected machines removed from the network and queued for updates/cleaning/protection?
• Associated URLs blocked at the Perimeter Firewall / Client Firewall?
• SEP AutoProtect set to load at System Startup?
• SEP Network AutoProtect enabled?
• Application and Device Control policy implemented?

VI. REFERENCES:

• Greenbug cyberespionage group targeting Middle East, possible links to Shamoon: https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon
• W32.Disttrack technical details: https://www.symantec.com/security_response/writeup.jsp?docid=2012-081608-0202-99&tabid=2

I. BACKGROUND:

Symantec is currently investigating reports of another new attack in the Middle East involving the destructive disk-wiping malware used by the Shamoon group (W32.Disttrack, W32.Disttrack.B). Similar to previous attacks, the Disttrack malware used by Shamoon is just the destructive payload. It requires other means to be deployed on targeted organizations’ networks and is configured with previously stolen credentials. 

Symantec discovered the Greenbug cyberespionage group during its investigation into previous attacks involving W32.Disttrack.B (aka Shamoon). Shamoon (W32.Disttrack) first made headlines in 2012 when it was used in attacks against energy companies in Saudi Arabia. It recently resurfaced in November 2016 (W32.Disttrack.B), again attacking targets in Saudi Arabia. While these attacks were covered extensively in the media, how the attackers stole these credentials and introduced W32.Disttrack on targeted organizations’ networks remains a mystery.

Could Greenbug be responsible for getting Shamoon those stolen credentials?

Greenbug was discovered targeting a range of organizations in the Middle East including companies in the aviation, energy, government, investment, and education sectors. The group uses a custom information-stealing remote access Trojan (RAT) known as Trojan.Ismdoor as well as a selection of hacking tools to steal sensitive credentials from compromised organizations.

Although there is no definitive link between Greenbug and Shamoon, the group compromised at least one administrator computer within a Shamoon-targeted organization’s network prior to W32.Disttrack.B being deployed on November 17, 2016.

II. THREAT DETAILS:

The worm creates the following files:

• %System%\trksrv.exe
• %System%\netinit.exe
• %System%\drivers\drdisk.sys
• %System%\[NAME SELECTED FROM LIST].exe
  (see below for currently known list)

The worm deletes the following file:

• %System%\drivers\drdisk.sys

The worm is comprised of several components:

• Dropper: main component that drops other modules and is the first to infect the system
• Wiper: module that contains destructive functionality
• Reporter: module that reports infection information back to the attacker

The Dropper

The Dropper component has the following functionality:

• Copies itself to %System%\trksrv.exe
• Drops the following files embedded into resources:
  
  • 64-bit Dropper: %System%\trksrv.exe (contained in the “X509” resource)
  • Reporter module: %System%\netinit.exe (contained in the "PKCS7" resource)
  • Wiper module: %System%\[NAME SELECTED FROM LIST].exe (contained in the "PKCS12" resource)
    • Note: [NAME SELECTED FROM LIST] may be one of the following:
      • caclsrv
      • certutl
      • clean
      • ctrl
      • dfrag
      • dnslookup
      • dvdquery
      • event
      • extra ct
      • findfile
      • fsutl
      • gpget
      • iissrv
      • ipsecure
      • msinit
      • ntx
      • ntdsutl
      • ntfrsu til
      • ntnw
      • power
      • rdsadmin
      • regsys
      • routeman
      • rrasrv
      • sacses
      • sfmsc
      • sigver
      • smbinit
      • wcscript
  • Copies itself to the following network shares:
    • \\[COMPUTER NAME]\ADMIN$
    • \\[COMPUTER NAME]\C$\\WINDOWS
    • \\[COMPUTER NAME]\D$\\WINDOWS
    • \\[COMPUTER NAME]\E$\\WINDOWS
  • Creates a job task to execute itself
  • Creates the following service to start itself when Windows starts:
    • Service: TrkSvr
    • DisplayName: Distributed Link Tracking Server
    • ImagePath: %System%\trksvr.exe

The Wiper

The Wiper module has the following functionality:

• Deletes the existing driver from the following location and writes a different legitimate driver embedded in resources:
  
  • %System%\drivers\drdisk.sys
• The device driver is a clean disk driver that enables user-land applications to read and write to disk sectors. The driver is used to overwrite the computer's MBR but is not malicious by itself.
• The file is digitally signed by “EldoS Corporation".
• Executes the following commands that collect file names, which will be overwritten and writes them to f1.inf and f2.inf:
  
  • dir "C:\Documents and Settings\" /s /b /a:-D 2>nul | findstr -i download 2>nul >f1.inf
  • dir "C:\Documents and Settings\" /s /b /a:-D 2>nul | findstr -i document 2>nul >>f1.inf
  • dir C:\Users\ /s /b /a:-D 2>nul | findstr -i download 2>nul >>f1.inf
  • dir C:\Users\ /s /b /a:-D 2>nul | findstr -i document 2>nul >>f1.inf
  • dir C:\Users\ /s /b /a:-D 2>nul | findstr -i picture 2>nul >>f1.inf
  • dir C:\Users\ /s /b /a:-D 2>nul | findstr -i video 2>nul >>f1.inf
  • dir C:\Users\ /s /b /a:-D 2>nul | findstr -i music 2>nul >>f1.inf
  • dir "C:\Documents and Settings\" /s /b /a:-D 2>nul | findstr -i desktop 2>nul >f2.inf
  • dir C:\Users\ /s /b /a:-D 2>nul | findstr -i desktop 2>nul >>f2.inf
  • dir C:\Windows\System32\Drivers /s /b /a:-D 2>nul >>f2.inf
  • dir C:\Windows\System32\Config /s /b /a:-D 2>nul | findstr -v -i systemprofile 2>nul >>f2.inf
• Note: Files from f1.inf and f2.inf will be overwritten with a JPEG image that is located in the Wiper module. Overwritten files are rendered useless and cannot be repaired.
• The module will overwrite the MBR so that the compromised computer can no longer boot.

The Reporter

The Reporter module is responsible for sending information about the infection to the attacker. Information is sent as an HTTP GET request and is structured as:

• http://[DOMAIN]/ajax_modal/modal/data.asp?mydata=[MYDATA]&uid=[UID]&state=[STATE]

The following data is sent to the attacker:

• [DOMAIN] = domain name
• [MYDATA] = specifies how many files were overwritten
• [UID] = IP address of the compromised computer
• [STATE] = random number

How it spreads:

When the worm is executed, it copies itself to the following network shares:

• \\[COMPUTER NAME]\ADMIN$
• \\[COMPUTER NAME]\C$\\WINDOWS
• \\[COMPUTER NAME]\D$\\WINDOWS
• \\[COMPUTER NAME]\E$\\WINDOWS

Coverage:

Symantec Endpoint Protection:
Antivirus Signatures:

• W32.Disttrack
• W32.Disttrack!gen1
• W32.Disttrack!gen4
• W32.Disttrack!gen6
• W32.Disttrack!gen7
• W32.Disttrack!gen8
• W32.Disttrack.B
• PUA.Disttrack!sys

Intrusion Prevention Signatures:

• System Infected: Disttrack Trojan Activity 2
• System Infected: Disttrack Trojan Activity 3

Applying the 5 Steps of Virus Troubleshooting to a W32.Disttrack (Shamoon) Outbreak 
AKA 
The Shamoon Battle Plan

Step 1. Identify the threat

• This means getting AV detection on any new (undetected) samples.

Step 2. Identify infected machines:

• Machines with Auto-Protect alerts should be scanned with up-to-date definitions.
• The entire network needs to be audited for unprotected machines, out of date machines, and infected or likely infected machines.
• Traffic to known Shamoon domains is a good indicator of a potentially infected machine.
• Protecting and managing fileservers is often the key to solving any outbreak scenario. - Unprotected NAS devices are at risk!

Step 3. Quarantine the infected/unprotected/under protected machines: 

• Unprotected and under-protected machines need to be removed from the network until cleaned and protected.
• Unprotected machines should be returned to the network only after being protected, checked for suspect files, and scanned clean.

Step 4. Clean the infected machines:

• Infected machines need to be scanned clean. Safe Mode is not necessary, just a basic Full System Scan.
• Don’t forget file servers. This bears repeating.
• Watch scan logs closely for indications of “Reboot required” or results that indicate a potential issue like “Quarantine failed”

Step 5. Prevent future outbreaks:

• AutoPlay is a spreading mechanism for thousands of worms and should be disabled. Microsoft has moved to this position as well.
• An “Open Share” is any share that does not require a password to access. Password-restricting shares can slow or stop a worm like this in their tracks.
• Remove write-access on shares from users not needing this level of access.
• Maintain a strict patching regimen. Threats often add new capabilities in response to new vulnerabilities.
• Once clean, upgrade to the newest version of SEP (Recommended: with all technologies installed).
• Review mail server policies.

III. Questions and Answers

Q - How does this spread, once in the network?
A - Open administrator shares. Closing these shares, removing infected machines from the network, or dropping infected machines to a quarantined subnet will keep this from spreading. Enabling Network AutoProtect will also help.

Q - How did this get into my network?
A – There are preliminary indications that Greenbug could be responsible for delivering Shamoon.  The presence of Greenbug within an organization prior to the destructive attack involving W32.Disttrack.B provides only a tentative connection to Shamoon. Greenbug’s choice of targets and the fact that Ismdoor and associated tools downloaded by the threat appear to have gone quiet a day prior to the November 17, 2016 Shamoon attack is, however, suspicious. At this time, Symantec tracks these groups separately unless additional corroborating evidence emerges.  

Q - Will patching vulnerabilities help me stop this threat in my network?
A - No, vulnerabilities can be a door and the threat has already come in. These vulnerabilities should be patched ASAP (along with any other holes in the environment), but this will not counter an already-live infection.

Q - Are there URLs and Domains I should be blocking at the firewall?
A - Yes.  See Section II (The Reporter)

Q - What about Autorun?
A – The Shamoon variants observed haven’t been using this, however autoplay should be disabled either with a GPO or ADC policy, just in case.

IV. W32.DISTTRACK (SHAMOON) MITIGATION POSTURE

Note: This is not necessarily a checklist of everything you must do, but a way to understand where your environment may need to be scrutinized.

• Autorun / AutoPlay Disabled?
• Open File Shares Closed/Password Protected? Strong Passwords?
• All Unprotected machines removed from the network and queued for updates/cleaning/protection?
• Associated URLs blocked at the Perimeter Firewall / Client Firewall?
• SEP AutoProtect set to load at System Startup?
• SEP Network AutoProtect enabled?
• Application and Device Control policy implemented (attached)?

V. REFERENCES:

• Greenbug cyberespionage group targeting Middle East, possible links to Shamoon: https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon
• W32.Disttrack technical details: https://www.symantec.com/security_response/writeup.jsp?docid=2012-081608-0202-99&tabid=2

VI. ATTACHMENTS

• Block_Eldos_driver_v4.dat
  
  • ADC policy to block known versions of the Eldos driver used by Shamoon.

NOTE: Above ADC policy no longer needed, as we have released signature PUA.Disttrack!sys to protect machines from Shamoon proactively.

WEBINAR: The Inside Scoop on Cloud Security Gateways Featuring Andras Cser, Independent Research Firm Analyst

DATE: February 7, 2017

TIME: 1:00 PM (PST) / 4:00 PM (EST)

Get advice on evaluating cloud security products from our guest speaker, Andras Cser, primary author of Forrester's first Wave Report on Cloud Security. He will discuss the risks associated with adopting cloud applications and services and how cloud security gateways (CSG), also known as CASBs, can help protect your organization with integrated data protection and activity monitoring. 



This webcast will include insights from the recently released report, The Forrester Wave™: Cloud Security Gateways Q4 2016, which evaluated 8 of the most significant CSG vendors against 23 different criteria.

You'll hear from guest Andras Cser of Forrester and Deena Thomchick of Symantec on:

• The state of the enterprise in today's cyber threat world
• Why organizations must take security precautions
• The requirements for a Cloud Security Gateway
• How Cloud Security Gateways operate
• How to evalulate Cloud Security Gateways
• The top ten aspects of cloud application security​  

Register Here

Blog Feature Image: 

CASA TP.png

Product donation is Symantec’s largest mechanism to support the nonprofit community and help nonprofits fulfill their missions. In partnership with TechSoup, each year we provide cyber security solutions to more than 25,000 organizations across 55 countries worldwide, allowing them to secure their most important data wherever it lives. Since launching the software donation program in 2002, Symantec has helped more than 93,000 nonprofits solve today’s biggest security challenges and protect against the ever-evolving threat landscape.

As the Symantec Internet Threat Report showed, there were more than 429 million exposed identities in 2015. And despite noble missions, nonprofits are not immune. Like businesses, they must also take the critical steps to protect their stakeholder’s sensitive information. In the case of Court Appointed Special Advocates (CASA), their data and records include confidential details about each child they serve.

Across the United States, CASA is known for its steadfast commitment to and advocacy for children. The nonprofit works diligently to provide court-appointed volunteer advocates for abused and neglected children who are involved in the foster care and court system. Last year, more than 76,000 CASA and guardian ad litem (GAL) volunteers helped more than 251,000 children find safe, permanent homes. Needless to say, all of the data associated with these children must be kept secure.

Unlike businesses with dedicated IT teams, CASA of the Tri-Peaks, which represents the 15th Judicial District of Arkansas, has a small staff of two full-time and two part-time employees, tasked with not only advocating on behalf of 200 youth each year, but also managing operations including their technology systems. Their electronic records include personal data not only on their cases, but also their 40 plus community volunteers, financial donations and staff.

After receiving a local community grant, CASA of the Tri-Peaks had the opportunity to upgrade its computer systems. Through Symantec’s software donation partnership with TechSoup, they chose to deploy Symantec’s Norton Small Business to protect the organization’s data from viruses, spyware, malware and other security threats. Symantec protects all of CASA’s computers and tablets—allowing CASA staff and volunteers to focus on the children, attending court appointments, providing judges with carefully researched backgrounds and assisting the children in expressing his or her own “voice” which can often go unheard in these official proceedings—ultimately advocating for each child to help the court make a sound decision about that child’s future.

“Data security is quite important at CASA because we are managing highly confidential information on behalf of children. We have to maintain the integrity of the data given to us and ensure its secured at all times—not only information about the children and their cases, but also our volunteers, who have entrusted us with their sensitive data as well. Having trust in Symantec with their Norton products, gives me the comfort of knowing our electronic records are safe and secure at all times,” said Cheri Garcez, Executive Director, CASA of the Tri-Peaks.

According to CASA, children who have been assigned an advocate through the organization often spend less time in court and less time within the foster care system than those who do not have CASA representation. They often suffer fewer temporary placements and find safe, permanent homes—or are reunited with their parents—more quickly. Symantec products help this small but nimble CASA team focus on the children they serve, making a lasting impact and forever changing lives.

Jaime Barclay is Symantec’s Manager, Corporate Responsibility

Blog Feature Image: 

ThinkstockPhotos-590247654.jpg

[For those keeping score, this is the 19th in our series on Shady Top Level Domains. Links to the previous posts in the series are found at the bottom of the page.]

Before diving into a look at interesting traffic in another Shady TLD, let's wrap up 2016 with the Top 20 list of the shadiest TLDs in the fourth quarter. As usual, there were several position changes from the previous quarter...

* As of late December, 2016. Shady Percentage is a simple calculation: the ratio of "domains and subdomains ending in this TLD which are rated in our database with a 'shady' category, divided by the total number of database entries ending in this TLD". Shady categories include Suspicious, Spam, Scam, Phishing, Botnet, Malware, and Potentially Unwanted Software (PUS). Categories such as Porn, Piracy, and Placeholders (for example) are not counted as "shady" for this research.

Caveats

As always, we caution against reading too much into the relative positions of TLDs on this list. Rankings are very fluid from quarter to quarter.

Also, we are not advocating setting up policy to block all domains on all of these TLDs. Any such recommendation would come only after more research into a TLD. In particular, .xin is rather popular in China, as is .kim in South Korea, and it would not be wise to automatically block such domains if you do any business there. Also, several TLDs have percentages based on much lower numbers of domains than some of the other TLDs in the list.

In general, it's better to leave shady domain blocking up to the professionals...

.GooD for Nothing?

.GDN entered the Top Ten in our 2016 Q3 list. We'd been noticing it in traffic before then, but we started keeping a closer eye on it, and I marked it down as a good candidate for a future Deep Dive -- and here we are!

For the Deep Dive, I pulled a recent week of WebPulse traffic, and selected the 100 domains with the most traffic. Here is the breakdown of the categorization of these sites:

So that's 92% shady, or 96% if we include the Piracy and Porn sites.

The vast majority of sites in the Suspicious bucket were part of a big scareware campaign, targeting smartphones. There were two main patterns of naming the domains:

• read-this-message-[junk].gdn
• install-app-[junk].gdn

The [junk] part is a pseudo-random string of numbers and letters. The pattern from the beginning of the week always used three characters, mostly with a zero as the third one (8b0, ue0, bb0, etc.) By the end of the week, the patterns tended to be five characters, usually ending in three or four zeroes (f0000, 91000, 30000, e0000, etc.)

Victims of the campaign will see pages that look like these on their phones. (The first variant is the most common one I saw.)

(Abusing the Google logo and robot makes sense when targeting Android users, as above, but not so much when targeting Apple users, as below. They didn't bother to change the look-and-feel much...)

There was also a less-common variant:

Needless to say, you shouldn't click the button... But what happens if you do? For me, clicking the button either led into a WebAd network that we had already flagged as Suspicious, or dead-ended on a page saying "Currently, the requested game is not available in your region." So I didn't bother to explore much further downstream.

In looking at the upstream traffic, it looks like a malvertising attack, as most of the traffic appears to be arriving at these sites from ad networks. It also appears to be somewhat more prevalent in Asia, although we've been seeing it world-wide.

All in all, it's an interesting campaign, combining elements of other scareware/ransomware attacks, but with a little twist: wanting you to download and run their app for 7 days.

In other words, in this attack, the "ransom" is the "ware".

Versions of this attack have been around for some time -- if you've been hit by this, try searching for "battery damaged by virus" to find articles discussing how to remove the scareware from your device -- but I haven't seen anything detailing its current usage of .gdn domains to host the scareware pages.

Given the prevalence of these attacks (not to mention various SEO-type sites, and a general lack of sites with useful content), we are recommending that people who care about security consider blocking all .gdn traffic.

--C.L.

@bc_malware_guy

P.S. For easy reference, here are the links to the earlier posts in our "Shady TLD" series:

.country

.kim

.science

.gq

.work

.ninja

.xyz

.date

.faith

.zip

.racing

.cricket

.win

.space

.accountant

.top

.stream

.christmas

Co-authored by Ken Durbin, CISSP and Kevin McPeak, CISSP, ITILv3

(Continued from part three in our series on Canada's Digital Privacy Act, where we were discussing how NIST CSF can be tailored to assess against a specific requirement like the DPA.)

We are now going to focus on the Identify Function of the CSF. As we learned in the previous blog, the CSF Core is made up of the “Identify, Protect, Detect, Respond, and Recover” Functions. Each is divided into Categories, Subcategories, and Informative References.

Identify is divided into 5 Categories and 24 Subcategories, thus allowing an organization to get very granular in their assessment against this Function. There are too many Subcategories to cover in this series, so we’ll only focus on the 5 Categories. A detailed listing of all Functions, Categories, and Subcategories can be found in Appendix A of the NIST CSF Document (https://www.nist.gov/document-3766).

What is the purpose of the Identify Function? There’s a saying in Cybersecurity that says, “You can’t protect what you can’t see.” This helps explain why Identify is the first Core Function. You have to know what you are trying to protect. Identify helps you discover all hardware and software assets, but it doesn’t stop there. It covers nonphysical components that take into account your business/mission context, support resources, and your understanding of Risk. As such, Identify is divided into the following Categories:

• Asset Management: Identify Data, Personnel, Devices, systems, and facilities
• Business Environment: Identify and prioritize an organization’s mission, objectives, stakeholders, and activities
• Governance: Identify policies, procedures, and processes to manage and monitor regulatory, legal, risk, environmental, and operational requirements
• Risk Assessment: Identifies the cybersecurity risk to organizational operations
• Risk Management Strategy: Identifies priorities, constraints, risk tolerances, and assumptions used to make risk based decisions

Identify and the Digital Privacy Act:

In 2017, the Digital Privacy Act (DPA) will go into effect. The intent of the DPA is to encourage Canadian organizations to properly safeguard any private data they collect. Canadian organizations will be required to:

• Report any security breach involving private information to Canada’s Privacy Commissioner if it is “deemed to create real risk of significant harm”
• Notify all affected individuals “as soon as feasible”
• Maintain records of all security breaches

The CSF can be used by Canadian organizations to assess their cybersecurity knowledge, technical capability, and readiness to meet the legal requirements and avoid negative consequences for non-compliance with DPA.

If we look specifically at the Identify Function, we can see several potential ways it helps assess against the DPA. I use “potential” because it’s up to each organization to determine which Categories and Subcategories are important to their business needs. Following are some examples:

• Asset Management: If you don’t know where data is stored and which assets are involved, how will you know if there’s a breach? An improved Asset Management solution may be needed
• Governance: This is the Category that ensures an organization understands DPA and its requirements
• Risk Management Strategy: Do you know your tolerance for Risk as it pertains to DPA? Is there a process in place to manage that risk? 

Taking the time to review each Identify subcategory to determine if it will help you comply with DPA will create a “DPA Current Profile.” A Risk Assessment against those Subcategories will create a “DPA Target Profile,” which can then be used to guide your efforts to comply with the Identify components of DPA.

Up next…the Protect Core Function of the CSF. 

For more information on how to prepare for DPA, please visit: go.symantec.com/ca/dpa 

Symantec strives to have a positive impact in the communities where we operate. Together with the Symantec Foundation, we support nonprofits around the world through cash, in-kind donations, and employee volunteerism. In order to effectively pursue our philanthropic strategy, we identify organizations and philanthropic focus areas aligned with our key business priorities and objectives, which include online safety.  

For example, in FY16, Symantec awarded 26 grants totaling $2,585,900 to fight cybercrime and support online safety.

However, our impact must go beyond monetary donations. In 2015 alone, we saw a record setting total of nine megabreaches of personal data, and the reported number of exposed identities jumped to 429 million[1]. Cybercrime does not discriminate.  Whether young, old, tech savvy or not, strengthening individual online safety awareness ensures we can all benefit from technology in a safe and sustainable way.  

The activism, advocacy, and passion of employees on the ground is what enables us to transform our philanthropic strategy into tangible, real-world results. For example, through Symantec nonprofit partners and their own ambitions, our employees are constantly donating their time and expertise to serve as ambassadors of online safety, educating people of all ages, of all backgrounds how to spot and avoid everyday risks online.

For example, do you know why to treat your password like a toothbrush? Read our wrap-up of online safety activities to find out…

Pune and Common Sense Media Offer Online Safety Trainings  

Symantec nonprofit partner, Common Sense Media, recently presented a WebEx training on online safety for Pune and Chennai employees. Following the training, employees hosted a lively and engaging cyber security workshop for children ages 5-14 where they reviewed similar online safety modules, focusing on information relevant to the children. The children were enthusiastic, but also surprisingly aware and interested in cyber security.

Japan Celebrates Hour of Code

In partnership with Code for Everyone, Symantec Japan took part in the Hour of Code Japan 2016 Tokyo Expo as part of Computer Science Education Week presenting an Internet security class to parents, kids and educators.

Approximately 100 parents and children, and 120 educators visited the event, learning about computer programming and online safety. Symantec Japan presented more than 20 Internet security sessions to parents and educators. Additionally, the Norton team demonstrated the role of Norton products including parental control features and the Public Sales team held sessions for educators on key child online safety threats and solutions.

Saudi Arabia Delivers Online Safety Program to Families and Employees of Saudi Electricity Company

Saudi Arabia employees continued their partnership with Saudi Electricity Company, offering online safety education to employees and families of the country’s primary electric utility company. To date, more than 100 children ages 6-18 years, along with 52 Saudi Electricity Company employees have received the online safety presentation. Symantec plans to expand this program to schools in the region in 2017.

Symantec continues its partnership with Saudi Electricity Company providing online safety education to employees and their families.

Techbridge and Symantec Herndon Engage Young Females in STEM

Symantec’s Herndon, Virginia office supported the company’s partnership with TechBridge, which focuses on STEM education for girls in the 4th – 12th grades. Techbridge engages girls in STEM by encouraging them to discover a passion for technology, science and engineering through hands-on learning.

Throughout the visit, students took part in Symantec hands-on learning. They met with technical mentors, spoke with employees about a career in technology and cyber security, toured the Security Operations Center, and participated in an activity where they took apart (and in some cases, put back together) servers from a Symantec data center.

Cape Town Combines Soccer and Online Safety for Learning + Fun with Local Students

As part of Global Service Week employees from Symantec’s Cape Town office hosted approximately 40 high school kids from underserved areas as part of a joint activity incorporating soccer and discussing key online safety lessons.

Symantec Cape Town visits local high school students for a fun and engaging day of soccer and online safety education.

EMEA Offices Cut Back on Cyberbullying and Offer Impactful Online Safety Classes

Across EMEA, employees donated their time to educate customers and community members in online safety.

In the UK, employees worked with kids between the ages of 12-17 on a workshop demonstrating the possibilities presented by a career in IT. The workshop “You Don’t Have to be a Programmer to Work in IT” broke down common misconceptions about technology careers and opened the students’ eyes to the wide variety of skills and positions needed in IT.

Additionally, as employees continually report back, the team was amazed at the level of IT and cyber security knowledge the students showed. However, a simple online safety lesson proved to be a favorite. “Treat your passwords the way you treat a toothbrush – You DON’T share it, and should CHANGE it regularly”.

Symantec UK joins local students to offer a workshop on a “Career in IT”.

In Dublin, Symantec employees joined and presented at the annual Anti-bullying Fortnight for a primary school based in the North County educating 150 students on how to identify and stop cyber bullying.

In Dublin, students are eager to share their insights and questions as part of Symantec’s workshop on cyberbullying.

Additionally, in Paris 12 employees embarked on their first-ever volunteering initiative, presenting two online safety to over 90 pupils at Les Entretiens De L’excellence creation school.

Symantec Paris holds an online safety session for over 90 pupils at Les Entretiens De L’excellence creation school.

This is just the tip of the iceberg. Throughout the year, our employees across the world continue to educate our customers, communities, educators and youth on cyber readiness and online safety. In many cases, they have taken an individual effort and expanded it to a regionally recognized program.

At Symantec, we believe that together, we have the power to change the world and make it a better, safer place. However, we cannot achieve this alone; it takes a village. We look forward to bringing you more stories on our CR blog of how we continue to maximize impact through strategic partnerships with leading non-profits, monetary and product donations, and mobilizing employees’ time and talents.

Blog Feature Image: 

iStock-532641809.jpg

From phishing schemes and malware attacks to accidental and malicious data leaks, email threats are rampant, making email one of the most the most vulnerable channels for data loss. That’s why the need for effective email security has never been greater.

Complete Email Security for Office 365 and Gmail

Today, we’re excited to announce a new cloud data loss prevention (DLP) service for Symantec Email Security.cloud customers. Our DLP Cloud Service for Email leverages and enhances your existing investment in Email Security.cloud. It adds a powerful layer of data protection that strengthens your outbound email security for Microsoft Office 365 Exchange Online and Gmail.

With Email Security.cloud you’re already benefitting from our industry-leading protection against malware, spam and unwanted bulk email. This includes deep-link following technology that spots malicious embedded links and keeps them from ever reaching user mailboxes, and policy-based email encryption that can be automatically enforced without user intervention or disruption.

Now, you get the most complete cloud email security solution that goes beyond the basic compliance-driven security of Office 365 and Gmail.

Fast, Cloud-Based Implementation

If you’ve been on the fence about investing in DLP because of the potential complexity and cost, then it’s time to reconsider. We’ve made it easy to deploy and manage by building it in the cloud – 100% SaaS – and seamlessly integrating it with Office 365 and Gmail. Say goodbye to on-site software and hardware!

With the DLP Cloud Service for Email, you get a powerful, cloud-based content detection that rigorously examines all of your outbound email traffic for sensitive data. The service analyzes message content  – header, body, and metadata - and context in real-time before any data leaves Office 365 Exchange Online or Gmail. Multiple tiers of detection can identify sensitive content containing personally identifiable information, customer records, patient health information, intellectual property, and more. Our detection service leverages Symantec’s enterprise-grade DLP technology for highly accurate detection with minimal false positives. As a result, you’ll enjoy and maximum productivity and protection for you and your users.

The DLP Cloud Console makes it easy to manage content detection policies, investigate and remediate policy violations, and monitor what’s going on with a sleek design and a user-friendly interface. It’s fully cloud-based, so you don’t have to worry about installing and maintaining any software or servers!

Move Beyond Checkbox Security

The email security battle will rage on in 2017. The consequences of a data breach can be catastrophic: economic losses, reputational damage, and broken careers often follow in the wake of security strategies that just check off the boxes. Security built in to Office 365 and Gmail may meet compliance requirements but it won’t stop the most damaging assaults – you need serious protection from Symantec. With the most complete DLP solution and the industry’s best team watching your back, we are committed to defending you every hour of every day.

Availability

Symantec DLP Cloud Service for Email with the DLP Cloud Console is available today. Symantec Email Security.cloud customers can purchase it as a standalone service or bundled with the Symantec Email Safeguard service plan.

Learn more about what’s new at: DLP Cloud Service for Email | DLP

Blog Feature Image: 

NIST CSF to SYMC Mapping.jpeg

Co-authored by Ken Durbin, CISSP and Kevin McPeak, CISSP, ITILv3

(Continued from part four in our series on Canada's Digital Privacy Act, where we were discussing how NIST CSF can be tailored to assess against a specific requirement like the DPA.)

Now we move on to the Protect Function of the CSF. As with the other Functions, Protect is divided into Categories, Subcategories, and Informative References.

Protect consists of 6 Categories and 35 Subcategories, thus allowing an organization to get very granular in their assessment against Protect. Once again, we will not be able to cover the Subcategories in this series, but a detailed listing of all Functions, Categories and Subcategories can be found in Appendix A of the NIST CSF Document (https://www.nist.gov/document-3766).

What is the purpose of the Protect Function? According to NIST, Protect “supports the ability to limit or contain the impact of a potential cybersecurity event.” In other words, what people, processes, and technologies are in place to protect that which we have deemed critical to my business or mission? When you consider all you’re protecting (data, personnel, devices, systems, and facilities) it is easy to understand why it’s the largest of the 5 CSF Functions. Following are the 6 Categories of Protect and what they cover:

• Access Control: Ensuring people are who they say they are, and are allowed to access particular data, systems, facilities, etc.
• Awareness and Training: Enabling employees, partners, and suppliers to be part of your cybersecurity plan through education and training on policies, procedures, etc.
• Data Security: Data is managed according to company standards to mitigate risk, and protect its confidentiality, Integrity, and Availability.
• Information Protection Processes and Procedures: Ensure policies, processes, and procedures are in place to manage protection of information systems and assets.
• Maintenance: Information System components are being maintained and repaired
• Protective Technology: Security solutions are deployed to protect solutions according to established policy

Protect and the Digital Privacy Act:

The Digital Privacy Act (DPA) is designed to properly safeguard private data in Canada. Canadian organizations will be required to report data breaches, notify all affected individuals, and maintain relevant records of the breach.

The Protect Function has several potential ways it can help assess against the DPA. Remember, I use “potential” because it’s up to each organization to determine which Categories and Subcategories are important to their business needs. Following are some examples:

• Access Control: Preventing a data breach means keeping the bad guys out. Can you adequately control access? Do you have multi-factor authentication in place?
• Awareness and Training: A breach can also be caused by a “well intentioned” employee. Are they properly trained? Do you have a data loss prevention solution in place to prevent accidental misuse of data?
• Data Security: The bad guys are after the data. How well is it protected? Is it encrypted at rest AND in motion? Do you have a DLP solution to detect unauthorized access?

Putting it to use:

Taking the time to review each Protect subcategory to determine if it will help you comply with DPA will create a “DPA Current Profile.” A Risk Assessment against those subcategories will create a “DPA Target Profile” which can be used to guide your efforts to comply with the Protect components of DPA.

Symantec has solutions that align with both the CSF and DPA. We would be happy to discuss how we would be able to help you reach your Protect Target Profile.

Up next…the Detect Core Function of the CSF. 

For more information on how to prepare for DPA, please visit: go.symantec.com/ca/dpa 

Blog Feature Image: 

raiseyourvoice.png

Sad. Freak. Crybaby. Loser.

These words all sound pretty harsh, right? They do not feel very good to read here, but imagine them directed at you personally. In the world of child and teen online activity, these types of words can become all too familiar to the millions of children cyberbullied each year around the world.   

In the UK, fifty per cent of adolescents have been bullied, with six out of 10 of these victims of cyberbullying[1]. More than 1 in 5 (22%) of 8-17 year olds report that someone has posted an image or video to bully them[2]. Over a third of cyberbullying victims in the UK (37%) have never told their parents/guardians that they have been cyberbullied[3]. According to the Cyberbullying Research Center, in the United States the percentages of individuals who have experienced cyberbullying at some point in their lifetimes has nearly doubled (19% to 34%) from 2007-2016.

Furthermore, the Norton Cyber Security Insights Report[4], a survey of nearly 21,000 consumers globally, shows that nearly half (48 percent) of parents believe their children are more likely to be bullied online than at school in the playground. While the majority of parents implement proactive measures to keep their children safe online, such as limiting access to certain websites and apps (43 percent) or allowing Internet access only under parental supervision (40 percent), more than 1 in 10 (11 percent) do nothing. 

This year, to honor Safer Internet Day, Norton wants to help parents stop cyberbullying in its tracks through a campaign encouraging individuals and communities to #RaiseOurVoices against cyberbullying. In Norton’s free e-book “Cyberbullying – A Conversation Guide for Parents and Kids”, the company provides parents and kids guidance on how to identify the signs of cyberbullying, empower themselves to start a conversation with their children and establish “netiquette” when the time is right.

According to the guide, some notable signs of cyberbullying amongst children include:

• Appearing nervous when receiving a text/online message or email or begin avoiding their devices or using them excessively
• Making excuses to avoid going to school, acting up at school or their grades begin to decline
• Becoming defensive or secretive about online activity or deleting social media accounts
• Withdrawing from friends and family
• Physical symptoms such as trouble sleeping, stomach aches, headaches, and weight loss or gain
• Appearing particularly angry, frustrated or sad, especially after going online/checking devices

So how can parents keep their children safe online to avoid and discourage engagement in cyberbullying?

1. Set your family netiquette: Establish a set of guidelines for how your children use technology, also known as online etiquette. These guidelines may include how much time they spend online, the websites that are safe to use or what language is appropriate when chatting.
2. Establish clear boundaries and open communication: Create a set of House Rules for children’s online communication, downloading, websites they visit, and cyber harassment. A decrease in negative online experiences is closely linked to households where there is an open dialogue with children about online safety.
3. Educate: Teach young children to use strong and unique passwords across all their accounts and never to share passwords, even with their friends. Direct them to fun and engaging educational materials such as this online safety quiz from the UK Safer Internet Center.  
4. Highlight the risks: Discuss the risks of posting and sharing private information, videos, and photographs, especially on social media websites. Everything posted online is a digital footprint for children and can be challenging to completely erase. Parents should help children avoid posting content that will compromise their security or which they may regret when they are older.
5. Walk the talk: Children are likely to imitate their parents’ behaviour, so parents are encouraged to lead by example and show their children how to safely surf online.
6. Encourage kids to think before they click: Whether they are browsing online videos, receiving an unknown link in an email or encountering banners/pop-ups while surfing the web, remind your children not to click on links that may take them to dangerous or inappropriate sites. Clicking unknown links is a common way devices are infected with malware and can reveal private and valuable information to criminals.
7. Protect: Use a robust and trusted security software solution, such as Norton Security, for all household devices - from tablets to smartphones, laptops and desktops.
8. Communicate: Most importantly, encourage and maintain an open and ongoing dialogue with your children on Internet use and experiences.

“Parents play a critical role in educating their children on the boundaries for acceptable and safe internet behaviours. An open dialogue about online experiences is the first step in protecting children online. The internet is a valuable resource for children’s development, and our children today don’t know a world without it. Preventing children from going online is not necessarily the answer, we encourage parents to establish house rules on internet usage based on their age and talk to their children about their online experiences.” - Nick Shaw, Vice President, Consumer Business Unit, Symantec.

Cyberbullying can be a challenging topic to talk about, but it doesn’t have to be. If we all – parents, children, friends, families, professionals – continue to #RaiseOurVoices we can work towards a common goal of protecting our children and stopping cyberbullying in its tracks.

In addition to Norton’s e-book guide on cyberbullying, the company created magnets for students to take home and help establish family guidelines to protect themselves online.

Blog Feature Image: 

worldpoints_bluearc.jpg

Integration with Splunk

Symantec Advanced Threat Protection (ATP) customers who are using Splunk as their SIEM tool can now take advantage of the free Symantec ATP app on the Splunk’s app store. They can export threat events across their ATP sensors to Splunk®. A default security dashboard is made available for ATP Splunk users to get a glance of all threat events. Meanwhile, customers can also create and customize a security dashboard in Splunk easily by leveraging the rich threat data from Symantec ATP. They can drill down to see any file hash that is related to a specific incident and do ad hoc queries via Splunk.

If customers have multiple Symantec ATP modules, they may also filter ATP events via Splunk console by different search fields, such as endpoint, network, email, or roaming events. In addition, the Symantec ATP Adaptive Response Add-on for Splunk would allow incident responders to blacklist or remediate malicious files and isolate compromised endpoints directly from the Splunk management console, allowing visibility into multiple control points and automating IR response tasks.

Key feature enhancement in the latest release

• Enhanced Rules for Incident Creation- Customers can now easily identify incidents based on: 1) Detections of malicious file that has not been remediated at the endpoint 2) Sandbox detections of any malicious file 3) Communication with known malicious or Command and Control sites

• Improved performance for ATP: Email- See email details and correlations immediately. Incidents and events will be created without any delays.

• Improved Detection of Suspicious Files- Symantec continuously fine tune our machine learning algorithm to  improve identification of suspicious files

• Ability to submit and detect malware in RTF files via Cynic sandbox- Customers can now submit RTF files for sandboxing as they are a common document file type

For more information, visit: http://atp.symantec.com

Resource:

Download ATP Datasheet: Splunk & ServiceNow Integration

Download ATP: Platform Datasheet

Symantec Advanced Threat Protection 2.3 Release Note

Blog Feature Image: 

SecureOne Blog.jpg

As part of our company integration, we are bringing two separate partner programs into one rock-solid program designed to give partners more opportunity for growth and profitability.  

This spring, Symantec Secure One, will be even easier to navigate based on two competencies – Core Security and Enterprise Security – for our combined enterprise portfolio. Partners will have a huge opportunity to cross-sell and up-sell, providing our mutual customers with leading solutions to solve the world’s biggest cyber security problems. 

Other key initiatives include transitioning Opportunity Registration to a front-end discount only, which ensures that the financials of doing business with Symantec will be more predictable moving forward. We’re also creating new opportunities to earn with a Platinum Performance Rebate, Renewal Incumbency, and by enabling partners to submit an unlimited number of activity proposals for Symantec Partner Development Funds.

We’ll have more details to share in the upcoming months. In the meantime, I encourage you to visit go.symantec.com/secureone where we’ll continue to share updates as we gear up to launch our partner portal.

With a $30 billion dollar opportunity in cyber security, we will see massive growth potential in our industry this year. We’re excited about this new era for our company, our partnership and our program, and we look forward to defining the future of cyber security, together.

Blog Feature Image: 

NIST CSF to SYMC Mapping.jpeg

Co-authored by Ken Durbin, CISSP and Kevin McPeak, CISSP, ITILv3

(Continued from part five in our series on Canada's Digital Privacy Act, where we were discussing how NIST CSF can be tailored to assess against a specific requirement like the DPA.)

Up next is the Detect Function of the CSF. As with the other Functions, Detect is also divided into Categories, Subcategories, and Informative References.

Detect consists of 3 Categories and 18 Subcategories, allowing an organization to get very granular in their assessment against the Detect Function. This series doesn’t cover the Subcategories in detail, however a full listing of all Functions, Categories, and Subcategories can be found in Appendix A of the NIST CSF Document (https://www.nist.gov/document-3766).

What is the purpose of the Detect Function? According to NIST, Detect “enables timely discovery of cybersecurity events.” In other words, what got through the Protection Mechanisms you implemented in the Protect Function? The word “timely” is key. To reduce the severity of a cyber event you need know as rapidly as possible that something got through your defenses. Not to get ahead of myself, but a strong Detect implementation makes the Respond Function (see next blog) much more effective.

Following are the 3 Categories that make up Detect:

• Anomalies and Events: Anomalous activity is detected in a timely manner and the potential impact of events is understood.
• Security and Continuous Monitoring: The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
• Detection Processes: Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.

Detect and the Digital Privacy Act:

The Digital Privacy Act (DPA) is designed to properly safeguard private data in Canada. Canadian organizations will be required to report data breaches, notify all affected individuals in a timely manner, and maintain relevant records of the breach.

The Detect Function has the potential to play a critical role in preparing for DPA compliance. Remember, I use “potential” because it’s up to each organization to determine which Categories and Subcategories are important to align with their unique business needs. Keep in mind, at the heart of DPA is an organization’s ability to detect a breach and notify the Government and affected individuals as soon as possible.

• Anomalies and Events: Are you prepared to collect and analyze data from multiple control points to detect a security event? Are you utilizing a platform that allows correlation between the Endpoint, Network, and Gateway?
• Security and Continuous Monitoring: Do you have the ability to monitor key assets 24/7/365? Have you considered a Managed Security Service (MSS) to supplement your capabilities?
• Detection Processes: To stay on the right side of DPA, you have to know about a breach as soon as possible (and before you learn about it on the news!) and follow the proper disclosure requirements. Are you utilizing Data Loss Prevention (DLP) to detect inappropriate access to your data (and prevent exfiltration) wherever it resides?

Putting it to use:

Taking the time to review each Detect subcategory to determine if it will help you comply with DPA will create a “DPA Current Profile.” A Risk Assessment against those subcategories will create a “DPA Target Profile,” which can be used to guide your efforts to comply with the Detect components of DPA.

Symantec has solutions that align with both the CSF and DPA. We would be happy to discuss how we would be able to help you reach your Detect Target Profile.

Up next…the Respond Core Function of the CSF. 

For more information on how to prepare for DPA, please visit: go.symantec.com/ca/dpa