Articles on this Page
- 05/24/17--14:46: _Shady TLD Research:...
- 05/25/17--01:35: _Data Center Securit...
- 05/25/17--09:37: _7 Must-Haves for Yo...
- 05/26/17--07:50: _Celebrating Asian P...
- 05/29/17--17:28: _新しい DLP システムに求められる条件とは
- 05/24/17--15:16: _Harnessing the Cybe...
- 05/30/17--10:36: _Hack Attack: How to...
- 05/30/17--22:41: _Symantec CloudSOC C...
- 05/30/17--22:57: _Symantec Content An...
- 05/31/17--05:58: _Bachosens: Highly-s...
- 05/31/17--18:37: _Office 365 にメールを移行す...
- 05/31/17--19:10: _Bachosens：不为人知的高技术网...
- 05/31/17--19:16: _Cloud Workload Prot...
- 06/01/17--05:59: _Financial malware m...
- 06/01/17--06:00: _Uncovering the Next...
- 06/01/17--15:09: _Advancing Corporate...
- 06/01/17--16:04: _Symantec’s Response...
- 06/02/17--02:53: _Bachosens を使う軽微なサイバ...
- 06/02/17--10:42: _Throwing Sand at th...
- 06/02/17--11:10: _Building Subscripti...
- 05/24/17--14:46: Shady TLD Research: .Mom and our Q1 Wrap-up
- 05/25/17--01:35: Data Center Security Server Advanced は WannaCry も遮断
- システムでマルウェアが投下される、または実行されるのを防ぐ IPS ポリシー
- インバウンド SMB トラフィックを遮断する機能
- あるいは、ターゲット型 IPD ポリシーを適用する IPS 機能をフルに使って、WannaCry マルウェアの実行を遮断
- Java Console で、Windows 6.0 ポリシーを編集する
- ［Advanced］ -> ［Sandboxes］の順にクリックする
- ［Kernel Driver Options］で、［Edit］をクリックする
- ［Network Controls］に移動する
- ［Action］: Deny、［Protocol］: TCP と UDP の両方、［Local Port］: 137、［Remote IP］: 任意、［Remote Port］: 任意
- ［Action］: Deny、［Protocol］: TCP と UDP の両方、［Local Port］: 138、［Remote IP］: 任意、［Remote Port］: 任意
- ［Action］: Deny、［Protocol］: TCP と UDP の両方、［Local Port］: 139、［Remote IP］: 任意、［Remote Port］: 任意
- ［Action］: Deny、［Protocol］: TCP、［Local Port］: 445、［Remote IP］: 任意、［Remote Port］: 任意
- ［Action］: Deny、［Protocol］: TCP と UDP の両方、［Local Port］: 任意、［Remote IP］: 任意、［Remote Port］: 137
- ［Action］: Deny、［Protocol］: TCP と UDP の両方、［Local Port］: 任意、［Remote IP］: 任意、［Remote Port］: 138
- ［Action］: Deny、［Protocol］: TCP と UDP の両方、［Local Port］: 任意、［Remote IP］: 任意、［Remote Port］: 139
- ［Action］: Deny、［Protocol］: TCP、［Local Port］: 任意、［Remote IP］: 任意、［Remote Port］: 445
- ［Advanced］ -> ［Global Policy Options］の順にクリックする
- ［Network Controls］に移動する
- ［Action］: Deny、［Protocol］: TCP と UDP の両方、［Local Port］: 137、［Remote IP］: 任意、［Remote Port］: 任意、［Program Path］: *
- ［Action］: Deny、［Protocol］: TCP と UDP の両方、［Local Port］: 138、［Remote IP］: 任意、［Remote Port］: 任意、［Program Path］: *
- ［Action］: Deny、［Protocol］: TCP と UDP の両方、［Local Port］: 139、［Remote IP］: 任意、［Remote Port］: 任意、［Program Path］: *
- ［Action］: Deny、［Protocol］: TCP、［Local Port］: 445、［Remote IP］: 任意、［Remote Port］: 任意、［Program Path］: *
- ［Action］: Deny、［Protocol］: TCP と UDP の両方、［Local Port］: 任意、［Remote IP］: 任意、［Remote Port］: 137、［Program Path］: *
- ［Action］: Deny、［Protocol］: TCP と UDP の両方、［Local Port］: 任意、［Remote IP］: 任意、［Remote Port］: 138、［Program Path］: *
- ［Action］: Deny、［Protocol］: TCP と UDP の両方、［Local Port］: 任意、［Remote IP］: 任意、［Remote Port］: 139、［Program Path］: *
- ［Action］: Deny、［Protocol］: TCP、［Local Port］: 任意、［Remote IP］: 任意、［Remote Port］: 445、［Program Path］: *
- Java Console で、Windows 6.0 の Basic または Hardened ポリシーを編集する
- ［Advanced］ -> ［Global Policy Options］の順にクリックする
- ［Global Policy Lists］で、［List of processes that services should not start [global_svc_child_norun_list]］を編集する
- ［Entry in parameter list］ダイアログが開く
- ［Program Path］に「*」を入力する
- ［File Hash］で、右側にある［...］ボタンをクリックする
- ［File Hash Editor］ダイアログで［Add］をクリックする
- ［File Hash Editor］ダイアログで［OK］をクリックする
- 05/25/17--09:37: 7 Must-Haves for Your Next DLP System
- Fingerprinting structured data sources
- Using fingerprinting techniques to uncover confidential information in unstructured data (such as Microsoft Office documents, PDFs and JPEGs)
- Looking for matches between keywords, expressions, patterns and file properties
- Define data loss policies
- Review and repair any incidents
- Conduct basic system administration across all endpoints, mobile devices, cloud services and on-premises systems
- Local scanning, detection and real-time monitoring for a variety of events across a range of operating systems
- Monitoring of confidential data that is being copied, downloaded or transmitted between laptops and desktops, whether it involves applications, email, cloud storage or removable storage
- Multiple scanning options (such as idle and differential scanning) to increase performance, and pop-up notifications in the event of a policy violation to help ensure endpoint users are fully protected
- The first step is a rigorous scan of databases, network file shares and other repositories, using cutting-edge technology that recognizes hundreds of different file types based on the binary signature of the file.
- Any exposed files detected are automatically secured, including quarantining or moving files, or applying policy-based encryption and digital rights to specific files.
- Custom file remediation options — and easy integration with third-party security solutions — are also key features.
- The most comprehensive DLP solution on the market
- A fully integrated system that protects your information wherever it lives—in the cloud, on mobile devices and in your data centers
- An industry innovator, named Leader and positioned highest in execution and furthest in vision in the 2016 Gartner Magic Quadrant for Data Loss Prevention
- 05/29/17--17:28: 新しい DLP システムに求められる条件とは
- 05/24/17--15:16: Harnessing the Cyber Eco-System
Enhance current security investments: A good example is utilizing the Symantec SSL Visibility Appliance to inspect SSL/TLS encrypted traffic that can be used by existing advanced threat or malware detection products. Without this, >70% of traffic would never be inspected.
Maintain a stronger security posture: A good example is utilizing the ProxySG/Content Analysis to pre-filter all potential bad web traffic before it must be sent for deeper level inspection, such as sandboxing. This dramatically improves the performance of the current installed sandbox/ATP systems.
Improve productivity: If the SOC team uses Splunk, Symantec has built a unified App to consolidate all data into one place from SEP/ATP/ProxySG, Security Analytics, WAF and more. This helps the analyst find a problem fast with direct access to Symantec systems to further validate or investigate.
- 05/30/17--10:36: Hack Attack: How to Stop Syrian Terrorists
- 05/30/17--22:41: Symantec CloudSOC CASB、Workplace by Facebook の安全な利用をサポート
- 05/30/17--22:57: Symantec Content Analysis 2.1: 検出と予防がさらに進化
攻撃ポイントが増える: シングルポイントの検出ツールは、高度な標的型の手法を用いる動的な Web 攻撃に対する備えとしては有効ではありません。
- 05/31/17--18:37: Office 365 にメールを移行する前に、適切なセキュリティ保証の確認を
- 05/31/17--19:10: Bachosens：不为人知的高技术网络罪犯野心勃勃，将目标瞄准各大型机构
- 05/31/17--19:16: Cloud Workload Protection Launches on AWS Marketplace
- 06/01/17--05:59: Financial malware more than twice as prevalent as ransomware
- 06/01/17--15:09: Advancing Corporate Social Responsibility in India
- 06/01/17--16:04: Symantec’s Response to Google’s subCA Proposal
- Symantec will modernize their platform and PKI dedicated to website certificate issuance. Symantec has previously posted that this in their current roadmap, and we require that the modernized platform adheres to best practices for CAs in security, design, and process as part of that modernization process.
- Until the modernized platform is ready and accepted into major trust stores, certificates would need to be issued through one or more independently operated third-party CAs (aka “Managed CAs”) that Symantec would partner with.
- The Managed CAs could be cross signed by an agreed upon set of existing Symantec roots, to take advantage of the existing roots' ubiquity in trust stores.
- EV certificates can be issued by Managed CAs, provided that they meet the validation requirements.
- Validity period of new certificates can be up to 39 months, or to the maximum allowed by Chrome for all CAs (currently specified in the Baseline Requirements and EV Guidelines), provided that a Managed CA fully revalidates the information. During a bridge period, Managed CAs can reuse existing validation information but lifetimes must be limited to 13 months.
- Existing certificates issued on or after June 1st 2016 would still be trusted, provided they comply with the Chrome CT policy. EV certificates issued on or after this date will continue to be granted EV treatment.
- Existing certificates issued before June 1st 2016 would go through a phased distrust based on notBefore dates.
- Chrome will offer an Enterprise Policy to allow older certificates to be trusted to help with migration to the new PKI.
- 2017-08-08 - Certificates must be issued by the Managed CA, but can re-use existing validation information (up to the limits imposed by the Baseline Requirements).
- 2017-11-01 - Certificates must be issued and have domains revalidated by the Managed CA, but can use re-use existing organization validation information (up to the limits imposed by the Baseline Requirements).
- 2018-02-01 - Certificates must be issued and have all validation performed by the Managed CA.
- In order to ensure that the expected bar is set in terms of issuance, validation and availability, we are in the midst of a rigorous RFP process which will include detailed diligence for potential SubCAs in terms of controls and compliance performance.
- Post-RFP, partnering requires Symantec to work with competitors and establish business relationships that are acceptable to all parties.
Symantec is currently the single largest issuer of OV and EV certificates, as reported by Netcraft. Potential partners (our existing competitors) may not have built out their infrastructure to handle the capacity increase they would experience with serving Symantec’s existing demand. The buildout of infrastructure and authentication capabilities will require ramp-up time. Based on conversations held so far, this ramp up time may be greater than 4 months. Additionally, Symantec serves certain international markets that require language expertise in order to perform validation tasks. Any acceptable partner would also need to service these markets. Executing on a subCA plan would therefore require us to go down one of two paths:
- Establish several relationships with multiple CAs which would require multiple contract negotiations and multiple technical integrations.
- Partner with a single SubCA, which would require such CA to build up the compliant and reliable capacity necessary to take over our CA operations in terms of staff and infrastructure.
- SubCA partners would need to potentially revalidate over 200,000 organizations in full, in order to maintain full certificate validity for OV and EV certificates – this would increase the immediate capacity required for these partners and put the timing proposed by Google at risk. As an example, full review of our Latin American partners, and full revalidation of CrossCert’s active certificate issuances has been time intensive. Applying significant resources and performing the checking and revalidation for the approximately 30,000 certificates (with far fewer organizations) issued by our former SSL/TLS RA partners has taken over 4 months. The practical revalidation effort for under this proposal should not be underestimated.
- We anticipate that designing, developing, and testing new auth/verif/issuance logic, in addition to creating an orchestration layer to interface with multiple subCAs will take an estimated 14 calendar weeks. This does not include the engineering efforts required by the subCAs, systems integration and testing with each subCA, or testing end-to-end with API integrated customers and partners, although some of this effort can occur in parallel.
- On 2017-08-31, no longer trust any certificate whose notBefore was prior to 2015-06-01. This corresponds with an expected Chrome 62 date.
- On 2018-01-18, no longer trust any certificate whose notBefore was prior to 2016-06-01. This corresponds with an expected Chrome 65 date.
- These sub-CAs must be operated by a non-affiliated organization that operates roots currently trusted in the Android and Chrome OS trust stores that have been trusted for a period of at least two years.
- The non-affiliated organization must accept full responsibility for the operation of these sub-CAs and agree that any misissuance from these sub-CAs will be treated as if it was misissuance from any of the other CAs the organization operates. Similarly, any misissuance from the other CAs the organization operates will be treated as if it was misissuance from these sub-CAs. Because the basis for trust in these intermediates will be based on chaining to the existing Symantec root certificates, rather than to a different organization’s CA certificates, Symantec must also accept responsibility for the operation of these sub-CAs and agree that any misissuance from these sub-CAs will be treated as if it was misissuance from any of the other CAs that Symantec operates.
- Symantec and its affiliates must not participate in any of the information verification roles permitted under the Baseline Requirements, such as Delegated Third Parties, including that of Enterprise RAs, or as Validation Specialists. That is, the non-affiliated organization bears full responsibility to perform all information verification controls related to the issuance of the certificates. Symantec and its affiliates may, however, seek to collect and aggregate all of the information as part of the Certificate Request process in order to expedite and simplify the verification process.
- These sub-CAs must not be used to certify any Symantec-operated or -controlled CAs, but may themselves be certified by existing Symantec-operated or -controlled CAs. That is, they can be cross-signed by the existing infrastructure, but they must not cross-sign any of the existing infrastructure or certificates.
- No Delegated Third Parties shall be used to perform the information verification functions of domain verification (Section 22.214.171.124 of the Baseline Requirements) or IP address verification (Section 126.96.36.199 of the Baseline Requirements)
- The Certificate Policy and Certification Practice Statements (CP/CPS) for the sub-CAs may use Symantec’s domains for purposes of CAA verification, as they are operating on behalf of Symantec.
- Within 90 days of the first certificate being issued by any of these sub-CAs, the operating organization shall provide a Period of Time audit report according to the “Trust Service Principles and Criteria for Certification Authorities” and the “WebTrust Principles and Criteria for Certification Authorities - SSL Baseline with Network Security.” If Symantec desires for these sub-CAs to be recognized as capable of issuing EV certificates, Symantec shall also provide a “WebTrust Principles and Criteria for Certification Authorities - Extended Validation SSL.” All audits shall use the current version of the criteria appropriate for the audit engagement date. The period of time must include the moment of the Key Generation Ceremony, must not exceed 120 days in duration, and must not be less than 30 days in duration. Note that 90 days represents when the report shall be provided, not the end of the period of time.
- The audit report scope must include all Principles and Criteria and include all locations in which the key material exists. If a Principle or Criteria is excluded from the scope due to the non-performance of that function, the audit report and management’s assertion letter must attest that no organizations, including the operating organization, performed that role or function for the Period of Time under audit.
- An unbroken sequence of such audit reports shall be posted publicly and provided to Google no more than 90 days after the conclusion of the audit period. For the first year following the issuance of the first certificate, the audit period shall not exceed 90 days. For the second year, the audit period shall not exceed 6 months. For third and subsequent years, the audit period shall not exceed 12 months.
- Any and all subordinate CAs certified by these sub-CAs must be covered by the same CP/CPS, management’s assertion, and audit reports as the sub-CA itself. That is, any sub-CAs beneath these sub-CAs must be part of the same infrastructure and operation of the non-affiliated organization.
- In order to be trusted, issued certificates must be “CT Qualified”, as defined in the Certificate Transparency in Chrome Policy.
- Each certificate must clearly identify the degree of information that has been revalidated. To accomplish this, we propose that Symantec make use of three newly-defined OIDs, to be allocated by Symantec, and to be placed within the Certificate Policies extension, with a distinct OID for each of the following scenarios:
- Issued on new infrastructure, but reusing existing information previously validated or obtained by Symantec.
- Certificates bearing this policy OID MUST NOT be valid for longer than 400 days.
- Issued on new infrastructure, with domain information having been validated by the organization operating the Managed CA for Symantec, but containing and reusing organizational information validated previously by Symantec.
- Certificates bearing this policy OID MUST NOT be valid for longer than 400 days.
- As DV certificates do not contain organization information, no DV certificates should bear this policy OID.
- Issued on new infrastructure, with all information contained having been validated by the organization operating the Managed CA for Symantec.
- Certificates bearing this policy OID MUST NOT be valid for longer than the maximum time permitted by Chrome for all CAs at the time of issuance, which is currently defined within the CA/Browser Forum’s Baseline Requirements.
- Issued on new infrastructure, but reusing existing information previously validated or obtained by Symantec.
- Until such a time as Symantec’s new infrastructure has been accepted as trusted for TLS server certificate issuance in the root stores used by the Stable version of Chrome on the most recently released, generally available version of the supported OS platform Chrome is running on, the sub-CAs must continue to be operated according to the requirements outlined here.
- At this time, this includes the root stores of Microsoft (Chrome on Windows), Apple (Chrome on macOS and Chrome on iOS), Mozilla (Chrome on Linux) and Google (Chrome on Android and Chrome on Chrome OS). And would include any future Google root store program used by Google products and services.
- In continued collaboration with CPA Canada and the WebTrust Task Force in determining the feasibility and appropriateness of such reports, as part of the determination for acceptability of the new infrastructure, Symantec may be requested to provide a report on controls at the Certification Authority that includes a description of the auditor’s tests of controls and results, covers a period of time, and includes a description of the system. The intended users of the report must include persons who assist in decisions related to the trusted status of Certification Authorities within Chrome and Google products.
- 06/02/17--02:53: Bachosens を使う軽微なサイバー犯罪: 高いスキルで大企業を狙う野心を持ちながら、儲けはわずか
- 06/02/17--10:42: Throwing Sand at the Cloud Pays Big Security Dividends
- Superior detection rates across the range of tested threats
- Superior malware database fed by the largest real-time intelligence feeds in the industry
- Exceptional detection of evasion techniques
- More options for anti-malware engines and sandboxing techniques
- Termination of traffic
- Multi-vendor open eco-system
- Single vendor approach
- Easy to bypass
- Indicator of Compromise (IoC) verification, blacklisting, and remediation
- Flexible policy enforcement – acceptable use and risk mitigation
- Universal policy shared between on-premise appliances and the cloud
- Market-leading URL classification/categorization
- SSL Decryption
- Shadow IT visibility and control
- Largest civilian threat intelligence network in the industry
- Multiple malware scanning engines
- Dual-detection (VM & emulation) sandboxing
- Comprehensive reporting and visibility
- Proxy/Web Security Services
- Information Protection
- Cloud Workload Protection (IaaS)
- Endpoint Protection
- If you choose on-premise for your entire organization consider ProxySG + Content Analysis + Malware Analysis for dedicated sandboxing
- If you choose a hybrid approach for your primary locations/users, consider ProxySG + Content Analysis + cloud-assisted sandboxing. For remote locations/users, consider Web Security Services + Malware Analysis sandboxing
- If you want to move your entire organization to the cloud, choose Web Security Services + Malware Analysis sandboxing
Flexibility to buy and consume the best combinations of products and services
Simplified pricing and licensing
Reduction in manual touch via the automation of the end-to-end process
Improved operational and management reporting
A better overall customer experience
The flexibility to build the platform using industry best practices
The opportunity to maximize revenue through significantly higher customer lifetime value
The opportunity to realize cost savings by decommissioning multiple, duplicative solutions and consolidating disparate lines of subscription business onto a single platform
The end-to-end ecosystem comprises 27 interlinked applications within a well-integrated stack and collectively reduces subscription creation and provisioning from days to just minutes.
Price lists have been simplified from hundreds of pages to a single page, leading to a greater than 90 percent SKU reduction.
Automated order processing has moved from barely 10 percent zero touch, to over 90 percent zero touch. Additionally, Symantec has partnered with several leading channel partners to effectively market our cloud-based security solutions. This was made possible by developing several (reusable) partner APIs that allow us to interface with multiple partners, increasing the revenue generating capabilities of the platform.
Each work stream consisted of an IT lead and a business counterpart jointly working together to identify key priorities and deliverables
The development life cycle for some teams was managed using agile methodology, while other teams subscribed to a more traditional waterfall approach. Yet others chose a hybrid approach with key elements of both methodologies.
The teams outsourced development as needed, but made a conscious decision to keep design and architectural oversight within Symantec. This reinforced the objective of building the platform from the ground up. (As the platform matures, we are moving toward a fully agile program, aligned across all development and business groups.)
[This is the 20th post in our series on Shady Top Level Domains (TLDs). Links to the previous posts in the series are found at the bottom of the page.]
There was a bit of shuffling in the order of the Top Ten Shady TLDs in the first quarter, but no major surprises. (.Racing moving in and .men dropping out isn't a very big change. The big mover within the list was .loan, jumping from eighth place to second.)
|Rank||TLD||Percentage of Shady Sites *|
* As of late March, 2017. Shady Percentage is a simple calculation: the ratio of "domains and subdomains ending in this TLD which are rated in our database with a 'shady' category, divided by the total number of database entries ending in this TLD". Shady categories include Suspicious, Spam, Scam, Phishing, Botnet, Malware, and Potentially Unwanted Software (PUS). Categories such as Porn, Piracy, and Placeholders (for example) are not counted as "shady" for this research.
My off-the-cuff interpretation of this lack of real movement is that there are so many shady TLDs readily available to the spammers, scammers, and other criminals, that they don't need to aggressively explore using new TLDs...
First .Christmas, Next .Mom (Is nothing sacred?)
Back in December, we profiled abuse of the .Christmas TLD. This month, we're going to take a look at what's going on with .Mom. That's right, the Bad Guys are messin' with yo' mama!
From the all-time stats for .mom above, it looks pretty bad. However, a different picture emerges when looking at recent traffic:
|Category||Count (and %)|
|Piracy Concern||4 (20%)|
|Personal Sites/Blogs||2 (10%)|
|Society/Daily Life||1 (5%)|
Why only 20 sites? Because that's all there was in a recent week of worldwide traffic.
By our strictest standard of shadiness (the same categories as used in our "all time" calculations), .mom is only 50% shady recently -- not that bad, among the shady TLDs we've profiled.
Even adding in the "borderline" shadies (Piracy and Placeholders), that's only 75% shady.
Bottom line? It's probably not worth your time to blanket-block .mom sites, at least in current traffic. (Let the pros pick out the bad ones.)
But we can't stop there, because we need to reconcile the historic 99% shadiness with the recent lower ratio. What's the explanation?
Well, jumping back a bit, to earlier in the year (January), there were a lot more .mom domains in the traffic (over a thousand during that month), and the vast majority of them were flagged as Malware. So .mom was a lot busier (and a lot shadier) then...
P.S. For easy reference, here are the links to the earlier posts in our "Shady TLD" series:
2017 年 5 月 12 日、WannaCry（別名 WCry）というランサムウェアによる大規模なサイバー攻撃の発生が、公式にいくつも報じられました。WannaCry の標的となって被害を受けたユーザーは、世界各国に及んでいます。
Symantec Data Center Security: Server Advanced（DCS:SA）IPS は、WannaCry ランサムウェアに対する保護機能を備えています。Symantec DCS:SA Windows 版 6.0 では 3 レベルすべてのポリシー（Basic、Hardening、Whitelisting）によって、また 5.2.9 ではすべてのポリシー（Limited Execution、Strict、Core）によって、ランサムウェアが悪質な実行可能ファイルを投下できないようになっているからです。
WannaCry について詳しくは、WannaCry 発生に関するシマンテックの特設ページを参照してください。
1. Windows のセキュリティ更新 MS17-010 がインストールされているコンピュータは、WannaCry に対して安全です。
2. DCS:SA には、上記のパッチをインストールしていないコンピュータで WannaCry に備える以下の保護機能があります。
お客様のシステムで、SMB も Windows のネットワークファイル共有機能もお使いでない場合、特に外部と接するサーバーの場合は、ネットワーク攻撃の対象領域を減らすために、保護ポリシールールを設定して SMB ネットワークトラフィックを遮断することをお勧めします。カーネルとグローバルネットワークのルールを編集するだけなので、簡単です。
既定で提供される保護機能に加え、実行可能なハッシュをグローバルな No-run リストに追加すると、WannaCry ランサムウェアの既知の亜種はすべて、実行されても遮断されます。ハッシュをリストに追加する手順は、次のとおりです。
Symantec Embedded Security: Critical System Protection を使っている場合
SES:CSP で、WannaCry の保護機能が提供されています。詳しくは、https://support.symantec.com/ja_JP/article.TECH246385.htmlを参照してください。
WannaCry についてシマンテックがお届けしている詳しい情報については、WannaCry ランサムウェアに関する特設ページをご覧ください。
It's a familiar refrain: Cloud services and mobile devices have made safeguarding company data trickier than ever before. Sensitive information now travels far beyond the relative safety of in-house networks into consumer cloud storage services where it's accessed by employees using unsecured mobile devices.
This growing complexity, combined with highly motivated cybercriminals, has made managing and protecting corporate data increasingly challenging. That’s why the number of data breaches continues to rise. According to reports from IT Governance, the number of records leaked reached 3.1 billion in 2016—33 times more than in 2015.
So, what can your organization do to minimize the risk of data loss and theft? Implementing an advanced data loss prevention (DLP) system is a step in the right direction—but before you pick a solution, you need to know what to look for. Below, we’ve identified seven key features to help you find the right DLP system for your organization.
1. Increase your visibility with content-aware detection.
One of the cornerstones of sound security is the ability to detect, with great accuracy, all of the confidential information in your organization — whether that information is at rest, in use, or in motion.
By employing an advanced DLP system with content-aware detection capabilities, you can identify confidential data stored virtually anywhere and in any format, while greatly reducing false positives. An advanced DLP does this by:
For example, you could generate a policy to identify only credit card numbers in your customer base, thus ignoring your own employees’ purchases.
Additionally, the most advanced DLPs employ vector machine learning to protect intellectual property that may be challenging to describe due to subtle characteristics (think source code or financial reports). This type of rare or difficult-to-describe content is detected using the statistical analysis of unstructured data to compare it to similar content or documents.
2. Stay in control with a system that lets you define and enforce policies across an entire environment.
These days data is dispersed across a variety of devices and storage environments, so it’s imperative that organizations be able to consistently define and enforce policies.
The best DLP solutions combine a unified management console with a business intelligence reporting tool, giving you the ability to write policies and enforce them everywhere while reducing information risks. This setup allows you to:
The best solutions also provide a robust analytics tool that allows for ad hoc analysis and advanced reporting. Users can extract and summarize system data to create highly valuable reports and scorecards for various organizational stakeholders.
These features ensure consistent policy application, giving you the ability to take action, when the need arises, to safeguard sensitive data.
3. Promote secure collaboration with strong protection and monitoring for cloud-based storage and email.
The cost savings and added flexibility offered by cloud migration are enticing benefits. Yet it's critically important to reap these rewards without compromising your visibility and control of sensitive business data.
That's why the most sophisticated DLP solutions give you enterprise-grade protection and monitoring for cloud-based storage and email. These features promote secure collaboration among employees while offering deep visibility into files that users store and share on applications like Box.
For example, users can tap into powerful content discovery tools to quickly scan Box Business and Enterprise accounts in an effort to see what's being shared, stored and used — then remediate policy violations as they are discovered.
An advanced DLP solution should also be able to monitor and protect sensitive information transmitted via email, quickly detecting sensitive data and subsequently notifying users violating policy. Suspect emails should be redirected to a secure encryption gateway or blocked in real time to prevent leakage of sensitive information.
4. Maintain confidence by securing data on traditional endpoints.
The emergence of mobile and cloud hasn't lessened the need to protect traditional endpoints, which continue to serve as a critical repository for confidential business data. In fact, Bromium Labs 2016 Endpoint Exploitation Report indicates a steady rise in endpoint attacks that shouldn’t be ignored.
That’s why the best DLP solutions allow you to monitor, discover and protect information on desktops, whether traditional or virtual, as well as off or on corporate networks by offering:
5. Get peace of mind with full protection for mobile devices.
Today the line between our business and personal lives has grown very blurry, thanks in large part to our mobile devices. Users want (and expect) to be able to access sensitive business data where they want and how they want — which often means they'll use personal devices to do so. But CyberEdge reports that nearly 1 in 10 reported threats originates from mobile devices on WiFi networks.
A powerful DLP solution can help you make concessions to today's evolving business norms without sacrificing security by offering monitoring and protection functionality to all iOS and Android devices, regardless of ownership.
The ability to monitor and detect when users are downloading confidential material to their iOS and Android devices — and to prevent such transmission when necessary — is imperative for full mobile security.
6. Gain critical insight with a solution designed to handle unstructured data.
Unstructured data represents the vast majority of all data, and it's growing at a jaw-dropping rate of 70 percent annually. Given this growth, it's no surprise that organizations find it difficult to manage and protect this data effectively.
But a data governance tool that's designed with unstructured data environments in mind can offer you highly actionable intelligence into data ownership and usage. The most advanced DLP solutions give you control of unstructured data, making it less vulnerable to cybercriminals and less-than-diligent employees:
By discovering confidential files, identifying data owners and understanding access history and file permissions, you can illuminate "dark data" by shining a light on the data in your environment, ultimately gaining the ability to see who owns it, who can access it and how it's being used.
7. Extend your reach with protection for data in motion
Recent study data reveals that over 50% of all employees use personal accounts to handle work email. So it's hardly surprising that emails and the web are where most data gets lost.
By investing in an advanced DLP solution, however, you can significantly reduce the odds of this occurring by monitoring a wide range of network protocols and preventing users (both authorized and otherwise) from mishandling data.
The right DLP solution can detect confidential information over a range of protocols (HTTP, FTP, SMTP, custom port-specific protocols, etc.) while providing thorough content inspection of all communications without packet loss (some solutions will sample packets during peak loads, but this creates a greater risk for false negatives).
Additionally, inspections of business email and outbound web traffic for confidential data — with subsequent notifications for policy violation — are a fundamental feature for protecting moving data.
Cloud and mobile have conferred profound benefits on today's organizations — yet they've also raised the ante in terms of security complexity. To ensure your business is protected against data loss and theft, make sure your next DLP system offers the seven core features outlined above.
With Symantec Data Loss Prevention, you get all seven capabilities, plus:
By:Max Hotta, Sr. Principal Software Engineer
May is Asian Pacific American Heritage Month in the United States, and as we come to the end of the month, we would like to take the opportunity to celebrate our Asian-American employees and those in the APJ and India regions, for their contributions to Symantec and supporting us in becoming a global market leader in security and information management solutions. Today we share the story of Max Hotta, an engineer with Symantec who began his career over 20 years ago and describes the company’s historical inclusive and innovative culture as central to his long-time satisfaction and success.
When I began my career, most people were not familiar with cybersecurity as a field. With technology just starting to become central in our daily lives, my friends and family could not yet appreciate why online safety was important and the critical role it would play in the future.
Fast forward twenty years and I am thankful to be in one of the most influential fields of our time. According to Symantec’s 2017 Internet Security Threat Report, in 2016, there was a 36% increase in ransomware attacks, the most effective bank robbers this year were armed with computers, not guns, stealing billions of dollars through virtual attacks, and online threats reached the United States’ electoral process. This is just the tip of the iceberg. While our connection to technology on a personal and professional level increases every day, the sophistication of cyber attacks are only keeping pace and our job as the global leader in cyber security is becoming more challenging and more important.
From an industry perspective, knowing that my job is making a difference in people’s lives and the safety of our world has kept me continually engaged and excited. From a corporate perspective, Symantec has continued to retain a unique office culture where the diversity of backgrounds, cultures, perspectives, ideas never ceases to amaze me. I was born in Japan, but spent most of my life in the United States. Others were born in the United States and have lived in other countries. Some have diverse professional backgrounds, others bring a unique cultural or personal lens to the table.
In my role as an engineer for the past twenty-plus years, my daily routine has involved solving problems. When working in a team atmosphere, it is very evident how different people approach these problems, much of this stemming from one’s unique background. Teamwork is a strong innovation quality that I think drives great ideas. When people bring their respective backgrounds and experiences to the table, new and interesting ways to solve problems often emerge.
What I find is that regardless of what specifically makes someone unique, it is this convergence of contrasting ideas, perspectives and unique skills that enables our company to thrive. A simple thought during a technical discussion amongst peers may open up a whole new range of approaches and solutions. Just as cyber criminals constantly seek “out of the box” ways to target vulnerabilities, we must continually innovate and effectively collaborate to get ahead and ensure we are thinking of all ways to secure our products and customers.
Throughout my career at Symantec, I have been lucky to work with incredibly talented teams, and technology leaders at our company that have served as mentors to me along the way. The diversity of people I work with has always kept me engaged and an industry whose role is evolving every day, keeps me striving to learn more.
データの漏えいと盗難に対して最大限に備える方法のひとつが、高度なデータ漏えい防止（DLP）ソリューションを配備することです。組織を効果的に保護できよるように、DLP システムを評価する際に検討したい主な機能を 7 つまとめました。
万全なセキュリティの土台となるもののひとつが、保存データでも、使用中または移動中のデータでも、組織のあらゆる機密情報を、高い精度で検出する機能です。具体的に言うと、構造化データソースをフィンガープリントで識別する機能、あるいは逆にフィンガープリント識別の手法を用いて、非構造化データ（Microsoft Office 文書、PDF、JPEG など）のなかから機密情報を見つけ出す機能が、高度な DLP システムには必要です。キーワード、式、パターン、ファイルプロパティなどの相互一致を調べてコンテンツを検出する機能も欠かせません。
また、特に高度な DLP ともなると、特性がとらえにくいために記述が難しくなりがちな知的財産（ソースコードや財務レポートを考えればおわかりでしょう）を保護するために、ベクトル機械学習も導入されています。その手の貴重な、もしくは記述しにくいコンテンツも、非構造化データの統計的解析を利用し、類似のコンテンツや文書と比較することによって検出されます。
最近では、データがさまざまなデバイスやストレージ環境に分散しているため、一貫したポリシーを定義して実施する機能が不可欠になっています。統一的な管理コンソールと、ビジネスインテリジェンスのレポートツールとを組み合わせることで、情報リスクを軽減しつつ、ポリシーを作成し、あらゆるところで実施できるのが、最高の DLP ソリューションです。
クラウドに移行すればコストの削減と柔軟性の向上につながるというのは、誘惑的なメリットです。しかし、そうしたメリットを得ようとして、重要なビジネスデータの可視性と管理性が損なわれることがあっては、元も子もありません。最新の DLP ソリューションが、クラウドベースのストレージとメールに関してエンタープライズクラスの保護機能と監視機能を提供しているのも、まさにそのためです。
DLP の機能は、従業員間の安全なコラボレーションを支援するだけでなく、たとえば Box の場合には、ユーザーが Box で保存・共有するファイルの可視性も強化します。強力なコンテンツ検出ツールを利用して、Box Business と Box Enterprise のアカウントをスキャンすれば、共有・保存・利用される内容を把握することができ、ポリシー違反が見つかった場合には修正することができます。
高度な DLP ソリューションは、メール経由で転送される重要な情報の監視・保護機能を備えたうえで、重要データを迅速に検出し、ポリシーに違反したユーザーに通知できる機能も求められます。不審なメールは、安全な暗号化ゲートウェイにリダイレクトするかリアルタイムで遮断して、特に重要性の高い情報の漏えいを防がねばなりません。
モバイルとクラウドが出現しても、従来型のエンドポイントを保護する必要性は少しも減りませんでした。機密性の高いビジネスデータの保管場所という必須の役割を、エンドポイントは依然として担っているからです。最高の DLP ソリューションは、デスクトップの情報を監視、検出、保護する機能を備えています。従来型のデスクトップと仮想デスクトップ、また企業ネットワークの内部、外部ともその対象になります。
適切な DLP ソリューションに必要なのは、ローカルでスキャンと検出を実行する機能と、各種オペレーティングシステム上で起こるさまざまなイベントをリアルタイムで監視する機能です。アプリケーションやメール、クラウドストレージ、リムーバブルストレージを使うとき、ラップトップとデスクトップの間でコピー、ダウンロード、転送される機密データも監視できなければなりません。
強力な DLP ソリューションであれば、企業はセキュリティを犠牲にすることなく、変化の絶えない今日のビジネス基準との妥協点を見いだすことができます。所有者にかかわらず、iOS と Android のあらゆるデバイスに対する監視と保護の機能を実現できるからです。ユーザーがいつ iOS または Android デバイスに機密データをダウンロードするかを監視して検出しておき、必要に応じてそのデータ転送を禁止する機能が、十全なモバイルセキュリティには欠かせません。
真に問題となるのは、非構造化データです。全データの大半を占めており、しかも毎年 70% という驚異的な比率で増え続けています。それほどの成長率を踏まえれば、非構造化データを効率的に管理・保護することが企業にとってどれほど困難かは、想像に難くないでしょう。
そうした困難に対処できるのも、高度な DLP ソリューションの特長です。非構造化データを企業が掌握できるようにして、サイバー犯罪者の手に落ちないように、また勤勉とは言いがたい従業員の手で漏えいしないように対処できます。その第一歩となるのが、データベース、ネットワークファイル共有、その他のリポジトリに対する厳重なスキャンです。そこには、ファイルのバイナリシグネチャに基づいて、何百種類ものファイル形式を認識できる最新のテクノロジが用いられます。
最高の DLP ソリューションに次に求められるのが、検出された公開ファイルを自動的に保護し、ファイルを確実に検疫または移動できる機能、あるいはポリシーベースで特定のファイルに暗号化やデジタル著作権を適用できる機能です。ファイル修復オプションをカスタマイズできることや、サードパーティ製セキュリティソリューションとの統合が容易である点なども、重要な機能と言えます。
全従業員のうち半数が、個人のアカウントを使って業務メールを取り扱っているという調査結果があります。それを考えれば、データ漏えいのほとんどがメールと Web で起きているのは、意外でもなんでもありません。高度な DLP ソリューションに投資すれば、幅広くネットワークプロトコルを監視し、（正規のユーザーかどうかを問わず）ユーザーによるデータ誤操作を防ぐことによって、データ漏えいの確率を大きく引き下げることができます。
適切な DLP ソリューションを導入することで、幅広いプロトコル（HTTP、FTP、SMTP、ポート指定のカスタムプロトコルなど）上で機密情報を検出できるとともに、パケット損失を生じることなく、あらゆる通信について万全なコンテンツ検査を実施できます（ピーク負荷時にパケットをサンプル抽出するソリューションもありますが、これには見逃しの危険性が伴います）。
また、業務メールとアウトバウンド Web トラフィックに機密データが含まれていないかどうかを検査し、該当する場合にポリシー違反を通知する機能も、移動中のデータの保護に欠かせない基本的な機能です。
クラウドとモバイルは、今日の組織に膨大なメリットをもたらしました。しかしそれは、セキュリティ面で負担が増えることも意味したのです。データの漏えいと盗難に最大限に備えるためには、以上で説明した 7 つの主要機能を備えた次世代の DLP ソリューションをご検討ください。
The cyber security problem is hard to solve due to its sheer complexity and size. The constant cat and mouse security game has driven spending well over the $10B mark and created 1,000+ new technology startups in just the last 5-10 years alone. Venture Capital money continues to pour in and new innovations in prevention, detection, incident response and SecOps occur at a regular heartbeat.
Cyber security platform companies like Symantec are also innovating, but it’s important to recognize the importance what a vast and very creative community of companies can bring to the table in the fight against cybercrime.
To accelerate the collaboration and creativity across this eco-system, Symantec is announcing a new initiative called the Technology Integration Partner Program or TIPP for short. We’re openly inviting any cyber security company from small startups to well established security companies to join with us to put a big dent in cybercrime. Click here to apply: TechPartner@symantec.com
While many partner programs exist today, we have decided to focus on the technical integration aspect of partnership. This is the single most important aspect of making a difference in security. By working to integrate our data feeds, linking together our defensive platforms, leveraging each other’s advanced detection suites, automating workflows to increase productivity, only then can we make a real impact. The more technology companies want to integrate with our platform, the more they will be rewarded within TIPP. Technology vendors can read more about the program here: CLICK HERE
Our customers will want to hardness these integrations for the following reasons:
We’re launching with over 100 integrations out of the gate with the broadest set of security technology companies around the planet. Customers will be able to find updates on new companies and integrations within Symantec Connect.
***Vicki Gavin is the Compliance Director, Head of Business Continuity, Cyber Security and Data Privacy for The Economist Group, and was awarded the title of Cyber Security Woman of the Year in 2016. In this introductory blog on Symantec Connect, Vicki shares her thoughts on balancing technology and human interaction in the fight against cyber threats.***
Because The Economist is a high-profile media organization with hundreds of journalists working around the globe, it makes it difficult to use the traditional method of security against hackers—locking down all systems and devices.
The very nature of news gathering, after all, requires open access to all information and all types of people. Security becomes even more difficult because our journalists are often on the road by themselves, working on unsecured hotel networks and public Wi-Fi, where it’s easier for hackers to target them. They also work in war-torn areas where the public infrastructure might be in ruins and forces are actively working against them.
A few years ago, a Syrian terrorist group tried to hijack The Economist website through a phishing attack. Last year, an employee fell victim to a hacker attack. He entered his user ID and password on a fake web page, which hackers then captured and were poised to use. Thankfully, we stopped both attacks by using an effective combination of technology and people power.
Last year, we had 350 security events, 55 percent of which were malware. After implementing Symantec™ Endpoint Protection 14, we achieved some stunning results. We have seen a 60 percent drop in malware events after rolling out the solution in the United States and Asia and are anticipating a further reduction once the rollout in Europe is complete.
But technology is not enough. I equally rely on what I call my “human firewall.” I believe that cyber security starts with people; and if people are your first line of defense, you need to effectively educate them about security. I’ve developed a unique program to teach The Economist staff about the best ways to protect themselves and the company.
Learn more about Vicki’s work at The Economist in the Symantec case study here: Technology and the Human Firewall
Workplace by Facebook の安全な導入をお考えであれば、シマンテックの統合型クラウドセキュリティシステムをご利用ください。重要なデータを保護し、脅威に備えるとともに、規制標準のコンプライアンスも維持することができます。
CloudSOC は、可視性、コンプライアンス、データセキュリティ、脅威防止など、Gartner が CASB（クラウドアクセスセキュリティブローカー）の必須機能として定義している機能すべてで Workplace をサポートします。
CloudSOC Audit を今すぐに導入すれば、Workplace も含めて、従業員によるクラウドアプリケーションの利用を検出・監視して、制御することができます。クラウドアプリケーションに関する 100 種類以上のリスク属性についての重要な情報を利用して規制要件を達成でき、組織は義務付けられた監視とリスク分析を実行できるようになります。一般的なプロキシとファイアウォール、また Symantec ProxySG、Web Security Service、SEP Manager から集められたイベントログデータに基づいて、Workplace に関連する使用状況、トラフィック、場所、ユーザー、脅威に関する情報が提供されます。
Audit では、どの従業員が Workplace を使っているか、あるいは従業員が無許可の恐れのあるプラットフォームをほかに使っていないかどうか判別できます。ムダのあるアプリケーションやサブスクリプションを見つけられるので、冗長性の軽減とコストの削減にもつながります。こうした情報を利用して、組織は他のアプリケーションが使われているかどうかを確認し、公式なコラボレーションプラットフォームとして Workplace を使うよう従業員にはたらきかけることも可能です。
Workplace のようなクラウドアプリケーションを導入すると、クラウドにおけるコラボレーションは大幅に容易になりますが、機密性の高いコンテンツの共有がいきすぎる可能性も高くなります。CloudSOC は、Workplace 上で共有されるデータの統制と保護によって、安全なコラボレーションを実現します。重要なデータをネイティブ DLP で分類し、機密データを含むファイルが関連付けられているユーザーを特定して、データへのアクセス方法を管理します。Symantec DLP をお使いの企業は、CloudSOC との統合を通じて、既存の DLP をクラウドへ拡張することができます。
攻撃者は、クラウドアプリケーションも狙っています。アカウントが、マルウェアや総当たり攻撃によって侵害される可能性もありますし、悪質なインサイダーがクラウドのアカウントを悪用してデータを抜き出そうとするかもしれません。CloudSOC は、Workplace アカウントに伴う異常や、潜在的に悪質な活動を特定して、脅威を識別し、ポリシーを実施してクラウドでも組織を保護します。
現在は CloudSOC Audit で Workplace をサポートしていますが、お客様のご要望に応じて、今年後半には CloudSOC での Workplace サポート機能をさらにリリースする予定です。
新手の攻撃者が企業を狙ってしかけてくる攻撃は、ますます高度に、しかも効果的になっています。セキュリティチームがそれに追いつくのは容易ではありません。Ponemon Institute によると、組織が受け取るアラートは、毎週 17,000 件にも達するといいます。その情報をすべて選り分けるだけでも、平均すると毎週 395 時間が費やされ、その平均コストは年間で 127 万ドルという驚異的な額にのぼります。
Symantec Content Analysis は、あらゆる脅威を検出、解析、遮断
既知の脅威と未知の脅威に対して最も有効な対策を講じる最善のアプローチは、多層のセキュリティを利用することです。Symantec Content Analysis は、Fortune Global 500 企業の 70% で使われている安全な Web ゲートウェイ、Blue Coat ProxySG と連携します。シマンテックの広大な Global Intelligence Network を利用して、既知の悪質な URL をすべて遮断する一方、未知のコンテンツはオーケストレーションを通じて集中的に解析、検査、遮断します。未知のコンテンツが真に有害かどうかを判定し、セキュリティチームによる継続調査と修復が必要かどうかを調べるのが、多段階の解析プロセスを通じたフィルタ処理です。
最新リリースとなる Symantec Content Analysis 2.1 には、その前身である Blue Coat ProxyAV をお使いのお客様にとっても欠かせない機能が用意されています。もちろん、Symantec Endpoint Protection をご利用のお客様にも知っていただきたい機能です。両製品は、ネットワークからエンドポイントまで、さらに保護を強化するために統合されているからです。ここからは、Content Analysis 2.1 の最新機能をご紹介します。サンドボックス処理に対する「オンボックス」サポート、大幅に拡大された Global Intelligence Network からの脅威インテリジェンス、Symantec Endpoint Protection Manager との統合、各種サードパーティ製ソリューションをサポートするオープン API、以上の 4 項目です。ぜひこのままお読みください。
Symantec Content Analysis 2.1 の新機能
Symantec Content Analysis 2.1 は、サンドボックスの前で多層解析を用いるプレフィルタとして機能し、悪質なコンテンツを遮断します。プレフィルタによって、サンドボックスに送られるファイルは最大 37% も減少するため、パフォーマンスが向上します。サンドボックスと Content Analysis がともに「オンボックス」になって、サンドボックスのフットプリントが減ったため、初期投資を抑えつつ集中管理型アーキテクチャを構築することも容易です。スループットを引き上げたい場合には、Symantec Content Analysis とサンドボックスを別のアプライアンス 2 台に配備することもできます。
Content Analysis は、動的なサンドボックス処理と検証によって、ゼロデイ攻撃などに伴う潜在的に危険なファイルからもユーザーを保護します。サンドボックスソリューションのなかには、発動と解析のテストがまだ終わっていない段階で、危険性のあるファイルをユーザーに送るものもあります。Content Analysis 2.1 では、サンドボックス処理されるファイルは「段階的」にユーザーに送られます。テストがすべて完了し、ファイルが安全と判定されるまで、ファイル全体が送られることはありません。
広大な Global Intelligence Network によって、さらに多くの脅威を遮断
脅威解析の背後に控えているインテリジェンスが強力になれば、リスクの遮断もそれだけ効果的になります。シマンテックの強力な Global Intelligence Network と Blue Coat のインテリジェンスネットワークがひとつになったため、解析されるレコード数は 10 億から 40 億以上へと飛躍的に増加しました。Symantec Content Analysis 2.1 は、この十全なファイル評価サービスを使って脅威を識別し、各ファイルにリスクスコアを割り当てます。「既知の良性な」ファイルはユーザーに渡され、「既知の不正な」ファイルは遮断されます。未知のファイルはさらに解析処理に回され、最終的には効率的にカスタマイズされたサンドボックスに回されます。
Symantec Endpoint Protection Manager との統合を通じてエンドポイントを保護
脅威の防止には、ネットワークとエンドポイントの間で連携した動作が必要です。Symantec Content Analysis 2.1 が、Symantec Endpoint Protection（SEP）Manager と統合されたため、悪質なコンテンツが検出された時点でエンドポイントは保護されるようになります。このプロセスは、Symantec Content Analysis が Global Intelligence Network からの情報と、多段階の解析を利用して、潜在的な脅威を識別するところから始まります。未知のコンテンツが悪質と判断された場合は、その情報が SEP Manager に送られ、エンドポイントで脅威が検証されます。ここで、感染の拡大を防ぎ、自動修復を実行するために、セキュリティの専門家によって対策が講じられます。
オープン API を利用して、サードパーティ製ソリューション（FireEye も含む）と統合
オープン REST API を使えば、サードパーティ製セキュリティツールで、Symantec Content Analysis の強力な脅威解析機能を利用できるようになります。FireEye など他のサンドボックスとも統合が可能になるため、サンドボックス処理の効率が向上するとともに、コストも大幅に削減できます。Content Analysis は、FireEye の「プレフィルタ」として機能し、既知の脅威を遮断して、真に未知の脅威だけを FireEye に送ります。必要なサンドボックスが格段に減るため、このアプローチもコスト削減につながります。サンドボックス導入でよくあるように、キャパシティ過剰になる心配もありません。
Symantec Content Analysis についてもっと知る
最新バージョンの Symantec Content Analysis が、脅威の検出、遮断、解析にどれほどの威力を発揮するか、詳しくは Content Analysis のページをご覧ください。
Eastern Europe based attacker’s advanced malware bears comparison with that used by nation-state actors, but basic missteps indicate a threat actor who is skilled but lacking in expertise.
クラウドベースのメールアプリケーションや生産性アプリケーションへの移行をお考えですか。Office 365 や Gmail など、どんなサービスを使い始めるにしても、ちょっと立ち止まって、新しいプロバイダに用意されているセキュリティをまず評価してみることをお勧めします。どんな機能があって、どの部分にセキュリティの追加が必要でしょうか。どのベンダーもありとあらゆる機能と特長をアピールしているなかで、最も堅牢で信頼性の高いメールセキュリティはどれなのか、正しく見極めるにはどうすればいいのでしょうか。
そこで提案です。各ベンダーのサービスレベル保証（SLA）を確認してみましょう。SLA が厳格なベンダーほど、サービスの機能も信頼性も高いからです。サービス保証を約束できないような企業には、それなりのサービス保証しか期待できません。メールセキュリティについて、サービスの基準は以下の 5 つのニーズに集約できます。
上記 5 つの観点を、実際にはどのように評価するのか、具体的にご紹介します。
シマンテックは、たとえ 1 件でも感染があれば、多すぎると考えています。1 暦月のうちに 1 件でも感染があった場合に、検出性能に対して 100% のサービスクレジットを実施しているのは、シマンテックだけです。他社では、複数の感染があった場合も含めて、支払いが 50% を超えるサービスはありません。
メールは、企業における感染経路として依然として最上位です。しかも、メールを狙う攻撃は高機能化の一途をたどっています。たとえば、シマンテックのインターネットセキュリティ脅威レポート最新号でも、スピア型フィッシングが 55% 増加し、企業メールの侵害件数は 13 倍になったと報告しています。企業の被害額は数十億に及んでいます。また、ランサムウェアが企業に侵入する経路も、メールが最多です。
サービスの可用性が 100% を下回った場合、シマンテックはその月の料金を返金しています。SLA を見るかぎり、他のベンダーでは 95% の可用性でも十分としているようです。シマンテックは違います。可用性が 95% 未満に落ちた場合には、全額の返金を規定しています。
24 時間 365 日稼働が当たりになった今日のビジネス環境では、メールセキュリティも常時機能している必要があり、送信と同時にメールをフィルタして配信しなければなりません。1% や 2% の停止時間なら許容できるとお考えですか。プロバイダが 95% の稼働時間しか保証していないということは、年間で 18 日メールセキュリティが停止していることになります。それで大丈夫でしょうか。停止時間のせいで、顧客との連絡がとれなかったとしたら、ビジネスに対する信頼に、どれほどの影響があるでしょう。
顧客から送信された、または顧客が送信したメールすべてについて、100% の配信を保証しているのは、シマンテックのサービスだけです。もちろん、シマンテックに届いたメールにウイルスやスパムなど、フィルタの対象になるコンテンツが含まれていない場合に限ります。そして、100% の配信が達成されない場合は、契約を取り消すことができます。
メールが届かないときの損害は、マルウェアを受け取ったときと変わりません。送信したメールも、受信するメールも、100% すべてが配信されていると確信できますか。100% ではないとしたら、どのメールが届かないのでしょう。顧客との関係性にも、ビジネスチャンスにも、どれほどの影響があるかわかりません。ビジネスがコミュニケーションの上に成り立っている以上、信頼できるメール配信は欠かせない基盤です。
シマンテックは、他社と比べてほぼ 3 倍の速度でメールを配信します。実際、メールの往復時間が平均で 1 分以上になった場合は、部分的なサービスクレジットで対応しており、さらにメールの遅延が平均往復時間 3 分を超えた場合には、全額のサービスクレジットを規定しています。
まとめましょう。シマンテックは Office 365 や Google Apps などに対して、クラウドベースのメールセキュリティで市場をリードしています。それを実現しているのが、民間として世界最大の脅威インテリジェンスネットワークと、高度な機械学習、最新のヒューリスティック技術、総合的なリンク追跡（リアルタイム、クリック時とも）、そして高度な脅威検出です。シマンテックは、1 億 6,300 万人のメールユーザーを保護し、毎日 20 億通以上のメールをスキャンしています。このサービスを支えるためにこそ、シマンテックは業界でも有数に厳格な SLA を規定しているのです。
Twitterで Symantec Email Security をフォロー
Since launching in 2006, Amazon Web Services, or just AWS as it’s commonly known, has grown to be a US$14 billion behemoth delivering infrastructure-as-a-service (IaaS) to businesses in 16 geographical regions. Today, we are proud to announce that Symantec Cloud Workload Protection (CWP) is now available for purchase on AWS Marketplace, alongside other Symantec security solutions.
CWP is unique. It is the first Symantec product available as a SaaS solution purchased directly through the AWS Marketplace. Our customers can receive a single monthly bill direct from AWS for all CWP and AWS infrastructure usage.
Symantec Cloud Workload Protection automates security for public cloud workloads, enabling business agility, risk reduction, and cost savings for organizations, while easing DevOps and administrative burdens. Rapid discovery, visibility, and elastic protection of AWS workloads enables automated security policy enforcement to protect applications from unknown exploits.
CWP provides strong security for AWS instances with application protection, intrusion detection/prevention, and real-time file integrity monitoring (RT-FIM). Cloud-native integration allows DevOps to build application protection directly into deployment workflows, while support for Docker enables secure deployment of containers on AWS. In addition, access to the Symantec Global Intelligence Network (GIN) protects workloads against the latest global attacks and vulnerabilities.
Developed leveraging 14+ years of experience securing on-premises and private cloud workloads with our Data Center Security product line, CWP provides a secure migration path for enterprises just exploring the public cloud, or going “all in”. AWS benefits businesses by freeing them from purchasing and managing IT infrastructure and data centers, and also enables them to move to a more cost efficient OpEx model. We’re proud of our partnership with AWS and are pleased that we can continue to serve our customers and keep their businesses secure both on-premises and on their journey to the public cloud.
Three Trojans dominated the financial threat landscape in 2016 and attackers increased their focus on corporate finance departments
At Symantec, we have a meaningful mission to protect and enable the digital world. We have the best experts at the helm, helping defend our customers with leading products and services that are harnessed in Symantec’s security operation centers, integrated cyber defense and digital safety solutions. At the core, Symantec’s 11,000 employees around the world are credited with making a difference in identifying potential threats and protecting our customers from the next generation of attacks – they are the source of the Symantec advantage.
As such, building the security IQ and skill set of our employees is key to our ability to better protect our customers. This is the reason why we invest in building and running CyberWar Games, Symantec’s virtual world that identifies tomorrow’s threats and empowers our employees to take on the role of the adversary. By walking in the shoes of the attacker, our people are better prepared to detect, respond and defend against new and emerging cyber threats.
What is CyberWar Games?
CyberWar Games is an annual event where we look at today’s emerging technology to analyze tomorrow’s threats - it’s a recognition and celebration of our most powerful differentiator - Symantec’s combined security IQ. This experience is an opportunity to invest in our people and also in our offerings as we apply our findings to enhance our services and products for our customers. It is a safe place for our employees to practice, learn and innovate around emerging threats and use cutting-edge technology to defend against them.
Each year, Symantec’s Cyber Security Services picks a theme based on where we see the threat landscape emerging. Five years ago, we focused on nation states. In year two, we explored oil and gas and SCADA systems. Year three studied the financial services industry as it started to adopt and integrate technology at a rapid pace. And year four was focused on healthcare and the impact cyber threats had on this industry that had the potential to affect the well-being of citizens. Insights from each year’s Games are provided to the industries and the world to help protect those global institutions. For example, when we held a healthcare-focused CyberWar Games in 2015, our findings revealed new attack vectors that could impact hospitals, pharmacies and even the technology employed by the medical industry. We provided our insights to the healthcare industry and helped improve this sector’s security posture.
Our 2017 CyberWar Games challenged the best of Symantec to take on the most realistic and physically immersive challenge of their career, the global supply chain, to explore both the risks this type of major cyber attack could have on the worldwide economy and the areas of solutions needed to protect from a global scale event.
Predicting the Next Cyber Attack
As we examined the potential threat vectors that could lead to a major cyber attack, what became very apparent was the significant pressure for businesses and municipalities to digitally transform their operations to lower operating costs and increase productivity. Modernization of technology has many benefits – such as simplifying day-to-day tasks for employees, building long-term brand loyalty among customers and automating processes for real-time management and performance analysis, however, security often becomes an afterthought when responding to external pressures.
As more and more key systems and infrastructure become increasingly connected, the surface area that one might attack expands and it creates more potential windows for criminals, since a defense system is only as strong as its weakest link. This connected network of devices can access and transmit information throughout business functions and across different industries, introducing the potential for a cyber attack scenario we call the ‘digital domino effect’. While devastating to a business, the ‘digital domino effect’ could have a greater societal impact by escalating a seemingly small cyber attack to an exchange of global power and influence by targeting the production and trade of important commodities like oil, metals and agricultural products.
The ‘Digital Domino Effect’ of Connected Systems
Symantec experts took a close look at how an attacker, whether as part of organized crime or as a member of a nation state, might target connected technologies as an entry point to businesses or governments. There are several examples of how modernized business practices may be taken advantage of and manipulated - including the use of mobile technology on access control systems, ZigBee protocols that monitor and manage SCADA systems responsible for running our power and energy grids and even emerging technologies like autonomous vehicles and the Internet of Things (IoT). Each of these pillars of our economy are connected through technology, and these connections are dependent on one another and when offline, could lead to the failure of an organization or a nation.
During the scenario, teams were able to infiltrate multiple entry points within a business targeting the fabric of connected devices. They were also able to use these smart systems to string together a series of attacks creating that ‘digital domino effect’, leading to an ultimate shift in the global power and influence scale through commodities trading. Given these results, we can conclude the next significant cyber attack will likely involve targeting the connected ecosystem of a major business, municipality or nation state, setting off, whether on accident or on purpose, the ‘domino effect’ that forces a change in global power.
One of the inherent risks of adopting emerging technologies is the level of security these innovations have built into them. It can be nearly impossible to detect and respond to the unknown threats of the future because we haven’t seen them before. Immersive events like CyberWar Games allow our teams to build their skills and learn about the latest attacker tools, tactics and procedures by stepping into the shoes of the very adversaries they spend their careers defending against.
With CyberWar Games, Symantec is able to create a real-world hypothetical scenario and often times accurately predict the next potential cyber attack because of the strength of our employees, the breadth of our global intelligence network and the innovative tools at our disposal. As we move ahead and businesses adopt connected technologies to manage the global supply chain, we’ll be leading the charge in helping protect our customers against the threats of the future.
In 2013, India became the first country to place a legal requirement around Corporate Social Responsibility through the implementation of the Indian Companies Act of 2013. The act introduced a regulatory framework for carrying out Corporate Social Responsibility (“CSR”) activities in India, including a mandate that “qualifying companies” shall, amongst other things, adopt a policy for carrying out CSR activities in India, that requires spending at least 2% of net profits on CSR activities.
As required by the Act, we have developed and disclose publicly our policy for CSR in the region, including a detailed list of priority target sectors for giving. Our India operations have formed a Corporate Social Responsibility Committee (“The CSR Committee”) of the board of directors, and the CSR committee, our advisory committee (consisting of officers from different functions across Symantec) and the Board of Directors India are responsible for screening and approval of our investments under the Act. A partnership with Charities Aid Foundation India provides the local expertise to connect Symantec with opportunities aligned to our strategic areas.
India is a key region for Symantec’s business and one that our corporate responsibility strategy has traditionally been active in supporting. Through our strategic community investment program, both as part of the Act and beyond, our approach to giving worldwide and in this region is aligned to our business and focuses on driving impact across the areas where we can achieve the greatest impact including science, technology, engineering and math (STEM) education, equal access to education, diversity, online safety and environmental responsibility.
To date Symantec has contributed nearly $1 million USD to organizations in India as part of the act including nonprofits CARE India, Sewa International, the Nasscom Foundation, Idea Foundation and more.
Highlights of our activities in India under the Act and as part of our global community investment program include:
Supporting children in need
Sewa International is an international nonprofit supporting volunteerism, humanitarian relief and equality across the world and throughout India. Symantec employees have been actively involved in a variety of initiatives for the organization that support children in underprivileged and remote regions of India by strengthening education and literacy, ensuring children have the supplies they need for schooling, and contributing to STEM education through fun and engaging science-based activities.
Symantec employee Nilesh Shinge, received the 'Volunteer of the Year' award from Akshar Bharati, an initiative of Sewa, for his 'Activities and Scientific toys' work, as well as the Global Karamveer Chakra and Rex Karmaveer Global Fellowship instituted by iCoNGO in association with United Nations.
The Rex Fellowship encourages proactive citizenship and voluntary action. It helps champions of change and people striving to fulfill their passions and dreams, to network and collaborate with like- minded, ethically and socially conscious global citizens from around the world.
Symantec India’s Nilesh Shinge receives the Global Karamveer Chakra and Rex Karmaveer Global Fellowship instituted by iCoNGO in association with United Nations. The award recognizes his efforts to support children throughout the region.
Nilesh Shinge and Symantec employees volunteer to fill and provide school kits for underprivileged children in the Pune region of India.
Pune Takes 5 to Strengthen Community Education & Funding
Through our ongoing partnership with charity Seva-Sahayog, Symantec volunteers have supported multiple initiatives to bring much needed supplies to the organization's Abhyasikas (Community Learning Centers) throughout the region. The organization currently runs centers in over 50 slums in Pune.
On one occasion, Symantec employees developed library-kits for the foundation which required loading, unloading, inspecting, covering and arranging approximately 3,000 books. Symantec's CSR-India team organized another activity with Seva-Sahayog to assemble 3,000 backpacks for underprivileged school children in the region and fill them with appropriate school books and stationery. Additionally, Seva-Sahayog conducted a two-hour “Capacity-Building” workshop for 40 Symantec volunteers who wished to gain skills in developing grant proposals for nonprofits. Many charities approach Seva-Sahayog for assistance with donation requests either via email or proposals. Seva-Sahayog and its associate charities can now rely on these trained volunteers to help in drafting the donation proposals. Volunteers can complete funding applications at work, in person or through virtual volunteering.
Employees in Symantec’s Pune, India office volunteer with nonprofit Seva-Sahayog to provide crucial resources to local community learning centers and school children located in impoverished areas of the region.
Creating awareness where it's needed most
In India legislation does not protect the rights of the LGBT community who often face significant discrimination and harassment. Symantec has partnered with the Global Fund for Women, the world's leading foundation for gender equality, to advocate for LGBT rights in India.
Symantec’s investments support LGBT groups in low-income areas to teach them how to advocate and amplify their voices through digital storytelling and education. The first, Creating Resources for Empowerment in Action (CREA), is a women's rights organization in the region that brings awareness to issues such as sexuality, gender, human rights, feminist leadership, sexual and reproductive health and more. The second, Point of View, promotes women’s rights and advances social change through media, art, and culture marginalized women, including LGBTIQ individuals, sex workers, HIV positive women, and women living with disabilities.
(above and below): Symantec has partnered with the Global Fund for Women (GFW) to increase awareness of LGBT rights in low-income communities in India. Here GFW partner Point of View helps the LGBT community strengthen advocacy efforts through digital storytelling workshops beginning with conceptualization through to editing and post-production.
We believe every individual can make a difference and together our actions empower each other and communities in new and innovative ways. We remain committed to compliance to the India Companies Act, as we continue to bring together our people, our unique skills, our resources and innovative technology, to protect and benefit others.
Our primary objective has always been to minimize any potential business disruption for our customers and for browser users while also reassuring trust in Symantec certificates and our issuance practices. While we believe we achieved that balance with our original proposal to the community, the browser community (specifically, Google, Mozilla and Opera) has since converged upon a new proposal.
Google shared this new proposal for Symantec’s CA with the community on May 15. We have since been reviewing this proposal and weighing its merits against feedback we’ve heard from the broader community, including our CA customers. As part of our review, we’ve conducted a preliminary analysis of the engineering, contract and business development requirements needed to implement the subCA portion of the proposal outlined by Google. Additionally, we have had initial conversations with candidate partners (or “SubCAs”) to understand the potential timeline and integration constraints that would need to be factored into a successful adoption of a subCA approach. While we are waiting to receive detailed responses to a Request For Proposals (RFP) from these potential SubCAs, we wanted to share our initial feedback to Google’s current proposal.
First, we acknowledge the mis-issuances we’ve experienced in our CA business and we take these incidents very seriously. We believe these incidents are the exception and not the rule for our CA operations. Our CA business is led and staffed by experienced individuals around the world who serve our customers while ensuring our issuance practices comply with industry and browser requirements.
That said, we understand that any failure of our SSL/TLS certificates to be recognized by popular browsers could disrupt the business of our customers. In that light, we appreciate that Google's current proposal does not immediately pose compatibility or interoperability challenges for the vast majority of users. Indeed, while there are significant backend changes required under Google’s latest subCA proposal, we believe it is designed to minimize impact to our CA customers and browser users. Notably, Google’s current proposal preserves the treatment of Symantec EV certificates and provides a pathway for us to continue supporting our customers with industry standard certificate validity periods. Furthermore, the current proposal allows our customers, for the most part, to have an uninterrupted and unencumbered experience.
However, there are some aspects of the current proposal that we believe need to be changed before we can reasonably and responsibly implement a plan that involves entrusting parts of our CA operations to a third party.
As the largest issuer of EV and OV certificates in the industry according to Netcraft, Symantec handles significantly larger volumes of validation workloads across more geographies than most other CA’s. To our knowledge, no other single CA operates at the scale nor offers the broad set of capabilities that Symantec offers today. In addition to the vetting required to identify suitable CA partners, we believe there may be a significant ramp up period required for any CA to augment the resources needed to accommodate our certificate issuance volumes in a robust, reliable, secure, and fully compliant way. Before a technical integration and transition can begin, Symantec would need to evaluate the capabilities of interested and qualified CAs. We would also need time to put in place the governance, business and legal structures necessary to ensure the appropriate accountability and oversight for the subCA proposal to be successful.
Once we enter into a partnership with one or multiple SubCAs, Symantec and the SubCA(s) will need to perform engineering work to support the subCA model. These implementations would then need to be tested extensively.
Given the time needed to overcome these challenges, we have proposed modifications that we ask Google, Mozilla, other browsers, relying parties and the community to consider as we work to reach a final plan. Our goal is to move to an agreed-upon action plan that we can begin to implement in a reasonable timeframe that ensures a smooth transition. Detailed in-line responses to various parts of the proposal, along with clarifying questions, are provided below.
Overview / Background
Here's an update on the discussions about Symantec-issued certificates and the steps Chrome is proposing to move forward. Thank you to everybody who has contributed to the discussion so far.
On May 12, members of the Chrome team met with Symantec to discuss the set of concerns and our proposed remedy for them. These discussions were an expansion on a proposal previously shared with Symantec in April, and later shared on the mozilla.dev.security.policy list.
When the original Intent to Deprecate was posted, I proposed a plan that tried to best address issues we were aware of and provide a long-term path for comprehensive protections. We received a lot of great feedback from the Blink and wider PKI communities regarding the impact this plan would have and further issues to consider. In light of this feedback, we would like to propose a new plan that we believe ensures users are sufficiently secured while trying to minimize disruption to site operators, and providing an objective and reasonable path forward for those that have critical dependencies on certificates that chain to Symantec-operated roots.
We want to share an overview of this plan with the broader community, with more specific, detailed requirements at the end. The high-level overview of the plan is:
Symantec In-Line Response:While adhering to best practices for a modernized platform is self-evident, what process do Chrome and the community foresee as appropriate to establish this trust?
Symantec In-Line Response: This part of the proposal introduces a substantial additional authentication effort for SubCAs on top of an already challenging requirement to scale their processing capacity. Symantec has been logging all EV certificates to CT since Jan 1, 2015 and a large proportion of other certificates since prior to June 1, 2016. This distrust would affect over 425,000 certificates, of which ~130,000 have been logged to CT. Given that CT logging appears to be foundational, we would like to propose that ongoing trust be extended to any Symantec CT qualified certificate issued after Jan 1, 2015 as it currently is today in Chrome.
While the plan is not final, we believe it is converging on one that strikes a good balance of addressing security risk and mitigating interruption. We still welcome any feedback about it, as prior feedback has been valuable in helping shape this plan.
Transition to a New Symantec PKI
Chrome will require that by 2017-08-08 all new Symantec-chaining certificates be issued by independently operated third-parties (aka “Managed CAs”).
Chrome will implement a check, on-or-after 2017-08-08, to enforce this by ensuring that the certificate chain contain a whitelist of intermediates (independently operated sub-CAs or the Managed CAs).
Symantec In-Line Response: See date comments below.
If a Managed CA has fully revalidated the information, the validity period of new certificates can be up to the maximum allowed by Chrome for all CAs, which is currently specified as the maximum allowed by the Baseline Requirements and EV SSL Guidelines.
During a transition period, validation information can be reused, provided that the certificate is issued by the new infrastructure. However, the validity period of such certs must be no longer than 13 months.
If Symantec needs this flexibility, the following deadlines apply:
Symantec In-Line Response: Based on our initial research, we believe the timing laid out above is not achievable given the magnitude of the transition that would need to occur as we discussed at the beginning of this post and we propose that Google not conclude on final distrust dates for Symantec certificates at this time. We have conducted outreach to candidate partners (SubCAs) to understand the potential constraints, timelines and the integration work that might be needed. We have also formalized and issued a RFP with specific questions around timing, logistics and dependencies. We expect to have the required feedback to inform a project plan by the end of June, at which time we will come back to Google and the community regarding suggested dates that are both aggressive and achievable. In the meantime, we wanted to share some of some of the practical and constraining reasons that we believe the dates will need to be adjusted:
The use of existing or new validation information in a certificate should be signalled by using new OID in the Certificate Policies extension. See the Technical Details section for more information. If the managed CA is unable to validate the information by such milestones, then such certificates will not be able to be issued or trusted.
Chrome will continue to trust certificates issued after 2016-06-01, provided they are “CT Qualified” as defined in the Chrome CT Policy.
Enterprise Chrome users will be given a policy to allow certificates issued before 2016-06-01. This will give enterprise administrators the ability to control Chrome behavior for their organizations. This can be specified both at device-level as well as at user-level.
We’re proposing a phased distrust of all website certificates issued prior to 2016-06-01, which is the date in which Chrome both required and enforced Certificate Transparency. This provides a degree of assurance for site operators that certificates issued for the improper domain have a reasonable chance of being detected. With this, our goal is to attempt to minimize disruption to site operators, ensure reasonable notice of these changes, and avoid particularly sensitive holiday disruptions. These plans represent target dates, which may need to be adjusted based on interoperability or compatibility risk or additional information coming to light that may accelerate such distrust.
Symantec In-Line Response: As previously mentioned, Symantec has been logging EV certificates to CT since Jan 1, 2015; and a proportion of other certificates since before June 1, 2016. Given that CT logging appears to be foundational, we propose that ongoing trust be extended to any Symantec CT Qualified certificate issued after Jan 1, 2015. Doing so would reduce the incremental re-authentication effort from over 425K certificates to ~295K – a meaningful reduction in the re-authentication effort necessary under this part of the proposal.
In terms of specific feedback on certificate distrust dates and the associated distrust waterfall, we must consider the information that will be returned to us as part of our current RFP process before we revert to the community with suggested dates that would not cause undue disruption to our CA customers and browser users. In the meantime, we propose that Google not conclude on final distrust dates for Symantec certificates at this time.
Symantec In-Line Response: We would treat SubCAs as Delegated Third Parties and as such subject to audit under section 8 of the Baseline Requirements. However, given the possibility that multiple SubCAs may be required to accommodate the scope of our operations, it’s important to clarify that the actions of one SubCA should not automatically reflect on the operations of a separate SubCA. Can you further explain your rationale and intent on this point?
Symantec In-Line Response: In Symantec’s current authentication model, there is a two-step process, where validation of an order is done by one person and then that work is reviewed independently by another prior to issuance. To expedite the timing of our implementation of this proposal and to offset the ramp time needed for SubCAs to increase their authentication capacity, we suggest that Google’s proposal be modified to allow Symantec to conduct the first step of the validation, subject to 100% review of 100% of the orders by the SubCA, and issuance determination made by the subCAs.
Symantec In-Line Response: Where SubCAs use Delegated Third Parties in their existing CA operations, we propose that such SubCAs be permitted to continue to use such Delegated Third Parties with respect to performance of its responsibilities for the benefit of Symantec under this proposal. Restricting use of Delegated Third Parties by SubCAs under this proposal may limit the interest of SubCAs to partner with Symantec under this proposal and/or increase their cost to partner with Symantec under this proposal.
Symantec In-Line Response: We agree with the subsequent discussion on audit timing:
T0: Key Generation Ceremony
T+30-60: First server auth certificate issued
T+90-120: End of period (not less than 60 days after the prior T+timepoint)
T+180-210: Opinion published (not more than 90 days after end of period)
Symantec In-Line Response: Given that Symantec would partner with SubCAs that are established CAs, we do not believe these SubCAs should be burdened with audit requirements that exceed their requirements today. We believe it should not be necessary to force these SubCAs to provide audits with greater frequency than what they are currently required to do outside of the initial one outlined in the first audit bullet, which can be used to confirm that the transition was successful.
Transition to New Infrastructure
Symantec In-Line Response: Symantec is willing to provide such reports under non-disclosure agreements where they include detailed information of a sensitive nature (similar to sharing SOC2 reports with specific customers).
*****End of Google's Original Post and Symantec In-Line Response*****
We believe that we are on the path to reaching an agreed-upon plan that can be implemented in a reasonable timeframe and ensures minimal disruption for our customers. We will continue to pursue what we believe is the right course of action that allows for a smooth transition and reassures trust in Symantec certificates and our issuance practices. We welcome continued input from Google and the browser community as we work to reach a final agreement that serves the best interests of all stakeholders.
As advanced threats ramp up, an integrated approach to security is critical. If you’re considering moving to the cloud, this issue may become even more important as you sort out which security offerings will best protect your enterprise’s information.
It’s smart to carefully consider your options. We’ve all heard of the hard dollar impact of data breaches, but there’s also an impact on your brand when a breach occurs. A Ponemon study found that data breaches cause a 5% drop in a company’s average stock price the day a breach is announced, a 7% loss of customers, and 27% of consumers have discontinued a relationship with a company that suffered a breach.
Given those numbers, it’s critically important to protect your data whether you’re contemplating moving some or all of your infrastructure to the cloud. In this post, we’ll discuss exactly how you can best protect your information regardless of your pace to move to the cloud. It will cover proxy versus next-generation firewalls (NGFWs), why retaining enterprise-grade threat protection is critical when you move to the cloud, and deployment options to consider.
Advanced Threat Protection: How Proxy Beats Next-Generation Firewalls
Next-generation firewalls have their place in your enterprise’s security environment. For example, they’re effective at preventing unwanted network communications over specified protocols, based on IP address or geolocation. They can also control and lock down multiple channels of communication from inside your organization to the Internet. If you are willing to take a large hit to performance, you can extend these capabilities to include simple stream-based malware scanning. However, when it comes to securing web traffic and protecting your organization from advanced attacks, zero-day threats, and sophisticated malware, nothing compares to proxy architecture.
Here are examples of where proxy is more effective at defeating malware than a next-generation firewall:
Full file reconstruction uncovers true identity. Next-generation firewalls are stream-based, which makes them vulnerable to evasive malware. In contrast, a proxy reconstructs the full session and its contents before delivering it to users. This approach reconstructs the communication and file in order to determine if it is harmful before sending it to the final destination.
Files are detained until verdicts are delivered. A proxy can detain files from delivery until all packets are gathered, assembled, and inspected using multiple methods of interrogation and analysis against all available threat intelligence. Only then—if it is determined to be safe—is it delivered to its intended destination.
Safe and scalable handling of encrypted traffic. For many organizations, encrypted data can account for 60-70% of network traffic. This data is also increasingly becoming the vehicle for attackers to hide malicious activity. For effective threat protection, traffic needs to be visible to security tools for analysis and inspection, yet at the same time, organizations must adhere to mandated privacy policies.
Additionally, a recent academic paper compared multiple encrypted traffic inspection tools, including next-generation firewalls and other streaming-based tools, in their effectiveness of intercepting encrypted traffic. The report found that nearly all tools degraded security and many even introduced severe vulnerabilities. Only Symantec ProxySG received an “A”, while all others received either “C’s” or “F’s”.
Proxy blocks more. When it comes to full session termination, decryption, and inspection – proxy wins. A new Tolly report, which compares Symantec Secure Web Gateway to a leading NGFW solution, clearly shows how much more effective a proxy architecture is for web security. For malware tests comparing phishing, malicious URLs, and a prevalent set of known malware, Symantec Secure Web Gateway beat a leading NGFW hands down in effectiveness.
The Tolly report found that Symantec SecureWeb Gateway provides:
Figure 1: A Tolly report found that Symantec Secure Web Gateway has superior detection across the range of tested threats compared to a leading next-generation firewall solution.
Proxy Architecture = Better Protection
|Proxy Architecture with Symantec||Next Generation Firewall|
Superior malware scanning and protection
No termination and inspection
|Easily add inline data loss prevention||No ability to terminate and add inline data loss prevention (requires Proxy)|
|SSL decryption with leading cipher support||Limited cipher support with 60%+ performance degradation|
|Market leading Cloud Access Security Broker (CASB) controls||API protection only. No inline CASB capabilities|
|No hardware-needed cloud service to support roaming users or entire offices||Protection for roaming users requires VPN backhaul to customer hosted/owned firewall|
Market leading endpoint integration
|Limited remediation and no endpoint management|
Get Better Protection with ProxySG, Content Analysis, and Sandboxing
Building on the strengths of the proxy architecture, Symantec enables Advanced Threat Protection through a multi-layered approach that sends extracted content from ProxySG and the Symantec Messaging Gateway to Symantec Content & Malware Analysis to efficiently uncover malicious activity in web or mail traffic. After utilizing file reputation services, dual anti-malware engines and static code analysis, only remaining “truly unknown” files are sent to a sandbox for complete detonation.
Figure 2 illustrates how a Symantec customer effectively benefited from this approach. In this example, the customer received 63 million web requests in one day. Symantec technologies analyzed all those requests using a multi-stage process and filtered them down to only three valid alerts that were worthy of further investigation. Learn more about the newest release of Content Analysis in this blog post.
Figure 2: A Symantec customer received 63 million web requests in just one day - but which ones warranted further investigation? The combination of ProxySG, Content Analysis, and Malware Analysis sandboxing filtered the requests down to just three incidents that required the security team’s attention.
Why a Stepped Approach to the Cloud is Best
You might have multiple concerns about moving to the cloud, including being forced to take an all-or-nothing approach or lowering your expectations for security. You might also worry about maintaining productivity and performance, because you don’t want your IT administrators and security analysts to throw away their hard-earned investments in existing skills, processes, policies, or integrations.
Organizations see the value of moving to the cloud, but when it comes to security, many are not ready to go “all-in”. Policy, performance, regulations, and other requirements might require that you take a more measured approach in moving to the cloud. That’s why we believe it’s important to make the move on your terms, when you’re ready, and a stepped approach is best. Analysts have stated there are significant advantages to security professionals who take a hybrid approach of deploying cloud-based security along on-premises.
Are You Tapping into the Cloud + On-Premises Security Advantage?
Symantec offers excellent solutions for securely protecting your enterprise whether you adopt an on-premise, hybrid, or all-cloud approach. You expect enterprise-grade Advanced Threat Protection on-premises, and there’s no reason to lower your security expectations when moving to the cloud. Fortunately, Symantec delivers by offering:
Why Trust Symantec to Carry You to the Cloud?
Symantec is the world’s trusted security vendor and the clear leader in numerous security areas, including secure web gateway, data loss prevention, cloud access security brokers (CASB), email, endpoint security, and encrypted traffic management.
Unfortunately, most security providers simply provide isolated security solutions, but the cloud mandates a new model of integrated security. The Symantec Cloud Security Platform provides a unique way to securely enable cloud adoption while unifying both cloud and traditional on-premise environments for seamless security.
Mike Fey, president and chief operating officer at Symantec says, “Because of the breadth and depth of our category-leading security portfolio, coupled with the world’s largest civilian cyber intelligence network, Symantec is the only cyber security provider in the industry that can address the challenges of the Cloud Generation holistically, enabling our customers to take full advantage of the cloud while helping ensure their critical information is secure and protected.
Figure 3: The Symantec Global Intelligence Network offers an unparalleled level of visibility across endpoint, email, and web traffic to discover and block advanced targeted attacks that would otherwise go undetected.
Symantec’s superior threat intelligence, which is powered by the massive Global Intelligence Network, offers integrated cyber defense for unparalleled visibility and protection. By using the vast amounts of compute power available in the cloud, we analyze over 3.7 billion lines of telemetry which is the broadest and deepest set of threat intelligence in the industry.
It’s Your Choice: On Premise, Cloud, or In-Between
Dip your toe in and test the water or dive in head first – it’s your choice. Either way, Symantec ensures the water is safe. Regardless of the approach you choose to take, these industry-leading Symantec services are cloud-based and can support your enterprise security requirements:
Here are the combinations of solutions we recommend based on your environment’s requirements:
Concerned about the impact on your IT team’s productivity when it comes to administering these solutions? With Symantec Universal Policy, you can configure and manage your policy in one place so it spans your data centers, remote and branch offices, and mobile users. Universal Policy includes policy control for malware scanning, URL and risk scoring, SSL decryption, authentication, and more with the ease of central management. With this capability, moving to the cloud is seamless, smooth, and as secure as ever.
Moving to the cloud can pay huge security dividends for your organization, but you’ll want to make the move in a responsible way that maps to your overall IT cloud strategy and your business imperatives. Rest assured, Symantec is there for you every step of the way.
Our latest edition of the IT Showcase focuses on a business model that more and more companies are adopting—subscription models, or “pay-by-the-drink” solutions. Subscription models offer customers many benefits:
Over 50 percent of applications used by Symantec IT are now SaaS and many are being licensed as a subscription. This allows for greater flexibility in how we consume and use SaaS applications directly tied to the dollars we are spending. We’re also seeing this shift from our customers, which led Symantec to build a robust end-to-end “frictionless” subscription platform.
Here’s how we went about it and the benefits we’re seeing to-date.
We based our approach on first answering a fundamental question: would this be a transformational experience for our customers and partners, or just an enhancement? The team chose the former, designing the end-to-end platform architecture holistically, and developing a well-integrated, seamless subscription platform from the ground up. The advantages of this approach are:
The cornerstone applications of this E2E architecture are highlighted below:
Designing and building the Symantec Subscription Platform was a collaborative effort between IT, and the Engineering and Product teams, as well as key business stakeholders all working together to develop a solution that would align with the company’s future vision. We focused on five key areas to build an end-to-end platform, including: e-commerce and Digital Experience, Lead-to-Subscription, Provisioning, Subscription-to-Collect, and Record-to-Report.
Our new model also enabled multiple routes-to-market, namely direct sales, e-commerce, partner marketplaces, and customer/partner portals. One key decision we made was to leverage the platform for new business only, while migrating existing hosted solutions and business on a more staggered timeline. This helped us mitigate risk and allowed IT to work out any kinks in the platform and scale the infrastructure to handle significant revenue growth.
After the successful launch of a pilot that enabled the Symantec Subscription Platform for a single product in the U.S., the platform launched globally in November 2016 for multiple products. This is an ongoing journey. 2016 focused on the platform launch while 2017 is geared toward migrating additional lines of business toward subscription-based pricing while simultaneously enhancing platform stability and functionality.
Since going live, the Symantec Subscription Platform has posted some impressive metrics.
Managing the Process
Launching the Symantec Subscription Platform was, and continues to be, a highly collaborative program with significant and complex coordination requirements. We found benefits in the following approach.
The entire effort was initially managed by a Program Management Office with representation from IT, Engineering/Product Teams, and a business Program Lead. This collaborative approach helped resolve risks before they escalated into issues or showstoppers and also helped ensure that executive support for the end goal remained high throughout the course of the program.
The Journey Continues
With the start of a new fiscal year at Symantec, our focus has shifted to bringing existing lines of business onto the Symantec Subscription Platform. This will allow for the same benefits to expand to a much larger customer base while driving increased savings opportunities.
The move to subscription-based pricing is a seismic shift for most companies, but making the change in a thoughtful and deliberate fashion exponentially increases the chances of a successful outcome.