Channel: Symantec Connect - Blog entries

Microsoft Patch Tuesday - June 2017

Microsoft released fixes for 94 vulnerabilities in its June Patch Tuesday, 18 of which are rated critical.


Latest Intelligence for May 2017

While the sudden WannaCry outbreak dominated the news headlines, the phishing rate also reached its highest level so far in 2017.


Microsoft Patch Tuesday - June 2017

This month, 94 security bulletins have been released, of which 18 are rated "Critical".


Introducing Advanced Protection against Sophisticated Email Threats

An integrated approach to fighting stealthy attacks

Email security remains more of a challenge than ever for organizations. Not only is email still the preferred mode of attack, but clever cohorts of malicious actors are improvising to develop new evasions of traditional email security defenses.

How secure is your email? Here’s what you need to know:

  • The data paint a troubling picture of the threat landscape with the incidence of malware-laden emails attaining a new high. One out of every 131 emails nowadays is malicious (ISTR 22). In comparison, 5 years ago, it was 1 out of 244.
  • The WannaCry ransomware attack wreaked havoc recently. While it did not spread through email, most other ransomware attacks do. In fact, the number of ransomware “families” tripled and attacks increased by 36% last year (ISTR 22).
  • Attackers are always improvising, and they are launching successful attacks through email scams such as targeted spear phishing and Business Email Compromise (BEC) that exploit social engineering methods. According to the Federal Bureau of Investigation, total exposed dollar losses globally exceeded $5 billion last year due to BEC scams, while phishing attacks grew by 55% (ISTR 22).

Shortcomings of traditional email security tools

The “traditional” email security tools that companies still use to deal with newer, more advanced threats aren’t working.

  • Basic email security solutions use signature based methods which cannot keep up with the more than one million new malware variants we saw every day last year (ISTR 22).
  • While some security solutions profess to use a sandbox, they are limited to virtual machine detonation, which is easily evaded by “VM-aware” malware. Last year about 20% of the malware was “VM-aware”.
  • Increasingly, sophisticated attackers are “living off the land”, meaning they employ macros or other scripts to pull off their attacks. Active content in attachments like Microsoft Office documents is not inspected by basic email security solutions, which leaves organizations vulnerable to stealthy attacks.
  • Traditional email security solutions do not export the Indicators of Compromise (IoC) gleaned from analyzing malicious emails. That means security teams cannot perform security analytics on these IoCs.
  • Point solution email security vendor products do not integrate with the rest of the security infrastructure like proxies and endpoint security, slowing down the ability of security teams to respond.

In this ongoing battle of wits with the bad guys, security practitioners need to augment their traditional approach to email protection with newer multi-layered detection methods, such as machine learning, predictive and behavior analysis, and sandboxing. And they need to arm themselves with email security solutions that will stop advanced threats in their tracks; otherwise they remain dangerously vulnerable to data breaches.

Symantec’s One-Two Punch

When it comes to advanced threat protection, Symantec can help with content and malware analysis tools that block targeted attacks and offer the threat intelligence security teams will need to direct their rapid response operations.  Our new combined solution consists of Symantec Messaging Gateway and Content & Malware Analysis.

  • Symantec Messaging Gateway: This on-premises messaging security solution delivers inbound and outbound messaging security, advanced threat protection, real-time anti-spam and anti-malware protection, and data loss prevention in a single platform.
  • Symantec Content & Malware Analysis: An advanced content filtering and malware analysis platform that supplies your defenses with multiple layers of scanning, static file code analysis, and dynamic sandboxing and validation to detect and block unknown threats.

This one-two punch protects the perimeter with the sort of on-premises email security that will stop the new and more sophisticated threats that I referenced earlier. We can block even the stealthiest threats using sandbox detonation of suspicious files and URLs and evaluate their behavior, uncovering advanced threats that would otherwise evade detection.

An additional customer benefit: the trove of threat intelligence that Symantec gleans each day from its Global Intelligence Network – the largest in the industry. We have visibility into more than 175 million endpoints and 57 million attack sensors in 157 countries and that gives us unrivaled insight into the constellation of emerging threats. Combine that with the advanced threat technologies we offer and security teams are going to be better equipped than ever to combat emerging threats and targeted attacks.

Let’s take a deeper technical dive:

Key capabilities:

  • Prevent new and sophisticated email threats such as Business Email Compromise, spear phishing and ransomware with multi-layered detection technologies such as advanced heuristics, machine learning, and behavior analysis.
  • Get the strongest protection against spear phishing through deep inspection of potentially malicious URLs before an email is delivered.
  • Help protect against targeted attacks and zero day malware by removing active, potentially malicious content from Microsoft Office and PDF attachments. The clean document is reconstructed, reattached to the email, and sent to its destination.
  • Block stealthy advanced attacks with powerful virtual and OS emulation sandboxing that is customizable to reflect your actual environment and capture more malicious behavior than other sandbox solutions.
  • Get in-depth insights into targeted and advanced attack campaigns with rich threat analysis on every malicious email entering your organization, including data points such as URL information, file hashes, threat risk scores and targeted attack information.
  • Quickly correlate and respond to threats by exporting rich threat intelligence to your Security Operations Center via integration with third-party Security Information and Event Management (SIEM) systems.
  • Prevent leakage of sensitive information and meet your compliance and privacy requirements with built-in granular content filtering, integration with market-leading Symantec Data Loss Prevention (DLP) and policy-based encryption controls that block, quarantine, or encrypt sensitive emails.
  • Additional integrations with Symantec Endpoint Protection and Symantec ProxySG, to analyze, stop and remediate across network, endpoint and messaging channels.

Join us for a webinar on June 29, 2017, to learn how the combined solution addresses today’s advanced email threats: click here to register.


TOR Hidden Services for Home Device and Services Security and Privacy

Part 1: How to Secure Home DVR Cameras

Security conscious people want to protect their assets as best they can at a price that doesn't break the bank. Some are reluctant to add video cameras to their home because so many camera providers require a connection to "the cloud". Who would seriously want a stranger to have access to their home cameras? Some security conscious folks have opted to purchase cheaper, non-cloud dependent DVR camera systems but are reluctant to place a NAT forward on their firewall because, as we know from experience, any device placed on the open internet long enough will eventually be found, scanned and compromised. That six-digit PIN code on the cheap DVR camera system will be brute forced in short order. So what to do? In this post I hope to address the needs of a particular type of security conscious individual who has these requirements:

1. Ability to have a home/business camera DVR system that does not send content to a cloud provider.

2. Ability to leverage cheaper home/business camera DVR systems.

3. Ability to view DVR cameras over an encrypted internet channel.

4. Ability to hide the location of the DVR system from prying eyes.

5. Ability to view cameras from a Windows client, Macintosh client and Android phone. (Sorry Apple fans, Apple phones won’t currently work with my solution below because they don’t officially allow a TOR proxy on their phones.)

Many folks I speak to want to access their cameras remotely, but don’t want others to pry into their privacy. A VPN on the home gateway has been one possible solution in the past, but it has its own set of drawbacks. Instructions to set up VPN gateways are easily found online for many different VPN hardware providers. My single biggest concern with VPN hardware providers is what happens when the firmware becomes outdated and the hardware manufacturer won't update it in a timely manner, or at all. When a manufacturer will no longer update the firmware, folks are left with only one option: buy a newer device. There is also the hassle of setting up VPN credentials and having to log in to a VPN just to look at your cameras, which can become tiresome over time.

A better solution is to set up your DVR as a destination point using TOR as a Hidden Services proxy with an authentication cookie. What is a TOR hidden service? What is an authentication cookie? See https://www.torproject.org/about/overview.html.en for an explanation of how TOR works and how it is normally used. For an explanation of TOR Hidden Services see: https://www.torproject.org/docs/hidden-services.html.en . A lesser known feature of TOR hidden services allows for an extra layer of security that makes a hidden service inaccessible unless the client has a special piece of information. See: https://www.torproject.org/docs/tor-manual.html.en and look at the HiddenServiceAuthorizeClient section.

At a high level, TOR tries to mask your physical location and make you as anonymous as possible. When someone wants to host a service privately, a TOR hidden service allows for a TCP/UDP port to be served on the TOR network. For example, a journalist may set up a file transfer service to anonymously transfer information out of an oppressive regime. With a normal TOR hidden service, TOR will not completely mask your physical location from a highly dedicated adversary, since an addressable onion site and open port can be probed and your TCP/UDP service may eventually be compromised with clues to your physical location. But a little feature in TOR hidden services allows users to make their hidden service discoverable only to clients which possess an authentication cookie. This authentication cookie is provided during the TOR hidden service address lookup request; a TOR client will not be able to rendezvous with the hidden service without the cookie. By utilizing TOR hidden services and an authentication cookie, the authorized user will be the only person who can find and access the camera on the TOR network. Here is how it works at a high level, with details below.

1. A user configures their camera DVR behind their firewall as usual with an IP address, for example 192.168.0.10. The user performs the normal DVR setup and shares the DVR port on their local area network on port 8181. This camera DVR becomes accessible to computers in the home network on 192.168.0.10:8181.

2. Next, a machine on the local area network is used to host a TOR proxy; let's call it TORVR. Let's use a Raspberry Pi in this example. The Raspberry Pi would have TOR installed and a TOR hidden service configuration added that forwards incoming traffic requesting port 8181 to port 8181 on IP address 192.168.0.10.

3. The configuration on the TORVR computer would specify a secret TOR hidden address and cookie. When TOR is launched on the TOR proxy, it will automatically create the onion address/cookie pair information.

4. The client that will be accessing the cameras must also have TOR installed with an edit made to its torrc configuration file to include the cookie associated with the TORVR's onion address.

5. When the TOR client opens a browser connection to the TORVR site, for example http://abcdefghijklmnop.onion:8181, the TOR client takes care of finding the site by providing the cookie during TOR hidden service lookup. The Tor browser will provide anonymized traffic access to the user’s home cameras without revealing to any intermediaries where your home base is located. This location anonymity is very useful when you are in another country or at a security conference and don't want folks to sniff your traffic and easily find out whereabouts your home is.  Remember that the only reason your TOR hidden site was able to be connected to was because you had the authentication cookie. Anyone else trying to access http://abcdefghijklmnop.onion:8181 would not be able to find the onion site, let alone connect to it on port 8181. Other users without the authentication cookie for your TOR specific onion hidden service will be unable to find your host. If the address can't be found and the port can't be probed for either pin brute forcing or vulnerability scanning, then your cameras are yours alone to use.

6. Last thing, when TOR software gets upgraded, you can upgrade. You are not dependent on one hardware manufacturer. No need to keep upgrading hardware unnecessarily.


How to technically configure a TOR Hidden Service with Authentication Cookie requirement on a Raspberry Pi

The Raspberry Pi will act as a TOR hidden service proxy. This configuration will set up a port 8181 forward to the internal DVR IP address and port number.

1. Set up a Raspberry Pi computer with your favorite Raspberry Pi distribution. It doesn't really matter which one. This has been tested on Raspberry Pi 2, 3 and Zero W, as well as Ubuntu on an AMD64 system.

2. Install TOR on your Raspberry Pi

     a. sudo apt-get install tor

3. Edit the file /etc/tor/torrc

     a. Add "HiddenServiceDir /home/debian-tor/hidden_service/" and save  # This specifies that the tor keys will be stored in /home/debian-tor/hidden_service/

     b. Add "HiddenServicePort 8181 192.168.0.10:8181" and save  # This assumes your internal DVR system is on 192.168.0.10 and using port 8181

     c. Add "HiddenServiceAuthorizeClient stealth user1" and save  # This tells TOR to create a private cookie so that only those who possess the cookie will be able to find and interact with the TORDVR Hidden Service.

4. The added lines should look like this:

     HiddenServiceDir /home/debian-tor/hidden_service/

     HiddenServicePort 8181 192.168.0.10:8181

     HiddenServiceAuthorizeClient stealth user1

5. On the Raspberry Pi, start tor

     a. sudo service tor start

6. Look in the /home/debian-tor/hidden_service/ directory and you will find a file named hostname

7. Copy the contents of hostname for use in your tor client torrc file.

     a. The content of the file /home/debian-tor/hidden_service/hostname will look similar to this:

          i. abcdefghijklmnop.onion  a+abcdefg+123456789abcd # client: user1

8. See the TOR browser configuration instructions below.

How to configure your Microsoft Windows based TOR Browser to see your TORDVR Hidden Service with an Authentication Cookie

1. Tor Browser will need to be configured to pass the cookie specified in step 7.a.i above: abcdefghijklmnop.onion  a+abcdefg+123456789abcd

2. Go to the location where you placed your Windows Tor Browser folder and navigate to:

     a. Directory: \Tor Browser\Browser\TorBrowser\Data\Tor

3. Edit the torrc file

     a. Add "HidServAuth abcdefghijklmnop.onion  a+abcdefg+123456789abcd" and save  # do not include the quotes.

4. Run Tor Browser and type http://abcdefghijklmnop.onion:8181 to see your DVR's web camera on your internal computer 192.168.0.10:8181
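The server-side torrc lines from step 4 and the client-side HidServAuth line from the Windows steps, as an added shell example that is not part of the original post: it builds the torrc block for the DVR forward, turns one hostname-file line into the HidServAuth line the client torrc needs, rejects a hostname line that carries no cookie (which is what you get when HiddenServiceAuthorizeClient was left out, leaving the service reachable by anyone who learns the address), and appends the line to a client torrc only if it is not already there. The hostname file layout and the 16-character onion address format are taken from the post; the function names and the sample line are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the hostname file layout
# the post shows for a stealth-authorized service:
#   <16-char onion>.onion  <cookie> # client: <name>

# Print the three server-side torrc lines for the DVR forward described in the post.
# $1 = hidden service directory, $2 = DVR ip:port, $3 = client name.
torrc_hidden_service_block() {
    printf 'HiddenServiceDir %s\n' "$1"
    printf 'HiddenServicePort 8181 %s\n' "$2"
    printf 'HiddenServiceAuthorizeClient stealth %s\n' "$3"
}

# Convert one line of the server's hostname file into the client's HidServAuth line.
# Prints nothing and returns 1 when the onion address is malformed or when the line
# has no cookie: a hostname file with only the address means no client authorization
# was configured, so no HidServAuth line should be handed out for it.
hidserv_auth_line() {
    set -- $1          # word-split the line: onion, cookie, then the "# client: name" comment
    onion=$1
    cookie=$2
    case "$onion" in
        *.onion) ;;
        *) return 1 ;;
    esac
    # the addresses in the post are 16 base32 characters (a-z, 2-7) plus ".onion"
    [ "${#onion}" -eq 22 ] || return 1
    case "${onion%.onion}" in
        *[!abcdefghijklmnopqrstuvwxyz234567]*) return 1 ;;
    esac
    # an empty second field, or the comment marker sitting where the cookie should be
    [ -n "$cookie" ] && [ "$cookie" != "#" ] || return 1
    printf 'HidServAuth %s %s\n' "$onion" "$cookie"
}

# Append a HidServAuth line for every client in a hostname file to a client torrc,
# skipping lines already present so the function can be re-run safely.
# $1 = path to the copied hostname file, $2 = path to the client torrc.
# Prints the number of lines added; returns 1 if any hostname line is unusable.
add_hidserv_auth_to_torrc() {
    hostfile=$1
    torrc=$2
    added=0
    while IFS= read -r line || [ -n "$line" ]; do
        auth=$(hidserv_auth_line "$line") || return 1
        if ! grep -qxF "$auth" "$torrc" 2>/dev/null; then
            printf '%s\n' "$auth" >> "$torrc"
            added=$((added + 1))
        fi
    done < "$hostfile"
    echo "$added"
}
```

On the Windows client the torrc path is the one given in step 2.a above; on the Pi the hostname file is /home/debian-tor/hidden_service/hostname.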


How to configure your Android Device to access your TORDVR Onion Address

1. Go to the Google Play Store and install Orbot: Proxy for Tor

2. Open Orbot: Proxy for Tor

3. Click the settings button on the top right hand side.

4. Click on Hidden Services

5. Click on Client Cookies

6. Click the bottom right hand button to add a client cookie

7. Enter values for the onion site "abcdefghijklmnop.onion" and client cookie "a+abcdefg+123456789abcd". Omit the quotes. Click Save

8. Your Orbot app should now list the client cookie you entered.

9. Restart Orbot for the changes to take effect.

10. Click on Orfox

11. Browse to http://abcdefghijklmnop.onion:8181

Congratulations! You can now access your camera over an encrypted network from anywhere with strong authentication.

So now you have access to your home private IP based DVR system without the use of NAT on your gateway firewall and without exposing the port to the entire internet 24/7. The port 8181 is not capable of being probed, so no random scan will find your cameras open to the internet. I've included this detailed post for cameras, but there are plenty of other great uses for TOR. I've used this hidden service for other services I don't want to leave open to the general internet. What will you come up with? Share on this post. Stay tuned for my next post on using TOR to enhance security of other home devices and services.

In case of Email Outbreak for same subject or same attachment name; block emails going to internet

A method to block emails leaving the organization during an email outbreak. Organizations want to block the outgoing emails to avoid the domain being blacklisted by ISPs as a result of the outbreak.

Problem Statement:

Organizations want to block outbound emails leaving the organization when an outbreak is triggered, while still allowing inbound email. This is required to avoid the email domain being blacklisted by ISPs because of an email outbreak with the same subject or attachment.

Since SMSMSE (Symantec Mail Security for Microsoft Exchange) cannot separate the recipients of a message into external and internal and block only the outgoing copies, we can solve this problem by combining an Exchange transport rule with SMSMSE outbreak management and a Content Filter rule.

Steps to apply the solution:

When an outbreak is triggered, for example by the same attachment name, the attachment name is added to the match list “Outbreak Triggered Attachment Names”.

  1. Here we have enabled the Outbreak rule to update the match list.
  2. Enable the CF rule “Quarantine Triggered Attachment Names” for outbound emails only.
  3. Select the Action “Log Only” with “Add X-header(s)”, as shown below.

Now we have to create the Exchange transport rule that blocks outbound emails (emails going out to the internet) using the X-Header value added above.

4. Open Exchange Management Shell and run the following command.

New-TransportRule -Name SMSMSEOutbreakManagement -SentToScope:NotInOrganization -HeaderContainsMessageHeader "X-SymOutbreak" -HeaderContainsWords "Outbreak" -RejectMessageReasonText "Rejected as a result of outbreak"

The rule would look like the image below in the Exchange Control Panel.

Now the entire system is ready to handle the outbreak and in turn block emails containing the outbreak terms from going outside the organization.

An NDR is sent to the sender when an outgoing email contains an outbreak-triggered term.

Here there is no limitation on mixing internal and external recipients in the To field. Exchange takes care of blocking only the external recipients, using the Exchange transport rule we created in step 4.

Work Flow:

For example, an outbreak is configured for Same Attachment Name.

  1. An outbreak is triggered for the same attachment name.
  2. As configured, the Outbreak manager updates the match list “Outbreak Triggered Attachment Names”.
  3. For any further email sent to an outside recipient with the same attachment name, the CF rule “Quarantine Triggered Attachment Names” adds the X-Header “X-SymOutbreak: Outbreak”.
  4. The Exchange transport rule “SMSMSEOutbreakManagement” blocks the emails going to the external world.

For subjects, use the “Quarantine Triggered Subjects” CF rule with a configuration similar to “Quarantine Triggered Attachment Names”.


CASB Can Prevent Incidents Like the Massive US Voter Data Exposure


As reported yesterday and subsequently grabbing headlines across news outlets, a cyber risk analyst discovered extensive personal information, including political preferences, on more than 198 million US citizens hosted on a publicly-accessible cloud server. The server had no security or password requirements and the data was available to anyone who found the URL. 

Public cloud services provide extensive security for their infrastructure but the organizations who use these platforms are responsible for securing access to their accounts and data. In this case a data firm contracted by a political party didn’t have basic security protections in place after a security settings update on June 1, which resulted in the exposure of deeply personal information on over 60% of the US population. The data was discovered on June 12 and the server was secured June 14.

Cloud services are an excellent business resource. They are flexible, scalable, and inherently great for enabling collaboration. Putting data into the cloud and allowing open access to anyone with the right URL happens. Users may do it on purpose, assuming these links won’t be found by anyone other than the recipient of the URL – a method of ‘security by obscurity’. It can be a simple mistake; users may not realize they are exposing data publicly because they are not familiar with the settings in a particular cloud platform. Even sophisticated users can make mistakes; for example, security settings are often ‘inherited’ within file sharing structures and a change in security settings in one place can cascade into unintended changes in other areas.

However it happens, exposing sensitive data via public URLs creates a high risk situation for an organization because anyone who finds the URL can access the data. The incident in the news this week is just one example of many.

A Cloud Access Security Broker (CASB) that can monitor, secure and control use of cloud applications could have prevented this mistake. Such a CASB could have: identified that this data was Personally Identifiable Information (PII), one of the most confidential and regulated data types; identified that this confidential data was exposed to public view; automatically prevented users from uploading PII data into a publicly accessible folder; and alerted the administrator of the cloud service that users were storing PII data in it.

The critical need to prevent and remediate these types of data exposures is motivating organizations to adopt CASB at a rapid pace. Gartner predicts CASB will grow five times faster than the overall information security market from 2015 to 2020.* And it is growing even faster than that at Symantec, which is why we are investing so much into developing our CloudSOC CASB solutions for both SaaS and IaaS and integrating those solutions with our extended family of enterprise security products such as DLP and encryption. The cloud is driving collaboration and innovation at a furious pace and security that can both protect and enable use of the cloud has become a critical requirement.  

Learn more about CloudSOC to make sure your organization doesn’t make the same mistake.

* Gartner. Forecast Snapshot: Cloud Access Security Broker, Worldwide, 2017. 16 March 2017


The Power of a Community-Minded Approach to Business

Symantec Recognized As a National Leader in Community Impact by the Civic 50

For the third consecutive year, Symantec has been recognized by Points of Light, the world’s largest organization dedicated to volunteer service, as one of the most community-minded companies in the United States. The Civic 50 provides a national standard for superior corporate citizenship and showcases how companies can use their time, skills and other resources to improve the quality of life in the communities where they do business.

As the leader of global Corporate Responsibility (CR) at Symantec, our team continually thinks about the approaches and opportunities to maximize our benefit to society; how we can take the actions and make the commitments that inspire, ignite and unite our employees, customers, business and society as a whole.

As I highlighted in a recent article, the definition of a business’ responsibility to communities is expanding. Today leaders in community engagement and CR recognize that everyone benefits when business looks at its responsibility to serve communities not as what can “I” - the business – do, but what can “we” do – viewing businesses as part of a much larger network that has the potential to create impact. For example, viewing the company as a collection of thousands of individuals (e.g. employees), as part of an industry made up of thousands of companies, as part of a broader business community, all of which together have the power to bring awareness to and significantly impact community issues. When we look at our potential to benefit society from this perspective, community engagement becomes a value driver in many ways. For example, at Symantec:

  • We hold ourselves to the highest standards, designing ethically-sound programs that are integrated into our business, delivering benefits to all of our constituents—from our customers to our shareholders to the world at large. We have developed a community investment strategy that is based on focus areas aligned with our key business priorities and objectives including: science, technology, engineering, and math (STEM) education and equal access to education, diversity, online safety and environmental responsibility.

Our signature CR program, the Symantec Cyber Career Connection (SC3), was launched in 2014 and is a collaborative effort leveraging the expertise and resources of Symantec (as a world-leading cybersecurity provider), nonprofit partners (with their tried and tested programs in skills development and job placement) and our customers and partners (who provide mentoring, internships, job placement) to address the global cybersecurity workforce gap.  

Additionally, through our software donation program executed with TechSoup, in FY16 we donated $20.8 million of software (retail value) to 22,796 nonprofits across 55 countries, so they could focus on their mission and worry less about the security of their information.

  • Our investment in the community is driven in large part by the passion of individuals. We believe in the power of each employee to make a difference and together—from our Green Teams to community relations committees to local volunteer programs—our actions empower each other and communities in new and innovative ways. In FY16, we logged more than 28K hours of employee volunteer time. This amount equals 2.5 hours for each of the 11,430 employees with whom we ended the year.

From mentoring students in STEM and professionals in our SC3 program to helping resource strapped nonprofits protect their organizations to advocating for a fair and equal industry, Symantec’s philanthropic activities provide our employees with meaningful ways to put their skills to use and to grow professionally.

  • While the drive of individuals is key, we also recognize that providing the platforms and policies to support community giving helps engage individuals and strengthen our efforts. Through our Take 5! initiative we challenge employees to offer at least five hours of service each year, through our Dollars for Doers program employees can donate money for time volunteered and double (or even triple) this through our Matching Gifts policy, and our Global Service Week encourages all employees to come together for one week of service each year. Through philanthropy and community engagement, we connect the world to Symantec, helping our customers and partners understand who we are and what we stand for, driving trust and confidence in Symantec’s business and products.

It is an honor to be recognized for the third consecutive year as a leader in community engagement alongside the United States’ and our world’s top companies. We are all proving that doing good is good business and the extended impact of hands-on support as well as financial contributions. For example, Civic 50 honorees use community engagement to drive key business functions, including employee engagement (88 percent), diversity and inclusion (84 percent), marketing and PR (84 percent), and skill development (72 percent). Demonstrating that ultimately we are all part of one community, and helping each other by strengthening the communities in which we live and work, can only help ourselves, our businesses, and our industries.

The Civic 50 winners are public and private companies with U.S. operations and revenues of $1 billion or more, and are selected based on four dimensions of their U.S. community engagement program: investment, integration, institutionalization, and impact. The Civic 50 survey was administered by True Impact, a company specializing in helping organizations maximize and measure their social and business value. The survey instrument consists of quantitative and multiple-choice questions that inform the Civic 50 scoring process. The Civic 50 is the only survey and ranking system that exclusively measures corporate involvement in communities.

To learn more about The Civic 50, to see a full list of the winners and to access the highlights, trends, benchmarking data and best practices from the 2017 Civic 50, please visit www.Civic50.org


Symantec IT Showcase: Best Practices to Leverage Remote IT Teams


Introduction: CIO Sheila Jordan

We’re back with our fifth in a series of IT Showcase blogs that chronicle our IT transformation journey over the past three years.

Our topic today is how best to use and manage your offshore teams, authored by Himanshu Shah, IT Vice President of our India operations. With so many companies using offshore teams, it is important to keep these teams connected, engaged and enthusiastic about achieving a company’s vision. Below we share some key learnings we gained along the way.

Best Practices to Leverage Remote IT Teams

Following the insourcing of our IT organization, we began building significant headcount strength in our offshore centers, and now more than 40 percent of our global IT workforce is located outside of our Mountain View, CA headquarters. A distributed organization like ours requires a leadership framework that allows us to optimize across IT. 

As we embarked on this effort, we aimed much higher than simple cost optimization. Our goal was to ensure business stability and drive IT transformation to grow the business while at the same time reduce cost. We needed a responsive, agile, and complementary organizational model to support multiple acquisitions, transform business systems, and build our hybrid cloud strategy. We also had to ensure that our “away” teams were connected, educated and motivated to deliver excellence, keeping in mind that we did not have the ability to increase management resources. 

Here are the success insights from this transformation that allowed us to reach and continue to improve our model:

  1. Leadership:  The first step to ensure success started with my seat at the CIO table. Being part of the IT leadership team enabled an open communication channel between IT leadership and remote geographies. My participation on the leadership team was complemented with direct and open dialog around challenges experienced in these regions. At my first leadership offsite in January this year, we openly addressed cultural and time zone challenges that we had to overcome by building a participatory culture.
  2. Organizational Design:  Many of our teams are built to be geographically agnostic. As an example, our offshore team based in India manages and supports our entire ERP environment. This team works with business groups around the planet, manages global regulatory patching, and enhances our ERP platforms independent of headquarters. Similarly, our databases, network, service desk, quality assurance and other critical business systems are managed remotely. One thing that became very clear is that it does not make sense to have one employee working alone in any location. Our strategy is to build centers of excellence defined in one region, and this approach has worked well.
  3. Cultural Congruence:  Bi-directional travel provides knowledge, connection with the business/IT community, and understanding of cultural diversity. For example, when IT Vice Presidents Mark Sherwood and Joey Fazio (based at our headquarters) visited India this spring, not only did they inspire the team by spending quality time with them, but they also enjoyed a first-hand experience of rituals in India through skits that delved into clothing, food, celebrations, music and geography. These fun cultural interactions helped the team create common understanding and appreciation of cultural norms, and were shared with all IT employees through our CIO’s weekly blog communication to help extend the connections. Another big step in building congruence is simultaneous celebrations. To mark the success of our integration project, all of our major sites brought in food, balloons and raised a toast simultaneously—through the use of our collaboration technologies, of course—with the team worldwide during a recent IT All Hands meeting.
  4. Interconnected Virtual Site Leadership: This program tracks and enhances the overall employee experience at all of our major global locations. Engaging with business groups, the virtual site leadership team communicates progress of major IT initiatives and service improvements across locations, and helps site leaders understand any new business challenges encountered globally. This creates an interactive, two-way proactive conversation that helps our IT organization ensure their work is resonating with employees. It also provides valuable insights to local technical and operational nuances that we otherwise might not be aware of, such as variations in the network experience.
  5. Innovation: Our IT Hackathon events not only foster the innovation culture we have at Symantec but also enable cross-geography camaraderie. For example, our distinguished architect at headquarters partnered with our extended architects in Pune, India to create a cross-geography innovation team. This team of three inspired 400 employees in various IT functions to submit more than 125 ideas. Our approach created a “perfect code storm” for our engineers to creatively model these ideas into working proofs-of-concept. These programs help to foster innovation by igniting minds and allowing for continuous innovation.
  6. Quality of Work: Our teams away from headquarters contribute at high levels of the IT value chain. They implement global corporate networks, CRM solutions on Salesforce.com, e-Commerce portals, Oracle ERP solutions, collaboration platforms, and business intelligence solutions. Exposure to these platforms and participation in global projects is enhanced with training, knowledge sharing, travel and collaboration. This investment ensures that we provide challenging and career-enhancing opportunities for team members, keeping them motivated to grow and deliver excellence. 
  7. Stakeholder Connection:   Our ERP support team based in Pune conducts regular business workshops with our finance teams in Ireland, Singapore, the Americas and India to identify business process improvement opportunities. This model is also leveraged for sales operations and product licensing groups. Our approach improves overall business processes and enhances the business’ experience of working with the global IT teams.

In summary, bringing the right leadership to “away” locations and building a globally-oriented and geographically agnostic organization with solid cultural ties creates a winning culture of innovation, and delivers high quality outcomes to advance our business.

Federal Budget 2018: How will it Impact Cyber in State and Local Governments?

Presidential budget requests can always be a little hard to decipher. By the time congressional leaders make their changes, the budget that gets passed usually looks little like the one that was first proposed. With that said, the budget request provides insight into the administration’s priorities.

With President Trump having released his 2018 budget request, the question for state and local governments is simple: How will this affect us? It is always difficult to speculate, but based on early reactions, the cuts at the federal level will impact state and local governments that rely on federal funding for a wide variety of programs.

As Route Fifty explains, “Trump’s $4.1 trillion spending plan for fiscal year 2018 maintains proposals he put forward in a March blueprint to reduce funding for a number of programs that funnel federal dollars to localities, helping them pay for costs ranging from housing, to water infrastructure, to sidewalk repairs.”

So, what does this mean for technology, in particular cybersecurity? As with any spending cuts the affected agencies will have to make changes and shift priorities, so a lot depends on how state and local leaders view the benefits of cyber and what they can factor into their budgets.

Looking Toward Risk

While the budget discussion carries on, state and local governments could actually take a page out of the federal government to improve cybersecurity now. In the recently signed cyber executive order, President Trump called on all federal agencies to conduct a risk assessment using standards from the National Institute of Standards and Technology (NIST). The agencies would then issue a report of potential vulnerabilities and subsequent mitigation plans.

State and local governments are not bound by that executive order, but it presents some sound advice. The NIST Cybersecurity Framework (CSF) offers organizations a guide to take a deep look at the security posture across their enterprise. It enables state and local governments to see where they can get the largest return on investment for cybersecurity spending, and prioritize accordingly. This might be the most effective approach to implementing the most impactful cybersecurity strategy for those state and local governments who must deal with a shortfall in funding.

Partnering with the Federal Government

The Trump budget proposal calls for a lot of major cuts to spending, but it does push funding toward cybersecurity. The Department of Homeland Security (DHS), for example, will receive $3.27 billion for the National Protection and Programs Directorate, which is responsible for protecting physical and cyber infrastructure from threats.

Additionally, legislation is floating around Congress to try and maintain that cyber support down to the state and local level.  HR 1344 and S 516, sponsored by Democratic Rep. Derek Kilmer of Washington state and Democratic Sen. Mark Warner of Virginia, respectively, look to establish grant programs to help enhance the role states play in cybersecurity. This will include potential grant funding issued by DHS for activities such as adopting cybersecurity best practices, building the cybersecurity workforce, protecting critical communications infrastructure, mitigating threats to key resources and coordinating across jurisdictions.

If enacted, these bills would provide some support to state and local government, in addition to whatever might trickle down from DHS and other “winners” of the federal cybersecurity budget request. State and local governments, however, will still need to be strategic in their approach. Focusing on the risk element in their cyber strategies, in coordination with the guidelines set forth by the NIST CSF, is a smart place to start.

Petya ransomware outbreak: Here’s what you need to know

Breaking Down the ‘Identify’ Function of the NIST Cybersecurity Framework

The “Identify” function of the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF) lays the groundwork for all cybersecurity actions that will follow. After all, it’s only possible to protect what you know exists.

In the second part of Symantec’s webinar series demystifying the NIST CSF for Healthcare, Symantec’s Axel Wirth and Vishal Gupta highlighted the key components of what really is the foundation of the framework.

More than anything the “Identify” function calls on healthcare organizations to look at every component of their cybersecurity enterprise. That not only includes hard security assets such as servers and networks, soft assets such as software, data and people but also concerns like governance, risk management approach and business use.

In order to be successful in protecting their assets, healthcare organizations must first identify every component of their enterprise. By looking at every aspect to make sure it meets a certain standard – and fixing those that do not – healthcare organizations gain a complete picture of every asset under their watch and assure the best possible security posture.

Too often, Wirth and Gupta explain, it is assets that healthcare organizations do not know they have – or do not understand the accompanying risk – that lead to breaches. The results have been largely disastrous.

Nearly 90 percent of all healthcare organizations have suffered at least one data breach in the past two years, with the average cost per hack totaling more than $2.2 million for the industry, according to a 2016 study from the Ponemon Institute. And things are apparently getting worse.

Last year saw a 20 percent increase in the number of breaches with 16 million records exposed, leading to a record year for payments of HIPAA penalties, according to HIPAA Journal. Cybersecurity breaches are not only dangerous – causing PHI and sensitive information to be exposed, damaging the hospital’s reputation, and potentially putting patient safety at risk - but as the numbers show, incredibly expensive.

To combat this, the healthcare industry will turn to the National Institute of Standards and Technology’s Cybersecurity Framework, a tool that is expected to be used by 50 percent of all organizations by 2020.

Gupta said that healthcare organizations need to look for solutions that can help them gain end-to-end visibility across their enterprise. That is especially true in systems that use a wide variety of platforms, software applications and different resource locations (a combination of on-premises technologies and the cloud).

A successful implementation of the “Identify” function enables an organization to:

  • Define the current state of their enterprise, identify gaps and define a path forward to address them
  • Define mitigation priorities
  • Define processes that are reliable and reproducible
  • Meet the needs of all stakeholders
  • Make managing complex systems easier
  • Have methods for communicating with all critical parties

The “Identify” function of the NIST CSF is one of the foundational pieces of guidance and lays the basis for healthcare organizations. Implementing the recommendations is a complex task, but without proper execution, healthcare organizations will be nullifying the results of the other parts of the framework. For the healthcare industry to reduce the rate of cyber breaches and other cyber events, and in turn avoid the impact and cost of breaches, it should turn to the NIST CSF and make completing the “Identify” function a top priority.

Join Symantec on July 13 for the next part of our ongoing series on the NIST CSF. Our experts will explore the “Protect” function of the CSF, highlighting the elements that healthcare officials need to know before adopting the CSF. You can also view previous webinars and more information from Symantec on the CSF at our resource page.

Petya ランサムウェアの猛威: 現時点で知っておくべきこと

Petya ransomware is hitting large organizations in multiple countries.

Read more

Symantec issues a global alert for the Petya ransomware

Data Center Security Server Advanced Petya Update

Petya Situation Update

On June 27, 2017, there were multiple public reports of an ongoing large-scale cyberattack involving a variant of the ransomware named Petya. These attacks are targeting and have affected users in various countries across the globe.

Am I protected from the Petya ransomware?

Symantec Data Center Security: Server Advanced IPS provides protection against Petya ransomware. All three levels of Symantec DCS:SA Windows 6.0 policies (Basic, Hardening and Whitelisting), as well as all 5.2.9 policies (Limited Execution, Strict, and Core), prevent the initial infection of an environment; however, analysis is still ongoing to ensure that all methods of lateral movement are also blocked. What is known is that EternalBlue- and Mimikatz-based approaches would be stopped, but researchers are still investigating the lateral movement approaches within the malware. This blog will be updated as more information becomes known.

For more information about Petya, see Symantec's Petya Outbreak page.

What protections does Symantec provide for our endpoint customers?

There are two basic ways that customers can be protected against this threat:

DCS:SA provides a range of protection against this threat on computers:

  • IPS policies prevent the malware from being dropped or executed on the system
  • IPS policies prevent Mimikatz from attacking LSASS.
  • Ability to block inbound SMB traffic
  • If not using full IPS protection policy then apply a targeted IPS policy to block execution of the Petya malware

Additional Protection Details

For customer systems that are not using SMB or Windows Network File Sharing capabilities, and especially for externally facing servers, it is best practice to reduce the network attack surface by configuring prevention policy rules to block SMB network traffic. This can be done by editing the Kernel and Global network rules:

  • From the Java Console, edit a Windows 6.0 Policy
  • Click Advanced -> Sandboxes
  • Under Kernel Driver Options, click Edit
  • Under Network Controls
  • Add the following Inbound network rules:
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 137, Remote IP: Any, Remote Port: Any
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 138, Remote IP: Any, Remote Port: Any
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 139, Remote IP: Any, Remote Port: Any
    • Action: Deny, Protocol: TCP, Local Port: 445, Remote IP: Any, Remote Port: Any
  • Add the following Outbound network rules:
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 137
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 138
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 139
    • Action: Deny, Protocol: TCP, Local Port: Any, Remote IP: Any, Remote Port: 445
  • Navigate back to Home in the Policy Editor
  • Click Advanced -> Global Policy Options
  • Under Network Controls
  • Add the following Inbound network rules:
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 137, Remote IP: Any, Remote Port: Any, Program Path: *
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 138, Remote IP: Any, Remote Port: Any, Program Path: *
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 139, Remote IP: Any, Remote Port: Any, Program Path: *
    • Action: Deny, Protocol: TCP, Local Port: 445, Remote IP: Any, Remote Port: Any, Program Path: *
  • Add the following Outbound network rules:
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 137, Program Path: *
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 138, Program Path: *
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 139, Program Path: *
    • Action: Deny, Protocol: TCP, Local Port: Any, Remote IP: Any, Remote Port: 445, Program Path: *
  • Save the Policy
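
The rule list above is long enough that it is easy to transpose a Local Port and a Remote Port when typing it into the console. The following Python model is an added example (not Symantec code and not how DCS:SA evaluates rules internally): it encodes the eight Kernel-level rules as data with the same fields the page uses and checks constructed connection attempts against them. The first-match-wins loop and the "unmatched traffic is allowed" fallback are assumptions of the model, as is the ordering of the rules.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

ANY: Optional[int] = None  # the console's "Any": matches every value


@dataclass(frozen=True)
class Rule:
    """One network rule as entered in the policy editor (fields as on the page)."""
    direction: str                   # "inbound" or "outbound"
    action: str                      # "Deny" for every rule listed above
    protocols: FrozenSet[str]        # {"TCP"} or {"TCP", "UDP"} ("Both TCP and UDP")
    local_port: Optional[int]        # None = Any
    remote_port: Optional[int]       # None = Any
    remote_ip: Optional[str] = None  # None = Any


@dataclass(frozen=True)
class Packet:
    """Constructed connection attempt used to exercise the rules."""
    direction: str
    protocol: str
    local_port: int
    remote_port: int
    remote_ip: str


def _matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and pkt.protocol in rule.protocols
            and (rule.local_port is None or rule.local_port == pkt.local_port)
            and (rule.remote_port is None or rule.remote_port == pkt.remote_port)
            and (rule.remote_ip is None or rule.remote_ip == pkt.remote_ip))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Return the action of the first matching rule.

    Assumption of this model (not taken from the page): traffic that matches no
    Deny rule falls through to "Allow".
    """
    for rule in rules:
        if _matches(rule, pkt):
            return rule.action
    return "Allow"


def smb_block_rules() -> List[Rule]:
    """The eight Kernel-level rules from the procedure above, as data."""
    both = frozenset({"TCP", "UDP"})
    tcp_only = frozenset({"TCP"})
    rules: List[Rule] = []
    for port in (137, 138, 139):  # NetBIOS name, datagram and session services
        rules.append(Rule("inbound", "Deny", both, local_port=port, remote_port=ANY))
        rules.append(Rule("outbound", "Deny", both, local_port=ANY, remote_port=port))
    rules.append(Rule("inbound", "Deny", tcp_only, local_port=445, remote_port=ANY))  # SMB over TCP
    rules.append(Rule("outbound", "Deny", tcp_only, local_port=ANY, remote_port=445))
    return rules


def audit(rules: List[Rule]) -> dict:
    """Decide a handful of constructed packets so the rule set can be eyeballed."""
    cases = {
        "inbound SMB to 445/TCP": Packet("inbound", "TCP", 445, 50123, "10.0.0.5"),
        "outbound SMB to a peer's 445/TCP": Packet("outbound", "TCP", 50123, 445, "10.0.0.9"),
        "inbound NetBIOS datagram 138/UDP": Packet("inbound", "UDP", 138, 138, "10.0.0.5"),
        "inbound HTTPS 443/TCP": Packet("inbound", "TCP", 443, 50123, "10.0.0.5"),
        "reply from a remote 445 to our ephemeral port": Packet("inbound", "TCP", 50123, 445, "10.0.0.9"),
    }
    return {name: evaluate(rules, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in audit(smb_block_rules()).items():
        print(f"{verdict:5}  {name}")
```

The last audit case shows why both directions are listed: an inbound rule keyed on Local Port 445 does not touch packets arriving from a remote port 445 at an ephemeral local port, so it is the outbound rule (Remote Port 445) that stops this host from initiating SMB sessions. The Global-level rules in the procedure repeat the same eight entries with Program Path set to *; that field is not modelled here.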

For additional protection to what is delivered out of the box, the execution of all known variants of the Petya ransomware can be blocked by putting the executable hashes in the Global No-run List.  To add a hash to the list:

  • From the Java Console, edit a Windows 6.0 Basic or Hardened Policy
  • Click Advanced -> Global Policy Options
  • Under Global Policy Lists, Edit the “List of processes that services should not start [global_svc_child_norun_list]”
  • Click the Add button to add a parameter list entry
  • In the “Entry in parameter list” dialog
    • Enter ‘*’ for the Program Path
    • For File Hash, click the “…” button on the right hand side
    • In the File Hash Editor dialog, click Add
      • Enter either the MD5 or SHA256 hash of the file
      • Click Ok on the File Hash Editor dialog window
    • Click Ok on the Entry in parameter list window
  • Add a parameter list entry for each hash value
  • Save the policy
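
The No-run List entry above pairs a Program Path pattern with a file hash, and the console accepts either an MD5 or a SHA256 digest. The Python below is an added example (not Symantec code) that mirrors that matching in the simplest form: compute both digests of a file, apply the Program Path glob, and block on a digest match. The sample byte strings and the hypothetical paths are constructed for the demonstration; they are not Petya samples or real hashes, and the page does not publish any hashes.

```python
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class NoRunEntry:
    """One parameter-list entry: a Program Path pattern plus one or more hashes."""
    program_path: str       # glob as typed in the console; '*' matches any path
    hashes: FrozenSet[str]  # lowercase hex MD5 and/or SHA256 digests


def file_hashes(data: bytes) -> Dict[str, str]:
    """Both digests the console accepts, so an entry may carry either one."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def is_blocked(path: str, data: bytes, entries: List[NoRunEntry]) -> bool:
    """True if some entry's path pattern matches and one of its hashes matches the file."""
    digests = set(file_hashes(data).values())
    for entry in entries:
        # Windows paths compare case-insensitively; fnmatch's '*' also spans backslashes.
        path_ok = fnmatch.fnmatchcase(path.lower(), entry.program_path.lower())
        if path_ok and (entry.hashes & digests):
            return True
    return False


# Constructed stand-ins for executables (NOT real malware bytes or hashes).
KNOWN_VARIANT = b"constructed-sample-binary-A"
UNKNOWN_VARIANT = KNOWN_VARIANT + b"\x00"  # one byte differs, so both digests differ

# A list built the way the procedure describes: Program Path '*' plus one hash per entry.
NORUN_LIST = [
    NoRunEntry("*", frozenset({file_hashes(KNOWN_VARIANT)["sha256"]})),
]
# A second, path-scoped list to show what narrowing Program Path does.
SCOPED_LIST = [
    NoRunEntry(r"C:\Temp\*", frozenset({file_hashes(KNOWN_VARIANT)["md5"]})),
]


def demo() -> Dict[str, bool]:
    """Outcomes a policy author would want to confirm before saving the list."""
    return {
        "known hash, any path": is_blocked(r"C:\Temp\sample.exe", KNOWN_VARIANT, NORUN_LIST),
        "md5-only entry matches too": is_blocked(r"C:\Temp\sample.exe", KNOWN_VARIANT, SCOPED_LIST),
        "one byte changed": is_blocked(r"C:\Temp\sample.exe", UNKNOWN_VARIANT, NORUN_LIST),
        "scoped entry, file outside scope": is_blocked(r"C:\Users\u\sample.exe", KNOWN_VARIANT, SCOPED_LIST),
    }


if __name__ == "__main__":
    for case, blocked in demo().items():
        print(f"{'BLOCK' if blocked else 'allow':5}  {case}")
```

The "one byte changed" case is the caveat behind the page's wording "all known variants": a hash entry is an exact match, so it is a complement to the behavioral IPS policies described earlier, not a substitute for them.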

Creating Cultural Change by Empowering our Allies

From Chennai to Springfield - Celebrating PRIDE

By: Cass Averill, Endpoint Protection Training Czar, and C Moulee, Sr Knowledge Engineer, Norton Partner Solutions

No movement makes significant progress without the voices of allies to help boost the message.   And at the end of the day, we are all allies to someone and these skills can be employed regardless of the group you are an ally to.

This week marks the end of LGBT PRIDE month in many countries across the world, where members of the LGBT community and those who support them come together to celebrate progress and bring awareness to the struggles and challenges we still face to create the cultural change for a truly equal society.

While these celebrations all share the same core mission, behind them lies a varied and complex landscape of LGBT diversity across the world. For example, 21 countries have passed marriage equality legislation, and in the US you can join Pride parades across the nation, in cities large and small, alongside celebrities, professional athletes, politicians, business leaders, and academics showing their public support for LGBT diversity. At the same time, advocacy, awareness and acceptance of LGBT equality are still not widespread in many other parts of the world, such as India, where it is often difficult to find an open dialogue on LGBT diversity, including in mainstream media.

Ally workshops delivered by Symantec’s PRIDE employee resource group are educating and expanding LGBT advocates across the company. In India, ally workshops serve as a key resource for local employees to learn more about LGBT issues and advocacy.

As part of Symantec’s investment in corporate responsibility, we are advocates for human rights and equity across the technology industry, working to build awareness and champion causes that ensure an inclusive experience for our employees, customers and entire value chain. We have been a historical leader in LGBT diversity through our partnership with the Human Rights Campaign, advocating for marriage equality, the Equality Act and standing out against North Carolina’s “bathroom bill”. In 2016, we launched our first Transgender Inclusion Guidelines, providing support to employees looking to transition genders as well as guidelines and support for their teams, managers, and HR.

We have been one of the first companies to successfully launch Pride ERGs in India and are serving as a resource and example for others in the region. Across the world, our PRIDE employee resource group (ERG) is central to our leadership in engaging employees and building cultural awareness. They have influenced corporate policies, serve as ambassadors in the community, and most importantly educate and build awareness among our employee base. 

Educating our Allies

Most recently, select PRIDE chapters (Springfield, Pune, Chennai) began offering Ally Workshops as a way to engage, educate and inspire supporters of LGBT equality across the company. As leaders for LGBT diversity at Symantec, we realized that the largest cultural shifts were dependent on engaging and educating our allies.

So what have we covered and learned so far?

  1. No movement makes significant progress without the voices of allies to help boost the message.  And at the end of the day, we are all allies to someone and these skills can be employed regardless of the group you are an ally to. For example, we are continually looking to engage allies from other ERGs across the company such as females and veterans. In Springfield, ally workshops were conducted in partnership with our Symantec Womens Action Network (SWAN) demonstrating the intersection of allyship between LGBT people and women. In India, we brought in a feminist writer who is also an LGBT ally. She drew parallels between women’s rights and LGBT rights in an Indian context.
     
  2. Allyship education differs across regions. In India, we have launched one of the country’s first LGBT employee resource groups and we are now serving as a best practice resource for others. Our workshops therefore began with awareness building - LGBT 101 – looking at the role of LGBT diversity in India’s history and culture, the business case for LGBT inclusion, background on Indian history/culture and do’s and don’ts with regards to creating an inclusive workplace. In Springfield, through Ally Education workshops we looked at what an ally is, how to act like an ally (e.g. how to navigate difficult or uncomfortable situations), and investigated (through role-playing exercises) how these actions and common scenarios play out in the work place when allies stand up and speak out for LGBT diversity.
     
  3. The power of learning from others. Hosting engaging speakers from across all industries is key to our ally workshop program. For example, in Chennai, we hosted an investment banker who shared his office culture and experience being an ally. Additionally, we hosted Malini Jeevarathinam, a queer filmmaker who directed the documentary Ladies and Gentlewomen about lesbian women in Tamil Nadu. In Springfield we hosted Oblio Stroyman, Executive Director of Trans*Ponder and an experienced relational therapist and community educator on LGBTQ issues since 2006, to come in and speak about the nuances of LGBTQ diversity, inclusion and allyship. We also hosted Margaret Merisante, feminist comparative mythologist, teacher of Women's Mythology, host of the Joseph Campbell Foundation Mythological Roundtable of Eugene, writer, and blogger, to come and speak about women’s equality and how to be an ally to women. These two community experts were able to work together in showing the intersection between gender and sexuality and how we can all step up to be better allies to each other.

Springfield’s Cass Averill discusses how to navigate uncomfortable and difficult situations in a recent Ally Education workshop offered by the employee resource groups PRIDE & SWAN.   

The response to our workshops has been overwhelmingly positive, with attendees requesting more - more time, more conversation, more practice.

What’s in store for ally workshops in the future? As we continue to engage PRIDE and other ERGs across Symantec, our hope is that we can continue to build, expand and strengthen our allies within and outside the company.

PRIDE is not just a term; it represents a continued cultural evolution and shift at Symantec to create a truly inclusive workplace for our employees, customers and entire value chain, and to stay true to our corporate responsibility and mission to make the world a better, safer place.

Petya ransomware outbreak: What you need to know

Petya ransomware outbreak: What is Petya ransomware?

Critical System Protection protects IoT against Petya

[Image: the Petya ransom screen]

This screen has popped up on critical infrastructure around the world this past week. Unfortunately, attackers have successfully hit corporations worldwide – this time by not only encrypting important files, but by also encrypting the master boot record rendering the system useless.

Petya, i.e. WannaCry 2.0, has been retrofitted with additional mechanisms to spread to other computers on the same network. The Internet of Things is particularly vulnerable given the fixed and therefore unprotected nature of these devices, halting things from chocolate factories to energy grids and industrial control systems. The epicenter is in Ukraine, but it has afflicted Europe, Asia, Africa, and the USA.

Machines are infected either by using a dropper (program that installs malware) or by the worm-like functionality of spreading to your computer from a nearby infected computer.

Critical System Protection Protects the Internet of Things

Symantec IOT customers leveraging Critical System Protection (CSP) are protected against both methods. By use of the CSP behavioral engine, protected devices already have a set of least-privilege policies that enforce any action on the system to be checked via specialized policies – and if abnormal, will be stopped.

CSP successfully blocks the initial infection via dropper due to the software installation policy restrictions and executable modification prevention. In fact, all three of our out-of-the-box strategies (Basic, Hardened and Whitelisting) will protect against the initial infection.

Petya’s retrofitted spreading mechanisms are clever; they attempt to use stolen administrator credentials on Psexec and WMIC (Windows Management Instrumentation Command-line) to install software. However, even with administrator privileges, CSP prevents infection by blocking the behavior of installing remotely via Psexec or WMIC.

Even with the additional methods implemented over WannaCry, both dangerous malware families can be prevented with Critical System Protection without an administrator, an internet connection, or generally any involvement. Of particular note is the ability to reliably prevent this, as well as future attacks, due to CSP’s unique approach to securing your devices.

What makes CSP the best fit for IoT endpoint security?

CSP is an ultra light-weight (<1% CPU) and compact (~20MB footprint) application that can be installed on a Linux, QNX, or Windows machine, with broad compatibility back to Windows 2000. At a high-level, CSP learns the behavior of all applications and enacts policies to dictate what applications, files, programs, can or cannot do; this concept is known as confinement jailing or sandboxing.

These sandboxing policies are often hand-crafted by the administrator, but can also be automatically profiled using machine learning on hygienic processes – as such, zero-day attacks, unusual memory allocations, or unrecognized network traffic can be prevented on a per application basis. Of particular note is that this goes beyond application whitelisting, because even if a signed malware happens to execute, CSP automatically isolates the process and blocks it from maliciously interacting with any other part of the system.

As attackers use the fixed-function nature of IoT devices against them, Symantec Critical System Protection is the answer, pioneering the use of fixed-function behavior to spearhead unbeatable security in a form factor purpose-built for industrial and embedded IoT devices (industrial control systems, SCADA, DCS) and more.

SEP 14.1: Prevention Evolved - better security through tunable machine learning

In late 2016 we launched Symantec Endpoint Protection 14, which set the standard for how classical layered protection can be augmented with breaking innovations like multi-dimensional machine learning. We delivered the best endpoint protection solution in the industry; one that has won multiple awards in independent 3rd party tests as well as in the analyst community. Recent outbreaks like WannaCry and Petya have caused widespread havoc in the world, but customers running SEP 14 have been proactively protected and safe from this menace. We could not be happier for our customers, as well as in the validation of our conviction that the best protection comes from a layered, defense-in-depth approach having safeguards at every stage of the infection lifecycle: incursion, infection, infestation and exfiltration.

But enough about SEP 14! As much as we love our creation, it is time to talk about our next release, SEP 14.1. SEP 14.1 was conceived under the premise that all malware outbreaks in an enterprise network come from unknown files that are continually being introduced into your environment. Unknown files are not necessarily malicious, but they start out as suspicious before trending either good or bad. By catching these files early and taking appropriate action, one can avoid dealing with a bigger problem later.

Better detection can always be achieved if one is willing to make a lot of mistakes (false detections). A “false” is a condition where a product mistakenly convicts a good file or fails to convict a bad file; the first condition is called a false positive and the second a false negative. This is essentially the tradeoff that first-generation ML anti-malware competitors made: higher detection at the cost of accuracy. Falses are the bane of any security product, and at the scale at which we operate (over 125 million endpoints worldwide) a high false rate can cause significant cost and productivity overruns. Therefore, SEP 14 was tuned to provide a high degree of protection (over 99.9%) while having very low “falseing” (< 0.1%) out of the box. The machine learning engine at the heart of SEP 14 can be tuned to detect more malware; however, we must be careful to control the corresponding increase in falseing. SEP 14.1 solves this problem!

SEP 14.1 achieves better prevention by having better visibility through higher detections. We have introduced a new configuration called Intensive Threat Protection (ITP). Intensive Threat Protection directly controls the sensitivity (or intensity) of the machine learning detection engine in the product, with 5 different settings ranging from conservative (Level 2: the SEP 14 level) to aggressive (Level 5: which can stop anything remotely suspicious).

SEP 14.1 decouples the notion of monitoring from that of blocking. It can detect at one level and block at another. This ensures that you, the admin, are not disruptively blocking new files without understanding their behavior, reputation and prevalence, thus minimizing the chance of a false action. Your endpoint policy can have high monitoring and blocking levels for low-change environments like a call center, and a less intensive blocking threshold for your developers who write new applications.
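
To make the monitor-versus-block split concrete, here is an added Python model (not Symantec code, and not the SEP 14.1 engine) of how two ITP thresholds act on a batch of unknown files. The only values taken from the page are that there are five levels, that Level 2 is the SEP 14 setting and that Level 5 is the most aggressive; the idea that each file has a "flag level" (the lowest ITP level at which the engine would detect it), the rule that the block level cannot exceed the monitor level, and the sample file batch are all assumptions of this model.

```python
from dataclasses import dataclass
from typing import Dict

MIN_LEVEL, MAX_LEVEL = 1, 5       # five ITP settings (page); 1, 3 and 4 assumed to lie between
SEP14_LEVEL, AGGRESSIVE_LEVEL = 2, 5
NEVER_FLAGGED = 0                 # sentinel for files no level detects (assumed)


@dataclass(frozen=True)
class ItpPolicy:
    name: str
    monitor_level: int  # how sensitively the engine flags (detects) files
    block_level: int    # how sensitively it blocks them; may be lower than monitor


def policy_is_valid(monitor_level: int, block_level: int) -> bool:
    """Blocking applies only to detected files, so block_level <= monitor_level (assumption)."""
    in_range = all(MIN_LEVEL <= lvl <= MAX_LEVEL for lvl in (monitor_level, block_level))
    return in_range and block_level <= monitor_level


def decide(policy: ItpPolicy, flag_level: int) -> str:
    """Action for a file whose lowest detecting level is flag_level.

    A file flagged at level 2 is also flagged at 3, 4 and 5; a file only flagged at
    level 5 is the kind that "anything remotely suspicious" catches.
    """
    if not policy_is_valid(policy.monitor_level, policy.block_level):
        raise ValueError(f"invalid policy: {policy.name}")
    if flag_level < MIN_LEVEL:          # NEVER_FLAGGED: no setting detects it
        return "allow"
    if flag_level <= policy.block_level:
        return "block"
    if flag_level <= policy.monitor_level:
        return "monitor"
    return "allow"


def triage(policy: ItpPolicy, files: Dict[str, int]) -> Dict[str, int]:
    """Count how many files in a batch each policy would block, monitor or allow."""
    counts = {"block": 0, "monitor": 0, "allow": 0}
    for flag_level in files.values():
        counts[decide(policy, flag_level)] += 1
    return counts


# Policies from the paragraph above: a low-change call center vs. a developer group.
CALL_CENTER = ItpPolicy("call center (low change)", monitor_level=AGGRESSIVE_LEVEL,
                        block_level=AGGRESSIVE_LEVEL)
DEVELOPERS = ItpPolicy("developers (new apps daily)", monitor_level=AGGRESSIVE_LEVEL,
                       block_level=SEP14_LEVEL)
SEP14_LIKE = ItpPolicy("SEP 14 behaviour", monitor_level=SEP14_LEVEL, block_level=SEP14_LEVEL)

# Constructed batch of unknown files: id -> lowest ITP level that flags it (0 = never).
SAMPLE_FILES: Dict[str, int] = {
    "file-1": 2, "file-2": 2, "file-3": 4, "file-4": 5, "file-5": NEVER_FLAGGED,
}

if __name__ == "__main__":
    for policy in (CALL_CENTER, DEVELOPERS, SEP14_LIKE):
        print(f"{policy.name:30} {triage(policy, SAMPLE_FILES)}")
```

The same batch yields four blocks in the call center and only two for the developers, with the other two files surfacing as monitor-only detections that the admin can review (with the GIN context described below) before deciding whether to raise the block level.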

Furthermore, we are opening our massive GIN (Global Intelligence Network) to give you deep insights on every new file that is discovered in your environment, including risk scores, global prevalence, local prevalence and historical stats for each detection. This allows the product to uncover up to 20% additional detections over and above what SEP 14 achieves.

But that is not all: 14.1 builds on the improvements made in SEP 14 around content size optimization. SEP 14 achieved up to 70% savings on content footprint over SEP 12. SEP 14.1, with its ML-based platform, takes this one step further. We are introducing a “low-bandwidth” policy that will put your endpoints in a state where they need less frequent content updates, given that the ML engine can be tuned to run at a higher detection intensity. This mode will be useful in bandwidth-constrained environments.

Net-net, with 14.1 you have a highly tunable ML detection platform that can bubble up new suspicious files in your environment before they become actual threats, served with rich context from our GIN, laid out in a modern, intuitive UX, with better detection than SEP 14, at an FP rate that is still orders of magnitude lower than the competition. Ergo, prevention evolved!

Note: SEP 14.1 is currently in limited preview with some of our early customers and slated for general availability soon.
