Defending your enterprise from cyber threats today is an increasing challenge. Targeted attacks pose risks of sensitive data loss, financial loss, reputation damage and more. Meanwhile, advanced attacks continue to accelerate and evolve. Symantec research reveals that 5 out of 6 large companies were victims of targeted attacks in 2014, a 40% increase over the previous year, and that an estimated 1 million new malware threats are created daily.
Today’s attackers are often well funded and state-sponsored. Highly stealthy and persistent, these attackers create new techniques to hide themselves while compromising defenses and critical data. Attackers have moved far beyond targeting limited financial incentives like theft of credit card and Netflix accounts. They are disrupting power grids; taking hospital systems offline with ransomware; influencing political outcomes with deceptive, targeted attacks; and destabilizing financial market systems, driven by financial, hacktivist, political and nation-state goals, both offensive and defensive.
To fight these growing threats, enterprises need an intelligent next generation threat protection solution that doesn’t just address one or two capabilities but provides end-to-end protection.
At Symantec, we’ve developed the most intelligent next generation threat protection by focusing on areas like multi-dimensional machine learning and deep learning. I’ll go into more detail later on how Symantec is leading the industry with these, but first, let’s look at what intelligent next generation threat protection entails.
How we define next generation threat protection
There seems to be a lot of confusion over what next generation threat protection really is and isn’t. It’s time to debunk some of the myths out there.
To help customers and the industry understand what next generation threat protection means, Symantec recently defined what enterprises should look for in an intelligent next generation threat protection solution.
As an example, Symantec Next Generation Threat Protection capabilities include:
- Blocking advanced threats and zero-day attacks with multi-dimensional machine learning, advanced exploit prevention and hardening;
- Proactive attack prevention with real time intelligence from Symantec’s global threat analytics and expert threat researchers;
- Deep forensics and fast remediation of advanced attacks with the latest EDR technology using a single agent;
- High performance and low false positives.
These four capabilities are the essential building blocks of what true next generation threat protection is, and of how it should be defined.
Multi-dimensional machine learning to protect against advanced threats
How can multi-dimensional machine learning help protect your enterprise?
Machine learning (ML) is a class of algorithms that can learn concepts through automated analysis of large amounts of data. Many security firms use ML “classifiers” to detect new attack artifacts like malicious files or URLs. For example, to build a malicious file classifier, they might gather large numbers of legitimate and malicious software files and analyze them to extract their behaviors (for example, that a program attempts to delete files in the system directory, or that a file tries to change a security setting). They then feed this training data into an ML system, which learns to discern good files from bad by learning the behavioral characteristics associated with each category of software.
The problem with these systems is that their decision-making is based on behaviors that are entirely under the attacker’s control. For example, an attacker can simply change their threat to use a different sequence of behaviors, and an existing ML classifier may then fail to detect it. Or the attacker can adjust the size of their threat’s binary file and shuffle around a few instructions, and their new threat will no longer trigger the classifier. Ultimately, this singular reliance on attacker-controllable features (such as behaviors or software instructions) makes these ML systems extremely brittle to attack.
How is Symantec’s machine learning approach different?
Symantec has pioneered an entirely new approach to security using multi-dimensional machine learning that combines traditional features (like those described above) with a “wisdom of the crowds” cloud approach that computes the safety of any single software file or URL on the Internet by analyzing its adoption patterns across Symantec’s hundreds of millions of active customers.
By analyzing trillions of real-time, daily interactions between Symantec’s customers and software files and websites across the Internet, Symantec’s ML systems learn which software and websites are adopted by different demographics of users—power users, novices, enterprises, frequently attacked users, users in different geographical regions, etc.—and which software and websites are avoided by these same demographics. This approach—looking at the context of who adopts or avoids software and websites, rather than at what the software or website itself looks like or how it behaves—provides a completely independent evaluation of an artifact’s safety that is nearly impossible for an attacker to control. Symantec’s adoption-based ML systems know whether a file has been adopted by thousands of users, or has never been adopted by a single user. They know whether a file is being avoided by power users, or being adopted at high rates by frequently infected users. These interactions provide a huge amount of context on the safety of a new file or URL.
Symantec uses this population adoption-based ML approach both on its own and in conjunction with more traditional ML approaches that consider a software file’s (or URL’s) behavior and structure. The result is an ML system that considers both what a software file (or URL) does and its real-time interactions with Symantec’s customers, and as such is far more resilient to attack and also far more sensitive (while reducing false positives).
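To make the argument of the two preceding sections concrete, here is an added toy example (my own illustration, not Symantec code and not its actual model): a behaviour-only naive Bayes classifier trained on constructed samples, a variant whose behaviours have been swapped for ones the classifier never saw so that it slips past, and a constructed adoption score (number of adopting machines and the share of them that are frequently infected) that still flags it. All training samples, telemetry values and weights are constructed for illustration.

```python
import math
from collections import Counter

# Constructed training data: each sample is (observed behaviours, label).
TRAIN = [
    ({"write_startup_key", "delete_system_files", "disable_av"}, "bad"),
    ({"write_startup_key", "encrypt_user_docs"}, "bad"),
    ({"disable_av", "encrypt_user_docs", "delete_system_files"}, "bad"),
    ({"read_config", "open_network_port"}, "good"),
    ({"read_config", "write_temp_file"}, "good"),
    ({"open_network_port", "write_temp_file"}, "good"),
]

def train_nb(samples):
    """Bernoulli naive Bayes over behaviour features: per-label feature counts."""
    counts = {"good": Counter(), "bad": Counter()}
    totals = Counter(label for _, label in samples)
    for feats, label in samples:
        counts[label].update(feats)
    features = set().union(*(feats for feats, _ in samples))
    return {"counts": counts, "totals": totals, "features": features}

def behaviour_score(model, feats):
    """Log-odds of malice from behaviours alone (Laplace-smoothed).
    Behaviours never seen in training contribute nothing, which is the gap
    an attacker exploits by switching to a new behaviour sequence."""
    score = 0.0
    for f in model["features"]:
        p = {}
        for label in ("good", "bad"):
            pf = (model["counts"][label][f] + 1) / (model["totals"][label] + 2)
            p[label] = pf if f in feats else 1 - pf
        score += math.log(p["bad"] / p["good"])
    return score

def adoption_score(adopters, infected_frac):
    """Log-odds of malice from who adopted the file (toy weights, constructed).
    adopters: distinct machines that ran the file; infected_frac: share of
    those machines that are frequently infected. The attacker controls neither."""
    prevalence = 3.0 - math.log10(adopters + 1)   # an unseen file starts suspicious
    population = 4.0 * (infected_frac - 0.5)      # adopted mainly by risky hosts?
    return prevalence + population

def verdict(model, feats, adopters, infected_frac, threshold=1.0):
    """Return (behaviour-only verdict, combined verdict) as booleans."""
    b = behaviour_score(model, feats)
    a = adoption_score(adopters, infected_frac)
    return b > threshold, b + a > threshold
```

Run `verdict(train_nb(TRAIN), {"schedule_task", "tamper_av_config", "encrypt_docs_v2"}, 3, 1.0)` to see the renamed variant pass the behaviour-only check yet fail the combined one, because three adopters, all of them frequently infected machines, is context the attacker cannot rewrite.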
The other issue for security firms that rely entirely on endpoint-based ML with no cloud component is that the entire software stack is available to the attacker for potential manipulation, right there on the endpoint. Symantec uses ML where it matters: on the endpoint, and in the cloud that attackers cannot compromise, while also optimizing for scale and speed, making it effective across a variety of enterprise conditions.
And Symantec, with the world’s largest sensor network, is uniquely positioned to deliver such an innovative ML approach. No other vendor has the level of global visibility required to compute such context-based ratings.
Better data, better protection
Data and algorithms are key to “tuning in” protection; and having better data is the first hurdle to cross. Without the right data, you may be missing visibility that cannot be extrapolated. Without the right algorithms, you can’t focus on the relevant data. And lastly, without the right experts, you can’t make sense of it all. Fortunately, Symantec combines all these attributes and capabilities.
So what does all this mean for signature definitions?
With the advancement of proactive machine learning technologies like cloud intelligence, signature definition sizes have dropped significantly. To use an analogy, they are no larger than a few image downloads when browsing the web.
Beyond machine learning, deep learning
Symantec is taking machine learning even further with deep learning.
Simply defined, deep learning is a state-of-the-art machine learning technique that uses artificial neural networks, inspired by the human brain, to learn in a manner similar to the way we learn. Deep learning networks are capable of progressively abstracting from raw data inputs to higher-level concepts. It is this hierarchical generalization capability that endows them with robust statistical properties: learning from very little labeled data, reconstructing partial inputs, detecting anomalies, and so on.
Symantec has a Center for Advanced Machine Learning (CAML), a team of security machine learning experts who perform research and development in advanced ML techniques, including deep learning.
Symantec Cynic—an example of how we apply machine learning in the context of cloud-based sandboxing
Symantec Cynic, a part of Symantec Advanced Threat Protection, is a cloud-based dynamic malware analysis service that provides the ability to detect advanced threats. Unlike most sandbox analysis products, which focus on offering a variety of virtual machines or customer-specific images to detonate and detect malware, Cynic uses advanced machine learning-based analysis combined with Symantec's global intelligence to detect even the most stealthy and persistent threats.
Today, 28 percent of advanced attacks are "virtual machine-aware" which means they don't reveal their suspicious behaviors when run in typical sandboxing systems. To combat this, Symantec Cynic executes suspicious files on physical hardware to uncover those attacks that would evade detection by traditional sandboxing technologies.
Cynic takes the results from all of these technologies and provides the verdict and analysis results to users, along with valuable threat intelligence.
Innovative thinking produces innovative results
As part of Symantec’s ongoing commitment to innovation, our vision is built on the four key pillars of threat protection, information protection, cyber security services and unified security analytics. We are developing a comprehensive big data analytics platform for collecting vast security telemetry that analyzes it for local and global threats, and then converts the insights into secure outcomes. And our advanced machine learning and deep learning technology innovations are vital components of our vision.
Recently, AV-TEST.org announced that Symantec Endpoint Protection won the Best Protection 2015 award for corporate endpoint security. Furthermore, Symantec was recently named a leader in three critical areas in the 2016 Gartner Magic Quadrant report: Data Loss Prevention, Managed Security Service Providers, and Endpoint Protection Platforms.
These achievements prove that Symantec is recognized as a leader in this space and how our continuous innovation advances the industry. And while it’s an honor to receive these recognitions, we’re still focused on doing what’s best for our customers: defining and delivering true next generation threat protection.