Symantec Ubiquity
DESCRIPTION
Symantec Ubiquity is an award-winning, next generation security technology that is built on community-based reputation for fighting evolving malware. A result of more than four years of development, Ubiquity enables Symantec to harness the anonymous software usage patterns of more than 100 million Symantec customer computers and deliver protection against micro-distributed, mutating threats that would otherwise completely evade traditional security solutions.
TRANSCRIPT
![Page 1: Symantec Ubiquity](https://reader033.vdocuments.mx/reader033/viewer/2022052600/55855100d8b42a0a3a8b4bec/html5/thumbnails/1.jpg)
Symantec Ubiquity
September 2010
![Page 2: Symantec Ubiquity](https://reader033.vdocuments.mx/reader033/viewer/2022052600/55855100d8b42a0a3a8b4bec/html5/thumbnails/2.jpg)
The Problem
A quick look at Cyber security 2009 by the numbers
• 12 new 0day vulnerabilities
• 14 new public SCADA vulnerabilities
• 321 browser plug-in vulnerabilities
• 4,501 new vulnerabilities
• 17,432 new bot C&C servers
• 30,000 domains hosting malware
• 59,526 phishing hosts
• 2,895,802 new AV signatures
• 6,798,338 bot infected computers
240,000,000 (240 million) new malware variants
3,200,000,000 attacks blocked by Symantec in 2009
In the time it takes to give this presentation, we will block more than 540,000 attacks!
![Page 3: Symantec Ubiquity](https://reader033.vdocuments.mx/reader033/viewer/2022052600/55855100d8b42a0a3a8b4bec/html5/thumbnails/3.jpg)
The Problem
Protection is a constant challenge
• As we improve and innovate our technologies, malware authors adapt and innovate too
• Their techniques are easy – exploit, encrypt, deploy and repeat
Like a game of cat and mouse…
![Page 4: Symantec Ubiquity](https://reader033.vdocuments.mx/reader033/viewer/2022052600/55855100d8b42a0a3a8b4bec/html5/thumbnails/4.jpg)
The Problem
Malware authors have switched tactics
From:
A mass distribution of a relatively few threats, e.g. Storm made its way onto millions of machines across the globe
To:
A micro distribution model, e.g.
The average Vundo variant is distributed to 18 Symantec users!
The average Harakit variant is distributed to 1.6 Symantec users!
240M+ distinct new threats discovered last year!
What are the odds a security vendor will discover all these threats? If you don’t know about it, how do you protect against it?
![Page 5: Symantec Ubiquity](https://reader033.vdocuments.mx/reader033/viewer/2022052600/55855100d8b42a0a3a8b4bec/html5/thumbnails/5.jpg)
The Problem
Millions of file variants (good and bad)
• So imagine that we know:
– about every file in the world today…
– and how many copies of each exist
– and which files are good and which are bad
• Now let’s order them by prevalence with
– Bad on the left
– Good on the right
![Page 6: Symantec Ubiquity](https://reader033.vdocuments.mx/reader033/viewer/2022052600/55855100d8b42a0a3a8b4bec/html5/thumbnails/6.jpg)
The Problem
No Existing Protection Addresses the “Long Tail”
Today, both good and bad software obey a long-tail distribution.
[Figure: prevalence of Bad Files (left) and Good Files (right). Blacklisting works well for the high-prevalence bad files, whitelisting works well for the high-prevalence good files; for the long tail a new technique is needed.]
Unfortunately neither technique works well for the tens of millions of files with low prevalence.
(But this is precisely where the majority of today’s malware falls)
![Page 7: Symantec Ubiquity](https://reader033.vdocuments.mx/reader033/viewer/2022052600/55855100d8b42a0a3a8b4bec/html5/thumbnails/7.jpg)
Traditional, signature based detections just can’t keep up
![Page 8: Symantec Ubiquity](https://reader033.vdocuments.mx/reader033/viewer/2022052600/55855100d8b42a0a3a8b4bec/html5/thumbnails/8.jpg)
We need something different
![Page 9: Symantec Ubiquity](https://reader033.vdocuments.mx/reader033/viewer/2022052600/55855100d8b42a0a3a8b4bec/html5/thumbnails/9.jpg)
Ubiquity is something different
![Page 10: Symantec Ubiquity](https://reader033.vdocuments.mx/reader033/viewer/2022052600/55855100d8b42a0a3a8b4bec/html5/thumbnails/10.jpg)
Ubiquity™: A revolutionary technology that provides safety ratings for every program on the Internet, based on the collective wisdom of Symantec's more than 100 million users.
![Page 11: Symantec Ubiquity](https://reader033.vdocuments.mx/reader033/viewer/2022052600/55855100d8b42a0a3a8b4bec/html5/thumbnails/11.jpg)
Ubiquity
• How often has this file been downloaded?
• Where is it from?
• Have other users reported infections?
• Is the source associated with infections?
• How will this file behave if executed?
• How old is the file?
• How old is the source?
• Is the source associated with SPAM?
• Is the source associated with many new files?
• Does the file look similar to malware?
• Is the file associated with files that are linked to infections?
• Who created it?
• Does it have a security rating?
• Is it signed?
• What rights are required?
• Who owns it?
• What does it do?
![Page 12: Symantec Ubiquity](https://reader033.vdocuments.mx/reader033/viewer/2022052600/55855100d8b42a0a3a8b4bec/html5/thumbnails/12.jpg)
The Idea
Unique programs are almost always suspicious
You probably want to know if you are the first person to run a program or if the file was just created
![Page 13: Symantec Ubiquity](https://reader033.vdocuments.mx/reader033/viewer/2022052600/55855100d8b42a0a3a8b4bec/html5/thumbnails/13.jpg)
Only malware mutates
![Page 14: Symantec Ubiquity](https://reader033.vdocuments.mx/reader033/viewer/2022052600/55855100d8b42a0a3a8b4bec/html5/thumbnails/14.jpg)
Identify what is unique
Supplement with risk ratings
End up with a highly confident assessment
![Page 15: Symantec Ubiquity](https://reader033.vdocuments.mx/reader033/viewer/2022052600/55855100d8b42a0a3a8b4bec/html5/thumbnails/15.jpg)
Ubiquity - How it works
1 Build a collection network
2 Rate every file on every client: Prevalence, Age, Source, Behavior, Associations
3 Assemble into a DB and data mine
4 Serve the rankings during scans
5 Provide actionable data
![Page 16: Symantec Ubiquity](https://reader033.vdocuments.mx/reader033/viewer/2022052600/55855100d8b42a0a3a8b4bec/html5/thumbnails/16.jpg)
Why Ubiquity?
Not a replacement technology
It makes our other technologies more powerful
Ubiquity:
• Exceptional Detection
• Unmatched Accuracy
• Policies based on actual risk
• Blazing Performance
• Security based on real data
![Page 17: Symantec Ubiquity](https://reader033.vdocuments.mx/reader033/viewer/2022052600/55855100d8b42a0a3a8b4bec/html5/thumbnails/17.jpg)
Exceptional Detection
• It blocks unknown malware
• It ratchets up the “resolution” of our heuristics and behavior blocking
• It kills targeted and mutated malware, once and for all
– Let’s see why…
![Page 18: Symantec Ubiquity](https://reader033.vdocuments.mx/reader033/viewer/2022052600/55855100d8b42a0a3a8b4bec/html5/thumbnails/18.jpg)
Exceptional Detection
Spotting Unique Threats
• Hackers mutate threats to evade fingerprints
• In context, mutated threats stick out like a sore thumb
• It’s a catch-22 for the virus writers
– Mutate too much = Easily spotted
– Mutate too little = We’ve seen it before
![Page 19: Symantec Ubiquity](https://reader033.vdocuments.mx/reader033/viewer/2022052600/55855100d8b42a0a3a8b4bec/html5/thumbnails/19.jpg)
Blazing Performance
[Figure: scan workload, Ubiquity vs Traditional Scanning]
On a typical system, 80% of active applications can be skipped!
![Page 20: Symantec Ubiquity](https://reader033.vdocuments.mx/reader033/viewer/2022052600/55855100d8b42a0a3a8b4bec/html5/thumbnails/20.jpg)
Empower Users
Users – Given the tools to make choices
![Page 21: Symantec Ubiquity](https://reader033.vdocuments.mx/reader033/viewer/2022052600/55855100d8b42a0a3a8b4bec/html5/thumbnails/21.jpg)
Policies based on actual risk
Data Driven Policies
• Finance Dept: Only software with at least 10,000 users over 2 months old
• Help-desk employees can install medium-reputation software with at least 100 other users.
• Applications with a low reputation forbidden from accessing documents identified by DLP as containing financial data.
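The three policies on this slide written out as an executable check, an added example that is not Symantec's code; the reputation record (prevalence and age as named in the "How it works" slide, plus a "good"/"medium"/"low" rating bucket), the department and action names, and the sample files are all assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Assumed reputation record: prevalence and age as in the "How it works" slide,
# plus an assumed rating bucket. This is not Symantec's data model.
@dataclass(frozen=True)
class FileReputation:
    name: str
    prevalence: int    # distinct users observed running the file
    first_seen: date   # first observation in the collection network
    rating: str        # assumed buckets: "good", "medium", "low"

def finance_install_ok(rep: FileReputation, today: date) -> bool:
    # Finance Dept: only software with at least 10,000 users, over 2 months old
    return rep.prevalence >= 10_000 and (today - rep.first_seen).days > 60

def helpdesk_install_ok(rep: FileReputation, today: date) -> bool:
    # Help-desk: medium (or better) reputation with at least 100 other users
    return rep.rating in ("good", "medium") and rep.prevalence >= 100

def dlp_financial_access_ok(rep: FileReputation, today: date) -> bool:
    # Low-reputation applications may not open DLP-tagged financial documents
    return rep.rating != "low"

# (department, action) -> rule; "any" matches every department for that action
POLICIES = {
    ("finance", "install"): finance_install_ok,
    ("helpdesk", "install"): helpdesk_install_ok,
    ("any", "access_financial_doc"): dlp_financial_access_ok,
}

def decide(rep: FileReputation, department: str, action: str, today: date):
    """Return (allowed, reason). Pairs with no policy are denied by default."""
    rule = POLICIES.get((department, action)) or POLICIES.get(("any", action))
    if rule is None:
        return False, f"no policy for {department}/{action}: default deny"
    allowed = rule(rep, today)
    return allowed, f"{rule.__name__}: {'allow' if allowed else 'deny'}"

# Constructed sample records, not real Ubiquity ratings.
TODAY = date(2010, 9, 15)
SAMPLES = [
    FileReputation("widely_used_editor.exe", 2_500_000, date(2008, 1, 10), "good"),
    FileReputation("niche_tool.exe", 340, date(2010, 7, 1), "medium"),
    FileReputation("fresh_unique.exe", 1, date(2010, 9, 14), "low"),
]

if __name__ == "__main__":
    for rep in SAMPLES:
        for dept, action in POLICIES:
            print(rep.name, dept, action, decide(rep, dept, action, TODAY))
```

The default-deny branch matters: a request with no matching policy is refused rather than silently allowed, which is the safe failure mode for a reputation gate.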
![Page 22: Symantec Ubiquity](https://reader033.vdocuments.mx/reader033/viewer/2022052600/55855100d8b42a0a3a8b4bec/html5/thumbnails/22.jpg)
Conclusion
Ubiquity Changes the Rules of the Game
• Amplifies the protection of our current technologies
• We no longer rely solely on traditional signatures
• Use data from tens of millions of users to automatically identify otherwise invisible malware
• Shifts the odds in our favor – attackers can no longer evade us by tweaking their threats
![Page 23: Symantec Ubiquity](https://reader033.vdocuments.mx/reader033/viewer/2022052600/55855100d8b42a0a3a8b4bec/html5/thumbnails/23.jpg)
Conclusion
Where is Ubiquity in use today?
• Deploying into all our flagship products
– First used in blocking mode in the Norton 2010 products.
– Currently also used in Symantec Hosted Endpoint Protection
– Will soon be available in the Symantec Web Gateway product
– Will follow in others
• Is also used within Symantec back office systems
– To enrich and validate traditional malware analysis
– Fast tracks new malware detections
– Provides a safety check to further mitigate false positives
![Page 24: Symantec Ubiquity](https://reader033.vdocuments.mx/reader033/viewer/2022052600/55855100d8b42a0a3a8b4bec/html5/thumbnails/24.jpg)
Conclusion
Results
– Ubiquity’s reputation database now contains accurate safety ratings on more than 1.5 billion good and bad executable files.
– New files are being discovered at the rate of 22 million each week.
– Ubiquity data confirms the original premise that malware today is largely micro-distributed – more than 75 percent of malware discovered by Ubiquity affects less than 50 Symantec users.
– Today Ubiquity serves an average of more than 45 billion application safety ratings every month for customers.
– Ubiquity was recently named the winner of the network security category in the 2010 Wall Street Journal Technology Innovation Awards.
… and this is just the beginning!
![Page 25: Symantec Ubiquity](https://reader033.vdocuments.mx/reader033/viewer/2022052600/55855100d8b42a0a3a8b4bec/html5/thumbnails/25.jpg)
Thank you!
Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.