Symantec Corp. will likely bring its reputation-based security service to the enterprise market next year.
While the company doesn’t announce release dates in advance, it’s “safe to say” Symantec will launch an enterprise version of its offering, which draws on the usage patterns of 100 million users to determine whether a file or URL is malicious in 2011, said Carey Nachenberg, a Symantec Fellow and distinguished engineer.
Nachenberg spoke to ComputerWorld Canada after a presentation at Virus Bulletin 2010 in Vancouver on Thursday.
Cloud-based security offerings have emerged over the last three years, Nachenberg said, but the reputation-based model is distinct from the fingerprinting model, which relies on captured characteristics of known malware. Reputation-based security (RBS) “leverages the collective wisdom of a user community” as its primary input for decision-making about the safety rating of files and URLs.
Symantec’s RBS takes anonymous telemetry from 100 million users of its consumer security programs, maps in a Facebook-like social graph, and holds ratings on 1.5 billion applications based on 10.7 billion associations updated every 12 hours, Nachenberg said. Among the factors that establish the rating are its prevalence (how many computers have the file) and its age. While a fingerprint-based regime can’t tell you anything about a zero-day vulnerability, “an RBS can say one thing: It has no reputation,” Nachenberg said.
There’s a “long tail” element to security threats, Nachenberg said; while there are a few viruses that infect thousands or millions of computers, the vast majority of viruses infect fewer than 20. If three people visit a Web site with malicious files, each might be served a different version. RBS allows IT security administrators to set policies blocking out, for example, software that appears on fewer than 1,000 machines that is less than a month old.
RBS can also act as corroboration for heuristic, behaviour-based and other malware defence mechanisms, said Symantec’s Vijay Seshadri. If another malware detection program identifies borderline behaviour in a file, RBS can provide context to prevent false positives, allowing heuristic programs to be applied more aggressively.
Nachenberg uses this analogy: If a heuristic program sees someone with a gun, it assumes that person is a criminal. RBS allows heuristics to see if the man with the gun is with a group of police officers or a group of thugs.
Evaluating the performance of an RBS offering with traditional methods isn’t valid, according to Seshadri. The traditional approach is to throw a number of files — say, 50 known to be good files, and 50 known to be malicious — at a program and scan them. The number of bad files it identifies as bad is its true positive performance; the number of good files identified as bad is its false positive rating.
In the real world, a software solution that detects one common malware infection, yet misses dozens of less common types of malware, can still be considered more than 95 per cent effective.
For RBS, whether the file is judged good or bad can change as the file ages and becomes more prevalent, he said. Symantec claims its RBS captures 72 per cent of malicious files and URLs, but that’s on an additive basis — files that aren’t caught by fingerprints and heuristics.
RBS also evaluates files that aren’t malware. “Knowing that a file is good is useful,” Nachenberg said. Malicious files on a computer average less than 50 in number, while good files are in the low thousands. Not scanning those thousands of files improve performance and bandwidth.
Asked about possible enterprise pushback on submitting data to Symantec’s cloud, Nachenberg said the company has been in discussion with enterprise users, including banks, who say they’ve no objection as long as no personally identifiable information is exchanged. He said when the software is registered, a randomly generated encryption code is assigned to the machine that’s not related to the serial number. The cloud collects only file ID, the anonymous machine ID, creation date, origin and signer data of the files.
Enterprises can also elect to simply leverage the data, rather than make submissions. Custom code, which would raise flags because of the small number of computers it would be installed on, can be manually white-listed.
