Post on 07-Jun-2020

8 views 0 download

Transcript of Proactively Discovering Malicious Activity On Your...

1

Proactively Discovering Malicious Activity On Your Network

1487 - Proactively Discovering Malicious Activity on Your Network

SYMANTEC VISION 2014

Mark Guntrip, Product Marketing, Symantec
Mark Feeney, Manager, IT Security, AMETEK

Agenda

1. The Best Place to Detect Malicious Behavior
2. Different Viewpoints
3. AMETEK Real-World Case Study

The big question…

“Where is the best place to detect malicious behavior?”


The big question…

[Chart: audience poll – “At what point do you believe advanced threats are stopped or identified?” – answer categories Server, Cloud, Network, Endpoint, Gateway; horizontal scale 0–25]

What does this question mean to different people?

• Where my core data resides
• What I think malicious activity is
• Where I believe I might be vulnerable
• Within the bounds of my control
• I’m blocking threats before they get in


Shortened URLs


Real Time Link Following


Active Content


Disarm Technology

• Problem: attacks using malicious, attached email documents
  – Primarily used in spear phishing emails – Advanced Persistent Threat (APT)
  – Contain malicious active content, or exploit payloads targeting parser vulnerabilities
• Solution: reconstruct attachment documents from scratch before presenting to the user
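The “reconstruct from scratch” idea in the Solution bullet, shown as an added Python example. This is not Symantec’s Disarm code (the slides say nothing about its internals); it is an illustration of the same principle for an Office Open XML attachment: the incoming package is treated purely as untrusted input, and a new package is built from an allow list of parts, so the VBA project, embedded objects and their relationship and content-type entries are simply never copied rather than being scanned and removed. The allow list, the relationship types dropped and the sample macro-enabled package are all constructed for this example.

```python
import io
import posixpath
import re
import zipfile

# Illustrative allow list of package parts a rebuilt document may carry
# (an assumption for this example; a real policy would be schema-driven).
ALLOWED_PARTS = [r"^\[Content_Types\]\.xml$", r"^_rels/\.rels$", r"^word/document\.xml$",
                 r"^word/styles\.xml$", r"^word/_rels/document\.xml\.rels$"]
# Relationship types that point at executable or embedded-object content.
DROPPED_REL_TYPES = ("relationships/vbaProject", "relationships/oleObject",
                     "relationships/control")
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = ("application/vnd.openxmlformats-officedocument."
                 "wordprocessingml.document.main+xml")
REL_RE = re.compile(r"<Relationship\b[^>]*/>")
OVERRIDE_RE = re.compile(r"<Override\b[^>]*/>")
BIN_DEFAULT_RE = re.compile(r'<Default\b[^>]*Extension="bin"[^>]*/>')


def _rebuild_rels(rels_name, xml, kept):
    """Keep a relationship only if its type is not dropped and its target is
    external (e.g. a hyperlink) or a part that survives the rebuild."""
    base = posixpath.dirname(posixpath.dirname(rels_name))  # word/_rels/x -> word

    def keep(m):
        rel = m.group(0)
        if any(t in rel for t in DROPPED_REL_TYPES):
            return ""
        if 'TargetMode="External"' in rel:
            return rel
        target = re.search(r'Target="([^"]+)"', rel).group(1)
        part = posixpath.normpath(posixpath.join(base, target)).lstrip("/")
        return rel if part in kept else ""

    return REL_RE.sub(keep, xml)


def _rebuild_content_types(xml, kept):
    """Drop Overrides for parts not carried over and the .bin default that a
    macro container relies on, then demote the main part to the plain type."""
    def keep(m):
        part = re.search(r'PartName="/([^"]+)"', m.group(0)).group(1)
        return m.group(0) if part in kept else ""
    xml = BIN_DEFAULT_RE.sub("", OVERRIDE_RE.sub(keep, xml))
    return xml.replace(MACRO_MAIN_CT, PLAIN_MAIN_CT)


def disarm_docx(data):
    """Build a brand-new package holding only allow-listed parts; the input is
    read, never copied wholesale, so stray members never reach the user."""
    src = zipfile.ZipFile(io.BytesIO(data))
    kept = {n for n in src.namelist() if any(re.match(p, n) for p in ALLOWED_PARTS)}
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in sorted(kept):
            body = src.read(name)
            if name.endswith(".rels"):
                body = _rebuild_rels(name, body.decode(), kept).encode()
            elif name == "[Content_Types].xml":
                body = _rebuild_content_types(body.decode(), kept).encode()
            dst.writestr(name, body)
    return out.getvalue()


def package_parts(data): return sorted(zipfile.ZipFile(io.BytesIO(data)).namelist())


def read_part(data, name): return zipfile.ZipFile(io.BytesIO(data)).read(name).decode()


def build_sample_docm():
    """Constructed sample: a minimal macro-enabled package; the 'VBA' part is a
    placeholder string, not real code."""
    pkg = "http://schemas.openxmlformats.org/package/2006"
    doc = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    parts = {
        "[Content_Types].xml":
            f'<Types xmlns="{pkg}/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            f'<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN_CT}"/>'
            '<Override PartName="/word/vbaData.xml" ContentType="application/vnd.ms-word.vbaData+xml"/>'
            "</Types>",
        "_rels/.rels":
            f'<Relationships xmlns="{pkg}/relationships">'
            f'<Relationship Id="rId1" Type="{doc}/officeDocument" Target="word/document.xml"/>'
            "</Relationships>",
        "word/document.xml": "<w:document><w:body><w:p><w:r><w:t>Quarterly report</w:t>"
                             "</w:r></w:p></w:body></w:document>",
        "word/_rels/document.xml.rels":
            f'<Relationships xmlns="{pkg}/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            f'<Relationship Id="rId2" Type="{doc}/hyperlink" Target="https://example.com/" TargetMode="External"/>'
            "</Relationships>",
        "word/vbaProject.bin": "PLACEHOLDER-VBA-CONTAINER",
        "word/vbaData.xml": "<wne:vbaSuppData/>",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()
```

Running `disarm_docx(build_sample_docm())` yields a package with only the four allow-listed parts; the VBA container and its companion part are gone, the relationship that pointed at them is gone, and the content-types part no longer advertises a macro-enabled document. The point of the allow-list design is that a parser exploit hidden in a part the policy does not know about never needs to be recognised: it is dropped because it was never on the list, not because a scanner found it.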

Content Download


Symantec Insight

• 6.3 billion files
• 300 million machines
• 2 million URLs

Insight makes decisions based on who downloads what from where, not just how many times a file is downloaded. When one machine downloads a file, all reputations must be re-calculated: that’s over 100 billion associations that must be refreshed every few hours!

Drive-by Download


Network Threat Protection

• Threat protection efficacy against drive-by downloads
• Prevent browser exploitation
• Blocks attacks where endpoint protection may not be in place, such as BYOD support
• Detect internal malware proliferation

64% of Symantec malware blocks are due to network threat detection.

Devices Outside The Network


Cloud Security


Unmanaged Devices


Protect Technologies

• Gateway/cloud
  – Email Security – on-premise and cloud – strip active content, follow links
  – Web Security – on-premise and cloud – detect botnet activity, protect remote devices when they are off-network
  – Protect unmanaged devices
• Server/Endpoint
  – Prevent malicious content from installing
  – Detect malware post-infection

Viewpoint: Within the bounds of my control

Shift in viewpoint

• Realization: Breach is Inevitable
• Customer Needs Shift: From Protection Only To Protection + Detection and Response

Identify – Understanding Where Important Data Is
Protect – Stopping Incoming Attacks
Detect – Finding Incursions
Respond – Containing & Remediating Problems
Recover – Restoring Operations

Detecting and stopping malware activity


Gateway

• Command & Control Communications
• Botnet activity
• Inactive botnets

[Diagram: Symantec Web Gateway sits between the Web and Client systems and inspects packets, IPs, URLs, files, active content, applications, behavior. Functions shown: Botnet Detection, Infected Client Detection, Application Control, Malware Content Scanning, URL Filtering, Malware Domains & IPs.]
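To make the gateway bullets concrete, here is an added Python example (not part of the deck and not Symantec Web Gateway code) that applies two of the checks named on the slide to a constructed proxy log: a lookup against a malware-domain list, and a periodicity test that flags a client which contacts the same destination at near-constant intervals, the beaconing pattern typical of command-and-control traffic from an infected client. The log lines, the blocklist and the thresholds (`min_hits`, `max_cv`) are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log ("timestamp client destination bytes"); not real traffic.
SAMPLE_LOG = """\
2014-05-06T09:00:00 10.1.4.22 cdn-sync.example.test 412
2014-05-06T09:01:12 10.1.4.22 news.example.test 18330
2014-05-06T09:03:44 10.1.4.22 news.example.test 2210
2014-05-06T09:05:01 10.1.4.22 cdn-sync.example.test 412
2014-05-06T09:10:00 10.1.4.22 cdn-sync.example.test 412
2014-05-06T09:14:59 10.1.4.22 cdn-sync.example.test 412
2014-05-06T09:20:01 10.1.4.22 cdn-sync.example.test 413
2014-05-06T09:25:00 10.1.4.22 cdn-sync.example.test 412
2014-05-06T09:31:05 10.1.4.22 news.example.test 9044
2014-05-06T09:32:10 10.1.4.22 news.example.test 1277
2014-05-06T09:40:17 10.1.7.9 bad.example.test 88
2014-05-06T09:55:00 10.1.4.22 news.example.test 30012
2014-05-06T10:20:30 10.1.4.22 news.example.test 7710
"""

# Constructed stand-in for a "Malware Domains & IPs" reputation feed.
BLOCKLIST = {"bad.example.test", "203.0.113.77"}


def parse_log(text):
    """Return (timestamp, client, destination, bytes) tuples; blank lines skipped."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, client, dest, nbytes = line.split()
            events.append((datetime.fromisoformat(ts), client, dest, int(nbytes)))
    return events


def analyze(text, min_hits=5, max_cv=0.10, blocklist=BLOCKLIST):
    """Flag (client, destination) pairs that either hit a blocklisted host or
    show beacon-like timing: at least min_hits connections whose inter-arrival
    gaps have a coefficient of variation (stdev / mean) at or below max_cv.
    Thresholds are assumptions chosen for the constructed sample."""
    by_pair = defaultdict(list)
    for ts, client, dest, _ in parse_log(text):
        by_pair[(client, dest)].append(ts)
    findings = []
    for (client, dest), stamps in sorted(by_pair.items()):
        if dest in blocklist:
            findings.append({"client": client, "dest": dest, "hits": len(stamps),
                             "reason": "known-malicious destination"})
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")  # identical stamps: skip
        if cv <= max_cv:
            findings.append({"client": client, "dest": dest, "hits": len(stamps),
                             "reason": f"periodic beacon (~{round(avg)}s, cv={cv:.3f})"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['client']} -> {f['dest']}: {f['reason']}, {f['hits']} hits")
```

On the sample, the host 10.1.4.22 is flagged for contacting cdn-sync.example.test every five minutes with almost no jitter, while its irregular browsing to news.example.test is not, and 10.1.7.9 is flagged on the single connection to the blocklisted domain. The two checks are complementary: the reputation list catches known infrastructure on first contact, and the timing test catches an unknown destination from the behaviour of the client alone, which is what the slide’s “Infected Client Detection” layer has to do when the domain is not yet in any feed. A bot that has gone quiet (the “inactive botnets” bullet) produces no gaps to measure, so for that case only the reputation check applies.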

Detecting and stopping malware activity

• Managed Security Services

[Diagram: Symantec MSS, fed by Network, Server, Endpoint, Desktops, Data and Compliance Restriction sources; Organization, Asset Value and System Function context; and Threats, Vulnerabilities, Malcode and File & Site Reputation intelligence.]


How AMETEK Found, Watched & Beat a Malware Campaign

Mark Feeney Manager, IT Security - AMETEK


• $3.6B global manufacturer of electronic instruments and electro-mechanical devices
• AMETEK is a component of the S&P 500 Index (AME)
• Over 120 manufacturing and 80 sales and service locations
• 30 countries
• 4 data centers: Boston MA, Horsham PA, Leicester UK, Singapore
• 14,000 employees worldwide

Timeline

• FBI, San Diego – Sept 2013
• Just a little “noise” – June 2013
• Aahh. There it is! – Oct 2013
• FBI, Boston
• Ongoing process begins – Nov 2013

Key Takeaways

• If the FBI wants to talk to you, talk to them
• Don’t be afraid to ask your vendors for help
• If you haven’t already, upgrade to SEP 12.1
• Reduce lateral movement
• Eliminate password reuse
• Look to gateway security measures to maximize visibility
• Devices outside your control are still critical
• Plan to Protect, Detect, Respond, Recover

For more information on Symantec’s future plans for malware and targeted attack detection, see the session “Gateway, Cloud and Targeted Attacks: Symantec’s Vision, Strategy and Roadmap”, 10.15 – 11.15AM, Augustus Ballroom 2.

Thank you!
