1
Symantec Security Intelligence Internet Security Threat Report Volume XVI June, 2011
Tiffany Jones Director – Programs and Strategy Symantec Public Sector Division Symantec Internet Security Threat Report
2
Agenda
1. Global Intelligence Network
2. Threat Landscape Overview
3. ISTR XVI Key Facts and Figures
3
Global Intelligence Network: identifies more threats, takes action faster and prevents impact
Locations: Calgary, Alberta; Dublin, Ireland; San Francisco, CA; Tokyo, Japan; Mountain View, CA; Austin, TX; Chengdu, China; Culver City, CA; Taipei, Taiwan; Chennai, India; Pune, India
Capabilities: information protection, preemptive security alerts, threat-triggered actions, global scope and scale, worldwide coverage, 24x7 event logging, rapid detection
Attack activity: 240,000 sensors in 200+ countries
Malware intelligence: 133M clients, servers and gateways monitored, global coverage
Vulnerabilities: 40,000+ vulnerabilities across 14,000 vendors and 105,000 technologies
Spam/phishing: 5M decoy accounts, 8B+ messages/day, 1B+ web requests/day
4
2010 Threat Landscape
5
Threat Activity Trends: AV Signatures in Perspective
Chart: 10M signatures vs. 286M unique malware variants vs. 3.1B malware attacks blocked
We used to use virus signatures as an indirect measure of activity on the threat landscape. Today, however, cybercriminals use evasion techniques to get around the traditional signature model, and we write signatures as generically as possible to catch multiple variants, so there is no longer a one-to-one mapping between a signature and a single threat variant. Counting signatures is therefore no longer a good way of representing changes in the threat landscape. Instead we look at the number of unique malware variants seen by Symantec and the total number of malware attacks we blocked.
6
Threat Landscape 2010: Overarching Actors
Organized crime rings, well-meaning insiders, malicious insiders, nationalists
7
Threat Landscape 2010: Trends
Targeted attacks continued to evolve
Social networking + social engineering = compromise
Hide and seek (zero-day vulnerabilities and rootkits)
Attack kits get a caffeine boost
Mobile threats increase
Here are the trends we saw in 2010; we will drill down into each of these areas in the following slides.
Targeted attacks: targeted attacks, while not new, gained notoriety in 2010 from high-profile attacks against major organizations (Hydraq/Aurora) and significant targets (Stuxnet).
Social networking + social engineering = compromise: the ability to research a target online has enabled hackers to create powerful social engineering attacks that easily fool even sophisticated users. It has also proven to be fertile ground for attackers to
Hide and seek (zero-day vulnerabilities and rootkits): targeted attacks depend on their ability to get inside an organization and stay hidden in plain sight. Zero-day vulnerabilities and rootkits have made this possible and featured largely in attacks in 2010.
Attack kits get a caffeine boost: innovations from targeted attacks will make their way into massive attacks, most likely via attack toolkits.
Mobile threats increase: all of these attacks are moving to mobile devices, limited only by attackers getting a return on their investment (ROI). They are not widespread today, but we see this shifting and it will be something to watch closely in 2011.
8
Threat Landscape: Targeted attacks continue to evolve
High-profile targeted attacks in 2010 (Hydraq and Stuxnet) raised awareness of the consequences of APTs. Stuxnet signaled a leap in the sophistication of these attacks:
Four zero-day vulnerabilities
Stolen digital certificates (legitimate vendors' code-signing keys used to sign its drivers)
Ability to "leap" the air gap via removable media
Potential damage to physical infrastructure
As illustrated by Stuxnet, you can no longer rely on "security by obscurity" and "physical isolation", yet many industries (manufacturing, telecom, etc.) still do. All it takes is one weak link to establish a beachhead from which to penetrate further inside an organization. High-profile attacks like Hydraq and Stuxnet were extensively covered. Both employed zero-day vulnerabilities, with Stuxnet using a record four of them, almost one-third of all zero-day vulnerabilities reported in 2010. While Hydraq was quickly forgotten and, in time, Stuxnet may be forgotten as well, their influence will be felt in malware attacks to come. Stuxnet and Hydraq teach future attackers that the easiest vulnerability to exploit is our trust of friends and colleagues.
More info: detailed review in the W32.Stuxnet Dossier and the W32.Stuxnet write-up.
9
Threat Landscape: Targeted attacks continue to evolve (continued)
Less sophisticated attacks also cause significant damage. The average cost to resolve a data breach in 2010 was $7.2 million USD. Targeted attacks don't have to employ zero-day vulnerabilities or target senior executives; social engineering aimed at a single user with appropriate access is sufficient. Although hacking was only the third most common cause of data breaches that could lead to identity theft in 2010, it was the top cause of reported identities exposed, with 42 percent of the total. Customer-related information was the most exposed type of data in 2010, both for deliberate breaches and for the identities exposed in those breaches.
Messaging: The high-profile Hydraq and Stuxnet breaches garnered significant media attention in 2010, but it is important to remember that targeted attacks occur regularly and don't always affect large multinational corporations or government entities. Those attacks serve to highlight targeted attacks, but even SMBs can be affected for simple purposes such as the theft of financial information or customer and employee records.
Chart: Average Number of Identities Exposed per Data Breach by Cause
10
Threat Landscape: Social networking + social engineering = compromise
Hackers have adopted social networking: they use profile information to create targeted social engineering, impersonate friends to launch attacks, and leverage news feeds to spread spam, scams and massive attacks.
More info: detailed review of social media threats available in "The Risks of Social Networking".
Whether the attacker is targeting a CEO or a member of the QA staff, the Internet and social networks provide rich research for tailoring an attack. Information gathered from social networking sites can be used to mount a targeted attack that uses social engineering to compromise the target. Social networking compromises also take advantage of the implicit trust between members of the same social circle: users are more likely to follow links in their news feed posted by friends, and shortened URLs further mask the true nature of the destination website. During a three-month period in 2010, two-thirds of malicious links in news feeds observed by Symantec used shortened URLs; 73% of those were clicked 11 times or more, 33% received between 11 and 50 clicks, and only 12% received no clicks at all. Recent versions of Koobface send direct messages to an infected user's friends and also post status updates and add other text to profile pages in order to install fake security applications.
Messaging: Companies continue to struggle to balance the advantages of social networking and keeping their users happy against the dangers posed by the increased exposure of potentially sensitive and exploitable information. Organizations need specific policies for sensitive information that employees may inadvertently post, while also being aware that users visiting these sites from work computers may introduce an avenue of infection into the enterprise network.
11
Threat Landscape: Social networking + social engineering = compromise (continued)
Shortened URLs hide malicious links, increasing infections. Of the shortened URLs leading to malicious websites observed on social networking sites, 73% were clicked 11 times or more.
Chart: malicious links observed in news feeds, regular URL 35% vs. short URL 65%
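The defensive counterpart to the point above is to resolve a shortened link before anyone clicks it: walk the redirect chain hop by hop with HEAD requests that do not auto-follow, cap the number of hops, detect loops, and judge the final destination rather than the shortener's domain. The following is an added example written for this page, not code from the ISTR or from Symantec. Everything in it is an assumption: the redirect table (REDIRECTS) stands in for live HTTP responses, BLOCKED_HOSTS stands in for whatever URL-reputation source a deployment actually queries, and the hostnames are invented.

```python
"""Expand a shortened URL by walking its redirect chain and judging the final
destination, instead of trusting the link a friend 'posted'.
Added example, not from the ISTR deck: the redirect table stands in for live
HTTP HEAD responses and the blocklist for a real reputation source."""
from urllib.parse import urljoin, urlparse

# Constructed stand-in for HTTP HEAD responses: url -> (status, Location header)
REDIRECTS = {
    "http://short.example/abc":               (301, "http://tracker.example/r?u=1"),
    "http://tracker.example/r?u=1":           (302, "//evil-download.example/setup.exe"),  # scheme-relative
    "http://evil-download.example/setup.exe": (200, None),
    "http://short.example/news":              (301, "/story/42"),                           # relative path
    "http://short.example/story/42":          (200, None),
    "http://short.example/loop1":             (302, "http://short.example/loop2"),
    "http://short.example/loop2":             (302, "http://short.example/loop1"),
}
BLOCKED_HOSTS = {"evil-download.example"}   # assumption: stand-in for a reputation feed
REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 10

def fake_head(url):
    """Stand-in for an HTTP HEAD that does not follow redirects itself."""
    return REDIRECTS.get(url, (404, None))

def expand(url, head=fake_head, max_hops=MAX_HOPS):
    """Return (final_url, chain, status); status is 'ok', 'loop' or 'too_many_hops'."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        code, location = head(url)
        if code not in REDIRECT_CODES or not location:
            return url, chain, "ok"
        nxt = urljoin(url, location)          # resolve relative / scheme-relative Location
        chain.append(nxt)
        if nxt in seen:
            return nxt, chain, "loop"
        seen.add(nxt)
        url = nxt
    return url, chain, "too_many_hops"

def verdict(url, head=fake_head):
    """'allow', 'block' or 'suspicious', plus the resolved destination and the chain."""
    final, chain, status = expand(url, head)
    if status != "ok":
        return "suspicious", final, chain     # loops and very long chains are themselves a red flag
    parsed = urlparse(final)
    host = (parsed.hostname or "").lower()
    if host in BLOCKED_HOSTS or parsed.path.lower().endswith((".exe", ".scr", ".pif")):
        return "block", final, chain
    return "allow", final, chain

if __name__ == "__main__":
    for link in ("http://short.example/abc", "http://short.example/news", "http://short.example/loop1"):
        print(link, "->", verdict(link))
```

The resolver deliberately never issues a GET and never renders the destination, so it cannot itself trigger the drive-by download it is trying to prevent; in a real deployment `fake_head` would be replaced by an HTTP client configured not to follow redirects, with a timeout.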
12
Threat Landscape: Hide and seek (zero-day vulnerabilities and rootkits)
Although the short-term trend in exploitation of zero-day vulnerabilities is up, the long-term trend is not. Nevertheless, zero-days are being used more aggressively; they featured heavily in the targeted attacks of 2010. Attack toolkits help to spread knowledge of exploits that leverage vulnerabilities.
Rootkits are taking a more aggressive hold; Tidserv, Mebratix and Mebroot are the current front-runners.
A rootkit is a collection of tools that allow an attacker to hide traces of a computer compromise from the operating system and, by extension, the user. Tidserv, Mebratix and Mebroot all modify the master boot record (MBR) on Windows computers in order to gain control of the computer before the operating system is loaded, which is why a scanner that relies on what the running operating system reports can miss them. Variants of Conficker, ZeuS and Stuxnet all use rootkit techniques to varying degrees. Since the objective of targeted attacks and of malicious code that steals confidential information is to remain undetected for as long as possible in order to gather information, further use of these techniques is likely in the near future.
Messaging: As malicious code becomes more sophisticated, it is likely that its authors will increasingly turn to rootkit techniques to evade detection and hinder removal. As users become more aware of malicious code that steals confidential information and competition among attackers increases, more threats will likely incorporate rootkit techniques to thwart security software.
Chart: Number of documented zero-day vulnerabilities
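Because the MBR bootkits named above replace the first sector's bootstrap code while leaving the partition table intact (the system must still boot), the practical check is to read sector 0 from below the running OS (offline, from a rescue disk, or via raw disk access) and compare the bootstrap bytes against a known-good hash. The following is an added example written for this page, not Symantec's code: the MBR bytes are constructed with a helper, the "clean" boot code is a placeholder, and on a real system the 512 bytes would be read from the physical drive with administrative rights.

```python
"""Parse a 512-byte Master Boot Record and compare its bootstrap code against a
known-good hash, to catch the MBR modification that Tidserv/Mebratix/Mebroot rely on.
Added example, not from the deck; the sectors below are constructed test data."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440        # bootstrap area; bytes 440-445 hold the disk signature/padding
PTABLE_OFFSET = 446        # four 16-byte partition entries follow
SIGNATURE = b"\x55\xAA"    # bytes 510-511

def build_mbr(boot_code, partitions=()):
    """Construct a synthetic MBR (test data only). partitions: (bootable, type, lba_start, sectors)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    table = b""
    for bootable, ptype, lba_start, sectors in partitions:
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, size in sectors
        table += struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\x00" * 3,
                             ptype, b"\x00" * 3, lba_start, sectors)
    return code + b"\x00" * 6 + table.ljust(64, b"\x00") + SIGNATURE

def has_boot_signature(sector):
    return len(sector) == SECTOR and sector[510:512] == SIGNATURE

def parse_mbr(sector):
    """Return the SHA-256 of the bootstrap code and the non-empty partition entries."""
    if not has_boot_signature(sector):
        raise ValueError("not a 512-byte sector with the 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, lba, size = struct.unpack_from("<B3xB3xII", sector, PTABLE_OFFSET + 16 * i)
        if ptype != 0:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": size})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}

def check_mbr(sector, baseline_sha256):
    """Return findings; an empty list means the boot code matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline (possible MBR bootkit)")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    return findings

# Constructed data: placeholder 'legitimate' boot code and a baseline taken from it.
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"
CLEAN_MBR = build_mbr(CLEAN_CODE, [(True, 0x07, 2048, 204800)])
BASELINE = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
# A bootkit keeps the partition table (so Windows still boots) but swaps the boot code.
INFECTED_MBR = build_mbr(b"\xeb\x1e" + b"\x90" * 20, [(True, 0x07, 2048, 204800)])

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE))
    print("infected:", check_mbr(INFECTED_MBR, BASELINE))
```

The baseline must come from a trusted source (the OEM image or a hash taken before deployment), and the sector must be read without going through the infected OS's filter stack, otherwise a rootkit that hooks disk reads can simply hand back the original bytes.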
13
Threat Landscape: Attack kits get a caffeine boost
Attack kits continue to see widespread use: 61% of web-based attacks are due to toolkits. Java exploits have been added to many existing kits, and kits exclusively exploiting Java vulnerabilities have appeared.
More info: detailed information available in the ISTR mid-term report "Attack Toolkits and Malicious Websites".
While targeted attacks are focused on compromising specific organizations or individuals, attack toolkits are the opposite side of the coin, using broadcast blanket attacks that attempt to exploit anyone unfortunate enough to visit a compromised website. Share of toolkit-driven web attacks: MPack 31%, Neosploit 31%, ZeuS 19%. The Phoenix toolkit and others increasingly implement exploits targeting Java vulnerabilities, and the sixth-highest-ranked web-based attack during the reporting period was also an attempt to exploit Java. One of the appeals of Java to attackers is that it is a cross-browser, multi-platform technology.
Messaging: Since exploits for some vulnerabilities will eventually cease to be effective, toolkit authors must incorporate new vulnerabilities to stay competitive in the marketplace. Currently, attackers are heavily targeting exploits for Java vulnerabilities; this could change if their effectiveness diminishes. Toolkit authors are constantly adapting in order to maximize sales of their kits.
14
Threat Landscape: Mobile threats
Currently most malicious code for mobile devices consists of Trojans that pose as legitimate applications. Mobile devices will be increasingly targeted as they are used for financial transactions.
Mobile OS vulnerabilities: 163 in 2010 vs. 115 in 2009, a 42% increase
More info: "Security Issues for Mobile Devices" and a review of Apple iOS and Google Android.
Recently, with the growing uptake of smartphones and their increasing connectivity and capability, there has been a corresponding increase in attention, both from threat developers and from security researchers. Symantec documented 163 vulnerabilities in mobile device operating systems in 2010, compared to 115 in 2009. As with desktop computers, exploiting a vulnerability is one way for malicious code to be installed on a device. While many of these vulnerabilities may be difficult to exploit successfully, two vulnerabilities affecting Apple's iOS platform allowed users to "jailbreak" their devices. Currently most malicious code for mobile devices consists of Trojans that pose as legitimate applications; these are uploaded to mobile app marketplaces in the hope that users will download and install them. In March 2011, Google reported that it had removed several malicious Android applications from the Android Market and had even deleted them from users' phones remotely. Given the financial motivation behind most malicious code, the same is likely to drive mobile threats; some of the first threats of this kind will likely be either phishing attacks or Trojans that steal data from mobile devices.
Messaging: Currently, mobile threats have been very limited in the number of devices they affect as well as the type of impact they have. While they are not likely to make significant inroads right away, they are probably looming over the horizon. As more financial transactions are made through mobile devices, that will drive the development of malicious code for these devices in order to achieve a return on investment.
15
Internet Security Threat Report XVI: Key Facts and Figures
16
Threat Activity Trends: Malicious Activity by Country
NOTE: attackers are not necessarily located in the same country where the malicious activity originates. As noted in previous reports, emerging countries like Brazil, India and Russia still figure prominently in malicious activity. The US and China continue to dominate, but the remaining eight countries in the top ten are separated by only 4%.
17
Threat Activity Trends: Malicious Activity by Country (continued)
The US is the main source of bot-infected computers. Higher broadband capacity allows more attacks per second. Large-scale attacks using the ZeuS attack kit contributed to the high ranking of China for web-based attacks.
The United States is the main source of bot-infected computers for the botnet associated with the Tidserv Trojan, with over half of all infected computers in this botnet located in the United States. Mexico ranks very low for bots, #33 in the world: 155 per day and only 15,827 in total, with over half in Mexico City (52%) and the rest in Monterrey (9%), San Nicolas de los Garza (8%) and Tijuana (5%). Network attacks are closely tied to the broadband connectivity of a country: since higher broadband capacity allows more attacks per second, compromised computers in those countries help to boost their rankings. The ZeuS-kit attacks that lifted China's web-attack ranking compromised around 75,000 users in 196 countries.
18
Threat Activity Trends: Malicious Activity by Country (continued)
Spam zombies dropped significantly in China but continue to be a major source of malicious activity in Brazil. New regulations in China requiring ISPs to register servers and maintain logs likely contributed to this drop. Brazil is a strong source of bot-infected computers for major spam-sending botnets such as Rustock, Maazben and Ozdok (Mega-D). Phishing hosts in a country are tied to the broadband connectivity in that country as well as to its web hosting providers; many phishing sites are hosted on free web space provided by ISPs.
Messaging: Slight changes in rankings and percentages of countries below the US and China show that malicious activity is becoming more spread out. With high-profile ISP takedowns in the past few years and wider proliferation of high-speed connectivity, attackers are likely becoming more opportunistic than ever and compromise computers regardless of their physical location.
19
Threat Activity Trends: Data Breaches by Sector
The top three sectors accounted for only a quarter of all identities exposed. The average cost to resolve a data breach in 2010 was $7.2 million USD. Customer data accounted for 85% of identities exposed.
It is important to point out that these are breaches that could lead to identity theft; we don't know, for example, whether the information on a stolen laptop was ever sold. The data used is from the Open Security Foundation (OSF) DataLossDB. In 2010, the average cost per data breach incident in the United States was $7.2 million. The healthcare sector had the highest percentage of data breaches that could lead to identity theft, with 27%, up from 15% in 2009. The financial sector was the top sector in 2010 for identities exposed in data breaches, with 23 percent, down from 60 percent in 2009.
Messaging: Single large breaches were responsible for the most identities exposed, but small breaches exposing fewer identities are just as damaging to the organizations and individuals involved. Enterprises and SMBs alike need to mitigate their risk. Four measures that can be taken are protecting the infrastructure, protecting the information, developing and enforcing IT policies, and managing systems.
Charts: Average Number of Identities Exposed per Data Breach by Cause; Volume of Data Breaches by Sector; Average Number of Identities Exposed per Data Breach by Sector
20
Vulnerability Trends: Web Browser Vulnerabilities
Internet Explorer had the longest window of exposure. The number of vulnerabilities in Firefox dropped from 169 to 100. 150 more vulnerabilities were documented in Chrome than in 2009, but its window of exposure was less than a day.
The increase in Chrome vulnerabilities is tied to rapid development, including nearly 20 stable versions of the browser being released in 2010, and to Google's bug bounty program. Safari benefited indirectly from this, as many of the reported vulnerabilities were in WebKit, which is used by both Chrome and Safari. The drop in Firefox vulnerabilities may be due to the relative maturity and stability of the browser; researchers may have abandoned Firefox to focus on easier vulnerabilities in other browsers with bounty programs.
Window of exposure in 2010 (days between a public exploit and the vendor's patch, averaged over the patched vulnerabilities sampled): Safari less than one day (sample of 110 patched vulnerabilities); Internet Explorer 4 days (47); Chrome less than a day (191); Opera one day (27); Firefox 2 days (99).
Messaging: As always, the number of vulnerabilities in a browser does not reflect the overall security of that browser. Browsers with the largest user base are more likely to be targeted by attackers in order to maximize their return on investment. With web-based attacks doubling, keeping browsers and all their components patched on a regular basis matters more than ever.
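The per-browser figures above are an average of a simple per-vulnerability quantity, and the two details that change the number are what the example below shows: a patch released before the exploit went public is a zero-day window, not a negative one, and still-unpatched vulnerabilities must be excluded from the average rather than counted as zero (they belong in a separate count). This is an added example written for this page, not the ISTR's own methodology code; the browser names, vulnerability identifiers and dates are constructed placeholders, not real advisories.

```python
"""Window of exposure as the ISTR measures it for browsers: days between public
exploit availability and the vendor's patch, averaged over a sample set of
patched vulnerabilities.  Added example; the browser names, vulnerability IDs
and dates are constructed placeholders, not real advisories."""
from datetime import date
from statistics import mean

# Constructed sample: (browser, placeholder id, exploit public, patch released or None)
SAMPLE = [
    ("Browser A", "A-1", date(2010, 3, 1),  date(2010, 3, 1)),
    ("Browser A", "A-2", date(2010, 5, 10), date(2010, 5, 11)),
    ("Browser A", "A-3", date(2010, 8, 20), date(2010, 8, 18)),  # patch preceded the exploit
    ("Browser B", "B-1", date(2010, 2, 1),  date(2010, 2, 9)),
    ("Browser B", "B-2", date(2010, 7, 4),  date(2010, 7, 4)),
    ("Browser C", "C-1", date(2010, 9, 1),  None),               # still unpatched
]

def window_days(exploit_public, patch_released):
    """Days the public could exploit before a patch existed; None if no patch yet."""
    if patch_released is None:
        return None
    # A patch that predates the exploit means no exposure, not negative exposure.
    return max((patch_released - exploit_public).days, 0)

def windows_by_browser(records):
    """Per browser: patched sample size, unpatched count, average and maximum window."""
    grouped = {}
    for browser, _vid, exploit_public, patch_released in records:
        entry = grouped.setdefault(browser, {"windows": [], "unpatched": 0})
        w = window_days(exploit_public, patch_released)
        if w is None:
            entry["unpatched"] += 1      # excluded from the average, reported separately
        else:
            entry["windows"].append(w)
    summary = {}
    for browser, entry in grouped.items():
        ws = entry["windows"]
        summary[browser] = {
            "patched": len(ws),
            "unpatched": entry["unpatched"],
            "avg_days": mean(ws) if ws else None,
            "max_days": max(ws) if ws else None,
        }
    return summary

if __name__ == "__main__":
    for browser, s in windows_by_browser(SAMPLE).items():
        print(browser, s)
```

Reporting the maximum alongside the average matters in practice: a browser with a sub-day average can still have carried a single exploited vulnerability for weeks, and that outlier is the one an attack kit author would have used.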
21
Malicious Code Trends: Top Malicious Code Families
The Sality virus continues to be the most prominent sample. It spreads through USB devices and relies on the Windows Autorun feature. In Mexico, SillyFDC is #1, followed by Gammima.AG (which steals online game credentials). Mexico is 9th in the world for malicious code activity and #1 in Brazil.
With the recent Microsoft patch that disables Autorun for removable drives, we will see next year whether this has any effect on Sality's dominance. Ramnit is a virus that also propagates through removable USB drives, so it may be affected by the Autorun patch as well. Estimates are that Downadup (Conficker) was on as many as 5 million PCs by the end of 2010 despite the availability of patches. In Mexico, worms (49%) and Trojans (39%) are the most prevalent types of malware, approximately 5% higher than in other countries within Latin America.
Messaging: A significant number of this year's top malicious code samples propagate through removable media such as USB drives and through file sharing. This demonstrates the need for an adequate policy and defense strategy for these vectors in addition to more traditional vectors like email attachments and, more recently, web-based attacks.
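What Sality, Ramnit and SillyFDC actually drop on a USB stick is an autorun.inf whose directives make Explorer run (or make the user run) a hidden executable, often while impersonating the drive's own "Open folder to view files" action. The example below triages such a file. It is an added example written for this page, not Symantec's detection logic; both autorun.inf samples are constructed (the RECYCLER path is invented, not a real worm's), and the directives it flags are the generic ones the Autorun mechanism honours, so it generalizes beyond the three families named above.

```python
"""Triage an autorun.inf found on removable media for the directives that
USB-propagating malware relies on.  Added example; both samples below are
constructed, not real malware artefacts."""
import re

EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")
EXEC_KEYS = {"open", "shellexecute"}                      # run on insert / double-click
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")       # shell\<verb>\command=...
HIDDEN_DIRS = ("recycler", "$recycle.bin", "system volume information")

def parse_autorun(text):
    """Return {key: value} for the [autorun] section; keys are lower-cased."""
    directives, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            directives[key.strip().lower()] = value.strip()
    return directives

def assess_autorun(text):
    """List the reasons this autorun.inf looks like a worm dropper (empty if none)."""
    findings = []
    for key, value in parse_autorun(text).items():
        target = value.strip('"').lower()
        if key in EXEC_KEYS or SHELL_CMD.match(key):
            if target.endswith(EXEC_EXT):
                findings.append(f"'{key}' launches an executable: {value}")
            if target.startswith(HIDDEN_DIRS):
                findings.append(f"'{key}' points into a hidden system folder: {value}")
        elif key == "action" and "open folder" in target:
            findings.append("'action' text spoofs Explorer's 'Open folder to view files' choice")
        elif key == "icon" and "shell32.dll" in target:
            findings.append("'icon' borrows a stock folder/drive icon from shell32.dll")
    return findings

# Constructed samples (not real malware): a worm-style file and a benign product CD.
MALICIOUS = r"""[autorun]
open=RECYCLER\x\update.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
shell\open=Open
shell\open\command=RECYCLER\x\update.exe
shell\explore\command=RECYCLER\x\update.exe
action=Open folder to view files
"""
BENIGN = r"""[autorun]
icon=setup.ico
label=Product CD
"""

if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(name, assess_autorun(sample) or "no findings")
```

This complements, rather than replaces, disabling Autorun for removable media (the Microsoft update the slide refers to, or policy-setting NoDriveTypeAutoRun): the parser tells you that a stick was seeded by a worm even on hosts where the directives can no longer fire.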
22
Malicious Code Trends: Threats to confidential information
64% of potential infections by the top 50 malicious code samples were threats to confidential information. Malicious code that allows remote access accounted for 92% of threats to confidential information in 2010, up from 85%.
Remote access has been the most prominent threat to confidential information for some time, likely because of the convenience and versatility it provides attackers. In Mexico, 68% of all malicious code is spread through file sharing, 29% via CIFS and 29% via remotely exploitable vulnerabilities. Exporting user data and logging keystrokes are effective means for attackers to harvest sensitive financial information, online banking or other account credentials, and other confidential information. The increase in threats to confidential information is another sign that financial motivation is the primary driver behind the development of malicious code.
Messaging: Threats to confidential information are a key part of the underground economy. These, along with phishing attacks and data breaches, are the primary means through which attackers achieve financial gain.
23
Fraud Activity Trends: Phishing categories
Banks were spoofed by 56% of phishing attacks. Many email-based fraud attempts referred to major events in 2010.
Phishing URLs spoofing banks attempt to steal a wide variety of information that can be used for identity theft and fraud: names, government-issued identification numbers, bank account information and credit card numbers. Mexico has 16% of Latin America's phishing hosts but only approximately 1% of the world's phishing hosts. Phishing schemes also continue to use major events like the Haiti earthquake and the FIFA World Cup to lure users.
Messaging: The continued dominance of phishing against financial institutions and the retail sector shows that attackers are likely still seeing success with this tactic. The quick monetary payout from these sectors keeps it lucrative, and this is unlikely to change significantly in the near future.
24
Fraud Activity Trends: Underground economy servers
Credit card information and bank account credentials continue to be the top two advertised items by a large margin. Bulk rates for credit cards range from 10 cards for $17 up to lots of cards for $300. Location affects credit card prices but not bank credentials.
As with phishing attacks, the goods cybercriminals sell on the underground economy are those that provide the fastest financial gain, as evidenced by the continued high rankings of credit cards and online banking credentials. Credit card information can be stolen anywhere: phishing schemes, compromises of financial institutions, keystroke loggers and physical skimmers. Supply and demand is the main driver behind credit card prices; US cards are advertised at the lowest prices, while cards from Asia, South America and some European countries command higher prices. Advertised balances of bank accounts for sale ranged widely, from $400 to $1.5 million. While the top end may be a false advertisement, there are enough accounts with balances in the thousands of dollars to indicate that they may be small and medium-sized business accounts. Attack toolkits saw a significant increase in advertisements, likely due to the increased availability of these kits as well as their increasingly advanced nature.
Messaging: The tools to commit cybercrime, as well as its spoils, are readily available to those searching for them. Increased advertising for attack kits shows that cybercriminals are profiting not just from the results of compromises but also from the tools used to achieve them. This emphasizes what we have been saying about the underground economy being a constantly evolving, self-sustaining ecosystem.
25
Fraud Activity Trends: Spam by category
Approximately three quarters of all spam in 2010 was related to pharmaceutical products. Symantec estimates that 95.5 billion spam emails were sent globally each day in 2010.
Most pharmaceutical spam was related to "Canadian Pharmacy" websites and related brands, and was sent primarily by Rustock, Grum, Cutwail and Donbot. Because these botnets were associated with the Spamit affiliate program, the level of pharmaceutical spam dropped temporarily when Spamit closed, but resumed shortly afterwards. Where some of the categories above represent just 0.5 percent of spam, that still equates to almost 500 million spam emails in a single day. Spam related to unsolicited newsletters, sex/dating, casino/gambling, job scams and software all increased; sex/dating spam primarily originates from Cutwail and Mega-D. The total amount of global spam in circulation decreased toward the end of 2010, with a number of major botnets reducing their output; a major reason is likely the shutdown of the Spamit affiliate program in the fall of 2010. Mexico accounts for 3% of the region's spam zombies and 5% of its spam overall (approximately 1% worldwide). Rustock's increased throughput was related to a decrease in its use of TLS (Transport Layer Security) encryption, possibly done to maintain message capacity while the size of the botnet contracted. Rustock, Grum and Mega-D all saw decreases in the number of bots, likely due to the Spamit shutdown, but Cutwail and Maazben increased. The largest single source of botnet spam from one country was India, which accounted for 8 percent of global botnet spam, followed by the US, Russia and Brazil.
Messaging: As in the past, shutdowns of spam-friendly ISPs have had only temporary effects on spam volumes and on the number of bots in some botnets. Unfortunately, botnets resurface on different IP addresses, or other botnets rise to fill the void.
Messaging: Spam is created in a variety of different styles and complexities. Some spam is plain text with a URL; some is cluttered with images and/or attachments; some comes with very little text, perhaps only a URL. All of these techniques are used to evade simple spam filters, showing the need for more advanced solutions.
26
Best Practices for Protection
We have covered the five key trends we observed in 2010 (in our main report) and highlighted some of the key findings from the appendices of the ISTR.
27
Defenses Against Targeted Attacks
Advanced Reputation Security: detect and block new and unknown threats based on reputation and ranking
Host Intrusion Prevention: implement host lock-down as a means of hardening against malware infiltration
Removable Media Device Control: restrict removable devices and functions to prevent malware infection
Email and Web Gateway Filtering: scan and monitor inbound/outbound email and web traffic and block accordingly
Data Loss Prevention: discover data spills of confidential information that are targeted by attackers
Encryption: create and enforce security policy so that all confidential information is encrypted
Network Threat and Vulnerability Monitoring: monitor for network intrusions, propagation attempts and other suspicious traffic patterns
Security Awareness Training: ensure employees become the first line of defense
This is not the place to pitch Symantec products, but it is an opportunity to talk about the types of solutions organizations need to have in place to defend against targeted attacks. These "Defenses" slides are meant to open a broader conversation with customers. Symantec products that tie to the solution areas:
Symantec Endpoint Protection 12: Insight reputation-based security technology; up-to-date signatures against the IE zero-day exploit via IPS and protection against Hydraq via antivirus; device control capabilities.
Symantec Critical System Protection: this HIPS system is extraordinarily powerful in defending key repositories of intellectual property against attack.
Symantec Web Security and Symantec Brightmail Gateway: potentially infected files are scanned for infection and blocked accordingly.
Symantec Data Loss Prevention: DLP is highly effective at cleaning up "data spills" left in place by well-meaning insiders, which are a frequent target of hackers.
Symantec.cloud (MessageLabs): SaaS infrastructure implements disinfection and novel defenses against PDF/XLS-borne attacks.
Symantec Managed Services: Symantec DeepSight Early Warning Services (actionable intelligence on the changing nature of the threat landscape) and Symantec Managed Security Services (a deep bench of analysts watching for incursions throughout your infrastructure).
28
Defenses Against Hide and Seek (Zero-Days & Rootkits)
• Advanced Reputation Security: Detect and block new and unknown threats based on reputation and ranking
• Security Incident and Event Management: Detect and correlate suspicious patterns of behavior
• Network Threat and Vulnerability Monitoring: Leverage external services to monitor and correlate security events
• Vulnerability Assessment: Ensure network devices, OS, databases and web application systems are properly configured; determine whether or not a vulnerability is truly exploitable
• Host Intrusion Prevention: Implement host lock-down as a means of hardening against malware infiltration

This is not the place to pitch Symantec products, but it is an opportunity to talk about the types of solutions organizations need to have in place to defend against rootkits and zero-days. These “Defenses” slides are meant to open broader conversations with customers. These are the Symantec products that tie to the solution areas:
• Symantec Endpoint Protection 12 – Insight reputation-based security technology. Up-to-date signatures against IE 0-day exploits via IPS
• Symantec™ Security Information Manager – Highly effective means to find correlations of network activity indicating probes/attacks into internal systems
• Symantec™ Managed Services
  • Symantec DeepSight™ Early Warning Services – Actionable intelligence on the changing nature of the threat landscape
  • Symantec™ Managed Security Services – Deep bench of analysts watching for incursion throughout your infrastructure
• Control Compliance Suite (CCS) Vulnerability Manager – CCS Vulnerability Manager (VM) provides end-to-end vulnerability assessments of network devices, OS, databases, web applications and Supervisory Control and Data Acquisition (SCADA) systems. CCS VM also features a vulnerability risk-scoring algorithm which delivers insight into whether or not a vulnerability is truly exploitable, so that remediation efforts can be prioritized accordingly.
• Symantec™ Critical System Protection – This HIPS system is extraordinarily powerful in defending against attacks on key repositories of Intellectual Property.
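The "detect and correlate suspicious patterns of behavior" item above is what a SIEM does at its core: it joins events from separate sources on shared keys (host, user, source address) inside a time window. The block below is an added example, not Symantec code and not part of the original deck; the log format, host names and addresses are constructed for illustration. It chains two rules: a burst of failed logins followed by a success, and, shortly afterwards, an outbound connection from the same host to a non-private address on an unusual port.

```python
"""SIEM-style correlation of auth failures, a later success, and outbound traffic.

Constructed example, not Symantec code: the log format, hosts and addresses
below are invented for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events from two sources (host auth log and firewall).
SAMPLE_LOG = """\
2011-06-01T09:00:01 auth host=ws17 user=alice src=10.0.5.23 result=fail
2011-06-01T09:00:04 auth host=ws17 user=alice src=10.0.5.23 result=fail
2011-06-01T09:00:07 auth host=ws17 user=alice src=10.0.5.23 result=fail
2011-06-01T09:00:09 auth host=ws17 user=alice src=10.0.5.23 result=fail
2011-06-01T09:00:12 auth host=ws17 user=alice src=10.0.5.23 result=fail
2011-06-01T09:00:15 auth host=ws17 user=alice src=10.0.5.23 result=success
2011-06-01T09:02:40 fw host=ws17 dst=203.0.113.9 dport=4444 action=allow
2011-06-01T09:30:00 auth host=db01 user=bob src=10.0.7.8 result=fail
2011-06-01T09:30:20 auth host=db01 user=bob src=10.0.7.8 result=success
2011-06-01T10:00:00 fw host=db01 dst=198.51.100.20 dport=443 action=allow
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>auth|fw) (?P<body>.*)$")


@dataclass
class Event:
    ts: datetime
    kind: str
    fields: dict


def parse_events(text):
    """Parse key=value events; lines that do not match the expected shape are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("body").split())
        events.append(Event(datetime.fromisoformat(m.group("ts")), m.group("kind"), fields))
    events.sort(key=lambda e: e.ts)  # the correlation below assumes time order
    return events


def is_private(ip):
    """RFC 1918 check, so only traffic leaving the internal ranges is considered."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def correlate(text, fail_threshold=5, window=timedelta(seconds=60),
              followup=timedelta(minutes=10), common_ports=(80, 443)):
    """Two chained rules over the event stream.

    Rule 1: >= fail_threshold failures for the same (host, user, src) inside
            `window`, followed by a success -> "brute-force-success".
    Rule 2: within `followup` of such a success, the same host opens an outbound
            connection to a non-private address on an unusual port
            -> "possible-compromise".
    """
    alerts = []
    recent_fails = defaultdict(list)  # (host, user, src) -> failure timestamps
    suspect_hosts = {}                # host -> time of the brute-force success
    for ev in parse_events(text):
        if ev.kind == "auth":
            key = (ev.fields["host"], ev.fields["user"], ev.fields["src"])
            fails = recent_fails[key]
            fails[:] = [t for t in fails if ev.ts - t <= window]  # slide the window
            if ev.fields["result"] == "fail":
                fails.append(ev.ts)
            elif ev.fields["result"] == "success" and len(fails) >= fail_threshold:
                alerts.append({"rule": "brute-force-success", "host": key[0],
                               "user": key[1], "src": key[2], "at": ev.ts.isoformat()})
                suspect_hosts[key[0]] = ev.ts
                fails.clear()
        elif ev.kind == "fw":
            host = ev.fields["host"]
            since = suspect_hosts.get(host)
            if since is None or ev.ts - since > followup:
                continue
            dport = int(ev.fields["dport"])
            if not is_private(ev.fields["dst"]) and dport not in common_ports:
                alerts.append({"rule": "possible-compromise", "host": host,
                               "dst": ev.fields["dst"], "dport": dport, "at": ev.ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

On the constructed input only ws17 trips both rules; db01 shows one failure and a success, which a single-source threshold rule would also ignore, and its outbound HTTPS connection is never considered because the host was never flagged. The threshold, window and port list are the tuning knobs an analyst would adjust against real volumes.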
29
Defenses Against Social Engineering
• Web Gateway Security: Scans all potentially malicious downloads regardless of how the download is initiated; prevents users from being redirected to malicious websites
• Data Loss Prevention: Discover concentrations of confidential information downloaded to an employee’s PC
• Network and Host Based Intrusion Prevention: Monitor and protect critical systems from exploitation; protect against misleading applications like fake antivirus; prevent drive-by download web attacks
• Strong Authentication: Two-factor authentication to protect against socially engineered password theft
• Security Awareness Training: Ensure employees become the first line of defense

This is not the place to pitch Symantec products, but it is an opportunity to talk about the types of solutions organizations need to have in place to defend against rootkits and zero-days. These “Defenses” slides are meant to open broader conversations with customers. These are the Symantec products that tie to the solution areas:
• Symantec Web Gateway Security – Scans all potentially malicious downloads regardless of how the download is initiated; prevents users from being cross-site scripted to IP addresses that contain malicious code
• Data Loss Prevention – Monitor sensitive data from leaving via , IM, Web, and FTP; blocks files transferred over , IM, HTTP/HTTPS or FTP; discover concentrations of confidential information downloaded to an employee’s PC
• Symantec Endpoint Protection – Network Intrusion Prevention protects against multiple types of threat categories, including web attacks, fake app attacks and protection against unpatched vulnerabilities.
• Symantec™ Critical System Protection – This HIPS system is extraordinarily powerful in defending against attacks on key repositories of Intellectual Property.
• VeriSign Identity Protection (VIP) Authentication Service – A cloud-based authentication service that protects enterprises from unauthorized account access above and beyond a simple username and password with an additional factor of authentication. VIP Authentication Service is a cloud-based second-factor authentication (2FA) service. It is based on open standards, offers a wide choice of credentials, and can easily integrate into enterprise applications and infrastructure. Through its innovative cloud-based delivery model and breadth of credential options, VIP offers significant cost and time savings over typical 2FA solutions.
• Security Awareness Training – Give employees the knowledge and understanding they need to better protect valuable information assets
30
Defenses Against Mobile Threats
• Device Management: Remotely wipe devices in case of theft or loss; update devices with applications as needed without physical access; get visibility and control of devices, users and applications
• Device Security: Guard mobile devices against malware and spam; prevent the device from becoming a vulnerability
• Content Security: Identify confidential data on mobile devices; encrypt mobile devices to prevent lost devices from turning into lost confidential data
• Identity and Access: Strong authentication and authorization for access to enterprise applications and resources; allow access to the right resources from the right devices with the right postures

This is not the place to pitch Symantec products, but it is an opportunity to talk about the types of solutions organizations need to have in place to defend against rootkits and zero-days. These “Defenses” slides are meant to open broader conversations with customers. These are the Symantec products that tie to the solution areas:
• Symantec Mobile Management – Addresses:
  • Device Security: Guard the device against malware and spam; prevent the device from becoming a vulnerability
  • Content Security: Identify confidential data on mobile devices; encrypt mobile devices to prevent lost devices from turning into lost confidential data
  • Device Management: Be able to remotely wipe devices in case of theft or loss; update devices with applications as needed without physical access; get visibility and control of devices, users and applications
  • Identity and Access: Authentication and authorization for access to enterprise applications and resources; allow access to the right resources from the right devices with the right postures
31
Determine Your Level of Security
Symantec offers security assessments to reveal gaps in protection:
• Assessment Services: Data Loss Risk Assessment; Vulnerability Assessment; Malicious Activity Assessment; Targeted Attack Assessment
• Security Advisory Services: PCI Assessments; Security Program Assessments

Objective for slide: Close for a follow-up with the customer, using these assessments as opportunities to uncover potential risks. Symantec has a number of assessments and advisory services available to help your organization determine where you could be at risk. Four of these are free assessments:

(1) Data Loss Risk Assessment. Many organizations have little visibility into where their confidential data is stored on the network, control over where that data is going, or what to do once they find it. A Symantec™ Data Loss Prevention Risk Assessment answers those questions. In a typical Data Loss Prevention Risk Assessment, Symantec helps create and implement data security policies to discover and monitor confidential data in a segment of your shared file systems and network, all without interfering with your current operations. Symantec™ Data Loss Prevention Network Monitor will inspect all network communications for confidential data sent in violation of data security policy. Symantec™ Data Loss Prevention Network Discover will find confidential data wherever it is stored, including file servers, databases, document repositories, and web sites. Following the monitoring and discovery phase, our team gathers with the key decision makers and information owners from your organization for a one-hour executive-level meeting to review the results of the project. In addition, Symantec will build an overall business case for investing in Data Loss Prevention solutions with preliminary best-practice recommendations.

(2) Control Compliance Suite Vulnerability Assessment will identify threats you may have missed in your environment. In just one day, using actual data from your environment, you will see where your existing vulnerability programs are working and where you are still exposed. Other IT professionals have taken advantage of this offer and have found:
• Flaws in custom-built applications that could lead to SQL injection attacks
• Client-side vulnerabilities that could allow an attacker to take control of a system
• Systems missing critical patches, leaving them exposed to a buffer overflow attack and remote code execution
• Rogue devices on their network that were not hardened

(3) Malicious Activity Assessment. The Symantec Malicious Activity Assessment enables you to automatically collect, analyze, and draw conclusions on malicious activities that are happening in your environment right now. Through a quick, no-charge, 3-day engagement, Symantec can provide you a quick way to assess how well your security strategies are meeting your goals. By aggregating and correlating a limited scope of your security source data, you can gain immediate insight into malicious traffic, suspected bot activity and endpoint threats. The Malicious Activity Assessment is delivered with the Symantec™ Security Information Manager (SIM) framework. Security Information Manager will provide a unique and compelling view into previously unknown malicious activities and offer an objective assessment of how to improve your overall security posture.

(4) Targeted Attack Assessment. The Symantec Targeted Attack Assessment uses our expertise in reputation-based security to discover evidence of infection in a way nobody else can. Symantec’s reputation-based security system leverages the anonymous software usage patterns of over 75 million participating customers to automatically compute safety ratings for every software file in the world, both good and bad. You tell us which systems you want us to scan, and we will compare them against our database of software files to find any evidence of infection. If we find any suspicious files, we will start working with you immediately to isolate and fix the problem. Consider the peace of mind that a Symantec Targeted Attack Assessment will afford you.

Security Advisory Services (paid-for services in NAM only; please engage Clint Sand’s team if a customer is interested). There are three focus areas for security advisory services, as outlined below.
• Application Security Services: Application Penetration Assessment; Application Code Review; Application Architecture Review
• Network Security Services: Network Vulnerability Assessment; Network Penetration Assessment; Wireless Network Security Assessment; Network Architecture Review
• Operational Security Services: Security Policy Assessment; Third Party / Vendor Risk Assessment; Host/Device Security Assessment
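Both the Data Loss Prevention item on the social-engineering slide ("discover concentrations of confidential information downloaded to an employee's PC") and the Network Discover step of the Data Loss Risk Assessment above come down to the same mechanism: scan stored documents for identifiers that match a policy, validate the matches so that random digit runs do not count, and report where they cluster. The block below is an added example, not Symantec code and not the product's policy engine; the file paths and contents are constructed, and the two detectors (Luhn-validated card numbers and plausibility-checked US SSNs) stand in for a real policy set.

```python
"""DLP-style discovery scan for concentrations of confidential data.

Constructed example, not Symantec code: the file contents and paths below are
invented, and the detectors (Luhn-validated card numbers, plausible US SSNs)
are a minimal stand-in for a product's policy engine.
"""
import os
import re

# Constructed sample "files" (path -> content) standing in for a file share or an employee's PC.
SAMPLE_FILES = {
    "C:/Users/alice/Desktop/customers_export.csv": "\n".join([
        "name,card,ssn",
        "A. Smith,4111 1111 1111 1111,123-45-6789",
        "B. Jones,5500-0000-0000-0004,321-54-9876",
        "C. Lee,4111111111111112,000-00-0000",  # card fails Luhn; SSN area 000 is never issued
    ]),
    "C:/Users/alice/Documents/notes.txt": "Call vendor re: invoice 4111111111111111 by Friday.",
    "C:/Users/alice/Documents/readme.txt": "Nothing sensitive here; order id 12345678901234.",
}

CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")  # 13-16 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits):
    """Luhn checksum (ISO/IEC 7812); filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(ssn):
    """Reject area/group/serial values the SSA never issues (000, 666, 900+; 00; 0000)."""
    area, group, serial = ssn.split("-")
    return area not in ("000", "666") and area < "900" and group != "00" and serial != "0000"


def scan_text(text):
    """Count validated identifiers in one document."""
    cards = sum(1 for m in CARD_RE.finditer(text) if luhn_ok(re.sub(r"\D", "", m.group())))
    ssns = sum(1 for m in SSN_RE.finditer(text) if ssn_plausible(m.group()))
    return {"card": cards, "ssn": ssns}


def find_concentrations(files, threshold=2):
    """Return (path, counts) for documents holding at least `threshold` identifiers, worst first."""
    hits = []
    for path, text in files.items():
        counts = scan_text(text)
        if sum(counts.values()) >= threshold:
            hits.append((path, counts))
    hits.sort(key=lambda item: -sum(item[1].values()))
    return hits


def load_directory(root):
    """Read text files under `root` into the same path -> content shape as SAMPLE_FILES."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                files[path] = fh.read()
    return files


if __name__ == "__main__":
    for path, counts in find_concentrations(SAMPLE_FILES):
        print(path, counts)
```

The validation step is what separates a useful discovery report from noise: the 14-digit order id in readme.txt and the mistyped card in the export both match the pattern but fail the Luhn check, and the 000-00-0000 placeholder fails the SSN rule, so only the customer export is reported as a concentration at the default threshold. To run it against a real directory, pass `load_directory(path)` to `find_concentrations`.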
32
Stay Informed: Additional Resources
• Build Your Own ISTR: go.symantec.com/istr
• Daily measure of global cybercrime risks: nortoncybercrimeindex.com
• Stay abreast of the latest threats: Twitter.com/threatintel

Symantec has many resources for you to stay on top of the security threat landscape; here are a few of the best tools we have:
• Build Your Own ISTR (go.symantec.com/istr): This year, Symantec is offering its annual report on the Internet threat landscape in a whole new way. With the online “Build Your Report” tool, you can create your own custom version of the Internet Security Threat Report by selecting only those topic areas in which you are most interested. You can then print your custom report or share it on social networking sites like Twitter and Facebook. This online tool contains data from the 4 appendices that we used to include in the full ISTR in past years. It also contains regional data for EMEA and LAM as well as best practices.
• Norton Cybercrime Index: This is a tool produced by the Norton consumer team. It is a daily measure of cybercrime risks globally and is available online at nortoncybercrimeindex.com.
• Threat Intel Twitter Feed: These are updates from our Security Response analysts around the globe; subscribing to this feed will keep you informed about the latest threats and trends that Symantec is seeing across its Global Intelligence Network.
33
Tiffany Jones Tiffany_jones@symantec.com