Introduction
IT security has always been a concern for businesses. For a long time security meant preparing
for a massive attack, like a Trojan Horse or a virus. It wasn't all that long ago that only the largest
of companies had to worry about falling prey to sophisticated cyber attacks. This is no longer the
case. According to the January 2014 Symantec Intelligence Report, attacks were fairly evenly split
among organizations of all sizes and industries.
Large-scale mass attacks are still prevalent and continue to grow more cunning, but the days when
those were the only threats to worry about look simple and straightforward compared to today's
landscape.
Targeted attacks and advanced persistent threats are distinct threat types, and each requires its
own protection capabilities to be deployed if an enterprise is to truly protect its entire
infrastructure.
To prevent attacks organizations need a security strategy in place to deflect both mass malware
and targeted attacks. A targeted attack is, as its name implies, one that is aimed at a specific user,
company or organization. These attacks are not widespread like a virus or worm, but rather are
designed to attack and breach a specific target, with the ultimate goal of collecting various types of
data.
To truly protect themselves from a targeted attack, businesses must change their view of security
from top to bottom. From strategic planning to implementation, organizations must stop believing
endpoint antivirus and firewalls are enough and instead think in terms of proactive, multi-layered
protection. An effective layered approach protects all vulnerable areas.
This typically includes signature-based protection as well as the security intelligence to provide
contextual awareness and adaptive monitoring across three key vulnerable (and often valuable)
areas:
Endpoints
Gateways
Data center
A sub-par protection plan opens the door to infections and creates significant costs, whether measurable
in dollars or in something less tangible, like employee morale. A breach in your security will often
result in lost or compromised data, expensive equipment replacement, lost productivity and loss of
customer confidence. It also means reallocated resources, time spent backtracking, and ultimately lost
revenue. There is both a short-term and a long-term impact.
A security breach at any of those points will have a significant negative impact. In fact, even an infection
that hasn't reached the level of a breach can impact productivity as it too will soak up IT resources and
add real costs to your business.
"servers" are virtual as well as physical. Without protection for all of these server types, the data
center continues to be potentially at risk.
The techniques used against servers today range from sophisticated penetration techniques to
unintentional configuration mistakes by admins. Cybercriminals frequently target servers during the
incursion, discovery, and capture phases of a data breach.
Traditional protection technologies and policies, such as antivirus or patch management, remain an
important layer of defense but are often not up to the task of securing today's data center on their
own. Today's threat landscape warrants augmenting them with real-time, proactive security that
addresses the confidentiality, integrity, and availability requirements of each system.
A note of caution - while it may seem tempting and cost effective to bypass protecting gateways and
endpoints, and instead put all of your security dollars into building a fortress around the data center, it
is far from the most effective course of action. As important as it is to protect your assets directly, it is
equally important to prevent targeted attacks from penetrating at all. No single layer of security can
accomplish that on its own.
There is no denying endpoint protection is critical, and organizations are wise to ensure it is part of
their security arsenal. Endpoint security is becoming a more common IT security function and concern
as more employees bring their own mobile devices to work and companies allow their mobile workforce
to use these devices on the corporate network.
Without some sort of endpoint security, there would be no protection in place for the corporate network
when accessed via remote devices, such as laptops or other wireless and mobile devices. Each
device with a remote connection to the network creates a potential entry point for security threats.
Endpoint security is designed to secure each endpoint on the network created by these devices. The
increase in employee-owned devices multiplies these potential entry points. A
typical endpoint security configuration consists of security software (e.g., antivirus, antispyware and
firewall protection) located on a centrally managed and accessible server or gateway within the
network, along with client software installed on each of the endpoints (or devices). The latter becomes
an increasingly complex endeavor as employees circumvent policies and access the network from
potentially unsecured devices.
Thus, as comprehensive as endpoint protection seems, it is important to bear in mind that, given the
nature of today's threats, endpoint protection alone is often not enough. It is important to also secure
the gateways as well as the data center itself.
Web protection is but one type of gateway protection. For web protection to truly be effective, you
must secure email as well. Gateway protection secures the nodes on a network that serve as an entrance
to another network; the system that routes traffic from a workstation to the outside network serving
the web pages is performing a gateway function. In the past, a proxy server sufficed, but with the
growing variety of web-borne malware, that is no longer enough. True web protection is able to identify
new threats before they cause disruption in your organization.
However, focusing purely on the gateway is not enough. Whitelisting, blacklisting, URL filtering and
so on are helpful and necessary, but it is important to bear in mind that the web is a pass-through
point and attackers are increasingly cagey. Spyware and other easily downloaded malware can quickly
penetrate your network if not caught. It is also important to have a web gateway solution that is able to
scan all outbound communications, as this can provide an early warning of a malware infection in
progress.
In addition, no matter how well you protect your web servers and other web-based access points,
they are not the endpoints, and the data center itself must also be protected, both to stop a targeted
attack from striking and, should it get in, to stop it from doing damage.
Email protection is considered one type of gateway protection. For email protection to truly be
effective, you must secure web connections as well. Email has always been an easy gateway for
hackers. First it was merely the annoyance of spam that had to be dealt with. The biggest problem
with spam was its impact on productivity and bandwidth. Today, the security threats that come in via
messaging are far more nefarious. Security threats take the form of spoofed addresses and phishing,
malware infected files such as PDF or Office documents, embedded URLs and more.
Having protection in place to ensure a targeted attack does not enter your network via a gateway,
whether email or a web connection, is imperative. The gateway is but one component, however, and it
is a mistake to overlook the endpoint and the data center itself.
residence on a system. While endpoint security software differs by vendor, you can expect most
offerings to provide antivirus, antispyware, a firewall and a host intrusion prevention system, all
of which aim to stop malware before it can run. Ideally, endpoint protection should go beyond
antivirus and offer layered protection at the endpoint.
Stopping malware before it reaches gateways or the data center is certainly preferable to identifying a
compromise that has already taken place. However, while a good endpoint security package can
handily protect endpoints, endpoints are not the only IT assets vulnerable to a targeted attack, nor is
even the most inclusive security package immune to ever-evolving threats. Endpoint security, as
important and effective as it is, is but one component of a comprehensive and layered security
strategy.
There's no escaping the web. Both having a web presence and using the web for daily operations are
necessary components of an effective business strategy.
The web, as well as email, is a gateway into the corporate network, and therefore a natural conduit
for a targeted attack aimed at the organization's servers. Protecting this gateway from the many types
of constantly mutating web-borne malware is critical. The most popular way to do this is URL filtering:
a URL-filtering solution blocks undesirable URLs to prevent employees from visiting sites known to be
malicious as well as sites that violate company policy.
Unfortunately, this is not enough for the current threat landscape. Rather than relying on what has
already been proven to be malicious, a proactive approach is more effective. An ounce of prevention
always goes further than a pound of cure.
A predictive approach based on context (e.g., the age, frequency or location of what is being
downloaded) better exposes threats that would otherwise be missed, and a shared pool of knowledge
about potential threats is another useful indicator. Ideally, the security tools in place at the web
gateway will identify and block new and unknown malware, stopping it before it reaches an endpoint
or finds its way into the data center.
Oftentimes, however, these tools are more valuable when they are not stand-alone: the ability to
pass knowledge and techniques from one protection layer to another increases the odds of stopping
a targeted attack in its tracks. In addition, being able to scan all outbound web traffic can help
provide an early warning of infections on unmanaged or unprotected endpoints.
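As an added illustration of the outbound-scanning point made in the web gateway discussion earlier and again here (this is example code written for this edit, not Symantec's or any product's code), the script below looks for "beaconing" in web-proxy logs: a client that calls the same host at near-constant intervals, which is how much malware checks in with its controller. The log lines, hostnames and IP addresses are constructed for the example, and the thresholds (at least five requests, gap jitter of 10 percent or less) are assumptions to tune for a real environment.

```python
"""Added example (not Symantec code): find beaconing in outbound proxy logs.

Malware checking in with its controller tends to call the same host at
near-constant intervals; no signature is needed to notice that.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "<ISO timestamp> <client_ip> <destination host> <bytes out>"
SAMPLE_LOG = """\
2014-03-01T09:00:00 10.1.1.5 cdn.example-news.test 512
2014-03-01T09:00:04 10.1.1.5 cdn.example-news.test 1310
2014-03-01T09:00:00 10.1.1.9 update.evil-c2.test 200
2014-03-01T09:05:00 10.1.1.9 update.evil-c2.test 201
2014-03-01T09:10:01 10.1.1.9 update.evil-c2.test 199
2014-03-01T09:15:00 10.1.1.9 update.evil-c2.test 200
2014-03-01T09:20:00 10.1.1.9 update.evil-c2.test 202
2014-03-01T09:25:00 10.1.1.9 update.evil-c2.test 200
2014-03-01T09:01:12 10.1.1.5 mail.example-corp.test 4096
2014-03-01T09:17:45 10.1.1.5 mail.example-corp.test 7100
2014-03-01T09:31:02 10.1.1.5 mail.example-corp.test 1024
"""


def parse_log(text):
    """Return (client, host, timestamp, bytes_out) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            records.append((parts[1], parts[2], datetime.fromisoformat(parts[0]), int(parts[3])))
        except ValueError:
            continue
    return records


def find_beacons(records, min_hits=5, max_jitter=0.10):
    """Flag (client, host) pairs whose request gaps are regular.

    min_hits and max_jitter are assumed thresholds: a pair needs at least
    min_hits requests, and the coefficient of variation of the gaps between
    consecutive requests (stdev / mean) must be at or below max_jitter.
    Returns a list of (client, host, mean_gap_seconds, mean_bytes_out).
    """
    by_pair = defaultdict(list)
    for client, host, ts, size in records:
        by_pair[(client, host)].append((ts, size))

    beacons = []
    for (client, host), hits in by_pair.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        mean_gap = mean(gaps)
        if mean_gap <= 0:          # all requests share one timestamp; not a periodic pattern
            continue
        if pstdev(gaps) / mean_gap <= max_jitter:
            beacons.append((client, host, mean_gap, mean(s for _, s in hits)))
    return beacons


if __name__ == "__main__":
    for client, host, gap, size in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{client} -> {host}: every {gap:.0f}s, ~{size:.0f} bytes per request")
```

Run against a real proxy export, the line format in parse_log() is the first thing to adapt. The point is that no signature is involved: the regularity of the traffic itself is the indicator, so this catches an infection on an endpoint the endpoint agent never reached, which is exactly the early warning the text describes.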
Love it or hate it, email is a vital component of any organization's communications strategy. Email is
used for both internal and external communications. For external communications in particular, it is
often the easiest way to transmit files in any format.
In the early days of email, bandwidth-hogging and time-consuming spam was an organization's
biggest worry. Today, antispam is the tip of the iceberg. Email is a gateway into the corporate network.
The ease with which a file can be attached to an email and transmitted throughout the organization
makes it an easy conduit for a targeted attack. An infected attachment or an embedded link to a
nefarious site can do a great deal of damage in a very brief amount of time.
Thus, in addition to focusing on spam, which brings with it its own set of challenges, security software
for the messaging gateway should ensure that the attachments are clean and malicious URLs are
removed. One that can remove potentially malicious active content from documents attached to an
email and send a clean version of the document to the user is even better.
Basic antispam and antivirus functionality should not be overlooked either. Whitelisting/blacklisting and
filtering at the server level all help reduce spam.
To minimize the impact of address spoofing, whether you are its victim or the one passing spoofed
messages on, look for messaging protection that can block links, detect emails carrying malicious or
shortened links, and stop them before they reach a recipient.
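To make the messaging-gateway checks described in this section concrete (spoofed sender addresses, embedded and shortened links, and risky attachments), here is an added example written for this edit; it is not any vendor's product code. It parses a constructed phishing-style message with Python's standard email library and returns its findings. The shortener domain list, the attachment extension list and the .test domains are all assumptions made for the example.

```python
"""Added example (not vendor code): messaging-gateway checks for spoofed
senders, shortened or deceptive links, and risky attachments."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}          # illustrative list
RISKY_ATTACHMENT_EXT = (".docm", ".xlsm", ".pptm", ".exe", ".js", ".vbs", ".scr")

# Constructed message: forged From, shortened link whose text shows another
# domain, and an executable disguised as a PDF (base64 stub is not a real binary).
SAMPLE_EMAIL = """\
Return-Path: <bounce@mailer.attacker-owned.test>
From: "IT Helpdesk" <helpdesk@example-corp.test>
To: user@example-corp.test
Subject: Password expiry
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/html; charset="utf-8"

<p>Your password expires today. <a href="http://bit.ly/3xyz">Reset it at https://sso.example-corp.test</a></p>
--XX
Content-Type: application/octet-stream; name="Invoice.pdf.exe"
Content-Disposition: attachment; filename="Invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--XX--
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _host(url):
    return (urlparse(url).hostname or "").lower()


def inspect_message(raw):
    """Return a sorted list of finding strings; an empty list means nothing was flagged."""
    msg = message_from_string(raw)
    findings = set()
    # 1. Envelope sender domain vs header From domain: a crude spoofing indicator.
    #    A real gateway would also act on SPF/DKIM results, not computed here.
    rp, frm = _domain(msg.get("Return-Path", "")), _domain(msg.get("From", ""))
    if rp and frm and rp != frm:
        findings.add(f"sender_mismatch:{frm}!={rp}")
    for part in msg.walk():
        # 2. Attachments whose extension means active content or an executable.
        fname = part.get_filename()
        if fname and fname.lower().endswith(RISKY_ATTACHMENT_EXT):
            findings.add(f"risky_attachment:{fname}")
        if part.get_content_type() not in ("text/html", "text/plain"):
            continue
        body = part.get_payload(decode=True).decode("utf-8", "replace")
        # 3. Anchors: shortened targets, and link text that names a different host.
        if part.get_content_type() == "text/html":
            ex = _LinkExtractor()
            ex.feed(body)
            for href, text in ex.links:
                if _host(href) in SHORTENERS:
                    findings.add(f"shortened_link:{href}")
                m = re.search(r"https?://([^\s/]+)", text)
                if m and m.group(1).lower() != _host(href):
                    findings.add(f"link_text_mismatch:{text}->{href}")
        # 4. Any bare URL in the text, for plain-text mail and non-anchor links.
        for url in re.findall(r"https?://[^\s\"'<>]+", body):
            if _host(url) in SHORTENERS:
                findings.add(f"shortened_link:{url}")
    return sorted(findings)
```

The sender check compares the envelope Return-Path domain with the header From domain; a production gateway would also consult SPF and DKIM results, which this example does not compute. The shortened link is met twice, once as an anchor and once in the raw text scan, and the set de-duplicates it.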
Bear in mind, however, that email is but one component of the gateway layer of a security strategy. It
is critical to have not just messaging protection in place but also protection for threats that could come
in through the web. In addition, merely protecting gateways is not enough. Enterprises must be sure
to also protect endpoints and the data center itself.
The data center is the Holy Grail for many enterprises. Neglect to protect it or under-protect it, and no
matter how much endpoint security or gateway protection you have in place, it's only a matter of time
before a targeted attack is able to successfully breach the arsenal in place and have access to your
most valuable data, regardless of whether it resides on physical or virtual infrastructure in the data
center.
To stop a targeted attack, IT has historically relied on traditional protection technologies such as
antivirus and whitelisting. To secure today's physical and virtual data centers, this is no longer enough.
Server protection must cover in-depth confidentiality, integrity, and availability requirements of each
system. Oftentimes security must be customized for each server, be it web, file, application, or
database, due to data sensitivity or regulatory constraints.
Granular, policy-based controls are one solution to this. In addition, a combination of host-based
intrusion detection, intrusion prevention, and least privilege access control enables organizations to
proactively safeguard heterogeneous server environments and the information they contain.
needed to protect your endpoints and gateways and ultimately your data center.
You know firsthand that a sub-par protection strategy not only opens the door to more infections but
also creates real costs. A breach in security is serious business. As we noted previously, lost or
compromised data, expensive equipment replacement, lost productivity and loss of customer
confidence have a rippling and crippling impact on the core business, and you are often the one
feeling the pain.
Whether you've been officially tasked with improving security or are frustrated with the current
situation and eager to develop a more secure IT environment, the first step is to assess what is
currently being done. The following questions should be considered:
What does the data center environment look like? Where are your endpoints and gateways?
Only after those questions have been answered, and buy-in and budget from senior management have
been received, is it time to seek out a solution.
Symantec Endpoint Protection combines three technologies: Network Threat Protection, SONAR
and Insight. Collectively, this trio outperforms traditional antivirus protection: Network
Threat Protection, Insight and SONAR caught 51 percent of all of the threats seen by Symantec in
2012.
Symantec Network Threat Protection analyzes incoming data streams via network connections and
blocks threats before they actually hit the system. Network Threat Protection sits inside of browsers
and scans more than 200 protocols to block attacks on vulnerabilities. It also monitors outgoing traffic
to ensure sensitive data stays in.
Symantec Insight uses the collective wisdom of millions of users to help organizations reduce false
positives and determine whether a file being downloaded onto a corporate network is potentially
malicious. Insight weighs factors such as the age, prevalence, and source of an executable file to
provide contextual awareness and score the potential risk of virtually every file.
With Insight, the unique pieces of malware often used in targeted attacks receive a low reputation
score because their prevalence is low. This gives organizations the ability to block a file simply
because Insight has never seen that particular file before.
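As an added example of the reputation approach described above (written for this edit; it is not Symantec Insight's actual algorithm or code), the function below scores a file from the same kinds of context, age, prevalence and source, plus whether it carries a valid signature, and turns the score into an allow, review or block decision. The telemetry table, the hashes, the weights and the thresholds are all constructed for the example.

```python
"""Added example (not Insight's code): a simplified file-reputation score
built from age, prevalence, source and signature, with a policy on top."""
from dataclasses import dataclass


@dataclass
class FileContext:
    sha256: str
    age_days: int          # days since the file was first seen anywhere
    prevalence: int        # distinct machines that have reported this hash
    source_trusted: bool   # downloaded from a known-good site or publisher
    signed: bool           # carries a valid code signature


# Constructed telemetry keyed by hash (placeholder hashes, not real files):
# a long-established, widely installed signed binary; a brand-new one-off
# unsigned binary; and a month-old signed tool seen on a few dozen machines.
TELEMETRY = {
    "a" * 64: FileContext("a" * 64, age_days=900, prevalence=250_000, source_trusted=True, signed=True),
    "b" * 64: FileContext("b" * 64, age_days=0, prevalence=1, source_trusted=False, signed=False),
    "c" * 64: FileContext("c" * 64, age_days=30, prevalence=40, source_trusted=False, signed=True),
}


def reputation_score(ctx):
    """Return 0..100; higher means more trustworthy.

    The weights are assumptions. Prevalence and age dominate on purpose:
    the freshly built, one-per-victim binaries used in targeted attacks
    score low on both no matter how clean they look otherwise.
    """
    score = 0
    if ctx.prevalence >= 10_000:
        score += 40
    elif ctx.prevalence >= 100:
        score += 25
    elif ctx.prevalence >= 10:
        score += 10
    if ctx.age_days >= 365:
        score += 30
    elif ctx.age_days >= 30:
        score += 15
    elif ctx.age_days >= 7:
        score += 5
    if ctx.signed:
        score += 20
    if ctx.source_trusted:
        score += 10
    return min(score, 100)


def verdict(sha256, telemetry=TELEMETRY, block_below=20, review_below=50):
    """Policy decision for a file about to be downloaded or executed.

    A hash that telemetry has never seen has no context at all and is treated
    as the lowest-reputation case, which is the behaviour the text describes.
    Thresholds are assumptions to tune per organization.
    """
    ctx = telemetry.get(sha256)
    if ctx is None:
        return "block", 0
    score = reputation_score(ctx)
    if score < block_below:
        return "block", score
    if score < review_below:
        return "review", score
    return "allow", score
```

The behaviour worth noticing is in the second and fourth cases: a brand-new binary seen on a single machine scores zero even though nothing about it is known to be bad, and a hash the telemetry has never seen is blocked outright. That property is what makes the approach effective against the one-off binaries used in targeted attacks, and it is also why a review path is needed so that legitimate in-house builds are not silently blocked.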
SONAR affords a real-time protection that detects potentially malicious applications when they run on
your computers. SONAR provides "zero-day" protection, detecting threats before traditional virus and
spyware detection definitions have been created to address the threats. SONAR detects the following:
Heuristic threats - applications that behave suspiciously and might be a high risk or low risk. SONAR
also uses reputation data to determine whether the threat is a high risk or low risk.
System changes - applications or files that try to modify DNS settings or the hosts file on a client
computer.
Trusted
Critical System Protection's Least Privilege Access Control restricts user, application and network
access, effectively locking malware out because it is not allowed to run. For organizations that operate
a VMware infrastructure in the data center, Critical System Protection uses VMware's prescribed
policies for virtual server hardening, including vCenter, hypervisors and guest operating systems.
Other functionality in Critical System Protection includes integrity monitoring to identify changes to
files in real time, configuration monitoring, targeted prevention policy and integration with IT GRC and
SIEM solutions.
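The system-change detection attributed to SONAR above (applications that modify DNS settings or the hosts file) and the real-time file integrity monitoring attributed to Critical System Protection can be combined in one check. The example below is written for this edit and is not Symantec code: it hashes the hosts file against a baseline and, when the content has changed, parses both versions and classifies each new or altered entry. The baseline, the altered file, the protected hostnames and the IP addresses are constructed for the example.

```python
"""Added example (not Symantec code): integrity check plus change
classification for the hosts file."""
import hashlib
import ipaddress
import re

# Constructed: hosts file at baseline time, and after a suspect modification
# that redirects the SSO portal and sinkholes an update server.
HOSTS_BASELINE = """\
127.0.0.1   localhost
::1         localhost
10.0.5.20   intranet.example-corp.test
"""
HOSTS_AFTER = """\
127.0.0.1   localhost
::1         localhost
10.0.5.20   intranet.example-corp.test
203.0.113.9 sso.example-corp.test
127.0.0.1   updates.example-av-vendor.test
"""

# Assumed list of names that must never be remapped on a managed host.
PROTECTED_NAMES = {"sso.example-corp.test", "intranet.example-corp.test"}


def sha256_text(text):
    return hashlib.sha256(text.encode()).hexdigest()


def parse_hosts(text):
    """Return {hostname: ip}, ignoring comments, blank and malformed lines."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line)
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            mapping[name.lower()] = str(ip)
    return mapping


def check_hosts(baseline_text, current_text, protected=PROTECTED_NAMES):
    """Return (changed, findings).

    The hash comparison is the integrity-monitoring step. Only when it fails
    are the two versions parsed and compared entry by entry, so a comment-only
    edit reports changed=True with no findings.
    """
    if sha256_text(baseline_text) == sha256_text(current_text):
        return False, []
    before, after = parse_hosts(baseline_text), parse_hosts(current_text)
    findings = []
    for name, ip in after.items():
        if before.get(name) == ip:
            continue
        addr = ipaddress.ip_address(ip)
        if name in protected:
            # Any remap of a protected name is a redirect, whatever the target.
            findings.append(f"redirect:{name}->{ip}")
        elif addr.is_loopback and name != "localhost":
            # Pointing a real name at loopback is how malware blocks updates.
            findings.append(f"sinkhole:{name}->{ip}")
        else:
            findings.append(f"added:{name}->{ip}")
    for name in before:
        if name not in after:
            findings.append(f"removed:{name}")
    return True, findings


if __name__ == "__main__":
    changed, findings = check_hosts(HOSTS_BASELINE, HOSTS_AFTER)
    print("changed:", changed)
    for f in findings:
        print(" ", f)
```

Two edge cases are handled deliberately: a comment-only edit changes the hash but yields no findings, and any change to a name on the protected list is reported as a redirect regardless of the new address, while a non-protected name pointed at loopback is reported as a sinkhole, the classic way malware cuts a machine off from update and antivirus servers. A real-time version would trigger the same function from a file-change notification rather than on demand.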
Conclusion
Keeping the enterprise secure is no easy task, and protecting your organization from unknown threats
is incredibly difficult. Choosing a best-of-breed vendor that offers end-to-end security goes a long
way toward keeping your IT assets safe and preventing a targeted attack from landing a penetrating
hit.
Symantec offers a comprehensive portfolio that provides layered protection around endpoint,
gateways and data center assets. Give Symantec Endpoint Protection a try - download the
trialware version at http://www.symantec.com/offer?a_id=175265.
To learn more about how Symantec's offerings can prevent a targeted attack from impacting your
organization, go to http://www.symantec.com/endpointprotection/?om_ext_cid=biz_US_ad_Quinstreet_EndpointProtection_aid176053 or call 855-2101103 to speak with a Symantec representative