
Stop Targeted Attacks

Before They Stop Your Business

Introduction
IT security has always been a concern for businesses. For a long time security meant preparing
for a massive attack, like a Trojan Horse or a virus. It wasn't all that long ago that only the largest
of companies had to worry about falling prey to sophisticated cyber attacks. This is no longer the
case. According to the January 2014 Symantec Intelligence Report, attacks were fairly evenly split
among organizations of all sizes and industries.
While large-scale mass attacks are still prevalent and continue to grow more cunning, the days
when these were the only threats to worry about were simple and straightforward compared to
today's landscape.
Targeted attacks and advanced persistent threats are distinct threat types, and they require that their
own set of unique protection capabilities be deployed if an enterprise is to truly protect its entire
infrastructure.
To prevent attacks organizations need a security strategy in place to deflect both mass malware
and targeted attacks. A targeted attack is, as its name implies, one that is aimed at a specific user,
company or organization. These attacks are not widespread like a virus or worm, but rather are
designed to attack and breach a specific target, with the ultimate goal of collecting various types of
data.
To truly protect themselves from a targeted attack, businesses must change their view of security
from top to bottom. From strategic planning to implementation, organizations must stop believing
endpoint antivirus and firewalls are enough and instead think in terms of proactive, multi-layered
protection. An effective layered approach protects all vulnerable areas.
This typically includes signature-based protection as well as the security intelligence to provide
contextual awareness and adaptive monitoring across three key vulnerable (and often valuable)
areas:
Endpoints
Gateways
Data center

2014 QuinStreet, Inc.

A sub-par protection plan opens the door to infections and creates significant costs, whether measurable
in quantifiable dollars or something less tangible, like employee morale. A breach in your security will often
result in lost or compromised data, expensive equipment replacement, lost productivity and loss of
customer confidence. A breach also means reallocated resources, time lost, lots of backtracking, lost
productivity, and ultimately lost revenue. There is both a short-term and a long-term impact.
A security breach at any of those points will have a significant negative impact. In fact, even an infection
that hasn't reached the level of a breach can impact productivity as it too will soak up IT resources and
add real costs to your business.

Targeted Attack Trends


Targeted attacks are on the rise. Neither company size nor industry affords protection. According to
the January 2014 Symantec Intelligence Report, small companies of 250 employees or less were
targeted in 39 percent of attacks in January 2014, while those with 2,500 or more employees were
targeted 38 percent of the time. The remaining 23 percent targeted enterprises in between. More than
40 percent of attacks were on manufacturing and nontraditional services firms (e.g., hospitality,
recreational, and repair services), while finance, insurance and real-estate (13.7 percent), professional
services (11.4 percent) and wholesalers (11.0 percent) also fell prey.
No company is immune from a targeted attack. If you think that just because you have some sort of
perimeter protection and you haven't yet been hit you're OK, think again. Targeted attacks are stealthy,
complicated beasts. Oftentimes they sit silently, collecting information, for more than 10 months before
they are discovered. Additionally, it's important to understand that smaller companies are often used
as a gateway to attacking a larger company with which they have an established relationship.
And don't think stopping the hackers from getting in is an easy solution either. It is near-impossible to
know who's targeting you, as hackers are an increasingly diverse group - not one profile applies to
them all - or what they're targeting you with because the tools attackers use adapt so rapidly to IT
environments.
Thus, it's imperative to cover all bases to protect your entire infrastructure. That includes gateways,
endpoints, and data centers. Proactive, independent steps must be taken to protect these key touch
points.
Consider the data center, for example. The data center will always be a prime target for attacks. This
is where your most important information lives and the heart of your functionality. Protecting the
servers, both physical and virtual, on which data resides is critical. While most attacks aim for a weak
point of entry, the true prize they're eyeing is in the data center. Although a breach is less likely to take
place directly at the data center level than at a compromised endpoint or gateway, the data center
requires security solutions to stop malware that may be trying to spread from endpoints or another
weak point in the network.
The dynamic nature of today's data center complicates this further. Optimized security for each unique
type of server - web, file, application, database and so on - is needed, bearing in mind that
"servers" are virtual as well as physical. Without protection for all of these server types, the data
center remains potentially at risk.
The techniques used against servers today range from sophisticated penetration techniques to
unintentional configuration mistakes by admins. Cybercriminals frequently target servers during the
incursion, discovery, and capture phases of a data breach.
Hence, traditional protection technologies and policies often employed, such as antivirus or patch
updates, while still an important layer of defense, are often not up to the task of securing today's data
center. Today's threat landscape warrants augmenting with real-time and proactive security to provide
sufficient protection for servers to address greater confidentiality, integrity, and availability
requirements of each system.
A note of caution - while it may seem tempting and cost effective to bypass protecting gateways and
endpoints, and instead put all of your security dollars into building a fortress around the data center, it
is far from the most effective course of action. As important as it is to protect your assets directly, it is
equally important to prevent targeted attacks from penetrating at all. No single layer of security can
accomplish that on its own.
There is no denying endpoint protection is critical, and organizations are wise to ensure it is part of
their security arsenal. Endpoint security is becoming a more common IT security function and concern
as more employees bring their own mobile devices to work and companies allow their mobile workforces
to use these devices on the corporate network.
Without some sort of endpoint security, there would be no protection in place for the corporate network
when accessed via remote devices, such as laptops or other wireless and mobile devices. Each
device with a remote connection to the network creates a potential entry point for security threats.
Endpoint security is designed to secure each endpoint on the network created by these devices. The
increase in employee-owned devices is further fueling these potential vulnerabilities exponentially. A
typical endpoint security configuration consists of security software (e.g., antivirus, antispyware and
firewall protection) located on a centrally managed and accessible server or gateway within the
network, along with client software installed on each of the endpoints (or devices). The latter becomes
an increasingly complex endeavor as employees circumvent policies and access the network from
potentially unsecured devices.
Thus, as comprehensive as endpoint protection seems, it is important to bear in mind that given the
nature of today's threats, endpoint protection is often not enough. It is important to also secure the
gateways as well as the data center itself.
Web protection is but one type of gateway protection. For web protection to truly be effective, you
must secure email as well. Gateway protection secures nodes on a network that serve as an entrance
to another network. The computer routing the traffic from a workstation to the outside network that is
serving the web pages is serving a gateway function. In the past, a proxy server sufficed, but with the
growing variety of web-borne malware, that is no longer enough. True web protection is able to identify
new threats before they cause disruption in your organization.

However, focusing purely on the gateway is not enough. Whitelisting, blacklisting, URL filtering and
so on are helpful and necessary, but it is important to bear in mind that the web is a pass-through
point and hackers are increasingly cagey. Spyware and other easily downloaded malware can quickly
penetrate your network if not caught. It is also important to have a web gateway solution that is able to
scan all outbound communications, as this can provide an early warning of a malware infection in
progress.
In addition, no matter how well you protect your web servers and other web-based access points,
they are not the endpoints, and the data center itself must also be protected to both stop a targeted
attack from striking and, should it get in, stop it from doing damage.
Email protection is considered one type of gateway protection. For email protection to truly be
effective, you must secure web connections as well. Email has always been an easy gateway for
hackers. First it was merely the annoyance of spam that had to be dealt with. The biggest problem
with spam was its impact on productivity and bandwidth. Today, the security threats that come in via
messaging are far more nefarious. Security threats take the form of spoofed addresses and phishing,
malware infected files such as PDF or Office documents, embedded URLs and more.
Having protection in place to ensure a targeted attack does not enter your network via a gateway,
whether email or a web connection, is imperative. The gateway is but one component, however, and it
is a mistake to overlook the endpoint and the data center itself.

Protection Your Organization Needs to Keep Your IT Assets Safe


Just as a chain is only as strong as its weakest link, an organization's security infrastructure is only as
tight as the loosest vulnerable point. Thus it is important to protect your endpoints, gateways and data
center from targeted attacks.
Individually, the security of each component offers many advantages to the security of the
organization as a whole, but none are without limitations. Securing a single component will not bring
end-to-end security to the enterprise. Rather all three areas must be protected from targeted attacks,
ideally with a layered umbrella approach that treats the organization as a single entity.
Take endpoints for example. Protecting your endpoints has always been important, and the criticality
continues to increase as more employees bring consumer mobile devices to work, and companies
allow their mobile workforces to use these devices on the corporate network. Endpoint security
protects the corporate network when accessed via remote devices, such as laptops or other wireless
and mobile devices.
Generally, endpoint security is a security system that consists of security software located on a
centrally managed and accessible server or gateway within the network, in addition to client software
being installed on each of the endpoints (or devices). The server authenticates logins from the
endpoints and also updates the device software when needed.
Effective endpoint protection blocks threats as they travel over the network and try to take up
residence on a system. While endpoint security software differs by vendor, you can expect most
software offerings to provide antivirus, antispyware, firewall and also a host intrusion prevention
system. All of these offerings stop malware in its tracks. Ideally, endpoint protection should go beyond
antivirus and offer layered protection at the endpoint.
Stopping malware before it reaches gateways or the data center is certainly preferable to identifying a
compromise that has already taken place. However, while a good endpoint security package can
handily protect endpoints, endpoints are not the only IT assets vulnerable to a
targeted attack. Nor is even the most inclusive security package immune to ever-evolving threats.
Endpoint security, as important and effective as it is, is but one component of a comprehensive and
layered security strategy.
There's no escaping the web. Both having a web presence and using the web for daily operations are
necessary components of an effective business strategy.
The web, as well as email, is a gateway into the corporate network. This makes it vulnerable to a
targeted attack as it is an easy conduit for a hacker to get to the organization's servers. Protecting this
gateway from the multiple types of constantly mutating web-borne malware is critical. The most
popular way to do this is with URL filtering. A URL-filtering solution filters out undesirable URLs to
prevent employees from visiting sites known to be malicious sites as well as sites that violate company
policy.
Unfortunately, this is not enough for the current threat landscape. Rather than relying on what has
already been proven to be malicious, a proactive approach is more effective. An ounce of prevention
always goes further than a pound of cure.
A predictive approach based on context (e.g., age, frequency or location) better exposes threats
otherwise missed. Relying on a pool of knowledge about potential threats is also a useful indicator.
Ideally, the security tools in place at the web gateway will identify and block new and unknown
malware, stopping it in its tracks before it reaches an endpoint or finds its way into the data center.
Oftentimes, however, these tools are more valuable when they are not stand-alone. The ability to
leverage the knowledge and techniques from one security protection layer to another increases the odds
of stopping a targeted attack in its tracks. In addition, being able to scan all outbound web traffic can
help provide an early warning in case of infections on unmanaged or unprotected endpoints.
Love it or hate it, email is a vital component of any organization's communications strategy. Email is
used for both internal and external communications. For external communications in particular, it is
often the easiest way to transmit files in any format.
In the early days of email, bandwidth-hogging and time-consuming spam was an organization's
biggest worry. Today, antispam is the tip of the iceberg. Email is a gateway into the corporate network.
The ease with which a file can be attached to an email and transmitted throughout the organization
makes it an easy conduit for a targeted attack. An infected attachment or an embedded link to a
nefarious site can do a great deal of damage in a very brief amount of time.
Thus, in addition to focusing on spam, which brings with it its own set of challenges, security software
for the messaging gateway should ensure that the attachments are clean and malicious URLs are
removed. One that can remove potentially malicious active content from documents attached to an
email and send a clean version of the document to the user is even better.
Basic antispam and antivirus functionality should not be overlooked either. Whitelisting/blacklisting and
filtering at the server level all help reduce spam.
To minimize the impact of falling victim to address spoofing or allowing spoofed messages to be
passed on, look for messaging protection that is capable of blocking links and can check for emails
with malicious, shortened links, and then stop them before they reach a recipient.
Bear in mind, however, that email is but one component of the gateway layer of a security strategy. It
is critical to have not just messaging protection in place but also protection for threats that could come
in through the web. In addition, merely protecting gateways is not enough. Enterprises must be sure
to also protect endpoints and the data center itself.
The data center is the Holy Grail for many enterprises. Neglect to protect it or under-protect it, and no
matter how much endpoint security or gateway protection you have in place, it's only a matter of time
before a targeted attack is able to successfully breach the arsenal in place and have access to your
most valuable data, regardless of whether it resides on physical or virtual infrastructure in the data
center.
To stop a targeted attack, IT has historically relied on traditional protection technologies such as
antivirus and whitelisting. To secure today's physical and virtual data centers, this is no longer enough.
Server protection must cover in-depth confidentiality, integrity, and availability requirements of each
system. Oftentimes security must be customized for each server, be it web, file, application, or
database, due to data sensitivity or regulatory constraints.
Granular, policy-based controls are one solution to this. In addition, a combination of host-based
intrusion detection, intrusion prevention, and least privilege access control enables organizations to
proactively safeguard heterogeneous server environments and the information they contain.
While it may seem tempting and cost effective to bypass protecting gateways and endpoints, and
instead put all of your security dollars into building a fortress around the data center, it is far from the
most effective course of action. As important as it is to protect your assets directly, it is equally
important to prevent targeted attacks from penetrating at all. No single layer of security can accomplish
that on its own.

Bridging the Gap


Securing your enterprise against today's threats means rethinking the security measures you currently
have in place. Basic antivirus protection doesn't cut it in this world of rapidly mutating malware and
virulent targeted web attacks. In today's threat landscape, a multi-layered approach to security is
needed to protect your endpoints and gateways and ultimately your data center.
You know firsthand that a sub-par protection strategy not only opens the door to more infections but
also creates real costs. A breach in security is serious business. As we noted previously, lost or
compromised data, expensive equipment replacement, lost productivity and loss of customer
confidence have a rippling and crippling impact on the core business, and you are often the one
feeling the pain.
Whether you've been officially tasked with improving security or are frustrated with the current
situation and eager to develop a more secure IT environment, the first step is to assess what is
currently being done. The following questions should be considered:
What are you currently doing and using for security?
What does the data center environment look like? Where are your endpoints and gateways?
Do you have remote employees? What is your policy on BYOD?
What critical data are you tasked with protecting?

Only after those questions have been answered, and buy-in and budget from senior management have been
received, is it time to seek out a solution.

Next Steps - How Symantec Can Help


Seeking a security solution is no easy task. There is no shortage of vendors from which to choose.
Some are generalists, offering a wide range of security services, while others are specialist or niche
players with one or two areas of security expertise.
When it comes to IT security, more often than not, you get what you pay for. Thus, going with a
smaller, niche-oriented vendor, perhaps one that is even best of breed for a given niche, may save
you money upfront and may even deliver the highly configurable functionality you seek in a given area.
However, in the medium term, it will result in a more complicated security architecture that will cost
more over the long term and be less secure due to the need to bridge solutions together in a cohesive
fashion and plug any potential gaps that are created. Ad hoc fixes to missing functionality will further
complicate and create additional security holes leaving the organization more vulnerable to a targeted
attack.
On the flipside, a comprehensive solution from a single vendor is in effect putting all of your eggs in
one basket. Finding a vendor that can meet all of your security needs on all fronts and allows for the
desired configurability is no easy task.
Fortunately there is such a vendor. Symantec brings decades of comprehensive intelligent security
expertise, global intelligence and a broad portfolio that offers proactive and integrated protection from
targeted attack at the endpoint, gateway and data center level. It offers a proven and holistic approach
to protection.
Symantec Endpoint Protection combines effectiveness and performance to deliver unparalleled
security across physical and virtual systems that offers both maximum performance and advanced
protection.

Symantec Endpoint Protection combines three technologies: Symantec Threat Protection, SONAR
and Insight. Collectively, this powerful trifecta outperforms traditional antivirus protection: Network
Threat Protection, Insight and SONAR caught 51 percent of all of the threats seen by Symantec in
2012.
Symantec Network Threat Protection analyzes incoming data streams via network connections and
blocks threats before they actually hit the system. Network Threat Protection sits inside of browsers
and scans more than 200 protocols to block attacks on vulnerabilities. It also monitors outgoing traffic
to ensure sensitive data stays in.
Symantec Insight uses the collective wisdom of millions to help organizations reduce false positives
and determine whether a file being downloaded onto a corporate network is potentially malicious.
Symantec Insight leverages factors such as age, prevalence, and source of any executable file to
provide contextual awareness and score the potential risk of virtually every file.
With Insight, the unique pieces of malware often used in targeted attacks would have a low reputation
score since the prevalence of the file would be low. This gives organizations the ability to easily block
something because Symantec Insight has never seen that particular file before.
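As an added illustration (not Symantec's code and not Insight's actual model), the scoring below shows how file age, prevalence and source can be combined into a reputation score and an allow/review/block policy in which a never-before-seen binary gets the lowest possible reputation; the weights, thresholds, placeholder hashes and sample downloads are all assumptions constructed for the example.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Verdict(Enum):
    ALLOW = "allow"    # reputation high enough to let the download proceed
    REVIEW = "review"  # middling reputation: quarantine for analyst review
    BLOCK = "block"    # low or no reputation: stop the file at the gateway or endpoint


@dataclass(frozen=True)
class FileContext:
    """Context an endpoint or gateway reports for a downloaded executable (assumed fields)."""
    sha256: str                      # placeholder hash labels are used in the sample below
    first_seen: Optional[datetime]   # None means no system has ever reported this hash
    prevalence: int                  # number of systems that have reported the hash
    source_trust: float              # 0.0 = unknown/untrusted origin, 1.0 = trusted origin


def reputation_score(ctx: FileContext, now: datetime) -> float:
    """Score 0..100 from age, prevalence and source. Weights are assumed, not Symantec's."""
    age_days = 0.0
    if ctx.first_seen is not None:
        age_days = max((now - ctx.first_seen).total_seconds() / 86400.0, 0.0)
    age = min(age_days / 90.0, 1.0)                               # saturates after 90 days in the wild
    prevalence = min(math.log10(ctx.prevalence + 1) / 5.0, 1.0)   # saturates near 100,000 systems
    source = min(max(ctx.source_trust, 0.0), 1.0)
    return round(100.0 * (0.3 * age + 0.5 * prevalence + 0.2 * source), 1)


def verdict_for(ctx: FileContext, now: datetime,
                block_below: float = 20.0, allow_from: float = 60.0) -> Verdict:
    """Policy: files nobody has seen are blocked outright; otherwise threshold the score."""
    if ctx.prevalence == 0 or ctx.first_seen is None:
        return Verdict.BLOCK          # the unique binary typical of a targeted attack
    score = reputation_score(ctx, now)
    if score < block_below:
        return Verdict.BLOCK
    if score < allow_from:
        return Verdict.REVIEW
    return Verdict.ALLOW


# Constructed sample: three downloads observed on 31 Jan 2014 (fixed clock for reproducibility).
NOW = datetime(2014, 1, 31, tzinfo=timezone.utc)
SAMPLE_DOWNLOADS = [
    FileContext("sha256-placeholder-1", NOW - timedelta(days=400), 2_000_000, 0.9),  # well-known installer
    FileContext("sha256-placeholder-2", NOW - timedelta(days=30), 500, 0.5),          # moderately common tool
    FileContext("sha256-placeholder-3", None, 0, 0.0),                                # never seen anywhere
]


def triage(downloads, now=NOW):
    """Return {sha256: (score, verdict)} for each download in the batch."""
    return {d.sha256: (reputation_score(d, now), verdict_for(d, now)) for d in downloads}


if __name__ == "__main__":
    for sha, (score, verdict) in triage(SAMPLE_DOWNLOADS).items():
        print(f"{sha}: score={score:5.1f} verdict={verdict.value}")
```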
SONAR affords a real-time protection that detects potentially malicious applications when they run on
your computers. SONAR provides "zero-day" protection, detecting threats before traditional virus and
spyware detection definitions have been created to address the threats. SONAR detects the following:
Heuristic threats - tracks nearly 1,400 behaviors to determine if an unknown file behaves
suspiciously and might be a high risk or low risk. It also uses reputation data to determine
whether the threat is a high risk or low risk.
System changes - detects applications or files that try to modify DNS settings or the hosts file
on a client computer.
Trusted applications exhibiting bad behavior - flags applications that are behaving suspiciously or in a
way outside of their norm.


Protecting your gateways is a critical component of IT infrastructure protection. Powered by Insight,
Symantec's reputation-based malware filtering technology, Web Gateway is more than just web
content filtering software. Web Gateway protects organizations from multiple types of web-borne
malware and gives organizations the flexibility of deploying it as either a virtual appliance or on
physical hardware. Insight offers proactive protection against new, targeted or mutating threats,
blocking not just web traffic, but also any port and protocol.
Powered by the collective wisdom of more than 210 million systems, Web Gateway is able to detect
threats as they are created. It uses context to reduce false positives and cut management overhead.
In addition, because Web Gateway integrates with Symantec Data Loss Prevention Network Prevent
for Web, it is able to prevent sensitive data from leaving the corporate network via the web, reduce risk
of data loss by automatically enforcing security policies, and change users' behavior through real-time
education on policies with notifications of policy violations. Web Gateway can also scan all outbound
communications to detect infections on unmanaged or unprotected machines and send them to
quarantine to provide easier remediation.


Key features of Web Gateway include: Web filtering software that integrates seamlessly with
Symantec Data Loss Prevention, application control capabilities, Symantec RuleSpace URL filtering
with flexible policy setting, SSL Decryption capabilities, multiple layers of malware protection, and
integration with Symantec AntiVirus engine.
Email is an essential universal tool for doing business, yet it is also a potential gateway for those
wishing to do harm. Symantec Messaging Gateway and Email Security.cloud deliver powerful email
protection, enabling organizations to secure their email and productivity infrastructure with effective
and accurate real-time antispam and antimalware protection, targeted attack protection, advanced
content filtering, data loss prevention and email encryption.
Messaging Gateway is simple to administer and catches more than 99 percent of spam with less than
one in 1 million false positives.
Targeted Attack Protection is one of Messaging Gateway's key features. Disarm, a proprietary Symantec
technology, protects against targeted attacks and zero-day malware by removing active, potentially
malicious, content from Microsoft Office and PDF attachments. It then re-assembles the attachment so
that it is viewable by the end user without fear of infecting them.
While Disarm protects on premises, organizations looking for cloud-based protection can look to
Skeptic for their messaging security needs. Part of the Symantec.cloud offerings, Skeptic is a
proprietary heuristic technology that does not rely on signatures to detect new, emerging or even
variations of older malware. Using thousands of rules and dozens of advanced techniques, Skeptic
detects new and emerging malware through techniques such as: application reputation, junk code
analysis and "real-time-link-following," which offers protection against positively-identified viral URL
links within emails. Skeptic then looks at all the evidence before reaching a conclusion and taking the
appropriate actions. Because Skeptic is delivered as a cloud-based service, it is continually learning
based on the volume of threats it sees and identifies and is thus able to stay one step ahead of
potential threats.
It would be a glaring security omission to neglect protecting the data center. After all, this is where your
most valuable business assets reside, and neglecting this layer at the very least will have serious
repercussions throughout the business, should it be the victim of a targeted attack.
Fortunately, Symantec has a solution to prevent this. Using host-based intrusion detection (HIDS) and
intrusion prevention (HIPS), Symantec provides a proven and comprehensive solution for server
security, for both physical and virtual servers.
Critical System Protection offers a host of protective measures against targeted attacks. With file,
system and admin lockdown, virtual and physical servers can be hardened to maximize system uptime
and avoid ongoing support costs for legacy operating systems. Granular Intrusion Prevention Policies
protect against zero-day threats and restrict the behavior of approved applications even after they are
allowed to run with least privilege access controls.

Critical System Protection's Least Privilege Access Control restricts user, application and network
access, effectively locking malware out because it is not allowed to run. For organizations that operate
a VMware infrastructure in the data center, Critical System Protection uses VMware's prescribed
policies for virtual server hardening, including vCenter, hypervisors and guest operating systems.
Other functionality in Critical System Protection includes integrity monitoring to identify changes to files
in real-time, configuration monitoring, targeted prevention policy and integration with IT GRC and
SIEM Solutions.

Conclusion
Keeping the enterprise secure is no easy task. Protecting your organization from unknown threats
is incredibly difficult. Choosing a best of breed vendor that offers end-to-end security goes a long
way toward keeping your IT assets safe and preventing a targeted attack from taking a penetrating
hit.
Symantec offers a comprehensive portfolio that provides layered protection based around endpoint,
gateways and data center assets. Give Symantec Endpoint Protection a try - download the
trialware version at http://www.symantec.com/offer?a_id=175265.
To learn more about how Symantec's offerings can prevent a targeted attack from impacting your
organization, go to http://www.symantec.com/endpointprotection/?om_ext_cid=biz_US_ad_Quinstreet_EndpointProtection_aid176053 or call 855-2101103 to speak with a Symantec representative.
