Overview and Architecture
Silviu Popescu
Symantec Product Manager at Omnilogic SRL
80 Symantec Monitored Countries
8 Symantec Security Response Centers
> 6,000 Managed Security Devices + 120 Million Systems Worldwide + 30% of World's email Traffic + Advanced Honeypot Network
Dublin, Ireland
Tokyo, Japan
Calgary, Canada
San Francisco, CA
Mountain View, CA
Reading, England
Santa Monica, CA
Alexandria, VA
Taipei, Taiwan
Sydney, Australia
Pune, India
Attack Trends
Data Breaches
Information on data breaches that could lead to identity theft. Data collected is not Symantec data.
The government sector accounted for the majority of data breaches with 25%, followed by Education (20%) and Healthcare (14%). The majority of breaches (54%) were due to theft or loss, with hacking accounting for only 13%.
Attack Trends
Underground Economy Servers
Credit cards, identities, online payment services, bank accounts, bots, fraud tools, etc. are ranked according to the goods most frequently offered for sale on underground economy servers.
Credit cards were the most frequently advertised item (22%), followed by bank accounts (21%).
Attack Trends
underground black trading
http://money.cnn.com/2005/05/23/news/fortune500/bank_info/
Finance II
http://www.theregister.co.uk/2007/04/19/phishing_evades_two-factor_authentication/
In the first half of 2007, 212,101 new malicious code threats were reported to Symantec. This is a 185% increase over the second half of 2006.
This increase can mainly be attributed to new Trojans such as staged downloaders. The first stage of a staged downloader is usually written for a specific target or purpose, resulting in the creation of a very large number of them.
2006 Landscape
[Diagram: endpoint exposures, the protection technology for each, and the Symantec products covering them. Labels recovered from the slide:]
Threat: Crimeware
Endpoint Exposures and Protection Technology:
- Applications: Behaviour Blocking
- I/O Devices: Device controls
- Memory/Processes, Operating System: O/S Protection
- Network Connection: Network IPS
- Client Firewall, AntiVirus, Anti-spyware
- Host integrity & remediation: always on, always up-to-date
Products: Symantec Network Access Control, Symantec Confidence Online, Symantec Client Security, Symantec Mobile Security, Symantec Sygate Enterprise Protection, Symantec Critical System Protection, Symantec AntiVirus
Product feature stacks shown converging on Symantec Endpoint Protection 11.0 and Symantec Network Access Control 11.0: AntiVirus; Antispyware; Firewall; Intrusion Prevention; Device Control
16M Installations
Source: Thompson Cyber Security Labs, August 2006
[Diagram, text only partly recoverable: a new worm copies itself onto removable drives such as USB memory sticks; when the stick is connected to another computer the worm runs automatically and then spreads to its next targets.]
Product stack shown beside the diagram: Device Control, Intrusion Prevention, Firewall, Antispyware, AntiVirus
Deployment & Integration
- Email report distribution
- Centralized event logging
- Customizable report filters
- Real-time event viewing
- Command system
- Network security status view
- Notifications view
- Event export to SSIM & 3rd-party SIEM solutions
- Embedded and MSSQL support
Administration
- Centralized, web-based console
- Simplified user interface for SMB and enterprises
Policy Actions
- Integrated management of all agent components
- Role-based access
- Single console to define & manage AV, FW, NAC and other policies
- Administrative domains
- Authenticate admin users via AD
- Group-based policy application
- Customizable agent package installation settings
- Reusable policy objects
- Centralized setting of exclusions and exceptions
- Remote agent installation
- RSA SecurID authentication
Device Control
USB, FireWire, Bluetooth, Infrared, SCSI, ...
System lockdown that even the admin cannot change ...
Thank You