Symantec taps user community to counter malware menace

An entirely different approach to security is needed to respond to the phenomenal growth in Internet crime, a Symantec Corp. executive said Tuesday.

Today a crime on the Web happens every quarter of a second, noted Janice Chaffin, group president, Symantec’s consumer business unit. She was speaking at the ‘Internet BlackMarket’ event, hosted in Toronto by Cupertino, Calif.-based Symantec.

A booth at the event visually depicted how items are traded in bulk on the cyber black market – including credit and debit card numbers, complete IDs, government IDs and more.

Symantec security experts also provided hands-on demos of techniques used by hackers and bot herders to hack PCs and create botnets — networks of compromised computers.

As these online threats grow at an incredible rate, Chaffin said chances of one becoming a victim have also skyrocketed.

Today, research shows “one in five persons” will fall prey to cybercriminal activity, especially ID theft.

“Despite this grave situation, a quarter of global computer users have no form of protection on their machines. And our surveys also show about half of the people who use computers say they visit unsafe sites.”

People have every reason to be very concerned, the exec said, citing Symantec research findings on the explosive growth of cybercriminal activity. These include:

  • A 600 per cent increase in malicious activity on the Internet from 2002 to 2008
  • A million new threats in 2008 that Symantec had to write code signatures for

It’s very difficult to write a million new signatures a year, Chaffin noted, adding that the situation would only worsen. “By 2010, we think there’ll be around three million [new] threats.”

She said a big reason for this huge proliferation of malware is the inadequacy of security technology on the market. “Anti-virus software is 20 years old, and hackers have gone far beyond relying on simple viruses to get the job done.”

A common ploy of today’s cyber criminals, she said, is to write malware that infects only a small group. “They then alter the malware to infect yet another small group. As they’re swift at doing those alterations, it’s very difficult to stop them by writing a signature for every piece of malware.”

Instead, she said, Symantec has come up with a new way to beat cybercriminals at their own game.

For the past three years, Chaffin said, Symantec has worked on new technology under the moniker “Project Quorum” — a reputation-based [initiative].

Symantec, she said, has applied the familiar concept of “reputation” (used by restaurant guides or Amazon.com book ratings) to the security arena.

Reputation in the cloud

Project Quorum includes an “opt-in” program for Symantec users worldwide, who can choose to send the security company non-personally identifiable information about files (applications) on their systems.

“Because more than 35 million of our global users have opted to do this, we’ve been able to classify around 500 million files on the Internet as either good or bad,” Chaffin said.

This classification, she said, takes the form of an “identity rating” that’s based on many criteria:

  • How common the program is on the Internet — how many users have it
  • When the app was released — is it new, or has it been around for a while?
  • The source of that application  

From these metrics Symantec statistically estimates whether or not an unidentified program is good or bad, she said.

“Typically, if it’s not very common, and it’s just released, it’s very likely to be malicious software.”

She said through this strategy, Project Quorum keeps each opt-in Symantec Norton community member safe. “If any of them has a program, Project Quorum knows about it, can classify it, and protect them, even before a signature is ever written.”

This reputation-based file classification feature, she said, will be in all of Norton’s 2010 products.

“But we’ve been collecting this data from our users over several years. So we have the largest volume of information worldwide about files on the Internet. That allows us to keep users very safe.”

Chaffin said the approach adopted by Project Quorum is “unique”, as all the reputation data is in the cloud.

“No other security vendor offers this. Some talk about security in the cloud, but frankly they’re just putting their virus definitions in the cloud. In our case, we’ve put data about half a billion Internet files on the cloud.” She positioned Quorum as a “new and radical approach” that would really slow down cyber criminals.

At least one Canadian analyst agrees that reputation ranking is an effective antidote to rapidly proliferating malware.

“Signature-based detection has been dying a slow death for a while now,” said James Quin, senior research analyst with Info-Tech Research Group based in London, Ont. “There is just too much bad code in existence for it to be efficient anymore.”

By contrast, Quin said, reputation-based filtering is the new frontier for anti-malware. “It has the potential to be very useful in the fight against malware.”

But for that potential to be realized, he said, a lot would depend on the end user. “They must pay attention to the advice the protection software offers — if the user ignores the advice, all bets are off.”

Also, as a security strategy, reputation filtering isn’t unique to Symantec, Quin said.

“Trend Micro has been talking about cloud-based reputation filtering for about 18 months and McAfee for about 12 months,” the analyst noted. “Maybe those providers don’t have the critical mass behind the capability that Symantec has, but they certainly have been indicating that this [has been] part of their offering for a while.”

Security plus speed?

For many users, a big deterrent to installing security software is the belief it will slow down their system, Symantec’s Chaffin said.

“And they were right, as in many circumstances, the security software they used was slowing down their PC.”

To address this issue, she said, Symantec set an internal target resolving that its security products would never slow down a PC.

“We really delivered on that. Our 2009 products are the fastest and lightest in the industry – they have a very small footprint, the AV suite will not slow it down, something we’ve proven in many benchmarking tests done by independent labs.”

Independent benchmark tests done by Passmark on 12 different security products gave Norton Internet Security 2009 the best overall score.

But on some metrics — such as installation size, registry count, and installation of third party applications — some other vendors got a better ranking than Norton.

Chaffin said Norton’s 2010 offerings “are the fastest and lightest products in the world.” She said in Passmark tests, the Norton 2010 suite “beat out every single competitor in terms of size and speed.”

Apart from shrinking the footprint of its Norton Internet Security 2010 products, she said, Symantec has also equipped them with sophisticated performance tools.

“These allow users to really understand what’s slowing down their PCs, and this helps them make their [machines] run faster. No other security vendor does that – it’s nirvana.”

The performance monitoring screen, she said, would tell you on exactly which day the PC started running slower, and what you did on that day. “Maybe it was something you downloaded or installed. You have the information needed to decide what to do.”

Another presenter, Kristi Thorburn, who was a victim of cybercrime, shared her experiences with the audience.

Vern Crowley, acting staff sergeant with the Ontario Provincial Police (OPP), talked about what the OPP and other Canadian law enforcement bodies are doing to tackle the malware menace, ID theft and other burning security problems.
