RSA: Symantec Expands Reputation-Based Technologies

In a keynote address delivered at the RSA Conference 2009 in San Francisco, Symantec President and CEO Enrique Salem said that the current blacklisting and whitelisting technologies fall short of providing adequate protection from increasingly sophisticated and widely distributed security threats. Blacklisting is too slow and requires too much bandwidth while whitelisting is often too restrictive, Salem said.

"The problem is: How do you handle the millions of programs that are each on just a few machines in the world, what we call the long tail?" Salem said. "To address this, we need a fundamentally new approach. And we believe that approach is reputation-based security."

In recent years, security threats have evolved from mass distribution of a few exploits to delivering millions of pieces of fragmented malware to numerous machines.

"Let me put that into perspective for you. In the 30 minutes that I'm speaking this morning, our software will stop nearly 200,000 attacks globally around the Internet," Salem said.

To address these problems, Salem said that Symantec had been developing reputation-based technologies derived from anonymous usage patterns from its customers, which include the software's origin, its prevalence and age, among other things. Those new technologies enable a policy-based approach that allows administrators to configure their security models based on their organizations' specific risk assessments and subsequent security needs.

Salem compared it to making a restaurant choice based on a Zagat guide. "What's most important is that you choose how daring you want to be when it comes to picking a restaurant. You should be able to make a similar choice when it comes to security," he said.

The emphasis on reputation-based technologies is part of Symantec's larger effort to help companies "operationalize," or what Salem described as efforts to integrate technologies, streamline processes and align security policies to provide greater control over security risks and more visibility into the network.

"In the past, a lot of companies tried to standardize across their infrastructure, getting everyone to use the same hardware and the same applications," he said. "I'm not sure that was ever truly possible, but now it is nearly impossible."

Often, Salem said, low-level administrators end up being the de facto policy setters, due to the fact that they configure crucial systems such as e-mail or backup security. Many companies have disparate or piecemeal security products, which makes integration, as well as response and remediation, more challenging. Meanwhile, many companies rely on IT department silos with their own systems and policies, but which require manual effort for cross-communications. And often, IT administrators don't have complete access and visibility at all times, which increases security risks and makes prioritizing tasks more difficult.

"That's how most companies operate today," Salem said. "It's time to change the game. It's time to operationalize security."

To address these challenges, Salem proposed that companies adopt systems, processes and technologies that create a more integrated, protected and secure environment and provide greater control over security risks and more visibility into the network. The paradigm shift to an operational model will entail taking a risk-based and information-centric approach that also enables quick response and situation awareness. In addition, the model needs to be workflow driven, automating day-to-day processes and closing the gaps between various departments, personnel, policies and technologies, Salem said.

"Once you're able to operationalize security, you'll see all kinds of benefits. You'll be able to tear down the silos -- at least from a technology perspective -- and automate complex processes across your organization," Salem said. "And the really powerful thing is you don't need a whole new infrastructure or an army of programmers to put those workflows in place."