With black hat hackers now outgunning legitimate organizations, the world's largest security company is adopting a new integrated approach to advanced threat protection.
"If you go back in time five years and you look at what was terrifying people in security, it was that data had a transfer price," says Brian Dye, senior vice president of Symantec Information Security. "Organized crime had a reason to go after that data."
And it did, in a big way, building out a whole black hat ecosystem dedicated to extracting data and getting it into the hands of buyers, with specialized skill sets and a training path for gifted individuals.
"What scares me now is that five years later, those organizations are going concerns," Dye says. "An attacking organization today can have as many as 100 to 150 people. They have a career advancement path. How many legitimate businesses in the world have more than 100 people in security? I would say less than 100."
Defending your data against determined attackers with such resources at their disposal requires a whole new approach to security, Dye says. He points to one organization, which he describes as typical, that experienced 256 billion events last year, resulting in 215,000 incidents and 3,000 security incidents.
The Focus Must Be Detection and Response, Not Prevention
"To successfully defend against the types of targeted attacks we're seeing today, you need to expand the focus from prevention to detection and response," Dye says.
"Network security alone isn't going to solve the problem. Adversaries are targeting all control points from the gateway to email to the endpoint," Dye says. "Organizations need security across these control points working together, with incident response capabilities and global information intelligence to beat the bad guys."
Symantec is approaching this problem in a multifaceted way with a range of services and solutions.
Next month, Symantec will make available its new Symantec Managed Security Service -- Advanced Threat Protection (MSS-ATP), a managed service that Dye says significantly reduces the time it takes to detect, prioritize and respond to security incidents. It's based on deep integration between Symantec's endpoint security offering and third-party network security products from partners including Check Point, Cisco Sourcefire and Palo Alto Networks.
Symantec calls this ecosystem of network security partners the Advanced Threat Protection Alliance, and Dye says it enables the detection and correlation of malicious network and endpoint activity to substantially reduce false alerts by pinpointing the important incidents.
"What does detection mean?" Dye asks. "Detection means you get a bunch of 'maybes.' That's good because you've detected an event, but it's bad because chasing down a maybe represents a bunch of OpEx."
MSS-ATP seeks to cut down the effort required to chase down those 'maybes' by correlating events and only surfacing those events that aren't blocked at the endpoint, email or gateway.
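The correlation idea described above, as an added illustration that is not Symantec's code and not part of the original article: events from several control points are grouped by host and indicator, any group that some control point already blocked is dropped, and the survivors are ranked by how many independent control points saw the same thing. All host names, indicators and timestamps are constructed sample data.

```python
"""
Added example (not Symantec's code, nor part of the CIO article):
a minimal event-correlation pass of the kind the text describes.
Gateway, email and endpoint sensors each emit "maybes"; only the
detections that were NOT blocked at any control point are surfaced,
and those are ranked by how many control points corroborate them.
Every sensor record below is constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Event:
    source: str      # control point: "gateway", "email" or "endpoint"
    host: str        # affected host (constructed name)
    indicator: str   # constructed sample indicator, e.g. a domain
    action: str      # "detected" (a maybe) or "blocked" (already stopped)
    ts: int          # epoch seconds (constructed)


@dataclass
class Incident:
    host: str
    indicator: str
    sources: List[str]   # control points that saw the indicator
    first_seen: int
    priority: int        # higher means more corroboration


# Constructed sample telemetry from three control points.
SAMPLE_EVENTS = [
    Event("gateway", "ws-017", "evil.example", "detected", 100),
    Event("endpoint", "ws-017", "evil.example", "blocked", 104),   # endpoint stopped it
    Event("gateway", "ws-022", "drop.example", "detected", 200),
    Event("email", "ws-022", "drop.example", "detected", 195),
    Event("endpoint", "ws-022", "drop.example", "detected", 210),  # reached the host, not blocked
    Event("email", "ws-031", "lure.example", "blocked", 300),      # stopped at the mail gateway
    Event("gateway", "ws-040", "c2.example", "detected", 400),     # seen by one sensor only
]


def correlate(events: List[Event]) -> List[Incident]:
    """Group maybes by (host, indicator), drop anything a control point blocked, rank the rest."""
    groups: Dict[tuple, List[Event]] = defaultdict(list)
    for e in events:
        groups[(e.host, e.indicator)].append(e)

    incidents: List[Incident] = []
    for (host, indicator), evs in groups.items():
        # A block at any control point means this maybe is already handled.
        if any(e.action == "blocked" for e in evs):
            continue
        sources = sorted({e.source for e in evs})
        priority = len(sources)          # one point per corroborating control point
        if "endpoint" in sources:
            priority += 1                # the content reached execution on a host
        incidents.append(Incident(host, indicator, sources, min(e.ts for e in evs), priority))

    # Highest priority first; ties broken by earliest sighting.
    incidents.sort(key=lambda i: (-i.priority, i.first_seen))
    return incidents


def triage_summary(events: List[Event]) -> Dict[str, int]:
    """How many raw maybes came in versus how many an analyst actually needs to chase."""
    return {"maybes": len(events), "surfaced": len(correlate(events))}


if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(f"P{inc.priority} {inc.host} {inc.indicator} seen by {', '.join(inc.sources)}")
    print(triage_summary(SAMPLE_EVENTS))
```

On the sample data the seven raw events collapse to two incidents: the host where gateway, email and endpoint all saw the indicator and nothing blocked it ranks first, and the lone gateway sighting ranks last. The two groups that some control point blocked never reach an analyst, which is the OpEx saving the text is describing.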
Security of the Future Requires Adversary Intelligence
Within the next two quarters, Symantec says it plans to introduce a new Security Intelligence service that leverages its Symantec Global Intelligence Network (GIN) and a team of more than 550 researchers around the world to anticipate attacks.
The GIN platform continuously collects anonymous telemetry submitted from hundreds of millions of customers and sensors - more than 3.7 trillion rows of security telemetry data, Dye says - that allow Symantec to discover new attacks and monitor attacker networks. The Security Intelligence service will use the intelligence gathered by Symantec to monitor bad guys and understand who they're attacking and why.
"If you understand what the bad guys are going after, you can do things totally differently," Dye says.
For instance, if you know attackers are seeking a certain type of data, you build specific monitoring around that data and people in your organization with access to that data. If you know an attacker is seeking to insert malicious insiders into an organization like yours, you can give additional scrutiny to background checks on new people in your organization.
Also within two quarters, Symantec plans to introduce an Incident Response service that provides customers with immediate access to critical capabilities, knowledge and skill sets during incident response scenarios.
"We've been building up staff over the past six months," Dye says.
Finally, Symantec says it will tie it all together with a new Advanced Threat Protection Solution, an on-premise offering that Dye says will go into beta within the next six months and will be generally available within the next 12 months. The end-to-end solution will deliver integrated advanced threat protection across the endpoint, email and gateway.
It will leverage two new organically developed Symantec technologies: the Symantec Dynamic Malware Analysis Service and Synapse. The Dynamic Malware Analysis Service is a cloud-based sandbox environment for behavioral analysis of active content, while Synapse enables smooth communication between the endpoint, email and gateway.
"We're going to be pricing this aggressively and we're going to offer extended free trials to customers so they can see it for themselves," Dye says.
Thor Olavsrud covers IT Security, Big Data, Open Source, Microsoft Tools and Servers for CIO.com.
This story, "Symantec Lays Out Advanced Threat Protection Roadmap" was originally published by CIO.