Symantec Unveils Symantec Endpoint Protection 14 With Multi-Layered Protection
In the battle for the endpoint, the new generation security products have been making the most noise. Their claim that machine learning is more effective than signature detection in finding zero-day malware is doubly effective: firstly it is true, but secondly it implies that first generation vendors do nothing more than signature detection. This bit is false – and we can expect a serious fightback from the 1st gen vendors.
The fightback has already started. A few weeks ago, Sophos launched a new product called Intercept X. And today, Symantec announced the single largest upgrade to its flagship Symantec Endpoint Protection: SEP14. It is an extensive evolutionary upgrade that verges on a new product. We can expect more announcements from other 1st gen vendors in the coming months.
In a conversation with SecurityWeek, Symantec’s Global VP of Endpoint Products Javed Hasan explained that SEP14 is built to three requirements: “superior protection, higher performance, and an orchestrated response.” This is achieved by overlaying multiple technologies in an innovative fashion; something he noted that ‘single technology’ vendors could not achieve.
‘Single technology’ is likely to emerge as the marketing epithet levied by 1st gen vendors against the new machine learning based new gen vendors, in the same way as some new gen vendors dismiss 1st gen vendors as simply ‘signature detection engines’. ESET senior research fellow David Harley recently did very similar. “If there is a generational difference, it’s that the fossils [his term for first gen vendors] don’t rely on a single algorithmic approach, any more than they rely on static signatures; whereas the new boys tend – in their marketing, at any rate – to promote an either/or view, claiming to be signatureless while promoting ML (for instance) as a technology so obviously perfect that malware just fades away.”
This multi-technology capability of the ‘fossils’ lies at the heart of SEP14. It is easy to maximize malware detection by simply calling everything malware; but the high volume of false positives would make this unworkable in a business environment. The real problem is to maintain high detection while minimizing false positives. “We have always held SEP to a standard of very low false positives,” Hassan told SecurityWeek. “Internally we measure it at 0.1% of falsing.” This false rate is achievable with a system using signature detections, but less achievable with machine-learning detection (machine learning delivers probabilities rather than binary yes/no results). Conversely, machine learning probabilities are more likely to detect unknown malware that doesn’t yet have a signature.
SEP14 now seeks to maximize the best of both approaches without limiting performance. Put very simply, SEP14 comprises a machine learning agent on the endpoint with signatures removed to the cloud. “We still use signatures,” said Hassan, “but we have put the majority of them in the cloud. The big use of signatures is now around lower falsing rather than higher detection.” Now machine learning on the endpoint detects a dubious file which is then checked against what Hassan describes as the world’s largest civilian blacklist and whitelist databases.
Interestingly, he claims that a cloud hash look-up is actually faster than checking the hash against a locally stored database of signatures. “The cloud lookups are so small that the speed of detection actually increases — either we scan on disk, or we look it up,” he explained. “Scanning on disk takes longer than the cloud lookup. Not everything detected by ML requires a cloud lookup — it’s only to confirm those detections where the ML probability level leaves room for doubt.”
It is this double-checking against machine learning algorithms and a signature database that keeps the SEP14 false positive rate very low — around 2% at the most compared to 15% at the least for some of the machine learning new gen competitors (Hasan noted that all of the figures he quoted would be verified by third party testing already undertaken and due to be published in the coming weeks).
But this approach still has a security weakness that SEP14 seeks to avoid. For machine learning to detect a dubious file, that file has already landed on the disk. In effect, the infection has already occurred; which is what endpoint security should really seek to prevent. “What we have added in this release,” explained Hasan, “is exploit mitigation technology which detects the methods of targeting vulnerabilities used by attackers. There are relatively few techniques used in exploits. What this technology does is stop them.”
Sophos introduced a similar approach last month, and suggested that there are only about 24 separate basic exploit methodologies. This gets more complicated by multiplying different approaches for different platforms (Word, PDF, etcetera) but is nevertheless tiny compared to the size of a general malware signature database.
It is the combination of machine learning and exploit mitigation on the endpoint that provides maximum protection, while signature corroboration in the cloud minimizes false positives. This arrangement has two further advantages: zero-day malware detected by ML on the endpoint is immediately sent to the cloud to provide protection for all customers, while daily updates to the endpoint are reduced. “The number of updates drops by about 70% with SEP14 compared with SEP12,” said Hasan. “Updates don’t fully go away, but they’re reduced to something about the size of a large email per day.”
Hasan had one final rabbit to pull from the hat — orchestration. “We’ve opened it up,” he said, “so the customer can orchestrate SEP14 with other products or through the use of scripts. You can pull out data from SEP14 and use scripted controls, so you can respond to events happening elsewhere if you want to change the security posture of an endpoint.”