Symantec’s Francis deSouza on Building a Higher Order of Security Intelligence


Francis deSouza Francis deSouza, President of Products and Services at Symantec, gives a keynote at RSA Conference US 2013 about the role of big data and security intelligence for protection against advanced persistent threats, breaches and sophisticated cyber attacks.

Good morning! A major international brand was recently breached by what was likely a nation state actor; and no, I’m not talking about the hack of Justin Bieber’s Twitter account last week.

I was talking to the Chief Information Security Officer of that organization, and as we were discussing the incident remediation plan, he looked at me and made two interesting observations.

First, he said that he’d been approached since his breach by many security vendors that all talked to him about the single offering they had that will protect him from advanced persistent threats.

Now, he was too smart to fall for that. But that breach had left him feeling very viscerally the asymmetry of the business we are in: the difference between the advantages that the attackers had vs. the advantages that his security team had. And he wondered out loud if it was going to be ever possible, even with his dozens and dozens of security products, for him to bridge that gap.

Now, we all know in the security business that it’s inherently an asymmetric business. The reality is: the attackers have to be right just once, whereas we on the defense have to be right every time. And that asymmetry, that difference in advantage, shows up in many ways.

A few minutes ago we had Symantec publish a white paper on our recent findings on Stuxnet. We now have evidence that Stuxnet actually had its command and control servers alive in 2005. That’s five full years before anyone had previously thought.

We also just published details of an earlier variant of Stuxnet that we’ve captured that we call Stuxnet 0.5. And Stuxnet 0.5 behaves very differently from Stuxnet 1.0 that was found in 2010.

Yes, they both targeted the Iranian uranium enrichment facilities, but the way they did it was very different. As you remember, what Stuxnet 1.0 did was it attacked the high-frequency centrifuge motors, and it disabled the plant by accelerating those motors from 1000Hz to about 1400Hz, so the plant went out of control.

Well, Stuxnet 0.5 a few years earlier tried a different attack. Instead of attacking the motors, what that malware did was it took over the valves that controlled the flow of uranium hexafluoride, the gas, into the centrifuges. Turns out, actually, that you can cause a lot of damage by messing with the high pressure in the centrifuge in a uranium enrichment facility.

The attackers have to be right just once, whereas we on the defense have to be right every time.

Now, the other thing that this finding points out though is that we are now entering close to the end of the first decade of weaponized malware. And as the new malware variants that we see, things like Duqu and Flame show, the research and the sophistication of these cyber weapons has continued to develop. And access to these cyber weapons has continued to get more and more democratized.

There are lots of other places this asymmetry of advantage shows up; it showed up for us last week, when we were running our annual internal cyber war games at Symantec. This is an internal contest we have, where we invite teams of our best and brightest from around the company to compete.

And this year for the finals that we held in Mountain View last week, we actually simulated the critical infrastructure of a country. And we brought in a lot of real components, including controllers that run industrial power plants and other industrial systems.

Now, as we were setting it up, our team discovered very quickly a number of critical security flaws in some of this equipment. Now, I’m not going to name any manufacturer, for obvious reasons, but I’ll tell you that in some of the equipment that we found the administrative password was hardwired into that system. And not only was it hardwired – now, it was an 8-character password, so I’ll give it that – but the password was 12345678, and that password was always sent in the clear.

Now, around the world across industries – airlines, power plants, banking systems, health care systems – security teams are charged and given the responsibility to defend systems that were never designed with security in mind. And on the other side of the attack they’re facing these customized weaponized malware. That gap, that advantage, seems to get bigger and bigger.

So, what I’m going to do over the next few minutes and the rest of this talk is talk about what we are seeing from a threat landscape perspective: what have we seen as the big trends over the last year, and how are we thinking about addressing this advantage gap.

Now, we’ve talked for a couple of years about the five stages of a breach.

1 The first stage where the attackers will do reconnaissance, they’ll do research on the organizations they are targeting, and in a lot of cases on the specific individuals within the organization they are targeting. We saw one attack where the attackers did a social media research on the IT professional they were targeting. They found out that that person had four children, and they led a spear phishing attack on that individual, offering him discounted health insurance for families that had more than three children. So, first stage – reconnaissance.

2 Second stage is the incursion stage: how they actually get into an enterprise. We saw an attack over the last year where a businessman had his smartphone compromised as he was going through the security line in a foreign airport. The attackers then got his corporate credentials off his smartphone and used that to enter the corporate network. So, second stage – incursion.

3 Third stage is the discovery stage. Our analysis shows that takes sometimes a few months within an organization as the attackers will map out the network as well as the critical assets on that network.

4 The fourth stage is the capture stage, where they get the assets that they were after, and the fifth stage is the exfiltration stage, where they’ll take the data out of the company.

So, what are the new trends we’re seeing across those stages?

Multi-Flank Attacks

Well, in the last year we’ve seen a growth in the number of campaigns that use what we call multi-flank attacks. What that is – is that the attacking group will run multiple attacks against an organization with the intent of confusing or distracting the security teams from the real purpose of that attack.

In one campaign we saw recently that attackers were running against a set of European regional banks, what the attackers did was they’d run a denial-of-service attack against the bank at around 5 o’clock on a Friday, and while the security teams in that bank were focused on dealing with the bandwidth starvation, the compute starvation that was happening and trying to keep their online site alive, the attackers then had a spear phishing led attack that got them into the enterprise, and they were really focused on stealing account information, credit card information, and debit card information.

Outcomes of the multi-flank attack
Outcomes of the multi-flank attack

So we’re seeing the growth in the number of these multi-flank attacks. What the attackers in that case did then was they created fake ATM cards, and then they went to an outsourced provider of money mules: individuals that took those ATM cards and went to ATMs around the world and drained bank accounts.

Those money mules weren’t working for the attacking group; they were part of an outsourced team. They, in fact, had no idea about the end-to-end operation. And in this case the attackers specified that they wanted money mules with lower than average IQ with the idea that not only would they not know about the rest of the attack, but the attackers wanted to make sure they were stacking the odds and they wouldn’t figure out the rest of the attack.

Evolving Cybercrime Ecosystem

Now, this is part of a bigger trend that we’re seeing. We’re seeing the evolution of a pretty robust ecosystem to provide the services associated with the various stages of an attack. It is now possible, for example, to contract out the development of sophisticated cyber weapons to developers in Europe, and it’s also possible to hire unskilled money mules to launder money and carry it though international airports.

Next, we’re seeing a big trend around the rising sophistication of the backend infrastructures that run these environments. In fact, it’s an interesting question, right? How do you run a large data center that gives you the compute power, the storage power and the bandwidth to run these large-scale operations when you have a lot of the law enforcement agencies of the world chasing you: the FBI, Interpol?

And what we’re seeing, in fact, to address that need is the growth of “bulletproof” hosting operations. What’s a bulletproof hosting operation? Well, it’s a sophisticated backend infrastructure, can be housed across multiple countries, and the countries are chosen such that they have a softer regulatory and enforcement environment. And then the operators will layer in many layers of obfuscation, such that it’s hard for the enterprise that’s targeted, or for law enforcement, to actually figure out who and where the attack is coming from.

Now, we’ve seen a lot of growth in the number of these “bulletproof” hosting providers over the last year, and in fact the growth has been so dramatic that it’s caused the offering to become commoditized, and actually caused a drop in the prices associated with this capability.

Forums offering 'bulletproof' hosting service
Forums offering ‘bulletproof’ hosting service

Typically, these vendors will price their offering by bandwidth and by the level of commonality, basically, of the content of the operation that you’re trying to run.

If you look here, for example (see right-hand image), you’ll see a forum posting, where they’re actually offering a bulletproof operation for anything you want except child pornography, and the pricing is $85 a month. So you can see how prices have dramatically dropped around this capability, because we’ve seen demand grow so much.

Malware Targeting Non-Traditional Systems

Another big trend that we’re tracking is the growth of malware that targets non-traditional environments, so, not PCs. You hear a lot of talk about mobile malware and certainly that’s a big trend we’ve been watching over the last year. But we’re also seeing a trend around malware that targets water utilities, power plants, lots of systems that are non-traditional systems.

It’s clear that this Internet of things has bad things in it too, and it’s attracting the activities of criminals and hacktivists. And we were reading over the last year that a leading electric car company, for example, did its first over-the-air software update. Now, that’s mostly a good thing, but it also means that we need to be more thoughtful going forward.

Rising Warfare Powers

A few dozen countries used to be capable of running cyber warfare operations
A few dozen countries used to be capable of running cyber warfare operations

Another big trend we’re seeing is what we’re calling sort of the rising powers. Now, even as late as two years ago, there was a very strong correlation between a country’s ability to conduct kinetic warfare – so, bombs and planes, and their ability to conduct cyber warfare. The reality was – it was really the top two dozen countries that were capable of running a cyber warfare operation.

Now, that’s changed dramatically over the last two years. Most countries now have a cyber command, and in fact, with the emergence of contractors that are capable of producing cyber weapons, or, in a lot of cases, repurposing existing cyber weapons, most countries also now have access to very sophisticated cyber weapons.

In fact, it’s interesting that a small country today can disrupt the operation of a country that is 1000 bigger than it in GDP over cyber warfare in the way that they, frankly, could never over kinetic warfare.

Not only are we seeing more countries enter the threat landscape, but we’re seeing organized criminals act in a more sophisticated way. A lot of their operations are becoming military grade because they have the resources, and now they have access to the same set of weapons.

And as the number of actors in the landscape increases, the motivations and the targets have become more diversified. What was a preparation for war, or, in some cases act of war, now can also be an act of espionage, an attempt to move currencies, or rig markets.

So, how do we deal with all those trends? Well, in this conference you’re going to hear a lot about big data and about security analytics, so I’m going to push it a little bit and say: you know why I love big data? I love big data because it gives us big intelligence – that’s why I love big data; otherwise it’s, frankly, just a storage cost, right?

So let me talk about what I mean. And really, there are three aspects of big intelligence that we are incredibly excited about.

The world’s cyber threat landscape
The world’s cyber threat landscape

The first aspect of big intelligence is really around expanding how situationally aware we are, really understanding what’s going on in the threat landscape.

At Symantec we’ve built what’s arguably the world’s largest big data backend for security analytics. We have sensors in over 200 countries and territories. We deal with 1.5-3 billion security events every day, and our big data analytic backend leverages 1.7 trillion pieces of information to deliver verdicts on 3.6 billion files and 100 million URLs. And we do that every 6 hours.

That’s allowed us to have an unprecedented view into what’s happening from a threat landscape perspective and deliver a quick verdict around whether a file is good or bad.

But for us that’s just been the beginning, because what we’re now doing is actually pushing on what we’re looking for. And we think the future is not about file focus, it’s not about “Is this piece of malware good or bad?” The bigger questions are going to be: who’s after you? What campaign are they running? And what are they after?

And so, what we’re now doing is getting a lot more information about attacks as they are run. We’re looking for attribution. Who’s driving this attack and how much fidelity do we have around who it is? Can we track it to individuals? Can we track it to an organization, a country? What are they after? What are the fingerprints of their attack, their specific tools that they like to use? Is there a specific campaign that they like to run? Like the people that I talked about that like to hit banks at 5 o’clock on a Friday.

And we start to build up an identity around the campaign and the attackers. And then we mine our data to say: “What are we seeing out there?” And based on this campaign, this attacker, this set of targets, let’s predict who the next set of targets are.

First thing big intelligence gives you is massive amount of situational awareness.

And so we’re able to reach out to companies and say: “We’re expecting that this type of campaign from this type of attacker will be run against you, and here is what you need to do against it.” That’s very powerful, when situational awareness moves from what file’s bad – to who’s attacking me, what are they trying to do, how are they trying to do it, and what are they targeting.

The next thing we love about big intelligence is not just knowing the outside, but knowing more about your own assets. And that’s the ability to look across your environment, both your estate that’s in your data centre, but also in your cloud that’s on your PCs but also on mobile devices, and get a good understanding on where your most important information assets are.

Because it turns out in security knowing whether this is a piece of spam or somebody’s MRI – well, that’s an important thing. We’re already pushing the envelope around using technologies, around fingerprinting, vector machine learning and big data analytics to get better and better handle on the amounts of information that companies have, because CSOs know the truth is it’s only less than 5% of all the data in your company that really matters, but that really matters and you really need to know where it is.

So, first thing big intelligence gives you – massive amount of situational awareness in a way that we’ve never done before as a security industry. Second – really understand your own assets. And then third – understand who you are. And what do I mean by that?


Well, what we’re really excited about is baselining what is normal for an enterprise, what is normal for an organization. How does your enterprise behave normally? How do your employees behave normally? Because the reality is in a lot of ways normal is the new intelligence, because if you know how you behave normally, then you can tell when you’re behaving abnormally. And that is a very powerful tool in understanding whether you’re under attack or not.

So, as we think about the future of big intelligence, we’re excited about its capabilities around situational awareness, understanding your assets and understating who you are.

No single point product will protect you
No single point product will protect you

Now, as we think about security as a whole, then big intelligence is a core part of it. All of us know, though, that as we look to the future of security, it’s not about a point product. There is no single point product that will protect you against advanced persistent threats.

And yet the reality is, if you walk down the booths at RSA, there are a lot of point products out there. You talk to companies, and they’ll tell you they’re kind of frustrated.

I was talking to the Chief Information Risk Officer at one of the largest banks in the world. They are an incredibly smart team; they spend about 300 million dollars a year on security. And he runs products, he said, from over 65 vendors. About a third of his budget is spent on the team’s operating, maintaining, integrating, patching those security products.

And he’s not happy; he’s not just unhappy because he spends so much money on integration that frankly he thinks we should do. But he’s also looking to the future saying: “Look, I can’t just keep adding products, and I can’t hire the people I need to maintain those products.” He doesn’t see that current path and course taking him to where he needs to go.

Ubiquitous protection technologies
Ubiquitous protection technologies

So, what’s the answer? As we look forward, one part of the answer is absolutely making sure that organizations, that individuals, that countries have all the right technologies they need to protect themselves in every part that they need.

Now, as every new surface area opens up, whether it was smartphones or the Internet of things, it’s important to realize the old surface areas don’t go away. There have been all these discussions around: the perimeter is dead, you don’t need firewalls; or the new perimeter is great; or endpoint security is dead. The reality is these things don’t go away. Every new thing has been incremental.

And so, first step: have all the right protections in all the right places, but drive the integration. That’s sort of the big thing we need to do here.

The second step that we need to do is actually bring in the big intelligence. And big intelligence isn’t only a problem at the perimeter, or a problem at the endpoint. The truth is every single security product in your environment needs to have those three types of intelligence: what’s happening out there, what are the important assets in our environment, and what’s normal behavior for us.

There’s a lot of discussion right now and a lot of exciting work done, for example, around next generation firewalls. We love that space, and this talks around when we’ve moved from protocols and ports to talking about applications. And that’s absolutely a step in the right direction. The next step is to be content aware; understand what is the content actually going through your firewall, and that’s true whether you’re in the perimeter or at the endpoint, or even hosting your data in the cloud.

Delivering human expertise
Delivering human expertise

So, next big ask, I think, of us as an industry, is really have that big intelligence across the environment. And then third, increasingly companies will look to security partners to deliver human expertise.

Part of it is driven just by simple supply and demand. The Bureau of Labor statistics said recently that the unemployment rate in IT security is 0%, and there was a recent study from Comp TIA that actually said that if you add it all up, the computer security segment in companies is actually under-resourced by about 30%.

So the reality is we’re either at 0% unemployment or there’s a deficit, and what that means is that companies are going to look to security partners to give them that security intelligence. Fewer said it’s the bigger security partners that can give them that security intelligence to help them with their environment, and they’ll want to consume it as a service, being able to draw down that expertise more when they feel like they are facing an attack, or they’ve just gone through an attack and are thinking about how to remediate their environment.

The computer security segment in companies is actually under-resourced by about 30%.

So, that’s how we think about security going forward. Now, a lot of you know that at Symantec we’ve actually gone though a deep review over the last few months and announced the next generation of our strategy at the end of January. A lot of the thinking that I’ve shared with you today has been pretty foundational for us. And so, what can you expect from us?

1. You can expect accelerated innovation with a focus on driving big intelligence across our entire portfolio.

2. You can expect newer, bigger offerings that are pre-integrated, so that we can take the cost out of integration away from our customers and deliver that internally ourselves.

3. A deeper focus on partnerships, both in the public and in the private sector, and even partnerships with other security companies. We’ll deliver better protection for our customers. Most of all, though, you can count on us for a renewed commitment and deep passion for giving the advantage back to the good guys. Thank you very much!


Please enter your comment!
Please enter your name here