
Network-Based Protection

May 6, 2012

Network-based protection is a set of technologies designed to block malicious attacks before they have a chance to introduce malware onto a system. Unlike file-based protection that must wait until a file is physically created on a user’s computer, network-based protection starts to analyze the incoming data streams that arrive onto a user’s machine via network connections and blocks threats before they hit the system.

Top threat vectors that Symantec’s network-based technology protects against:

  • Drive-by Downloads and Web Attack Toolkits
  • Social Engineering Attacks – FakeAV and Fake Codecs
  • Attacks via Social Media such as Facebook
  • Detection of Malware, Rootkit and Bot Infected Systems
  • Obfuscated Threat Protection
  • Zero-day threats
  • Protection from Unpatched Software Vulnerabilities
  • Protection from Malicious Domains and IP addresses

This category consists of three distinct protection technologies:
  1. Network Intrusion Prevention Solution (Network IPS)
    The protocol-aware IPS understands and scans over 200 different protocols. It intelligently and accurately breaks apart binary and network protocols, looking for signs of malicious traffic. This intelligence allows for highly accurate network scanning while delivering robust protection. At its heart is a generic exploit-blocking engine, which provides evasion-proof blocking of attacks on vulnerabilities. A unique feature of the Symantec IPS is that no configuration is needed to enable Network IPS protection capabilities out of the box. Every Norton consumer product, and every Symantec Endpoint Protection release from 12.1 onward, enables this crucial technology by default.

  2. Browser Protection
    This protection engine sits inside the browser and can detect the most complex threats that traditional antivirus and Network IPS methods are unable to detect. Many network-based attacks today use obfuscation to avoid detection. Because Browser Protection operates inside the browser it is able to watch de-obfuscated code as it executes and so is able to detect and block attacks which are missed at lower layers of inspection within the protection stack.

  3. Un-Authorized Download Protection (UXP)
    Within the Network-based protection layer, this last line of defense helps mitigate unknown and unpatched vulnerabilities, without the use of signatures, providing a further layer of insurance against zero-day attacks.

Targeting the Problems

Together these network-based protection technologies address the following problems:
  1. Drive-by Downloads and Web Attack Toolkits

    Leveraging the Network IPS, Browser Protection, and Symantec’s UXP technology, Symantec’s Network Threat Protection technologies block drive-by downloads and keep malware from ever reaching the end system. Symantec uses a variety of prevention methods with these technologies, including Symantec’s Generic Exploit Blocking technology (described below) and Symantec’s generic web-attack toolkit detection. The generic web-attack toolkit detection analyzes the network characteristics of common web-attack toolkits regardless of the vulnerabilities being attacked, delivering additional zero-day protection against new vulnerabilities as well as protection against the web-attack toolkits themselves. The best part of this protection against web attack toolkits and drive-by downloads is that the malware that would have silently infected a user's system is proactively stopped and kept off the system, something usually missed by traditional detection technologies. Symantec continues to block tens of millions of variants of malware that are not usually detected by any other means.

  2. Social Engineering Attacks

    Since Symantec’s protection technologies look at network and browser traffic as it is being rendered, Symantec is able to use the intelligence of the endpoint to determine whether a social engineering attack, such as a fake antivirus solution or fake codec, is popping up. Symantec’s technologies work to block social engineering attacks before they are displayed, thwarting their attempts to trick the end user. Most competing solutions do not include this powerful capability. Symantec’s solution stops millions of attacks that, if left to execute, other traditional signature-based technologies would normally not detect. Symantec blocks hundreds of millions of social engineering attacks with the network threat protection technology.

  3. Attacks targeting Social Media Applications

    Social media applications have become a way to instantly share personal and professional updates, interesting videos and information with thousands of your friends. This instantaneous quest for updates and the breadth of those networks also make them a key focus for attackers seeking to infect you. Some of the common attacker techniques include compromising accounts and sending out spam or malicious links, tricking users into taking fake surveys, or Facebook “Likejacking” attacks, where a user is lured into clicking on a link to watch a video while an invisible “Like” button follows the mouse cursor around. You instantly Like the update whether you intended to or not.

    Symantec’s IPS technology can protect against these types of attacks, often thwarting them before the user is ever tricked into clicking on something. Symantec stops rogue and malicious URLs, applications and scams with the network-based protection technology.

  4. Detection of Malware, Rootkit and Bot Infected Systems

    Wouldn’t it be nice to know where the infected computers are in your network? Symantec’s Network IPS solution provides this capability and includes detection and remediation of threats that might have bypassed other protection layers. Symantec detects malware and bots trying to ‘phone home’ or fetch updates to spread more malicious activity. This gives IT managers a clear punch-list of infected systems to investigate and the assurance that their enterprise is secure. Polymorphic and otherwise challenging threats that use rootkit methods to hide, such as Tidserv, ZeroAccess, Koobface and Zbot, can be detected and stopped using this method.

  5. Obfuscated Threat Protection

    Today’s web-based attacks use complex methods to hide or obfuscate attacks. Symantec’s Browser Protection sits inside the browser and can detect highly complex threats that traditional methods usually do not.

  6. Zero-Day and Unpatched Vulnerabilities

    One of Symantec’s more recent protection additions is an added layer against zero-day and unpatched vulnerabilities. Using signature-less protection, Symantec intercepts system API calls and prevents malware from being downloaded, a technology Symantec calls Un-Authorized Download Protection (UXP). This is the last line of defense within Symantec’s Network Threat Protection technology and helps mitigate unknown and unpatched vulnerabilities without the use of signatures. This technology is enabled automatically and has been shipping since the debut of Norton 2010.

  7. Protection From Unpatched Software Vulnerabilities

    Malware is often silently installed on systems by exploiting software vulnerabilities. Symantec’s Network Protection solutions provide an additional layer of protection called Generic Exploit Blocking (GEB) technology. Whether or not a system is patched, GEB ‘generically’ protects against the exploitation of the underlying vulnerabilities. Vulnerabilities in Oracle Sun Java, Adobe Acrobat Reader, Adobe Flash, Internet Explorer, ActiveX controls, or QuickTime are commonly found in today’s threat landscape. Symantec created its Generic Exploit Blocking protection by reverse engineering how a vulnerability could be exploited and then looking for the characteristics of that exploitation on the network, essentially providing a network-level patch. A single GEB or vulnerability signature can protect against thousands of variants of malware that Symantec or other security vendors have not seen before.
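    The difference between a protocol-aware vulnerability signature (the IPS engine described in item 1 above and the GEB technology described here) and a conventional exploit signature is easiest to see in code. The following is an added example written for this page, not Symantec's engine or any real GEB rule. It defines a constructed toy protocol ("TOY1") and a hypothetical flaw in a receiver that copies a name field into a 64-byte buffer; both the protocol and the limit are assumptions. The exploit-specific rule matches one sample's byte pattern, while the vulnerability rule parses the message and flags the structural condition the flaw requires, so it also catches a variant it has never seen.

```python
"""Added example (not Symantec code): a vulnerability-condition rule in the
spirit of Generic Exploit Blocking, compared with a byte-pattern signature.
The protocol, the buffer limit and all samples are constructed for illustration."""
import struct

# Constructed toy protocol: 4-byte magic, 2-byte big-endian name length,
# the name bytes, then an arbitrary body. Not a real protocol.
MAGIC = b"TOY1"
# Hypothetical flaw: the vulnerable receiver copies the name into a 64-byte buffer.
SAFE_NAME_LIMIT = 64


def parse_message(data: bytes) -> dict:
    """Break the message into its fields, rejecting malformed input."""
    if len(data) < 6 or data[:4] != MAGIC:
        raise ValueError("not a TOY1 message")
    (name_len,) = struct.unpack(">H", data[4:6])
    name = data[6:6 + name_len]
    if len(name) != name_len:
        raise ValueError("truncated name field")
    return {"name_len": name_len, "name": name, "body": data[6 + name_len:]}


def exploit_specific_rule(data: bytes) -> bool:
    """Traditional signature: matches the byte pattern of one known sample only."""
    return b"\x90\x90\x90\x90" in data  # constructed marker taken from one sample


def vulnerability_rule(data: bytes) -> bool:
    """GEB-style rule: flags the condition the flaw needs, whatever the payload bytes."""
    try:
        msg = parse_message(data)
    except ValueError:
        return False  # malformed traffic is handled elsewhere in a real engine
    return msg["name_len"] > SAFE_NAME_LIMIT


def build(name: bytes, body: bytes = b"") -> bytes:
    """Assemble a TOY1 message (used only to construct the samples below)."""
    return MAGIC + struct.pack(">H", len(name)) + name + body


# Constructed samples: a benign message, the one sample the byte signature was
# written from, and a variant that triggers the same flaw with different bytes.
BENIGN = build(b"printer-01", b"hello")
KNOWN_SAMPLE = build(b"A" * 200 + b"\x90\x90\x90\x90")
VARIANT = build(b"B" * 300 + b"\x41\x42\x43\x44")


def evaluate(samples: dict) -> dict:
    """Return {name: (exploit_signature_hit, vulnerability_rule_hit)} per sample."""
    return {name: (exploit_specific_rule(s), vulnerability_rule(s))
            for name, s in samples.items()}


if __name__ == "__main__":
    results = evaluate({"benign": BENIGN, "known": KNOWN_SAMPLE, "variant": VARIANT})
    for name, (sig, geb) in results.items():
        print(f"{name:8s} exploit-signature={sig!s:5s} vulnerability-rule={geb}")
```

The benign message trips neither rule, the known sample trips both, and the variant trips only the vulnerability rule. That is the "network-level patch" effect: one rule keyed to the flaw covers every payload that has to violate the same limit to exploit it.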

  8. Malicious IP and Domain Blocking

    Symantec’s Network-based Protection also includes malicious IP and domain blocking capabilities, preventing malware and malicious traffic from known malicious websites from ever reaching the system. By leveraging analysis from the Security Technology and Response (STAR) team to identify malicious websites and distributing the results via LiveUpdate, Symantec delivers real-time protection against continually changing threats.
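    The check behind a malicious IP and domain blocklist has two details that are easy to get wrong: domains must match by suffix (so a subdomain of a listed domain is caught but a look-alike such as a listed name used as a prefix of a longer domain is not), and IP addresses must match against ranges rather than exact strings. The following is an added example for this page, not Symantec's implementation; the blocklist entries are constructed placeholders from reserved documentation ranges and names, not real indicators.

```python
"""Added example (not Symantec code): a small malicious domain / IP block check.
Domains match by label suffix, IPs by CIDR membership. All entries are constructed."""
import ipaddress
from typing import Iterable

# Constructed placeholder indicators (reserved example names and ranges, not real IoCs).
BLOCKED_DOMAINS = {"evil.example", "malware.invalid"}
BLOCKED_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


def normalize_host(host: str) -> str:
    """Canonicalise a host string: lowercase, no trailing dot, port stripped."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("["):            # bracketed IPv6 literal, possibly with a port
        host = host[1:].split("]")[0]
    elif host.count(":") == 1:          # hostname:port or IPv4:port
        host = host.split(":")[0]
    return host


def domain_blocked(host: str) -> bool:
    """True if the host or any parent domain of it is on the blocklist."""
    labels = normalize_host(host).split(".")
    # Walk the suffixes: a.b.evil.example -> b.evil.example -> evil.example -> example
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def ip_blocked(host: str) -> bool:
    """True if the host is an IP literal inside a blocked range."""
    try:
        addr = ipaddress.ip_address(normalize_host(host))
    except ValueError:
        return False  # not an IP literal; leave it to the domain check
    return any(addr in net for net in BLOCKED_NETWORKS)


def should_block(host: str) -> bool:
    return ip_blocked(host) or domain_blocked(host)


def filter_connections(hosts: Iterable[str]) -> dict:
    """Map each destination to its block decision, e.g. for a connection log."""
    return {h: should_block(h) for h in hosts}


if __name__ == "__main__":
    # Constructed sample destinations.
    for host, blocked in filter_connections([
        "cdn.evil.example:443", "evil.example.com", "notevil.example",
        "192.0.2.77", "198.51.100.5", "[2001:db8::1]:8080",
    ]).items():
        print(f"{'BLOCK' if blocked else 'allow'}  {host}")
```

Note that evil.example.com is allowed: "evil.example" is a prefix of it, not a suffix, so it is a different registrable domain. Matching on substrings instead of labels is a common way such lists produce both false positives and bypasses.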

  9. Improved Evasion resistance

    Additional encoding support has been added to improve detection efficacy and evasion resistance against attacks that are encoded with common techniques such as base64 and gzip.
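    Why encoding support matters for evasion resistance is shown by this added example, written for this page and not taken from Symantec's engine. A signature applied to raw bytes misses a payload the sender has base64-encoded or gzip-compressed (or both, nested); the same signature applied after peeling those layers catches it. The marker string stands in for a real signature and the samples are constructed. Decoding is bounded in depth and in inflated size, since a decoder that inflates without limits is itself a denial-of-service target.

```python
"""Added example (not Symantec code): normalise base64 and gzip layers before
applying a signature. The signature and all samples are constructed."""
import base64
import binascii
import gzip
import re
import zlib

SIGNATURE = re.compile(rb"EVIL-MARKER-1234")   # constructed stand-in for a real signature
MAX_LAYERS = 5                                 # encoders can be nested; bound the peeling
MAX_DECODED = 1 << 20                          # cap each inflated layer at 1 MiB (bomb defence)


def try_base64(data: bytes):
    """Return the decoded bytes if data is well-formed base64, else None."""
    compact = re.sub(rb"\s+", b"", data)
    if len(compact) < 8 or len(compact) % 4:
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def try_gzip(data: bytes):
    """Return up to MAX_DECODED bytes of inflated content if data is gzip, else None."""
    if data[:2] != b"\x1f\x8b":
        return None
    try:
        # wbits=16+MAX_WBITS selects gzip framing; max_length bounds the output size
        return zlib.decompressobj(wbits=16 + zlib.MAX_WBITS).decompress(data, MAX_DECODED)
    except zlib.error:
        return None


def decode_layers(data: bytes):
    """Yield the raw payload, then each successfully peeled inner layer."""
    current = data
    yield current
    for _ in range(MAX_LAYERS):
        inner = try_gzip(current)
        if inner is None:
            inner = try_base64(current)
        if not inner or inner == current:
            return
        current = inner
        yield current


def naive_match(data: bytes) -> bool:
    """Signature on the raw bytes only."""
    return SIGNATURE.search(data) is not None


def normalized_match(data: bytes) -> bool:
    """Signature on the raw bytes and on every decoded layer."""
    return any(SIGNATURE.search(layer) is not None for layer in decode_layers(data))


# Constructed samples: the same payload in plain, base64, gzip and gzip-then-base64 form,
# plus an encoded but harmless message.
PLAIN = b"GET /x HTTP/1.1 ... EVIL-MARKER-1234 ..."
B64 = base64.b64encode(PLAIN)
GZ = gzip.compress(PLAIN)
GZ_B64 = base64.b64encode(gzip.compress(PLAIN))
CLEAN = base64.b64encode(b"nothing to see here")


def compare(samples: dict) -> dict:
    """Return {name: (naive_hit, normalized_hit)} for each sample."""
    return {n: (naive_match(s), normalized_match(s)) for n, s in samples.items()}


if __name__ == "__main__":
    results = compare({"plain": PLAIN, "b64": B64, "gz": GZ, "gz_b64": GZ_B64, "clean": CLEAN})
    for name, (raw, norm) in results.items():
        print(f"{name:7s} raw-match={raw!s:5s} normalized-match={norm}")
```

The raw matcher only fires on the plain sample; the normalising matcher fires on all four encodings of the payload and stays quiet on the harmless encoded message. In a browser-side engine the same idea is applied to script rather than transport encodings: watch the content after it has been decoded, not the bytes on the wire.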

  10. Network Audit Detection for Policy Use Enforcement and Data Leakage Identification

    Network IPS can be used to identify applications and tools that may violate corporate use policies or be used for data leakage over the network. It is possible to detect, alert on or prevent traffic such as instant messaging, peer-to-peer, logging in to open shares, social media and other 'interesting' traffic.

  11. STAR Intelligence Communication Bus

    The Network Protection technology doesn’t work by itself. This engine shares intelligence with Symantec’s other protection technologies using the STAR Intelligence Communication Bus (STAR ICB). The Network IPS engine communicates with the Symantec SONAR engine as well as the Insight Reputation engine, allowing for more informed and accurate protection that no other security company can deliver.
