Symantec brings reputation-based security to business

Symantec has announced that it will introduce reputation-based 'Insight' technology to its enterprise and small business endpoint security tools before the end of the year.

Announcing Endpoint Protection Suite 12 at RSA Conference in San Francisco, Symantec said that it would open its new product up to public beta in April.

'Insight' - already a feature in Symantec's Norton consumer products - moves beyond the traditional signature-based approach to protecting devices and networks from malware.

Unmesh Deskmukh, business development director of endpoint security sales at Symantec described how the rate at which malware is morphing has signature-based detection "in a spin."

In January 2007, he said, Symantec identified 250,000 viruses. By contrast, in December 2010 it identified 286 million - most being slight variations on existing threats.

The average threat mutates every 15 times it is picked up by a Symantec customer, he said.

"Signature-based scanning is not going to keep up," he said.

So rather than rely on signatures, 'Insight' relies on the reputation gleaned by the attributes of a given executable file - what date the file was created, how many other of Symantec's 175 million endpoint devices have already encountered it, its source and behavioural traits.

The system assigns a score based on this criteria, from which the user can make a more informed decision as to whether to execute the file.

"It's like a restaurant or hotel rating system," he said.

Deskmukh said this should give security vendors the upper hand.

"If a malware writer creates a threat that mutates too little, it is easy [for signature-based scans] to discover and fingerprint," he said. "If it mutates too much - Insight finds it."

Deskmukh agreed that to a certain extent, 'Insight' is fighting a war already won on the desktops of consumers with existing deployments of reputation-based tools. But he said the tiny percentage of threats that might otherwise have got through undetected are still of great concern to chief security officers in the enterprise.

"We tend to spend more time fine-tuning the enterprise products, so we introduce technology into consumer products first, typically," he said.

Performance and other virtual gains

Deskmukh said Version 12 of the endpoint suite should also result in better performance - as the software can now glean what files haven't changed since the last scan and omits them from its workload.

The product has also been optimised for virtual environments - its management console finally capable of managing multiple virtual instances.

Also, files found to be 'clean' by a scan of one virtual machine can now automatically be added as an exception across multiple other virtual machines to reduce the potential for 'AV storms'.

"We have also randomised scans so that the entire system isn't burdened by scans," Deskmukh said.

The company said it would release the product at an unspecified date in the second half of 2011.

Brett Winterford travelled to Tokyo as a guest of Symantec.