What follows is a transcript of my discussion with Dave Cole, Director of Security Response at Symantec, where we discuss the lessons Symantec has learned over 25 years in the security business, organized crime 2.0, the evolution of Symantec's endpoint security protection, how small to medium-sized companies are supposed to defend themselves against what has become a big-business criminal enterprise, and finally, exactly what the online security landscape will look like 25 years from now (OK, more like in a year or two).
With 25 years in the computer security business, what are some of the key lessons that Symantec has learned?
One of the first things we've learned, and I think this is true of many technology vendors out there, is that there is no silver bullet. At the end of the day, there isn't one technology, there isn't one magic product that you can sprinkle out there like so much fairy dust and make the problems go away. It's really a combination of approaches, a combination of technologies along with the people element. It's a combination of people and technology at the end of the day that wins the game. In terms, as well, of process, and considering internal processes, particularly when you look at larger organizations. So, those are a couple of things.
The other thing that I'd mention is that, you know, it's gotten a lot worse out there over the years in terms of the aggressiveness of attacks. We've moved from a variety of attacks that were really sort of like digital graffiti and vandalism to one that is overtly criminal and financially motivated. So, it's sort of gone from being a mild storm out there to a complete online hurricane, and you've got to layer up, you've got to layer up your defenses now. So, there was a mantra a long time ago of defense-in-depth and it's still very much true today, so a lot of the tried and true principles that were brought out 20-25 years ago are still very much at play today. One of the things we've learned, to kind of summarize it, is that at the end of the day no one ever wins this. Much like complex social issues, at the end of the day, there will always be online crime. Particularly as the internet has permeated society and our lives, when you make progress against one threat, you sort of push it in the other direction. So, absolutely, we've made progress, a lot of progress over the last 20-25 years, but since the attackers have gotten more criminal and financially motivated, when you shut down one avenue of attack, they simply move to another. It's a lot like squeezing the air in a balloon.
On your web site I saw a reference to organized crime 2.0. Can you elaborate on organized crime 2.0 a little bit?
Sure, the overall concept behind this is that online crime is, frankly, organized. There are people that are working together in concert as part of a fraudulent economy. So, they don't each have to conduct the whole attack end to end. Indeed, there are people out there who simply create malware, who create Trojan horses and bots, and sell those to other people who might use those to infect people and steal their credentials, and then in turn, the people who steal the credentials may not monetize that themselves and may not actually turn that into illicit debit or credit card transactions. They may sell these on the black market to someone else who monetizes it directly. So, there are groups of folks out there working in these online fraudulent economies where they're exchanging goods. Some of them are conducting end-to-end attacks, but it's a group of people working in concert. So what's intended is that the online criminal world has evolved to the point where they are loosely organized or closely knit at this point.
We got our first real view into this back in 2004 with a bust called Operation Firewall that was conducted by the Secret Service and other organizations, where the Shadowcrew was busted up, and this group was so organized that they actually had, like, an eBay system set up for exchanging goods and setting up trust relationships between the different fraudsters. So that was one of the first big hints that this type of organized crime was happening online.
Can you explain the evolution of Symantec's endpoint security protection?
We started out with anti-virus, and there was a day when the mantra was anti-virus and you're protected. Then it went to anti-virus and a firewall pretty quickly, and then people started talking about intruder detection and so forth. What you see continually over time is that additional layers are being added, such that, you know, most mature organizations today aren't just using a firewall or an anti-virus, but they're using a security suite. So we see forward-thinking organizations buying a product that has intrusion prevention, anti-virus, anti-spyware, a firewall, all inside the same client. No one wants to deploy a whole bunch of different agents out there and separately manage those, separately update them, so that's the evolution from point products to complete client products.
Secondarily, solutions have really moved from where they're reactive to where they're proactive. Reactive would be blocking, detecting, removing known threats, things that have a name, Slammer and Blaster and so forth. Today, we're seeing such a flood of unknown threats, thousands of variants out there, new types of malware that are just being released to try and sneak under the radar of security vendors, that blocking previously unknown threats based upon behavior, based upon their using a particular vulnerability exploit, is really important. The last one I'll mention is that historical solutions really considered a machine in isolation. It wasn't expected that you would be moving around to different wireless hot spots; you weren't connecting your smart phone, your camera, thumb drives into it. You know, you were using a 3 ½ inch floppy or something along those lines. Today's machines are very different. I mean, most corporate workers, particularly mobile workers, just have their laptops, and they're shuttling them around and connecting in thumb drives and so forth and connecting to hot spots. Or maybe they have dedicated broadband access, but you have to assume that, you know, your device isn't going to be sitting inside the protective castle walls of your network perimeter. So this ups the ante for defenses, and it also means things like adjusting security to what zone you're in, whether you're in an unknown wireless hotspot or whether you're within the network perimeter. And things like device control and analyzing USB connections are incredibly important today, and those things really didn't exist before.
With this explosion of threats, how are small to medium-sized companies supposed to defend themselves?
A lot of the tried and true principles are really independent of organization size. But one of the things I'd say for a small to mid-size business is really look for completeness in an all-in-one solution. So again, what I'd target is, if you're going to put something at the network perimeter, really consider a unified threat management client, something that combines spam filtering, anti-virus, anti-spyware, web filtering and so forth into one package so you don't have to manage a whole bunch of different devices. Something like Symantec Client Security that bundles in your anti-virus, your intrusion prevention, your anti-spyware, firewall into one agent so you don't have to separately manage and update these. So, very much using these layered, easily managed defenses that are sort of all-in-one and make your life easier.
Secondly, ease of management, in general, would be one of the things to look for, so selecting technology that your scarce IT resources can effectively manage is incredibly important. We know that these organizations don't have the huge IT budgets or staff to manage this stuff. Choose a product that you're comfortable with, that you can use, that you can manage effectively without devoting a lot of time to day-to-day updating and management. And then, lastly, choose a company that has good support, where you feel like you're getting the attention you need and deserve as a small to mid-size business. So, I think, coming back to it, look for that completeness, the all-in-one type solution, ease of management, and choose an organization that's providing you the level of support that you think you need.
I know that it's basically just about impossible to predict what security will look like 25 years from now, but what do you see as the future of threats to security?
One of the things we call out is that historically threats have been global in nature. There have been a few regional threats, but it's been pretty global, meaning, if you were to take a group of security administrators from across the globe 5 years ago or even today and sit them in a room and talk about Slammer, Blaster, Nimda, Code Red, they would all pretty much understand what you were talking about. What we're seeing now is that threats are getting much more regional in nature; they're getting specialized to areas like Asia, the U.S., Latin America, and as a result, the threats are getting a little more deceptive. We're seeing a lot more focus on people exploits as opposed to vulnerability exploits. So, Trojan horses, phishing, fake security and other misleading applications that are intended to deceive people, and if you're trying to deceive someone, it doesn't make a whole lot of sense to send an Italian person a message in Chinese. So, we see this regionalization, and this focus on deceiving people as opposed to simply trying to exploit the operating system flaws like has been done in the past.
And you will certainly see a lot more focus on third-party application exploits, which is a natural evolution. People have gone from exploiting the network to exploiting the operating system, to exploiting third-party applications, web browsers such as Internet Explorer or Mozilla. But where we see this ending up is that a lot of the attacks will be exploiting people's lack of Internet street smarts and their online savvy. So, again, Trojan horses, spam, phishing attacks, sort of pushing that envelope.
The last couple of things I'd mention is the trend toward virtualization, which is just starting to be understood from a security perspective. It's fairly early in that arena, so as organizations move to wholly adopt virtualization for a number of reasons, for cost purposes, management purposes and so forth, we've yet to fully understand the impact that virtualization is going to have on the security landscape. So that will be interesting to watch. And lastly, we're starting to see the evolution of threats that are service-specific. So, take a look at the wild world of Web 2.0, and social networks like MySpace or Facebook; take a look at things like Second Life and these virtual worlds that are out there. We've seen some pretty interesting custom worms that exist only inside those services and only affect people using those services, so, again, attacks in the future may not just be region-specific, but they may also be specific to the online communities and services you're using.