Why Black-list, try White-list

CIOL Bureau

Symantec Research Lab is in a way the epicenter of this security major's back-stage action in innovation, generation of new ideas, and development of next-generation technologies.

Its projects include both long-term investigations and short-term innovations for all of Symantec's businesses. Its Messaging Security solutions in particular claim to ensure that critical IT systems, and the information assets they contain, are protected from risks such as viruses, spam, and data leakage.

Symantec's strategy for its integrated messaging security solutions is known as Enterprise Messaging Management. The basket contains Information Foundation 2007, Enterprise Vault, Mail Security 8300 Series Appliance, Mail Security for MS Exchange, for Domino, IM Manager, Hosted Mail Security, Mobile Security, Messaging and Collaboration Security Services, Archiving and Retention Services, Data Migration Services to name a few.

Joe Pasqua, VP of Research, Symantec Research Labs, was in India for a short visit this week. Pratima Harigunani of CyberMedia News catches up with him on what's brewing in Symantec's petri-dish when it comes to messaging security, the trends and threats it is gearing up for, its response to competitive salvos, and how it is preparing to counter concerns over the portfolio integration of acquisitions made and underway.

What kind of work is currently hot at SRL specifically in the realm of messaging security?

The team is working on a number of technologies to enhance approaches already present in our products, like the ones from Vontu. We are also researching the performance and scalability of some products. The boundary-less enterprise, SaaS models, and long-term market trends in data loss prevention and messaging continue to keep us going. The challenge today is how to enable enterprises to work without the walls and still maintain the security and integrity aspects.

Any significant changes that intrigue you in terms of how the whole messaging landscape is evolving?

Yes, one thing I find particularly interesting is the time we spend on scanning good messages just to spot and pick out the bad ones. It is harder to spot and leaf through a good message than a bad one. So why not work the other way around?

We are hence working on improving the overall scanning performance beyond what was possible traditionally. This would cover more messages per second, higher throughput, and closer work with the product team.

Where else are you trying this 'flip-it' approach, and how right has it turned out to be so far?

There are a number of projects that are attacking the same problems in a different way. Innovative technologies and virtualization are some of them.

Virtualization? How?

Virtualization is the latest trend and the future too. But there are drawbacks on management, administration, cost issues, etc. The challenge is how to keep the virtualization environment safe, because it comes in many forms.

It's not just desktop virtualization but things like storage, etc. too. In terms of research, we are looking at ways to use virtualization to insulate from malware.

Imagine a malicious program attacks: we can keep it in a virtualized cocoon, gauge its real impact, and then let it take off. The core technology of virtualization can have new applications as a security tool.

Convergence of threats is now a palpable reality. Are we ready to tackle a new scenario?

Yes, it is. But the problem is not only that they are converging; a bigger problem is the way that they are doing so. This is being done in a way you have never thought of before.

We are trying to look at these problems more generically, and to look at detecting the result of the convergence of threats instead. So we don't just look at the software or threat but at the behavior, i.e. not just what they are, but what they do.

The fingerprint of bad behavior is assuming more importance than the fingerprint of bad software. So we try to find and block these behaviors rather than just creating a list of what's happening.

How serious is the threat transition from mass to personalized attacks, from technological to commercial, and from text to PDF?

There are a slew of projects going on, in a number of different ways, on the personalized front. Simply because there is no one answer here. Today, malware detection works by finding a threat, making a list, taking fingerprints, scanning them, doing the match-making, and then resorting to appropriate action. But the number of malware is growing geometrically and the number of signatures is rising astronomically.

A single signature in the past could protect hundreds or thousands of users, but not any more. So what if, instead of identifying bad programs, we identify good ones and create a White-list rather than a Black-list?

People across the world and businesses have tried this concept of White-listing, but no one, to my knowledge, has been able to make it work.

Approaches have been tried and have failed. We are testing some technologies here with very promising results so far. Now we have to work on how to turn them into market- and product-level technology.

How much of a concern arising from the products and acquisition spree of competitors, like the McAfee ePolicy Orchestrator, is a spur for action at SRL?

Our research direction works in alignment with major trends, including technology trends and also where our competitors are going. But technology and trends are the bigger pieces in the puzzle we love to crack.

We surely always keep an eye on where the competitive technology is going, but a lot of our action and output comes out of the first two directions. We want to differentiate and innovate in ways of lasting competitive value, and hence take on projects of high impact.

Symantec has been under a grey cloud of concern off and on when it comes to simplifying and integrating acquisitions. Could you delve into how Project Hamlet handles that issue?

Well, it's not specific to Hamlet, but overall Symantec has been learning important lessons in integrating acquisitions. One of them is that too much or wrong integration is not a good thing. In the past, we used to throw open the covers of the technologies from both sides and integrate at gut level.

Too low a level of integration consumes too much detail and time. We have learnt this through hard lessons. So now we are looking at going the other way round and doing it at a high level with a new collaboration architecture.

Could you share more on this collaboration architecture and how much of it is already seeing the light of day?

Whether it's existing or new acquisitions, here we build a bridge that helps the two technologies integrate at the data or operational level. It is a roadmap of three phases that will bring all products into our fold, thus integrating them at a high level and not the gut level.

It's all ready, in its infant stage, and several products and technologies are being integrated under this new architecture now. Acquisition integration will now happen much more efficiently.