Symantec Announces Encryption Enhancements, File Reputation-Based Anti-Malware

Symantec is introducing removable storage data leak prevention, enhanced performance and laptop anti-theft protection, the first encryption product announcements following the simultaneous acquisition of GuardianEdge and PGP in April. Symantec also unveiled its file reputation-based anti-malware technology, Ubiquity, designed to counter the "long tail" malware distribution model, in which millions of malicious variants are distributed to small numbers of users.

October 5, 2010

Network Computing


Symantec plans tight integration of GuardianEdge and PGP in the future. GuardianEdge and PGP have some overlapping products and technology, but GuardianEdge, which Symantec sold as Symantec Endpoint Encryption under an OEM partnership, focused primarily on endpoint encryption and device control. One of the prime benefits of the acquisition of PGP, which has a more diverse portfolio, including e-mail and messaging encryption, is its key management technology. Symantec announced several new capabilities in its combined encryption product line.

PGP Whole Disk Encryption now can make use of Intel Anti-Theft technology, a chip-based technology that allows admins to activate a "poison pill" that effectively disables a laptop if it is stolen or lost, or if it fails to connect to the corporate network in a predetermined number of days. Anti-Theft is also an effective way to securely dispose of old laptops.

PGP Whole Disk Encryption leverages another Intel technology, the AES-NI instruction set, which enhances performance by 40 percent. This can be particularly important for the newer solid-state hard drives. Encryption technologies have taken advantage of the inherent latency in traditional drives, but with the faster I/O available with SSDs, software encryption would be the bottleneck. Supporting AES-NI makes sense in cases where IT can't install encrypted drives from companies like Seagate and Samsung.

Symantec is bolstering its endpoint software by integrating Endpoint Encryption Removable Storage Edition and Endpoint DLP to allow automated policy-based encryption of information copied to USB drives, DVDs, etc. Symantec Endpoint Encryption Device Control manages the use of portable storage devices by monitoring device usage and file transfer activity, controlling access to ports, devices and wireless networks, and restricting users' ability to copy protected classes of information.

The Ubiquity announcement is Symantec's file reputation-based approach to counter the enormous proliferation of automatically generated malware variants (Symantec says it found 240 million unique malware threats in 2009), which has rendered the traditional signature-based blacklisting approach less and less effective. "That model worked reasonably well when you had well-known threats," said Gerry Egan, director of product management for Symantec's Security Technology and Response Group. "With the micro distribution model of today, if a threat is only distributed to one or two devices, how do you get a copy of that?"

Symantec collects file attributes about executable files from its end-user community (1.5 billion files to date, adding about 22 million per week) and runs them through a set of algorithms to determine the likelihood that they are malicious. So, in a simple example, an executable that has been used many times without incident is likely to be legitimate, while an executable that appears only a handful of times is highly suspicious.

Ubiquity will allow enterprises to set response policy on files, so that, for example, known bad files would be blocked and known good files allowed. Questionable files might be left to user discretion, but there would be an audit trail to provide accountability if a user decides to download a file that proves to be malicious. Ubiquity is already incorporated in Symantec's Norton line of consumer products as well as its Symantec Hosted Endpoint Protection Service, and will be introduced into its business-grade products over the next year, starting with its Web Security Gateway.
