If a cybercriminal wants access to your computer, he has some options. He can use brute force, by jamming harmful data down your Internet connection. He can find a security hole in a widely used software application and sneak in that way. Or he can get you to invite him in by sending you an innocuous-looking link that, when clicked, installs spyware or keyloggers without your knowledge.
With all those different avenues of attack available to hackers and cybercriminals, how can just a single approach to security keep your computer safe? The old-school way of doing things — in other words, relying on antivirus alone — isn’t enough to keep today’s threats at bay, which is why a layered approach is so important.
“Any security company that does not take a layered approach is not doing its job, and you don’t want to be relying on them,” says Robert Reynolds, Senior Manager of Product Marketing for Norton. “The goal of the layered approach is to prevent a threat from ever getting onto your system in the first place. If you can block it before it gets inside, that’s the best possible outcome. But if a threat manages to embed itself in your system and start operating, it’s like it’s moved into your house and taken up residence there. That’s a much worse outcome.”
“What we’re really doing is bringing multiple disparate technologies together in a way that will help protect people better,” says Jordan Blake, Principal Product Manager for Norton. “We have a number of different tools. We use the right one, or combination thereof, for the right job.”
When most people think about security software, they’re really thinking of antivirus protection. It’s a straightforward, easily understandable approach to security that’s been around since the early days of the Internet. And despite its age and limitations as a stand-alone solution, it’s still an important part of the mix.
“Antivirus protection works like this: Norton technology looks at a file and compares it to a set of definitions we have. Then we look for a match between the file’s code and the code we have stored in our threat database,” Blake says. “From there, we can block or quarantine the file, or erase the nastiness it leaves behind.”
But security technology has evolved far beyond antivirus in recent years, mainly because the threats have grown far more sophisticated and stealthy.
“Antivirus is just a small slice of the protection Norton security provides,” Reynolds says. “Yes, it’s definitely important, but it’s less than half of what we do.”
One of the biggest challenges of the antivirus approach is the need to continuously update definitions. Computer viruses, just like biological ones, mutate quickly to avoid the systems designed to keep them out. The old way to deal with that was to put a team of definition writers on the case. They would write new and updated definitions designed to catch newer viruses and mutations of older ones, and then those definitions would be pushed out to millions of computers worldwide.
But there are challenges with that approach. For one thing, it’s inefficient to force users to download all that data on a regular basis. For another, it’s possible that some users might not be getting those updates, without even knowing they’re missing anything.
That’s why Norton takes a cloud-based approach to antivirus.
“With the cloud intelligence we’ve added, we can publish new virus definitions and have them available to our customer-base immediately, rather than waiting minutes or hours for those definitions to be pushed out to our users,” Blake says.
What if a Norton user encounters a threat that’s so new, it isn’t in Symantec’s database? Antivirus wouldn’t work, because there would be no baseline to compare it to.
This is where the layered approach really starts to pay off. Norton technology is also based on the idea that if you can understand what a file does, you can determine whether or not it’s a threat — and act accordingly.
“When you normally run a piece of software on a computer, it has instructions for what the computer should do,” Blake explains. “If those are malicious instructions, the computer is going to do untrustworthy things. So Norton tries to figure out what the software does without actually running it on your computer.”
There are certain things that malware — say, a botnet, or spyware — does that legitimate applications won’t do. A piece of malware may open up Microsoft Outlook and start sending copies of itself to every single one of your contacts. It may copy itself in the AutoRun section of the Windows registry, ensuring that it will run whenever your computer boots. It may even open up a communication channel without your permission or knowledge, and then automatically start feeding information to an IP address in a foreign country.
And because legitimate programs don’t do these things, Norton software can figure out if a new file is a threat or not simply by letting it run in a sealed-off virtual machine environment — or “sandbox” — and watching what happens. The file in question doesn’t have any way to distinguish between the sandbox and a real, unprotected system, so it does whatever it’s designed to do — all without harming the user’s computer or data.
“Based on the behaviors we see in the sandbox, we can make a determination as to whether that software is trustworthy or not,” Blake says.
What’s more, the behavioral approach is immune to the near-constant code tweaking that can be effective against antivirus protection. That’s because at this stage Norton technology is looking at what the threat actually does, and isn’t too concerned with matching snippets of code to the contents of a large database.
“It doesn’t matter if there are a million variants of a particular threat,” Blake explains. “As long as the core behaviours it exhibits are understood to be bad, then we can identify it as being malicious and take steps to block it.”
A good pedigree can open doors — and that’s as true for software as it is for people.
Norton’s engineers know this, which is why they built the reputation analysis layer to look into the history and background of every file you download from the Internet. It does this in two ways: by examining the metadata attached to these files, and through the reputation information gleaned from the millions of systems that Symantec monitors.
“The reputation analysis layer is less interested in the actual bits and bytes of a particular file,” Blake explains. “Instead, Norton technology is more interested in things like where you downloaded this file from, how old the file is and how many Norton users have also downloaded it.”
In fact, Norton technology can look at a file for the first time and know a few things about it right off the bat.
“For example, if you were the first person to download a particular file, Norton Security would find that interesting,” Blake says. “That would tell us a few things all by itself. For example, we could assume it probably isn’t a Microsoft operating system file, or an Internet browser like Google Chrome, or anything like that. If Norton Security hasn’t seen it before, it looks suspicious right away. And if no developer has signed it with a known key, then we can automatically rule out a large swath of reputable sources.”
This is a key component of Norton Security’s ability to identify previously unknown zero-day threats. It can usually quarantine something brand new, while Symantec works to develop insight on it. As Blake explains, this is never an issue for files like Google Chrome, because the fact that those files are always signed means they automatically have a good reputation, even if they’ve only been downloaded once.
Sometimes threats don’t need deception or trickery to wind up on your computer. We’re conditioned to being careful about where we click, which attachments we open, what hyperlinks we follow. But it’s also possible for a hacker to force-feed malware to your computer, through a simple unprotected Internet connection.
That’s where the Norton IPS (intrusion prevention system) layer comes into play. IPS protects your computer’s network connection from intruders, and in the process, stops 60 percent of the threats directed at your computer.
“IPS is designed to block things coming across the network that Norton Security knows are threats,” Reynolds says. “For example, anytime your browser makes a call to a webpage, the Web server says, ‘Okay, here’s the webpage you just requested.’ Then the server delivers it right to your machine. Bad guys will often include scripts in webpages that pretend to be something other than what they really are.”
“The Norton IPS layer protects browsers, because that is a common vector for modern attacks, and it protects the operating system,” Blake adds. “In the context of a Web browser, it’s going to protect you from attempted exploits against weaknesses in the browser itself or its plug-ins.”
In other words, hackers often find holes in popular software applications that can be used as “back doors” into a user’s computer. Whenever you’re on the Internet, your computer is constantly uploading and downloading data. With the right tools and knowledge, a hacker can simply insert a piece of malware directly into that data stream, where it will eventually be carried onto your computer and take up residence there. They can then use that to take control of your computer and use it for their own nefarious purposes.
That’s exactly what IPS is designed to stop, by aggressively patrolling and filtering through the data floating across your network connection. And it does that job very well indeed.
“IPS is extremely effective because it’s built to make sure nothing takes up residence on your computer in the first place,” Reynolds says. “It captures in the neighborhood of 60 percent of all threats that your machine is faced with.”
As impressive as those technologies are all on their own, Norton engineers have been able to optimise their strengths by designing them with information-sharing in mind. The layers all talk to each other about the new threats they’re encountering in the wild. That way, new threats can be blocked almost as soon as they appear.
“Norton Security is exceptional at the hand-offs,” Reynolds says. “If IPS sees something it doesn’t know about, it’ll check with the reputation database. If nothing looks out of the ordinary, Norton Security can decide to either let the file pass through or to look at its behaviour before letting it proceed.”
This approach has several advantages. For one thing, it makes each layer stronger because they all have access to the data collected by the other layers. For another, it limits the amount of processing effort Norton Security has to expend when it scans data flowing into your computer. And that means better performance.
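One way the hand-off described above could be implemented, as an added Python example that is not Norton's code: a reputation layer judges a file on its pedigree (signer, prevalence, age) and, only when that is inconclusive, a sandbox layer scores the behaviours the article lists (mass-mailing contacts, AutoRun persistence, unrequested outbound connections). The signer list, event vocabulary, weights and threshold are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed for this example: publishers whose signing key the reputation
# layer treats as known-good, and the Windows Run key malware writes to so
# that it starts on every boot.
KNOWN_SIGNERS = {"Microsoft Corporation", "Google LLC"}
AUTORUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

@dataclass
class FileFacts:
    """Metadata the reputation layer uses instead of the file's bytes."""
    name: str
    signer: Optional[str]  # publisher on the code signature, None if unsigned
    prevalence: int        # how many other users have already downloaded it
    age_days: int          # days since the file was first seen anywhere

def reputation_verdict(facts: FileFacts) -> str:
    """Layer 1 (reputation): trusted / suspicious / unknown from pedigree alone."""
    if facts.signer in KNOWN_SIGNERS:
        return "trusted"      # signed with a known key: good even if seen once
    if facts.prevalence == 0 and facts.age_days == 0:
        return "suspicious"   # unsigned, brand new, you are the first downloader
    return "unknown"          # pedigree is inconclusive; hand off to behaviour

def behaviour_score(events: List[Tuple[str, str]]) -> int:
    """Layer 2 (sandbox): weight the behaviours the article calls out."""
    score = 0
    for action, target in events:
        if action == "mail.send" and target == "all_contacts":
            score += 3        # mails copies of itself to every contact
        elif action == "registry.write" and target.startswith(AUTORUN_KEY):
            score += 2        # persists via the AutoRun key
        elif action == "net.connect":
            score += 1        # opens an outbound channel nobody asked for
    return score

def layered_verdict(facts: FileFacts, events: List[Tuple[str, str]]) -> str:
    """Hand-off: reputation first, sandbox behaviour only when reputation is inconclusive."""
    rep = reputation_verdict(facts)
    if rep == "trusted":
        return "allow"
    if rep == "suspicious":
        return "quarantine"   # hold the brand-new file while insight is developed
    return "block" if behaviour_score(events) >= 3 else "allow"

if __name__ == "__main__":
    # Constructed sample: unsigned but widely seen, yet its sandbox trace shows
    # AutoRun persistence and mass-mailing, so behaviour decides.
    trace = [("registry.write", AUTORUN_KEY + r"\updater"), ("mail.send", "all_contacts")]
    print(layered_verdict(FileFacts("updater.exe", None, 4200, 90), trace))  # block
```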
“When data comes into a PC, it flows in so fast that you could theoretically slow someone down by forcing their security software to run check after check on every bit of that data,” Reynolds says. “The security software would monopolise resources to the point of making the computer unusable. But we’ve got really good at making sure these layers of technology are not impacting your machine’s performance, which you can see by looking at the test results.
“This kind of technology is actually heavy lifting in terms of research and development,” he adds. “You need a certain level of expertise to do it. Smaller companies and freeware developers don’t have it, because they don’t have the resources to develop it. But Symantec does.”