Symantec recently announced the latest release of its consumer protection technology which includes a new malware technology code-named “Quorum”. Essentially the technology uses visibility (or lack thereof) of behavior of executable code across a community to aid in the determination if a given piece of code is “good” or “bad”. We are working on our full analysis and recommendations for our enterprise clients but here are my initial high-level observations.
Despite Symantec’s rhetoric, the idea of using visibility of executable code across a community for better security decision making isn’t new. Prevx (which I wrote up in Gartner research as a Cool Vendor in 2006 because of its community approach to endpoint intrusion prevention) has been using “herd” intelligence across its community for years. McAfee’s Artemis announced more than a year ago uses a similar approach.
The good news is that Symantec understands that signature-based detection alone is increasingly ineffective and that it needs to do more at the application level. Rather than take an approach solely rooted in whitelisting or building a global whitelist, Symantec is instead using the Quorum technology to focus on the vast greyspace between blacklists (which can’t keep up) and the whitelists (which also struggle to keep up and are too restrictive for many end-user desktops – especially consumers which have no IT department to manage the whitelist).
By using visibility into code behavior (usage, propagation patterns, prior user history, system calls and so on) across a larger population, Symantec is able to build more accurate models as to whether a given piece of code is “good” or “bad”. No behavioral modeling-based approach for security is perfect, but it is a fact that the more data points you have, the better the model you build and the fewer false negatives and, more importantly, false positives that result when the model is used to make security decisions. Quorum taps into the large Symantec installed base for precisely this reason.
There are no silver bullets in security, but Quorum is a welcome innovation in endpoint protection which has fallen woefully behind the bad guys by relying too heavily for too long on an increasingly ineffective blacklisting-based protection model at the application level.
Category: Beyond Anti-Virus Endpoint Protection Platform Next-generation Security Infrastructure Tags: Beyond Anti-Virus, Defense-in-Depth, Endpoint Protection Platform, Next-generation Security Infrastructure, Whitelisting