Symantec is for the first time granting customers access to the threat detection technology used by its internal research team, making it easier to discover targeted attacks.
The platform security vendor said that its new-to-the-public Targeted Attack Analytics (TAA) technology can detect more advanced attacks that get by traditional security offerings, according to Eric Chien, technical director of Symantec security and response and a Symantec fellow.
TAA will be made available at no additional cost on the latest version of Symantec's Advanced Threat Protection (ATP) product, which Chien said is consumed primarily by mid-size and large enterprises. Chien hopes the introduction of TAA will drive further adoption of ATP and help it gain traction among smaller enterprises.
"We want to get this into our customers' hands," Chien told CRN USA.
Most traditional security products – including Symantec Endpoint Protection – scan individual artifacts such as a file or part of a network stream, Chien said. TAA, by contrast, looks across all the machines in a single enterprise and collates their endpoint telemetry on the back end to verify whether an active attack is taking place inside the network, according to Chien.
In addition to looking holistically across all devices to build a more concrete picture of what's going on, Chien said TAA can alert users to incidents with absolute certainty, rather than simply indicating that there's the likelihood or a probability that something's taking place.
Symantec's research team programmatically codified what they were doing as humans to create an artificial intelligence-based system that could serve as the basis for TAA, according to Chien. Symantec decided two years ago that the company would automate the last mile so that it could deliver threat detection directly to customers without having humans involved at all, Chien said.
Two years ago, Symantec could have sent out high-priority alerts around suspicious activity, but Chien said a Security Operations Center (SOC) team would have needed to go in and verify that the behavior was indeed problematic. Now, Chien said, Symantec is able to deliver real alerts inside real environments.
The hardest component to automate, Chien said, is differentiating between administrative actions and real attackers, since attackers often use administrative tools already on the system to wreak havoc. Symantec has drawn on the expertise within the company's Center for Advanced Machine Learning to tell those two scenarios apart, Chien said.
The technology underpinning TAA is the same toolset that Symantec used to uncover Dragonfly 2.0, an attack targeting dozens of energy companies that attempted to gain access to operational networks. Chien said that smaller enterprises could have benefited from TAA in that scenario since they are plugged into the power grid and typically make an easier target than their larger counterparts.
Smaller enterprises adopting Symantec's Advanced Threat Protection get to enjoy the benefits of a SOC without having to take on all of the employees, Chien said. Clients don't need to have folks on the ground monitoring and filtering through alerts to adopt ATP since Symantec is able to deliver actionable alerts in an automated fashion, according to Chien.
As customers begin adopting TAA, Chien said Symantec's research team will gain greater visibility and telemetry, enabling the company to put a fuller picture together of the risks and the actions being taken by attackers. Chien said the company is already able to see incidents in 1400 customers each month, regardless of whether they have ATP.