Symantec Opens The Floodgates, Makes Its Threat Detection Tool Available To Customers For First Time

Symantec is for the first time granting customers access to the threat detection technology used by its internal research team, making it easier to discover targeted attacks.

The Mountain View, Calif.-based platform security vendor said that its new-to-the-public Targeted Attack Analytics (TAA) technology can detect more advanced attacks that get by traditional security offerings, according to Eric Chien, technical director of Symantec security and response and a Symantec fellow.

TAA will be made available at no additional cost on the latest version of Symantec's Advanced Threat Protection (ATP) product, which Chien said is consumed primarily by mid-size and large enterprises. Chien hopes the introduction of TAA will drive further adoption of ATP and help it gain traction among smaller enterprises.

[RELATED: 9 Security Trends To Watch For At RSA 2018]

"We want to get this into our customers hands," Chien told CRN.

Most traditional security products – including Symantec Endpoint Protection – scan individual artifacts such as a file or part of a network stream, Chien said. But TAA is able to look at all the machines in a single enterprise and collate the telemetry with the endpoints on the back end to verify if there's an active attack taking place inside the network, according to Chien.

In addition to looking holistically across all devices to build a more concrete picture of what's going on, Chien said TAA can alert users to incidents with absolute certainty, rather than simply indicating that there's the likelihood or a probability that something's taking place.

Symantec's research team programmatically codified what they were doing as humans to create an artificial intelligence-based system that could serve as the basis for TAA, according to Chien. Symantec decided two years ago that the company would automate the last mile so that it could deliver threat detection directly to customers without having humans involved at all, Chien said.

Two years ago, Symantec could have sent out high-priority alerts around suspicious activity, but Chien said a Security Operations Center (SOC) team would have needed to go in and verify that the behavior was indeed problematic. Now, Chien said, Symantec is able to deliver real alerts inside real environments.

The hardest component to automate, Chien said, is differentiating between administrative actions and real, actual attackers since attackers often use administrative tools already on the system to wreak havoc. Symantec has taken advantage of the expertise within the company's Center for Advanced Machine Learning to differentiate between those two different kinds of scenarios, Chien said.

The technology underpinning TAA is the same toolset that Symantec used to uncover Dragonfly 2.0, an attack targeting dozens of energy companies that attempted to gain access to operational networks. Chien said that smaller enterprises could have benefited from TAA in that scenario since they are plugged into the power grid and typically make an easier target than their larger counterparts.

Smaller enterprises adopting Symantec's Advanced Threat Protection get to enjoy the benefits of a SOC without having to take on all of the employees, Chien said. Clients don't need to have folks on the ground monitoring and filtering through alerts to adopt ATP since Symantec is able to deliver actionable alerts in an automated fashion, according to Chien.

As customers begin adopting TAA, Chien said Symantec's research team will enjoy greater visibility and telemetry, enabling the company to put a fuller picture together around the risks and actions being taken by attackers. Chien said the company is already able to see incidents in 1,400 customers each month regardless of if they have ATP or not.

TAA should provide end users with more indications and insight around what they want to focus on from a security standpoint, according to Andrew Piland, chief operating officer at San Diego, Calif.-based solution provider Datel Systems. And having Symantec's name on it should provide channel partners with more credibility when attempting to pitch customers on different security offerings, Piland said.

"Everybody knows Symantec. It's a huge company with a huge name," Piland said. "For them to share any of this is a nice thing for the community in general."