If a Secure Web Gateway is the flagship of the network security fleet, Threat Intelligence is the radar and sonar that helps it navigate troubled waters. Threat Intelligence enables a Secure Web Gateway to recognize and block known threats, and also to stop potential new ones. Good intelligence can greatly improve security efficacy. Weak intelligence opens the door to attackers while increasing over-blocking through false positives. What you may not know, however, is that the best intelligence can enable you to do much more than you’d expect from a Secure Web Gateway, providing a stronger and easier means of getting application visibility and control.
Matt Willden, product manager of Intelligence Services, Symantec Enterprise Division, recently addressed how Symantec is working to give companies the tools to improve their application visibility and control policies to ensure both the strength of network security and employee access to the apps they need to best do their jobs.
Q: With the growth of remote work over the last year, there has also been an increase in the need to handle apps and various new situations regarding network security. Could you give a lay-of-the-land type assessment of the security arena today?
A: There has never been a more pertinent time for having good intelligence. As we all know, we’re going through a pandemic, but even as we start to see light at the end of the tunnel, we’re still seeing reports of increased (network) demand. Maybe that will go down when we return to a more normal environment, but we’re also getting reports that employers will enforce or allow work-from-home situations to continue post-pandemic. All of this is to say that there are lots of new situations that corporations have to deal with when you have such a large workforce working remotely.
Q: Can you talk about the various intelligent services that Symantec’s platform offers inside the Symantec Secure Web Gateway?
A: We know that there are more threats than ever and the web is getting more and more attacks. Apart from email traffic, web attacks are competing for the most prevalent attack surface.
In my opinion, we think you need three factors to be effective in this scenario.
- You need access to the full picture in order to extract the pertinent metadata that fuels detections.
- You have to have an incredibly wide array of information sources to ensure the metadata’s bits and pieces make up a statistically significant data point (i.e., different market verticals).
- You need a comprehensive feature set powered by the previous two points so that the intelligence can be used in a meaningful way.
Once you have that, the reality is your ecosystem fuels your feature set. Symantec has one of the most comprehensive ecosystems on the planet and that fuels one of the most comprehensive feature sets you can deploy today.
Q: Talk about Symantec ProxySG and the role it plays in improving visibility and control policies.
A: Symantec ProxySG, which is our main deployment, is a proxy-based architecture that actually intercepts the (unwanted) traffic. It’s capable of specific responses and of intercepting the traffic in real time to make policy decisions. With it, we can reassemble the communication files and all the different response headers—all the minutiae in real time—and then make a decision before it passes our gateway. This all feeds back into our telemetry system, so we have this feedback mechanism where we can get this data, correlate it, aggregate it and protect our customers. It just builds on itself. There aren’t many systems on the market that can capture the data we have and protect our customers.
Q: What would you say are some other characteristics of Symantec’s threat protection offerings that would appeal to customers looking to improve their network visibility?
A: We have risk levels, which I think is our bread and butter of best-in-class threat protection. But we also have categories, which are the bread and butter of every content filter, and we also have application visibility. All of that is delivered through a cloud-based intelligent service that is constantly up to date; because it’s updated hundreds of times a day, it gives customers all this granularity to create a comprehensive policy that’s unique to your situation.
Q: You’ve spoken of the need for visibility to be more “granular”, or get more into specific details to prevent and fight back against network attacks. What would you say gives Symantec an edge over other security service providers in this area?
A: For one thing, we tend to focus on those high-value targets like banks, large financial services, enterprises, and governments. Our customers, and consequently our telemetry, come from all over, and that gives us the unique ability to see really weird traffic that comes in and rate it. Our proxy architecture gives us the ability to extract more granular data and for greater efficacy. For example, instead of just looking at a category and saying, “Oh, this is just social media, or this is a chat,” we can have up to four different categories assigned to a URL. More to the point, when we are categorizing a URL, we like to think of it as pruning a tree. If there is a leaf or a flower that’s maybe not so great, you can prune that off, improve the health of the tree and not have to cut off the tree at the root.
Q: How does Symantec go about ranking and assessing risks so that enterprises can make better decisions about which control policies to employ?
A: Our Threat Risk Levels assign a risk score of 1 to 10, and we support real-time evaluation of risks. This creates a powerful, streamlined policy combination like saying, “Block uncategorized traffic if the risk level is greater than 5.” This helps customers, as they move closer to the actual attack vector because the risk scores don’t use a cat-and-mouse game of finding the specific caches or finding a specific pattern. In fact, they use statistical metadata and machine learning to get it before we even know about it.
One way we accomplish this is by employing a Context Engine that takes in all the various data points in the background and gives it a score. We also have a Voting System that does a real-time calculation for anything not found in a database, and we also leverage GeoLocation, which is one of those tools that you perhaps don’t even know you have, but it provides you with a really unique way to minimize risk and increase compliance on your network.
The point is that in your intelligent service, you have to have a way to take in real-time attacks. Symantec was one of the first on the market with this and remains one of the best today.
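The two ideas above, a 1 to 10 risk level combined with a policy such as "block uncategorized traffic if the risk level is greater than 5", and the earlier point that a URL can carry up to four categories so that one "leaf" can be pruned without blocking the whole site, can be shown as a small first-match policy evaluator. This is an added illustration, not Symantec or ProxySG code and not ProxySG policy syntax: the rule names, the allow-listed country codes, the lookup results and the URLs are all constructed for the example.

```python
"""Layered web-access policy: categories, threat risk level and geolocation.

Added illustration only (not Symantec/ProxySG code or CPL syntax). Every
rule name, sample lookup result and country list below is constructed.
Risk levels use the 1 (lowest) to 10 (highest) scale the interview describes.
"""
from dataclasses import dataclass
from typing import Callable, Tuple


@dataclass(frozen=True)
class Verdict:
    """What an intelligence lookup returns for one URL (constructed shape)."""
    url: str
    categories: Tuple[str, ...]  # up to four labels; empty when uncategorized
    risk_level: int              # 1 .. 10
    country: str                 # hosting-IP country code, "" if unknown


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "allow" or "block"
    condition: Callable[[Verdict], bool]


def is_uncategorized(v: Verdict) -> bool:
    return len(v.categories) == 0


def has_category(label: str) -> Callable[[Verdict], bool]:
    """True when the label is one of the URL's (possibly several) categories."""
    return lambda v: label in v.categories


# Constructed allow list of hosting countries used by the geo rule.
ALLOWED_COUNTRIES = frozenset({"US", "CA"})

SAMPLE_POLICY = [
    # Anything the intelligence service rates as high risk is blocked outright.
    Rule("block-high-risk", "block", lambda v: v.risk_level > 7),
    # "Block uncategorized traffic if the risk level is greater than 5."
    Rule("block-risky-uncategorized", "block",
         lambda v: is_uncategorized(v) and v.risk_level > 5),
    # Prune one leaf: block the file-sharing facet of a site without
    # blocking its social-media or chat facets.
    Rule("block-file-sharing-leaf", "block", has_category("file-sharing")),
    # Geo compliance: block hosts outside the constructed allow list.
    Rule("geo-block", "block", lambda v: v.country not in ALLOWED_COUNTRIES),
]


def evaluate(rules, verdict: Verdict, default: str = "allow") -> Tuple[str, str]:
    """First matching rule wins; returns (action, rule_name)."""
    for rule in rules:
        if rule.condition(verdict):
            return rule.action, rule.name
    return default, "default"


# Constructed lookup results; hostnames use the reserved .example TLD.
SAMPLE_VERDICTS = [
    Verdict("https://a.example/", (), 6, "US"),
    Verdict("https://b.example/", (), 3, "US"),
    Verdict("https://c.example/", ("social-media", "chat"), 2, "US"),
    Verdict("https://d.example/", ("social-media", "file-sharing"), 2, "US"),
    Verdict("https://e.example/", ("news",), 9, "US"),
    Verdict("https://f.example/", ("business",), 1, "ZZ"),
]


def run_samples():
    """Evaluate every sample verdict; returns {url: (action, rule_name)}."""
    return {v.url: evaluate(SAMPLE_POLICY, v) for v in SAMPLE_VERDICTS}


if __name__ == "__main__":
    for url, (action, rule) in run_samples().items():
        print(f"{action:5}  {rule:26}  {url}")
```

The rule order is the policy: a high risk level is checked before any category, so a well-known site that turns hostile is still blocked, while a multi-category site loses only the facet the organization objects to.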
Q: What other advice would you give to an enterprise looking for a way to improve upon its application visibility and control policies?
A: The thing you don’t want to do is fall into a homogeneous security policy situation where yours is just the same as Company B’s down the road. That’s a shady actor’s favorite thing.