Posted: 3 Min ReadProduct Insights

Learn More About Symantec Threat Risk Levels

Why You Need to Institute Threat Risk Levels Now

Organizations have depended for years on the use of content categories to protect employee web access. Categories are still a critical component to any effective Secure Web Gateway (SWG). SWGs block pornography, shopping sites, gambling, or any other site that doesn’t adhere to a company’s acceptable use policy...but more importantly, might be the entry point to malicious activity. As the number of new websites have skyrocketed on the commercial internet, even the best SWGs struggle to keep up. Swift categorization is difficult and if uncategorized sites are blocked by policy, calls are likely to flood the help desk from employees requesting access to an uncategorized site.

Symantec, a division of Broadcom Software, created Threat Risk Levels to address this problem. AI engines often don’t have enough information on a new website to assign it to a category. But there is contextual metadata, for example the web host’s IP address, a server’s behavior, or characteristics of a URL that allow us to give it a Risk Level rating of one (safe) to 10 (very risky).

So, here’s the question: What is your Risk Level policy?

Symantec, a division of Broadcom Software, created Threat Risk Levels to address this problem. AI engines often don’t have enough information on a new website to assign it to a category. But there is contextual metadata, for example the web host’s IP address, a server’s behavior, or characteristics of a URL that allow us to give it a Risk Level rating of one (safe) to 10 (very risky).

To make it happen, Symantec adds and updates Risk Levels for all the entries in our URL database -- a critical component of Symantec Global Intelligence Network (GIN). We discern the risk snapshot based on history, reported ratings and traffic. Millions of sites are short-lived, what we call “one-day wonders.” Our Context Engine uses AI to track and render opinions about the hundreds of millions of domains, subdomains and IP addresses across the web. Additionally, we use the same system to set a Risk Level for all requests not in our URL database.

So, here’s the question: What is your Risk Level policy? If your organization wants a higher security profile, we recommend starting at level six -- moderate. To further explain the value of risk levels with real-world examples and recommendations, Symantec will hold a Webinar on September 15. You can register here.

For Risk Levels seven through 10, we advise a complete blocking of these sites. If your organization must provide access to such pages, we recommend using our Web Isolation, integrated with our SWG and part of the Web Protection Suite. With Web Isolation unknown web traffic is delivered to a remote isolation environment which renders a dubious site and any associated content and sends back only a safe, visual stream to the end-user’s browser. If there’s any malicious code, it stays in isolation and doesn’t infect your network. The best part: It’s seamless to the user and runs automatically. Scratch all those calls to the help desk demanding access.

With more stringent privacy regulations in recent years, many organizations now need to protect users’ health, financial, or other personal information. This need competes directly with the emerging requirement to inspect encrypted web traffic, which cyber criminals are increasingly using to distribute malware and to collect personally identifiable information. Risk Levels enable the IT administrator to allow safe sites (rated 1 to 3) to be accessed without SSL inspection—thereby protecting user privacy—while decrypting riskier sites for additional inspection, including advanced threat detection and data leakage protection.

To see Symantec’s Threat Risk Levels in action, in June, we got a report of a malicious domain, “pozdravlenie[.]xyz”. (The word means “congratulations” in Russian, which already raises a warning flag!) However, before we got the report that the domain was malicious, we had already seen three attempted visits to the site the day before. All three requests were for a .EXE file, but our logs showed that the server had not actually returned an executable file -- in fact, it didn't really want to talk to us. However, WebPulse gathered enough metadata to progressively move the risk level from a 5 to a 6 and then finally flag each request with a Risk Level of 7 and return a category of “Suspicious”, even without seeing the actual .EXE file.

Finally, Symantec’s system allows you to look at the impact raising or lowering Risk Levels has on your organization’s website access before you choose a degree of protection. For example, generating a report for all uncategorized websites with risk level 6 allows you to see the impact when incorporating that into your policy. It’s easy to do and could save your IT department untold hours wrangling user requests.

For more details on Risk Levels, check out the white paper - The Need for Risk Levels in Secure Web Gateways.

Symantec Enterprise Blogs
Webinar

Level Your Risk with Risk Levels

You are likely using website classification and categorization to drive your web security policies...good for you! But, are you missing out on the power of Risk Levels? In this webinar- you will learn these and more: • Why Risk Levels are important to keep your users safe • Introduction to Symantec's Risk Levels

Register Now for Webinar
Symantec Enterprise Blogs
You might also enjoy
Feature Stories4 Min Read

Symantec Knows Security Continues to Evolve: The Need for Data-Centric SASE

Protecting data is not just a priority, it’s the whole point of security

About the Author

Henk van Achterberg

Product Manager Threat Intelligence

Henk is a Product Manager for Symantec Threat Intelligence as part of Broadcom Software.

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.