Symantec Ups the Ante with Quorum Technology

Symantec's new Norton-branded offerings use a new technology to plug the gap between whitelists and blacklists.

This month's update of Norton Antivirus and Norton Internet Security products from Symantec Corp. suggests that security software vendors are increasingly seeing things in terms of black and white -- and now gray.

The 2010 editions of Norton Antivirus and Norton Internet Security use a new "Quorum" technology that some security watchers say fills a gap between "whitelist" and "blacklist" strategies. Quorum's purpose isn't to compile a "graylist" of possible malware suspects so much as a gray screening. Quorum assesses the "uniqueness" of a file (or its attributes) to determine whether it's a new malware variant. It uses a reputation score to rate files based on age, signature, or prevalence.

What's more, Quorum tries to take the idiosyncratic into account: it looks at the source from which a file was downloaded -- did it come from an unknown or otherwise suspicious site (e.g., one that's hosted in a known malware netblock) -- as well as the surfing habits of the user who downloaded it (does a user tend to visit questionable or suspicious sites?) in creating a reputation score.

On Symantec's Norton Protection blog, Carey Nachenberg, vice president and fellow at Symantec, notes that the company's approach "is dependent on the collection and submission of anonymized application data from customers who choose to participate in Norton Community Watch. This data includes application hashes and other metadata about each executable such as how it arrived on the machine, the publisher name, and the program's name and path."

The volume of the required file metadata, Nachenberg notes, "is extremely limited -- typically just tens of kilobytes of data per machine per month." The "reputation telemetry data" from participating machines is uploaded to Symantec's back-end servers daily. The technology then computes the file reputations that are at the heart of the new technology.

"Our process is similar to some other well-known systems, such as Netflix's recommendations, or Google's PageRank algorithm," Nachenberg claims, comparing the relevancy scores to recommended titles. "We constructed a huge data center for continually calculating and recalculating our trust ratings."

Those ratings are calculated for every file "downloaded, installed, or run on every Norton Community Watch user's machine. Every file in Quorum is assigned a classification (good or bad) and a confidence level that indicates our confidence in that classification. Unlike traditional fingerprinting which either detects or does not detect a file, this new approach refines each file's reputation over time as more data is available about our community's usage of each file."

Industry watchers seem intrigued by the idea. Consider Gartner security analysts Neil MacDonald and Peter Firstbrook, who note that existing endpoint security strategies just aren't getting the job done.

"In the face of increasingly sophisticated cybercrime, enterprises are finding that endpoint protection strategies based solely on signature-based blacklisting are often ineffective. Signatures can't keep up with the explosion in malware variants and miss targeted attacks," they write in a recent Gartner research publication. "Whitelisting and application control technologies offer hope … but it is hard to make them work for all desktops and all users. In some cases, the whitelists are too restrictive; in others, the whitelists struggle to keep up with changing end-user workstations."

With Quorum, Symantec is taking a decidedly different approach, the analysts argue: "In contrast to vendors that have focused on a whitelisting approach, Symantec's 'Quorum' technology focuses on filling the many shades of gray between whitelisting and blacklisting by using the characteristics of executable code and the user's Web hygiene across its installed base to make inferences about a particular code's 'reputation.'"

Symantec isn't exactly a trailblazer here, MacDonald and Firstbrook stress, citing a similar offering from Prevx as well as cloud-based malware monitoring services such as Artemis and the Smart Protection Network from Symantec competitors McAfee and Trend Micro, respectively. Nevertheless, the Gartner report suggests, the industry is likely trending Quorum's way. "Eventually, all endpoint protection vendors must offer a strategy for assessing pieces of code that are not explicitly whitelisted or blacklisted," they write.

One concern with a technology like Quorum is the possibility of false positives. MacDonald and Firstbrook don't discount this issue, but suggest that -- assuming the benefits of using Quorum (e.g., improved malware detection) outstrip its costs (e.g., occasional false positives) -- Symantec could offer an alternative to the "global whitelist" efforts championed by players like Bit9 and Signacert.

"If Symantec's technology offers a workable alternative to a whitelisting approach, it will put pressure on vendors trying to build proprietary global whitelists," they point out, adding that -- notwithstanding the promise of Quorum or similar proactive technologies -- a shared global whitelist would likely benefit everyone.

"Nonetheless, a global whitelist built and shared by the entire security industry would be in every independent software vendor's interest. All security measures should include explicit whitelists, such as a categorized database of known good applications, identified by hash codes, digital signature or the source of the code," they conclude. "However, there will always be some applications that don't appear on the whitelist. The Quorum database could be used to fill this gap. We believe organizations should favor endpoint vendors that use a combination of whitelisting, blacklisting and 'graylisting' techniques."

Must Read Articles