AMSTERDAM: Symantec has pledged to create a centralised information-sharing big data hub to help customers spot and pre-empt top-shelf custom-built malware.
Symantec chief technology officer Stephen Trilling said the company hopes the centre will collect and analyse data from a variety of sources, including customers and competing companies' systems, at a press keynote attended by V3.
"Targeted attackers are very persistent: they take months or years and will find gaps in any security system. Our vision is to help counter this, and that over time all data on these threats will be shared," he said.
"This can be done by storing it in local data stores, but in a perfect world it will be a giant central big data store. This is because the more we can correlate the data, the more we can find attacks we otherwise wouldn't. It's all about scale. The bigger the better."
Trilling argued that the strategy is an essential step as current isolated systems are ill equipped to deal with targeted attacks. "What drove us to this was that we realised the old model was going to fail," he said.
"Recently we found the average breach is discovered after 243 days. That's two thirds of a year. These targeted attack campaigns are not quick. Targeted attacks are about getting in the servers.
"The point of these campaigns is that they're not volume based, they're going for the crown jewels of a specific company. The crown jewels are different things for different companies, but they're usually proprietary, core intellectual property. This is the area of attack that appears to be growing the fastest."
The Symantec chief said the company has already begun working on the project and that many governments and enterprise businesses have expressed an interest.
"It will collect metadata such as an email address, a file hash, URLs or a list of attempted logins. It's all metadata, nothing confidential," he said. "Governments and enterprises are both interested in this because our ability to spot threats will be greater than ever."
Symantec is one of many firms to tote the benefits of a cloud-based security solution when combating advanced threats. HP announced similar plans to create an open attack data-sharing service earlier in the year. The plans have been met with mixed reactions, with many European commentators pointing out the dangers of handing over data to US-based companies in a post-PRISM world.
The NSA PRISM campaign was revealed earlier in the year when whistleblower Edward Snowden leaked documents proving that the agency was using companies such as Facebook, Google and Microsoft to monitor web users.
Trilling moved to counter these concerns, promising that any data used would be anonymised so it would be useless if stolen or siphoned by a hostile intelligence agency. "We don't need to collect any confidential corporate data, we're only collecting technical data about files," he said
"We don't need to collect the content of the email, we just need the information relevant to a targeted attack. We are also looking at ways to provide on-premise databases for companies that may not want to send all the data to a central data store," he said.
Trilling also downplayed concerns that competing vendors would be hesitant to share their data, arguing that many already are actively sharing information.
"For them the benefit is they get to be part of this ecosystem and better protect their customers. It sounds idealistic but there is already a surprising amount of collaboration with competitors to achieve the greater good. A lot of people working in this industry are invested in finding ways to do a better job protecting the cyber ecosystem," he said.
Increasing the sharing of attack data has been a central goal of many governments. Within the UK it has been a key part of the government's ongoing Cyber Security Strategy. The strategy has seen the launch of several data-sharing initiatives, such as the Cyber Security Information Sharing Partnership (CISP), since launching in 2011.