And the power of this new data is evident to all from a micro (consumer) to macro (enterprise level). Two new attack campaigns and 137,000 new phishing campaigns have been uncovered.

“Symantec research teams have unparalleled visibility into the entire threat landscape, including the most advanced attacks, and Blue Coat researchers have been categorising, mapping, and fingerprinting the Internet with a view into the darkest parts of the web and malware tradecraft,” said Greg Clark, chief executive of Symantec.

“By fast-tracking the integration of the threat intelligence capabilities from Symantec and Blue Coat, Symantec products are now blocking 500,000 additional attacks per day for our endpoint, email, and Web security customers. Drawing out those kinds of results from data is only possible by using artificial intelligence, which gives our threat researchers a vastly augmented ability to spot attacks earlier than anyone else.”

The creation of the joint GIN brings significant enhancements to Symantec’s threat intelligence capabilities made uniquely possible by integrating Symantec and Blue Coat’s security telemetry and applying the data-crunching force of artificial intelligence that is needed when analysing numbers reaching into the trillions.

The GIN monitors more than nine trillion elements of security data, providing unparalleled visibility and protection for Symantec customers across their entire environments. Symantec now protects 175 million consumer and enterprise endpoints, 163 million email users, 80 million Web proxy users, and processes nearly eight billion security requests across these products every day.

The integration provides the foundation for Symantec’s Integrated Cyber Defence Platform, which allows Symantec products to share threat intelligence and improve security outcomes for customers across all control points. Symantec is the only vendor to connect endpoint, email, and Web protection across a single integrated intelligence platform.

The combined Symantec-Blue Coat threat telemetry has led to a series of significant protection improvements as well as discoveries of new attack campaigns. Examples cited by the company include:

Improved protection from sharing threat telemetry

Symantec and Blue Coat products are now automatically exchanging millions of malicious files and URL threat indicators daily. For example, when a ProxySG Web gateway installation at any customer site uncovers a brand new malicious file or URL, this telemetry is shared via the cloud with every Symantec Endpoint Protection and Norton Security deployment, thereby providing this same protection for all Symantec Endpoint Protection and Norton customers. Similarly, when an installation of Symantec Endpoint Protection or Norton Security discovers a new malicious file or URL, this intelligence is shared with all ProxySG installations, so that those customers can immediately benefit from the discovery of this new threat. This telemetry-sharing system is fully operational and has resulted in Symantec products blocking 500,000 additional attacks every day for the endpoint, email, and Web security customers.

New cyber espionage campaign discovered

After the cyber espionage agreement between the US and China was signed in September 2015, it was believed that the China-based cyber espionage group Buckeye had largely stopped their attack operations. Only through the combined threat intelligence of Symantec and Blue Coat did Symantec determine that the Buckeye group was still highly active, and had set their sights on a new target – Hong Kong political organisations. Symantec’s combined teams uncovered new spear-phishing emails targeting 13 political entities in Hong Kong leading up to the Hong Kong elections. These discoveries have allowed Symantec to enhance its protection capabilities against the Buckeye group’s campaigns, while also alerting customers to the re-emergence of this attack organization.

Sophisticated financial heists revealed

Symantec and Blue Coat’s combined telemetry led to the revelation that, since January 2016, a series of campaigns involving malware called Trojan.Odinaff has targeted roughly 100 financial institutions worldwide, including investment brokerage houses, consumer banks, and ATM networks. The Odinaff attack is unusual in that once attackers infiltrate a victim’s financial institution, they spend time learning about the exact capabilities of the target organisation, e.g., trading platforms, money wire capabilities, ATM networks, etc. Then the attackers execute an attack plan leveraging the specific capabilities of the compromised organisation, for example, withdrawing funds, making trades, or transferring money via the SWIFT wire transfer system. To date, the Odinaff attack group has stolen millions of dollars from victim institutions.  

Changing the game on anti-phishing

To combat the increased threat to enterprises and consumers from phishing emails, Symantec has developed technology that analyses new websites in real-time by comparing them to screenshots of known phishing sites. Leveraging machine learning and advanced image analysis, the technology is applied to more than 1.2 billion Web requests each day and has uncovered 137,000 new phishing campaigns since its release. New phishing sites identified by this system are now being blocked across Symantec’s endpoint, email, and Web security product portfolio.