My Briefing on Symantec Quorum – Impressed But Not Convinced
July 27, 2009
On July 9 I wrote a post about Symantec’s soon-to-be-released reputation-based technology, which they are currently calling Quorum. My post was a bit tongue in cheek, asking how something unknown could have a reputation, but it appeared to have been taken seriously by the folks at Symantec, who pinged me back on Twitter and offered to help me better understand the product and the value of the reputation-based approach. I took them up on the offer, and one of their product management folks walked me through the technology.
First let me say that I respect the earnestness and professionalism that the Symantec people had in seeking to correct what they thought were my perceptions of the product. In return, I will refrain from providing any details of what they shared with me as they are rolling out the product as we speak and I certainly do not want to inadvertently include any information that they have not yet taken public. I don’t want to damage my reputation score.
What I will share is my general conclusion, which is that while I was impressed with the technology, I was not ultimately sold on the benefit to larger enterprise customers that have to stand against a barrage of precision-guided exploits and new attacks on a daily basis.
The Symantec solution is extremely complete and obviously very thoughtfully constructed. They have clearly considered a lot of the angles in reputation-based technology, including safeguarding against methods to artificially influence reputational scores. In my opinion, the technology will be a good addition for consumer customers and small businesses, which should benefit from reputational comparatives given that they have a small number of machines, or only one machine, to watch. It also allows Symantec to leverage their large user base as well as integrate and showcase their data storage capabilities to their security customers. Like I said – in regard to the implementation, I was really quite impressed.
For large enterprises, particularly those customers who are under what we call the dynamic persistent threat scenario, I am not convinced that the prevalence data from a broad community will fill the existing gaps in malware detection. These are organizations that fend off deliberate and precisely targeted attacks designed to extract critical financial data or confidential strategic information by exploiting new attack vectors, recently identified exploitable flaws, or variants of known attacks, in order to evade the traditional defensive software that relies on prior knowledge of attacks for detection. While these customers might find a community-based prevalence score interesting, they frankly are of a profile where such a score – or lack thereof – is not sufficient to make determinations about the potentially malicious nature of applications. The fact that an application has been installed in a number of other organizations does not mean that it is acceptable to be installed on their endpoints.
I am grateful to the Symantec team for their willingness to share the details of the product. I exited the process very confident that, while the reputation-based technology may help Symantec in the consumer market, it has not addressed the shortcomings their tools have in detecting attacks where there is no prior knowledge, or the dynamic persistent attacks that many organizations battle on a given day. In fairness, I am admittedly biased, and these shortcomings are not specific to Symantec; they are shared by endpoint security vendors as well as their customers.
Tomorrow I will make my case and detail how I think the Triumfant approach is more applicable and, ultimately, more practical. For example, we already have organization-specific prevalence baked into our model, and we build automated remediations for what we find. Have a look tomorrow and see if you agree.
