Technology Leadership

The Norton Data-Driven Intelligence Network

How big data drives Norton protection — even against zero-day exploits

The Big Data Revolution is going on all around us. From gaming to fitness to drone delivery, companies in every sector of our economy are using data to drive new products and to improve existing ones.

It may seem like an overhyped trend that will have its time in the sun and soon disappear. But for Symantec, data collection and analysis has been business as usual for years.

Over the last 25 years, Symantec has built a rich and widespread intelligence network, constantly gathering data on Internet security threats from over 40 million endpoints worldwide, in over 150 countries. That data is what drives Norton protection and enables it to stop even brand-new, “zero-day” threats that nobody’s ever seen before.

Where does all that data come from? Some of it comes from the millions of Norton users around the world, many of whom send in raw data about the threats they encounter every day.

“Our customers have the option to join the Norton Community, and those users contribute to the development of better Internet security by sending us anonymous data about the security threats their computers encounter,” says Kevin Haley, Director Product Management of Symantec’s STAR team. “When Norton security stops a piece of malware, your computer will send us information about what just happened, what the file was, when you found it, and where it came from. This helps us understand both the distribution and the prevalence of emerging security threats worldwide.”

Honeypots and decoys

Of course, not every Norton user chooses to join the Norton Community and report anonymised threat data back to Symantec. And there’s no guarantee that a Norton customer will be among the first to encounter a new security threat.

That’s why Symantec also takes a more proactive approach to collecting the very latest threat information, essentially by setting traps out in the wild.

For example, take email. Email may not be glamorous, but Haley says it’s still a common transmission vector for security threats — which is why “we’ve got about 5 million decoy email accounts out there, collecting around 8 billion emails every month.” Those dummy accounts scoop up all the newest phishing, spoofing and social engineering attacks designed to trick unsuspecting Internet users into giving away sensitive personal information, for example. Which in turn gives our security researchers the data they need to really understand what’s happening.

But email is just one piece of the puzzle. Even scarier are the more active attempts by hackers to gain control of your computer in one way or another, either to collect information about you or to use your machine for nefarious purposes without your knowledge or consent.

“As a security company, the earlier you find out about emerging threats, the better,” says Robert Reynolds, Senior Manager of Product Marketing. “And sometimes the only way you can do that is to open yourself up to getting them.”

Which is exactly what Symantec does, via its network of 40,000 completely unprotected computers — also known as “honeypots” — that are set up to operate as listening posts and then distributed around the world.

“We embed them in carefully-chosen places around the world to gather data firsthand, so that we can better understand what’s actually going on there,” Reynolds continues. “Essentially, we set them up, leave them wide open and wait for them to start collecting data.”

And it never takes long for that data to start rolling in. Reynolds explains that any unprotected computer connected to the Internet won’t stay unnoticed for more than a few minutes. Once the hackers spot it, they’ll try to shove data through any open port that’s available to them — and that data will almost certainly include security threats of some kind. Before long, that computer could easily be turned into a “bot,” which is a program that runs automated or repetitive tasks over the Internet. They’re often used for activities like taking down other websites, committing click fraud against ecommerce sites, or worse.

Those unprotected computers, or honeypots, keep meticulous logs of everything that happens to them, forwarding the data along to Symantec’s security teams the whole time.

“Taken together, all the information we collect this way is really helping us build better and more timely protection,” Haley adds.

From raw data to useful knowledge

Having the data is critical, but it’s only the first step. That data must then be turned into useful knowledge that, in turn, can help improve the quality of protection Norton customers receive.

But when you collect as much data as Symantec does, you need a solid plan to sort through it all if you don’t want it to go to waste.

“There was a time when we were taking in so much data that we could barely analyse it all,” Reynolds says. “Now we take a ‘big data’ approach to the problem of security.”

For example, Symantec’s security teams frequently use a technique called machine learning. “Machine learning is a process that can discover commonalities inside of large amounts of data that the human eye couldn’t see,” Haley explains. Exactly how this happens depends on the nature of the data collected and the exact question under consideration, but the gist of it is that the machine learning algorithms detect subtle patterns in the data and then break those data points out into different classifications — like threats and non-threats, for example. “By applying machine learning techniques and by knowing what to look for, our analysts can catch the very latest threats without ever having seen them before,” he continues.

Symantec’s security analysts then pore over the results, quickly develop and apply updates to the protection technologies by Norton, and then send the updates directly to our users’ computers. Reynolds explains that this is how Symantec is able to consistently deploy rapid responses to both zero-day and emerging threats.

“Often, we’ll hear about some group of bad guys that popped up on the black market, selling an exploit for a vulnerability we’ve never seen before, often targeting a popular, widespread application,” he says. “Once we get a chance to see what they’re actually doing, we’ll realise that we’ve already seen this threat before. We may even have already developed some signatures for it."

Size matters  

So what’s to prevent competing companies from following Symantec’s lead and developing a security technology-based worldwide network of intelligence-gathering computers — an engaged user base that represents 150 different countries — and cutting-edge analytical techniques?

In a word: scale.

“We are an always-on operation with labs around the world — in southern California, Ireland and Japan,” Haley says. “Our work follows the sun. There is always a team of Symantec people somewhere in the world that is actively engaged in ensuring that the protection offered by Norton Security is as up to date as it can possibly be.”

And that level of dedication doesn’t come cheap. It takes a lot of resources to be able to support an R&D operation like that, which means a large customer base and a steady revenue stream. Not every Internet security company will have that.

“I think that’s unique to us, and I think it’s because of the scale of our company,” Haley says. “I don’t believe that anyone else has the scale we enjoy from our vast customer base, on both the consumer and enterprise sides of the business.”

“A smaller company will not be able to replicate what we do,” Reynolds agrees. “We can get solutions in place quickly to protect our customers in a way other, smaller companies just can’t match.”

In the end, the success of the Norton team is tied tightly to its customers. They provide the revenue that allows Symantec to invest in its extensive research and development infrastructure. They deliver so much of the raw data that drives the innovation that Norton products are known for. In fact, to hear Haley tell it, Norton customers are equal partners in the fight against online security threats.

“At the heart of our R&D efforts, you’ll find our customers,” he continues. “Every day they send us more and more data. They may send us a file they suspect is malware; if it is, we learn all we can from it so that we can make sure our customers are protected from it.

“Having a customer base like that is an invaluable advantage, and is something only a company the size of Symantec can deliver.”

Security Experts

It takes a non-stop operation to stay one step ahead of the more than 80,000 new malware threats that appear every day. Meet the seasoned security experts on our STAR team, who spend their days battling on the frontline of digital crime.

Service & Support

With a team of over 1,700 customer care experts dotted around the globe, Norton ensures easily accessible support no matter your location. In fact, we’re so confident in our award-winning protection and quality support services that we offer a money-back guarantee. 

Heritage & Reputation

We have an extensive security history and our pioneering spirit continues today. Our digital world is constantly changing, so at Norton we never rest. We’ve protected our customers and their data for 25 years — and we’re going to keep doing just that.


Follow us for all the latest news, tips and updates.