Big Data Analytics and the Smart Protection Network
If there’s one thing I’ve learned about the threat landscape today, it’s this: it’s always growing, and it’s always changing. Both mobile computing and the cloud are changing the threat landscape, while old threats like malware and spam continue to grow and proliferate.
Every day, we receive 430,000 files for analysis, of which 200,000 are unique. That results in 60,000 new signatures for detection every day.
However, we don’t stop there in order to protect our customers. Starting in 2005, we began looking into e-mail reputation in order to address the spam problem. As we did this, we realized that we have a goldmine of potential threat intelligence: unwanted e-mail is also used to spread malware and launch targeted attacks.
We not only stopped spam from reaching our customers, but we also did in-depth analysis on the spam runs we did see. This allowed us to discover new threats, as well as patterns within these threats.
More and more e-mails didn’t contain the malware as an attachment, but pointed to a malicious website instead. Based on this we started to invest heavily in web reputation, and this technology is now one of our main weapons against cybercriminals today.
We receive almost 8 billion URL queries per day from our customers, and we reply immediately with what the queried URL is about: whether it’s malicious or not, and its category. Our products use this to block URLs, but we also use this to gather more information about attacks. Because of this, we’re able to find out about new attack models, command and control servers, and targeted attacks.
These three elements have made up the foundation of the Smart Protection Network, but as the threat environment evolves, so too must Trend Micro’s response.
We have now added mobile application reputation to our capabilities. The number of mobile malware samples we’re seeing is skyrocketing. Last year, mobile malware for Android was under the radar, but we predicted that we’d see 120,000 mobile malware samples by the end of 2012. For that, we have been called scammers and charlatans. Today, with over 30,000 Android malware samples already detected, our prediction is likely to be proven correct.
In addition, the Smart Protection Network is now able to protect against vulnerabilities/exploits and malicious network traffic. By correlating our global threat intelligence across all the threat vectors, we see more, correlate more, detect more and protect our customers better against the wide variety of attacks.
This rising number of threats also means the risk of false positives is growing; because of this we have added whitelisting to the Smart Protection Network. Our database of over 140 million known good applications helps us to find the right balance between aggressive malware detection and false positive avoidance.
Thanks to our leadership in the reputation and correlation area, we get many requests from law enforcement to help them identify and jail criminals. This is something that is very satisfying for our team of threat researchers.
In addition to our customers and law enforcement, we also provide threat intelligence to our partners like RSA, helping protect millions of users around the world.
The correlation provided by the Smart Protection Network has helped us to deliver better security. Thanks to our threat expertise and our investment into the Smart Protection Network, we are able to provide improved protection for our customers.
The infographic below illustrates how Smart Protection Network works to protect our customers from threats:
Post from: TrendLabs | Malware Blog – by Trend Micro