Learn More About Symantec Threat Risk Levels

Organizations have depended for years on the use of content categories to protect employee web access. Categories are still a critical component to any effective Secure Web Gateway (SWG). SWGs block pornography, shopping sites, gambling, or any other site that doesn’t adhere to a company’s acceptable use policy...but more importantly, might be the entry point to malicious activity. As the number of new websites have skyrocketed on the commercial internet, even the best SWGs struggle to keep up. Swift categorization is difficult and if uncategorized sites are blocked by policy, calls are likely to flood the help desk from employees requesting access to an uncategorized site.

Symantec, a division of Broadcom Software, created Threat Risk Levels to address this problem. AI engines often don’t have enough information on a new website to assign it to a category. But there is contextual metadata, for example the web host’s IP address, a server’s behavior, or characteristics of a URL that allow us to give it a Risk Level rating of one (safe) to 10 (very risky).

Symantec, a division of Broadcom Software, created Threat Risk Levels to address this problem. AI engines often don’t have enough information on a new website to assign it to a category. But there is contextual metadata, for example the web host’s IP address, a server’s behavior, or characteristics of a URL that allow us to give it a Risk Level rating of one (safe) to 10 (very risky).

To make it happen, Symantec adds and updates Risk Levels for all the entries in our URL database -- a critical component of Symantec Global Intelligence Network (GIN). We discern the risk snapshot based on history, reported ratings and traffic. Millions of sites are short-lived, what we call “one-day wonders.” Our Context Engine uses AI to track and render opinions about the hundreds of millions of domains, subdomains and IP addresses across the web. Additionally, we use the same system to set a Risk Level for all requests not in our URL database.

So, here’s the question: What is your Risk Level policy? If your organization wants a higher security profile, we recommend starting at level six -- moderate. To further explain the value of risk levels with real-world examples and recommendations, Symantec will hold a Webinar on September 15. You can register here.

For Risk Levels seven through 10, we advise a complete blocking of these sites. If your organization must provide access to such pages, we recommend using our Web Isolation, integrated with our SWG and part of the Web Protection Suite. With Web Isolation unknown web traffic is delivered to a remote isolation environment which renders a dubious site and any associated content and sends back only a safe, visual stream to the end-user’s browser. If there’s any malicious code, it stays in isolation and doesn’t infect your network. The best part: It’s seamless to the user and runs automatically. Scratch all those calls to the help desk demanding access.

With more stringent privacy regulations in recent years, many organizations now need to protect users’ health, financial, or other personal information. This need competes directly with the emerging requirement to inspect encrypted web traffic, which cyber criminals are increasingly using to distribute malware and to collect personally identifiable information. Risk Levels enable the IT administrator to allow safe sites (rated 1 to 3) to be accessed without SSL inspection—thereby protecting user privacy—while decrypting riskier sites for additional inspection, including advanced threat detection and data leakage protection.

To see Symantec’s Threat Risk Levels in action, in June, we got a report of a malicious domain, “pozdravlenie[.]xyz”. (The word means “congratulations” in Russian, which already raises a warning flag!) However, before we got the report that the domain was malicious, we had already seen three attempted visits to the site the day before. All three requests were for a .EXE file, but our logs showed that the server had not actually returned an executable file -- in fact, it didn't really want to talk to us. However, WebPulse gathered enough metadata to progressively move the risk level from a 5 to a 6 and then finally flag each request with a Risk Level of 7 and return a category of “Suspicious”, even without seeing the actual .EXE file.

Finally, Symantec’s system allows you to look at the impact raising or lowering Risk Levels has on your organization’s website access before you choose a degree of protection. For example, generating a report for all uncategorized websites with risk level 6 allows you to see the impact when incorporating that into your policy. It’s easy to do and could save your IT department untold hours wrangling user requests.

For more details on Risk Levels, check out the white paper - The Need for Risk Levels in Secure Web Gateways.