........................................

SYMANTEC™ EMAIL SECURITY.CLOUD

TECHNICAL BRIEF:

Technical Product Overview

Symantec™ Email Security.Cloud with

Skeptic™ Whitepaper
Who should read this paper
This white paper outlines the technical approach we use to deliver
Symantec™ Email Security.cloud and protect your business from email-
borne spam, phishing, malware, and targeted attacks without the need
for on-premise software or hardware. A working knowledge of email and
information security principles is recommended.
 Symantec™ Email Security.Cloud with Skeptic™ Whitepaper
Technical Product Overview

Content

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Global Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Cloud Security Platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Security Technology and Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Service Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Industry Leading Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
 Symantec™ Email Security.Cloud with Skeptic™ Whitepaper
Technical Product Overview

Overview

The need for an effective email defense is very real. Due to the prominence and use of email in business operations, cyber criminals,
spammers, and malware authors continue to focus considerable effort on developing email-based forms of attack. In the last few years, these
attacks have become more targeted and sophisticated, exhibiting convergence across multiple communication protocols. A common
approach is to use email to lure users to websites, which install malware that infiltrates corporate networks and steals information. Once
data has been extracted, it can be utilized or sold through what has become a very well organized underground economy.

1
Nearly one in 125 emails today contains some form of malware threat. Advanced toolsets used by cyber criminals are able to automatically
mass-produce malware variants designed to overwhelm and evade traditional signature-based antivirus scanners. Some attackers also use
highly targeted approaches that are designed to defeat signature-based systems by flying under the radar. Either way, the battle has reached
a point where traditional antivirus signature scanning techniques alone are not enough.

Without effective defenses, organizations risk costly business disruption, data leaks, and loss of customer confidence. However, mounting an
effective defense can consume scarce resources and expertise. Symantec™ Email Security.cloud helps to protect your business from email-
borne malware and does not require on-site hardware or software. Delivered from the cloud, the service is built on excellent customer service
2
and a meaningful service level agreement (SLA) that examines accuracy, effectiveness, and availability. The SLA is underpinned
by significant service credits that demonstrate the confidence of Symantec's ability to deliver a robust email security service.

This white paper outlines the technical approach we use to deliver Symantec Email Security.cloud and meet our aggressive service level
targets.

1- https://www.symantec.com/security_response/publications/monthlythreatreport.jsp
2- Service Level Agreement http://www.symanteccloud.com/documents.aspx

1
 Symantec™ Email Security.Cloud with Skeptic™ Whitepaper
Technical Product Overview

Global Infrastructure

Symantec Email Security.cloud service uses infrastructure managed in the cloud designed to block email-borne malware threats before they
reach your network. The service is delivered through a global infrastructure of highly available data centers located around the world. These
data centers are load balanced and housed in highly secure, well-established telecommunications centers located at major Internet exchange
points.

Redundancy within and across data centers enables us to offer a service level agreement target of 100 percent service uptime. In addition,
we aim to run our email servers at below capacity, providing ample headroom to handle unexpected spikes in traffic.

As of December 2012, Symantec cloud infrastructure processes more than 5 billion emails a month on behalf of our customers, ranging from
Fortune 500 companies to small businesses. Handling such a large amount of email traffic for such a broad range of global customers
enables us to identify and block new emerging threats faster.

Cloud Security Platform

Email Security service uses a sophisticated multilayer architecture that combines multiple scanning engines. The following techniques are
used at the perimeter of our platform to provide a first layer of defense:

Traffic Shaping

Symantec™ Traffic Shaper uses techniques that analyze traffic patterns at the TCP/IP protocol level to evaluate potentially malicious IP
addresses. IPs that are considered a threat are identified, and the number of connections allowed to the Email Security infrastructure is
reduced. This dramatically shrinks malicious email volumes while enabling legitimate email to reach its destination.

Traffic management technology analyzes IP interaction over a period of time after connection limiting steps are taken. It is known that
standard business mail servers have different patterns of connections than those of a Bot that is delivering either malicious code or spam.
Taking a holistic approach that goes beyond evaluating current known reputations and includes studying connection patterns over time
allows the system to more intelligently determine how many connections should be accepted by the infrastructure.

2
 Symantec™ Email Security.Cloud with Skeptic™ Whitepaper
Technical Product Overview

SMTP Heuris
Heuristics
tics

Connection management works at the SMTP connection layer using techniques to verify legitimate SMTP conversations. Multiple component
technologies are deployed in this layer of the platform to study the methodologies used by different servers connecting to our infrastructure.
Using SMTP heuristics and signature components at the connection layer allows for Email Security to proactively shut down SMTP
conversations identified as being illegitimate.

Recipient V
Validation
alidation

Recipient validation uses email address checking to reduce the overall volume of emails for registered domains and discards connections for
which the recipient addresses are identified as invalid or non-existent. In addition to reducing the volume of illegitimate email, this helps to
block dictionary attacks against your mail infrastructure.

Collectively, traffic shaping, SMTP heuristics, and recipient validation dramatically reduce the volume of mail that hits the scanning layers.
This allows us to apply in-depth analysis techniques at the scanning layers without compromising mail delivery times.

Spam Scanning

The first scanning layer utilizes both dynamic and customer defined block lists to filter out traffic from known bad hosts and other unwanted
email. Symantec™ Messaging Gateway for Service Providers presents real-time automated spam filtering backed by the Symantec™ Global
Intelligence Network. More than 2.5 million decoy email accounts focused on collecting fraud, phishing and spam samples make up part of
the Global Intelligence Network known as the probe network. The probe network has a global presence, including targeted deployments for
foreign language content, and can gauge global spam and phishing activity. This network gathers more than 30 million probe messages per
day.

3
 Symantec™ Email Security.Cloud with Skeptic™ Whitepaper
Technical Product Overview

Intelligent Data FFeeds

eeds

The Skeptic™ scanning layer provides further defense against spam, malware, and phishing attacks. Understanding a file's history and
reputation goes a long way to determining whether a file should be deemed malicious or not. Symantec Insight™ is reputation-based security
technology that puts files in context, using their age, frequency, location, and more. In-depth heuristic analysis of a file is expensive in terms
of time and processing. The most expensive file to scan is one we already know is clean. By leveraging a feed of clean data from Insight,
Email Security customers can take advantage of the intelligence captured from over 210 million systems in over 200 countries.

The breadth of Symantec's security expertise and intelligence is highlighted further by the use of data from Norton™ Safe Web. Safe Web is a
reputation service from Symantec that analyzes web sites and their content. Data from Norton Safe Web and other external sources is used
to detect and block emails containing links to known malicious websites for the purposes of phishing, malware distribution or other malicious
activity.

Symantec™ Pro
Protection
tection Engine ffor
or Cloud Ser
Services
vices

Symantec™ Protection Engine for Cloud Services is a fast, scalable, and reliable content scanning engine. It uses patented technology to
deliver industry leading malware protection. Email Security uses a multilayered antivirus architecture that combines Protection Engine for
Cloud Services with Skeptic, providing defense in depth and limiting reliance on a single detection method.

Sk
Skep
eptic
tic Heuris
Heuristic
tic T
Technolog
echnologyy

Although signature based scanners are effective in some areas, they have limited ability to detect new, unknown virus threats. Email Security
3
is designed to provide 100 percent protection from known and unknown viruses as defined in the SLA. To help us to achieve our service level
target we use predictive heuristic technologies built into a proprietary defense layer called Skeptic.

Skeptic employs heuristic technologies to determine if an email contains any components of malicious code. For example, Skeptic uses email
structure analysis to examine headers and attachments. Skeptic then runs complex deep analysis scans within emails and attachments to
find out more information. Skeptic also performs advanced code analysis, which operates on findings showing that malware writers reuse
portions of their own code across new and different malware.

Skeptic uses multiple patented technologies and thousands of rules to analyze and detect unknown threats. Unlike commercial antivirus
scanning engines, Skeptic cannot be downloaded and tested by cyber criminals. A few of the techniques deployed by Skeptic to detect threats
in email communications include:

Real-time Link Following technology evaluates URL links in emails to test if they point to malicious websites. Links potentially differ from
conventional email virus threats in that the URL itself does not contain malicious code but instead the http page that the URL directs users to
contains malicious payload.

Sandbox techniques in both full and partial forms are used to detect malware that exhibits easily detectable destructive behavior.
Code analysis techniques are used to detect malware that is trying to evade sandboxing or which is trying to obscure itself.

Reverse virus scanning allows new file-infecting viruses to be identified by detecting changes of formerly known good files. Symantec
maintains a database of known good software, such as Windows executables and other popular software, which allows positive identification
of good files and reduces virus false positives.

3- http://www.symanteccloud.com/documents.aspx

4
 Symantec™ Email Security.Cloud with Skeptic™ Whitepaper
Technical Product Overview

File recognizers use Symantec’s own large library of recognizers for known good ‘variable’ software. Examples include self-extracting zip files,
self-extracting PGP encrypted files, flash files, etc. These files vary each time because they carry data that can change. Our service examines
and compares files to the known valid versions of these files in order to reduce false positives and aid in the identification of new file-
infecting viruses.

Historical recognition uses Symantec’s historical attachments data. Our data (which spans over 12 years), allows us to compute the
probability of a file being clean based on the length of time it has been in circulation without ever being marked as malicious by antivirus
software.

Statistical analysis techniques detect malware trying to hide using new compression or encoding techniques.

Data file fingerprinting is used to recognize when a data file looks suspicious. This is accomplished using a combination of several
techniques. These types of files are often targeted trojan viruses which are designed for industrial or state-sponsored espionage.

Malformed email recognition is performed to detect deliberately malformed emails. These emails are used by malware creators to bypass
scanners using an email that the scanner will usually not recognize as having a valid attachment. Skeptic decodes these and scans resulting
attachments.

Skeptic uses scalable server arrays managed in the cloud to perform heuristic analysis techniques on over 7 billion emails each month. The
more traffic it scans, the smarter it gets.

Security Technology and Response

Email Security.cloud leverages protection technologies developed by the Symantec Security Technology and Response (STAR) team. STAR is a
worldwide team of security engineers, threat analysts, and researchers that provide the underlying functionality, content, and support for all
Symantec corporate and consumer security products. With eleven global response centers located throughout the world, STAR leverages the
vast intelligence of the Global Intelligence Network (the technology backbone of Security Response) to develop and deliver the world's most
comprehensive security protection.

The team provides an additional layer of protection for all Email Security customers by examining proactive alerts generated by Skeptic.
Looking at email content and traffic patterns, Skeptic can proactively alert our security research and response teams about suspicious
messages or unusual trends occurring in one or many of our customers. These types of messages would not ordinarily trigger a reaction from
signature based scanning technology and could represent an entirely new threat or targeted attack that needs response.

The value of a human team behind any security service should not be underestimated. The STAR team has the added advantage of using data
gathered from multiple products and services across the Symantec portfolio to investigate and feed security intelligence ensuring our
customers get a high performing, robust email security service.

Service Administration

Administration is performed on the Symantec.cloud management portal. A single administrative logon can be used to manage multiple
Symantec cloud services, including Symantec™ Web Security.cloud.

When Email Security intercepts a virus or malware in an email, it places the infected email into a holding pen, where it is stored for up to 30
days before being deleted. This quarantine period means that the malicious email is isolated and cannot infect the intended recipient’s
computer.

5
 Symantec™ Email Security.Cloud with Skeptic™ Whitepaper
Technical Product Overview

Each quarantined email is given a unique identifier. This identifier is provided in the alerts that can be issued to administrators and users
when an email containing a suspect virus is received.

Key Reporting Capabilities

Dashboard, summary, detailed, and scheduled reporting options are included and configurable to provide visibility, accountability, and
confidence in the service’s effectiveness and your organizations email activity.

The key statistics dashboard provides a quick view of the current service performance levels and notable activities such as virus blocks or
emails that have triggered a policy.

Report requests provide a way to get more in-depth reporting, allowing you to customize what metrics and time periods are included. Reports
can be executed as a one-off or scheduled to run at regular intervals, with options to deliver via portal or straight to your inbox.

My Services is designed to give you an at a glance overview of service activity across multiple Symantec cloud security services.

Industry Leading Service

Symantec understands that our customers want a high performing security service and excellent customer service backed by a meaningful
and comprehensive service level agreement (SLA). Our confidence and our ability to deliver this is demonstrated by our market leader
4
position and our willingness to underpin our SLA with significant service credits.

Email Security service level agreement provides an aggressive set of metrics by which the service is monitored and credit back or other
remedies are provided according to the SLA if the following performance targets are not met:

• AntiVirus Effectiveness – 100 percent protection against known and unknown email viruses
• AntiVirus Accuracy - no more than 0.0001 percent false positives
• AntiSpam Effectiveness – 99 percent spam capture (95 percent for email with double-byte characters)
• AntiSpam Accuracy - no more than 0.0003 percent false positives
• Email Delivery – 100 percent email delivery
• Latency – average email scanning time within 60 seconds
• Availability – 100 percent service uptime
• Technical Support - specific response times for critical, major, and minor calls

Summary

By deploying Symantec Email Security.cloud you can block virus, malware, spam, phishing, and targeted attacks before they reach your
inbox. Email Security's content and image control services help control the flow of confidential and undesirable material through customer
defined policies. Policy based encryption services can also be enabled to help protect confidential information from unauthorized viewers
and ensure safe delivery of your most important messages. These services are available in a single integrated management console,
simplifying administration while improving your control and visibility into service effectiveness.

4- Gartner Magic Quadrant for Secure Email Gateways 2015 https://www.gartner.com/doc/3084025/magic-quadrant-secure-email-gateways

6
 Symantec™ Email Security.Cloud with Skeptic™ Whitepaper
Technical Product Overview

About Symantec
Symantec Corporation (NASDAQ: SYMC) is an
information protection expert that helps people,
businesses, and governments seeking the freedom
to unlock the opportunities technology
brings—anytime, anywhere. Founded in April 1982,
Symantec, a Fortune 500 company operating one of
the largest global data-intelligence networks, has
provided leading security, backup, and availability
solutions for where vital information is stored,
accessed, and shared. The company’s more than
20,000 employees reside in more than 50
countries. Ninety-nine percent of Fortune 500
companies are Symantec customers. In fiscal 2014,
it recorded revenues of $6.7 billion. To learn more
go to www.symantec.com or connect with Symantec
at: go.symantec.com/ socialmedia.

For specific country offices
and contact numbers, please
visit our website.
Symantec World Headquarters
350 Ellis St.
Mountain View, CA 94043 USA
Copyright © 2016 Symantec Corporation. All rights
reserved. Symantec, the Symantec Logo, and the
Checkmark Logo are trademarks or registered
trademarks of Symantec Corporation or its affiliates in
the U.S. and other countries. Other names may be
trademarks of their respective owners.
4/2016 21284713-2

+1 (650) 527 8000

1 (800) 721 3934
www.symantec.com