12 Things to Look for in a Managed PKI Solution, Part 1

        Mar 28 2018, 11:26 PM

        by Lee-Lin Thye

        This is the first part of a four-part series covering twelve fundamentals for choosing a managed PKI solution, and questions to ask in the buying process.

        The purpose of this post is to make you aware that not all managed PKI providers are the same. There are some significant differences between DigiCert’s offering and the competition that you would not see by comparing data sheets. DigiCert’s key advantage is that Symantec Managed PKI was designed as a service from the ground up, whereas competitors have built their services on legacy on-premise software. While the data sheets might look similar, over the next few weeks we will highlight some of the fundamental advantages of Symantec Managed PKI.

        When it comes to Public Key Infrastructure (PKI), organizations have two deployment options: 1) they can opt for an in-house on-premise solution, or 2) a cloud-based service like Symantec Managed PKI*. There are many benefits to a Managed PKI Service, including faster time to deployment, lower total cost of ownership, and leveraging operational excellence.

        On Premise vs Managed PKI

        1. Shared vs. Dedicated customer PKI roots

        DigiCert performs an independent, third-party audited Root Key Generation Ceremony (RKGC) for every customer we bring on to the service. In fact, DigiCert performs over 1000 key ceremonies every year, more than any other managed PKI provider in the world. Some providers will “partition” their PKI and host multiple customers under the same root. The root CA is your trust anchor, and it should not be shared: with a shared root, a compromise of that key, or a misissuance under it, affects every tenant, and the root cannot be revoked or replaced for one customer without affecting all the others.

        2. Timeliness

        One of the key benefits of a Managed Service is that your Certificate Authority (CA) can be operational much faster than trying to set one up on premise. DigiCert can bring a new customer on to our Managed Service in as few as 10 days from the processing of your Purchase Order. Under special circumstances, we can have it operational even sooner. Competing service providers are typically operational in 8-12 weeks, and don’t always meet that deadline.

        3. Access to Public trust

        In addition to your own private root of trust, DigiCert’s standard offering also gives you access to a public root and to a root on the Adobe Approved Trust List (AATL), all accessible and managed from the same web-based administrative portal. Access to these additional roots lets organizations meet enterprise use cases that require external trust, for example e-mail signatures that recipients’ mail clients trust without extra configuration, and Adobe document signing. Competing solutions typically offer only private roots of trust, or require you to issue publicly trusted user certificates from a separate portal.

        4. Broad revocation support

        DigiCert supports both the Online Certificate Status Protocol (OCSP) and traditional Certificate Revocation Lists (CRLs) as part of our standard service. Some competing solutions offer only CRL-based checking and charge extra for OCSP. Both matter in practice: a CRL lets clients that cannot reach a responder, or that only implement CRL checking, verify status from a cached list, while OCSP gives fresh, per-certificate status without downloading the whole list. If one of the two costs extra, that gap ends up in your deployment.

        Questions to Ask

        Here are some questions to ask your potential Managed PKI service provider:

        • Do you offer a shared “partitioned” PKI root, or do you only offer dedicated PKI roots?

        • Do you perform a root key generation ceremony for every customer you bring on to your service?

        • How quickly is the service operational from the time you process my purchase order?

        • Do you have a proven track record of meeting your stated timelines?

        • Can you offer me different roots of trust for all of my enterprise use cases from a single administrative portal?

        • Do you include both OCSP and CRL based revocation checking as part of your service, or is one of them an additional charge?

        Part 2 in this series will cover some of the DigiCert advantages around Administration and Deployment. Would you need to open a support ticket every time you make an Administrative change to the CA?  I'll cover this and two other fundamentals for choosing a PKI provider in the next post.

        *On October 31, 2017, DigiCert, Inc. acquired from Symantec Corporation the business of providing and supporting Symantec’s Website Security and PKI products and services.

The Dark Overlord: A New Cyber Threat Puts Schools at Risk

        Nov 08 2017, 3:35 PM

        by khaley

        The education sector is learning the lessons of weak data security the hard way: Cyber thieves have attacked more than three dozen school districts this year, exploiting poorly-defended systems to steal valuable information or take over their networks and hold them for ransom.

        It’s a familiar problem. The education sector sees more phishing, malware and spam than other sectors of the economy, according to Symantec’s 2017 Internet Security Threat Report - Government. No surprise, then, that information security led the EDUCAUSE 2018 Top 10 IT Issues list for the third year in a row.

        But as malicious hackers continue to target school districts, the US Department of Education is now warning of an even more insidious form of cyber-extortion.

        New Challenge Looms

        Schools have previously been targeted by ransomware attacks, in which attackers encrypt an organization’s data and hold it hostage until they get paid. In this latest scheme, attackers steal the data outright and then demand payment not to sell it. Unless the ransom is paid, the attackers threaten to sell the purloined names, addresses, phone numbers and other student data.

        As a way of applying added pressure on the schools, attackers also send email or text messages to parents and students raising the prospect of violence at their school. In one case, over 20 parents received these kinds of threatening messages. 

        One district was forced to shut down 30 schools for three days as a preventive measure. So far, law enforcement has not deemed any of these threats of violence to be credible. But the psychological damage is real with falling attendance at the targeted schools. Meanwhile, news of these incidents has resulted in copycat incidents leading to bogus threats to disrupt other schools. 

        The criminal gang behind these attacks calls itself the Dark Overlord. They have been described as foreign, but at least one member of the group has an excellent command of English. Most likely the group comprises multiple members, at least one of whom hails from an English-speaking country. These attackers have previously targeted healthcare organizations, movie studios and manufacturers.

        Fighting the Dark Overlord

        What can you do to blunt the threat posed by the Dark Overlord? First, don’t pay the ransom. There is no guarantee that the extortionists will delete, or refrain from selling, data you have paid to protect. You can’t trust criminals.

        Second, keep these attackers out of your school from the start. That means stepping up the work of securing your network and the data that resides on it. The Department of Education just issued some pretty good advice. They suggest:

        • Conducting security audits to identify weaknesses and update/patch vulnerable systems;

        • Ensuring proper audit logs are created and reviewed routinely for suspicious activity;

        • Training staff and students on data security best practices and phishing/social engineering awareness; and

        • Reviewing all sensitive data to verify that outside access is appropriately limited.

        Also, the FBI has spotlighted the practice where some attackers use anonymous FTP servers (most likely set up earlier and then forgotten by IT organizations) to gain access to an organization’s network. A server that accepts anonymous logins needs no stolen credentials at all, and whatever it can read or write is exposed to anyone who finds it. Unless there is a legitimate, current need for those servers in your organization, disable them now.

        You don’t need to be afraid of cyber attackers. They may be evil, but they are not evil geniuses. They simply take advantage of mistakes we make, and we can fix the errors. It just takes diligence to follow best practices, put good security practices and products in place, and to be prepared.

Symantec Employees Provide 6,000 Hours and $41,000 to Causes in Need

        Oct 27 2017, 6:07 PM

        by Tess Hetzel

        Photo: @LRBed Blood donation event in Waterloo, Canada 

        At Symantec, the activism, advocacy, and passion of employees on the ground is what transforms our corporate responsibility strategy into tangible, real-world results. We’re committed to building a culture that enables employees to apply their time and talents to the issues they care most deeply about, and offer programs to maximize volunteer and philanthropic efforts.

        These include our Matching Gift, Dollars for Doers and Nonprofit Board Service programs; Symantec Service Time, which provides employees with up to five paid working days for volunteering; and Global Service Week, a full week of service during which employees are encouraged to commit to at least 30 minutes (and up to eight hours) of community service with a charitable project of their choice.

        Starting October 9, 1,500 employees across the globe donated their time and talents to make Symantec’s second annual Global Service week a smashing success. With more than 70 events in 11 countries resulting in 6,280 hours with nonprofits and charities—we achieved a 57 percent increase from 2016 efforts. From Saudi Arabia to Reading, Johannesburg to Warsaw, Sydney to Tempe, employees worked together to make a difference in their communities. Global Service Week is one of the many ways we empower employees to help us meet our goal of reaching an average of four volunteer hours per employee by 2020.

        In addition to the hours spent playing games with kids at the Boys and Girls Club, teaching seniors about technology, building solar lights for those in energy poverty, participating in blood drives, donating and sorting clothing for low-income women starting their careers, and serving meals to the homeless, nonprofit recipients also received $41,420 through Symantec’s Dollars For Doers program, which provides a cash grant of $15 USD for every hour of volunteer service up to $1,000 per year per employee.

        Symantec employees chose projects and causes that spanned several different focus areas: 31 percent volunteered with an environmental cause, 19 percent volunteered with a cause that helps women, minorities and low-income populations, and 14 percent volunteered with a cause focused on STEM and equal access.

        Six Symantec sites (our Dublin, Dubai, Johannesburg, Reading UK, Saudi Arabia, and Singapore offices) built solar powered light bulbs in partnership with Solar Buddy; Cape Town will be doing this next week. The light bulbs are on their way to Papua New Guinea (PNG), where only 10 percent of residents are connected to the electricity grid, leaving seven million people forced to rely on dangerous kerosene, campfires, and expensive battery operated torches. Thanks to the volunteer support of Symantec employees, these solar light bulbs will give children and families living in energy poverty access to light. Children will be able to do homework after dark, parents can continue to work on their small businesses, and women and girls can walk around their villages safely.

        Photo: @Jdeuria Puppy Cuddling in Sydney, Australia

        The majority of employees chose a hands-on project, like Mohsin Najmuddin in Pakistan, who planted fruit trees at a charity school named "Hilal Public School" located in a remote area far from Karachi and provided lunch for the students. “It was a great experience. We taught the benefits of tree plantation to the students and asked them to own those trees and to look after them. We also did a general knowledge question answer session with the students and distributed gifts among them,” Mohsin said.

         Photo: @LouiseRHanlon Solar Buddy event in Singapore

        For June Lee in Singapore, Global Service Week was the first time she heard of Beyond Charity, a nonprofit dedicated to helping children and youths from less privileged backgrounds break away from the poverty cycle. June helped deliver food to families in need and through the process she learned how much the charity did for the community. June had always wanted to volunteer but wasn’t sure where to spend her time or how to get involved. With Symantec’s support and through GSW she found the process to join simple. “I wanted to volunteer, but didn't know where and how. Global Service Week provides the opportunity to reach out to people and now I’m more aware that there are still many people who really need our help,” she said.

        Jeff Reitzes, who volunteered at the Habitat for Humanity (HfH) ReStore in Concord, California, also chose a hands-on project. ReStore is a store that sells donated building materials, furniture, appliances, beds, mattresses and other household items, with the proceeds going to fund HfH projects. Jeff put together furniture for display, moved items from the trucks to the warehouse and the store, took sold items to customers' cars and did lots of other odd jobs. Of the experience he said, “I had a great time and worked with a lot of nice people. It was VERY nice for Symantec to let me take the day off of work to do this volunteer work. I will definitely do it again outside of Global Service Week.”

        In the United States, four Symantec offices partnered with Together We Rise, a non-profit that supports children in foster care. One of the organization’s main programs, Build a Bike, provides free bicycles to make the foster care transition a little easier. Symantec employees in Boxborough, Mountain View and San Francisco built bicycles for young foster children to experience the simple joys of childhood, and for foster teens to help get them to jobs and classes. The Washington, D.C. office also worked with Together We Rise, providing Sweet Cases to foster children – new duffel bags filled with essentials like a teddy bear, blanket, hygiene kit and more.

        Photo: @NatalieBlackwel Giving the gift of light in Dublin

        We’d like to congratulate our event organizer winners who each won a $500 award for their efforts: Amber Tarin, who brought a team to the Utah Food Bank, and Benjamin Cook, who organized a blood drive in Melbourne, Australia. Our Twitter Photo Contest winners this year are Charlie Cam, Maqbool Khan, Ajay Kumar, Saad Sheikh, and Nina Singhal, and we’d like to thank all of the employees who shared their experiences with us on Twitter.

        Global Service Week was a fantastic opportunity for employees around the world to come together with old friends and new, to volunteer with a cause they care deeply about. We thank all of our organizers, executives, and employees for their efforts this year and are proud of the tremendous impact made in communities across the globe. 

A Safe and Secure Shelter

        Oct 13 2017, 1:21 AM

        by Tess Hetzel

        Product donation is Symantec’s largest mechanism to support the nonprofit community and help nonprofits fulfill their missions. In partnership with TechSoup, each year we provide cybersecurity solutions to more than 25,000 organizations across 55 countries worldwide, allowing them to secure their most important data wherever it lives. Since launching the software donation program in 2002, Symantec has helped more than 93,000 nonprofits solve today’s biggest security challenges and protect against the ever-evolving threat landscape.

        Founded in 1976, Citizens Against Physical and Sexual Abuse (CAPSA), works to provide safe, caring, and confidential shelter, advocacy, and support for victims of physical and emotional domestic violence and sexual assault; and to reduce incidents of abuse through prevention education. Serving a small community in Northern Utah, the organization is up against significant odds—nationally one in four women, and one in seven men, will experience domestic violence in their lifetimes.

        CAPSA is an organization that continually has more needs than resources in trying to help those suffering from abuse. Even with limited resources and funding, the nonprofit is able to provide advocacy, counseling, safety planning, and both temporary and long-term shelter for almost 1,000 people each year. The group also educates thousands of youth a year, channeling tens of thousands of volunteer hours towards this cause.

        Above: CAPSA owned housing, built by volunteers and clients, which help keep clients safe as they begin the process of rebuilding their lives.

        Data security is critical for CAPSA

        With this type of work, CAPSA has some demanding computer, network, and information system challenges and needs. According to James Boyd, CAPSA’s Development Director, “The feeling of safety and security is something we’re trying to provide our clients. We’re dealing with people who sometimes come in afraid for their lives, afraid someone will find out their location. In fact, the Center for Disease Control and Prevention put out a study that indicates when someone leaves an abusive relationship, the chances of being killed increases significantly. We have a safe and secure shelter, we teach people safety planning, and as an organization, we need to know our data is secure. Maintaining the security and safety of our confidential and sensitive data is a big part of what we need, and a big part of what we need to be able to provide our clients.”

        James went on to describe how a data security breach would affect the grants that sustain the organization financially. “If our data was breached, I’m confident that most, if not all, of our grants would pull out. That would mean immediately losing services for clients—thousands of people each year wouldn’t get support or services they need,” he said.

        CAPSA began using Symantec's Endpoint Protection (SEP) for small businesses a couple of years ago after experiencing considerable downtime as workstations became compromised. Due to limited funds, in the past they used free or trial versions of anti-virus software, and were continually hit with malware attacks. Their email accounts were hacked, sending out private information and spam emails, negatively affecting their reputation, and more importantly, putting lives in danger.

        Their part-time information systems manager David Sullivan spent multiple days after each attack reinstalling a clean version of the operating system and software. This tedious and time-consuming process also left employees without their computers for several days. David then started looking for a solution that would protect their confidential information, keep the organization running smoothly, and could be both deployed and maintained easily.

        David chose SEP, through Symantec’s software donation partnership with TechSoup. “Symantec’s Endpoint Protection has done a superb job of keeping our sensitive and confidential information safe, preventing malware and other issues that cause down time in our computers and systems. The ease in which I was able to deploy SEP, and the way it can be centrally managed through an online portal has been wonderful. It has helped our staff stay focused on the individuals and families they support, and has helped me focus on providing the information systems improvements that help them best do their jobs.”

        Saving lives one-by-one

        James also estimates that through SEP, each year the organization saves $1,000—which directly equals sheltering one more individual per year. That one person is someone like the young mother who walked through the snow and slush barefooted with her two children last winter to escape abuse. “Luckily she ran into a stranger who knew about us and was able to get her to CAPSA. We helped her work to overcome barriers that often times cause people to go back to violent situations. We helped her get a job, helped her get housing, and gave her and her older child therapy. She’s now living in a CAPSA-owned house and she’s doing well. To see that whole cycle is amazing,” says James.

        Domestic violence happens more than we realize: according to CAPSA half of all homicides in the U.S. are domestic violence related. In Utah, CAPSA relies on Symantec to keep their systems and their clients’ information secure, while the organization and its volunteers work tirelessly on their mission of providing safe, caring, and confidential shelter for victims of abuse, ultimately saving people’s lives.

        Learn more about some of the many nonprofits utilizing Symantec products through Symantec’s partnership with TechSoup:

Information for Replacement of Symantec SSL/TLS Certificates

        Mar 29 2018, 8:58 PM

        by connect

        Recently, Symantec announced that DigiCert, a leading provider of scalable identity and encryption solutions for the enterprise, will acquire Symantec's Website Security and related PKI solutions.  This announcement comes at a time when it’s absolutely critical that businesses are safeguarded from the advanced cyber security threats infiltrating the web. 

        Through this acquisition, customers will benefit from a company that is solely focused on delivering the leading identity and encryption solutions they require as well as an enhanced technology platform, unparalleled support and market-leading innovations.  Symantec Website Security and DigiCert share a strong commitment to customer service, and ensuring continuity for our customers and their businesses is a top priority.

        In response to browser concerns and in preparation for this transition, Symantec Website Security is focused on maintaining your business continuity and avoiding any compatibility issues with regards to the proposed schedule by Google Chrome and Mozilla.  As such, we are proactively reaching out to any customers who may be impacted.

        Google Proposal Background

        On July 27, 2017, Google posted a time-sensitive plan regarding Symantec-issued TLS server certificates. There are critical dates that will impact your operations:

        • Effective December 1, 2017, all Symantec SSL/TLS certificates must be issued from a new PKI infrastructure in order for such certificates to be trusted in Google Chrome.

        • On or around March 15, 2018 (Chrome 66 Beta), Google Chrome will show a warning for sites secured with SSL/TLS certificates issued before June 1, 2016. Your security is not at risk and data encryption will function normally, but your site visitors will be disrupted by a warning in Chrome.

        • On or around September 13, 2018 (Chrome 70 Beta), Google Chrome will show a warning for sites secured with SSL/TLS certificates issued by Symantec’s existing PKI infrastructure. Your security is not at risk and data encryption will function normally, but your site visitors will be disrupted by a warning in Chrome.

        On August 1, 2017, Mozilla stated that it intends to follow the timeline proposed by Google and Google reconfirmed the plan above in its most recent post on September 11, 2017.

        Action to Take Now

        With these dates in mind, we are evaluating all certificates to ensure that your business will remain uninterrupted and will comply with the browser requirements.  By December 1, 2017, our Certificate Authority partner, DigiCert, will begin to provide operations on our behalf that satisfy all of the requirements of Google and Mozilla.

        For those customers with certificates issued prior to June 1, 2016, we are recommending they be replaced by March 15, 2018. We have begun outreach to affected customers and will work directly with them to make the transition as seamless as possible.
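As an added example of the inventory step (this is not the KB article’s procedure and not Symantec tooling), the following shell script triages a directory of PEM certificates against the dates above. It reads each certificate’s notBefore and issuer with openssl and applies the rules stated in this post: certificates from the legacy Symantec PKI issued before June 1, 2016 fall under the Chrome 66 date, later certificates from that PKI fall under the Chrome 70 date, and anything issued on or after December 1, 2017 comes from the new infrastructure. Treating a Symantec-family brand name (Symantec, VeriSign, GeoTrust, Thawte, RapidSSL) in the issuer DN as the marker of the legacy PKI is my assumption for a first pass, not a rule from the post; confirm each verdict against the chain’s actual root before acting on it. GNU date is assumed for date parsing.

```shell
#!/bin/sh
# Added example (not Symantec's KB tooling): first-pass triage of PEM
# certificates against the Chrome 66 / Chrome 70 dates quoted in the post.
# Requires openssl and GNU date.
set -eu

# Dates taken from the post, as UTC epochs.
NEW_PKI_FROM=$(date -u -d "2017-12-01 00:00:00 UTC" +%s)     # new PKI in operation
CHROME66_CUTOFF=$(date -u -d "2016-06-01 00:00:00 UTC" +%s)  # issued before this: Chrome 66

# classify_fields <notBefore as openssl prints it> <issuer line as openssl prints it>
# Prints one of: replace-by-2018-03-15, replace-by-2018-09-13, not-affected.
# ASSUMPTION: a Symantec-family brand name in the issuer DN marks the legacy
# PKI. That is a heuristic; confirm against the chain's root before trusting
# "not-affected".
classify_fields() {
  issued=$(date -u -d "$1" +%s)
  case "$2" in
    *Symantec*|*VeriSign*|*GeoTrust*|*[Tt]hawte*|*RapidSSL*) legacy=1 ;;
    *) legacy=0 ;;
  esac
  if [ "$legacy" -eq 0 ] || [ "$issued" -ge "$NEW_PKI_FROM" ]; then
    echo not-affected
  elif [ "$issued" -lt "$CHROME66_CUTOFF" ]; then
    echo replace-by-2018-03-15
  else
    echo replace-by-2018-09-13
  fi
}

# classify_cert <file.pem>: read the two fields from the certificate itself.
classify_cert() {
  nb=$(openssl x509 -in "$1" -noout -startdate | sed 's/^notBefore=//')
  iss=$(openssl x509 -in "$1" -noout -issuer)
  classify_fields "$nb" "$iss"
}

# triage_dir <directory>: print "<verdict> <file>" for every parseable
# certificate in the directory; non-certificate .pem files are skipped.
triage_dir() {
  for f in "$1"/*.pem; do
    [ -f "$f" ] || continue
    openssl x509 -in "$f" -noout >/dev/null 2>&1 || continue
    echo "$(classify_cert "$f") $f"
  done
}

# Usage (path is an example): triage_dir /etc/ssl/certs/inventory
```

The issuer strings in the test below are constructed sample inputs in the format `openssl x509 -noout -issuer` prints. Note what the heuristic cannot see: a certificate whose issuer carries a Symantec-family brand but that was issued by DigiCert’s new infrastructure after December 1, 2017 is classified by date, which is why the notBefore test runs before the brand match matters.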

        For more information on how to find certificates purchased directly from Symantec that you can replace now, please refer to the appropriate KB Article:

        For customers who did not purchase certificates directly from Symantec, please work with your Symantec Website Security Partner to arrange replacement.

        For those customers who leverage Symantec Complete Website Security, Symantec Trust Center Enterprise, Thawte Certificate Center Enterprise, and GeoTrust Enterprise Security Center, DigiCert will be starting its pre-authentication efforts soon so that come December 1, 2017, any enterprise certificates (new as well as those needing replacement) will be instantly issued.  This pre-authentication effort will be done at no additional cost to you.

        Certificates That Should be Reissued Later

        Some customers will have certificates that should be reissued by DigiCert once it begins operations on our behalf. As we assess the implications of Google’s proposal and upcoming dates, we do not believe you need to take action on additional certificates until that time. DigiCert will begin to provide authentication services on Symantec’s behalf by December 1, 2017, which will provide time for you to reissue and prevent any potential Chrome disruption to your customers before September 2018.  DigiCert will be conducting the full validation at this stage, and upon replacement, certificates will enjoy their full validity within the guidelines of the CA/B Forum.

        We will provide a progress update as soon as we have more information, and specific recommendations on the best timing to reissue your remaining certificates.

        For customer support, please visit

        Thank you,

        Symantec Website Security

Why Business Needs the Global Goals

        Oct 20 2017, 8:47 PM

        by Tess Hetzel

        By Delphine Millot, MPA, VP and Head of International Public Affairs at Grayling

        As a member of the UN Global Compact, Symantec was included in a new report by DNV GL highlighting companies pioneering progress towards the Sustainable Development Goals (SDGs). Symantec was praised for its outstanding work towards gender equality (SDG #5) through unique efforts to recruit women to Symantec’s board of directors and women-specific education programs in cyber security.

        The clock started ticking 18 months ago to start delivering on the 2030 Global Sustainable Development Agenda. Efforts are based on the so-named SDGs, a list of 17 goals and 169 targets covering the economic, social and environmental dimensions of sustainable development embraced by the 193 member governments of the United Nations.

        Governments are calling out businesses directly to play an active role in achieving the SDGs, as their success relies heavily on action and collaboration by all actors. None of the SDGs will be met without increased efforts from all sectors, and the trend on several goals, such as climate change and inequality, is actually going backwards. This is where business can make an impact – as a capable actor with the resources needed to deliver the SDGs alongside governments.

        If the global goals need business, the opposite is also true: business needs the global goals. The Business & Sustainable Development Commission found that achieving the SDGs could be worth at least US$12 trillion a year in market value by 2030 and create 380 million jobs in the process. Recognizing and capitalizing on the connections between social, environmental and economic progress has the power to unleash the next wave of global growth and redefine capitalism.

        A strategic approach to Corporate responsibility (CR) allows a company like Symantec to be pro-active, develop consistent CR initiatives and build a business model that can be sustained and bring shareholder value over the long term. Such an integrated approach brings credibility and authenticity to a CR program, which in turn enhances transparency and facilitates stakeholders’ engagement.

        In this context, companies can use the SDGs as an overarching framework to shape, steer, communicate and report their CR strategies, goals and activities.

        Symantec and the Global Goals

        Management approach

        Symantec looks at the SDGs as an opportunity to align core business activities and innovation efforts with society's needs. From a business perspective, this allows Symantec to reap the early benefits of high-integrity branding with their consumers, investors, employees and the marketplace. The SDGs therefore offer Symantec a pathway to attract talent, unlock new markets and develop new products and services to empower in-need customers on issues such as cyber security.  

        Symantec is a great example of a company that has integrated sustainable development into every aspect of its business. Symantec’s approach to corporate responsibility is set by the highest levels of management, who receive regular progress briefings on the company’s programs, including quarterly updates on diversity, ethics, environmental performance and community investment.

        Symantec also defined specific, measurable and time-bound key performance indicators (KPIs) as the basis for driving, monitoring, and communicating progress on the SDGs. An example is Symantec's commitment to increasing the diversity of its workforce at all levels of the company by 15% by 2020.

        Finally, Symantec reports annually on their corporate responsibility, including diversity metrics, goals and efforts. The CR reports are used as a tool to stimulate accountability and trust through integrated performance management.

        Progress on the SDGs

        SDG #4: Quality Education

        SDG #4 is focused on providing inclusive, equitable, and quality education. The talent gap in cyber security is expected to grow to a staggering 1.5 million by 2020 and there is a vibrant community of underrepresented young adults - including people of color, women, and veterans - that could fill at least 60,000 of these positions if properly trained. Symantec has invested more than six million dollars to engage and educate 745,446 students in STEM (Science, Technology, Engineering and Mathematics) education. Through education, mentorship, volunteering and partnering with leading STEM advocates, Symantec hopes to change the status quo, close the gender and diversity gap in STEM and build a robust talent pipeline. The Symantec Cyber Career Connection (Symantec C3) program was designed to do just this, providing a pathway for underrepresented young adults and veterans to receive targeted education, training, and certifications that position them to fill in-demand cyber security jobs and enter long-term careers.

        SDG #5: Gender Equality

        Around the world, women are underrepresented in the field of technology. As a result, women are missing out on this promising career path, and the field is missing out on their contributions. Symantec is committed to gender equality and the advancement of women in technology. To this end, they have created a goal to increase the percentage of women globally by 2020 and a sub-goal to increase the percentage of women in leadership (Director-level and above) to 30% by 2020.

        Symantec is a founding signatory of the Women’s Empowerment Principles (WEP), a partnership initiative of UN Women and the UN Global Compact (UNGC), globally considered the recognized principles and standards for women’s equality. And, through partners like the Anita Borg Institute and TechWomen, Symantec provides standout women across the world with mentorship, professional training and networking to prepare them for a promising future in cyber security.

        SDG #13: Climate Action

        Planetary warming continued in 2016, setting a new record of about 1.1 degrees Centigrade above the preindustrial period, according to the World Meteorological Organization. Stronger efforts are needed to build resilience and limit climate-related hazards and natural disasters. Symantec integrates environmental stewardship into their operational, product, and supply chain strategies. A sharp focus on environmental performance supports their business objectives and, at the same time, contributes to the urgent action needed to combat global climate change. Symantec took an important step regarding its energy and greenhouse gas (GHG) reductions by establishing a new goal to reduce the company’s GHG emissions by 30 percent by 2025. 

        Sustaining efforts over the long run

        The key to achieving the Sustainable Development Goals will be sustaining efforts over the long run – and corporations, governments, and nonprofits must all work together to achieve real impact. A business survey undertaken in May 2017 shows that business expects the United Nations and governments to incentivize companies to drive positive change. One incentive, publicly recognizing individual companies’ efforts, is important in two different ways. First, this positive recognition rewards companies’ innovative efforts and makes their stakeholders aware of these efforts. Perhaps even more importantly, this public reporting also disseminates best practices across a wide range of stakeholders. This sharing of best practices, and the ways in which corporations, governments and nonprofits are finding ways to lead in their own ways, is critical to making sure we deliver on the Global Goals by the 2030 deadline and beyond.

        Currently a Vice President at leading communications agency Grayling, Delphine Millot has twelve years of international experience in corporate reputation and public policy. Based in New York City, she heads Grayling’s International Public Affairs Practice, supporting a wide range of clients on their global communications strategies and advocacy campaigns. Before re-joining Grayling in 2015, Delphine led the business expansion in Africa, the Middle East and Europe of a US trading firm, before joining a food start-up working with international hotel groups, restaurant chains and universities to lead the way towards health and environmental stewardship. Delphine completed her Master of Public Administration (MPA) at Columbia University’s School of International and Public Affairs, with a specialization in sustainability management.

        • Products
        • DigiCert Code Signing
        • Corporate Responsibility
        • Code Signing Certificates for Microsoft Office and VBA
      • Certificate Authority Authorization Checking: What is it, and why should you care?

        Aug 30 2017, 6:12 PM

        by Lee-Lin Thye 0

        The Public Key Infrastructure (PKI) ecosystem relies on root certificates issued by various certification authorities (CAs) like Symantec. This is what browsers use to decide which websites can be trusted, and which ones are not trusted.

        Up to now, any CA can issue a TLS certificate for any domain. That’s how the system works, and it’s good in the sense that it gives website owners and operators options to change CAs at their discretion. The downside to this is that certificate issuance can happen without the knowledge of website operators, either by mistake or intentionally by malicious actors.

        A number of technologies have been created in an attempt to highlight instances of “unknown” issuance, such as Certificate Transparency. These have been effective in making the internet a safer, more trustworthy place, but they are reactive measures – they only allow website operators to address the issue after it has happened.

        But is it possible to prevent certificates from being mistakenly or inappropriately issued? Yes. Enter: Certification Authority Authorization (CAA).

        CAA prevents unknown certificate issuance by:

        1. Allowing domain owners to specify which CAs are authorized to issue certificates for their domains; and

        2. Giving CAs the ability to check this authorization before issuing a certificate.

        In this article, we’ll explain how CAA works, and why making CAA checking mandatory is a good move for both customers and CAs.

        What is Certification Authority Authorization?

        A Certification Authority Authorization (CAA) record is a DNS Resource Record which allows a domain owner to specify which CAs are authorized to issue certificates for their domain(s) and, by implication, which aren’t.

        The idea is that a CA will check the CAA record(s) for a domain before issuing a certificate. If it finds that a domain has no CAA record, then it’s free to issue a certificate for it if all other authentication checks succeed. However, if it does encounter one or more CAA records, then the CA can only issue a certificate if it’s named in one of the records, indicating that it is authorized to issue a certificate for that domain. The whole process is designed to stop CAs from issuing certificates in response to requests from unauthorized parties or bad actors.

        Sounds great. Why isn’t everyone doing this?

        Symantec has been checking CAA records for years, but it’s not a common practice. There are two reasons why CAA checking isn’t widely practiced:

        1. Many domains don’t have a CAA Resource Record; and

        2. Checking CAA records is not mandatory.

        Because it may take some work to create a CAA record, it’s a matter of customers or website operators consciously opting-in, not opting-out. Many domain owners use a DNS hosting provider and CAA is not yet supported in some DNS implementations.

        This is why CAA records are expected to be used mostly by high-value domains. These enterprises keep CAA records for their domains because they limit inappropriate (or malicious) certificate requests and make it easier to enforce company policies, i.e., only using a particular set of CAs.

        The limitations of CAA checking

        Of course, CAA checking has its limitations.

        First, a newly-issued CAA record does not invalidate any previously-issued certificates that may have been issued by a different CA than the one named by the domain owner. Second, it doesn’t flag whether a certificate presented by a web server is a legitimate certificate for that domain.

        Furthermore, in order for CAA checking to be effective, all CAs need to be doing it; it doesn’t work if only one or two CAs are checking CAA records as a matter of process. CAA checking must be widely adopted if it is to serve its purpose, but the good news is that more than ninety percent of CAs (who are members of the CA/Browser Forum) are in favor of it.

        The times are changing: CAA checking will become mandatory

        In February 2017, the CA/Browser Forum passed a ballot (on which Symantec voted in favor) requiring all CAs (even those who aren’t a member of the Forum) to check for a CAA record as part of the certificate issuance process for each domain. In accordance with RFC 6844, CAs can no longer issue a certificate for a domain unless either:

        1. The CA does not find any CAA records for the domain; or

        2. The certificate request is consistent with the applicable CAA Resource Record(s).

        The rule is effective as of 8 September 2017. You can read the ballot in full here.
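As an added example (not code from the original post), the following Python models the check a CA performs under the two rules just listed and the record semantics described above: climb the DNS tree to find the relevant CAA RRset, then apply the `issue`/`issuewild` properties and the issuer-critical flag from RFC 6844. The zone data and the CA identifiers (`ca-one.example`, `ca-two.example`) are constructed in memory; a real CA resolves these records through DNS and also follows CNAME aliases, which this model omits.

```python
"""Model of the CAA check a CA performs before issuance (RFC 6844).

Added example, not code from the original post. The DNS data below is a
constructed in-memory zone; a real CA queries DNS (validating DNSSEC where
available) and follows CNAME aliases, which this simplified model omits.
"""
from dataclasses import dataclass

CRITICAL = 128  # issuer-critical bit in the CAA flags octet

# Property tags this model understands; any other tag marked critical blocks issuance.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Constructed sample zone data: DNS name -> CAA RRset published at that name.
SAMPLE_DNS = {
    "example.com": [
        CAARecord(0, "issue", "ca-one.example"),
        CAARecord(0, "issuewild", ";"),               # ';' = no CA may issue wildcards
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "example.net": [
        CAARecord(0, "issue", "ca-one.example; account=123"),  # value with parameters
    ],
    "legacy.example.net": [
        CAARecord(CRITICAL, "future-tag", "x"),       # unrecognised critical property
    ],
}


def relevant_caa_rrset(dns, fqdn):
    """RFC 6844 tree climbing: the CAA RRset at fqdn or, if it has none, the
    RRset of the closest ancestor that publishes one; [] if nobody does."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = dns.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []


def issuer_domain(value):
    """Strip the optional ';'-separated parameters from an issue/issuewild value."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits_issuance(dns, fqdn, ca_domain, wildcard=False):
    """Decide whether ca_domain may issue for fqdn (or *.fqdn when wildcard).
    Returns (allowed, reason) so the reason can be logged with the decision."""
    rrset = relevant_caa_rrset(dns, fqdn)
    if not rrset:
        return True, "no CAA records in the tree; issuance is unrestricted"
    for rr in rrset:
        if rr.flags & CRITICAL and rr.tag.lower() not in KNOWN_TAGS:
            return False, f"unrecognised critical property '{rr.tag}'"
    tags = {rr.tag.lower() for rr in rrset}
    # For wildcard requests issuewild governs when present; otherwise issue applies.
    governing = "issuewild" if wildcard and "issuewild" in tags else "issue"
    if governing not in tags:
        return True, f"no '{governing}' property present; issuance is unrestricted"
    for rr in rrset:
        if rr.tag.lower() == governing and issuer_domain(rr.value) == ca_domain.lower():
            return True, f"authorized by '{governing}' record"
    return False, f"'{governing}' records do not name {ca_domain}"


if __name__ == "__main__":
    for name, ca, wild in [("www.example.com", "ca-one.example", False),
                           ("www.example.com", "ca-two.example", False),
                           ("example.com", "ca-one.example", True),
                           ("legacy.example.net", "ca-one.example", False)]:
        print(name, ca, "wildcard" if wild else "", caa_permits_issuance(SAMPLE_DNS, name, ca, wild))
```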

        A good outcome for all companies

        Mandatory CAA record checking requires CAs to abide by the rules set out in specific CAA records, giving domain owners more control over certificate issuance. This makes it easier for companies (especially larger ones) to enforce a certificate issuance policy across business units. With CAA records applicable to every domain, a company can specify a particular set of CAs, knowing no other CA can issue a certificate for its domains. This will help reduce the risk of certificate issuance by unauthorized CAs and help create a more secure and transparent online ecosystem.

        For more information on CAA with Symantec certificates, go to the Symantec Knowledge Center.

        • Products
        • Certificate Authority
        • TLS
        • Thought Leadership
        • CA
        • Symantec Website Security
        • SSL
        • DigiCert Code Signing
        • certificates
      • A New Chapter: DigiCert to Acquire Symantec’s Website Security and Related PKI Solutions

        Mar 29 2018, 8:53 PM

        by Roxane Divol 0

        Today, Symantec announced in a press release an agreement under which DigiCert will acquire Symantec’s Website Security and related PKI solutions. At a time when it’s absolutely critical that businesses are safeguarded from the advanced cyber security threats infiltrating the web, through this acquisition customers will benefit from a company that is solely focused on delivering the leading identity and encryption solutions they require.

        DigiCert is a leading provider of scalable identity and encryption solutions for the enterprise. The fast-growing company currently has a number of high-profile enterprise and IoT customers. DigiCert enjoys a strong reputation and high customer loyalty with a focus on industry-leading customer support, innovative market solutions, and a meaningful contribution to improving industry best practices. DigiCert has earned several awards for its innovation and growth strategies, and this summer was named one of Computerworld’s Top 100 places to work in IT.

        The addition of Symantec’s website security and related PKI solutions to DigiCert’s offerings will provide customers with an enhanced technology platform, unparalleled support and market-leading innovations. DigiCert will have incredible talent and experience to lead the next generation of global website security and will gain capabilities to take advantage of opportunities in IoT and bring new approaches to the SSL market.

        Symantec Website Security and DigiCert share a strong commitment to customer service, and ensuring continuity for our customers and their businesses is a top priority. Once the transaction is complete, we will work to transition our customers to a new platform that meets all industry standards and browser requirements and provides the foundation for future innovation in the CA space.

        Importantly, we feel confident that this agreement will satisfy the needs of the browser community. DigiCert is communicating this deal and its intentions to the browser community and will continue to work closely with them during the period leading up to our closing the transaction. DigiCert appreciates and shares the browsers’ commitment to engendering trust in digital certificates and protecting all users.

        Last but not least, I’d be remiss to not personally thank each and every one of the hard-working and dedicated employees of the Website Security team. We are tremendously excited about the opportunities ahead and deeply committed to the success of this transition for the Website Security business, its employees, and our customers.

        Best Regards,

        Roxane Divol

        Executive Vice President & GM, Symantec Website Security 

        • Products
        • DigiCert Code Signing
        • DigiCert Complete Website Security
        • DigiCert SSL TLS Certificates
        • Products and Solutions
      • Threat Isolation: Why You Can Now Browse Without Fear

        Oct 20 2017, 8:33 PM

        by Mark Urban 1

        The battle between malicious hackers and enterprise security practitioners has become an ever escalating arms race.

        Organizations would invest in anti-virus, anti-spam, and host intrusion prevention services to bolster their security. And it would work - for a time. Attackers reacted by upping their game and started to make progress again. Then, advanced malware sandboxes came along to catch more sophisticated attacks.

        Before long, however, bad actors found new ways to slip their malware past even the most sophisticated network defenses, confounding beleaguered defenders with advanced persistent attacks, spear phishing and other exploits.

        And now cybercriminals have started to use encrypted channels, multi-vector and multi-phased attacks.

        When enterprise security practitioners use forensic tools to conduct breach investigations, they often trace breach sources back to employees who clicked on very clever phishing emails or were led to a risky website that quickly downloads some zero-day malicious content to their devices. The bad guys have become experts at using techniques like social engineering to trick employees into making security mistakes. It can be subtle – a new, clever web site with a bit of bad JavaScript here, a malicious style sheet there, or maybe a document carrying just the last fragment of a malicious payload that activates after a day or two.

        The arms race script will repeat and change in ways we can’t know today. But we’re looking to drive innovation in a different way – for the good guys.

        Turning Point in the Malware Battle

        The advent of web and email isolation technology provides enterprises with a powerful tool to seal off their networks from infection, approaching security in a dramatically different way.

        The technology works by positioning itself between the users and the internet so that potentially malicious content gets executed in a secure, containerized environment, “isolating” the user from all code and content, good or bad. It works in the background, so there’s no impact on user experience. They can interact with the website or the email content as if the isolation process was not even occurring.

        Early adopters in the healthcare, finance, government and telecommunications sectors are already deploying the technology to combat malware-laden threats arriving over the internet. But it is still early in what’s shaping up to be a major transition in the way security organizations fight malware. Indeed, Gartner, which included web isolation as one of the 10 most important technologies in the information security field, expects about 50% of enterprises will adopt isolation technology by 2021.

        Since most attacks begin with malware delivered either through email, URL links or malicious websites carried over the internet, the very act of moving the browsing process directly from the end-user’s device and isolating it in a network container eliminates the threat of a potential infection.

        “This is a fundamentally different approach where malware can't get to the users any longer,” said Mark Urban, Symantec’s VP of Product Strategy and Operations. “I think this can be a game-changing technology.”

        It’s also why Symantec last week announced an agreement to acquire Israel-based Fireglass, whose leading edge technology creates virtualized websites that let users browse content without having to fear that viruses might infect their devices and corporate networks.

        Fireglass's isolation technology deploys virtual containers which process web browsing sessions remotely. It delivers the end user a “visual stream” that is completely safe from malware. By placing traffic in a cloud or on-prem isolation container, no ransomware or other malicious content and malware can wind up infecting endpoints or systems.

        “There’s no ability for code or content to reach users,” Urban noted. “It’s just a visual stream. Users can see it, click it, and interact with it just like normal. But nothing actually gets downloaded into their computer or executed into a browser except the visual image, which is harmless. All the HTML, Java, CSS – all the code – gets executed in a safe virtual container.  In some ways, it’s the ultimate protection because bad stuff can’t reach the end user.”

        The computing architecture in web and email isolation serves as a proxy that essentially isolates the users and devices inside the enterprise and carefully manages their connections to the outside world. It applies different technologies that analyze information and content to ensure that malware can’t get into the network.

        “There is no silver bullet. But having a multi-layer approach to detection – with anti-virus scanning, advanced malware sandboxes, and behavioral analytics – is critically important,” Urban said. “And isolation technology adds the latest high-impact capabilities to the mix, allowing employees to interact with higher-risk sites and emails in a safe and secure manner.”

        Isolation offers organizations a way to strike a balance between IT’s desire to keep their computing environment safe and employees, who need to access information over the public internet. Millions of hosts - domains, subdomains, or IP addresses - pop up every day and many have life spans of less than 24 hours. Many organizations choose to set their Secure Web Gateways to block users from going to types of uncategorized sites because of the risk they represent, even though many are legitimate destinations for business purposes.

        “The age-old challenge for security organizations is to find the right balance between keeping users happy and keeping their computing environment safe,” according to Urban.

        “In a perfect world, these organizations would block everything that’s even a little bit risky, and users would be OK.” he continued, “but in the real world, users do complain and security has to strike a balance between risk and access.” With web and email isolation, Urban added, users can get to the information they need and the business is protected from any threats lurking in the shadows. “The isolation path gives them a lot more flexibility,” he said.

        What Does Fireglass Do?

        The core technology can be delivered on-premises or as a cloud service. It intercepts and executes web requests in a remote secured environment and will offer users safe access to uncategorized websites, without risk of malware infection, since each website interaction is isolated from the network. The same isolation benefits hold true for files delivered from the web - users access files through isolation instead of downloading them to their machines.

        Businesses can then let their users interact with these sites and documents to accomplish their tasks, knowing that any malware introduced via these sessions will remain isolated from their network and not infect their environment.

        The upshot: A more open environment, happier users and better threat prevention. Now that’s a winning combination.

        • Products
        • DigiCert Complete Website Security
        • Thought Leadership
        • Symantec Website Security
      • Integrations, Integrations, Integrations…

        Jul 20 2017, 7:12 PM

        by peter_doggart 3

        In June 2017, we officially announced the new Symantec Technology Integration Partner Program (#TIPP), bringing together the Blue Coat and Symantec worlds and creating the largest and broadest technology partner eco-system in cyber security.

        In this blog, I wanted to share what this means for our customers as well as our technology partners and showcase a new tool we call the Integrated Cyber Defense Map - Download the Map

        Defending ourselves from cyber threats is hard. If you look at a typical enterprise, they will have acquired around 30-60 security vendors over the years, but unfortunately maybe only half of those would have been deployed. Why? Cyber-security requires discipline, a long-term viewpoint and for all these systems to work together to make operational sense. And that simply hasn’t happened. It’s a shame that many of these systems are just left on the shelf and not fully utilized.

        One can argue whether deploying 10 vendors is better than 60, but in any case, it is critical that cyber security systems be able to share data and context about what they know, what has been blocked and why, what they have detected as suspicious and so on. The Symantec Integrated Cyber Defense Platform together with TIPP sets up this framework.

        To help our customers understand how the Integrated Cyber Defense platform can help, we have created an interactive map of all internal and external partner technology integrations.


        This showcases many hundreds of integrations across our entire product portfolio and how they map to our own 24 product areas as well as our 23 partner solution categories and our 100+ TIPP partners.

        If you are a Symantec Endpoint or ProxySG customer, simply mouse over that product to see all the current active partner solutions and then drill down to learn more. Alternatively, if you have deployed deception technologies or another EDR solution, simply mouse over and quickly find which Symantec products work together. Access the Map Here.

        We have a very strong pipeline of additional integrations for 2017 so this map will be updated frequently.

        For our technology partners, we have also worked hard to make this the best program in the industry, with access to a rich set of APIs, product support, demo licensing for engineering and certification, documentation, as well as access to our community portal, Symantec Connect, with direct access to over 700,000 users.

        Any customers and partners wanting to learn more about TIPP, click here.
