Symantec Endpoint Protection Unrivaled Security

Presentation on theme: "Symantec Endpoint Protection Unrivaled Security"— Presentation transcript:

1 Symantec Endpoint Protection 12.1 Unrivaled Security
Symantec Endpoint Protection Unrivaled Security. Blazing Performance. Built for Virtual Environments. May 2011

2 Disclaimer “This information is about pre-release software. Any unreleased update to the product or other planned modification is subject to ongoing evaluation by Symantec and therefore subject to change. This information is provided without warranty of any kind, express or implied. Customers who purchase Symantec products should make their purchase decision based upon features that are currently available.”

3 Symantec Endpoint Protection Driven by Key IT Security Trends
Focus attention on rapidly mutating malware – and the change from one virus infecting millions of users to one trojan infecting one user – and never being seen again. Also emphasize virtualization – the fact that at many of our large accounts, 70% or more of new server deployments are virtualized. We are getting increasing calls for support for securing virtual desktops as well.
- Targeted & Rapidly Mutating Attacks
- Virtualization has become the rule
- Social Networks and socially engineered attacks
- Increased Cost of Incidents
Symantec Endpoint Protection 12.1

4 Jan, 2007 - 250,000 viruses Dec, 2010 – over 288 million
We expect to see over 300 million unique malware samples this year. Most are minor variants on existing malware – even if we just look at signatures the numbers have risen to over 12 million signatures – about 70% were created in the past year. In a few years we will be talking about billions of viruses. Though these numbers seem so large as to be meaningless, they have important implications in terms of both security and performance. Symantec Endpoint Protection 12.1

5 Malware Authors Have Switched Tactics
75% of malware is “rapidly mutating” In the past, the goal of malware authors was to create an “über” worm – one piece of code that would infect millions of users over the course of months or weeks or even in just a few hours. This model hasn’t gone away – we still have mass mailing worms and viruses spreading through all kinds of devices. But the new model is one of micro distribution – trojans custom made for a few or even just for a single user. In today’s model, users are lured to an infected web site, where an attack “kit” creates a custom piece of malware for each visitor. The malware may simply be encoded differently or the actual code may vary, the point is that to a signature scanner - traditional antivirus technology – it looks like a new threat. The point is that with rapidly mutating threats, reactive approaches often are ineffective. From: A mass distribution – one worm hits millions of PCs Storm made its way onto millions of machines across the globe To: A micro distribution model. Hacked web site builds a trojan for each visitor The average Harakit variant is distributed to 1.6 users! Symantec Endpoint Protection 12.1

6 Insight spots rapidly changing & mutated files
Only malware mutates. If we track every file on the internet . . . new or mutated files will stick out. Insight spots rapidly changing & mutated files.
How many copies of this file exist? How new is this program? How often has this file been downloaded? Is it signed? How many people are using it? Where is it from? Does it have a security rating? Have other users reported infections? Is the source associated with infections? How will this file behave if executed? What rights are required? Is the file associated with files that are linked to infections? Does the file look similar to malware? How old is the file? Is the source associated with SPAM? Who created it? Is the source associated with many new files? Who owns it? What does it do?
The rise of rapidly mutating threats led us to think: only malware mutates. Most applications don’t change very often. So if we can identify that something is new, that it just changed, it gives us a big hint as to how secure it is. Before Symantec Endpoint Protection scans a file, before it is unpacked, decompiled or decompressed, Symantec Endpoint Protection asks key questions: How old is the file? How many copies of the file have we seen across the internet? Is the file signed? How many people are using the file? Is the file or its source associated with infections? Insight provides the context that explains the content.

7 How Symantec™ Insight Works
1 Build a collection network – 175 million PCs
2 Rate nearly every file on the internet – 2.5 billion files
3 Look for associations
4 Check the DB during scans
5 Provide actionable data
Prevalence, Age, Source, Behavior, Associations. Is it new? Bad reputation?
How does it work?
Step 1: Build a collection network – a hundred million computers will do.
Step 2: Rate every executable file on every client – so you have a rating for nearly every potential threat on the internet. Our Sonar technology looks at hundreds of attributes for every potentially infectious file it encounters, building a security rating around the file’s actual behaviors.
Step 3: Add data – at internet speed – we add about 31 million new files per week. This is a good time to look for subtle associations between files, infections and sources.
Step 4: Heat and serve, well, at least serve the ratings that is, to every client and scanner so that they don’t have to scan those files all over again. Insight is currently serving over 60 billion ratings every month.
Step 5: Provide actionable data – to both users and administrators.

8 Symantec Endpoint Protection Family
Small Business Edition: Ideal for less than 100 users; Maintain your own infrastructure; All data stored on premise.
Endpoint Protection.Cloud: Hosted management; Monthly subscription; No need to manage hardware.
Symantec Endpoint Protection: Scales from hundreds to thousands of users; Powerful central management; Ideal for virtual environments.

9 Symantec Endpoint Protection SBE
Fastest, Most Effective, Simple Great Performance Powerful Protection Intrusion Prevention Firewall Antispyware Antivirus Symantec Endpoint Protection 12.1 9

10 Symantec Endpoint Protection
Built for Virtualization Network Access Control Single Agent, Single Console Device and Application Control Reduced Cost, Complexity & Risk Exposure Increased Protection, Control & Manageability Version 12.1 Intrusion Prevention Firewall Antispyware Symantec Endpoint Protection Symantec Network Access Control Antivirus Symantec Endpoint Protection 12.1 10

11 Built for Virtual Environments (SEP only)
What’s New Unrivaled Security Built for Virtual Environments (SEP only) Blazing Performance Powered by Insight Real Time Behavior Monitoring with SONAR Up to 70% reduction in scan overhead Smarter Updates Faster Management Tested and optimized for virtual environments Higher VM densities Symantec Endpoint Protection 12.1 11

12 The Security Stack – for 32 & 64 bit systems
IPS & Browser Protection, Firewall, Network & Host IPS:
- Monitors vulnerabilities
- Monitors traffic
- Looks for system changes
- Stops stealth installs and drive by downloads
- Focuses on the vulnerabilities, not the exploit
- Improved firewall supports IPv6, enforces policies
The stack: Network IPS & Browser Protect & FW; Insight Lookup; Heuristics & Signature Scan; Real time behavioral SONAR.
Before a file lands on a system, Symantec Endpoint Protection is scanning network traffic for patterns of malicious activity. Its “generic exploit blocking” looks for attempts to target known vulnerabilities – even when the specific exploit is unknown. That same network IPS looks at patterns of traffic exiting the system for signs of infectious behavior. Symantec’s “Browser Protection” looks at threats aimed specifically at your browser.

13 Insight – Provides Context
- Reputation on 2.5 Billion files
- Adding 31 million per week
- Identifies new and mutating files
- Feeds reputation to our other security engines
- Only system of its kind
The stack: Network IPS & Browser Protect; Insight; Heuristics & Signature Scan; Real time behavioral SONAR.
Before being scanned, each new file’s reputation is checked in our Insight database. We track over 2.5 billion files – and add new files at the rate of 31 million new files each month. Key attributes such as the file source and its security rating are tracked as well. Each file is given a “hash” – change anything in the file and the hash no longer matches.

14 Network IPS & Browser Protect
File Scanning
- Cloud and Local Signatures
- New, Improved update mechanism
- Most accurate heuristics on the planet. Uses Insight to prevent false positives
The stack: Network IPS & Browser Protect; Insight; Heuristics & Signature Scan; Real time behavioral SONAR.
After the Insight check, if necessary, the file can be scanned with our heuristic and signature scan engines. The file’s reputation allows file scanning to be conducted with increased confidence.

15 SONAR – Completes the Protection Stack
Monitors processes and threads as they execute Rates behaviors Feeds Insight Network IPS & Browser Protect Insight Lookup File Based Protection – Sigs/Heuristics Real time behavioral SONAR Symantec’s new SONAR 3 runs in real time – monitoring file activity in real time for signs of malicious activity. Only hybrid behavioral- reputation engine on the planet Monitors 400 different application behaviors Selective sandbox (ex Adobe) Symantec Endpoint Protection 12.1

16 Faster Scans
On a typical system, 70% of active applications can be skipped!
Traditional Scanning: Has to scan every file.
Insight - Optimized Scanning: Skips any file we are sure is good, leading to much faster scan times.

17 The Results are In: Symantec Endpoint Protection:
Detected 25% more threats than any other vendor tested. Detected 6x as many threats as Microsoft. Removed more threats than any other vendor tested, including 36% more than McAfee and more than 4x the number as Trend Micro. Scanned faster, used less memory and outperformed all products in its class. Scanned 3.5x as fast as McAfee and used 66% less memory than Microsoft.

18 Policies based on Risk
Finance Dept: Only software with at least 10,000 users over 2 months old.
Help Desk: Can install medium-reputation software with at least 100 other users.
Developers: No restrictions but machines must comply with access control policies.
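The per-group policies on this slide, combined with the file hash lookup described on slide 13, as an added Python sketch (not Symantec code and not part of the presentation). The use of SHA-256, the three-level rating scale, the reading of "2 months" as 60 days, and all sample files and reputation records are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional, Tuple

# Hypothetical rating scale; the slides only mention "medium-reputation".
RATING_ORDER = {"bad": 0, "medium": 1, "good": 2}


@dataclass(frozen=True)
class Reputation:
    users: int        # prevalence: how many users have this exact file
    first_seen: date  # used to compute the file's age
    rating: str       # key into RATING_ORDER


@dataclass(frozen=True)
class Policy:
    unrestricted: bool = False
    min_users: int = 0
    min_age_days: int = 0
    min_rating: Optional[str] = None


# Thresholds taken from the slide; "2 months" is approximated as 60 days.
POLICIES = {
    "finance": Policy(min_users=10_000, min_age_days=60),
    "help_desk": Policy(min_users=100, min_rating="medium"),
    "developers": Policy(unrestricted=True),
}


def file_id(data: bytes) -> str:
    """Content hash used as the lookup key (SHA-256 is an assumption)."""
    return hashlib.sha256(data).hexdigest()


def decide(group: str, data: bytes, db: Dict[str, Reputation],
           today: date) -> Tuple[bool, str]:
    """Return (allowed, reason) for installing `data` under a group's policy."""
    policy = POLICIES[group]
    if policy.unrestricted:
        return True, "no reputation restrictions for this group"
    rep = db.get(file_id(data))
    if rep is None:
        # A new or mutated file has a hash nobody has seen: no prevalence,
        # no age, no rating, so it fails every threshold-based policy.
        return False, "unknown file: no reputation record for this hash"
    if rep.users < policy.min_users:
        return False, f"prevalence {rep.users} below {policy.min_users}"
    age_days = (today - rep.first_seen).days
    if age_days < policy.min_age_days:
        return False, f"age {age_days}d below {policy.min_age_days}d"
    if (policy.min_rating is not None
            and RATING_ORDER[rep.rating] < RATING_ORDER[policy.min_rating]):
        return False, f"rating {rep.rating} below {policy.min_rating}"
    return True, "meets policy"


# Constructed sample data (not real files or real reputation records).
INSTALLER = b"constructed sample: widely used installer, build 1000"
NICHE_TOOL = b"constructed sample: niche admin tool"
MUTATED = INSTALLER[:-1] + b"1"  # one byte changed, so the hash changes
TODAY = date(2011, 5, 15)
REPUTATION_DB = {
    file_id(INSTALLER): Reputation(250_000, date(2010, 11, 1), "good"),
    file_id(NICHE_TOOL): Reputation(450, date(2011, 4, 20), "medium"),
}

if __name__ == "__main__":
    samples = {"installer": INSTALLER, "niche tool": NICHE_TOOL,
               "mutated installer": MUTATED}
    for group in POLICIES:
        for name, blob in samples.items():
            allowed, reason = decide(group, blob, REPUTATION_DB, TODAY)
            verdict = "ALLOW" if allowed else "BLOCK"
            print(f"{group:<11} {name:<18} {verdict}  ({reason})")
```

The one-byte variant of the installer is blocked for Finance and Help Desk because its hash has no reputation record, which is the behaviour the deck relies on for rapidly mutating files.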

19 Built for Virtual Environments

20 Built for Virtual Environments
Optimized for VMware, Citrix and Microsoft virtual environments Easy to manage physical and virtual clients Maximizes performance and density without sacrificing security Best in class performance and security Hypervisor Scan Cache Symantec Endpoint Protection 12.1

21 Virtual Insight Features
Enhances Management and Reduces Scan Impact by ~90%
Virtual Image Exception: Used on cloned images; Excludes all files; Reduces scan impact.
Shared Insight Cache: Clients share scan results; Scan files once; Leverages Insight.
Virtual Client Tagging: Identifies hypervisor; Set group specific policy; Search for virtual clients.
Resource Leveling: Used for all virtual systems; Reduce overlap of events; Scans and def updates.

22 IT Analytics - Symantec Endpoint Protection
Ad-hoc Data Mining – Pivot Tables: Data from multiple Symantec Endpoint Protection Servers; Break down by virus occurrences, computer details, history of virus definition distribution.
Charts, Reports and Trend Analysis: Alert & risk categorization trends over time; Monitor trends of threats & infections detected by scans.
Dashboards: Overview of clients by version; Summary of threat categorization and action taken for a period of time; Summary of Virus and IPS signature distribution.

23 Symantec Protection Center 2.0
SEP Reporting: Tactical View of frontline endpoint defenses. Current view of events and the state of SEP clients.
IT Analytics: Strategic View over time of endpoint defenses. Trend analysis and data mining via a consolidated view of multiple Endpoint Protection Managers.
Symantec Protection Center 2.0: Single sign on management as well as cross-product reporting and dashboards of Symantec Endpoint Protection, Messaging Gateway, SNAC, PGP Universal Server.
SEP provides over 50 powerful reports. IT Analytics is ideal for large enterprises needing multi-SEPM reporting as well as a Strategic View over time of endpoint defenses. It also provides trend analysis and data mining via a consolidated view of multiple Endpoint Protection Managers.
Symantec Protection Center is the central management console for Symantec’s security portfolio.
- It is a free product for existing Symantec customers
- Delivered as either a virtual or soft appliance that does not replace your customer’s existing management console (for example SEPM, DLP Enforce or PGP Universal)
- Three levels of integration: Single Sign on, Data collection and action integration
- SPC 1.0 only included Single Sign On
- Symantec GIN Integration: Symantec GIN = Real time Deepsight data feeds
- Basic event correlation: the process of collecting, normalizing, and performing data mapping across multiple sources so as to create context around an event
- Cross Product Reporting: Across three categories of reports; malware, , assets
- Dashboard Notifications: Role based prioritization list of security, infrastructure and global intelligence events (can see the list in the top screen shot image)
- Prebuilt workflow templates: Symantec Endpoint Protection - Version 2.0 only Symantec Endpoint Protection is supported. As new products are compatible, and workflow templates are developed, we can deliver them to customers automatically in SPC through Live Update.
The Prebuilt Workflow Templates include:
- Quarantine Endpoint
- Move an asset to a different SEP policy group
- Update the malware definitions
- Run a system scan
Open API: 3rd Party Integration

24 The Symantec Endpoint Protection Family
Feature SEP SBE 12.1 SEP.Cloud SEP 12.1 Seats 5-99 seats 100+ seats Antivirus/Antispyware Desktop Firewall Intrusion Detection/Prevention Insight / SONAR Protection for Mac OS X Protection for Linux Device and Application Control Network Access Control Self-Enforcement ready Symantec Hosted Infrastructure Built for Virtual Environments Symantec Endpoint Protection 12.1

25 Symantec Endpoint Protection 12 Powered by Insight
Unrivaled Security Blazing Performance Built for Virtual Environments

26 Symantec Endpoint Protection 12.1

27 Appendix: Symantec Network Access Control 12.1

28 Symantec Network Access Control
Discover, Enforce, Remediate, Monitor
Checks adherence to endpoint security policies:
- Antivirus installed and current?
- Firewall installed and running?
- Required patches and service packs?
- Required configuration?
Fixes configuration problems. Controls guest access.
NAC is a process that creates a much more secure network.
What it is, high level view of how it works, key functions of NAC, why it is important. How does this endpoint compliance process work? [Build Discover] The first step in this process is for the access point to discover the device attempting access. [Build Enforce] From there, the solution can apply an integrity check to determine if the endpoint is compliant with current security policy. [Build Remediate] If out of policy, the system can be quarantined, remediated or given federated access to the LAN. [Build Monitor] Of course, it is also important to have ongoing checks to ensure that, if a security event occurs, the system can be discovered/remediated at a subsequent time. These steps ensure compliance on contact, but also the ability to have an ongoing connection to that endpoint. Network Access Control puts you in control of what attaches to your network.

29 What to Control with Each Phase
Managed Endpoints (company-owned laptops & desktops):
- Phase 1 Endpoint Lockdown: Self-Enforced with the SEP client
- Phase 2 Network Lockdown (partial): Ingress Control – Wireless, VPN, Key subnets. Use Enforcer
- Phase 3 Network Lockdown (complete): Complete Access Control for LAN & remote endpoints
Unmanaged Endpoints (guests):
- Phase 1 Endpoint Lockdown: N/A
- Phase 2 Network Lockdown (partial): Ingress Control – Wireless, VPN, Key subnets. Use Enforcer
- Phase 3 Network Lockdown (complete): Complete Access for remote & LAN
We recommend that you start by securing your managed endpoints and then move on to securing unmanaged endpoints.

30 What Type of Enforcement to Use with Each Phase
Managed Endpoints:
- Phase 1 Endpoint Lockdown: Self-Enforcement
- Phase 2 Network Lockdown (partial): Gateway Enforcement
- Phase 3 Network Lockdown (complete): LAN (802.1X), DHCP Enforcement
Unmanaged Endpoints:
- Phase 1 Endpoint Lockdown: N/A
- Phase 2 Network Lockdown (partial): Gateway Enforcement
- Phase 3 Network Lockdown (complete): LAN (802.1X), DHCP, Gateway Enforcement
Start with SEP Enforcement then move to network-based enforcement.
So you’ve asked your customer these questions: How do you ensure your endpoints are properly protected/compliant before they are allowed to connect to the network? And they also admitted that their perception of NAC is that it is expensive and difficult to implement. You want to give them this pitch. Control access and set policies based on:
- whether it is an employee or non-employee
- a device that is managed by your IT team or an unmanaged device (likely a contractor or partner)
- if the connection is made on-site vs remote

31 Symantec Network Access Control 3 Key Components
SEP Management Console (SEPM) Endpoint Client (SEP) Enforcer Appliance Symantec Endpoint Protection 12.1

32 2. Endpoint Evaluation Technologies
Good: Remote Scanner – ‘Unmanageable’ Endpoints
Better: Dissolvable Agents – ‘Unmanaged’ Endpoints
Best: Persistent Agents – ‘Managed’ Endpoints
Symantec offers 3 types of endpoint evaluation technologies. Persistent agents are the strongest option and can be used on managed endpoints. Dissolvable agents are the next best option and can be used on unmanaged endpoints. The remote scanner can be used for endpoints where an agent cannot be installed.
Symantec Endpoint Protection 12.1 client is SNAC ready.

33 3. Enforcers
Host-based: Good – Symantec Self-Enforcement
Network-based (optional): Better – Symantec Gateway Enforcer; Symantec DHCP Enforcer; Best – Symantec LAN Enforcer-802.1X
Self-enforcement is our host-based enforcer option. This is a great option for SEP 11.0 customers that want to control ‘managed’ devices, meaning devices that are procured and managed by the organizations. A side benefit of self-enforcement is that this allows administrators to control access to any network, on or off the corporate network, or devices such as laptops that routinely move between multiple networks.
Gateway: Typically install Gateway Enforcer at a chokepoint – like a VPN gateway or a router; in-line enforcement on any network.
DHCP – universal approach:
- Endpoint only allowed to interact with Quarantine/Remediation server until compliance is achieved; non compliant endpoints are left in quarantine address space
- Enforcer assigns a ‘quarantined’ IP address; requests compliance & policy data
- Enforcer validates policy & checks compliance status
- Enforcer initiates DHCP release & renew on client
- Client allowed access to production network
LAN Enforcer – 802.1x:
- For customers who have deployed 802.1x secure authentication technology for LAN and wireless networks
- Unique transparent mode provides robust NAC with minimal deployment overhead
- Only 802.1x-capable switch infrastructure is required
- Username/password is not part of admission decision: only the compliance status of the endpoint is considered
The Enforcement options can be used in combination, so if you have deployed 802.1x at one facility but not at another you can manage both solutions from the same management console.

34 How SNAC is Packaged
Symantec Network Access Control v 12.1 Symantec Network Access Control Starter Edition v 12.1 Central Management Console Symantec Endpoint Protection Manager Endpoint Evaluation Technology Persistent Agent (SNAC Agent) Dissolvable Agent (On-Demand Agent) Add On Add On Remote Vulnerability Scanner Add On Add On Endpoint Evaluation Technology Self - Enforcement Gateway Enforcement * * DHCP Enforcement LAN (802.1x) Enforcement * Symantec Endpoint Protection 12.1 * Requires purchase of an enforcer appliance

35 Symantec Security Intelligence Integrated Global Intelligence, Analysis, and Protection
Relevancy Global Expertise More researchers Comprehensive data sources More virus samples analyzed Extensive customer support GIN Data feeds into the Symantec Protection Center dashboard. Discuss the GIN, Symantec’s visibility into the threat environment, and share how that information works its way into the products. Relevancy We track a sea of moving targets across the global threat landscape to keep your defenses razor sharp The threat landscape is littered with criminal activity, using stealth technologies to infiltrate customer networks and steal confidential information. It is increasingly more difficult to understand which external forces threaten your infrastructure, how to quickly identify which assets are at risk, the resulting impact on your business and how to prioritize incident response within your company. Due to its long-time security leadership role, Symantec is uniquely positioned to tackle the challenges of collecting malware, spyware and adware samples. At the heart of Symantec's capabilities is the world's leading scalable security infrastructure, the Symantec Global Intelligence Network, with over 120 million desktop, server, and gateway antivirus installations that allow malware, spyware and adware to be captured and transmitted back to Symantec Security Response centers for analysis. The global reach and size of this network gives Symantec unmatched coverage, allowing us to greatly improve the ability of organizations and end users across the world to protect themselves. Symantec has established some of the most comprehensive sources of Internet threat data in the world, gathered by The Symantec Global Intelligence Network - some of the most extensive sources of Internet activity data ever available to offer a complete compendium of information unprecedented in size, scope, and clarity. 
This data is critical to providing our analysts with the information needed to understand threat trends and the resulting impact – so that we can develop the security protection needed by our customers. The volume of data that we collect over a broad range of security threats is a differentiator – as it gives us a much better statistical base to truly understand what is happening around the world: Monitor security devices in over 70 countries by our Managed Security Services that allows us to understand key threats that are impacting corporate networks. 40,000 registered sensors in over 200 countries – where we anonymize the data – but are able to determine region, country, size of company and industry. From this – we are able to see if it is a localized threat, global activity or targeted against a specific industry. 120 million virus submission systems provide the insight to determine if these are new threats, variants of existing threats, or renewed activity from existing threats. Again – this data provides us with the intelligence to determine if we have existing protection in place – or if a new signature or definition needs to be created. In addition, we have a network of additional sensors tracking data specific to Vulnerabilities: Maintain one of the world’s most comprehensive vulnerability databases, currently consisting of over 25,000 recorded vulnerabilities (spanning more than two decades) affecting more than 50,000 technologies from over 8,000 vendors. Symantec Honeynet: Virtual network of unprotected systems designed to attract malicious activity. This appears on Internet as 8,000+ IP addresses. Symantec Probe Network: A system of over two million decoy accounts focused on Fraud/Phishing/Spam. Located in over 30 countries, attracts from around the world to gauge global spam and phishing activity. If you don’t know what you have – how do you know what to watch for?
Accuracy: Our diverse team of expert analysts provides an invaluable understanding of threats from the inside out. Millions of online attacks happen every day. Fraud, worms, spyware, we see it all. But our customers are silently protected from most of them due to the sophisticated automated tools that filter the majority of the threats. Many of today’s threats have become so complex that understanding the anatomy of a threat is the key to creating the right protection. That is where our global team of experts makes the difference. Located in North America, Asia, Australia, and Europe – our centers are staffed by researchers who represent a cross section of the most highly-regarded security experts in the industry, offering customers 24x7 coverage for important security events no matter when they happen. The information we gather is analyzed by the largest Security Organization in the world, which not only creates classic antivirus signatures but IPS signatures that work at the network level and stop infections before they actually reach the operating system. Vulnerabilities are analyzed to create Generic Signatures that provide patch like protection long before actual patches are available. Vulnerabilities are categorized and organized so informed decisions can be made. In addition, Actionable Policies and Controls are derived from generic Regulations. When we identify an attack gathered from the data in the Global Intelligence Network, the first things we ask are: Have we seen it before? How is it being distributed? What’s the impact? And what needs to be done to block and remove the threat? Protection: With updates coming from a worldwide array of response centers at multiple intervals, you’re always a step ahead. Before we deliver any signatures to our customers they go through a rigorous QA to ensure accuracy. Within minutes new spam senders are blocked. Within hours customers are protected from new threats.
Within a day we deliver generic signatures shielding new vulnerabilities. We offer several delivery mechanisms so customers can choose the best method for their environment: Filtered and relevant information is proactively sent to subscribing customers. Templates from PCI to ITIL provide in-built intelligence enabling to fast track your projects. The diversity of threats and security risks handled by the Symantec Security Response organization places it at the forefront of security research. For example, Symantec's antispyware researchers benefit from the understanding and expertise of not only their group, but also that of Symantec anti-spam specialists who monitor and analyze unsolicited messages being used to deliver spyware program installers. Similarly, Symantec's intrusion experts provide analysis of the ways in which Web browser vulnerability exploitation can be used in conjunction with spyware to surreptitiously install the applications in a "silent" or "drive-by" fashion. Symantec provides multiple options to provide definition files to meet multiple customer needs:
- Rapid Release - updated hourly
- Intelligent Updaters - Published 3 times a day
- LiveUpdates - Virus definitions updated 3 times a day and for every major outbreak
Accuracy: Response Centers; In-depth Analysis; Signatures: AV, AS, IPS, GEB, SPAM, White lists; DeepSight Database; IT Policies and Controls; Rigorous False Positive Testing.
Protection: Automated Updates; Fast & Accurate; Variety of Distribution Methods; Relevant Information; Users.

36 Symantec Security Intelligence Integrated Global Intelligence, Analysis, and Protection

37 Symantec Endpoint Protection 12.1

