1. Revolutionizing Endpoint Security
Kevin Murray, Sr. Director, Endpoint Security
September 27, 2007

2. Agenda Security 2.0 1 Trends at the Corporate Endpoint 2 Announcing… 3
A Complete Enterprise Security Solution 4
Call to Action! 5

3. Security 2.0 New technologies are changing the way we communicate
Businesses are sharing information across their extended enterprises and engaging in more complex electronic interactions
New technologies are also introducing new security risks
No longer focused on just the device – it’s about the information and interactions
Phishing, ID theft, malicious users and non-compliance are all risks
Must keep the threats out, and ensure the information stays inside
Symantec is bringing together an ecosystem of products, services and partners that help create a safe and connected world
Symantec’s mission is to deliver solutions that protect customers’ connected experiences
In September 2006 we held the Security 2.0 event. What was this about? We were busy managing the communication around the merger of Veritas and Symantec and we wanted to make sure that the market knew that we are the leaders – and Security 2.0 was a Visionary thing for the market to know that we are the thought leaders here.
There is a new wave of threats coming and we are ahead of it. JWT likes to say we are happy to see MS involvement in the security market – though they seem to be solving yesterday’s problems.

4. stopped giving out personal information stopped paying bills online
Security 2.0: The Facts
fear of eavesdropping
fear of online fraud
53%
14%
stopped giving out personal information
stopped paying bills online
Sources: Gartner; Cyber Security Industry Alliance, June 2005

5. Protecting Information
External Threats Such As Viruses, Spyware & Crimeware
Exploiting System Vulnerabilities
Internal Threats Such As Data Theft and Data Leakage
Exploit Lack Of Supervision For Corporate Information Flow
Non-Compliance With Policies Or Regulations (SOX, FISMA, etc)
Lack Of Adequate Controls Or Evidence Collection
Protecting information, but from what?
You probably know us as the company that protects computer systems and data from “bad stuff” – that is external threats like viruses, spyware, etc. But more and more these days, we are seeing the threat of the *insider.* A threat that takes the traditional notion of Trust and challenges it. What if an employee, with lots of administrative privileges, is trusted one day, but is about to resign? How do you stop that trusted employee from doing “untrustworthy” things? I’ll also talk to you about how we can help you with compliance – mostly on the security compliance side, but also show you how we help with overall IT compliance.

6. Endpoint Security & Information Foundation
Provides A Real Time Defense Against Malicious Activity
Information Risk Management
So, today, I’ll introduce you to our Enterprise Security framework – a way of thinking about your security strategy holistically, in three layers that help you tackle the management of risk and the challenges around compliance.
[Build]
First, the Endpoint Security layer. Consider this the bare minimum of systems that most organizations must procure and employ to manage the flow of information through the enterprise. In most cases, regardless of size, customers have varying types of clients, servers, app servers, servers, file servers and databases. And we employ basic security tools to keep those systems protected, such as antivirus. The idea being to build a solid security foundation by securing the endpoint.
Well, most customers have also gotten very good at making information available to end users, whether through transparent access to messaging systems, file servers or databases, the flow of information is at an unprecedented level due to advances in IT. [Build] This additional layer, Information Security, is where the organizations critical assets really lie. And so, the challenges in protecting that information from all kinds of risks have increased as well.
Endpoint Security
Cell Phone
Laptop
Desktop
File Server
Application Server
Messaging Server
Database Server

7. A Complete Enterprise Security Strategy
Security Management
Policy Management
Vulnerability Management
Information Management
Event & Log Management i !
Information Risk Management
[Build 3 times]
Finally, all this information must be managed – from everyday IT policies to terabytes of events and system logs, the need for intelligent tools to manage these increasing volumes of data have increased as well. Customers are crying out for a way to make sense of the data, and to help them take action on correlated data throughout the enterprise – this layer of Security Management helps our customers make sense of the data, manage the information and get ahead of regulation, all managed by Policy in a unified and simplified fashion.
Endpoint Security
Cell Phone
Laptop
Desktop
File Server
Application Server
Messaging Server
Database Server

8. Endpoint Security

9. Business Problems at the Endpoint
Number of Zero Day threats
Endpoint management costs are increasing
Cost of downtime impacts both productivity and revenue, productivity hit largest in enterprise
Costs to acquire, manage and administer point products are increasing, as well as the demand on system resources
Complexity is increasing as well
Complexity and man power to manage disparate endpoint protection technologies are inefficient and time consuming
Source: Infonetics Research - The Cost of Network Security Attacks: North America 2007
(Note that zero-day graphic builds after last text bit)
Infonetics Research
Shows the average annual cost of downtime caused by security attacks.
3 types of security attacks: DOS attacks, client malware, and server malware
Purple is revenue and Blue is Productivity
Small is <100
Medium is – annual cost is $230,000
Large is over $31.26M
When revenue generators are not able use their computer or connect to the network down this impacts the company’s revenue
Measuring both the revenue and their productivity – gives cost
Describe Zero Day threats
Time line from original vulnerability announced “V” to 12 mos later when the exploit was created “E”; then AV companies wrote signature and then the customer had to deploy. We got really good at shortening the time between when the exploit was created and when our signatures were published. Then the bad guys got smart and started to create exploits within about 6-7 days; we knew that we needed new technology to help here. We created Generic Exploit Blocking (GEB) (this is a part of SCS today) which creates a generic signature for a particular vulnerability so as new variants come out we are already protected.
What about vulnerabilities which are not announced. Then zero day solutions came about – you need security looking for suspicious activity. Unusual behavior. This is when we know we had to buy Whole Security (Confidence Online) who services protect based on behavioral characteristics. Ie Word is sending 100k s. This is not normal behavior. The trade off here is the noise you don’t want a lot of messages Is this ok, is this ok. Have to manage the false positives
Zero Day Process
1. Vulnerability Discovered
2. Some time later – Exploit released. The clock starts ticking
3. AV vendors write sig
4. hackers get smart and release code closer and closer to the Vuln Disc date
5. We get better with GEB = > Closer
Available in SCS
6. Sometimes 0-day
Exploit found in the wild for a vulnerability never seen before
7. We acquired even better technology that is behavior based – WholeSecurity
Growing number of known and unknown threats
Stealth-based and silent attacks are increasing, so there is a need for antivirus to do much more

10. What do these bars signify?10 10

11. Causes of Sensitive Data Loss
The leading causes of sensitive data loss:
User error3
Violations of policy12
Internet threats, attacks and hacks8
In one form or another, human error is the overwhelming cause of sensitive data loss, responsible for 75 percent of all occurrences. User error is directly responsible for one in every two cases (50 percent) while violations of policy - intended, accidental and inadvertent - is responsible for one in every four cases (25 percent). Malicious activity in the form of Internet-based threats, attacks and hacks is responsible for one in every five occurrences.
ITPolicyCompliance.com, “Taking Action to Protect Sensitive Data”, Feb. 2007 11 11

12. As Threat Landscape Changes, Technology Must as Well
From Hackers & Spies…To Thieves
Silent
Overwhelming Variants
Highly Targeted
Few, Named Variants
Indiscriminate
Noisy & Visible
OLD
NEW
[Build through larger graphic]
A few years back, it was well understood that hackers really jut wanted notoriety from there exploits – to gain recognition from their “peers” on creating such impressive “proofs of concept” when it came to viruses.
[Build to show tagline]
However, we have seen a marked shift from this “graffiti” approach to one of stealth, and one of financial gain. Hackers today don’t want to be discovered, they want to attack silently and leave no trace – to steal sensitive information like credit card data, passwords, login info, etc. Simply put, they want to get rich.
Moving from Disrupting Operations To Damaging Trust and Reputations

13. Protection From External Malicious Threats
Protection Starts At The Corporate Endpoint
Broad Range Of Client Devices : Laptop, Desktop, Cell Phone
Broad Range Of Threats : Virus, Worms, Spyware … Crimeware
Crimeware
Spyware
Worm
Virus
As I stated before, you probably know Symantec from our history in protecting customers from “bad stuff” happening to their computers. Like viruses, worms, spyware and the like. We know from experience that protection starts at the corporate endpoint. Whether a cell phone, a laptop or a desktop system, these client systems require increased protection today more than ever. We’ve seen an evolution in how hackers have modified their wares – as such Symantec has responded in kind. We’ve pioneered technologies and methods to counter these changing hacker tactics – but let me tell you what we’ve seen recently.
Windows Smartphone
Symbian Device
Laptop PC
Desktop PC 13 13

14. Is Endpoint Protection Enough Protection?
“What Are The Most Common Sources Of Automated Internet Worm Attacks ?”
43%
Employee Laptop
39%
Internet Through Firewall
34%
Non-Employee Laptop
27%
VPN Home System
As we shored up our resources on fighting the evolving hacker threat, we also saw the market need for greater control. Note that many of the threats getting into the corporate network are coming from machines that IT thought they had covered. Perimeter firewall, VPN, and then interestingly enough, *non-employee laptops.* Huh? How could that happen?
It’s quite simple – employees have a desire to do business with more and more partners every day, whether guests in a conference room, temp workers, contractors, etc – some customers report allowing internet access to those “unmanaged devices.” Not that you would allow such a thing. ;-) 8%
Don’t Know 8%
Other
Source: Enterprise Strategy Group, January 2005 ESG Research Report, Network Security And Intrusion Prevention

15. Endpoint Security Policy
The Need for Complete Endpoint Security: Endpoint Protection + Endpoint Compliance
Worms
Unknown Attacks
ID Theft
Viruses
Protection
Patch Updated
Service Pack Updated
Personal Firewall On
Antivirus Signature Updated
Antivirus On
Compliance
Endpoint Security Policy
Status
[Build Protection]
Most customers know us for our Endpoint Protection – essentially keeping the bad stuff out.
[Build Compliance] But, part of what customers now need to ensure the overall health of their network, is endpoint compliance.

16. Symantec Endpoint Compliance Process
Discover
Endpoint Attaches to Network
Configuration Is Determined
Step 1
Monitor Endpoint to Ensure Ongoing Compliance
Step 4
Enforce
Compliance of Configuration Against Policy Is Checked
Step 2 ü ✗
Monitor
IT Policy
How does this endpoint compliance process work?
[Build Discover] The first step in this process is for the access point to discover the device attempting access.
[Build Enforce] From there, the solution can apply an integrity check to determine if the endpoint is compliant with current security policy.
[Build Remediate] If out of policy, the system can be quarantined, remediated or given federated access to the LAN.
[Build Monitor] Of course, it is also important to have ongoing checks to ensure that, if a security event occurs, that the system can be discovered/remediated at a subsequent time.
[Build Altiris] and with our recent acquisition of Altiris, we also add the ability to patch systems easily from a single vendor. We have had this capability in SNAC for some time now, but with Altiris, we are able to offer an extended remediation zone.
These steps ensure compliance on contact, but also the ability to have an ongoing connection to that endpoint.
Remediate
Take Action Based on Outcome of Policy Check
Step 3
Patch Quarantine Virtual Desktop

17. Symantec Network Access Control
Ensures endpoints are protected and compliant prior to accessing network resources
Choose quarantine, remediation or federated access
Enforce policy before access is granted
Execute updates, programs, services, etc
Limit connection to VLAN, etc
Broadest enforcement options of any vendor
Remote connectivity (IPSec, SSL VPN)
LAN-based, DHCP, Appliance
Standards-based, CNAC, MSNAP
This process is delivered via Symantec Network Access Control. An innovative solution that ensures endpoint compliance, and ensures it through utilizing the broadest array of enforcement options. [Build text] Whether fitting into an existing infrastructure, say Cisco or Microsoft, Symantec gives you Network Access Control capabilities right out of the box. Without the need to upgrade every switch router, server or VPN concentrator to get you there. We work within your environment to get your endpoints compliant in the fastest time.
Pervasive Endpoint Coverage
Unmanaged Guests, Contractors, Home Computers
Central, Scalable, Flexible Policy Management
Distributed servers, redundancy, data base replication, AD integration
Universal enforcement
(W)LAN, IPSec VPN, SSL VPN, Web Portal
Integration with Existing and Emerging Standards
802.1x, Cisco NAC, Microsoft NAP, TCG’s TNC
Automated Remediation Process
No user intervention required
Learning mode and discovery tools 17 17

18. Symantec On-Demand Protection
Layered security technology solution for unmanaged endpoints
Web-based Applications
Thin Client/Server Applications
Traditional Client/Server Applications
Traveling Executives
Public Kiosk
File Share
Partner Extranet
Ideal for use with:
Outlook Web Access (OWA)
Web-enabled applications
Most complete On-Demand security solution
Virtual Desktop
Malicious Code Prevention
Cache Cleaner
Mini personal firewall
Host Integrity
Adaptive Policies
Of course, there is another aspect to ensuring endpoint compliance – the unmanaged endpoint device. As stated before, IT is receiving pressure to open up access to partners, guests, and others. But while IT typically wants to accommodate such requests, the increase in risk to date has been unmanageable. This triggered the need for “on-demand” security – that is, security that could be implemented on demand, regardless of device type, location, browser, etc.
Symantec On-Demand Protection gives IT that extension to the unmanaged device. A simple solution that is ideal for use with web-enabled applications like Outlook Web Access, On-Demand Protection keeps the wandering endpoint from becoming a greater security risk, as they connect to the network. 18 18

19. Network Access Control + On-Demand Protection
Complete endpoint compliance regardless of network access method
Managed Devices: laptops, mobile phones
Unmanaged Devices: Guest, contractor, partners, kiosks
OWA
Kiosk
Partner
Temp
The combination of Symantec Network Access Control and Symantec On-Demand Protection allows IT to provide unprecedented service levels, through granting access to more devices and extended user communities than ever before. It also gives IT greater control over the endpoint, ensuring that they are compliant with policy at every turn.
[Note that user types have been reflected in first build: guest. Temp worker, OWA, etc]
Windows Smartphone
Symbian Device
Laptop PC
Desktop PC 19 19

20. Today’s Endpoint Problems Addressed by Too Many Technologies…
Client Firewall
O/S Protection
Buffer overflow & exploit protection
Anti crimeware
Device controls
Network IPS
Host integrity & remediation
Protection Technology
Antispyware
Antivirus
Network
Connection
Operating
System
Memory/
Processes
Applications
Worms, exploits & attacks
Viruses, Trojans, malware
& spyware
Malware, Rootkits, day-zero
vulnerabilities
Buffer Overflow, process
injection, key logging
Zero-hour attacks, Malware, Trojans, application injection
I/O Devices
Slurping, IP theft, malware
Endpoint
Exposures
Always on, always up-to- date
Data & File System
One major problem that customers face when determining their endpoint security strategy is trying to decipher what protection technology they need to address which exposures. Honestly, it seems to take a PhD to make sense of this.
Let’s take a look at the exposures that the endpoint is susceptible to – attacks like Viruses, Trojans and worms are typically handled by basic antivirus solutions and some have gone so far to include anti-spyware to handle spyware and adware. As network-based attacks, rootkits, buffer overflows and other types of attacks you can see that additional technologies [Build] have become a necessary addition to the basic malware coverage.

21. …even from Symantec Endpoint Exposures Protection Technology Symantec
Client Firewall
O/S Protection
Buffer overflow & exploit protection
Anti crimeware
Device controls
Network IPS
Host integrity & remediation
Protection Technology
Antispyware
Antivirus
Symantec Confidence Online
Symantec Sygate Enterprise
Protection
Symantec Network Access Control
Symantec
Solution
Symantec AntiVirus
Endpoint
Exposures
Always on, always up-to- date
Zero-hour attacks, Malware, Trojans, application injection
Applications
Slurping, IP theft, malware
I/O Devices
Buffer Overflow, process
injection, key logging
Memory/
Processes
However, even Symantec has addressed these exposures somewhat piecemeal – using multiple products to address this ever-evolving landscape. Symantec offers a variety of solutions to combat this diverse array of attacks and exposures – and quite frankly, customers have told us that we need to make it easier for them to manage all these exposures.
Malware, Rootkits, day-zero
vulnerabilities
Operating
System
Worms, exploits & attacks
Network
Connection
Viruses, Trojans, malware
& spyware
Data & File System

22. Ingredients for Endpoint Protection
AntiVirus
Worlds leading AV solution
Most (33) consecutive VB100 Awards
Virus Bulletin – Aug 2007
So what are we doing about it? Well, we determined that we needed to build a better mousetrap, and that we had the best ingredients to make it happen in a single solution.
We started with the world’s leading antivirus solution. Our track record speaks for itself – 30 consecutive Virus Bulletin 100% certifications – and as of April 2007, 31 consecutive passes. No other vendor has this track record of success.
In addition, we have won many awards as noted on the right side here, consistently.
Antivirus

23. Ingredients for Endpoint Protection
Antispyware
Best rootkit detection and removal
Raw Disk Scan (VxMS) = superior rootkit protection
Source: Thompson Cyber Security Labs, August 2006
As for spyware, one of the best things that came out of the Veritas merger was that we gained access to incredibly fast and effective scanning technology from the Backup side of the business – this technology, called “Raw Disk Scan” is already in our Consumer line of products, and catches the most Rootkits – more than any other vendor. Take a look at Microsoft in this chart – once touted as the “best” anti-spyware, the “Giant” software they acquired and subsequently included in Vista (and XP SP2), has proved ineffective at catching Rootkits.
Further detail:
Rootkit detection – integrated Veritas technology so we best at detecting and removing rootkits we can scan at a deeper level.
1. Installed without user’s knowledge
2. Gains admin or system-level privileges
3. Hides from detection / buries deep within the operating system
4. Used as a method to circumvent existing security tools and/or measures (optional point)
Antispyware
Antivirus

24. Ingredients for Endpoint Protection
Firewall
Industry leading endpoint firewall technology
Gartner MQ “Leader” – 4 consecutive years
Rules based FW can dynamically adjust port settings to block threats from spreading
Firewall
Another great thing was acquiring Sygate in October of Gartner has raved about their managed firewall capability for 4 consecutive years. Not only is it effective technology, but it is extremely light and streamlined, so we based our next-generation architecture on it. The rules-based firewall is a dynamic solution, adjusting to protect the network from threats as they attempt to spread.
Antispyware
Antivirus

25. Ingredients for Endpoint Protection
Intrusion Prevention
Combines NIPS (network) and HIPS (host)
Generic Exploit Blocking (GEB) – one signature to proactively protect against all variants
Granular application access control
Proactive Threat Scan (TruScanTM) - Very low (0.004%) false positive rate
Detects 1,000 new threats/month - not detected by leading av engines
Intrusion Prevention
Firewall
25M Installations
Only 50 False Positives
for every 1 Million PC’s
When we looked at Intrusion Prevention, we realized that we needed to combine layers for IPS to be truly effective. In Symantec Client Security, we introduced Generic Exploit Blocking – an innovative way to protect against variants and polymorphism, with a single “vulnerability-based” signature. But what we realized was that we need to address Zero-day attacks in a truly “signature-less” fashion. Around the same time we acquired Sygate, we also acquired a small company called Whole Security. Their technology is heuristic based, and fine-tunes itself to reduce false positives that heuristics are prone to. We introduced this in the Consumer products, and the success has been overwhelming – as illustrated in the slide.
Further detail:
Symantec SONAR Technology, which unlike all other heuristic-based technologies, scores both good and bad behaviors of unknown applications. The unique algorithms of this proprietary technology provides more accurate detection without the need to set-up rule-based configurations or the worries of false positives.
Based on an installed base of over 25 million users, our behavior-based technology has proven to be extremely accurate and effective. We have found that since its deployment, this proactive technology has detected approximately 1,000 new threats per month that were not yet detected by any of the leading antivirus engines. Moreover, it does this with an incredibly low false positive rate of only % (less than 50 for every 1 Million users).
Antispyware
Antivirus 25 25

26. Intrusion Prevention (IPS)
Intrusion Prevention System (IPS) Combined technologies offer best defense
Intrusion Prevention (IPS)
The key thing to understand is that not all Intrusion Prevention is the same. Most vendors will claim that they have it, but may only have one aspect of it.
We realized that we needed to deliver IPS in two flavors – Network-based and Host-based. The simple difference being NIPS looks at network traffic to and from the system, and host-based looks at application and system behaviors to provide greater protection. We introduced several technologies separately in this space, and now we are bringing them together to increase protection.
[Greater detail is self-explanatory – walk them through each of the features listed under each category.]
(N)IPS
Network IPS
(H)IPS
Host IPS
Generic Exploit Blocking
Vulnerability-based (Sigs for vulnerability)
Proactive Threat Scan
Behavior-based (Whole Security – TruScanTM)
Deep packet inspection
Signature–based (Can create custom sigs, SNORT-like)
Application Control
Rules-based (System lockdown by controlling an application’s ability to read, write, execute and network connections)

27. Ingredients for Endpoint Protection
Device Control
Prevents data leakage
Restrict Access to devices (USB keys, Back-up drives)
W32.SillyFDC (May 2007)
Device Control
Intrusion Prevention
targets removable memory sticks
spreads by copying itself onto removable drives such as USB memory sticks
W32.SillyFDC
automatically runs when the device is next connected to a computer
Firewall
Yet another benefit of the Sygate acquisition was that we gained the ability to protect from attacks and data leakage that occurs through the use (or abuse) of I/O devices such as USB memory keys, media players, etc.
One recent example of an attack using this method was “W32.SillyFDC” which used a USB key as the means to deposit a Trojan horse onto a system.
With our technology, you can determine which of these devices have write access to the system, and even what data can be written to the I/O device. We do it by Device Class ID, offering many possibilities on how to create different policies based on device type.
Antispyware
Antivirus

28. Ingredients for Endpoint Compliance
Network Access Control
Network Access Control
Network access control – ready
Agent is included, no extra agent deployment
Simply license SNAC Enforcement
Device Control
Intrusion Prevention
Firewall
Most IT professionals are familiar with or considering Network Access Control (or NAC) in their environment. With Sygate, we gained the industry’s most flexible NAC solution. We fit into the customer’s environment, we don’t force the customer to change around us.
With the most enforcement options available, we have managed to carve out a great spot for us in the market here, in fact winning several awards in addition to some very large customer accounts.
(NAC – ensures that the endpoint is in compliance before it is allowed to connect to the network. Works for employee, contractors and guests. We have very flexible implementation options)
Antispyware
Antivirus

29. Network Access Control
Introducing…
Network Access Control
Symantec Network Access Control 11.0
Symantec Endpoint Protection 11.0
Device Control
Intrusion Prevention
Firewall
And now, my big announcement – I’d like to introduce “Symantec Endpoint Protection 11.0” and the next version of SNAC, “Symantec Network Access Control 11.0.” We are taking all these essential ingredients and combining them into a single agent, managed from a single console. This solution is the result of years of development and integration, combining the most essential protection and compliance technologies into a single centrally-managed solution.
Antispyware
Antivirus

30. Single Agent, Single Console
Results:
Symantec Network Access Control 11.0
Symantec Endpoint Protection 11.0
Reduced Cost, Complexity & Risk Exposure
Increased Protection, Control & Manageability
The result to the customer is Increased Protection, Control and Manageability with Reduced Cost, Complexity and Exposure.

31. Beta Customer Value Data
Single console
Customers who participated reduced man-hours by 75%
Security Related Reporting
One customer expects to save 97% of the man hours on weekly security related reporting
Application Control
One customer:
anticipates a 50% reduction in calls to the support center
and the avoidance of re-imaging over 100 PCs per week
Recovering over 600 man hours a week from analyst and technicians’ time. 
Another:
anticipates recovering over $2.0 million from network outages caused by un-authorized peer to peer applications
Controlled beta conducted the Alchemy Solutions Group from April – September “Value Delivery Research” available soon, in October 2007.
Single console
Ability to manage complete IT Security Operations from a single console with zero latent visibility to the endpoint will reduce the current state man hours an average of 75% for those customers who participated
Security Related Reporting
One customer expects to save 97% of the man hours on weekly security related reporting.
Application Control
One customer anticipates a 50% reduction in calls to the support center and the avoidance of re-imaging over 100 pc’s per week as a result of deploying Application Control.
Recovering over 600 man hours a week from analyst and technicians’ time. 
Network outages caused by un-authorized peer to peer applications is costing one customer over $2.0 million annually. -- limiting access to only approved applications at the endpoint and will be a key enabler in recovering this avoidable expense.  
End User -Self Diagnostics
Empowering the user community to safely manage mundane desk top security related issues will reduce calls to the help desk by at least 60% for those customers who participated

32. Memory Footprint Comparison (using final shipping product)
Baseline Memory Usage
Symantec AntiVirus Corporate Edition
62 MB
Symantec Client Security
129 MB
Symantec AntiVirus + Symantec Sygate Enterprise Protection
72 MB
McAfee Total Protection SMB
71 MB
Trend Micro OfficeScan Client/Server
50 MB
Symantec Endpoint Protection 11.0
24 MB!
[Make sure you are in Slide show mode – the “????” disappear after a mouse click]
So how do we lower cost?
We are lowering costs through reduced number of products to manage, and reduced memory usage
With this reduction, we are seeing an average of over 80% reduction in memory usage
Microsoft Forefront Client Security is not on here since their offering is only AV, and AS (which runs at around 20MB), with some future Firewall manageability; adding third-party IPS and Device control puts it well above the 21MB indicated for SYMC Endpoint Protection 11.0
How did we manage to add more technology and still reduce  from 129MB to 21MB usage.? What did we do?  
SAV and Consumer share a lot of code (all the engines.)  The engine teams (STG) focused a lot on minimizing memory requirements in the consumer 07 releases.  We are seeing a lot of the benefits of the new slimmer versions of the engines and common code.
Similar to the work done by the engine teams, we made improvements to our own components to optimize their use of memory.
Sygate’s FW is much smaller than the consumer/SCS FW.
WholeSecurity was already very tiny.
Task Manager 21-25MB
Perf Mon will show more like 40MB
????
Average of 80% reduction in memory usage requirements 32 32

33. Average of 80% reduction in memory usage requirements
Dispelling Myths
Symantec Endpoint Protection Component Processes in Memory
Baseline Memory Usage
Smc.exe
8,464 kb
SmcGui.exe
5,640 kb
ccSvcHost.exe
5,532 kb
RtvScan.exe
2,936 kb
ccApp.exe
0,746 kb
Total
24,218 kb
We have identified two reasons why competitors and some partners and SEs doubt our claim in memory consumption.
1) Right after installation, Symantec Endpoint Protection will scan the machine and download the latest patterns/definitions. During this time, the memory consumption is higher. If a tester tries to validate our numbers right after the installation he/she will get distorted figures.
2) Symantec uses the advanced memory optimization features offered by Windows XP, 2003 Server and Vista. These features are not available in Windows While the reduction in memory consumption is considerable it is not as high as in the current versions of Windows. If a tester tries to validate our numbers on Windows 2000 Workstation or Windows 2000 Server he will not see same reduction.
Average of 80% reduction in memory usage requirements 33 33

34. Symantec Endpoint Protection
Unmatched Protection
Symantec Endpoint Protection
Secure
Simple
Seamless
Unmatched combination of technologies
Much more than antivirus
Backed by the industry standard Symantec Global Intelligence Network
Single agent
Single console
Single license
Single support program
Fits into your network
Easily configurable, use only what you need
Combines essential Protection and compliance functions
Symantec Endpoint Protection is Secure, Simple & Seamless. The unmatched combination of endpoint protection technologies, improved Client and administrator UI and seamless integration with Network Access Control gives customers the ability to gain unprecedented control over their endpoints. 34 34

35. New Client User Interface
Client User Interface (UI)
Client UI focused on ease-of-use for end-users
Enable users to quickly view settings and navigate
The improvements in the UI will help with client education. This will ultimately reduce helpdesk calls as users have greater visibility into the status of their individual system security. Of course, the Client UI can be hidden from the user and is configurable by the admin (show/not show)
Green is GOOD. Red is BAD.  35 35

36. How do we Increase Protection, Control and Manageability?
Much more than traditional Antivirus by including “advanced” technologies right in the core agent
Combines world-class endpoint technologies
Control
Ensures Network access is secure, regardless of access method employee, guest, contractors, auditors
Manageability
Scalable multi-server architecture
Based on world-class Sygate managed firewall
Key talking points:
Manageability increases due to basing the console on the award-winning Sygate Enterprise Protection managed firewall. Gartner continually recognized this platform as the best managed firewall
Control is increased through Network Access Control, helping admins gain control over who is on their network
The increase in protection is obvious, especially through the addition of WholeSecurity’s behavior-based IPS (zero-day protection) and Device Control from Sygate

37. Enterprise Grade Management Console
Role Based access
Hierarchical views
Integration with Active Directory
More eye candy.

38. Reporting Comprehensive Reporting 50+ canned reports
Customizable Dashboard
Monitors
Comprehensive Reporting
Sample reports built and customizable
---Risk reports---
Infected and at Risk Computers
Risk Detection Action Summary
Risk Detection Count
New Risks Detected in the Network
Top Risk Detections Correlation
Risk Distribution Summary
Risk Distribution Over Time
Comprehensive Risk Report
Proactive Threat Detection Results
Proactive Threat Distribution
Proactive Threat Detection Over Time
Action Summary for Top 10 Risks
Number of Notifications
Weekly Outbreaks
---Audit---
Policies Used
---Behavioral Blocking---
Top 10 Groups with Most Alerted Behavioral Logs
Top 10 Targeted Blocks
Top 10 Devices Blocked
---Compliance---
Network Compliance Status
Compliance Status
Clients by Compliance Failure Summary
Compliance Failure Details
Non-compliant Clients by Connection Type
---Computer Status---
Virus Definition Distribution
Computers not Checked in to Server
Symantec Endpoint Security Product Versions
Intrusion Prevention Signature Distribution
Clients by Memory, Processor, and OS
Client Online Status
Clients with Latest Policy
Client Hardware information by Group
Security Status Summary
Proactive Protection Content Versions

39. Migration Made Easy – Replace, Deploy, Configure
Deployment & Uninstall
Deploy and Configure with Altiris CMS
Uninstall, run other tasks, i.e., backup
When looking to deploy an upgrade to Symantec Endpoint Protection 11.0 it gets really easy using Altiris Client Management Suite. Customers can combine several tasks into the rollout, including backup, uninstalling other security software and deploying & configuring the client.

40. Migration Assistance online

41. Summary of Endpoint Packages
Available September 27, 2007!
Individual products:
Symantec™ Endpoint Protection 11.0
Symantec™ Network Access Control 11.0
Symantec™ Network Access Control Starter Edition 11.0
Bundles / multi-product packages:
Symantec™ Multi-tier Protection 11.0
Symantec™ Endpoint Protection Small Business Edition 11.0
So to sum up our offerings – we introduced two new products today, and are offering them in a few different packages:
Individual products:
Symantec™ Endpoint Protection 11.0
Symantec™ Network Access Control 11.0
Symantec™ Network Access Control Starter Edition 11.0
Bundles / multi-product packages:
Symantec™ Multi-tier Protection 11.0
Symantec™ Endpoint Protection Small Business Edition 11.0
We make it easy to buy and try to combine the things that make the most sense for what customers and partners want to acquire. 41 41

42. If Customer Owns (any):
Entitlement Summary
If Customer Owns (any):
They Get:
•  Symantec AntiVirus Corporate Edition
•  Symantec Client Security
•  Confidence Online for Corporate PC’s (Whole Security) •  Symantec Sygate Enterprise Protection
Symantec Endpoint Protection 11.0
•  Symantec AntiVirus Enterprise Edition
Symantec Multi-tier Protection 11.0
•   Symantec AntiVirus with Groupware Protection •   Symantec Client Security with Groupware Protection
Symantec Endpoint Protection Small Business Edition 11.0
•   Symantec Network Access Control (LAN and/or DHCP)  
Symantec Network Access Control 11.0
•   Symantec Network Access Control (Gateway and/or CNAC)
•   Symantec Sygate Enterprise Protection (with Self Enforcement)
Symantec Network Access Control Starter Edition 11.0

43. Redefining Endpoint Security
Symantec Endpoint Security
Solution
Endpoint Protection
Endpoint Compliance
Endpoint Protection proactively protects laptops, desktops and servers from known and unknown malware such as viruses, worms, Trojans, spyware, adware and rootkits by combining these capabilities:
Antivirus
Antispyware
Desktop firewall
Intrusion Prevention (Host & Network)
Device & Application Control
Endpoint Compliance securely controls entry into networks
Ongoing endpoint integrity checking
Centralized endpoint compliance policy management
Automated remediation
Host based enforcement of access policies
Monitor and report
System configuration checking, remediation & enforcement
Definition
But moving beyond today, I wanted to illustrate the depth of our Endpoint Security product line. We’ve taken great strides to simplify our offerings, while also ensuring broad coverage for a diverse array of devices, such as mobile devices, critical servers and unmanaged systems.
Complete Endpoint Security is comprised of two areas: Endpoint Protection and Endpoint Compliance. Symantec has the best and most complete offering in the market, and customers trust us to continually deliver the most innovative, high-quality solutions.
Symantec Endpoint Protection
Symantec Network Access Control 11.0
Also available in a Starter Edition
* SNAC-ready out of the box
Key Products
Symantec Mobile Security
Symantec Critical System Protection
Symantec On-Demand Protection (for OWA & Web Apps)
Other Products

44. But, what about…? Endpoint Exposures Protection Technology Symantec
Solution
Microsoft
Solution
Endpoint
Exposures
Always on, always up-to- date
Symantec Endpoint Protection & Symantec Network Access Control 11.0
Host integrity & remediation
Symantec Network Access Control
Forefront Client Security + Vista
Windows Firewall
MSRT
Microsoft NAP*
Zero-hour attacks, Malware, Trojans, application injection
Anti crimeware
Symantec Confidence Online
Applications
Device controls
Slurping, IP theft, malware
I/O Devices
Buffer Overflow, process
injection, key logging
Memory/
Processes
Buffer overflow & exploit protection
Symantec Sygate Enterprise
Protection
[This slide is completely optional – it prepares the speaker to address the occasional question regarding Microsoft entering the enterprise endpoint security space. The slide is designed to point out Microsoft’s shortcomings in offering, and gives the speaker the leverage to show how truly “incomplete” MS is at this, and to also reiterate our expertise in knowing what complete endpoint protection really is.]
Speaking points:
[Build] But some customers are asking us how we are going to compete with a few 900 Pound Gorillas entering the enterprise security market place. We know through our extensive experience in this space that it is not an easy problem to solve. As illustrated previously, many exposures have typically required many technology approaches. As these “gorillas” enter the market they may tout their market muscle but as you can see from this offering, there are many holes in this particular offering.
For SEs:
Device Control:
Yes it is true that you can disable some devices with GPO with a workaround and manually importing templates. Microsoft does not consider this a true policy
DEP
DEP can stop certain buffer overflows from occurring but only if you have the matching processors that support this technology. But buffer overflows are only a small aspect of vulnerability exploiting malware. PTS detects malware regardless of the technologies it uses.
Symantec has been protecting customers from malware for over 10 years – with over 120 million systems that trust us every day for that protection.
Malware, Rootkits, day-zero
vulnerabilities
Operating
System
O/S Protection
Worms, exploits & attacks
Network
Connection
Network IPS
Client Firewall
Viruses, Trojans, malware
& spyware
Antivirus
Symantec AntiVirus
Data & File System
Antispyware
* Future

45. A Complete Security Portfolio for Organizations of Any Size
Symantec Enterprise Security
Enterprise (100 +)
Small Business (10-100)
Security Management
Security Management
Symantec Managed Security Services
Symantec DeepSight Threat Management System
Symantec Security Information Manager
Symantec Managed Security Services
Symantec DeepSight Threat Management System
Symantec Security Information Manager
Information Risk Management
Information Risk Management
Symantec Mail Security
Symantec Enterprise Vault
Symantec Database Security & Audit
Symantec Mail Security for Microsoft Exchange
Symantec Enterprise Vault
So you now know our Endpoint Security line of business – but what about filling out the entire Enterprise Security portfolio? As you can see, our broad array of solutions is there to assist you with your security projects – whether products, solutions or services, we are there to provide you with what you need to build a comprehensive Enterprise Security strategy.
Endpoint Security
Endpoint Security
Symantec Multi-tier Protection
Symantec Endpoint Protection
Symantec Critical System Protection
Symantec Mobile Security Suite
Symantec Network Access Control
Symantec On-Demand Protection
Symantec Endpoint Protection Small Business Edition
Symantec Endpoint Protection Starter Edition
Symantec Network Access Control Starter Edition
Symantec Mobile Security Suite 45 45

46. Symantec™ Global Intelligence Network
4 Symantec SOCs
74 Symantec Monitored Countries +
40,000+ Registered Sensors in 180+ Countries + +
8 Symantec Security Response Centers
>6,200 Managed Security Devices +
Advanced Honeypot Network
120 Million Systems Worldwide
30% of World’s Traffic
200,000 malware submissions per month
Millions of security alerts per month
Millions of threat reports per month
Hundreds of MSS customers
Redwood City, CA
Santa Monica, CA
Calgary, Canada
San Francisco, CA
Dublin, Ireland
Pune, India
Taipei, Taiwan
Tokyo, Japan
Twyford, England
Munich, Germany
Alexandria, VA
Sydney, Australia
Six key international locations
Santa Monica, Calif. (Response headquarters)
American Fork, Utah
Sydney, Australia
Calgary, Canada
Dublin, Ireland
Tokyo, Japan
Worldwide sensor network from DeepSight
180 countries
>20,000 sensors
AV submissions from 120,000,000 customers
This is a powerful slide as it illustrates how Symantec offers the most complete information on threats from around the world to the media. It’s a great visual of how strong Symantec’s information and expertise it. You should be sure to explain what “18,000 sensors in 180 countries” exactly means and how we can watch what is happening around the Internet.
You may also want to add that Symantec’s Managed Security Services also adds another view of the Internet.
Global technical support
Springfield, Oregon
Toronto, Canada

47. For More Information… www.symantec.com/endpointsecurity
Remember to visit us online – this site is your single source for information on our new products. Check it out at:
And make sure you try out the beta – you will love it!

48. Thank You! www.symantec.com
Kevin Murray
(408)
Copyright © 2007 Symantec Corporation. All rights reserved.  Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries.  Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising.  All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law.  The information in this document is subject to change without notice.

49. Other areas to cover as optional49 49

50. Servers Are Endpoints Too
Data Center Servers Are Exposed To A Broad Range Of Threats
Malicious Code… Malicious Users
Loose Privileges
System Devices
Buffer Overflow
Back Door
We’ve talked a lot about “client” systems so far – what’s important to note is that servers are endpoints too. Servers are just as susceptible to hacking, theft and other attacks – primarily from the inside. Since a company’s critical data resides on these systems, it is critical also that they are protected with the same diligence.
File Server
Server
Application Server
Database
Server

51. Symantec Critical System Protection 5.1
Eliminates The Broadest Range Of Malicious Server Threats
Runs On The Broadest Range Of Operating Systems
Loose Privileges
System Devices
Buffer Overflow
Back Door
That’s where Symantec Critical System Protection comes in. An industry leading combination of Host Intrusion Prevention and Host IDS-based log monitoring and auditing, provides the layered protection needed to protect these systems and data from insider attack. Critical System Protection also supports the broadest array of operating systems that these systems typically reside in – AIX, HPUX, Linux – it’s not just a Windows world, especially in this part of the datacenter.
File Server
Server
Application Server
Database
Server

52. Symantec Critical System Protection
Symantec Critical System Protection 5.1 Multi-layer protection for critical systems
Close back doors (block ports)
Limit network connectivity by application
Restrict traffic flow inbound and outbound
Restrict apps & O/S behaviors
Protect systems from buffer overflow
Intrusion prevention for day-zero attacks
Network
Protection
Exploit
Prevention
Symantec Critical System Protection
System
Controls
Auditing &
Alerting
Lock down configuration & settings
Enforce security policy
De-escalate user privileges
Prevent removable media use
Let’s look under the hood of Critical System Protection a bit more.
[Build Network Protection] The Network Protection that CSP provides is useful in closing back doors and helping to restrict traffic flow both inbound and outbound to that system.
[Build Exploit Prevention] The Exploit Prevention layer helps to restrict certain types of application and OS behaviors, protecting from buffer overflows and day-zero attacks.
[Build Auditing & Alerting] The Host IDS layer centers around Auditing and Alerting – allowing the admin to monitor logs and settings in a way that paves the way for quick action to rectify issues.
[Build System Controls] And finally, the System Controls layer allows for granular policy configuration and lockdown, preventing misuse and abuse due to inappropriate admin privileges.
Monitor logs, system settings & user
auth for security events
Consolidate & forward logs for archival
Smart event response for quick action

53. Endpoint Protection + Critical System Protection
Securing Endpoints provides an essential “Security Foundation”
Protects against broadest array of exposures
These two solutions together make a rock solid “Security Foundation.” A single console is the heart of ensuring that all operational elements are met, providing configuration, deployment, reporting and other essential management functions.
Symantec Client Security
Endpoint Security
Symantec Critical System Protection
Cell Phone
Laptop
Desktop
File Server
Application Server
Messaging Server
Database Server

54. Symantec Mobile Security Suite 5.0 for Windows Mobile
The Symantec Suite… Simple and Complete
Security
Antivirus, Firewall, anti-spam, network access control, phone feature control, tamper protection and (optional) VPN
Smart phones and PCs use the same LiveUpdate infrastructure
Data Protection
Password Protection, Data Encryption, Data Activity Log
Offers a range of responses to match varying risk tolerance
Activity Log… peace-of-mind and a possible option for regulatory compliance without the overhead of encryption
Management Console for managing the mobile endpoint
Recommend leveraging a mobile device management provider (Sybase, Nokia Intellisync, mFormation…)
Don’t forget AV and FW, they prevent a user from being ‘robbed blind’
Bringing PC-level security to the hacker’s next destination

55. Version Upgrade Process
Symantec is committed to providing customers and channel partners with an enhanced and simplified version upgrade process. 1
Customers eligible for upgrade will automatically receive an notification.
Customers can then download their software directly from File Connect, using the serial number provided. 2
Customers can also visit Symantec’s improved Licensing Portal that delivers multi-function capabilities in one easy to navigate portal.
licensing.symantec.com
(serial and/or account number required)
fileconnect.symantec.com

56. Benefits of Entitlement Program
Why this is a great deal for customers:
Customers who buy Symantec AntiVirus Corporate Edition today are entitled to receive Symantec Endpoint Protection 11.0 on September 27, 2007*
Customers will be getting a lot more than what they initially purchased:
Existing Symantec AntiVirus/Symantec Client Security customers will be entitled to Symantec Endpoint Protection. This gives them (a) new market leading firewall (b) IPS – WholeSecurity proactive behavioral protection (c) device control and application control (d) Option to enable SNAC (SNAC-ready)
Existing Symantec Sygate Enterprise Protection (Sygate desktop firewall) customers will be entitled to Symantec Endpoint Protection This gives them (a) market leading antivirus and antispyware (b) IPS – WholeSecurity proactive behavioral protection (c) Option to enable SNAC (SNAC-ready)
With this entitlement program, Symantec provides customers with the next generation of endpoint security that redefines what is required for complete protection
* See previous slide for exact product entitlement mapping