
Symantec Strategy Briefing Endpoint Protection... · PKI Email Security Data Center Security Cloud...

Date post: 07-Aug-2019
Upload: trinhngoc
Transcript
Page 1: Symantec Strategy Briefing Endpoint Protection... · PKI Email Security Data Center Security Cloud Sandbox Website Security Encryption Compliance Management Encrypted Traffic Management
Page 2

Symantec Strategy Briefing

Clive Finlay, Director of UK&I Technical Sales, Office of the CTO

Page 3

Copyright © 2016 Symantec Corporation

Agenda

• 9:30 - 10:00 - Strategy

• 10:00 - 11:30 - SEP14

• 11:30 - 11:45 - Break

• 11:45 – 12:35 - ATP

• 12:35 - 13:00 - Risk Insight

• 13:00 - Lunch

Page 4

2016 Internet Security Threat Report Volume 21

Released April 2016: appendices and infographics available at http://go.symantec.com/istr

Page 5

Top 5 Messages:

1 On Average, One Zero-day was discovered every week in 2015

2 Over Half a Billion Personal Information Records Lost to Breach

3 Three out of Every Four Websites Put You at Risk

4 Encryption Now Used as a Cyber Weapon to Hold Companies and Individuals’ Critical Data Hostage

5 Don’t Call Us, We’ll Call You: Cyber Scammers Now Make You Call Them to Hand Over Your Cash


Page 6

In 2009 there were 2,361,414 new pieces of malware created.

In 2015 that number was 430,555,582.

That’s 1 Million 179 Thousand a day.

Page 7

Zero-Days

Page 8

[Chart: Zero-Day Vulnerabilities per year, 2006–2015; 54 in 2015]

Page 9

Hackers Unleash Trove of Data from Hacking Team

• HackingTeam (HT) had zero days in Adobe Flash, Internet Explorer and Microsoft Windows

| CVE | Affected Product | First Notice | Patch Date |
|---|---|---|---|
| CVE-2015-5119 | Adobe Flash | July 7 | July 8 |
| CVE-2015-5122 | Adobe Flash | July 10 | July 14 |
| CVE-2015-5123 | Adobe Flash | July 10 | July 14 |
| CVE-2015-2425 | Internet Explorer | July 14 | July 14 |
| CVE-2015-2426 | Microsoft Windows | July 20 | July 20 |
| CVE-2015-2387 | Microsoft Windows | July 8 | July 14 |

Page 10

Targeted Attacks

Page 11

[Chart: Targeted Attack Campaigns, 2012–2015. Series: Campaigns; Recipients per Campaign; Average Number of Email Attacks Per Campaign. Annotation: 55% increase]

Page 12

Spear-Phishing Attacks by Size of Targeted Organization

| Org Size | 2015 Risk Ratio | 2015 Risk Ratio as Percentage | Attacks per Org |
|---|---|---|---|
| Large Enterprises (2,500+ Employees) | 1 in 2.7 | 38% | 3.6 |
| Medium Business (251–2,500 Employees) | 1 in 6.8 | 15% | 2.2 |
| Small Business (SMB) (1–250 Employees) | 1 in 40.5 | 3% | 2.1 |

Page 13

Professionalization of Cyber Crime

Page 14

TeslaCrypt Ransomware – Technical Support Available

Page 15

Dridex Gang - Number of Known Spam Runs Per Day

Page 16

When Cyber Criminals Work in Call Centers, Write Documentation and Take the Weekends Off, You Know it’s a Profession

Page 17

Key Trends Reshaping the Enterprise Security Market

RESURGENCE OF ENDPOINT Rapid shift to mobile and IoT

DISAPPEARING PERIMETER Decreasingly relevant with “fuzzy” perimeter

RAPID CLOUD ADOPTION Enterprise data and applications moving to cloud

SERVICES Security as a Service; box fatigue

CYBERSECURITY Governments and regulators playing ever larger role


Page 18

The Global Leader in Cyber Security

Global market leader in Endpoint Security, Email Security, Data Loss Prevention and Website Security, User Authentication

Enterprise focus on three core solution areas:
• Advanced Threat Protection
• Information Protection Everywhere
• Cybersecurity Services

Largest consumer security footprint on the planet – 67M

Secures 90% of F500 and 370,000 organizations around the world

Network + Security + Cloud

Global market leader in Web Security and Cloud Security

Delivers integrated solutions in six primary security arenas:
• Advanced Web and Cloud Security
• Advanced Threat Protection
• Encrypted Traffic Management
• Incident Response, Analytics and Forensics
• Web Application Protection
• Network Performance and Optimization

Secures 15,000 organizations globally including over 70% of the Fortune 500.

Page 19

Proven Security Leadership

Driving Exceptional Growth, Profitability and Innovation at Scale

• Symantec and Blue Coat is a very positive merger with very little overlap. We see a tremendous interest in the capabilities of the Blue Coat tech stack, and from our perspective, we see it as complementary to existing technologies.

By combining forces, Symantec can compete against Dell and IBM with a strong offering for advanced threat protection and powerful incident response analytics for large enterprises.

Combined Highly Successful Acquisitions

• Vontu, PGP, Verisign, Messagelabs

• Solera, Norman Shark, Elastica, Perspecsys, Netronome

Greg Clark (CEO)

• Extensive CEO-level experience to grow & scale companies; turn-around expert; M&A successes

• Cyber security and technical expertise

Mike Fey (COO/President)

• Well-recognized thought leader in cyber security

• Scaled go-to-market and product strategy efforts at Blue Coat and McAfee

Page 20

Symantec | At a Glance

175M endpoints under protection

6 SOCs threat response centers

3000+ R&D engineers

385,000 customers worldwide

$4.6B annual revenue

2123 patents

Page 21

Complex User Definition

Evolving Data Attack Surface

Expanding Perimeter

Multi-Phased, Multi-Staged Attacks

Page 22

Page 23

Page 24

File, URL, Whitelist, Blacklist, Certificate, Machine Learning

Cyber Security Services

Page 25

File, URL, Whitelist, Blacklist, Certificate, Machine Learning

CLOUD GLOBAL INTELLIGENCE SOURCED FROM:

182M web attacks blocked last year

Discovered 430 million new unique pieces of malware last year

12,000+ Cloud applications discovered and protected

100M social engineering scams blocked last year

1B malicious emails stopped last year

175M Consumer and Enterprise endpoints protected

9 global threat response centers with 3,000 Researchers and Engineers

1 Billion previously unseen web requests scanned daily

2 Billion emails scanned per day

Page 26

[Diagram labels]
DLP
Secure Web Gateway
Risk Insight
Secure Mail Gateway
Web Application Firewall
Advanced Threat Protection
Malware Analysis
Cyber Security Services
IT System Management
Endpoint Protection
EDR
Endpoint Cloud
VIP Identity
Local Intelligence
File, URL, Whitelist, Blacklist, Certificate, Machine Learning
SIEM Integration
Data Center Security
Encryption
Content Analysis
Performance Optimization
Cloud Secure Web Gateway
Cloud DLP
CASB
Managed PKI
Email Security
Data Center Security
Cloud Sandbox
Website Security
Encryption
Compliance Management
Encrypted Traffic Management
Security Analytics
SOC Workbench
Third Party Ecosystem
ON PREMISES
CLOUD
HOME
Cloud Data Protection

Page 27

Symantec Endpoint Protection 14.0

Steve Broadwell

Sr. Principal Security Engineer Endpoint and ATP Specialist

Paul Murgatroyd

Page 28

The Threat Landscape Will Continue to Escalate

Endpoint Security must detect and block threats across all points in the attack chain

55% Increase in Targeted Attacks

430M new pieces of malware were created in 2015

125% increase of Zero-Day vulnerability from 2014 to 2015

35% increase of ransomware in 2015

Page 29

Complex Environments + Smart Attackers = Advanced Threats

Endpoint vendors lack effective technologies across the attack chain to block modern advanced threats

INCURSION INFESTATION INOCULATION INFECTION

• Web
• Email
• Trusted Apps
• Devices

• File
• File-less (Macros)
• Memory
• Network Recon
• Crypto-Malware
• Rootkits

• Weaponization & Evasion

• C&C Communications
• Lateral Movement
• Unauthorized Execution

• Quarantine Files & Endpoints

• Removal and Remediation

• Harden System

MULTIPLE VECTORS DIVERSE PAYLOADS RAPID CONTAGION

Page 30

Symantec Endpoint Protection

Malicious software was involved in 90% of our Cyber-espionage incidents this year. Whether it’s delivered via email, a web drive-by, or direct/remote installation, protecting the endpoint is critical.

Verizon 2016 Data Breach Investigations Report

Incursion Infestation & Exfiltration Inoculation Infection

Page 31

Product Overview

Page 32

Introducing Symantec Endpoint Protection 14

Multi-layered protection powered by artificial intelligence and advanced machine learning to deliver SUPERIOR PROTECTION, HIGH-PERFORMANCE and ORCHESTRATED RESPONSE.

SEP stops threats regardless of how they attack your endpoint; so you can focus on your business.

Page 33

Symantec Endpoint Protection 14

Protection against advanced threats without compromising end-user or IT productivity

Superior Protection: Protection against threats, using essential and next-gen technologies. Fed by the largest global threat intelligence network in the world.

High Performance: A single management console and high performance, lightweight agent to protect the business without slowing down end users.

Orchestrated Response: Easily integrate into existing security infrastructure to maintain a high level of protection and speed response.

[Diagram labels: Performance, Protection, Response]

Page 34

SEP12 Existing protection stack

Perceived gaps in our protection stack – being filled by niche vendors today

INCURSION INFESTATION and EXFILTRATION INFECTION

ANTIVIRUS: Scans and eradicates malware that arrives on a system

NETWORK FIREWALL & INTRUSION PREVENTION: Blocks malware before it spreads to your machine and controls traffic

REPUTATION ANALYSIS: Determines safety of files and websites using the wisdom of the community

BEHAVIOR MONITORING: Monitors and blocks files that exhibit suspicious behaviors

APPLICATION AND DEVICE CONTROL: Control file, registry, and device access and behavior; whitelisting, blacklisting, etc.

NETWORK FIREWALL & INTRUSION PREVENTION: Blocks malware before it spreads to your machine and controls traffic

SUPERIOR PROTECTION

Page 35

Superior Protection Across the Attack Chain

Stop Targeted Attacks and Zero-Day Threats with layered protection

INCURSION INFESTATION and EXFILTRATION INFECTION

ANTIVIRUS: Scans and eradicates malware that arrives on a system

NETWORK FIREWALL & INTRUSION PREVENTION: Blocks malware before it spreads to your machine and controls traffic

REPUTATION ANALYSIS: Determines safety of files and websites using the wisdom of the community

BEHAVIOR MONITORING: Monitors and blocks files that exhibit suspicious behaviors

MEMORY EXPLOIT MITIGATION: Blocks zero-day exploits against vulnerabilities in popular software

APPLICATION AND DEVICE CONTROL: Control file, registry, and device access and behavior; whitelisting, blacklisting, etc.

ADVANCED MACHINE LEARNING: Pre-execution detection of new and evolving threats

EMULATOR: Virtual machine detects malware hidden using custom packers

Patented real-time cloud lookup for scanning of suspicious files

NETWORK FIREWALL & INTRUSION PREVENTION: Blocks malware before it spreads to your machine and controls traffic

SUPERIOR PROTECTION

Page 36

SUPERIOR PROTECTION

Blocks zero day memory attacks in popular software

Memory Exploit Mitigation

[Timeline diagram: Vulnerability Discovered, Vulnerability Disclosed, Patch Released, Patch Applied; ZONE OF EXPLOITATION; WEEKS, MONTHS]

Signature-less and works regardless of the flaw/bug/vulnerability

Preemptively blocks exploit techniques, foiling attempts of attackers to take over a machine

Page 37

SUPERIOR PROTECTION

Blocks zero day memory attacks in popular software

Memory Exploit Mitigation

• Generic exploit attack detection and mitigation
• Not signature based

• Blocks exploit attempts
• Works at shellcode execution level
• Counters different exploitation techniques

• Hardens software applications
• Prevents a vulnerability from being exploited
• Makes it harder for hackers to write exploits

Page 38

SUPERIOR PROTECTION

Java Exploit Protection

Memory Exploit Mitigation

Protects the sandbox to prevent an attacker from compromising an applet to access system files

Enables the Security Manager to ensure malicious applets are unable to execute privileged actions, such as downloading and installing malware.

Prevents Java code from executing actions outside the Java sandbox

System.setSecurityManager(null);

Page 39

SUPERIOR PROTECTION

Structured Exception Handler Protection (SEHOP)

Memory Exploit Mitigation

Windows uses SEHOP when handling software exceptions.

It is a method to exploit vulnerable applications with malicious code.

Windows Vista Service Pack 1 and later supports SEHOP to prevent exploits that use this technique – but it's disabled by default!

Generic Exploit Mitigation provides protection against these types of attacks when SEHOP is turned off.

Page 40

SUPERIOR PROTECTION

Heap Spray Mitigation

Memory Exploit Mitigation

Compromises an application by placing arbitrary code into heap memory

Adds a pointer to execute the code at a later time

GEM monitors the heap memory and blocks incoming attacks.

Page 41

SUPERIOR PROTECTION

How does MEM get all this data?

Memory Exploit Mitigation

GEM injects a DLL into protected processes.

When an exploit attempt is detected, GEM terminates the protected process to prevent the malicious code from running.

SEP notifies the user and logs an event in the Security log.

Page 42

Advanced Machine Learning

Blocks unknown threats and mutating malware

[Diagram labels: Collect Training sets in Real-Time; Training Algorithm; Trained Machine; New & Retrained Advanced ML; Detect on client with Advanced Machine Learning]

High efficacy with infrequent updates

Detects large classes of malware with a low false positive rate

0-day protection against variants of the same malware family

SUPERIOR PROTECTION

Page 43

The Largest Civilian Global Threat Intelligence Network in the World

Diverse data, advanced algorithms, highly-skilled threat experts

One of the largest civilian cyber intelligence networks

3.7 Trillion rows of security-relevant data

175M Consumer and Enterprise endpoints protected

57M attack sensors in 157 countries

182M web attacks blocked last year

Discovered 430 million new unique pieces of malware last year

9 threat response centers

Billions of email traffic scanned/day

1 Billion web requests scanned daily

12,000 Cloud applications protected

SUPERIOR PROTECTION

Page 44

Why add a local emulator

Malware is changing quicker than ever, how can we keep up?

SUPERIOR PROTECTION

| | 2005 | 2015 | Impact |
|---|---|---|---|
| % Threats packed | 50% | 83% | Harder to detect generically |
| Obfuscation technique | Commercial packers: UPX, PECompact... | Custom packer | Difficult to keep up with and detect packers |
| Packer update frequency | Few | Very, very frequent | Packer signatures have short lives |

Upatre: Extensively calls special APIs to generate decryption keys; If API support not found, it bails out

Virut/Sality: Very prevalent and keeping up with them through p-code changes is very cumbersome

Ransomware: Source Level polymorphism; Recompiled binaries differ markedly in function and register use

Page 45

Emulation Capabilities

Fast and accurate detection of hidden malware

[Diagram: No Emulation: Executable inside Packer; Packed, not recognized. Emulation: Executable inside Packer in Emulation Environment; Unpacking; Payload Recognized]

Malware hides behind custom polymorphic packers

Emulator ‘unpacks’ the malware in a virtual environment

Emulates file execution to cause threats to reveal themselves

Lightweight solution runs in milliseconds with high efficacy

SUPERIOR PROTECTION

Page 46

File Reputation Analysis

Age, frequency, and location are used to expose unknown threats

[Diagram labels: Symantec Threat Intelligence Network; Global Data Collection; Global Sensor Network; Endpoints; Gateways; 3rd Party Affiliates; Honeypots; Attack Quarantine System; Big Data Analytics; Analytics; Warehouse; Analysts]

Bad safety rating: File is blocked

No safety rating yet: Can be blocked

Good safety rating: File is whitelisted

SUPERIOR PROTECTION

Page 47

Behavioral Monitoring

Behavioral monitoring stops zero-day and unknown threats

Human-authored Behavioral Signatures

Behavioral Policy Lockdown

Artificial Intelligence Based Classification Engine

Monitors nearly 1400 file behaviors to answer:

Who is it related to? What did it contain? Where did it come from? What has it done?

SUPERIOR PROTECTION

Page 48

Symantec Endpoint Protection 14

Protection against advanced threats without compromising end-user or IT productivity

Superior Protection: Protection against threats, using essential and next-gen technologies. Fed by the largest global threat intelligence network in the world.

High Performance: A single management console and high performance, lightweight agent to protect the business without slowing down end users.

Orchestrated Response: Easily integrate into existing security infrastructure to maintain a high level of protection and speed response.

[Diagram labels: Performance, Protection, Response]

Page 49

Intelligent Threat Cloud

Patented real-time cloud lookup for all scanned files

70% reduction in network bandwidth usage for definition file updates

Most up-to-date cloud intelligence to scan suspicious files

HIGH PERFORMANCE

Page 50

Intelligent Threat Cloud

Enables dramatic reduction of on disk and delta definition sizes

HIGH PERFORMANCE

| | SEP 12.1 Standard | SEP 12.1 Reduced | SEP 14 Standard | SEP 14 Embedded and VDI |
|---|---|---|---|---|
| Intelligent Threat Cloud enabled | No | No | Yes | Yes |
| Estimated package size (Network traffic) | ~360 MB | ~45 MB | ~45 MB | ~45 MB |
| Estimated definition size on disk (Full.zip) | ~700 MB | ~75 MB | ~170 MB | ~75 MB |
| Estimated Daily Update | ~4.7 MB | ~3.4 MB | ~400 KB | ~400 KB |

Page 51

Reducing Total Cost of Ownership and Endpoint Complexity

A single agent combines multiple technologies

[Diagram labels: SEP 14; Anti-malware; Next-Gen Endpoint; Endpoint Detection & Response; Exploit Prevention; EMET]

HIGH PERFORMANCE

Page 52

Symantec Endpoint Protection 14

Protection against advanced threats without compromising end-user or IT productivity

Superior Protection: Protection against threats, using essential and next-gen technologies. Fed by the largest global threat intelligence network in the world.

High Performance: A single management console and high performance, lightweight agent to protect the business without slowing down end users.

Orchestrated Response: Easily integrate into existing security infrastructure to maintain a high level of protection and speed response.

[Diagram labels: Performance, Protection, Response]

Page 53

Respond to Advanced Attacks

Quickly prevent the spread of infection to minimize damage

INOCULATION

POWER ERASER: Aggressive remediation of hard-to-remove infections

HOST INTEGRITY: Quarantine, detect unauthorized change, conduct damage assessment and ensure compliance

SYSTEM LOCKDOWN: Part of Application Control - harden endpoint security with whitelisting & blacklisting

SECURE WEB GATEWAY INTEGRATION: Use APIs to orchestrate a response from Secure Web Gateway

EDR CONSOLE (ATP:ENDPOINT): Orchestrate a response from Symantec EDR Console; EDR capabilities are built into the SEP agent.

ORCHESTRATED RESPONSE

Page 54

Enabling Integrations with SEP Management APIs

Easily integrate with security infrastructure

[Diagram labels: SEP Manager; ATP; Sweep, Hunt, Collect, Fix; Secure Web Gateway; REST APIs]

Orchestrate/Automate SEPM functionality from other applications and scripts

ORCHESTRATED RESPONSE

Page 55: Symantec Strategy Briefing Endpoint Protection... · PKI Email Security Data Center Security Cloud Sandbox Website Security Encryption Compliance Management Encrypted Traffic Management

Market Leading Next Generation Endpoint Protection

• #1 in EPP market share (IDC)

• Over 270,000 loyal customers

• Over 300 beta customers for SEP 14

• Beats competition in 3rd party tests

Symantec consistently outperforms the products in its class

14 Years Running

Perfect Score for Protection

Only vendor with AAA rating for over 14 straight quarters

SEP outperforms Cylance

Recommend Product

“Verdict: we love this product.”

SEP 14

Demo

Generic Exploit Mitigation

Advanced Machine Learning

Refreshed Platform Support

Platforms no longer supported

Microsoft EoL products and platforms that cannot support SEP14

Operating systems

• Windows Server 2003

• Windows XP

• Windows XP 2009 Embedded

Products

• SQL Server 2005

• SQL Server 2008 R2 SP1 and SP2

SEP 14 provides backward compatibility support for SEP 12.1.x clients that run on both supported and now legacy operating systems.

Migration Paths: SEPM

11.x → 12.1 → 14

12.1 → 14

Migration Paths: Client

11.x → 14

12.0 → 14

12.1.x → 14

Architecture

Symantec Endpoint Protection 14

Protection against advanced threats without compromising end-user or IT productivity

Improved user experience

Client installation improvements

Product Notifications

Improved User Experience

Improved user experience

Learning from our user base and delivering easier to use software

New Manager UI.

Enhancements added to the Install and Configuration Wizard.

New System requirements: Only 64-bit OS supported.

Secure out of the box

Secure database communication with SEPM to SQL encryption

For database server communication, Tomcat TLS 1.2 is now the default.

SEPM to SQL encryption can be disabled using SetSQLServerTLSEncryption.bat in the SEPM Tools folder.

Secure out of the box

Secure client-to-server communication with HTTPS

HTTPS is now the default client-server communication protocol when installing the Symantec Endpoint Protection Manager.

Upgrades to SEP 14 will retain previous settings.

Managing Unsupported Clients

Ensuring you maintain visibility

SEPM 14.x detects unsupported SEP 11.x and 12.0 clients communicating to the server and notifies the administrators.

Making scans and exceptions easier

Commonly requested location for exceptions

System Drive prefix

User Profile Exception prefix

User Profile Scanning prefix

Improving update efficiency

Make it easier to find the right GUP

SEPM

GUP

Problem: Environment has a large volume of subnets and needs a solution for clients that roam outside of their own subnet.

Solution: Configure the LiveUpdate policy so the client looks up its subnet mask and downloads content from a local GUP.

Improving update efficiency

Reducing the bandwidth between GUP and client

SEPM

GUP

Problem: Organization has smaller locations with limited connectivity that use a regional GUP.

Solution: Control the maximum bandwidth that a client uses to download content from a GUP.

Improving replication efficiency

Increased timing options offer flexibility and control

Schedule replication to daily, weekly, hourly, or auto-replicate.

Set a time interval when replication will start.

Set and control replication schedules more effectively to avoid overhead.

Client Installation Improvements

Simplifying the install process

Increasing success of installs

Cleanwipe Optional Configuration in Client Install Settings

• Offered as a selection when creating a SEP client package. The feature will completely remove an existing client and then begin a client install.

AutoUpdate ensures new clients always get latest definitions

• Auto-Upgrade packages now include definitions for clients migrating to SEP 14.

• Delta or full client packages will be repackaged with definitions "on demand" at the time the client requests the upgrade package.

Cleanwipe requires a restart of the system.

Simplifying the install process

Increasing success of installs

Deploy SEP to Mac clients using Auto Upgrade

SEP 14 upgrades Mac clients by adding a package to a group.

• You can only upgrade to 14; you cannot add 12.1 packages to groups.

Can use AutoUpgrade settings for Windows clients, including:

• Allow users to postpone upgrades

• Schedule upgrades for a specific time

• Spread upgrades across multiple days

• Reset Client-Server Communications

• Reboot scheduling & user choice (snooze button)

Product Notifications

Stay up to date with product notifications

Ensuring customers always get the latest version information

Default interval for checking is 12 hours.

Latest News link

Alerts work for all administrators.

Latest News alert

Clicking a notification causes the icon to disappear.

Stay up to date with product notifications

Ensuring customers always get the latest version information

Product updates.

Security advisories.

Best practices.

Trending issues.

And much more!

Thank you!

Copyright © 2016 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

Symantec Advanced Threat Protection

Endpoint and ATP Specialist

Paul Murgatroyd

Blocking Threats is Simply Not Enough

Hard to keep up with significant growth and sophistication in cyber threats

• 430,000,000 new pieces of malware were found by Symantec in 2015

• 44%: Customers were compromised despite using malware blocking technologies

• 38% of time spent by security professional in firefighting alerts

• 120 days: Average number of days to remediate found vulnerabilities

• 55% increase in targeted spear phishing email campaigns

Source: Symantec ISTR Report 2016; Gartner Magic Quadrant for Endpoint Protection, 2016; Kenna Security Report, 2015

Staying Ahead of Broad, Sophisticated Attack Techniques is Challenging

Endpoints remain easy targets; email continues to be the primary attack vector

Spear-Phishing attacks

Advanced Malware

Spam

Ransomware

Malicious Websites

Negligent Employee

Other (e.g., Stolen devices)

Endpoints

Email

Network & Web

What Happens When an Attack is Successful?

• 305: Total Data Breaches in 2015

• 429 million: Total Identities Exposed In 2015

• 4 million: Average cost of data breach to organizations

Source: Symantec ISTR Report 2016; IBM Data Breach Report, 2016

What Are The Market Dynamics?

The massive growth in the cyber security market…

$77B IN 2015

$170B IN 2020

…has led to many new products and standalone vendors

Visibility Has Become a Big Challenge

Networks: Known Bad Content Detected; Suspicious Network Behavior

Endpoints: Known Bad Content Detected; Suspicious Network Behavior

Web: Known Bad Content Detected; Suspicious Network Behavior; Malicious URL Detected

Email: Known Bad Content Detected; Suspicious Network Behavior; Malicious URL Detected

• Today’s security products are largely unintegrated

• It’s time-consuming and difficult to clean up attack artifacts across the organization

• Incident Response team is overwhelmed with too many alerts

Symantec’s Point of View

A unified platform to UNCOVER, INVESTIGATE, and RESPOND

Integrated across major control points

• PREVENT (SEP): Block known threats

• UNCOVER (ATP): Visibility into malicious and suspicious activity using machine learning, payload detonation and behavioral analysis within minutes

• INVESTIGATE (ATP): Search for IOCs, see related events, view pre-correlated incidents, and get context enrichment from data feeds

• RESPOND (ATP): Control with confidence

Symantec Advanced Threat Protection Platform

Uncover, prioritize, investigate, respond in ONE console

• CLOUD SANDBOX: Physical & Virtual Detonation

• CORRELATION and Prioritization

• INVESTIGATION: Detect once, Find everywhere

• REMEDIATION: Block, Clean, Fix in real-time

• ENDPOINT: Uncover, investigate, and remediate any attack artifact across all endpoints. Leverage Symantec Endpoint Protection.

• NETWORK: Protect and detect advanced threats entering the network using multiple layers of technology. Virtual or Physical appliance.

• EMAIL: Protect and detect advanced threats entering via email. Identifies targeted attacks. Leverage sandbox and Email Security.cloud.

• ROAMING: Protect and detect advanced threats for roaming users when they are out of the corporate network. Cloud service.

ATP Inspection Technologies - On Premise

Technologies tested and proven on >150M endpoints

IPS: Blocks malware as it tries to spread over the network

• Protocol aware IPS

• Vulnerability and Exploit blocking

File: Scans and eradicates malware files that arrive on a system

• Antivirus Engine

• Auto Protect

• Heuristics

Reputation: Determines the safety of files & websites using the “wisdom of the crowd” (analytics)

• Domain/IP Reputation

• File Reputation

• Android APK Reputation

IOC Feeds: Blocks or allows per Symantec sourced blacklist and customer created whitelist

• C&C detections

• GIN

• DeepSight Threat Intelligence

Endpoint Behaviors: Assesses and records all processes, system changes, etc.

• Static code Analysis

• Dynamic behavioral process trace

Machine Learning: Score the suspiciousness of files and endpoints

• Decision tree analysis

• Bucket files

ATP Inspection Technologies - Cloud

Sandboxing: Symantec Cynic™

• New cloud-based sandbox and payload detonation

• Execute files in both virtual and physical environments to uncover “VM-aware” threats

Correlation: Symantec Synapse™

• Aggregate and correlate threat events across multiple control points

• Reduce the number of incidents that security analysts need to investigate

Attribution: Dynamic Adversary Intelligence

• Quickly identify whether an organization is under a targeted attack

• Automatically search for known Indicators-of-Compromise across the entire environment

Symantec Advanced Threat Protection: Modules

ATP: Roaming

Symantec Endpoint Detection and Response (ATP: Endpoint)

Provide EDR capability without the need to deploy new endpoint agents

Investigate suspicious events and get full endpoint visibility

Instant search for any attack artifact and sweep endpoints for IoC

Remediate all instances of threats in minutes, with one click

Leverage SEP & non-Symantec investment. No new endpoint agent required.

Correlation

GIN

Sandbox

SEP Manager

ATP: Network

Uncover the stealthiest threats that others miss¹

Quick search for any IoC (files and URLs)

Blacklist/Whitelist files and URLs once identified as malicious

Prioritize threats that remain unblocked at the endpoint, by leveraging SEP

Best advanced threat detection and accuracy rate in its class

Source: Dennis Tech Lab, Dec. 2015

Correlation

GIN

Sandbox

Firewall

ATP: Email

Get More Indicators of Compromise on Advanced Threats Than Anybody Else

Provide deep visibility into targeted attack campaigns

Quickly correlate and respond to threats with SIEM integration

Uncover and block advanced threats by leveraging cloud sandbox

Rich threat intelligence

Integrates with SIEM

Leverage Email Security.cloud

Export Data to SIEM

• 25+ Data Points

• Severity Level

• Malware Category

• File Hashes

• URL Information

GIN

Correlation

Sandbox

Correlation

ATP: Roaming

Protect users from advanced threats wherever they are browsing the internet

Detect and block advanced threats in the encrypted traffic

Deep visibility into web traffic

GIN

Sandbox

Uncover and block advanced threats embedded in HTTP and HTTPS traffic

Firewall

ATP: Roaming

Cloud-hosted solution

What’s New in Symantec ATP Nov. 2016 Release

Integration with 3rd party applications

Enables customers to integrate ATP with existing security platforms and leverage their existing security investments

• Public APIs

• Integration with ServiceNow & Splunk

Introducing ATP: Roaming

New Control Point available to our customers for additional fee

• Threat Protection for Roaming Users

• Detects and blocks threats in encrypted traffic

Dynamic Adversary Intelligence

More attack detections and better visibility on the threat attacking the organization

• File and Network IOCs for attribution and local adversary activities

Daredevil Release Planning Session

Symantec Advanced Threat Protection Platform

GIN

SEP Manager

ATP: Endpoint

ATP: Email

Correlation

Sandbox

Uncover and investigate advanced threats across email, endpoint, network, and web traffic

Prioritize what matters most

Remediate complex attacks in minutes, with one click

Leverage existing investment, both Symantec & non-Symantec products

Uncover, Prioritize, Remediate in one console

ATP: Network

ATP: Roaming

Symantec Advanced Threat Protection

A single prioritized view of all advanced attack activity in your organization, without adding new agents.

Exports rich intelligence from endpoint, network, email, and web traffic from a single solution into your 3rd-party security products

Allows you to maximize your existing security investments, both Symantec and non-Symantec products

Connects the dots of an attack across multiple control points, so that every attack component can be quickly remediated with one click of a button

Combines global telemetry from one of the largest cyber intelligence networks in the world with local customer context to uncover attacks

Differentiators

Symantec Advanced Threat Protection Outperforms Competitors

69%

71%

90%

100%

Superior Detection

Ranked BEST in detection and accuracy

Risk Insight

Sr. Principal Security Engineer

Steven Broadwell

Symantec Enterprise Security | Product Strategy

Users

Data

Apps

Cloud

Endpoints

Gateways

Data Center

Unified Security Analytics Platform

Log and Telemetry Collection

Unified Incident Management and Customer Hub

Inline Integrations for Closed-loop Actionable Intelligence

Regional and Industry Benchmarking

Integrated Threat and Behavioral Analysis

Threat Protection

ENDPOINTS, DATA CENTER, GATEWAYS

• Advanced Threat Protection Across All Control Points

• Built-In Forensics and Remediation Within Each Control Point

• Integrated Protection of Server Workloads: On-Premise, Virtual, & Cloud

• Cloud-based Management for Endpoints, Datacenter, and Gateways

Information Protection

DATA, IDENTITIES

• Integrated Data and Identity Protection

• Cloud Security Broker for Cloud & Mobile Apps

• User and Behavioral Analytics

• Cloud-based Encryption and Key Management

Cyber Security Services

Monitoring, Incident Response, Simulation, Adversary Threat Intelligence

Thank you!
