State of Hawaii Symantec Protection Suite Briefing. Bill Musson, CISSP, Senior Systems Engineer.

Posted 20-Dec-2015 (Category: Documents)

Transcript of State of Hawaii Symantec Protection Suite Briefing

Bill Musson, CISSP, Senior Systems Engineer

Agenda

• Symantec Endpoint Protection SEP11 Overview
• Symantec Endpoint Protection SEP12 Overview
  – Symantec Insight
  – Symantec Online Network for Advanced Response (SONAR)
• Centralized Security Management
  – Symantec Management Platform
  – IT Analytics for SEP
  – Workflow
  – SPC v1
  – SPC v2


Symantec Endpoint Protection 11

Results: Reduced Cost, Complexity & Risk Exposure; Increased Protection, Control & Manageability

Components: Antivirus, Antispyware, Firewall, Intrusion Prevention, Device and Application Control, Network Access Control

Single Agent, Single Console – Managed by Symantec Endpoint Protection Manager (SEP 11 / NAC 11)


Gartner Magic Quadrant for EPP


Symantec Endpoint Protection 12

Symantec Insight

Symantec Online Network for Advanced Response (SONAR)

The Problem: No Existing Protection Addresses the “Long Tail”

Unfortunately neither technique works well for the tens of millions of files with low prevalence (but this is precisely where the majority of today’s malware falls).

Today, both good and bad software obey a long-tail distribution.

[Chart: Prevalence of Bad Files and Good Files. Labels: “Blacklisting works well here.” “Whitelisting works well here.” “For this long tail a new technique is needed.”]


The Inspiration

Only malware mutates

So . . . if an executable is unique, it’s suspicious

. . . but how to know if a file is unique?

• How often has this file been downloaded?
• Where is it from?
• Have other users reported infections?
• Is the source associated with infections?
• How will this file behave if executed?
• How old is the file?
• How many people are using it?
• Is the source associated with SPAM?
• Is the source associated with many new files?
• Does the file look similar to malware?
• Is the file associated with files that are linked to infections?
• Who created it?
• Does it have a security rating?
• Is it signed?
• What rights are required?
• Who owns it? What does it do?
• How new is this program?
• How many copies of this file exist?

Achilles Heel of Mutated Threats

• Hackers mutate threats to evade fingerprints
• Mutated threats stick out like a sore thumb
• Virus Writer’s Catch-22
  – Mutate too much = Insight finds it
  – Mutate too little = Easy to discover & fingerprint

Unrivaled Security

Symantec Insight: The context of a file is as telling as its content

• How will this file behave if executed?
• How old is the file?
• Is the source associated with SPAM?
• Does the file look similar to malware?
• Is the file associated with files that are linked to infections?
• Who created it?
• What rights are required?
• Have other users reported infections?

The context you need: Reputation (BAD … GOOD), Prevalence (LOW … HI), Age (NEW … OLD)

How it works

1. Build a collection network
2. Rate nearly every file on the internet: Prevalence, Age, Source, Behavior
3. Look for associations
4. Check the DB during scans
5. Provide actionable data

Scan decision: Is it new? Bad reputation? → Allow

First, Insight is used for manual scans of endpoints. What are other ways that Symantec leverages Insight in Symantec Endpoint Protection 12?

Download Insight

• Download Insight is a technology that checks the reputation of binaries being downloaded and blocks them if they are “Bad”.
• Download Insight scans files when they are downloaded using what we term a portal application (e.g. Firefox, IE).

Faster Scans

• Insight – Optimized Scanning: Skips any file we are sure is good, leading to much faster scan times
• Traditional Scanning: Has to scan every file

On a typical system, 70% of active applications can be skipped!

Scan Speed

[Chart: scan time by product – Symantec, Kaspersky, Trend Micro, Microsoft, Sophos, McAfee, Average; y-axis 0–160]

Symantec Endpoint Protection Scans: 3.5X faster than McAfee, 2X faster than Microsoft

Ranked 1st in overall Performance!

PassMark™ Software, Feb., 2011 - http://www.passmark.com/AVReport

Create Policies based on Risk Tolerance

• Finance Dept: Only software with at least 10,000 users over 2 months old.
• Help Desk: Can install medium-reputation software with at least 100 other users.
• Developers: No restrictions but machines must comply with access control policies.
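The three risk-tolerance tiers above, worked as a small policy evaluator over Insight-style file context (reputation, prevalence, age). This is an added illustration, not Symantec code: the field names, the reputation labels, the reading of "2 months" as 60 days, and the rule that a "Bad" reputation is blocked for every department (the Download Insight behaviour described earlier) are this example's assumptions.

```python
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class FileContext:
    # Constructed sample fields modelled on the Insight context on the slides;
    # names and scale are this example's, not Symantec's schema.
    prevalence: int     # number of users running this file
    age_days: int       # days since the file was first seen
    reputation: str     # "good", "medium", "low" (new/unknown) or "bad"


@dataclass(frozen=True)
class Tier:
    name: str
    min_prevalence: int      # 0 = no prevalence requirement
    min_age_days: int        # 0 = no age requirement
    accepted: frozenset      # reputations this department may install
    needs_nac: bool = False  # host must comply with access control policy


# The three departments on the slide; "2 months" taken as 60 days (assumption).
TIERS = {
    "finance":    Tier("Finance Dept", 10_000, 60, frozenset({"good"})),
    "helpdesk":   Tier("Help Desk", 100, 0, frozenset({"good", "medium"})),
    "developers": Tier("Developers", 0, 0, frozenset({"good", "medium", "low"}),
                       needs_nac=True),
}


def evaluate(ctx: FileContext, tier_key: str,
             host_compliant: bool = True) -> Tuple[str, str]:
    """Return ("allow" | "block", reason) for one install decision."""
    tier = TIERS[tier_key]
    if ctx.reputation == "bad":          # Download Insight blocks "Bad" everywhere
        return "block", "bad reputation"
    if tier.needs_nac and not host_compliant:
        return "block", f"{tier.name}: host not compliant with access control policy"
    if ctx.reputation not in tier.accepted:
        return "block", f"{tier.name}: {ctx.reputation} reputation not accepted"
    if ctx.prevalence < tier.min_prevalence:
        return "block", f"{tier.name}: prevalence {ctx.prevalence} < {tier.min_prevalence}"
    if ctx.age_days < tier.min_age_days:
        return "block", f"{tier.name}: age {ctx.age_days}d < {tier.min_age_days}d"
    return "allow", f"{tier.name}: meets policy"


# Constructed samples: a brand-new, rarely seen download and a long-established app.
NEW_TOOL = FileContext(prevalence=3, age_days=1, reputation="low")
POPULAR_APP = FileContext(prevalence=250_000, age_days=400, reputation="good")

if __name__ == "__main__":
    for dept in TIERS:
        print(dept, evaluate(NEW_TOOL, dept), evaluate(POPULAR_APP, dept))
```

The same low-prevalence file is blocked for Finance and Help Desk but allowed for Developers only while their host passes the access control check, which is the long-tail trade-off the earlier slides describe.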

Symantec Online Network for Advanced Response (SONAR)

This information enables three new features:
• Artificial Intelligence Based Classification engine
• Human-authored Behavioral Signatures
• Behavioral Policy Lockdown

Now, let's review how Symantec Insight and SONAR are utilized to strengthen and augment security in SEP 11 as well as reduce false positives.

The Security Stack – for 32 & 64 bit systems

Layers: Network IPS & Browser Protect & FW / Heuristics & Signature Scan / Real time behavioral SONAR

IPS & Browser Protection
• Firewall
• Network & Host IPS
• Monitors vulnerabilities
• Monitors traffic
• Looks for system changes

Stops stealth installs and drive by downloads. Focuses on the vulnerabilities, not the exploit. Improved firewall supports IPv6, enforces policies.

Insight – Provides Context

Layers: Network IPS & Browser Protect / Heuristics & Signature Scan / Real time behavioral SONAR / Insight

Insight: Reputation on 2.5 Billion files, adding 31 million per week. Identifies new and mutating files. Feeds reputation to our other security engines. Only system of its kind.

File Scanning

Layers: Network IPS & Browser Protect / Heuristics & Signature Scan / Real time behavioral SONAR

File Scanning: Cloud and Local Signatures. New, improved update mechanism. Most accurate heuristics on the planet. Uses Insight to prevent false positives.

SONAR – Completes the Protection Stack

Layers: Network IPS & Browser Protect / File Based Protection – Sigs/Heuristics / Real time behavioral SONAR

SONAR
• Monitors processes and threads as they execute
• Rates behaviors
• Feeds Insight

Only hybrid behavioral-reputation engine on the planet. Monitors 400 different application behaviors. Selective sandbox (ex Adobe).

What about the actual performance impact on the client with SEP 12?

SEP Client Impact on Memory Use

Symantec Endpoint Protection uses: 66% less memory than McAfee, 76% less memory than Microsoft

[Chart: Memory Usage by product – Symantec, Kaspersky, Trend Micro, McAfee, Sophos, Microsoft, Average; y-axis 0.0–180.0]

PassMark™ Software, Feb., 2011 - http://www.passmark.com/AVReport

Will SEP 12 do anything to continue improving performance for guests in virtual environments?

SEP 12 Built for Virtual Environments

• Virtual Client Tagging
• Virtual Image Exception
• Shared Insight Cache
• Resource Leveling

Together – up to 90% reduction in disk IO

Centralized Security Management Plus Convergence and Integration with Operational Tools

• Symantec Management Platform
• IT Analytics for SEP
• Workflow
• SPC v1
• SPC v2

Symantec Management Platform: Path to Full PC Lifecycle Management

Altiris Client Management Suite
• Policy-based software delivery
• Application Management
• Software Virtualization
• Patch Management
• Backup and Recovery
• Application Usage
• Remote Control

Altiris Software Delivery Suite
• Apply Patches
• Ensure software is installed and stays installed
• Report machines not connecting
• Identify missing hard-drives

Symantec Endpoint Protection Integrated Component
• Streamline migrations
• Initiate scans or agent health tasks
• Dashboards integrate security and operational information

Enhanced Reporting - IT Analytics for SEP

• Ad-hoc Data Mining – Pivot Tables
  – Data from multiple Symantec Endpoint Protection Servers
  – Break down by virus occurrences, computer details, history of virus definition distribution . . .
• Charts, Reports and Trend Analysis
  – Alert & risk categorization trends over time
  – Monitor trends of threats & infections detected by scans
• Dashboards
  – Overview of clients by version
  – Summary of threat categorization and action taken for a period of time
  – Summary of Virus and IPS signature distribution

Workflow: Integrate IT Tools to Match Business Processes

• Graphical tool
• Integration across products
• 3rd party integration
• Process control
• Timeouts
• Escalations
• Delegation
• Auditing

Symantec Protection Center v1 Centralized Security Console

• Features
  – Single Sign-On
  – Central Access to Products Reports and Dashboards
  – Basic GIN Feeds
• Product Coverage
  – Symantec Endpoint Protection
  – Symantec Network Access Control
  – Symantec Data Loss Prevention
  – Symantec Critical Systems Protection
  – IT Analytics
  – Symantec Brightmail Gateway

Symantec Protection Center v2

Symantec Protection Center
• Cross Product Reports & Dashboards
• Cross Product Automation
• Single Sign On and Console Access
• Data Feeds
• Protection Center Appliance
• GIN Feeds
• Native Management for select products

Integrated products: Symantec EP and NAC; Data Loss Prevention; Control Compliance Suite; Endpoint Management; 3rd Party / Cloud Based Products; Symantec Protection Suites; Encryption


Bill [email protected]

Thank You!