State of Hawaii Symantec Protection Suite Briefing
Bill Musson, CISSP, Senior Systems Engineer

Posted 20-Dec-2015 (Documents)
Agenda

• Symantec Endpoint Protection 11 (SEP 11) overview
• Symantec Endpoint Protection 12 (SEP 12) overview
  – Symantec Insight
  – Symantec Online Network for Advanced Response (SONAR)
• Centralized security management
  – Symantec Management Platform
  – IT Analytics for SEP
  – Workflow
  – Symantec Protection Center (SPC) v1
  – SPC v2
Symantec Endpoint Protection 11

Single agent, single console: SEP 11 and NAC 11 managed by Symantec Endpoint Protection Manager.
• Antivirus
• Antispyware
• Firewall
• Intrusion prevention
• Device and application control
• Network access control

Results: reduced cost, complexity and risk exposure; increased protection, control and manageability.
Symantec Endpoint Protection 12
Symantec Insight
Symantec Online Network for Advanced Response (SONAR)
The Problem: No Existing Protection Addresses the “Long Tail”

Today, both good and bad software obey a long-tail distribution of prevalence. Blacklisting works well for the high-prevalence bad files, and whitelisting works well for the high-prevalence good files. Unfortunately neither technique works well for the tens of millions of files with low prevalence, but this is precisely where the majority of today’s malware falls. For this long tail a new technique is needed.

[Figure: prevalence of bad files and good files, showing the long tail of low-prevalence files between the region where blacklisting works and the region where whitelisting works]
The Inspiration

Only malware mutates. So if an executable is unique, it is suspicious. But how do you know whether a file is unique?
Questions Insight asks about a file:
• How often has this file been downloaded? How many copies of this file exist? How many people are using it?
• How old is the file? How new is this program?
• Where is it from? Who created it? Who owns it?
• Is the source associated with infections, with spam, or with many new files?
• Have other users reported infections?
• Is the file associated with files that are linked to infections?
• Does the file look similar to malware?
• How will this file behave if executed? What does it do? What rights are required?
• Is it signed? Does it have a security rating?
Achilles Heel of Mutated Threats

Hackers mutate threats to evade fingerprints, but mutated threats stick out like a sore thumb. The virus writer’s catch-22:
– Mutate too much = Insight finds it
– Mutate too little = easy to discover and fingerprint
Symantec Insight: The context of a file is as telling as its content

Insight rates a file on three axes, the context you need:
• Reputation: bad to good
• Prevalence: low to high
• Age: new to old

The questions behind that rating include: How will this file behave if executed? How old is the file? Is the source associated with spam? Does the file look similar to malware? Is the file associated with files that are linked to infections? Who created it? What rights are required? Have other users reported infections?
How it works

1. Build a collection network
2. Rate nearly every file on the internet (prevalence, age, source, behavior)
3. Look for associations
4. Check the DB during scans
5. Provide actionable data

At scan time the decision is: Is it new? Bad reputation? Otherwise, allow.
First, Insight is used for manual scans of endpoints. What are the other ways that Symantec leverages Insight in Symantec Endpoint Protection 12?
Download Insight

• Download Insight is a technology that checks the reputation of binaries being downloaded and blocks them if they are “Bad”.
• Download Insight scans files when they are downloaded through what we term a portal application (e.g. Firefox, Internet Explorer).
Faster Scans

Insight-optimized scanning skips any file we are sure is good, leading to much faster scan times. Traditional scanning has to scan every file. On a typical system, 70% of active applications can be skipped!
Scan Speed

[Chart: scan time for Symantec, Kaspersky, Trend Micro, Microsoft, Sophos, McAfee and the average; PassMark Software, Feb. 2011, http://www.passmark.com/AVReport]

Symantec Endpoint Protection scans 3.5X faster than McAfee and 2X faster than Microsoft, and ranked 1st in overall performance.
Create Policies Based on Risk Tolerance

• Finance Dept: only software with at least 10,000 users that is over 2 months old.
• Help Desk: can install medium-reputation software with at least 100 other users.
• Developers: no restrictions, but machines must comply with access control policies.
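The Insight decision flow (is it new? bad reputation? otherwise allow), the Download Insight block on “Bad” files, Insight-optimized scan skipping and the three risk-tolerance policies above, worked through as an added Python example. This is not Symantec code and not the product's API: the FileContext fields, the “unproven” middle reputation band, the prevalence and age thresholds that make a file count as new or as surely good, and the sample file records are all assumptions made for this illustration.

```python
"""Toy Insight-style reputation verdicts and risk-tolerance policies.

Added illustration, not Symantec code. It models the decision flow on the
"How it works" slide, the Download Insight block on "Bad" files,
Insight-optimized scan skipping, and the three department policies on the
risk-tolerance slide. Field names, score bands, numeric thresholds and the
sample files are constructed for this example.
"""
from dataclasses import dataclass
from enum import Enum


class Reputation(Enum):
    BAD = "bad"
    UNPROVEN = "unproven"   # assumed middle band ("medium reputation" on the slide)
    GOOD = "good"


@dataclass(frozen=True)
class FileContext:
    """Context attached to a file hash (field names are assumptions)."""
    sha256: str
    prevalence: int          # how many users have this file
    age_days: int            # days since the collection network first saw it
    reputation: Reputation


@dataclass(frozen=True)
class RiskPolicy:
    name: str
    min_prevalence: int        # "at least N users"
    min_age_days: int          # "over N months old"
    allow_unproven: bool       # may install medium-reputation software?
    require_nac: bool = False  # host must comply with access control policy


# Assumed thresholds: a file this rare and this new is the "long tail" case.
NEW_FILE_PREVALENCE = 5
NEW_FILE_AGE_DAYS = 7
# Assumed threshold: good reputation plus this much prevalence means "sure it is good".
TRUSTED_PREVALENCE = 10_000

POLICIES = {
    "finance": RiskPolicy("Finance Dept", 10_000, 60, allow_unproven=False),
    "helpdesk": RiskPolicy("Help Desk", 100, 0, allow_unproven=True),
    "developers": RiskPolicy("Developers", 0, 0, allow_unproven=True, require_nac=True),
}


def insight_verdict(f: FileContext) -> str:
    """The slide's flow: bad -> block, known good -> allow, new and rare -> suspicious."""
    if f.reputation is Reputation.BAD:
        return "block"
    if f.reputation is Reputation.GOOD:
        return "allow"
    if f.prevalence < NEW_FILE_PREVALENCE and f.age_days < NEW_FILE_AGE_DAYS:
        return "suspicious"      # unique, possibly mutated file
    return "allow"


def needs_scan(f: FileContext) -> bool:
    """Insight-optimized scanning: skip files the network is sure are good."""
    return not (f.reputation is Reputation.GOOD and f.prevalence >= TRUSTED_PREVALENCE)


def evaluate(f: FileContext, policy: RiskPolicy, nac_compliant: bool = True) -> tuple:
    """Apply one department's risk-tolerance policy to a downloaded file."""
    verdict = insight_verdict(f)
    if verdict == "block":
        return False, "bad reputation: Download Insight blocks it under every policy"
    if policy.require_nac and not nac_compliant:
        return False, f"{policy.name}: host does not comply with access control policy"
    if f.prevalence < policy.min_prevalence:
        return False, f"{policy.name}: prevalence {f.prevalence} below {policy.min_prevalence} users"
    if f.age_days < policy.min_age_days:
        return False, f"{policy.name}: only {f.age_days} days old, needs {policy.min_age_days}"
    if verdict == "suspicious" and not policy.allow_unproven:
        return False, f"{policy.name}: new low-prevalence file is not proven good"
    return True, f"{policy.name}: allowed ({verdict})"


def scan_skip_ratio(files) -> float:
    """Fraction of files a full scan can skip thanks to Insight."""
    files = list(files)
    skipped = sum(1 for f in files if not needs_scan(f))
    return skipped / len(files) if files else 0.0


# Constructed sample files (hashes are placeholders, not real file hashes).
WIDELY_USED = FileContext("a" * 64, prevalence=2_000_000, age_days=400, reputation=Reputation.GOOD)
MID_REPUTATION = FileContext("d" * 64, prevalence=500, age_days=30, reputation=Reputation.UNPROVEN)
NEW_RARE = FileContext("b" * 64, prevalence=3, age_days=1, reputation=Reputation.UNPROVEN)
KNOWN_BAD = FileContext("c" * 64, prevalence=50, age_days=10, reputation=Reputation.BAD)

if __name__ == "__main__":
    for key, policy in POLICIES.items():
        for f in (WIDELY_USED, MID_REPUTATION, NEW_RARE, KNOWN_BAD):
            print(key, f.sha256[:8], evaluate(f, policy))
    print("scan skip ratio:", scan_skip_ratio([WIDELY_USED, MID_REPUTATION, NEW_RARE, KNOWN_BAD]))
```

The ordering of checks matters: a bad reputation is rejected before any department threshold is consulted, so no policy can be loosened into allowing a known-bad file, while the Developers policy still needs the NAC compliance check that the slide attaches to it.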
Symantec Online Network for Advanced Response (SONAR)

This information enables three new features:
• Artificial-intelligence-based classification engine
• Human-authored behavioral signatures
• Behavioral policy lockdown

Now, let’s review how Symantec Insight and SONAR are utilized to strengthen and augment security in SEP 11 as well as reduce false positives.
The Security Stack – for 32 & 64 bit systems

Layers: Network IPS & Browser Protection & Firewall; Heuristics & Signature Scan; Real-time behavioral (SONAR).

IPS & Browser Protection
• Firewall
• Network & host IPS
• Monitors vulnerabilities
• Monitors traffic
• Looks for system changes

Stops stealth installs and drive-by downloads. Focuses on the vulnerabilities, not the exploit. Improved firewall supports IPv6 and enforces policies.
Insight – Provides Context

Insight
• Reputation on 2.5 billion files, adding 31 million per week
• Identifies new and mutating files
• Feeds reputation to our other security engines
• Only system of its kind
File Scanning

Heuristics & Signature Scan
• Cloud and local signatures
• New, improved update mechanism
• Most accurate heuristics on the planet; uses Insight to prevent false positives
SONAR – Completes the Protection Stack

SONAR
• Monitors processes and threads as they execute
• Rates behaviors
• Feeds Insight
• Only hybrid behavioral-reputation engine on the planet
• Monitors 400 different application behaviors
• Selective sandbox (e.g. Adobe)
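The SONAR ingredients named on the two slides above (human-authored behavioral signatures, a behavior rating per process, a behavioral policy lockdown, and feeding verdicts back to reputation), worked through as an added Python example over a constructed process trace. This is not Symantec code: the event schema, the signature names and weights, the blocking threshold, the lockdown rule and the trace itself are assumptions made for this illustration, and the selective sandbox and AI classifier are not modeled.

```python
"""Toy SONAR-style behavioral engine over a constructed process trace.

Added illustration, not Symantec code. Shows (1) human-authored behavioral
signatures, one of them stateful, (2) a per-process behavior rating,
(3) a behavioral policy lockdown that blocks a non-good process on a single
high-risk action regardless of score, and (4) feedback of block decisions to
a reputation store. Event schema, weights, thresholds and trace are constructed.
"""
from collections import defaultdict

AUTORUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
SYSTEM_DIR = "C:\\Windows\\System32\\"
MALICIOUS_SCORE = 6                            # assumed: block on rating alone at this score
LOCKDOWN_BEHAVIORS = {"process_injection"}     # assumed: blocked outright for non-good processes


class BehaviorState:
    """Per-process memory so a signature can describe a sequence, not one event."""
    def __init__(self):
        self.dropped_executables = set()


# Human-authored signatures: predicate(event, state) -> bool
def sig_persistence_autorun(ev, st):
    return ev["action"] == "reg_set" and ev["target"].startswith(AUTORUN_KEY)

def sig_write_to_system_dir(ev, st):
    t = ev["target"].lower()
    return ev["action"] == "file_write" and t.startswith(SYSTEM_DIR.lower()) and t.endswith(".exe")

def sig_process_injection(ev, st):
    return ev["action"] == "write_process_memory" and ev["target"] != ev["image"]

def sig_drop_and_execute(ev, st):
    # Stateful: remember executables this process wrote; fire when it launches one.
    t = ev["target"].lower()
    if ev["action"] == "file_write" and t.endswith(".exe"):
        st.dropped_executables.add(t)
        return False
    return ev["action"] == "process_create" and t in st.dropped_executables

SIGNATURES = [   # (name, weight, predicate); weights are assumptions
    ("persistence_autorun", 3, sig_persistence_autorun),
    ("write_to_system_dir", 3, sig_write_to_system_dir),
    ("process_injection", 5, sig_process_injection),
    ("drop_and_execute", 3, sig_drop_and_execute),
]


def analyze(events, reputation):
    """Rate every process image in the trace.

    Returns {image: {"score", "matched", "verdict", "blocked_at"}}. Events from
    a process that has already been blocked are skipped, as that process would
    have been terminated at that point.
    """
    states = defaultdict(BehaviorState)
    results = {}
    for idx, ev in enumerate(events):
        image = ev["image"]
        r = results.setdefault(image, {"score": 0, "matched": [], "verdict": "allow", "blocked_at": None})
        if r["verdict"] == "block":
            continue
        rep = reputation.get(image, "unproven")      # unknown image = unproven
        if rep == "bad":
            r["verdict"], r["blocked_at"] = "block", idx
            continue
        for name, weight, pred in SIGNATURES:
            if pred(ev, states[image]):
                r["score"] += weight
                r["matched"].append(name)
                if name in LOCKDOWN_BEHAVIORS and rep != "good":
                    r["verdict"], r["blocked_at"] = "block", idx   # policy lockdown
        if r["verdict"] != "block":
            if r["score"] >= MALICIOUS_SCORE:
                r["verdict"], r["blocked_at"] = "block", idx
            elif r["score"] > 0:
                r["verdict"] = "monitor"
    return results


def reputation_feedback(results):
    """Images whose block verdict should be reported back to the reputation store."""
    return sorted(img for img, r in results.items() if r["verdict"] == "block")


# Constructed trace (not a real capture); paths and names are placeholders.
ACRO = "C:\\Program Files\\Adobe\\Reader\\AcroRd32.exe"
DROPPER = "C:\\Users\\ann\\AppData\\Local\\Temp\\upd.exe"
TOOL = "C:\\Users\\ann\\Downloads\\setup_tool.exe"
NOTEPAD = "C:\\Windows\\System32\\notepad.exe"
EVENTS = [
    {"image": ACRO, "action": "file_write", "target": DROPPER},
    {"image": ACRO, "action": "process_create", "target": DROPPER},
    {"image": DROPPER, "action": "write_process_memory", "target": "C:\\Windows\\explorer.exe"},
    {"image": DROPPER, "action": "reg_set", "target": AUTORUN_KEY + "upd"},
    {"image": DROPPER, "action": "file_write", "target": SYSTEM_DIR + "upd.exe"},
    {"image": TOOL, "action": "reg_set", "target": AUTORUN_KEY + "setup_tool"},
    {"image": TOOL, "action": "file_write", "target": SYSTEM_DIR + "setup_tool.exe"},
    {"image": NOTEPAD, "action": "file_write", "target": "C:\\Users\\ann\\Documents\\notes.txt"},
]
REPUTATION = {ACRO: "good", NOTEPAD: "good"}   # the dropper and the tool are unknown

if __name__ == "__main__":
    for image, r in analyze(EVENTS, REPUTATION).items():
        print(image, r)
```

Two different paths lead to a block here: the dropper is stopped by the lockdown rule on its injection attempt while its score is still below the threshold, whereas the downloaded tool is stopped purely on accumulated rating. The good-reputation reader that drops and runs an executable is only put on watch, which is the false-positive reduction the slide attributes to combining behavior with reputation.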
SEP Client Impact on Memory Use

[Chart: memory usage for Symantec, Kaspersky, Trend Micro, McAfee, Sophos, Microsoft and the average; PassMark Software, Feb. 2011, http://www.passmark.com/AVReport]

Symantec Endpoint Protection uses 66% less memory than McAfee and 76% less memory than Microsoft.
SEP 12 Built for Virtual Environments

• Virtual client tagging
• Virtual image exception
• Shared Insight Cache
• Resource leveling

Together – up to 90% reduction in disk I/O.
Centralized Security Management Plus Convergence and Integration with Operational Tools

• Symantec Management Platform
• IT Analytics for SEP
• Workflow
• SPC v1
• SPC v2
Symantec Management Platform: Path to Full PC Lifecycle Management

Altiris Client Management Suite
• Policy-based software delivery
• Application management
• Software virtualization
• Patch management
• Backup and recovery
• Application usage
• Remote control

Altiris Software Delivery Suite
• Apply patches
• Ensure software is installed and stays installed
• Report machines not connecting
• Identify missing hard drives

Symantec Endpoint Protection Integrated Component
• Streamline migrations
• Initiate scans or agent health tasks
• Dashboards integrate security and operational information
Enhanced Reporting – IT Analytics for SEP

• Ad-hoc data mining – pivot tables
  – Data from multiple Symantec Endpoint Protection servers
  – Break down by virus occurrences, computer details, history of virus definition distribution . . .
• Charts, reports and trend analysis
  – Alert and risk categorization trends over time
  – Monitor trends of threats and infections detected by scans
• Dashboards
  – Overview of clients by version
  – Summary of threat categorization and action taken for a period of time
  – Summary of virus and IPS signature distribution
Workflow: Integrate IT Tools to Match Business Processes

• Graphical tool
• Integration across products
• 3rd-party integration
• Process control
• Timeouts
• Escalations
• Delegation
• Auditing
Symantec Protection Center v1: Centralized Security Console

• Features
  – Single sign-on
  – Central access to product reports and dashboards
  – Basic GIN (Global Intelligence Network) feeds
• Product coverage
  – Symantec Endpoint Protection
  – Symantec Network Access Control
  – Symantec Data Loss Prevention
  – Symantec Critical Systems Protection
  – IT Analytics
  – Symantec Brightmail Gateway
Symantec Protection Center v2

The Protection Center appliance provides:
• Cross-product reports and dashboards
• Cross-product automation
• Single sign-on and console access
• Data feeds and GIN feeds
• Native management for select products

Products it integrates:
• Symantec EP and NAC
• Data Loss Prevention
• Control Compliance Suite
• Endpoint Management
• Encryption
• Symantec Protection Suites
• 3rd-party / cloud-based products