Symantec Strategy Briefing Endpoint Protection... · PKI Email Security Data Center Security Cloud...
Symantec Strategy Briefing
Clive Finlay, Director of UK&I Technical Sales, Office of the CTO
Copyright © 2016 Symantec Corporation
Agenda
• 9:30 - 10:00 - Strategy
• 10:00 - 11:30 - SEP14
• 11:30 - 11:45 - Break
• 11:45 - 12:35 - ATP
• 12:35 - 13:00 - Risk Insight
• 13:00 - Lunch
Source: 2016 Internet Security Threat Report, Volume 21
Released April 2016: appendices and infographics available at http://go.symantec.com/istr
Top 5 Messages:
1 On Average, One Zero-day was discovered every week in 2015
2 Over Half a Billion Personal Information Records Lost to Breach
3 Three out of Every Four Websites Put You at Risk
4 Encryption Now Used as a Cyber Weapon to Hold Companies and Individuals’ Critical Data Hostage
5 Don’t Call Us, We’ll Call You: Cyber Scammers Now Make You Call Them to Hand Over Your Cash
In 2009 there were 2,361,414 new pieces of malware created.
In 2015 that number was 430,555,582.
That's 1 million 179 thousand a day.
Zero-Days
[Chart: Zero-Day Vulnerabilities per year, 2006-2015. Bar labels recoverable from the chart: 2006: 14; 2007-2012 (in the order extracted): 13, 15, 9, 12, 14, 8; 2013: 23; 2014: 24; 2015: 54.]
Hackers Unleash Trove of Data from Hacking Team
• Hacking Team (HT) had zero-days in Adobe Flash, Internet Explorer and Microsoft Windows

CVE             Affected Product    First Notice  Patch Date
CVE-2015-5119   Adobe Flash         July 7        July 8
CVE-2015-5122   Adobe Flash         July 10       July 14
CVE-2015-5123   Adobe Flash         July 10       July 14
CVE-2015-2425   Internet Explorer   July 14       July 14
CVE-2015-2426   Microsoft Windows   July 20       July 20
CVE-2015-2387   Microsoft Windows   July 8        July 14
Targeted Attacks
[Chart: Targeted Attack Campaigns, 2012-2015 (2016 Internet Security Threat Report, Volume 21). Values recoverable from the chart:]

Year  Campaigns  Recipients per Campaign  Average Number of Email Attacks per Campaign
2012  408        111                      122
2013  779        23                       29
2014  841        18                       25
2015  1,305      11                       12

Campaigns: 55% increase from 2014 to 2015.
Spear-Phishing Attacks by Size of Targeted Organization

Org Size                               2015 Risk Ratio  2015 Risk Ratio as Percentage  Attacks per Org
Large Enterprises (2,500+ employees)   1 in 2.7         38%                            3.6
Medium Business (251-2,500 employees)  1 in 6.8         15%                            2.2
Small Business (SMB, 1-250 employees)  1 in 40.5        3%                             2.1
Professionalization of Cyber Crime
TeslaCrypt Ransomware – Technical Support Available
Dridex Gang - Number of Known Spam Runs Per Day
When cyber criminals work in call centers, write documentation and take the weekends off, you know it's a profession.
Key Trends Reshaping the Enterprise Security Market
• Resurgence of endpoint: rapid shift to mobile and IoT
• Disappearing perimeter: decreasingly relevant with a "fuzzy" perimeter
• Rapid cloud adoption: enterprise data and applications moving to cloud
• Services: Security as a Service; box fatigue
• Cybersecurity: governments and regulators playing an ever larger role
The Global Leader in Cyber Security
• Global market leader in Endpoint Security, Email Security, Data Loss Prevention and Website Security, User Authentication
• Enterprise focus on three core solution areas: Advanced Threat Protection; Information Protection Everywhere; Cybersecurity Services
• Largest consumer security footprint on the planet: 67M
• Secures 90% of F500 and 370,000 organizations around the world

Network + Security + Cloud
• Global market leader in Web Security and Cloud Security
• Delivers integrated solutions in six primary security arenas: Advanced Web and Cloud Security; Advanced Threat Protection; Encrypted Traffic Management; Incident Response, Analytics and Forensics; Web Application Protection; Network Performance and Optimization
• Secures 15,000 organizations globally including over 70% of the Fortune 500
Proven Security Leadership: Driving Exceptional Growth, Profitability and Innovation at Scale
• Symantec and Blue Coat is a very positive merger with very little overlap. We see a tremendous interest in the capabilities of the Blue Coat tech stack, and from our perspective, we see it as complementary to existing technologies. By combining forces, Symantec can compete against Dell and IBM with a strong offering for advanced threat protection and powerful incident response analytics for large enterprises.
Combined Highly Successful Acquisitions
• Vontu, PGP, Verisign, MessageLabs
• Solera, Norman Shark, Elastica, Perspecsys, Netronome
Greg Clark (CEO)
• Extensive CEO-level experience to grow & scale companies; turn-around expert; M&A successes
• Cyber security and technical expertise
Mike Fey (COO/President)
• Well-recognized thought leader in cyber security
• Scaled go-to-market and product strategy efforts at Blue Coat and McAfee
Symantec | At a Glance
• 175M endpoints under protection
• 6 SOCs / threat response centers
• 3,000+ R&D engineers
• 385,000 customers worldwide
• $4.6B annual revenue
• 2,123 patents
Complex User Definition
Evolving Data Attack Surface
Expanding Perimeter
Multi-Phased, Multi-Staged Attacks
[Platform graphic. Intelligence types shown around the platform: File, URL, Whitelist, Blacklist, Certificate, Machine Learning.]
Cyber Security Services
Cloud Global Intelligence Sourced From:
• 182M web attacks blocked last year
• Discovered 430 million new unique pieces of malware last year
• 12,000+ cloud applications discovered and protected
• 100M social engineering scams blocked last year
• 1B malicious emails stopped last year
• 175M consumer and enterprise endpoints protected
• 9 global threat response centers with 3,000 researchers and engineers
• 1 billion previously unseen web requests scanned daily
• 2 billion emails scanned per day
[Platform map: Symantec product portfolio by deployment tier (on premises, cloud, home).]
Products shown: DLP; Secure Web Gateway; Risk Insight; Secure Mail Gateway; Web Application Firewall; Advanced Threat Protection; Malware Analysis; Cyber Security Services; IT System Management; Endpoint Protection; EDR; Endpoint Cloud; VIP Identity; Local Intelligence; SIEM Integration; Data Center Security; Encryption; Content Analysis; Performance Optimization; Cloud Secure Web Gateway; Cloud DLP; CASB; Managed PKI; Email Security; Cloud Sandbox; Website Security; Compliance Management; Encrypted Traffic Management; Security Analytics; SOC Workbench; Third Party Ecosystem; Cloud Data Protection.
Intelligence types: File, URL, Whitelist, Blacklist, Certificate, Machine Learning.
Symantec Endpoint Protection 14.0
Steve Broadwell, Sr. Principal Security Engineer
Paul Murgatroyd, Endpoint and ATP Specialist
The Threat Landscape Will Continue to Escalate
Endpoint security must detect and block threats across all points in the attack chain.
• 55% increase in targeted attacks
• 430M new pieces of malware were created in 2015
• 125% increase in zero-day vulnerabilities from 2014 to 2015
• 35% increase in ransomware in 2015

Attack chain:
• Incursion (multiple vectors): Web; Email; Trusted Apps; Devices
• Infection (diverse payloads): File; File-less (macros); Memory; Network Recon; Crypto-Malware; Rootkits; Weaponization & Evasion
• Infestation (rapid contagion): C&C Communications; Lateral Movement; Unauthorized Execution
• Inoculation: Quarantine Files & Endpoints; Removal and Remediation; Harden System

Complex Environments + Smart Attackers = Advanced Threats
Endpoint vendors lack effective technologies across the attack chain to block modern advanced threats.
Symantec Endpoint Protection
"Malicious software was involved in 90% of our cyber-espionage incidents this year. Whether it's delivered via email, a web drive-by, or direct/remote installation, protecting the endpoint is critical."
Verizon 2016 Data Breach Investigations Report
Attack chain stages covered: Incursion; Infection; Infestation & Exfiltration; Inoculation
Introducing Symantec Endpoint Protection 14
Product Overview
Multi-layered protection powered by artificial intelligence and advanced machine learning to deliver superior protection, high performance and orchestrated response.
SEP stops threats regardless of how they attack your endpoint, so you can focus on your business.
Symantec Endpoint Protection 14: Protection against advanced threats without compromising end-user or IT productivity
• Superior Protection: Protection against threats, using essential and next-gen technologies. Fed by the largest global threat intelligence network in the world.
• High Performance: A single management console and a high-performance, lightweight agent to protect the business without slowing down end users.
• Orchestrated Response: Easily integrate into existing security infrastructure to maintain a high level of protection and speed response.
SEP 12 existing protection stack. Perceived gaps in our protection stack are being filled by niche vendors today.
Attack chain stages: Incursion; Infection; Infestation and Exfiltration
• Network Firewall & Intrusion Prevention: Blocks malware before it spreads to your machine and controls traffic (applied at incursion and again at infestation/exfiltration)
• Antivirus: Scans and eradicates malware that arrives on a system
• Reputation Analysis: Determines safety of files and websites using the wisdom of the community
• Behavior Monitoring: Monitors and blocks files that exhibit suspicious behaviors
• Application and Device Control: Controls file, registry, and device access and behavior; whitelisting, blacklisting, etc.
Superior Protection Across the Attack Chain: Stop Targeted Attacks and Zero-Day Threats with layered protection
Attack chain stages: Incursion; Infection; Infestation and Exfiltration
• Network Firewall & Intrusion Prevention: Blocks malware before it spreads to your machine and controls traffic (applied at incursion and again at infestation/exfiltration)
• Antivirus: Scans and eradicates malware that arrives on a system
• Reputation Analysis: Determines safety of files and websites using the wisdom of the community
• Real-time cloud lookup: Patented real-time cloud lookup for scanning of suspicious files
• Advanced Machine Learning: Pre-execution detection of new and evolving threats
• Emulator: Virtual machine detects malware hidden using custom packers
• Behavior Monitoring: Monitors and blocks files that exhibit suspicious behaviors
• Memory Exploit Mitigation: Blocks zero-day exploits against vulnerabilities in popular software
• Application and Device Control: Controls file, registry, and device access and behavior; whitelisting, blacklisting, etc.
Memory Exploit Mitigation: Blocks zero-day memory attacks in popular software
Vulnerability timeline: Vulnerability Discovered → Vulnerability Disclosed → Patch Released → Patch Applied. The zone of exploitation lies along this timeline before the patch is applied, and lasts weeks to months.
• Signature-less and works regardless of the flaw/bug/vulnerability
• Preemptively blocks exploit techniques, foiling attempts of attackers to take over a machine
Memory Exploit Mitigation: Blocks zero-day memory attacks in popular software
• Generic exploit attack detection and mitigation
• Not signature based
• Blocks exploit attempts
• Works at shellcode execution level
• Counters different exploitation techniques
• Hardens software applications
• Prevents a vulnerability from being exploited
• Makes it harder for hackers to write exploits
Memory Exploit Mitigation: Java Exploit Protection
• Protects the sandbox to prevent an attacker from compromising an applet to access system files
• Enables the Security Manager to ensure malicious applets are unable to execute privileged actions, such as downloading and installing malware
• Prevents Java code from executing actions outside the Java sandbox
Code shown on the slide: System.setSecurityManager(null);
Memory Exploit Mitigation: Structured Exception Handler Overwrite Protection (SEHOP)
Windows uses structured exception handlers (SEH) when handling software exceptions; overwriting these handlers is a method to exploit vulnerable applications with malicious code.
Windows Vista Service Pack 1 and later support SEHOP to prevent exploits that use this technique, but it is disabled by default.
Generic Exploit Mitigation provides protection against these types of attack when SEHOP is turned off.
Memory Exploit Mitigation: Heap Spray Mitigation
A heap spray compromises an application by placing arbitrary code into heap memory and adding a pointer to execute the code at a later time.
GEM (Generic Exploit Mitigation) monitors the heap memory and blocks incoming attacks.
Memory Exploit Mitigation: How does MEM get all this data?
GEM injects a DLL into protected processes.
When an exploit attempt is detected, GEM terminates the protected process to prevent the malicious code from running.
SEP notifies the user and logs an event in the Security log.
Advanced Machine Learning: Blocks unknown threats and mutating malware
Pipeline: Collect training sets in real time → Training algorithm → Trained machine → New & retrained Advanced ML → Detect on client with Advanced Machine Learning
• High efficacy with infrequent updates
• Detects large classes of malware with a low false positive rate
• 0-day protection against variants of the same malware family
The Largest Civilian Global Threat Intelligence Network in the World
One of the largest civilian cyber intelligence networks: 3.7 trillion rows of security-relevant data. Diverse data, advanced algorithms, highly skilled threat experts.
• 175M consumer and enterprise endpoints protected
• 57M attack sensors in 157 countries
• 182M web attacks blocked last year
• Discovered 430 million new unique pieces of malware last year
• 9 threat response centers
• Billions of emails scanned per day
• 1 billion web requests scanned daily
• 12,000 cloud applications protected
Why add a local emulator?
Malware is changing quicker than ever; how can we keep up?

                         2005                                   2015                  Impact
% Threats packed         50%                                    83%                   Harder to detect generically
Obfuscation technique    Commercial packers: UPX, PECompact...  Custom packer         Difficult to keep up with and detect packers
Packer update frequency  Few                                    Very, very frequent   Packer signatures have short lives

Examples:
• Upatre: Extensively calls special APIs to generate decryption keys; if API support is not found, it bails out
• Virut/Sality: Very prevalent, and keeping up with them through p-code changes is very cumbersome
• Ransomware: Source-level polymorphism; recompiled binaries differ markedly in function and register use
Emulation Capabilities: Fast and accurate detection of hidden malware
Without emulation: Executable + Packer → packed, not recognized
With emulation: Executable + Packer → Emulation Environment (unpacking) → payload recognized
• Malware hides behind custom polymorphic packers
• Emulator 'unpacks' the malware in a virtual environment
• Emulates file execution to cause threats to reveal themselves
• Lightweight solution runs in milliseconds with high efficacy
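A defender-side illustration of why packed binaries are "harder to detect generically" and of the kind of signal that routes a file into emulation rather than a static scan. This is an added example written for this page, not code from the deck or from Symantec's emulator; the section names, the sample bytes and the 7.0 threshold are constructed assumptions. It measures Shannon entropy per section: compressed or encrypted payloads sit near 8 bits per byte, while ordinary code and strings sit well below.

```python
import math
from collections import Counter
from typing import Dict


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def section_entropies(sections: Dict[str, bytes]) -> Dict[str, float]:
    """Entropy of each section, rounded for display."""
    return {name: round(shannon_entropy(body), 3) for name, body in sections.items()}


def looks_packed(sections: Dict[str, bytes], threshold: float = 7.0) -> bool:
    """Heuristic: a section at or above the threshold is probably compressed or
    encrypted, i.e. a packer stub plus an opaque payload that static signatures
    cannot see through. The 7.0 cut-off is an assumed value, not a vendor setting."""
    return any(shannon_entropy(body) >= threshold for body in sections.values())


def triage(sections: Dict[str, bytes]) -> str:
    """Route high-entropy samples to emulation (unpack in a virtual environment)
    instead of a static scan that would only ever see the packer."""
    return "emulate" if looks_packed(sections) else "static-scan"


# Constructed samples standing in for PE sections; not real binaries.
PLAIN_SAMPLE = {
    ".text": b"push ebp; mov ebp, esp; sub esp, 0x40; call GetModuleHandleA; " * 40,
    ".data": b"Hello, world!\x00Error opening file\x00" * 60,
}
PACKED_SAMPLE = {
    "UPX0": b"\x00" * 2048,           # empty region the unpacker fills at run time
    "UPX1": bytes(range(256)) * 8,    # uniform bytes stand in for a compressed payload
}

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(label, section_entropies(sample), "->", triage(sample))
```

Entropy is a routing signal, not a verdict: legitimately compressed resources (installers, images, signed archives) score just as high, which is exactly why the deck pairs the signal with an emulator that unpacks the file and classifies the payload rather than the wrapper.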
File Reputation Analysis: Age, frequency, and location are used to expose unknown threats
Symantec Threat Intelligence Network
• Global Data Collection from the Global Sensor Network: endpoints, gateways, 3rd-party affiliates, honeypots
• Big Data Analytics: warehouse, analytics, analysts, Attack Quarantine System
Verdicts:
• Bad safety rating: file is blocked
• No safety rating yet: can be blocked
• Good safety rating: file is whitelisted
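The three verdict buckets above are easy to state; the useful part is how age, frequency and origin combine into one of them. The policy below is an added example written for this page, not Symantec's reputation algorithm: the thresholds, the field names, the flagged origins and the block_unproven switch are all assumptions, and the telemetry records are constructed. A confirmed-bad report from the sensor network blocks outright; a file that is old, widely seen and from an unflagged origin is whitelisted; everything else lands in the "no rating yet" bucket, where policy decides whether it is blocked.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum


class Rating(Enum):
    BAD = "bad safety rating: file is blocked"
    UNKNOWN = "no safety rating yet: can be blocked"
    GOOD = "good safety rating: file is whitelisted"


@dataclass(frozen=True)
class FileTelemetry:
    """Constructed record of what the sensor network knows about one hash."""
    sha256: str
    first_seen: date      # age: when the hash was first reported
    prevalence: int       # frequency: distinct endpoints that have seen it
    origin: str           # location: where it came from (download domain, "usb", ...)
    bad_reports: int      # sightings flagged by honeypots / the attack quarantine system


@dataclass(frozen=True)
class ReputationPolicy:
    min_age_days: int = 30          # assumed: young files have not earned trust yet
    min_prevalence: int = 1000      # assumed: rare files have not earned trust either
    block_unproven: bool = False    # whether "no rating yet" files are blocked
    flagged_origins: frozenset = frozenset({"malicious.example", "bad-cdn.example"})


def rate(t: FileTelemetry, today: date, policy: ReputationPolicy) -> Rating:
    """Combine the three signals into one safety rating."""
    if t.bad_reports > 0:
        return Rating.BAD
    age_days = (today - t.first_seen).days
    proven = (age_days >= policy.min_age_days
              and t.prevalence >= policy.min_prevalence
              and t.origin not in policy.flagged_origins)
    return Rating.GOOD if proven else Rating.UNKNOWN


def decide(t: FileTelemetry, today: date, policy: ReputationPolicy) -> str:
    """Map the rating to an endpoint action; only the UNKNOWN bucket is policy-dependent."""
    rating = rate(t, today, policy)
    if rating is Rating.BAD:
        return "block"
    if rating is Rating.GOOD:
        return "allow"
    return "block" if policy.block_unproven else "allow-and-monitor"


# Constructed telemetry: a long-established vendor binary, a two-day-old file from a
# flagged CDN seen on three machines, and a fresh attachment already flagged twice.
TODAY = date(2016, 11, 1)
SAMPLES = [
    FileTelemetry("a" * 64, date(2015, 3, 2), 250_000, "vendor.example", 0),
    FileTelemetry("b" * 64, date(2016, 10, 30), 3, "bad-cdn.example", 0),
    FileTelemetry("c" * 64, date(2016, 10, 31), 1, "mail-attachment", 2),
]

if __name__ == "__main__":
    for pol in (ReputationPolicy(), ReputationPolicy(block_unproven=True)):
        for t in SAMPLES:
            print(t.sha256[:8], rate(t, TODAY, pol).name, decide(t, TODAY, pol))
```

The block_unproven switch is the operational trade-off behind "can be blocked": turning it on closes the window in which a brand-new malware variant has no rating yet, at the cost of blocking freshly released legitimate software until it accumulates age and prevalence.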
Behavioral Monitoring: Behavioral monitoring stops zero-day and unknown threats
• Human-authored behavioral signatures
• Behavioral policy lockdown
• Artificial-intelligence-based classification engine
Monitors nearly 1,400 file behaviors to answer: Who is it related to? What did it contain? Where did it come from? What has it done?
Intelligent Threat Cloud: Patented real-time cloud lookup for all scanned files
• 70% reduction in network bandwidth usage for definition file updates
• Most up-to-date cloud intelligence to scan suspicious files
Intelligent Threat Cloud enables a dramatic reduction of on-disk and delta definition sizes.
                                              SEP 12.1 Standard  SEP 12.1 Reduced  SEP 14 Standard  SEP 14 Embedded and VDI
Intelligent Threat Cloud enabled              No                 No                Yes              Yes
Estimated package size (network traffic)      ~360 MB            ~45 MB            ~45 MB           ~45 MB
Estimated definition size on disk (Full.zip)  ~700 MB            ~75 MB            ~170 MB          ~75 MB
Estimated daily update                        ~4.7 MB            ~3.4 MB           ~400 KB          ~400 KB
Reducing Total Cost of Ownership and Endpoint Complexity
A single SEP 14 agent combines multiple technologies: anti-malware, next-gen endpoint, endpoint detection & response, exploit prevention (EMET).
Respond to Advanced Attacks: Quickly prevent the spread of infection to minimize damage
Orchestrate a response from the Symantec EDR Console; EDR capabilities are built into the SEP agent.
Inoculation:
• Power Eraser: Aggressive remediation of hard-to-remove infections
• Host Integrity: Quarantine, detect unauthorized change, conduct damage assessment and ensure compliance
• System Lockdown: Part of Application Control; harden endpoint security with whitelisting & blacklisting
• Secure Web Gateway Integration: Use APIs to orchestrate a response from Secure Web Gateway
• EDR Console (ATP: Endpoint)
Enabling Integrations with SEP Management APIs: Easily integrate with security infrastructure
Diagram: SEP Manager connected via REST APIs to ATP (sweep, hunt, collect, fix) and to Secure Web Gateway.
Orchestrate/automate SEPM functionality from other applications and scripts.
Market Leading Next Generation Endpoint Protection
• #1 in EPP market share (IDC)
• Over 270,000 loyal customers
• Over 300 beta customers for SEP 14
• Beats competition in 3rd-party tests
Symantec consistently outperforms the products in its class:
• 14 years running: perfect score for protection
• Only vendor with AAA rating for over 14 straight quarters
• SEP outperforms Cylance
• Recommended product: "Verdict: we love this product."
Demo: Generic Exploit Mitigation; Advanced Machine Learning
Refreshed Platform Support
Platforms no longer supported: Microsoft EoL products and platforms that cannot support SEP 14
Operating systems
• Windows Server 2003
• Windows XP
• Windows XP 2009 Embedded
Products
• SQL Server 2005
• SQL Server 2008 R2 SP1 and SP2
SEP 14 provides backward compatibility support for SEP 12.1.x clients that run on both supported and now legacy operating systems.
Migration Paths: SEPM
• 11.x → 12.1 → 14
• 12.1 → 14
Migration Paths: Client
• 11.x → 14
• 12.0 → 14
• 12.1.x → 14
Architecture
Symantec Endpoint Protection 14: Protection against advanced threats without compromising end-user or IT productivity
• Improved user experience
• Client installation improvements
• Product notifications

Improved User Experience
Improved user experience: learning from our user base and delivering easier-to-use software
• New Manager UI
• Enhancements added to the Install and Configuration Wizard
• New system requirements: only 64-bit OS supported
Secure out of the box: Secure database communication with SEPM-to-SQL encryption
For database server communication, Tomcat TLS 1.2 is now the default.
SEPM-to-SQL encryption can be disabled using SetSQLServerTLSEncryption.bat in the SEPM Tools folder.
Secure out of the box: Secure client-to-server communication with HTTPS
HTTPS is now the default client-server communication protocol when installing the Symantec Endpoint Protection Manager.
Upgrades to SEP 14 will retain previous settings.
Managing Unsupported Clients: Ensuring you maintain visibility
SEPM 14.x detects unsupported SEP 11.x and 12.0 clients communicating with the server and notifies the administrators.
Making scans and exceptions easier: Commonly requested locations for exceptions
• System Drive prefix
• User Profile exception prefix
• User Profile scanning prefix
Improving update efficiency: Make it easier to find the right GUP
Problem: The environment has a large volume of subnets and needs a solution for clients that roam outside of their own subnet.
Solution: Configure the LiveUpdate policy so the client looks up its subnet mask and downloads content from a local GUP.
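To make the subnet lookup in the solution concrete, here is an added example written for this page (not SEP's LiveUpdate client code; the GUP addresses, the manager address and the function names are constructed assumptions) of the selection a roaming client has to perform: derive its own subnet from its IP address and mask, pick a Group Update Provider that sits inside that subnet, and fall back to the manager when no GUP does.

```python
import ipaddress
from typing import Iterable, Optional


def local_subnet(client_ip: str, subnet_mask: str) -> ipaddress.IPv4Network:
    """The network the client is on right now, from its own IP and dotted mask.
    strict=False lets a host address (not just the network address) be given."""
    return ipaddress.ip_network(f"{client_ip}/{subnet_mask}", strict=False)


def find_local_gup(client_ip: str, subnet_mask: str,
                   gups: Iterable[str]) -> Optional[str]:
    """First configured GUP whose address lies inside the client's own subnet."""
    net = local_subnet(client_ip, subnet_mask)
    for gup in gups:
        if ipaddress.ip_address(gup) in net:
            return gup
    return None


def choose_content_source(client_ip: str, subnet_mask: str,
                          gups: Iterable[str], manager: str) -> str:
    """Download from a same-subnet GUP when one exists; otherwise from the manager,
    which is the fallback for a client that has roamed onto a subnet with no GUP."""
    return find_local_gup(client_ip, subnet_mask, gups) or manager


# Constructed addresses: one GUP per site at three sites, plus the manager.
GUPS = ["10.1.1.10", "10.1.2.10", "192.168.5.10"]
SEPM = "10.0.0.5"

if __name__ == "__main__":
    for ip, mask in (("10.1.2.57", "255.255.255.0"),
                     ("192.168.5.200", "255.255.255.0"),
                     ("172.16.9.4", "255.255.0.0")):
        print(ip, "->", choose_content_source(ip, mask, GUPS, SEPM))
```

The mask matters as much as the address: the same client IP with a /16 mask matches a GUP in a neighbouring /24, so a site whose clients report an over-wide mask will pull content from a GUP across the WAN rather than the one next to them.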
Improving update efficiency: Reducing the bandwidth between GUP and client
Problem: The organization has smaller locations with limited connectivity that use a regional GUP.
Solution: Control the maximum bandwidth that a client uses to download content from a GUP.
Improving replication efficiency
Increased timing options offer flexibility and control:
• Schedule replication daily, weekly, hourly, or auto-replicate.
• Set a time interval when replication will start.
• Set and control replication schedules more effectively to avoid overhead.
Client Installation Improvements
Simplifying the install process: Increasing success of installs
CleanWipe optional configuration in client install settings
• Offered as a selection when creating a SEP client package. The feature will completely remove an existing client and then begin a client install.
• CleanWipe requires a restart of the system.
AutoUpgrade ensures new clients always get the latest definitions
• Auto-Upgrade packages now include definitions for clients migrating to SEP 14.
• Delta or full client packages will be repackaged with definitions "on demand" at the time the client requests the upgrade package.
Simplifying the install process: Increasing success of installs
Deploy SEP to Mac clients using AutoUpgrade
SEP 14 upgrades Mac clients by adding a package to a group.
• You can only upgrade to 14; you cannot add 12.1 packages to groups.
You can use the AutoUpgrade settings available for Windows clients, including:
• Allow users to postpone upgrades
• Schedule upgrades for a specific time
• Spread upgrades across multiple days
• Reset client-server communications
• Reboot scheduling & user choice (snooze button)
Product Notifications
Stay up to date with product notifications: Ensuring customers always get the latest version information
• Latest News link; the default interval for checking is 12 hours.
• Alerts work for all administrators.
• Latest News alert: clicking a notification causes the icon to disappear.
Notifications cover:
• Product updates
• Security advisories
• Best practices
• Trending issues
• And much more!
Thank you!
Copyright © 2016 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Symantec Advanced Threat Protection
Paul Murgatroyd, Endpoint and ATP Specialist
Blocking Threats is Simply Not Enough: Hard to keep up with significant growth and sophistication in cyber threats
• 430,000,000 new pieces of malware were found by Symantec in 2015
• 44% of customers were compromised despite using malware blocking technologies
• 38% of time spent by security professionals is in firefighting alerts
• 120 days: average number of days to remediate found vulnerabilities
• 55% increase in targeted spear-phishing email campaigns
Sources: Symantec ISTR Report 2016; Gartner Magic Quadrant for Endpoint Protection, 2016; Kenna Security Report, 2015
Staying Ahead of Broad, Sophisticated Attack Techniques is Challenging
Endpoints remain easy targets; email continues to be the primary attack vector.
Attack techniques shown by control point (endpoints; network & web): spear-phishing attacks, advanced malware, spam, ransomware, malicious websites, negligent employee, other (e.g., stolen devices).
What Happens When an Attack is Successful?
• 305 total data breaches in 2015
• 429 million total identities exposed in 2015
• 4 million: average cost of a data breach to organizations
Sources: Symantec ISTR Report 2016; IBM Data Breach Report, 2016
What Are The Market Dynamics?
The massive growth in the cyber security market ($77B in 2015, $170B in 2020) has led to many new products and standalone vendors.
Visibility Has Become a Big Challenge
Networks, endpoints and web each report their own signals in isolation: known-bad content detected, suspicious network behavior, malicious URL detected.
• Today's security products are largely unintegrated
• It's time-consuming and difficult to clean up attack artifacts across the organization
• The Incident Response team is overwhelmed with too many alerts
Symantec's Point of View: A unified platform to UNCOVER, INVESTIGATE, and RESPOND, integrated across major control points
• PREVENT (SEP): Block known threats
• UNCOVER (ATP): Visibility into malicious and suspicious activity using machine learning, payload detonation and behavioral analysis within minutes
• INVESTIGATE (ATP): Search for IOCs, see related events, view pre-correlated incidents, and get context enrichment from data feeds
• RESPOND (ATP): Control with confidence
Symantec Advanced Threat Protection Platform
Uncover, prioritize, investigate, respond in ONE console
• Cloud Sandbox: Physical & virtual detonation
• Correlation and prioritization: Detect once, find everywhere
• Investigation
• Remediation: Block, clean, fix in real time
Control points:
• Endpoint: Uncover, investigate, and remediate any attack artifact across all endpoints. Leverages Symantec Endpoint Protection.
• Network: Protect and detect advanced threats entering the network using multiple layers of technology. Virtual or physical appliance.
• Email: Protect and detect advanced threats entering via email; identifies targeted attacks. Leverages sandbox and Email Security.cloud.
• Roaming: Protect and detect advanced threats for roaming users when they are out of the corporate network. Cloud service.
ATP Inspection Technologies - On Premise
Technologies tested and proven on >150M endpoints
• IPS: Blocks malware as it tries to spread over the network (protocol-aware IPS; vulnerability and exploit blocking)
• File: Scans and eradicates malware files that arrive on a system (antivirus engine; Auto-Protect; heuristics)
• Reputation: Determines the safety of files & websites using the "wisdom of the crowd" (analytics) (domain/IP reputation; file reputation; Android APK reputation)
• IOC Feeds: Blocks or allows per Symantec-sourced blacklist and customer-created whitelist (C&C detections; GIN; DeepSight Threat Intelligence)
• Endpoint Behaviors: Assesses and records all processes, system changes, etc. (static code analysis; dynamic behavioral process trace)
• Machine Learning: Scores the suspiciousness of files and endpoints (decision tree analysis; bucket files)
ATP Inspection Technologies - Cloud
• Symantec Cynic™ (sandboxing): New cloud-based sandbox and payload detonation; executes files in both virtual and physical environments to uncover "VM-aware" threats
• Symantec Synapse™ (correlation): Aggregates and correlates threat events across multiple control points; reduces the number of incidents that security analysts need to investigate
• Dynamic Adversary Intelligence (attribution): Quickly identifies whether an organization is under a targeted attack; automatically searches for known Indicators of Compromise across the entire environment
Symantec Advanced Threat Protection: Modules
Symantec Endpoint Detection and Response (ATP: Endpoint): Provide EDR capability without the need to deploy new endpoint agents
• Investigate suspicious events and get full endpoint visibility
• Instant search for any attack artifact and sweep endpoints for IoCs
• Remediate all instances of threats in minutes, with one click
• Leverage SEP & non-Symantec investment. No new endpoint agent required.
Components: GIN, Sandbox, Correlation, SEP Manager
ATP: Network
Uncover the stealthiest threats that others miss [1]
Quick search for any IoC (files and URLs)
Blacklist/whitelist files and URLs once identified as malicious
Prioritize threats that remain unblocked at the endpoint, by leveraging SEP
Best advanced threat detection and accuracy rate in its class [1]
[1] Source: Dennis Tech Lab, Dec. 2015
Diagram components: Correlation, GIN, Sandbox, Firewall, ATP: Network
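The slides above describe three ideas only in outline: an IOC feed where a customer whitelist overrides the vendor blacklist, Synapse-style correlation that folds events from several control points into fewer incidents and an IoC sweep across endpoints, and the ATP: Network rule of prioritizing threats that SEP did not block. The following is an added, deliberately simplified model of that logic; it is not Symantec code and none of the names (Event, Incident, control_point, the sample hashes and hosts) come from the product.

```python
"""Toy cross-control-point correlation, added as an illustration.

Not Symantec code: it models the idea on the slides that detections from
e-mail, network and endpoint sensors are aggregated per indicator, that a
customer whitelist overrides a vendor blacklist, and that detections left
unblocked at the endpoint float to the top of the queue. All feeds, events
and hashes below are constructed sample data, not real indicators.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample feeds (the hash strings are placeholders, not real IoCs).
VENDOR_BLACKLIST = {"sha256:1111", "sha256:2222", "evil.example"}
CUSTOMER_WHITELIST = {"sha256:bbbb"}      # customer-created exceptions


@dataclass
class Event:
    control_point: str   # "email", "network" or "endpoint" (assumed labels)
    host: str            # sensor or endpoint that reported the event
    ioc: str             # file hash or domain observed
    blocked: bool        # whether that control point stopped it


@dataclass
class Incident:
    ioc: str
    hosts: set
    control_points: set
    endpoint_blocked: bool
    priority: str


def verdict(ioc):
    """Customer whitelist wins over the vendor blacklist; anything else is unknown."""
    if ioc in CUSTOMER_WHITELIST:
        return "allow"
    if ioc in VENDOR_BLACKLIST:
        return "block"
    return "unknown"


def correlate(events):
    """Collapse one event per sensor into one incident per indicator.

    Whitelisted indicators are dropped. An indicator already convicted by
    the endpoint agent is low priority; one seen on several control points
    or hosts and never stopped is high; a single unblocked sighting is medium.
    """
    groups = defaultdict(list)
    for e in events:
        if verdict(e.ioc) == "allow":
            continue
        groups[e.ioc].append(e)

    incidents = []
    for ioc, evs in groups.items():
        cps = {e.control_point for e in evs}
        hosts = {e.host for e in evs}
        ep_blocked = any(e.control_point == "endpoint" and e.blocked for e in evs)
        if ep_blocked:
            priority = "low"
        elif len(cps) > 1 or len(hosts) > 1:
            priority = "high"
        else:
            priority = "medium"
        incidents.append(Incident(ioc, hosts, cps, ep_blocked, priority))

    order = {"high": 0, "medium": 1, "low": 2}
    incidents.sort(key=lambda i: (order[i.priority], i.ioc))
    return incidents


def sweep(inventory, ioc):
    """IoC sweep: every host whose recorded artifacts contain the indicator."""
    return sorted(host for host, artifacts in inventory.items() if ioc in artifacts)


# Constructed sample telemetry: seven raw events from three control points.
SAMPLE_EVENTS = [
    Event("email", "mail-gw", "sha256:1111", False),
    Event("network", "proxy", "sha256:1111", False),
    Event("endpoint", "ws-01", "sha256:1111", False),   # reached the endpoint, not blocked
    Event("network", "proxy", "sha256:2222", False),
    Event("endpoint", "ws-02", "sha256:2222", True),    # SEP convicted it
    Event("email", "mail-gw", "sha256:bbbb", False),    # whitelisted by the customer
    Event("network", "proxy", "evil.example", True),    # one sighting, one sensor
]

# Constructed endpoint artifact inventory used by the sweep.
SAMPLE_INVENTORY = {
    "ws-01": {"sha256:1111"},
    "ws-02": {"sha256:2222"},
    "ws-03": {"sha256:1111", "sha256:3333"},
}

if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(inc.priority, inc.ioc, sorted(inc.control_points), sorted(inc.hosts))
    print("sweep sha256:1111 ->", sweep(SAMPLE_INVENTORY, "sha256:1111"))
```

Seven events become three incidents, and the one that reached an endpoint without being blocked is listed first, which is the ordering the ATP: Network slide asks for. The sweep answers the "instant search for any attack artifact" use case by checking every host's recorded artifacts, not only the hosts that raised an alert.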
ATP: Email
Get More Indicators of Compromise on Advanced Threats Than Anybody Else
Provide deep visibility into targeted attack campaigns
Quickly correlate and respond to threats with SIEM integration
Uncover and block advanced threats by leveraging cloud sandbox
Rich threat intelligence
Integrates with SIEM
Leverage Email Security.cloud
Export data to SIEM: 25+ data points, including URL information, severity level, malware category and file hashes
Diagram components: GIN, Correlation, Sandbox, ATP: Email
ATP: Roaming
Cloud-hosted solution
Protect users from advanced threats wherever they are browsing the internet
Detect and block advanced threats in encrypted traffic
Deep visibility into web traffic
Uncover and block advanced threats embedded in HTTP and HTTPS traffic
Diagram components: Correlation, GIN, Sandbox, Firewall, ATP: Roaming
What’s New in Symantec ATP Nov. 2016 Release
Daredevil Release Planning Session
Integration with 3rd party applications
Enables customers to integrate ATP with existing security platforms and leverage their existing security investments
• Public APIs
• Integration with ServiceNow & Splunk
Introducing ATP: Roaming
New control point available to our customers for an additional fee
• Threat protection for roaming users
• Detects and blocks threats in encrypted traffic
Dynamic Adversary Intelligence
More attack detections and better visibility on the threat attacking the organization
• File and network IOCs for attribution and local adversary activities
Symantec Advanced Threat Protection Platform
Uncover, Prioritize, Remediate in one console
Uncover and investigate advanced threats across email, endpoint, network, and web traffic
Prioritize what matters most
Remediate complex attacks in minutes, with one click
Leverage existing investment - both Symantec & non-Symantec products
Diagram components: GIN, SEP Manager, Correlation, Sandbox, ATP: Endpoint, ATP: Email, ATP: Network, ATP: Roaming
Symantec Advanced Threat Protection: Differentiators
A single prioritized view of all advanced attack activity in your organization, without adding new agents.
Exports rich intelligence from endpoint, network, email, and web traffic from a single solution into your 3rd-party security products
Allows you to maximize your existing security investments, both Symantec and non-Symantec products
Connects the dots of an attack across multiple control points, so that every attack component can be quickly remediated with one click of a button
Combines global telemetry from one of the largest cyber intelligence networks in the world with local customer context to uncover attacks
Symantec Advanced Threat Protection Outperforms Competitors
Chart: detection rates 69%, 71%, 90%, 100% (Superior Detection)
Ranked BEST in detection and accuracy
Risk Insight
Steven Broadwell, Sr. Principal Security Engineer
Symantec Enterprise Security | Product Strategy
Unified Security Analytics Platform
Users · Data · Apps · Cloud · Endpoints · Gateways · Data Center
• Log and Telemetry Collection
• Unified Incident Management and Customer Hub
• Inline Integrations for Closed-loop Actionable Intelligence
• Regional and Industry Benchmarking
• Integrated Threat and Behavioral Analysis
Threat Protection (Endpoints, Data Center, Gateways)
• Advanced Threat Protection Across All Control Points
• Built-In Forensics and Remediation Within Each Control Point
• Integrated Protection of Server Workloads: On-Premise, Virtual, & Cloud
• Cloud-based Management for Endpoints, Datacenter, and Gateways
Information Protection (Data, Identities)
• Integrated Data and Identity Protection
• Cloud Security Broker for Cloud & Mobile Apps
• User and Behavioral Analytics
• Cloud-based Encryption and Key Management
Cyber Security Services: Monitoring, Incident Response, Simulation, Adversary Threat Intelligence
Thank you!
Copyright © 2016 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.