• Davor Perat
• Senior Technology Consultant
Agenda
Let’s get started!
Threat landscape and the endpoint
Internet Security Threat Report: ISTR Volume 21
[Figure: attack chain categories: Known Malware, New Malware, Network Attack, Social Engineering, System Tampering, Data Theft, Vulnerabilities]
Symantec discovered more than 430 million new unique pieces of malware.
Telemetry figures from the slide:
• 9 threat response centers
• 175M consumer and enterprise endpoints protected in 157 countries
• 57M attack sensors
• 12,000 cloud applications protected
• 430 million new unique pieces of malware discovered last year
• 182M web attacks blocked last year
• Billions of email traffic scanned per day
• 1 billion web requests scanned daily
[Figure: SEP 14 protection across the attack chain. Inbound: Payload delivery, Communication. Outbound: Payload execution, Communication. Technologies: Device Control, Execution Detection, Exploit Prevention, Memory Exploit Mitigation, Insight Signer Reputation, Insight File / Domain Reputation]
SEP 14 Next Generation Protection Technologies and Enhancements
Your endpoints are the target
Introducing SEP
[Figure: Application and Device Control, File-based protection, System Lockdown, Central Management]
Protection layers | Single agent
• AntiVirus
• AntiSpyware
• Heuristic
• Reputation
• Email Scanning
• Insight
• Whitelisting
• Blacklisting
• Device Control
• System Lockdown
• Compliance check: Standard, Template, Custom, Automation
• Firewall
• Custom IPS
• Stream Level IPS
• Browser Protection
File-based protection: zero-day threats and reduced false positives (Insight)
Download Protection protects against new and unknown files that traditional signature-based security does not detect. Detections are based on the prevalence, age, source and overall reputation given by Insight.
[Figure labels: SDS Engine, Custom IPS]
Firewall protects against intrusion and gives control over the data entering and leaving the endpoint.
Network Threat Protection
[Figure: Firewall at the Transport and Network layers]
Host integrity: Standard requirements, Template requirements
Host integrity audits the endpoint against requirements. The audit gives a PASS or FAIL result, which is translated into an automated remediation.
Insight is the largest file reputation data system in the world and leverages more than 175 million endpoints to gather information on binary executable files.
Age: Insight looks at how long ago a file was created, because malware tends to be very new when it infects a system.
[Figure: protection technologies mapped to the attack chain (Known Malware, New Malware, Network Attack, Social Engineering, System Tampering, Data Theft, Vulnerabilities): Signatures, Heuristic (SONAR), Machine Learning, Reputation (Insight), IPS (GEM), IPS / Firewall, Application control, Device control, Host Integrity]
Protection across the attack chain
[Figure: Inbound (Payload delivery, Communication) and Outbound (Payload execution, Communication); legend: Signature based, Non signature based, Machine learning and deep learning, New in SEP14]
Performance or protection. Why choose?
BLAZING PERFORMANCE WITH INSIGHT
Up to 70% reduction in scan overhead by only scanning unknown files
[Figure: files trusted by Insight are skipped; scan tuning scenarios (Best App, Balanced, Best Scan) against CPU/Disk and user impact]
Scan randomization
Preventing the AV storm
Usability
Built for all endpoints
Reduced-size client: smaller storage footprint, limited content and lighter updates.
Embedded and VDI client installation package
• Contains a smaller set of Virus and Spyware content distribution files (45 MB)
• Contains a reduced-package size (45 MB) that includes all features:
– Virus and Spyware*
– Firewall
– IPS
– SONAR
– System Lockdown
– Application Control, and more
Intelligent Threat Cloud services details
Client types and definitions types
The SEP 12.x clients use coreDef-1.5. When you upgrade these clients to SEP 14,
Copyright © 2014 Symantec Corporation
Client type: SEP 12.1 Standard
– Definition type: CoreDef-1.5
– ITCS enabled: No
– Estimated package size (network traffic): ~360 MB
– Estimated definition size on disk (Full.zip): ~700 MB
Client type: SEP 12.1 Reduced
– Definition type: CoreDef-3 with size enhancement
– ITCS enabled: No
– Estimated package size (network traffic): ~45 MB
– Estimated definition size on disk (Full.zip): ~75 MB
Client type: SEP 14 Standard
– Definition type: CoreDef-3
– ITCS enabled: Yes
– Estimated package size (network traffic): ~45 MB
– Estimated definition size on disk (Full.zip): ~170 MB
Client type: SEP 14 Embedded and VDI
– Definition type: CoreDef-3 with size enhancement
– ITCS enabled: Yes
– Estimated package size (network traffic): ~45 MB
– Estimated definition size on disk (Full.zip): ~75 MB
What if you can skip all the standard files in a VM?
[Figure: local reputation store]
When a VIE enabled template is cloned, we scan very little.
When the new VM is based on the VIE trusted image, only new documents and applications are scanned. This reduced I/O applies to real-time, on-demand, and scheduled scans.
[Figure: cloned VMs trusted by VIE; base image trusted by Insight]
Shared Insight Cache
• Shared Insight Cache (SIC) is a server application which caches known clean files in order to optimize scheduled scan performance.
• The SIC server is mainly designed for virtual environments, but usage on physical systems is supported provided that network latency is kept at an absolute minimum.
• The SIC server keeps a record in memory (RAM) of files which are voted clean by the systems performing scans.
SEP for VDI
Agent features:
• SONAR Behavior
• Intrusion Prevention
• Browser Protection
• Firewall
• Network IPS
• Application and Device Control
• Insight Reputation
• Console to manage SEP
Agentless features:
• Agentless Anti-Malware
• Insight file reputation
• Agentless Network IPS (requires NSX)
• Console to manage DCS
• Windows Desktop Supportability: Windows 7/Windows 8
System Requirements: VMware NSX/VMware ESXi 5.5 and VMware vShield/ESXi 5.1+
Cache record fields: File Hash, Def Ver, Result
The first SEP client needs to scan a file; it queries SIC and finds no record. SEP scans the file and sends the results to the SIC.
Subsequent SEP clients need to scan the same file. They query the cache server and find the file has already been scanned with the same version of defs and the file is clean. The SEP client skips scanning the file.
[Figure: virtual farms of VMs (VM cluster) sharing one SIC server]
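A small model of the SIC hit/miss logic described above, added here as an illustration (not Symantec's code). It assumes records are keyed by file hash and valid only for the same definition version, and that only clean verdicts are cached; the scanner and hashes are constructed stand-ins.

```python
from typing import Callable, Dict, Tuple


class SharedInsightCache:
    """In-RAM record of files voted clean: file hash -> definition version that voted."""

    def __init__(self) -> None:
        self._clean: Dict[str, str] = {}

    def lookup(self, file_hash: str, def_version: str) -> bool:
        # A hit requires a record made with the same definition version;
        # a record from older defs counts as "no record" and forces a rescan.
        return self._clean.get(file_hash) == def_version

    def vote_clean(self, file_hash: str, def_version: str) -> None:
        self._clean[file_hash] = def_version


class SepClient:
    """One SEP client (a VM in the farm) that asks SIC before scanning a file."""

    def __init__(self, def_version: str, cache: SharedInsightCache,
                 scanner: Callable[[str], bool]) -> None:
        self.def_version = def_version
        self.cache = cache
        self.scanner = scanner  # local engine stand-in: True when the file is clean
        self.local_scans = 0

    def scan(self, file_hash: str) -> Tuple[bool, bool]:
        """Return (is_clean, scanned_locally)."""
        if self.cache.lookup(file_hash, self.def_version):
            return True, False  # cache hit: skip the local scan
        self.local_scans += 1
        is_clean = self.scanner(file_hash)
        if is_clean:  # only clean verdicts are recorded; malware is never cached
            self.cache.vote_clean(file_hash, self.def_version)
        return is_clean, True


def simulate(num_vms: int, files: Tuple[str, ...], malicious: Tuple[str, ...],
             def_version: str) -> Tuple[int, int]:
    """Scan every file on every VM; return (local scans performed, scans skipped)."""
    cache = SharedInsightCache()
    vms = [SepClient(def_version, cache, lambda h: h not in malicious)
           for _ in range(num_vms)]
    skipped = 0
    for vm in vms:
        for h in files:
            skipped += 0 if vm.scan(h)[1] else 1
    return sum(vm.local_scans for vm in vms), skipped
```

With 6 VMs and 3 constructed hashes, one of them malicious, simulate returns (8, 10): each clean file is scanned once and served from the cache on the other five VMs, while the malicious file is scanned on every VM.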
Shared insight cache architecture
Non-persistent VDI refinements
• VDI licensing scheme
– Shorter retention time equals more licenses available
– Set the client as VDI in the template
– Configure the Manager to set the separate retention scheme
– Select Admin > Domain properties
Streamlined management and reporting across platform
[Figure: single console managing multiple agents (Windows Vista, 7, 8, 10; Server; Embedded; OSX 10.6.8 to 10.10) with Policies, Reporting, Alerting and Management]
Policies
• Central configuration
• Location awareness
[Figure: LiveUpdate, Location Settings and Host Integrity policies applied per location]
• Exports:
– CSV, MHTML (alerts)
• Actionable reports:
– Launch scan, update, and remediate
• Alerts:
– Console
– Email
Alerting and scheduled reports
• Email or Console
• Preconfigured conditions
• You can create your own alerts for a selected number of events
• Alert equals live data that can change over time
• Scheduled report equals static data at a given point
Active Directory integration
• Organizational unit synchronization
– Client grouping matching Active Directory
– No support for Active Directory groups
• Console login SSO
– Password changes when the Windows account changes
[Figure: Active Directory OU import and user mapping]
SEP Manager
Domains
• Can separate entities while using the
• Separate:
– Policies
– Groups structure
– Reporting and alerting settings
[Figure: Domain A and Domain B, each with its own LiveUpdate, Application & IPS, Device Control (system lockdown) and Host Integrity policies]
SEP Manager
Account delegation
Console with multiple access levels:
[Figure: LiveUpdate and Host Integrity policies under delegated accounts]
Product Integration
Symantec Endpoint Protection integration
IT Analytics
Managed Security Services
IT Analytics benefits
• Key performance indicators
• Historical log retention
• Customized reporting
• Granular log analysis
Syslog
• SEPM can send events to a Syslog server.
• Events can be parsed to generate alerts and tickets with third-party event management solutions.
Extend SEP capabilities with the SEPM API Service
RESTful API built in to SEPM (Symantec Endpoint Protection Manager) to enable programmatic integration with SEP
[Figure: REST APIs covering Client Management, Application & Device Control, Policy Control, Reports & Analytics]
SEP14 APIs:
• Login and logout of SEPM
• Obtain a list of groups
• Assign a fingerprint list to a group for system lockdown
• Retrieve the Symantec Endpoint Manager version information
• Add or delete a blacklist as a file fingerprint list
Customer benefit:
• Orchestrate/automate SEPM functionality from other applications and scripts
• Connect SEP to 3rd party platforms for control or network plane integration with the endpoint
Architecture Overview
Symantec Endpoint Protection 14.x Architecture Components
[Figure: SEPM Console; SEPM Server* (management, events and policy); content distribution via LiveUpdate and GUP from the Internet; content updates; protection and logs for Windows, Linux, Mac, Embedded and Virtual endpoints]
* SEPM can use an embedded database or MS-SQL. MS-SQL is recommended for larger organizations (1000+ endpoints).
Server architectures
Symantec Connect Forum
• Forums annotated by customers, staff, and partners
• Videos and tutorials
• Earn rewards
Symantec Education Services Offers Effective Product Training
• Achieve expected value for your products.