Daredevil

• Davor Perat
• Senior Technology Consultant
Agenda

1 Threat landscape and the endpoint

2 Protecting the endpoint
3 Performance or protection, why choose?
4 Virtualized and embedded system optimization
5 Streamlined management and reporting across platforms
6 Symantec product integration and support
7 Architecture overview
8 Additional resources and summary

2
Let’s get started!

3
Threat landscape and the endpoint

4
 Internet Security Threat Report: ISTR Volume 21

Known Malware New Malware Network Attack Social Engineering System Tampering Data Theft Vulnerabilities

Symantec discovered more than 430 million new unique pieces of malware in 5

2015, up 36% from the year before.

A new Zero-Day vulnerability discovered every week in 2015

6
 9 threat response centers
175M
Consumer and
Enterprise 57M
endpoints attack sensor
protected in 157countries

12,000
Cloud applications
Discovered
protected
430 million
new unique pieces 182M
of malware last year web attacks
blocked last year

Billions 1 Billion
of email traffic
scanned/day web requests scanned
daily

One of the largest civilian cyber intelligence networks

3.7 Trillion rows of security-relevant data 7
 The threat landscape continues to escalate

430M 125% 35% 55%

Increase in Targeted
new pieces of increase of Zero-Day increase of
Attacks
malware were created vulnerability from ransomware in
in 2015 2014 to 2015 2015

Inbound Outbound
Payload delivery Payload execution
Communication Communication

Source: Symantec ISTR 2016

8
How Symantec can help
Symantec Endpoint Protection 14

UNRIVALED BLAZING SMARTER

SECURITY PERFORMANCE MANAGEMENT

Stops targeted attacks and Performance so fast your A single management

advanced persistent users won’t even know its console across Windows,
threats with intelligent there. Mac, Linux, and Virtual
security and layered platforms with granular
protection that goes policy control.
beyond antivirus.

Inbound Outbound
Payload delivery Payload execution
Communication Communication

EASY INTEGRATION &

SUPERIOR PROTECTION BETTER PERFORMANCE
AUTOMATION 9
SEP protects against all types of threats
SEP 14 combines Core and Next Generation technologies
SEP 14 SEP 14
Intelligent Advanced Emulator
Application Device Threat Cloud Machine for crypto-
Control Control Always Learning
Pre- malware
App & Up to Date

Device Execution
Control Detection

Firewall & Network Process BPEs SONAR

Intrusion Behavioral
Prevention IDS/IPS Behavior Signatures
Behaviors

Exploit
SEP 14 Reputation
Prevention
Memory Insight Insight
Exploit Signer File / Domain
Mitigation Reputation Reputation

10
SEP 14 Next Generation Protection Technologies and Enhancements

Machine Application Emulator Intelligent Performance Enabling Enhanced

Enhancements
Learning Protection ••Anti-evasion Threat Integrations Automation
technique to Cloud ••Faster real-
••Pre-execution ••Memory time virus ••REST APIs ••Expanded
detection for Exploit detect hidden LiveUpdate to
••Real-time detection ••Enable
new and Mitigation malware deliver
cloud lookup , BlueCoat
evolving ~70% integrations security
threats reduction in updates for
definition size Windows
clients
Compete
Compete Strong 70% drop in Faster and Easy
Against Automation
Against Traps Anti-Evasion daily updates Light Weight Integrations
Cylance

Easy Integration &

Superior Protection Better Performance
Automation
Protecting the endpoint

12
Your endpoints are the target

Data leakage Malware

and tampering

Software Network threats

vulnerability
 COMPLIANCE THREAT PROTECTION

Introducing SEP

Application and
File-based
Device Control
protection
System Lockdown

Host integrity Network Threat

protection

Central Management
Protection layers | Single agent

AntiVirus
Whitelisting
AntiSpyware
Blacklisting
Heuristic
Device Control
Reputation
System Lockdown
Email Scanning

Compliance check:
• Standard Insight Firewall
• Template Custom IPS
• Custom Stream Level IPS
• Automation Browser Protection
 File-based
Zero-day threats and
protection reduced false positives

Insight

Download Protection Download protection protects against new and unknown files that
traditional signature-based security does not detect. Detections are
based on the prevalence, age, source and overall reputation given
by Insight.

SONAR SONAR is a real-time monitoring heuristic system that targets

(Behavioral Heuristic) malicious behavior. It leverages Insight to provide zero-day
threat protection and signature-less mitigation.
Signature engine is the traditional Antivirus feature matching
threats against signatures. It still accounts for 50% of all detections
Signature in 2014. The engine also leverages Insight for false positive
prevention. Signatures are used for files and emails scans.
16
 File-based
Protection:
Continued
Static Data Scanner

SDS Engine

Emulator: SAPE: ITCS: CoreDef-3 :

VM for packed Machine Cloud- based Lightweight AV
threat learning engine scanning Signatures

• Emulator: Analyze the payload by executing a packed threat in a local virtualized

sandbox.
• SAPE: Determines if a file is good or bad based on experience, criteria set by analysts,
and behavior.
• ITCS: Reduces resource and storage overhead by keeping the most relevant signatures
locally and applying small updates when needed. All other signatures are hosted in the
cloud.
• CoreDef-3: Traditional antivirus engine that contains a lighter set of definitions.
17
 Network Threat
Protection

Custom
IPS
Firewall protects against intrusion and gives control over the data
entering and leaving the endpoint.

Custom IPS allows administrators to create SNORT like Network IPS

signatures at the packet level (OSI Layer 2)

Network IPS is stream-based filtering that uses generic exploit

blocking (GEM) to block threats using a published vulnerability.
(OSI Layer 5) Browser IPS

Browser IPS protects against obfuscated attacks at the browser

level. (Encrypted Java, ActiveX, Flash, and more).
(OSI Layer 7). Browser Protection works with Firefox and Internet
Explorer.

18
 Network Threat
Protection

••Insight, Browser Protection, SONAR, Virus and

Application
Spyware Protection and Application Control
Presentation ••Browser Protection and Insight

Session ••Firewall and IPS

Transport ••Firewall

Network ••Firewall

Data link ••Firewall and Custom IPS

Physical ••Device Control

 Application and Device Application
Control
Control

Application Control blocks unwanted applications based on hash or

filename. Device Control

Device Control blocks unauthorized hardware to be connected

to the endpoint. Prevents data leakage and dual homing
networks. System Lockdown

System Lockdown leverages Application Control to whitelist or

blacklist a set of applications. Commonly used in static
environments like embedded systems and secure workstations.

20
 Host integrity Standard
requirements

Template requirements
Host integrity audits the endpoint against requirements. The audit
gives a PASS of FAIL result, which is translated into an automated
remediation.

Standard requirements include Endpoint security status, content

updates, critical patches, and more. Custom requirements

Template requirements can be retrieved via LiveUpdate to audit

advanced requirements, such as password complexity or
presence of a second NIC connected to the system.

Custom requirement is a feature that provides a simple method

to execute programs and scripts to evaluate and remediate any
aspect of the endpoint.
21
Insight
-127 CALCULTING SCORE 127

Insight is the largest reputation data file system in the world and
leverages more than 175 million endpoints to gather information on
binary executable files.

Age: Insight looks at how long a file has been created because
malware tends to be very new when infecting a system.

Prevalence: Insight keeps count of how many endpoints ran or

downloaded a given application.

Source and System Hygiene: Insight uses a rating system: The

number of system infections and where the threat came from to
determine an accurate reputation score.

Previous Conviction: Insight leverages telemetry from features like

file-based protection, IPS or SONAR to determine if a file already
had a malicious behavior on another system. 22
 Threat spectrum vs SEP features

Known Malware New Malware Network Attack Social Engineering System Tampering Data Theft Vulnerabilities

Signatures
Heuristic
Heuristic (SONAR) (SONAR)
Machine Learning Reputation
(Insight)
Reputation (Insight)
IPS (GEM)
IPS / Firewall
Application control

Device control
Host Integrity
23
Protection across the attack chain
Inbound Outbound
Payload delivery Payload execution
New in SEP14 Communication Communication

Reputation Machine Learning (ML)

Machine Advanced ML*

Learning Clustering
Behavioral ML
Next gen IPS Next-gen IPS
Network Stateful Firewall
Browser protection
Tamper Protection and Lockdown
Hardening
Memory Exploit Mitigation* Application control
Anti Virus signatures
AV
Emulation for crypto-malware*
Real-time response to rapidly changing threat landscape
Big Data
Threat vector learning at scale

Signature based Non signature based Machine learning and deep learning
24
Performance or protection. Why choose?

25
BLAZING PERFORMANCE WITH INSIGHT
Up to 70% reduction in scan overhead by only scanning unknown files

Trusted by
Insight

Traditional scan Scan powered by Insight

26
Scan throttling
Scheduled scans use less resources when you need your system
Idle Busy

Best
Scenario CPU/Disk User Best App Balanced
Scan

Busy Server Busy Idle Throttled Throttled Running

SEP Using PC Busy Busy Paused Throttled Running SEP

SEP
Uses up to 75% reduces its
CPU Usage
resources Moving resources usage
Idle Busy Paused Throttled Running
Mouse

Lunchtime Idle Idle Running Running Running

27
Scan randomization
Preventing the AV storm
Usability

CPU & I/O

28
Scan randomization
Preventing the AV storm
Usability

CPU & I/O

Randomization window
29
Virtualized and embedded system optimizations

30
Built for all endpoints
Reduced-size client: Smaller
Limited storage footprint and lighter content
update.

CoreDef-3 with size

Resource sharing enhancement.
ITCS enabled.

License cost VDI specific settings

31
Embedded and VDI client installation
package
• Contains a smaller set of Virus and
Spyware content distribution files 45 MB
• Contains a reduced-package size that
includes all features:
– Virus and Spyware*
– Firewall

45 MB
– IPS
– SONAR
– System Lockdown
– Application Control, and more

• More NTFS compression where possible Embedded and

Standard Client VDI Client
• No installer cache
Estimated definition size: 170 MB 75 MB
32
Embedded and VDI Virus and Spyware content
• Distributed three times per day on week
days and once a day on weekends
• Separate download from the console
• Content specific to the lightweight client
• Contains less signatures than the traditional
set

33
Intelligent Threat Cloud services details

Projected size Average query Performance

range of AV time to the cloud degradation?
definitions on the
local disk.

Less than 5% compared

75 MB – 170 MB 1.7 seconds to SEP 12.1.6 scan

34
 Client types and definitions types

Standard Embedded and VDI Dark network

Definition type CoreDef-3 CoreDef-3 with size CoreDef-1.5

enhancement
ITCS enabled Yes Yes No

Estimated package size ~45MB ~45MB ~360MB

(Network traffic)
Estimated definition size on ~170MB ~75MB >700MB
disk (Full.zip)

The SEP 12.x clients use coreDef-1.5. When you upgrade these clients to SEP 14,
Copyright © 2014 Symantec Corporation

they are migrated to CoreDef-3.

35
 Differences between SEP 12.1 and SEP 14 definition sizes

SEP 12.1 SEP 12.1 SEP 14 Standard SEP 14 Embedded and VDI
Standard Reduced
Definition type CoreDef-1.5 CoreDef-3 with CoreDef-3 CoreDef-3 with size
size enhancement
enhancement
ITCS enabled No No Yes Yes
Estimated package ~360 MB ~45 MB ~45MB ~45MB
size (Network traffic)
Estimated definition ~700 MB ~75 mb ~170MB ~75MB
size on disk (Full.zip)
36
What if you can skip all the standard files in a VM ?

By default, SEP 14.x trusts and skips most

of the OS and some applications.
There are still some files present in the
VM template that are not a threat and
those files are scanned over and over.
Virtual Image Exception VIE sets all the
files present on the VM template as
trusted by adding them to the local SEP
reputation store.

Local
reputation
store 37
When a VIE enabled template is cloned… We scan very little
When the new VM is based on the VIE
Trusted by
Insight trusted image, only new documents and
applications are scanned.
This reduced I/O applies to both real-
time, on-demand, and scheduled scans.

Trusted
by VIE
VIE VIE VIE VIE

38
Shared Insight Cache
• Shared Insight Cache (SIC) is a server application which caches known clean files in
order to optimize scheduled scan performances.
• The SIC server is mainly designed for virtual environments, but usage on physical
system is supported given that network latency is kept at an absolute low.
• The SIC server keeps a record in memory (RAM) of files which are voted clean by
system performing scans.

SIC
SHARED INSIGHT CACHE
SEP for VDI
Agent Agentless

••Features ••Features
••SONAR Behavior ••Agentless Anti-Malware
••Intrusion Prevention ••Insight file reputation
••Browser Protection ••Agentless Network IPS (requires
••Firewall NSX)
••Network IPS ••Console to manage DCS
••Application Device Control
••Insight Reputation
••Console to manage SEP
• Windows Desktop Supportability: Windows 7/Windows 8
System Requirements: VMware NSX/VMware ESXi 5.5 and VMware vShield/ESXi 5.1+
•Copyright © 2014 Symantec Corporation
40
 File Hash Def Ver Result

Shared Insight Cache: High Level AE32D… 2011.1... Clean

B923E… 2011.1… Clean

Shared Insight Cache F9123… 2011.1… Clean

Server (SIC) C3FDA… 2010.2… Clean

The first SEP client needs to scan a Subsequent SEP clients need to scan the same file. They
file and queries SIC and finds no query the cache server and find the file has already been
record. SEP scans the file and scanned with the same version of defs and the file is clean.
sends the results to the SIC. SEP client skips scanning the file.

VM VM VM VM VM VM
VM VM VM VM VM VM
Virtual farm Virtual farm
VM Cluster

41
Shared insight cache architecture

Insight SIC Server SEPM

Reputation Clean state Logs

Symantec Endpoint Protection for Virtual Desktop Infrastructure (VDI)

43
 Non-persistent VDI refinements
• VDI licensing scheme
– Shorter retention time equals more licenses available
– Set the client as VDI in the template
– Configure the Manager to set the separate retention
scheme

453
– Select Admin > Domain properties
Streamlined management and reporting across platform

45
 Policies
Single console Multiples agents

Vista,7,8,10 Reporting
Server
Embedded
Alerting
OSX 10.6.8
10.10
Management

RPM & DPKG

Distros

46
Policies
• Central configuration LiveUpdate

• Location aware settings

Virus & Spyware Firewall
• Manual grouping or Active Directory import Protection

• Tree structure inheritance

Location
Settings

Application & IPS

Device Control
(System Lockdown)

Host Integrity

47
Location awareness

Office Home Travel

LiveUpdate
LiveUpdate LiveUpdate

Virus & Spyware Firewall

Protection Virus & Spyware Firewall Virus & Spyware Firewall
Protection Protection

Location
Settings Location Location
Settings Settings

Application & IPS

Device Control Application & IPS Application & IPS
(system lockdown) Device Control Device Control
(system lockdown) (system lockdown)

Host Integrity
Host Integrity Host Integrity

• Adapts all policies based on location

• Location determination uses Boolean logic and multiple criteria making impossible to “fake” a
location:
Office location = Gateway mac address + Connected to SEPM + Resolve intranet site to a given IP
48
Reporting
• Three views:
– Dashboard: Overview
– Monitors: Tables and logs
– Reports: Graphs

• Exports:
– CSV,MHTML (alerts)

• Actionable reports:
– Launch scan, update, and
remediate

• Alerts:
– Console
– Email

49
Alerting and scheduled reports
• Email or Console
• Preconfigured conditions
• You can create your own alerts for
a selected number of events
• Alert equals live data that can
change over time
• Scheduled report equals Static
data at a given point

50
Active Directory integration
• Organizational unit
synchronization Active Directory
– Client grouping matching Active
Directory
– No support for Active Directory
groups
OU
• Console login SSO
Password changes when the
Windows account changes
User Mapping OU Import

51
 SEP Manager
Domains
• Can separate entities while using the
LiveUpdate
LiveUpdate

same management server.

Virus & Spyware Firewall
Virus & Spyware Firewall
Protection
Protection

• Separate:
Application & IPS Application & IPS
Device Control
(system lockdown) Device Control
(system lockdown)

Host Integrity
Host Integrity

– Policies
– Groups structure
– Reporting and alerting settings

• Mostly used by service providers or

large environment with multiple IT
teams

Domain A Domain B

52
 SEP Manager
Account delegation
Console with multiple access levels:
LiveUpdate
LiveUpdate

Virus & Spyware Firewall

Virus & Spyware Firewall
Protection
Protection

Application & IPS Application &

System Admin has access to all settings.

Device Control IPS
(system lockdown) Device Control
(system lockdown)

Host Integrity
Host Integrity

Domain Admin has access to settings for

a single domain.

Limited Admin has limited access to some

settings for a single domain
Domain A Domain B

53
Product Integration

54
Symantec Endpoint Protection integration

Advanced reporting Threat detection

Managed Services
Syslog Server Agent

IT Analytics

55
Managed Security Services

Network Endpoint Security Threat

Security Security Intelligence experts

Automated triage workflow

Rapid Response | Operational Efficiency | Attack Visibility

56
MSS overview

57
IT Analytics benefits

Key
Historical log Customized Granular log
performance
retention reporting analysis
indicators

58
Syslog
• SEPM can send events to a Syslog
server.
• Events can be parsed and generate
alerts and tickets with third-party
Event management solutions.

59
Extend SEP capabilities with the SEPM API Service
RESTful API to built in to SEPM to
Symantec Endpoint Protection Manager
enable Programmatic integration
Client Application &
Management
Policy
Control
Device Control
Reports &
Analytics
with SEP
Customer Benefit:
REST API’s
ü Orchestrate/automate SEPM
SEP14 - API’s functionality from other
Login & Logout of SEPM applications and scripts
Obtain a list of groups
ü Connect SEP to 3rd party platforms
Assign a fingerprint list to a group for system lockdown. for control or network plane
Retrieve the Symantec Endpoint Manager version integration with the endpoint
information
Add or delete a blacklist as a file fingerprint list
60
Architecture Overview

61
Symantec Endpoint Protection 14.x Architecture Components
Management

Events and
* Policy
SEPM Console

Content Distribution

Content
Updates
LiveUpdate
SEPM GUP Internet
Server

Endpoint Protection

Protection and
Logs
Windows Linux Mac Embedded Virtual

* SEPM can use an embedded database of MS-SQL. MS-SQL is recommended for larger organization 1000+ Endpoints
Server architectures

SINGLE SITE MULTIPLE SITES

ü Small environments ü Medium to large ü Very large environment

ü Simple to implement environments ü Provides failover
ü No failover ü Provides failover ü Provides site disaster redundancy
ü Requires two servers ü Provides geographical administration delegation
ü MSSQL backend ü Requires two servers per site
recommended ü MSSQL backend mandatory
ü Introduces delay in log visibility due to the
replication schedule

<1000 Endpoints >1000 Endpoints >50 000 Endpoints

63
Content Distribution methods

SEPM GUP LiveUpdate Server Internet

ü Direct distribution to ü Reduces WAN usage ü Provides content ü Rapid delivery

endpoints ü Acts as a content proxy validation scheduling ü Recommended for
ü Central control of ü Recommended for ü Distribute content to nomad users
content update scattered environments non Windows ü No central control of
ü Any client can be a GUP endpoints content used
Additional resources

65
Symantec Connect Forum
• Forums annotated by
customers, staff, and partners
• Videos and tutorials
• Earn rewards

66
 Symantec Education Services Offers Effective Product Training
• Achieve expected value for your products.

• Learn how Symantec products can solve your business

problems today and tomorrow.

• Gain best practice insight to keep your investments

running smoothly long-term.
Education Services
• For more information visit training.symantec.com
A broad range of training solutions to
help you get the most out of
Symantec products.

67
68