Endpoint Security S.W.O.T. for the Public Sector

advertisement
State of Hawaii
Symantec Protection Suite Briefing
Bill Musson, CISSP
Senior Systems Engineer
1
Agenda
• Symantec Endpoint Protection SEP11 Overview
• Symantec Endpoint Protection SEP12 Overview
– Symantec Insight
– Symantec Online Network for Advanced Response (SONAR)
• Centralized Security Management
– Symantec Management Platform
– IT Analytics for SEP
– Workflow
– SPC v1
– SPC v2
2
Symantec Endpoint Protection 11
3
Symantec Endpoint Protection 11
Network Access
Control
Single Agent, Single Console
Results:
Device and Application
Control
Increased
Protection, Control &
Manageability
Intrusion
Prevention
Firewall
Reduced
Cost, Complexity &
Risk Exposure
Antispyware
Antivirus
SEP 11
NAC 11
Managed by Symantec Endpoint Protection Manager
4
Gartner Magic Quadrant for EPP
5
Symantec Endpoint Protection 12
Symantec Insight
Symantec Online Network for Advanced Response (SONAR)
6
The Problem
No Existing Protection Addresses the “Long Tail”
Today, both good and bad software obey a long-tail distribution.
Unfortunately neither technique
works well for the tens of millions of
files with low prevalence.
(But this is precisely where the
majority of today’s malware falls)
Blacklisting
works well here.
For this long tail a new
technique is needed.
Good Files
Prevalence
Bad Files
Whitelisting
works well here.
7
The Inspiration
Only malware mutates
So . . . if an executable is unique, it’s suspicious
. . . but how to know if a file is unique?
8
How many copies of this file exist?
How new is this program?
Is it signed?
How often has this file been downloaded?
How many people are using it?
Where is it from?
Does it have a security rating?
Have other users reported infections?
Is the source associated with infections?
What rights are required? How will this file behave if executed?
Is the file associated with files that are linked to infections?
Does the file look similar to malware?
How old is the file?
Is the source associated with SPAM?
Have other users reported infections?
Who created it?
Is the source associated with many new files?
Who owns it?
What does it do?
9
Achilles Heel of Mutated Threats
Unrivaled
Security
Hackers mutate threats to evade fingerprints
Mutated threats stick out like a sore thumb
Virus Writer’s Catch-22
– Mutate too much = Insight finds it
– Mutate too little = Easy to discover & fingerprint
10
Symantec Insight
The context of a file
is as telling as its content
What rights are required? How will this file behave if executed?
Is the file associated with files that are linked to
OR
OR
Does the file look similar to malware? infections?
BAD
GOOD LOW
How old is the file?
Reputation
HI
NEW
OLD
Is the source associated with
Prevalence
Age SPAM?
Theinfections?
context
Have other users reported
you need Who created it?
11
How it works
2
1
4
Rate nearly
every file on
the internet
Check the DB
during scans
Build a
collection
network
Is it new?
Bad reputation?
Allow
Deny
Prevalence
5
Provide
actionable data
3
Look for
associations
Age
Source
Behavior
Associations
12
First Insight is used for manual scans of
endpoints. What are other ways that
Symantec leverages Insight in Symantec
Endpoint Protection 12?
15
Download Insight
• Download Insight is a technology that checks the reputation of
binaries being downloaded and blocks them if they are “Bad”.
• Download Insight scans files when they are downloaded using
what we term a portal application (IE. Firefox, IE)
16
Faster Scans
On a typical system, 70% of active
applications can be skipped!
Traditional Scanning
Insight - Optimized Scanning
Has to scan every file
Skips any file we are sure is good,
leading to much faster scan times
17
Scan Speed
Symantec Endpoint Protection Scans:
3.5X faster than McAfee
2X faster than Microsoft
Ranked 1st in overall Performance!
160
140
120
100
80
60
40
20
0
Symantec
Kaspersky
Trend Micro
Microsoft
Sophos
PassMark™ Software, Feb., 2011 - http://www.passmark.com/AVReport
McAfee
Average
18
Create Policies based on Risk Tolerance
Only software
with at least
10,000 users over
2 months old.
Can install
medium-reputation
software with at
least 100 other
users.
No restrictions
but machines must
comply with
access control
policies.
Finance Dept
Help Desk
Developers
19
Symantec Online Network for Advanced Response (SONAR)
This information enables three new features
20
Now, lets review how Symantec Insight
and SONAR are utilized to strengthen
and augment security in SEP 11 as well as
reduce false positives.
The Security Stack – for 32 & 64 bit systems
Network IPS
& Browser
Protect & FW
Insight
Lookup
Heuristics &
Signature Scan
Real time
behavioral
SONAR
IPS & Browser Protection
• Firewall
• Network & Host IPS
• Monitors vulnerabilities
• Monitors traffic
• Looks for system
changes
Stops stealth installs and drive
by downloads
Focuses on the vulnerabilities,
not the exploit
Improved firewall supports IPv6,
enforces policies
23
Insight – Provides Context
Network IPS &
Browser
Protect
Insight
Heuristics &
Signature Scan
Real time
behavioral
SONAR
Insight
Reputation on 2.5 Billion
files
Adding 31 million per
week
Identifies new and mutating files
Feeds reputation to our other
security engines
Only system of its kind
24
File Scanning
Network IPS &
Browser
Protect
Insight
Heuristics &
Signature Scan
Real time
behavioral
SONAR
File Scanning
Cloud and Local Signatures
New, Improved update
mechanism
Most accurate heuristics on the
planet.
Uses Insight to prevent false
positives
25
SONAR – Completes the Protection Stack
Network IPS &
Browser
Protect
Insight
Lookup
File Based
Protection –
Sigs/Heuristics
Real time
behavioral
SONAR
SONAR
• Monitors processes and
threads as they execute
• Rates behaviors
• Feeds Insight
Only hybrid behavioralreputation engine on the planet
Monitors 400 different
application behaviors
Selective sandbox (ex Adobe)
26
What about the actual performance
impact on the client with SEP 12.
SEP Client Impact on Memory Use
180.0
160.0
140.0
120.0
100.0
80.0
60.0
40.0
20.0
0.0
Memory Usage
Symantec
Kaspersky
Trend
Micro
McAfee
Sophos
Microsoft
Average
Symantec Endpoint Protection uses:
66% less memory than McAfee
76% less memory than Microsoft
PassMark™ Software, Feb., 2011 - http://www.passmark.com/AVReport
28
Will SEP 12 do anything to continue
improving performance for guests in
virtual environments.
SEP 12 Built for Virtual Environments
Virtual Client
Tagging
Virtual Image
Exception
Shared Insight
Cache
Resource
Leveling
Together – up to 90% reduction in disk IO
30
Centralized Security Management Plus
Convergence and Integration with Operational Tools
Symantec Management Platform
IT Analytics for SEP
Workflow
SPC v1
SPC v2
31
Symantec Management Platform
Path to Full PC Lifecycle Management
Symantec
Altiris
Altiris
Endpoint Protection
Software Delivery
Client Management
Integrated Component
Suite
Suite
• Streamline migrations
• Initiate scans or agent health tasks
• Dashboards integrate security and
operational information
•Apply Patches
•Ensure software is installed and stays
installed
• Report machines not connecting
•Identify missing hard-drives
• Policy-based software delivery
• Application Management
• Software Virtualization
• Patch Management
• Backup and Recovery
• Application Usage
• Remote Control
32
Enhanced Reporting - IT Analytics for SEP
• Ad-hoc Data Mining – Pivot Tables
– Data from multiple Symantec Endpoint Protection
Servers
– Break down by virus occurrences, computer details,
history of virus definition distribution . . .
• Charts, Reports and Trend Analysis
– Alert & risk categorization trends over time
– Monitor trends of threats & infections detected by
scans
• Dashboards
– Overview of clients by version
– Summary of threat categorization and action taken
for a period of time
– Summary of Virus and IPS signature distribution
33
Workflow
Integrate IT Tools to Match Business Processes
• Graphical tool
• Integration across products
•3rd party integration
•Process control
• Timeouts
• Escalations
• Delegation
• Auditing
34
Symantec Protection Center v1
Centralized Security Console
• Features
– Single Sign-On
– Central Access to Products Reports and Dashboards
– Basic Gin Feeds
• Product Coverage
– Symantec Endpoint Protection
– Symantec Network Access Control
– Symantec Data Loss Prevention
– Symantec Critical Systems Protection
– IT Analytics
– Symantec Brightmail Gateway
35
Symantec Protection Center v2
Symantec Protection Center
Cross Product
Automation
Cross Product Reports
& Dashboards
Symantec
Protection
Suites
Encryption
Single Sign On and
Console Access
Symantec EP
and NAC
Data Loss
Prevention
Control
Compliance
Suite
Native Management
for select products
Endpoint
Management
3rd Party /
Cloud Based
Products
Data Feeds
GIN Feeds
Protection
Center
Appliance
36
Thank You!
Bill Musson
William_musson@symantec.com
808-220-4061
37
Download