State of Hawaii Symantec Protection Suite Briefing
Bill Musson, CISSP, Senior Systems Engineer

Slide 2: Agenda
• Symantec Endpoint Protection SEP11 Overview
• Symantec Endpoint Protection SEP12 Overview
  – Symantec Insight
  – Symantec Online Network for Advanced Response (SONAR)
• Centralized Security Management
  – Symantec Management Platform
  – IT Analytics for SEP
  – Workflow
  – SPC v1
  – SPC v2

Slide 3: Symantec Endpoint Protection 11

Slide 4: Symantec Endpoint Protection 11
Single Agent, Single Console. Components, all managed by Symantec Endpoint Protection Manager:
• Antivirus
• Antispyware
• Firewall
• Intrusion Prevention
• Device and Application Control
• Network Access Control (SEP 11 / NAC 11)
Results:
• Increased Protection, Control & Manageability
• Reduced Cost, Complexity & Risk Exposure

Slide 5: Gartner Magic Quadrant for EPP
[Gartner Magic Quadrant chart; only the title survives extraction.]

Slide 6: Symantec Endpoint Protection 12
• Symantec Insight
• Symantec Online Network for Advanced Response (SONAR)

Slide 7: The Problem: No Existing Protection Addresses the "Long Tail"
Today, both good and bad software obey a long-tail distribution.
[Diagram: count of Good Files and Bad Files plotted against Prevalence. Whitelisting works well for the high-prevalence good files; blacklisting works well for the high-prevalence bad files.]
Unfortunately neither technique works well for the tens of millions of files with low prevalence (but this is precisely where the majority of today's malware falls). For this long tail a new technique is needed.

Slide 8: The Inspiration
Only malware mutates. So . . . if an executable is unique, it's suspicious . . . but how to know if a file is unique?

Slide 9
• How many copies of this file exist?
• How new is this program?
• Is it signed?
• How often has this file been downloaded?
• How many people are using it?
• Where is it from?
• Does it have a security rating?
• Have other users reported infections?
• Is the source associated with infections?
• What rights are required?
• How will this file behave if executed?
• Is the file associated with files that are linked to infections?
• Does the file look similar to malware?
• How old is the file?
• Is the source associated with SPAM?
• Who created it?
• Is the source associated with many new files?
• Who owns it?
• What does it do?

Slide 10: Achilles Heel of Mutated Threats (Unrivaled Security)
• Hackers mutate threats to evade fingerprints
• Mutated threats stick out like a sore thumb
• Virus Writer's Catch-22
  – Mutate too much = Insight finds it
  – Mutate too little = Easy to discover & fingerprint

Slide 11: Symantec Insight: The context of a file is as telling as its content
[Diagram: the file-context questions from slide 9 (rights required, behavior if executed, association with infected files, similarity to malware, file age, source associated with SPAM or infections, other users' infection reports, creator) are distilled into three scales: Reputation (BAD or GOOD), Prevalence (LOW or HI) and Age (NEW or OLD). "The context you need."]

Slide 12: How it works
1. Build a collection network
2. Rate nearly every file on the internet
3. Look for associations: Prevalence, Age, Source, Behavior, Associations
4. Check the DB during scans: Is it new? Bad reputation? Then Allow or Deny
5. Provide actionable data

Slide 15 (speaker note): First, Insight is used for manual scans of endpoints. What are other ways that Symantec leverages Insight in Symantec Endpoint Protection 12?

Slide 16: Download Insight
• Download Insight is a technology that checks the reputation of binaries being downloaded and blocks them if they are "Bad".
• Download Insight scans files when they are downloaded using what we term a portal application (e.g. Firefox, IE).

Slide 17: Faster Scans
On a typical system, 70% of active applications can be skipped!
• Traditional Scanning: has to scan every file.
• Insight-Optimized Scanning: skips any file we are sure is good, leading to much faster scan times.

Slide 18: Scan Speed
Symantec Endpoint Protection scans 3.5X faster than McAfee and 2X faster than Microsoft. Ranked 1st in overall performance!
[Bar chart of scan time (y-axis 0 to 160) for Symantec, Kaspersky, Trend Micro, Microsoft, Sophos, McAfee and the average. Source: PassMark™ Software, Feb. 2011, http://www.passmark.com/AVReport]

Slide 19: Create Policies based on Risk Tolerance
• Finance Dept: Only software with at least 10,000 users over 2 months old.
• Help Desk: Can install medium-reputation software with at least 100 other users.
• Developers: No restrictions, but machines must comply with access control policies.

Slide 20: Symantec Online Network for Advanced Response (SONAR)
This information enables three new features.

Speaker note: Now, let's review how Symantec Insight and SONAR are utilized to strengthen and augment security in SEP 11 as well as reduce false positives.

Slide 23: The Security Stack – for 32 & 64 bit systems
[Stack layers: Network IPS & Browser Protect & FW; Insight Lookup; Heuristics & Signature Scan; Real time behavioral (SONAR).]
IPS & Browser Protection
• Firewall
• Network & Host IPS
• Monitors vulnerabilities
• Monitors traffic
• Looks for system changes
Stops stealth installs and drive-by downloads. Focuses on the vulnerabilities, not the exploit. Improved firewall supports IPv6 and enforces policies.

Slide 24: Insight – Provides Context
[Stack layers: Network IPS & Browser Protect; Insight; Heuristics & Signature Scan; Real time behavioral (SONAR).]
Insight
• Reputation on 2.5 Billion files
• Adding 31 million per week
• Identifies new and mutating files
• Feeds reputation to our other security engines
• Only system of its kind

Slide 25: File Scanning
[Stack layers: Network IPS & Browser Protect; Insight; Heuristics & Signature Scan; Real time behavioral (SONAR).]
File Scanning
• Cloud and Local Signatures
• New, improved update mechanism
• Most accurate heuristics on the planet
• Uses Insight to prevent false positives

Slide 26: SONAR – Completes the Protection Stack
[Stack layers: Network IPS & Browser Protect; Insight Lookup; File Based Protection (Sigs/Heuristics); Real time behavioral (SONAR).]
SONAR
• Monitors processes and threads as they execute
• Rates behaviors
• Feeds Insight
• Only hybrid behavioral-reputation engine on the planet
• Monitors 400 different application behaviors
• Selective sandbox (e.g. Adobe)

Speaker note: What about the actual performance impact on the client with SEP 12?

Slide 28: SEP Client Impact on Memory Use
[Bar chart of memory usage (y-axis 0.0 to 180.0) for Symantec, Kaspersky, Trend Micro, McAfee, Sophos, Microsoft and the average. Source: PassMark™ Software, Feb. 2011, http://www.passmark.com/AVReport]
Symantec Endpoint Protection uses 66% less memory than McAfee and 76% less memory than Microsoft.

Speaker note: Will SEP 12 do anything to continue improving performance for guests in virtual environments?

Slide 30: SEP 12 Built for Virtual Environments
• Virtual Client Tagging
• Virtual Image Exception
• Shared Insight Cache
• Resource Leveling
Together: up to 90% reduction in disk IO.

Slide 31: Centralized Security Management
Plus Convergence and Integration with Operational Tools
• Symantec Management Platform
• IT Analytics for SEP
• Workflow
• SPC v1
• SPC v2

Slide 32: Symantec Management Platform: Path to Full PC Lifecycle Management
Three components: Symantec Endpoint Protection Integrated Component, Altiris Software Delivery Suite, Altiris Client Management Suite. Capabilities listed across the three:
• Streamline migrations
• Initiate scans or agent health tasks
• Dashboards integrate security and operational information
• Apply Patches
• Ensure software is installed and stays installed
• Report machines not connecting
• Identify missing hard-drives
• Policy-based software delivery
• Application Management
• Software Virtualization
• Patch Management
• Backup and Recovery
• Application Usage
• Remote Control

Slide 33: Enhanced Reporting: IT Analytics for SEP
• Ad-hoc Data Mining
  – Pivot Tables
  – Data from multiple Symantec Endpoint Protection Servers
  – Break down by virus occurrences, computer details, history of virus definition distribution . . .
• Charts, Reports and Trend Analysis
  – Alert & risk categorization trends over time
  – Monitor trends of threats & infections detected by scans
• Dashboards
  – Overview of clients by version
  – Summary of threat categorization and action taken for a period of time
  – Summary of Virus and IPS signature distribution

Slide 34: Workflow: Integrate IT Tools to Match Business Processes
• Graphical tool
• Integration across products
• 3rd party integration
• Process control
• Timeouts
• Escalations
• Delegation
• Auditing

Slide 35: Symantec Protection Center v1: Centralized Security Console
• Features
  – Single Sign-On
  – Central Access to Products' Reports and Dashboards
  – Basic GIN Feeds
• Product Coverage
  – Symantec Endpoint Protection
  – Symantec Network Access Control
  – Symantec Data Loss Prevention
  – Symantec Critical Systems Protection
  – IT Analytics
  – Symantec Brightmail Gateway

Slide 36: Symantec Protection Center v2
Protection Center Appliance providing:
• Cross Product Automation
• Cross Product Reports & Dashboards
• Single Sign On and Console Access
• Native Management for select products
• Data Feeds / GIN Feeds
Products connected: Symantec Protection Suites, Encryption, Symantec EP and NAC, Data Loss Prevention, Control Compliance Suite, Endpoint Management, 3rd Party / Cloud Based Products.

Slide 37: Thank You!
Bill Musson
William_musson@symantec.com
808-220-4061
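The slides "How it works", "Faster Scans" and "Create Policies based on Risk Tolerance" describe the same decision in three places: look a file up by prevalence, age and reputation, deny anything with a bad reputation, apply a per-department risk threshold, and skip scanning files that are known good. The following Python is an added worked example of that logic; it is not Symantec code and does not reproduce Insight's internals. The data classes, the policy table, the reading of "2 months" as 60 days, the threshold for "sure it is good" and every sample file are constructed assumptions.

```python
"""Reputation-based allow/deny and scan-skipping, modelled on the Insight slides.

Added illustration, not Symantec's code: the file attributes (prevalence, age,
reputation) follow the "How it works" and "Symantec Insight" slides, the
department thresholds follow "Create Policies based on Risk Tolerance", and
the scan-skipping rule follows "Faster Scans". The data classes, the policy
table, the "sure it is good" threshold and every sample file are constructed
for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Reputation(Enum):
    """Ordered reputation bands; LOW stands for the unknown "long tail"."""
    BAD = 0
    LOW = 1
    MEDIUM = 2
    GOOD = 3


@dataclass(frozen=True)
class FileContext:
    """Context a reputation lookup would return for one file (constructed fields)."""
    sha256: str
    prevalence: int              # number of users seen with this file
    age_days: int                # days since the collection network first saw it
    reputation: Reputation
    nac_compliant: bool = True   # the endpoint meets access-control policy


@dataclass(frozen=True)
class Policy:
    min_prevalence: int
    min_age_days: int
    min_reputation: Reputation
    require_nac: bool


# Thresholds as stated on slide 19; "2 months" is taken as 60 days (assumption).
POLICIES: dict[str, Policy] = {
    "finance":    Policy(10_000, 60, Reputation.LOW, require_nac=False),
    "help_desk":  Policy(100, 0, Reputation.MEDIUM, require_nac=False),
    "developers": Policy(0, 0, Reputation.LOW, require_nac=True),
}


def decide(department: str, f: FileContext) -> tuple[str, str]:
    """Return ("allow" | "deny", reason) for file f under the department policy.

    A BAD reputation is denied for everyone first (the "Bad reputation? ->
    Deny" step of the How-it-works slide); the remaining checks are the
    department's risk-tolerance thresholds.
    """
    policy = POLICIES[department]
    if f.reputation is Reputation.BAD:
        return "deny", "bad reputation"
    if policy.require_nac and not f.nac_compliant:
        return "deny", "endpoint not compliant with access control policy"
    if f.prevalence < policy.min_prevalence:
        return "deny", f"prevalence {f.prevalence} below {policy.min_prevalence}"
    if f.age_days < policy.min_age_days:
        return "deny", f"age {f.age_days} days below {policy.min_age_days}"
    if f.reputation.value < policy.min_reputation.value:
        return "deny", f"reputation {f.reputation.name} below {policy.min_reputation.name}"
    return "allow", "meets policy"


def files_to_scan(files: list[FileContext]) -> list[FileContext]:
    """Insight-optimised scan list: drop files we are "sure" are good.

    What counts as sure is an assumption here: GOOD reputation, at least
    10,000 users and at least 60 days old. Everything else still gets the
    signature/heuristic scan.
    """
    return [
        f for f in files
        if not (f.reputation is Reputation.GOOD
                and f.prevalence >= 10_000
                and f.age_days >= 60)
    ]


# Constructed sample files (hashes are placeholders, not real file hashes).
SAMPLE_FILES: dict[str, FileContext] = {
    "widely_used_tool": FileContext("sha256-placeholder-1", 250_000, 400, Reputation.GOOD),
    "new_unique_binary": FileContext("sha256-placeholder-2", 1, 0, Reputation.LOW),
    "niche_utility": FileContext("sha256-placeholder-3", 350, 90, Reputation.MEDIUM),
    "known_bad": FileContext("sha256-placeholder-4", 50_000, 30, Reputation.BAD),
    "dev_box_noncompliant": FileContext("sha256-placeholder-5", 3, 2, Reputation.LOW,
                                        nac_compliant=False),
}


def verdicts(department: str) -> dict[str, str]:
    """Allow/deny verdict for every sample file under one department policy."""
    return {name: decide(department, f)[0] for name, f in SAMPLE_FILES.items()}


if __name__ == "__main__":
    for dept in POLICIES:
        print(dept, verdicts(dept))
    print("files still needing a scan:",
          [f.sha256 for f in files_to_scan(list(SAMPLE_FILES.values()))])
```

Two points of the ordering matter in practice. The bad-reputation check runs before any prevalence test, so a widely distributed file with a bad rating is still denied for the permissive developer policy; and the single-user, zero-day-old binary that the finance policy refuses is exactly the "unique executable" the slides call suspicious, which the developer policy allows only because that policy leans on access-control compliance and the behavioral (SONAR) layer rather than on prevalence.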