Redefining Endpoint Security: Symantec Endpoint Protection
Russ Jensen Sr. Presales Engineer, CISSP, MCSE
Key Ingredients for Endpoint Protection
Redefining Endpoint Security
Antivirus (Viruses, Trojans, Worms)
• World’s leading AV solution
• Most (44) consecutive VB100 Awards
Virus Bulletin – June 2009
Symantec:
• Submitted all supported environments for analysis since Nov. ‘99
• ONLY vendor to obtain 44 consecutive VB100 Awards
Key Ingredients for Endpoint Protection
Antispyware (Spyware, Rootkits)
• Best rootkit detection and removal
• VxMS = superior rootkit protection
Source: Thompson Cyber Security Labs
Key Ingredients for Endpoint Protection
Firewall (Worms, Spyware)
• Industry leading endpoint firewall technology
• Gartner MQ “Leader” – 4 consecutive years
• Rules-based FW can dynamically adjust port settings to block threats from spreading
Key Ingredients for Endpoint Protection
Intrusion Prevention (0-day, Key Logging)
• Combines NIPS (network) and HIPS (host)
• Generic Exploit Blocking (GEB) – one signature to proactively protect against all variants
• Granular application access control
• TruScan™ – Proactive Threat Scanning technology – very low (0.0049%) false positive rate
• Detects 1,000 new threats/month not detected by leading AV engines
(Chart: false alarms vs. no false alarm across 25M installations – fewer than 50 false positives for every 1 MM PCs)
Intrusion Prevention System (IPS) – Combined technologies offer best defense
Intrusion Prevention (IPS) combines Network IPS ((N)IPS) and Host IPS ((H)IPS):
• Deep packet inspection – attack-facing (Symantec sigs. via LiveUpdate, custom sigs, SNORT-like)
• TruScan™ – behavior-based (Proactive Threat Scan technology)
• Generic Exploit Blocking – vulnerability-facing (signatures for vulnerability)
• System Lockdown – white listing (tightly control which applications can run)
Key Ingredients for Endpoint Protection
Device and Application Control (Slurping, IP theft)
• Prevents data leakage
• Restricts access to devices (USB keys, back-up drives)
• Whitelisting – allow only “trusted” applications to run
Results: Symantec Endpoint Protection – Single Agent, Single Console
(Antivirus, Antispyware, Firewall, Intrusion Prevention, Device and Application Control)
Reduced: Cost, Complexity & Risk Exposure
Increased: Protection, Control & Manageability
Comprehensive Reporting
• 50+ pre-defined reports
• Customizable Dashboard
• Monitors
What’s new in Symantec Endpoint Protection?
• Clients for Mac OS X and Linux
• Resource Utilization Leveling for Virtualization
• Symantec Endpoint Recovery Tool
• IT Analytics™ for Advanced Reporting
• Symantec Protection Center
Mac Support
• Mac Intel and PPC; OS X 10.4 (Tiger), OS X 10.5 (Leopard), OS X 10.6 (Snow Leopard)
• Blocks both Mac and PC viruses - preventing Mac users from spreading PC viruses
• Manage Mac OS X and PC clients from one console
• Compatible with Apple Remote Desktop and other software distribution tools
Macintosh Management from SEPM Console
• Client package and group
• Policies
– Antivirus and Antispyware policy
– Centralized Exceptions policy
– LiveUpdate policy
• Run commands
– Enable Auto-Protect
– Restart Client Computers
– Scan
– Update Content
– Update Content and Scan
SEP for Mac Features
Management
• Execute commands from SEPM to Mac clients
• Reporting/Dashboard view, license auditing of Mac clients
• Policy configuration (including AntiVirus/AntiSpyware, LiveUpdate, Centralized Exceptions)
• Note: Mac clients receive content (definitions) from LiveUpdate (no SEPM updates); administrators can also set up LiveUpdate Administrator as another option
• Note: Deployment of Mac client packages to remote Mac systems via SEPIC, email deployment and third-party applications (e.g. Apple Remote Desktop)
Migration
• Supports migration of existing SAV for Mac clients to SEP for Mac
• Supports migration of clients/group membership from existing SACM to SEPM
Client
• Mac AV client enhanced to support being managed by SEP Manager
• Supports Mac OS X 10.4, 10.5, and 10.6 operating systems
• Localized for English and Japanese languages
Virtualization in Symantec Endpoint Protection
• SEP 11.0.6 supports virtualization today
– VMware (at least WS 5.0, GSX 3.2, and ESX 2.5)
– Microsoft Virtual Server 2005
– Hyper-V
• Supporting documentation
– Virtualization Best Practices White Paper
– Best Practices Guide
Symantec Endpoint Protection Virtualization
SEP 11.0.6 Enhanced for Virtual Environments
• A client in each VM
• “Utilization Leveling”
– Randomized scan times prevent CPU utilization spikes
– Randomized updates – from SEP Management server or directly from Symantec
• Performance optimized scan engine with IO-aware scan tuning and multithreading
• CPU utilization aware scanning
• Removes the latency associated with definition updates on virtual desktops
Symantec Endpoint Recovery Tool
Boots outside your OS so deeply embedded malware can be detected and removed more easily than ever before.
• New wizard creates the recovery tool
• Burns CD/DVD, installs to USB or creates an ISO file
• State-of-the-art malware removal and remediation
IT Analytics – Symantec Endpoint Protection
• Optimize investment in Endpoint Protection
– Make fully informed decisions about the organization’s performance and security
• Continuously improve IT Security operations
– Timeliness & quality of information
– Observe compliance standards and reduce costs
– Top level summary of your essential IT Security data
– Analyze trends and diagnose outbreaks
• Improve scalability
– Offload reporting & replication burden from SEPM
– Increases speed of useful report generation
(Diagram: SEP Database → Analysis & Reporting Services)
IT Analytics – Symantec Endpoint Protection
• Ad-hoc Data Mining – Visibility
– Navigate & explore a unified view of data extracted from multiple Symantec Endpoint Protection Servers
– Break down Symantec Endpoint Protection client data by virus occurrences, computer details, history of virus definition distribution, and much more
• Charts, Reports and Trend Analysis – Improve productivity
– Symantec Endpoint Protection client settings communication history
– Alert & risk categorization trends over time
– Monitor trends of threats & infections detected by scans
• Executive Dashboards – Holistic View / Strategic Decisions
Examples of Endpoint Protection dashboards might include:
– Overview of Symantec Endpoint Protection clients by version
– Summary of threat categorization and action taken for a period of time
– Summary of Virus Definition and Intrusion Prevention Signature distribution
SEP Reporting – Tactical view of frontline endpoint defenses: current view of events and the state of SEP clients.
IT Analytics – Strategic view over time of endpoint defenses: trend analysis and data mining via a consolidated view of multiple Endpoint Protection Managers.
Symantec Security Incident Manager – Centralized security event reporting: correlation between SEP, CCS, DLP and other vendor solutions; incident response and forensics.
Symantec Protection Center
Key Security Challenges For Enterprise:
• Lack of Security Visibility
• No Understanding of Risk
• Sophistication Is Increasing
• Budgets Are Decreasing
• Faster, More Complex Threats
• Slow Response Times
Single Console Access – Threat Visibility, Increased Productivity, Unparalleled Intelligence:
• Pinpoint Threats Faster
• Deep Visibility Across Infrastructure
• Integrated GIN
• Real-Time Consolidated Access
• Lowered TCO
• Single-Sign On for Improved Productivity
• Faster Time To Remediate Threats
• Automated Intelligence; Less Risk
• Use Case Based Scenarios
Roadmap Development Guiding Principles
Agent Simplification
• Agent consolidation
• Smaller footprints
• Minimal performance impact
• Prompt platform support
Detection, Remediation & Response
• Change threat economics
• Expanding technology toolkit
• In-product and online delivery
• Leverage Symantec scale
Visibility & Orchestration
• Console consolidation
• Flexible process automation
• Auditability
• Cross-organization alignment
Goals: Superior Protection, Drive Efficiency, Reduce Complexity
Key Bets:
• End users want security to be invisible
• Changing the cost of attack changes the threat landscape
• The right centralized management drives out operational cost
• Endpoint Security and Management are converging
Release Roadmap
• 11.0.5 (Jade) – September 2009 – Environment Coverage
• 11.0.6 (Jasper) – Q2 2010 – Unified Management
• 12.1 (Amber) – 1H 2011 – Revolutionary Protection
Symantec Endpoint Protection – Jasper (SEP 11.0.6)
• SEPM managed Mac client (AV only)
• Symantec Protection Center
– Web-based, cross-product UI portal
– Cross-product reports
– SSO/RBAC
• Symantec Endpoint Recovery Tool
– Posted online for download
• Quality Data Collection
• Virtualization: Randomized Scheduled Scan
Downloading Symantec Endpoint Protection 11
Visit the NUIT Web site to download a copy of this software or to view quick reference guides and step-by-step instructions for Windows or Mac machines.
www.it.northwestern.edu/software/sav/
Thank you!
Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Russ Jensen
320-761-8948