Redefining Endpoint Security: Symantec Endpoint Protection Russ Jensen Sr. Presales Engineer, CISSP, MCSE

Redefining Endpoint Security: Symantec Endpoint Protection · Symantec Endpoint Protection – Jasper (SEP 11.0.6) •SEPM managed Mac client (AV Only) •Symantec Protection Center


Key Ingredients for Endpoint Protection

Antivirus

• World’s leading AV solution

• Most (44) consecutive VB100 Awards

Virus Bulletin – June 2009

Symantec:

• Submitted all supported environments for analysis since Nov. ’99

• ONLY vendor to obtain 44 consecutive VB100 Awards

[Diagram: protection layer "Antivirus"; threat label "Viruses, Trojans, Worms"]

Key Ingredients for Endpoint Protection

Antispyware

• Best rootkit detection and removal

• VxMS = superior rootkit protection

Source: Thompson Cyber Security Labs,

[Diagram: protection layers "Antivirus", "Antispyware"; threat labels "Viruses, Trojans, Worms", "Spyware, Rootkits"]

Key Ingredients for Endpoint Protection

Firewall

• Industry leading endpoint firewall technology

• Gartner MQ “Leader” – 4 consecutive years

• Rules based FW can dynamically adjust port settings to block threats from spreading

[Diagram: protection layers "Antivirus", "Antispyware", "Firewall"; threat labels "Viruses, Trojans, Worms", "Spyware, Rootkits", "Worms, Spyware"]

Key Ingredients for Endpoint Protection

Intrusion Prevention

• Combines NIPS (network) and HIPS (host)

• Generic Exploit Blocking (GEB) – one signature to proactively protect against all variants

• Granular application access control

• TruScan™ – Proactive Threat Scanning technology – very low (0.0049%) false positive rate

• Detects 1,000 new threats/month – not detected by leading AV engines

[Chart: "No False Alarm" vs. "False Alarms"; 25M installations; fewer than 50 false positives for every 1 MM PCs]

[Diagram: protection layers "Antivirus", "Antispyware", "Firewall", "Intrusion Prevention"; threat labels "Worms, Spyware", "Spyware, Rootkits", "Viruses, Trojans, Worms", "0-day, Key Logging"]

Intrusion Prevention System (IPS)

Combined technologies offer best defense

Intrusion Prevention (IPS): Network IPS (NIPS) and Host IPS (HIPS)

• Deep packet inspection – attack-facing (Symantec sigs. via LiveUpdate, custom sigs, SNORT-like)

• TruScan™ – behavior-based (Proactive Threat Scan technology)

• Generic Exploit Blocking – vulnerability-facing (signatures for vulnerability)

• System Lockdown – white listing (tightly control which applications can run)

Key Ingredients for Endpoint Protection

Device and Application Control

• Prevents data leakage

• Restrict access to devices (USB keys, back-up drives)

• Whitelisting – allow only “trusted” applications to run

[Diagram: protection layers "Antivirus", "Antispyware", "Firewall", "Intrusion Prevention", "Device and Application Control"; threat labels "Spyware, Rootkits", "Viruses, Trojans, Worms", "Worms, Spyware", "Slurping, IP theft", "0-day, Key Logging"]

Results:

Reduced Cost, Complexity & Risk Exposure

Increased Protection, Control & Manageability

Single Agent, Single Console

Symantec Endpoint Protection

[Diagram: protection layers "Antivirus", "Antispyware", "Firewall", "Intrusion Prevention", "Device and Application Control"]

Comprehensive Reporting

• 50+ pre-defined reports

• Customizable Dashboard

• Monitors

What’s new in Symantec Endpoint Protection?

• Clients for Mac OS X and Linux

• Resource Utilization Leveling for Virtualization

• Symantec Endpoint Recovery Tool

• IT Analytics™ for Advanced Reporting

• Symantec Protection Center

Mac Support

• Mac Intel and PPC, OSX10.4 (Tiger), OSX 10.5 (Leopard), OSX 10.6 (Snow Leopard)

• Blocks both Mac and PC viruses - preventing Mac users from spreading PC viruses

• Manage Mac OS X and PC clients from one console

• Compatible with Apple Remote Desktop and other software distribution tools

Macintosh Management from SEPM Console

• Client package and group

• Policies

– Antivirus and Antispyware policy

– Centralized Exceptions policy

– LiveUpdate policy

• Run commands

– Enable Auto-Protect

– Restart Client Computers

– Scan

– Update Content

– Update Content and Scan

SEP for Mac Features

Area: Features/Details

Management

• Execute commands from SEPM to Mac Clients

• Reporting/Dashboard view, license auditing of Mac Clients

• Policy Configuration (including AntiVirus/AntiSpyware, LiveUpdate, Centralized Exceptions)

• Note: Mac clients can receive content (definitions) from LiveUpdate (No SEPM Updates)

– Administrators can also set up LiveUpdate Administrator as another option

• Note: Deployment of Mac client packages to remote Mac systems via SEPIC, email deployment and Third Party applications (i.e. Apple Remote Desktop, etc)

Migration

• Supports migration of existing SAV for Mac clients to SEP for Mac

• Supports migration of clients/group membership from existing SACM to SEPM

Client

• Mac AV Client enhanced to support being managed by SEP Manager

• Supports Mac OS 10.4, 10.5, and 10.6 operating systems

• Localized for English and Japanese languages

Virtualization in Symantec Endpoint Protection

• SEP 11.0.6 supports virtualization today

– VMware (at least WS 5.0, GSX 3.2, and ESX 2.5)

– Microsoft Virtual Server 2005

– Hyper-V

• Supporting Documentation

Virtualization Best Practices White Paper

Best Practices Guide

SEP 11.0.6 Enhanced for Virtual Environments

• A client in each VM

• “Utilization Leveling”

– Randomized scan times prevent CPU utilization spikes

– Randomized updates – from SEP Management server or directly from Symantec

• Performance optimized scan engine with IO aware Scan Tuning, and multithreading

• CPU utilization aware scanning

• Removes the latency associated with definition updates on virtual desktops

Symantec Endpoint Recovery Tool

Boots outside your OS so deeply embedded malware can be detected and removed easier than ever before.

• New wizard creates recovery tool

• Burns CD/DVD, install to USB or create ISO File

• State-of-the-art malware removal and remediation

IT Analytics - Symantec Endpoint Protection

• Optimize investment in Endpoint Protection

– Make fully informed decisions about organization’s performance and security

• Continuously improve IT Security operations

– Timeliness & quality of information

– Observe compliance standards and reduce costs

– Top level summary of your essential IT Security data

– Analyze trends and diagnose outbreaks

• Improve scalability

– Offload reporting & replication burden from SEPM

– Increases speed of useful report generation

[Diagram: SEP Database; Analysis & Reporting Services]

IT Analytics - Symantec Endpoint Protection

• Ad-hoc Data Mining – Visibility

– Navigate & explore a unified view of data extracted from multiple Symantec Endpoint Protection Servers

– Break down Symantec Endpoint Protection client data by virus occurrences, computer details, history of virus definition distribution, and much more

• Charts, Reports and Trend Analysis – Improve productivity

– Symantec Endpoint Protection client settings communication history

– Alert & risk categorization trends over time

– Monitor trends of threats & infections detected by scans

• Executive Dashboards – Holistic View / Strategic Decisions

Examples of Endpoint Protection dashboards might include:

– Overview of Symantec Endpoint Protection clients by version

– Summary of threat categorization and action taken for a period of time

– Summary of Virus Definition and Intrusion Prevention Signature distribution

SEP Reporting

Tactical View of frontline endpoint defenses. Current view of events and the state of SEP clients.

IT Analytics

Strategic View over time of endpoint defenses. Trend analysis and data mining via a consolidated view of multiple Endpoint Protection Managers.

Symantec Security Incident Manager

Centralized security event reporting. Correlation between SEP, CCS, DLP and other vendor solutions. Incident response and forensics.

Symantec Protection Center

Threat Visibility | Increased Productivity | Unparalleled Intelligence

Single Console Access

• Pinpoint Threats Faster

• Deep Visibility Across Infrastructure

• Integrated GIN

• Real-Time Consolidated Access

• Lowered TCO

• Single-Sign On for Improved Productivity

• Faster Time To Remediate Threats

• Automated Intelligence; Less Risk

• Use Case Based Scenarios

Key Security Challenges For Enterprise

• Lack of Security Visibility

• No Understanding of Risk

• Sophistication Is Increasing

• Budgets Are Decreasing

• Faster, More Complex Threats

• Slow Response Times

Roadmap Development Guiding Principles

Agent Simplification

• Agent consolidation

• Smaller footprints

• Minimal performance impact

• Prompt platform support

Detection, Remediation & Response

• Change threat economics

• Expanding technology toolkit

• In-product and online delivery

• Leverage Symantec scale

Visibility & Orchestration

• Console consolidation

• Flexible process automation

• Auditability

• Cross-organization alignment

Superior Protection | Drive Efficiency | Reduce Complexity

Key Bets:

• End users want security to be invisible

• Changing the cost of attack changes the threat landscape

• The right centralized management drives out operational cost

• Endpoint Security and Management are converging

Jasper

Release | Date | Theme

11.0.5 (Jade) | September 2009 | Environment Coverage

11.0.6 (Jasper) | Q2 2010 | Unified Management

12.1 (Amber) | 1H 2011 | Revolutionary Protection

Symantec Endpoint Protection – Jasper (SEP 11.0.6)

• SEPM managed Mac client (AV Only)

• Symantec Protection Center

– Web-based, cross product UI portal

– Cross product reports

– SSO/RBAC

• Symantec Endpoint Recovery Tool

– Posted online for download

• Quality Data Collection

• Virtualization: Randomized Scheduled Scan

Downloading Symantec Endpoint Protection 11

Visit the NUIT Web site to download a copy of this software or to view quick reference guides and step-by-step instructions for Windows or Mac machines.

www.it.northwestern.edu/software/sav/

Thank you!

Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

Russ Jensen

320-761-8948
