Symantec Endpoint Protection 12.1 / Symantec Protection Center 2.0
Let me phone a friend…
Jimmy Sandberg, Presale Engineer

What’s new in Symantec Endpoint Protection 12.1
Blazing Performance
• Up to 70% reduction in scan overhead
• Smarter Updates
• Faster Management
Unrivaled Security
• Powered by Insight
• Real Time Behavior Monitoring with SONAR
Built for Virtual Environments
• Tested and optimized for virtual environments
• Higher VM densities
Symantec - SEP 12.1 & SPC 2.0
Research Powered by Global Intelligence Network
Identifies more threats, takes action faster & prevents impact
Information Protection: Preemptive Security Alerts, Threat Triggered Actions
Global Scope and Scale: Worldwide Coverage, 24x7 Event Logging
Rapid Detection
Attack Activity
• 240,000+ sensors
• 200+ countries and territories
Malware Intelligence
• 150M client, server, gateways monitored
• Global coverage
Vulnerabilities
• 35,000+ vulnerabilities
• 11,000 vendors
• 80,000 technologies
Spam/Phishing
• 5M decoy accounts
• 8B+ email messages/day
• 1B+ web requests/day
(Map of locations: Austin, TX; Mountain View, CA; Culver City, CA; San Francisco, CA; Taipei, Taiwan; Tokyo, Japan; Dublin, Ireland; Calgary, Alberta; Chengdu, China; Chennai, India; Pune, India)
The changing threat landscape - An explosion of malware
(Chart: traditional signatures created per day, 2000 to 2011)
In 2000: 5 signatures a day
In 2007: 1,500 signatures a day
In 2010: >50,000 signatures a day
• Expected by the end of 2011: >100,000 unique signatures a day
Malware authors have switched tactics
From: a mass distribution model – one worm hits millions of PCs
Storm made its way onto millions of machines across the globe
To: a micro distribution model
A hacked web site builds a trojan for each visitor
The average Harakit variant is distributed to 1.6 users!
75% of malware infects fewer than 50 machines
The Idea
Only malware mutates
So . . . if an executable is unique, it’s suspicious
. . . but how to know if a file is unique?
Foundation of reputation based security
Reputation:
• Game-changing approach
• Leverages data on hundreds of millions of files
• Reduces reliance on signatures
• Amplifies current protection
• Shifts the odds in our favor
The protection stack
(Stack diagram: Network IPS; Insight; Heuristics & Signature Scan; Real time behavioral – SONAR)
Network IPS
• Firewall
• Network & Host IPS
• Monitors vulnerabilities
• Monitors traffic
• Application & Device ctrl.
Stops stealth installs and drive-by downloads
Focuses on the vulnerabilities, not the exploit (GEB)
Improved firewall supports IPv6, enforces policies
Insight – Provides Context
(Stack diagram: Network IPS & Browser Protect; Insight; Heuristics & Signature Scan; Real time behavioral – SONAR)
Insight: before we scan – check the reputation
Identifies new and mutating files
Feeds reputation to our other security engines
Only system of its kind
How Symantec Insight works
1 Build a collection network: 175 million PCs, 3.0 billion files* (* Sept 2011)
2 Look for reputation: Prevalence, Age, Source, Behavior
3 Rate nearly every file on the internet
4 Check the DB during scans: Is it new? Bad reputation?
5 Provide actionable data
Insight - Reputation Protection
– Allow the customization of a policy for end user experience
– Threshold can be set for age and prevalence
– Log and report on infection source
– Includes protection for browsers, peer to peer apps, email, and chat
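The reputation idea from the slides ("if an executable is unique, it's suspicious") combined with the administrator-set age and prevalence thresholds and the paranoid-mode choice, as an added illustration that is not Symantec's code; the threshold values, the record fields and the sample hashes are all constructed for this example:

```python
from dataclasses import dataclass
from enum import Enum

class Verdict(Enum):
    TRUSTED = "trusted"      # well-known good: an Insight-optimized scan may skip it
    UNPROVEN = "unproven"    # new or rare: "if an executable is unique, it's suspicious"
    MALICIOUS = "malicious"  # the hash has been associated with infections

@dataclass(frozen=True)
class FileReputation:
    """Hypothetical per-hash record built from prevalence, age and infection history."""
    sha256: str
    prevalence: int          # distinct endpoints that reported this hash
    age_days: int            # days since the network first saw the hash
    infection_reports: int   # times the hash was tied to a confirmed infection

@dataclass(frozen=True)
class ReputationPolicy:
    """Administrator thresholds; the values are illustrative, not product defaults."""
    min_prevalence: int = 5      # fewer copies than this => unproven
    min_age_days: int = 2        # younger than this => unproven
    skip_trusted: bool = True    # False models a 'paranoid mode' that scans everything

def evaluate(rep: FileReputation, policy: ReputationPolicy) -> Verdict:
    """Order matters: known-bad evidence wins over any prevalence or age argument."""
    if rep.infection_reports > 0:
        return Verdict.MALICIOUS
    if rep.prevalence < policy.min_prevalence or rep.age_days < policy.min_age_days:
        return Verdict.UNPROVEN
    return Verdict.TRUSTED

def plan_scan(files, policy: ReputationPolicy):
    """Return (to_scan, skipped): only TRUSTED files are skipped, and only if policy allows."""
    to_scan, skipped = [], []
    for rep in files:
        verdict = evaluate(rep, policy)
        if verdict is Verdict.TRUSTED and policy.skip_trusted:
            skipped.append(rep.sha256)
        else:
            to_scan.append((rep.sha256, verdict))
    return to_scan, skipped

# Constructed sample inventory; the hash strings are placeholders, not real indicators.
SAMPLE = [
    FileReputation("fake-hash-1", prevalence=2_500_000, age_days=900, infection_reports=0),  # common OS file
    FileReputation("fake-hash-2", prevalence=1, age_days=0, infection_reports=0),            # unique, just appeared
    FileReputation("fake-hash-3", prevalence=40, age_days=1, infection_reports=0),           # spreading, still too young
    FileReputation("fake-hash-4", prevalence=12, age_days=30, infection_reports=3),          # linked to infections
]
```

With the default policy only the first file is skipped; setting skip_trusted=False (paranoid mode) sends all four to the scanner.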
So what is special about Insight?
Symantec Insight
• Ranks all executable files
• Tracks prevalence
• Tracks age
• Signatures for new malware
Only Insight can answer:
How old is the file?
How many copies are there?
Is the file associated with infections?
Only Insight can use reputation to identify mutating threats
File Scanning
(Stack diagram: Network IPS & Browser Protect; Insight; Heuristics & Signature Scan; Real time behavioral – SONAR)
File Scanning: Cloud and Local Signatures
New, improved update mechanism
Most accurate heuristics on the planet.
Uses Insight to prevent false positives
SONAR (TruScan) – Completes the Protection Stack
(Stack diagram: Network IPS & Browser Protect; Insight; Heuristics & Signature Scan; Real time behavioral – SONAR)
SONAR
• Monitors processes and threads as they execute
• Rates behaviors
• Feeds Insight
Only hybrid behavioral-reputation engine on the planet
Monitors 400 different application behaviors
SONAR was formerly known as TruScan
SONAR - Reputation Protection
– Enhanced by Insight to keep false positive detections to a minimum
– Analyzes file system and network behavior
– Tamper Protection utilizes same technology
Browser Intrusion Protection
– Can be updated in the field to protect against new browser vulnerabilities
– Protection for Internet Explorer, Firefox and Chrome
File-Based Signatures are NOT Enough
(Chart: AV detections vs IPS detections, 2009 and 2010; labelled values 33% and 50%)
SONAR – 53,000 malicious files and processes blocked/day; an increase of >3,000% since 2008
Insight helping convict >1,000,000 files/day
Insight blocking 90,000 downloads/day
Faster Scans with Insight
Traditional Scanning: has to scan every file
Insight - Optimized Scanning: skips any file we are sure is good, leading to much faster scan times
On a typical system, 70% of active applications can be skipped!
Improved client performance: ScanLess and Scan on Idle
– Use reputation to whitelist Symantec trusted and community trusted files
– Provide administrator with choices to use the information or run in paranoid mode
– Scan when system is idle
– Applicable to scheduled and on demand scans
And tons of new features and performance enhancements under the hood…
(Chart for demonstration purposes only)
SEP 12.1 is built for Virtual Environments
• Optimized for VMware, Citrix and Microsoft virtual environments
• Easy to identify and manage physical and virtual clients
• Maximizes performance and density without sacrificing security
• Best in class performance and security
(Diagram: Hypervisor with Scan Cache)
Virtualization Features
Image Exception
• Used on cloned images
• Excludes all files
• Reduces scan impact
Shared Insight Cache
• Clients share scan results
• Scan files once
• Leverages Insight
Virtual Client Tagging
• Identifies hypervisor
• Set group specific policy
• Search for virtual clients
Resource Leveling
• Used for all virtual systems
• Reduce overlap of events
• Scans and def updates
Enhances Management
Reduces Disk I/O up to 90%
Shared Insight Cache - High Level
(Diagram: VM Cluster* of two ESX Servers, each running six VMs, all sharing one Shared Insight Cache Server (SIC))
Cache table on the SIC server:
File Hash   Def Ver    Result
AE32D…      2011.1…    Clean
B923E…      2011.1…    Clean
F9123…      2011.1…    Clean
C3FDA…      2010.2…    Clean
*Works for ESX, Citrix and Hyper-V
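A model of the cache table above, added here as an illustration and not Symantec's implementation: clients scan a file once and share the (hash, definition version, result) row, a lookup counts as a hit only when the row is Clean and was produced with the definitions the client is using now (the 2010.2 row on the slide is stale and gets rescanned), and detections are never cached. The class and function names, the toy engine and the hash strings are constructed for this example:

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class CacheEntry:
    def_version: str   # definition set that produced the verdict
    result: str        # only "Clean" verdicts are worth sharing

class SharedInsightCache:
    """Hypothetical model of the SIC server: one table shared by every VM in the cluster."""
    def __init__(self) -> None:
        self._table: Dict[str, CacheEntry] = {}
        self.hits = 0    # engine scans avoided thanks to the cache
        self.scans = 0   # full engine scans actually performed

    def lookup(self, file_hash: str, current_defs: str) -> Optional[str]:
        """Hit only if the file was found Clean with the definitions the client uses now."""
        entry = self._table.get(file_hash)
        if entry is None or entry.result != "Clean" or entry.def_version != current_defs:
            return None
        self.hits += 1
        return entry.result

    def record(self, file_hash: str, current_defs: str, result: str) -> None:
        """Never cache a detection: the host that saw it must remediate it itself."""
        if result == "Clean":
            self._table[file_hash] = CacheEntry(current_defs, result)

def scan_file(cache: SharedInsightCache, file_hash: str, current_defs: str, engine):
    """One VM's client: ask the cache first, run the expensive engine only on a miss."""
    cached = cache.lookup(file_hash, current_defs)
    if cached is not None:
        return cached, "cache"
    cache.scans += 1
    result = engine(file_hash)
    cache.record(file_hash, current_defs, result)
    return result, "engine"

def demo() -> Tuple[int, int]:
    """Constructed run: six VMs boot the same image after definitions moved to 2011.1."""
    engine = lambda h: "Infected" if h == "hash-evil" else "Clean"  # toy engine, not a scanner
    cache = SharedInsightCache()
    cache.record("hash-old", "2010.2", "Clean")   # stale row, like C3FDA… 2010.2 on the slide
    image = ["hash-a", "hash-b", "hash-c", "hash-old", "hash-evil"]  # placeholder hashes
    for _vm in range(6):
        for h in image:
            scan_file(cache, h, "2011.1", engine)
    return cache.scans, cache.hits   # (10, 20): stale row rescanned once, detection never cached
```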
But, what about “agent-less” installations?
• If we take the scanner out of the VM clients… it would work.
• However, it won’t support a full endpoint protection package
— No client-based packet inspection
— No client-firewall (HIPS/NIPS)
— No application control or device control
— No system integrity monitoring
— No real-time behavioral protection (SONAR)
What’s needed to defend the Virtual Endpoint
Signature and Heuristic File Scanning
Insight
Network and Host IPS
Browser Protection
SONAR
Application and Device Control
A Friendly Welcome Screen
• Provide guidance with a welcome screen that highlights the common tasks
• Features:
– Deploy SEP client
– Run LiveUpdate
– Product tour
– License status
– Adjust the server configuration
The new SEPM home page
• Features:
– Allow administrators of all signature deployments
– Launch of common tasks like client deployment
– Simplified endpoint status
– Simplified ThreatCon
– License status
New and improved email notifications
• Features:
– Can be viewed on a smartphone (HTML)
– License renewal and partner messages
– New client software is available
– Detecting unprotected clients
– Policy changes
Package deployment: Include latest Virus Definitions
• Provides an option that reduces signature impact on network
– Option to include latest signatures
– Option to limit signatures
Installation status reporting
• Register client in console as soon as installation starts
• Features:
– Report includes detailed client installation status
– Populates for all installation methods
– Reboot commands initiated from the report
Enhanced Disaster Recovery
• Solution: Allow a SEPM reinstall to use existing backed-up certificates so that clients just reconnect.
• Notes:
– This was the #1 supportability request
In Product Licensing
– Supports Trialware conversion
– In product activation
– License status, reports and notification reminders (content enforcement for SBE)
Customer Objectives
• Internal Threat Reporting
• Prioritized Actions
• Implement commands to products based on role
Existing Tools
Key Buyer: Security Operations
Symantec Solution: Protection Center 2.0
• Single Sign On
• Data collection
• Action
What’s New in SPC 2.0?
• Three levels of integration - Single Sign On, Data collection, Action
• Symantec GIN Integration
• Basic event correlation
• Cross Product Reporting - malware, email, asset
• Dashboard Notifications
• Prebuilt workflow templates - Symantec Endpoint Protection
• STEP 3rd Party Program
Technical Architecture – Information Flow
(Architecture diagram of the Symantec Protection Center Server, https://SERVERNAME/Symantec/ProtectionCenter)
Integration Web Services: Data Feed, Registration
Data Collection Service, Asset Processor, Event Archives, CMDB
Event Channels feeding the Event Summarizer and the Workflow Event Trigger
Protection Center Console: Reports, Dashboards, Notifications, Settings
Symantec Services: DeepSight, SPC Data
Security Event Data
Storage Exchange, Registration Wizard
Protection Center 2.0 Integrated Products
• Symantec Endpoint Protection
• Symantec Messaging Gateway
• Symantec Mail Security for Microsoft Exchange
• Symantec Data Loss Prevention Suite
• PGP Encryption from Symantec
• Symantec Control Compliance Suite
• VeriSign Managed Public Key Infrastructure (PKI) for SSL
• DeepSight Intelligence Services
• Bay Dynamics IT Analytics
• Bit9 Parity Suite: Endpoint Protection
Protection Center for the iPad: Relevant, Actionable Security Intel for Executives
• Role Based Dashboard. Executive summary of corporate risk posture relative to your organization
• Real-time Threat Intelligence. Global threat data from one of the largest sources of external threat intelligence
• Location aware compliance. Cross product reporting for internal and external IT compliance policies
Thank you!
Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
http://www.emea.symantec.com/blackmarket/sv