Symantec Endpoint Protection 12.1 / Symantec Protection Center 2.0

Let me phone a friend…

Jimmy Sandberg, Presale Engineer

What’s new in Symantec Endpoint Protection 12.1

Unrivaled Security
• Powered by Insight
• Real Time Behavior Monitoring with SONAR

Blazing Performance
• Up to 70% reduction in scan overhead
• Smarter Updates
• Faster Management

Built for Virtual Environments
• Tested and optimized for virtual environments
• Higher VM densities

Symantec - SEP 12.1 & SPC 2.0

Research Powered by Global Intelligence Network
Identifies more threats, takes action faster & prevents impact

Information Protection: Preemptive Security Alerts, Threat Triggered Actions
Global Scope and Scale: Worldwide Coverage, 24x7 Event Logging
Rapid Detection

Attack Activity
• 240,000+ sensors
• 200+ countries and territories

Malware Intelligence
• 150M client, server, gateways monitored
• Global coverage

Vulnerabilities
• 35,000+ vulnerabilities
• 11,000 vendors
• 80,000 technologies

Spam/Phishing
• 5M decoy accounts
• 8B+ email messages/day
• 1B+ web requests/day

Locations shown on the slide’s map: Austin, TX; Mountain View, CA; Culver City, CA; San Francisco, CA; Taipei, Taiwan; Tokyo, Japan; Dublin, Ireland; Calgary, Alberta; Chengdu, China; Chennai, India; Pune, India

The changing threat landscape - An explosion of malware

[Chart: Traditional Signatures per year, y-axis 0 to 7,000,000]

In 2000: 5 signatures a day
In 2007: 1,500 signatures a day
In 2010: >50,000 signatures a day
• Expected in the end of 2011: >100,000 unique signatures a day

Malware authors have switched tactics

From: A mass distribution – one worm hits millions of PCs
Storm made its way onto millions of machines across the globe

To: A micro distribution model
Hacked web site builds a trojan for each visitor
The average Harakit variant is distributed to 1.6 users!
75% of malware infects less than 50 machines


The Idea

Only malware mutates

So . . . if an executable is unique, it’s suspicious

. . . but how to know if a file is unique?

Unrivaled Security

Foundation of reputation based security

Reputation:

• Game-changing approach

• Leverages data on hundreds of millions of files

• Reduces reliance on signatures

• Amplifies current protection

• Shifts the odds in our favor


The protection stack

Layers: Network IPS; Insight; Heuristics & Signature Scan; Real time behavioral (SONAR)

Network IPS
• Firewall
• Network & Host IPS
• Monitors vulnerabilities
• Monitors traffic
• Application & Device ctrl.

Stops stealth installs and drive by downloads
Focuses on the vulnerabilities, not the exploit (GEB)
Improved firewall supports IPv6, enforces policies

Insight – Provides Context

Layers: Network IPS & Browser Protect; Insight; Heuristics & Signature Scan; Real time behavioral (SONAR)

Insight: Before we scan – check the reputation
Identifies new and mutating files
Feeds reputation to our other security engines
Only system of its kind

How Symantec Insight works

1 Build a collection network: 175 million PCs, 3.0 billion files* (* Sept 2011)
2 Rate nearly every file on the internet: Prevalence, Age, Source, Behavior
3 Look for reputation: Is it new? Bad reputation?
4 Check the DB during scans
5 Provide actionable data

Insight - Reputation Protection

– Allow the customization of a policy for end user experience

– Threshold can be set for age and prevalence

– Log and report on infection source

– Includes protection for browsers, peer to peer apps, email, and chat

Policies based on Risk: Finance Dept, Help Desk, Developers
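The age-and-prevalence thresholds from the Reputation Protection bullets and the per-group risk policies on this slide, as an added worked example in Python. This is not Symantec code and uses no SEP API: the FileReputation fields, the three groups' threshold values, the verdict names and the sample records (placeholder hashes and `.example` sources) are all constructed assumptions for illustration. A file that meets both thresholds is the kind a reputation-based scan can skip; a file below either threshold is unproven and is logged together with its source before the other engines look at it.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class FileReputation:
    """Reputation attributes for one executable (constructed fields, not the Insight schema)."""
    sha256: str
    age_days: int        # days since the collection network first saw this hash
    prevalence: int      # number of endpoints that have reported this hash
    known_bad: bool      # hash is associated with infections
    source: str          # where the file was downloaded from, for infection-source logging


@dataclass(frozen=True)
class ReputationPolicy:
    """Per-group thresholds: a file must meet BOTH to count as proven good."""
    group: str
    min_age_days: int
    min_prevalence: int


# Hypothetical thresholds per department; stricter groups demand older, more common files.
FINANCE = ReputationPolicy("Finance Dept", min_age_days=30, min_prevalence=1000)
HELP_DESK = ReputationPolicy("Help Desk", min_age_days=7, min_prevalence=50)
DEVELOPERS = ReputationPolicy("Developers", min_age_days=1, min_prevalence=5)


def classify(rep: FileReputation, policy: ReputationPolicy) -> str:
    """'block' for known-bad files, 'unproven' for new or rare ones, 'trusted' otherwise."""
    if rep.known_bad:
        return "block"
    if rep.age_days < policy.min_age_days or rep.prevalence < policy.min_prevalence:
        return "unproven"
    return "trusted"


def apply_policy(policy: ReputationPolicy, files: List[FileReputation]) -> List[str]:
    """Return one log line per file that is not trusted, recording the infection source."""
    log = []
    for rep in files:
        verdict = classify(rep, policy)
        if verdict != "trusted":
            log.append(
                f"{policy.group}: {verdict} {rep.sha256} age={rep.age_days}d "
                f"prevalence={rep.prevalence} source={rep.source}"
            )
    return log


# Constructed sample reputation records (placeholder hashes, not real files).
SAMPLE_FILES = [
    FileReputation("sha256:WIDELY-USED", 400, 2_000_000, False, "vendor.example"),
    FileReputation("sha256:RARE-NEW", 0, 2, False, "hacked-site.example"),    # micro-distributed variant
    FileReputation("sha256:DEV-TOOL", 3, 40, False, "build-server.example"),  # young, moderately common
    FileReputation("sha256:KNOWN-BAD", 90, 5_000, True, "mirror.example"),     # old and common, but convicted
]

if __name__ == "__main__":
    for policy in (FINANCE, HELP_DESK, DEVELOPERS):
        for line in apply_policy(policy, SAMPLE_FILES):
            print(line)
```

Running it shows the same four files producing three log lines for Finance and Help Desk but only two for Developers, because the young build tool clears the developers' lower thresholds. The known-bad record is blocked for every group regardless of how old or widespread it is, which is the point of feeding infection data into reputation rather than relying on prevalence alone.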


So what is special about Insight?

Symantec Insight:
• Ranks all executable files
• Tracks prevalence
• Tracks age
• Signatures for new malware

Only Insight can answer:
How old is the file?
How many copies are there?
Is the file associated with infections?

Only Insight can use reputation to identify mutating threats

File Scanning

Layers: Network IPS & Browser Protect; Insight; Heuristics & Signature Scan; Real time behavioral (SONAR)

File Scanning: Cloud and Local Signatures; New, Improved update mechanism
Most accurate heuristics on the planet.
Uses Insight to prevent false positives

SONAR (TruScan) – Completes the Protection Stack

Layers: Network IPS & Browser Protect; Insight; Heuristics & Signature Scan; Real time behavioral (SONAR)

SONAR
• Monitors processes and threads as they execute
• Rates behaviors
• Feeds Insight

Only hybrid behavioral-reputation engine on the planet
Monitors 400 different application behaviors
SONAR was formerly known as TruScan

SONAR - Reputation Protection

– Enhanced by Insight to keep False Positive detects to a minimum

– Analyzes file system and network behavior

– Tamper Protection utilizes same technology


Browser Intrusion Protection

– Can be updated in the field to protect against new browser vulnerabilities

– Protection for Internet Explorer, Firefox and Chrome


File-Based Signatures are NOT Enough

[Chart: AV Detections vs IPS Detections, 2009 and 2010; labels 33% and 50%]

SONAR – 53,000 malicious files and processes blocked /day. This is an increase of >3,000% since 2008
Insight helping convict >1,000,000 files / day
Insight blocking 90,000 downloads /day

Blazing Performance

Faster Scans with Insight

Insight - Optimized Scanning: Skips any file we are sure is good, leading to much faster scan times
Traditional Scanning: Has to scan every file
On a typical system, 70% of active applications can be skipped!

Improved client performance: ScanLess and Scan on Idle

– Use reputation to whitelist Symantec trusted and community trusted files

– Provide administrator with choices to use the information or run in paranoid mode

– Scan when system is idle

– Applicable to scheduled and on demand scans

And tons of new features and performance enhancements under the hood…

Chart for Demonstration Purposes Only


Built for Virtual Environments

SEP 12.1 is built for Virtual Environments
• Optimized for VMware, Citrix and Microsoft virtual environments
• Easy to identify and manage physical and virtual clients
• Maximizes performance and density without sacrificing security
• Best in class performance and security

[Diagram: Hypervisor with Scan Cache]

Virtualization Features

Image Exception
• Used on cloned images
• Excludes all files
• Reduces scan impact

Shared Insight Cache
• Clients share scan results
• Scan files once
• Leverages Insight

Virtual Client Tagging
• Identifies hypervisor
• Set group specific policy
• Search for virtual clients

Resource Leveling
• Used for all virtual systems
• Reduce overlap of events
• Scans and def updates

Enhances Management
Reduces Disk I/O up to 90%

Shared Insight Cache - High Level

VM Cluster* (two ESX Servers, each hosting six VMs) exchanging scan results with the Shared Insight Cache Server (SIC)

Cache contents:
File Hash   Def Ver    Result
AE32D…      2011.1…    Clean
B923E…      2011.1…    Clean
F9123…      2011.1…    Clean
C3FDA…      2010.2…    Clean

*Works for ESX, Citrix and Hyper-V
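The cache-server exchange sketched above, as an added Python example; this is not Symantec's Shared Insight Cache implementation or wire protocol. It assumes a cache keyed by file hash that stores only clean verdicts together with the definition version that produced them, and that a client honours a cached verdict only when it came from definitions at least as new as its own; both are design assumptions for this example, not documented SIC behaviour. The VM names, definition version strings and the "BAD01" hash are constructed; the other four hash prefixes are the ones in the slide's table.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

DefVer = Tuple[int, ...]


def parse_defver(version: str) -> DefVer:
    """'2011.1.3' -> (2011, 1, 3); tuples compare element-wise, so newer > older."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class SharedInsightCache:
    """Cluster-wide cache of clean scan verdicts (assumed design, not the SIC protocol)."""
    entries: Dict[str, DefVer] = field(default_factory=dict)  # file hash -> def version that cleared it
    hits: int = 0
    misses: int = 0

    def lookup(self, file_hash: str, client_version: str) -> bool:
        """True when the client may skip scanning: a clean verdict exists from
        definitions at least as new as the client's own."""
        cached = self.entries.get(file_hash)
        if cached is None or cached < parse_defver(client_version):
            self.misses += 1
            return False
        self.hits += 1
        return True

    def report(self, file_hash: str, version: str, clean: bool) -> None:
        """Store a clean verdict (keeping the newest def version); never cache detections."""
        if not clean:
            self.entries.pop(file_hash, None)
            return
        new = parse_defver(version)
        if self.entries.get(file_hash, ()) < new:
            self.entries[file_hash] = new


def scan_vm(cache: SharedInsightCache, client_version: str,
            file_hashes: List[str], bad_hashes: Set[str]) -> int:
    """Simulate one VM's full scan; returns how many files it had to scan itself."""
    scanned = 0
    for file_hash in file_hashes:
        if cache.lookup(file_hash, client_version):
            continue                              # another VM already cleared this file
        scanned += 1
        clean = file_hash not in bad_hashes       # stand-in for the local signature/heuristic scan
        cache.report(file_hash, client_version, clean)
    return scanned


def simulate_cluster() -> Dict[str, int]:
    """Eight cloned VMs scanning the same image; returns files scanned per VM plus cache totals."""
    cache = SharedInsightCache()
    # Hash prefixes from the slide plus one constructed infected file.
    image_files = ["AE32D", "B923E", "F9123", "C3FDA", "BAD01"]
    bad_hashes = {"BAD01"}
    results: Dict[str, int] = {}
    # Six VMs on the same definitions: the first scans everything, the rest reuse its verdicts.
    for i in range(1, 7):
        results[f"vm{i}@2011.1.2"] = scan_vm(cache, "2011.1.2", image_files, bad_hashes)
    # Two VMs that pulled newer definitions: the cached verdicts are too old, so the
    # first one rescans and refreshes the cache and the second benefits again.
    results["vm7@2011.1.3"] = scan_vm(cache, "2011.1.3", image_files, bad_hashes)
    results["vm8@2011.1.3"] = scan_vm(cache, "2011.1.3", image_files, bad_hashes)
    results["cache_hits"] = cache.hits
    results["cache_misses"] = cache.misses
    return results


if __name__ == "__main__":
    for name, count in simulate_cluster().items():
        print(f"{name}: {count}")
```

Two behaviours are worth noticing when running it. The infected file is never cached, so every VM scans and detects it itself; only "Clean" rows ever appear in the cache, matching the table on the slide. And the definition-version check cuts both ways: a VM on older definitions will still accept a verdict produced by newer ones, while a VM that has just updated ignores stale verdicts and repopulates the cache for its peers.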


But, what about “agent-less” installations?

• If we take the scanner out of the VM clients… it would work.

• However, it won’t support a full endpoint protection package

— No client-based packet inspection

— No client-firewall (HIPS/NIPS)

— No application control or device control

— No system integrity monitoring

— No real-time behavioral protection (SONAR)


What’s needed to defend the Virtual Endpoint

Signature and Heuristic File Scanning

Insight

Network and Host IPS

Browser Protection

SONAR

Application and Device Control


Simplified Administration


A Friendly Welcome Screen

• Provide guidance with a welcome screen that highlights the common tasks

• Features:

– Deploy SEP client

– Run LiveUpdate

– Product tour

– License status

– Adjust the server configuration


The new SEPM home page

• Features:

– Allow administrators of all signature deployments

– Launch of common tasks like client deployment

– Simplified endpoint status

– Simplified ThreatCon

– License status


New and improved email notifications

• Features:

– Can be viewed on a smartphone (HTML)

– License renewal and partner messages

– New client software is available

– Detecting unprotected clients

– Policy changes


Package deployment: Include latest Virus Definitions

• Provides an option that reduces signature impact on network

– Option to include latest signatures

– Option to limit signatures


Installation status reporting

• Register client in console as soon as installation starts

• Features:

– Report includes detailed client installation status

– Populates for all installation methods

– Reboot commands initiated from the report


Enhanced Disaster Recovery

• Solution: Allow a SEPM reinstall to use existing backed-up certificates so that clients just reconnect.

• Notes:

– This was the #1 supportability request


In Product Licensing

– Supports Trialware conversion

– In product activation

– License status, reports and notification reminders (content enforcement for SBE)


Symantec Protection Center 2.0


Customer Objectives / Symantec Solution

Customer Objectives (Existing Tools)
• Internal Threat Reporting
• Prioritized Actions
• Implement commands to products based on role
Key Buyer: Security Operations

Symantec Solution (Protection Center 2.0)
• Single Sign On
• Data collection
• Action

What’s New in SPC 2.0?

• Three levels of integration-Single Sign on, Data collection, Action

• Symantec GIN Integration

• Basic event correlation

• Cross Product Reporting-malware, email, asset

• Dashboard Notifications

• Prebuilt workflow templates-Symantec Endpoint Protection

• STEP 3rd Party Program


Email


Technical Architecture: Information Flow

Symantec Protection Center Server (https://SERVERNAME/Symantec/ProtectionCenter)
• Integration Web Services: Data Feed, Registration
• Data Collection Service: Asset Processor, Event Channels
• Event Archives, CMDB
• Event Summarizer, Workflow Event Trigger
• Protection Center Console: Reports, Dashboards, Notifications, Settings
• Storage Exchange, Registration Wizard

Inputs: Security Event Data; Symantec Services (DeepSight SPC Data)

Protection Center 2.0 Integrated Products

• Symantec Endpoint Protection

• Symantec Messaging Gateway

• Symantec Mail Security for Microsoft Exchange

• Symantec Data Loss Prevention Suite

• PGP Encryption from Symantec

• Symantec Control Compliance Suite

• VeriSign Managed Public Key Infrastructure (PKI) for SSL

• Deepsight Intelligence Services

• Bay Dynamics IT Analytics

• Bit 9 Parity Suite: Endpoint Protection


Symantec Protection Center for iPad


Protection Center for the iPad: Relevant, Actionable Security Intel for Executives

• Role Based Dashboard. Executive summary of corporate risk posture relative to your organization

• Real-time Threat Intelligence. Global threat data from one of the largest sources of external threat intelligence

• Location aware compliance. Cross product reporting for internal and external IT compliance policies

Welcome Dashboard


Thank you!

Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

http://www.emea.symantec.com/blackmarket/sv