Symantec Endpoint Protection Technical Review Brian Pallozzi, CISSP Principal Sales Engineer Symantec Endpoint Protection 1


Page 1:

Symantec Endpoint Protection Technical Review

Brian Pallozzi, CISSP, Principal Sales Engineer

Page 2:

Agenda

1. Enterprise Security Protection Stack
2. What's new (RU6)
3. Architectures
4. Suggestions

Page 3:

The Changing Threat Landscape: An Explosion of Malware

[Chart: cumulative count of traditional signatures, Jan-00 to Jan-10, rising from near zero to roughly 7,000,000.]

• In 2000: 5 signatures a day
• In 2007: 1,500 signatures a day
• In 2009: >15,000 signatures a day
• In 2010: 25,000 detections a day

• 3 billion attacks blocked
• 240 million variants
• Highly targeted threats

Page 4:

Industry Recognition

Security Leadership, WW Corporate Endpoint (IDC 2009). Source: IDC WW Corporate Endpoint Market 2008.

[Pie chart, corporate endpoint market share:]
• Symantec 23%
• McAfee 17%
• Trend Micro 9%
• Sophos 7%
• Cisco 4%
• Kaspersky Lab 3%
• Other 37%

• Consumer Endpoint Security (#1 market position [1])
• Endpoint Security (#1 market position [2]; positioned in the Leaders Quadrant of the Gartner Magic Quadrant [3])
• Messaging Security (#1 market position [4]; positioned in the Leaders Quadrant of the Gartner Magic Quadrant [5])
• Policy & Compliance (#1 market position [6])
• Email Archiving (#1 market position [7]; positioned in the Leaders Quadrant of the Gartner Magic Quadrant [8]; Forrester Wave leader [9])
• Data Loss Prevention (#1 market position; Gartner Magic Quadrant [10] and Forrester Wave leader [11])
• Security Management (#1 market position [12])
• Security Information & Event Management (SIEM) (positioned in the Leaders Quadrant of the Gartner Magic Quadrant [13])

Page 5:

Ingredients for Endpoint Security

Symantec Endpoint Protection 11.0 and Symantec Network Access Control 11.0:

• Antivirus
• Antispyware
• Firewall
• TruScan
• Device Control
• Application Control
• (Network) Intrusion Prevention
• Network Access Control

Page 6:

Single Agent, Single Console

Symantec Endpoint Protection 11.0 and Symantec Network Access Control 11.0

Results:
• Reduced cost, complexity and risk exposure
• Increased protection, control and manageability

Page 7:

Single Agent: Client User Interface (UI)

• Client UI focused on ease of use for end users
• Enables users to quickly view settings and navigate

Page 8:

Easy End User Troubleshooting

Page 9:

Antivirus

Page 10:

Virus Definition Update Options

Enterprises can choose from several flexible update options:

Frequency         Availability   Certification Level   Quality   Delivery Options
Every 30 minutes  Fastest        Rapid Release         High      LU, VDTM/SEPM, IU
Every 8 hours     Fast           Full                  Highest   LU, VDTM/SEPM, IU

• Customers can choose how and when to deploy virus definition updates.
• Updates are hosted on thousands of servers worldwide.
• Microdef technology keeps the download to the desktop small (~250 KB/day).
• Fully certified AV content updates are available for SEP three times per day.

Page 11:

Improved Detection and Removal

• The repair engine (Eraser) is extensible
  – Improvements are ongoing
  – Not dependent on new product releases
• SEP 11
  – Lower-level rootkit detection
  – Admin-specified homepage restore
  – Surgical cookie cleanup

[Diagram: user-mode / kernel-mode stack. Rootkit hook points sit at the Microsoft file system API; beneath it are the Windows file system and the volume manager. Eraser bypasses the MS API through a mapping server and a direct volume scan, so files hidden by hooks above the volume manager remain visible to it. Hooks below that layer are outside what the diagram covers.]

Page 12:

Client Performance Enhancements

• Quicker on-demand scans due to load point caching
• Eraser performance improvements
• On-demand scan tuning

"On the machines I tested, the end-user experience was pleasant. I could easily perform other tasks and switch between applications – in fact, even for the balanced scans…if I didn't hear the hard disk, I might not have known it was spinning."

– Feedback from an external test customer

Page 13:

Testing Groups

• Virus Bulletin 100 – http://www.virusbtn.com
• AV-Test.org – http://avtest.org
• AV-Comparatives – http://www.av-comparatives.org
• Anti-Malware Testing Standards Organization – http://www.amtso.org/

Page 14:

Third Party Efficacy Tests

Third-party reviews validate effectiveness:
• High detection rates in real tests
• Low false positives

Page 15:

Proactive Technologies

Page 16:

TruScan: Behavioral Detection Engine

1. Enumerate processes: enumerate all processes and embedded components
2. Analyze process behavior: assess the behavior and characteristics of each process
3. Score each process: detection routines are weighted and processes are classified
4. Automatic protection: malicious code is identified, reported and automatically mitigated

• Detects 1,000 new threats/month not detected by leading AV engines
• Very low (0.004%) false positive rate

Page 17:

A New Approach – Behavioral Detection Engine

• Each engine has two sets of detection modules:
  – Pro-valid = evidence of valid application behavior
  – Pro-malicious = evidence of malicious application behavior
• Each detection module has a weight
  – The weight indicates the importance of the behavioral trait
• Each process gets 2 scores:
  – Valid Score = measure of how valid the process is
  – Malicious Score = measure of how malicious the process is

With pro-malicious modules $T_1 \ldots T_N$ weighted by $a_1 \ldots a_N$, and pro-valid modules $V_1 \ldots V_M$ weighted by $b_1 \ldots b_M$:

$$\text{Trojan Score} = \sum_{i=1}^{N} a_i T_i$$

$$\text{Valid Score} = \sum_{i=1}^{M} b_i V_i$$

** Caveat: it's not as simple as this – detection modules are cooperative.

Page 18:

A Good Engine Will Create Separation Between Valid Applications & Malicious Code

[Plot: score distributions of valid applications and malicious code, with a gap between the two clusters.]

Adjust scores (sensitivity settings) to reduce false positives.
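The weighted two-score scheme from the two slides above, carried through in code as an added illustration. This is not Symantec's TruScan engine: the module names, their weights (the a_i and b_i), the three sample processes and the margin-based cut-off are all constructed for the example. It shows the separation the slide talks about, and how raising the sensitivity threshold removes a false positive on a borderline legitimate process while still catching the clearly malicious one.

```python
"""Weighted two-score behavioral classifier in the shape described on the
'Behavioral Detection Engine' slides.

Added illustration, not Symantec's TruScan engine: module names, weights
(a_i, b_i) and the sample processes are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Pro-malicious detection modules T_i with weights a_i (constructed).
MALICIOUS_MODULES = {
    "injects_into_other_process": 4.0,
    "hides_own_window": 2.0,
    "writes_run_key": 2.0,
    "opens_listening_socket": 3.0,
    "keylogging_hook": 5.0,
}

# Pro-valid detection modules V_i with weights b_i (constructed).
VALID_MODULES = {
    "signed_by_trusted_publisher": 5.0,
    "has_visible_main_window": 2.0,
    "installed_via_msi": 2.0,
    "launched_by_user_shell": 1.0,
}


@dataclass
class ProcessProfile:
    name: str
    traits: dict[str, int] = field(default_factory=dict)  # module -> 1 if observed


def score(proc: ProcessProfile) -> tuple[float, float]:
    """(trojan_score, valid_score) = (sum a_i*T_i, sum b_i*V_i) for one process."""
    trojan = sum(w * proc.traits.get(m, 0) for m, w in MALICIOUS_MODULES.items())
    valid = sum(w * proc.traits.get(m, 0) for m, w in VALID_MODULES.items())
    return trojan, valid


def classify(proc: ProcessProfile, sensitivity: float) -> str:
    """Call a process malicious when trojan_score - valid_score >= sensitivity.

    A higher threshold moves the cut-off toward the malicious cluster and
    lowers false positives at the cost of missing weakly scored threats.
    Whether a hit is only logged or terminated is a separate policy choice.
    """
    trojan, valid = score(proc)
    return "malicious" if trojan - valid >= sensitivity else "valid"


# Constructed sample population with ground truth, for the FP demonstration.
SAMPLES = [
    (ProcessProfile("keylogger.exe", {
        "injects_into_other_process": 1, "hides_own_window": 1,
        "writes_run_key": 1, "keylogging_hook": 1}), "malicious"),
    (ProcessProfile("remote_admin.exe", {
        "opens_listening_socket": 1, "writes_run_key": 1,
        "signed_by_trusted_publisher": 1, "has_visible_main_window": 1,
        "installed_via_msi": 1}), "valid"),
    # Unsigned vendor updater: noisy traits, little pro-valid evidence.
    (ProcessProfile("vendor_updater.exe", {
        "writes_run_key": 1, "opens_listening_socket": 1, "hides_own_window": 1,
        "installed_via_msi": 1, "launched_by_user_shell": 1}), "valid"),
]


def evaluate(sensitivity: float) -> dict[str, tuple[str, bool]]:
    """Return {name: (verdict, is_false_positive)} for the sample population."""
    out = {}
    for proc, truth in SAMPLES:
        verdict = classify(proc, sensitivity)
        out[proc.name] = (verdict, verdict == "malicious" and truth == "valid")
    return out


def false_positive_count(sensitivity: float) -> int:
    return sum(1 for _, is_fp in evaluate(sensitivity).values() if is_fp)


if __name__ == "__main__":
    for s in (3.0, 6.0):
        print(f"sensitivity={s}: {evaluate(s)}  false positives={false_positive_count(s)}")
```

At a margin of 3 the updater (trojan 7, valid 3) is flagged, which is the false positive the slide's "adjust sensitivity" step is meant to remove; at 6 it is cleared while the keylogger (trojan 13, valid 0) is still caught. The real engine's modules also cooperate, as the slide's caveat says, so a flat weighted sum understates what it does.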

Page 19:

Device Control

• Block devices by type (Windows class ID)
• Supports all common ports
  – USB, infrared, Bluetooth, serial, parallel, FireWire, SCSI, PCMCIA
• Can block read/write/execute from removable drives*
• Example:
  – Block all USB devices except USB mouse and keyboard

Peripheral Device Control example: W32.SillyFDC
• Targets removable memory sticks
• Spreads by copying itself onto removable drives such as USB memory sticks
• Automatically runs when the device is connected to a computer

Page 20:

Application Control

• Application Behavior Analysis: monitors the behavior of applications
• Process Execution Control: blocks unwanted programs from running
• File Access Control: blocks unwanted access to files or folders (diagram example: \WINDOWS\system32\)
• Registry Access Control: controls access to, and writing of, registry keys
• Module & DLL Loading Control: blocks applications from loading modules

Page 21:

System Lockdown Features

• Prevents unauthorized code from running on a protected system
  – Malware
  – Unauthorized applications
• Creates a digital inventory of the system
  – The Checksum.exe tool builds the inventory
  – Multiple inventories can be created per server
  – Fingerprints all executables (exe, com, dll, ocx, etc.)
  – Anything not on the list is blocked from execution
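The fingerprint-inventory idea behind System Lockdown, as an added example that is not Symantec's Checksum.exe and does not use its file format: build an inventory of content hashes for every executable under a golden image, then decide whether a candidate file may run by looking up its hash. SHA-256 as the hash, the extension list beyond the ones the slide names, and the sample files (written to a temporary directory) are the example's own assumptions. Keying on content rather than path is what makes the check hold up against a renamed binary, and it is also why the inventory has to be regenerated whenever approved software is patched.

```python
"""Fingerprint inventory and execution check, in the spirit of System Lockdown.

Added illustration, not Symantec's checksum.exe or its inventory format:
walk a directory, hash every file with an executable extension, and later
decide whether a given file is on the list. Sample files are constructed in
a temporary directory so the example runs offline.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# The slide lists exe, com, dll, ocx, etc.; .sys and .scr are our addition.
EXECUTABLE_SUFFIXES = {".exe", ".com", ".dll", ".ocx", ".sys", ".scr"}


def fingerprint(path: Path) -> str:
    """SHA-256 of the file contents (the slide names no hash; SHA-256 is our choice)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_inventory(root: Path) -> dict[str, str]:
    """Map content hash -> first relative path seen, for every executable under root."""
    inventory: dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES:
            inventory.setdefault(fingerprint(p), str(p.relative_to(root)))
    return inventory


def is_allowed(path: Path, inventory: dict[str, str]) -> bool:
    """Lockdown decision: allow execution only if the content hash is inventoried.

    Keyed on content, not on path or name, so renaming a blocked binary or
    patching an allowed one in place does not change the verdict.
    """
    return fingerprint(path) in inventory


def demo() -> tuple[int, dict[str, bool]]:
    """Inventory a constructed golden image, then test four candidate files."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "image"
        (root / "app").mkdir(parents=True)
        (root / "app" / "good.exe").write_bytes(b"MZ good-app-v1")
        (root / "app" / "helper.dll").write_bytes(b"MZ helper-v1")
        (root / "app" / "readme.txt").write_bytes(b"not executable")
        inventory = build_inventory(root)

        cand = Path(d) / "candidates"
        cand.mkdir()
        (cand / "good.exe").write_bytes(b"MZ good-app-v1")          # identical: allowed
        (cand / "renamed.exe").write_bytes(b"MZ helper-v1")         # inventoried DLL under a new name: allowed
        (cand / "good_patched.exe").write_bytes(b"MZ good-app-v2")  # same name, modified bytes: blocked
        (cand / "dropper.exe").write_bytes(b"MZ dropper")           # unknown binary: blocked
        results = {p.name: is_allowed(p, inventory) for p in sorted(cand.iterdir())}
        return len(inventory), results


if __name__ == "__main__":
    size, verdicts = demo()
    print(f"{size} fingerprints in inventory")
    for name, ok in verdicts.items():
        print(f"{name:18s} {'ALLOW' if ok else 'BLOCK'}")
```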

Page 22:

Network Threat Protection

Page 23:

Network Threat Protection Key Features

• Best-of-breed rule-based firewall engine
  – Inspects encrypted and cleartext network traffic
• IPS engine
  – Generic Exploit Blocking (GEB)
  – Packet- and stream-based IPS
  – Custom IPS signatures similar to Snort™
• Auto-location switching

[Diagram: threat classes addressed: buffer overflow, back door, blended threat, known exploits.]

Page 24:

Best-of-Breed Personal Firewall

Personal Firewall Features

• Rule-based firewall engine
• Firewall rule triggers: application, host, service, time
• Full TCP/IP support: TCP, UDP, ICMP, raw IP protocol
• Support for Ethernet protocols: allow or block Token Ring, IPX/SPX, AppleTalk, NetBEUI
• Able to block protocol drivers, e.g. VMware, WinPcap
• Adapter-specific rules

DPI Firewall: the deep packet inspection engine employs IDP, supports regular expressions and allows custom signatures.

Page 25:

Intrusion Prevention System

[Diagram: per-protocol inspection (SSH, IM, SMTP, FTP, HTTP, RPC) feeding the GEB engine and the custom signature engine, each hit carrying a signature ID.]

Example custom signature, as shown on the slide:

rule tcp, tcp_flag&ack, daddr=$LOCALHOST, msg="[182.1] RPC DCOM bufferoverflow attempt detected", content="\x05\x00\x00\x03\x10\x00\x00\x00"(0,8)

Intrusion Prevention Features

• Combines Generic Exploit Blocking (GEB) and SCS IDS with Sygate IDS
• Deep packet inspection
• Sygate IDS engine allows admins to create their own signatures
  – Uses a signature format similar to SNORT™
  – Regex support
  – Signatures applied only to vulnerable applications
• Resistant to common and advanced evasion techniques
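To make the custom-signature format and the "packet- and stream-based" distinction concrete, here is an added example that is not Symantec's Sygate IDS engine: a parser for the one rule line shown on the slide and a matcher that applies it either per packet or over a reassembled stream. Reading the trailing "(0,8)" as content offset 0 and depth 8 is an assumption, as are the packet model, the LOCALHOST address and the constructed DCE/RPC request payload. The stream matcher is what closes the simple evasion of splitting the signature bytes across two TCP segments.

```python
"""Minimal matcher for the custom IPS signature format shown on the slide.

Added illustration, not Symantec's Sygate IDS engine. The rule text is the
one on the slide; reading '(0,8)' as offset 0 / depth 8 is our assumption,
as are the packet model, LOCALHOST and the constructed payload.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

RULE = (r'rule tcp, tcp_flag&ack, daddr=$LOCALHOST, '
        r'msg="[182.1] RPC DCOM bufferoverflow attempt detected", '
        r'content="\x05\x00\x00\x03\x10\x00\x00\x00"(0,8)')

LOCALHOST = "10.0.0.5"  # address of the protected endpoint (constructed)


@dataclass
class Rule:
    proto: str
    flags: set[str]     # TCP flags that must be set (tcp_flag&ack -> {"ack"})
    daddr: str          # "$LOCALHOST", a literal address, or "any"
    msg: str
    content: bytes
    offset: int
    depth: int | None   # None = search to the end of the payload


@dataclass
class Packet:
    proto: str
    flags: set[str]
    daddr: str
    payload: bytes


def _split_fields(text: str) -> list[str]:
    """Split on commas that are outside quotes and parentheses."""
    fields, cur, in_quote, depth = [], [], False, 0
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        elif ch == "(" and not in_quote:
            depth += 1
        elif ch == ")" and not in_quote:
            depth -= 1
        if ch == "," and not in_quote and depth == 0:
            fields.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur).strip())
    return fields


def parse_rule(text: str) -> Rule:
    fields = _split_fields(text)
    keyword, proto = fields[0].split()
    if keyword != "rule":
        raise ValueError("not a rule line")
    rule = Rule(proto, set(), "any", "", b"", 0, None)
    for f in fields[1:]:
        if f.startswith("tcp_flag&"):
            rule.flags.add(f.split("&", 1)[1])
        elif f.startswith("daddr="):
            rule.daddr = f[len("daddr="):]
        elif f.startswith("msg="):
            rule.msg = f[len("msg="):].strip('"')
        elif f.startswith("content="):
            m = re.fullmatch(r'content="(.*)"(?:\((\d+),(\d+)\))?', f)
            if not m:
                raise ValueError(f"bad content field: {f}")
            # Turn the \xNN escapes of the rule text into raw bytes.
            rule.content = m.group(1).encode("latin-1").decode("unicode_escape").encode("latin-1")
            if m.group(2) is not None:
                rule.offset, rule.depth = int(m.group(2)), int(m.group(3))
    return rule


def _addr_matches(rule_addr: str, pkt_addr: str) -> bool:
    if rule_addr == "any":
        return True
    if rule_addr == "$LOCALHOST":
        return pkt_addr == LOCALHOST
    return rule_addr == pkt_addr


def _content_matches(rule: Rule, payload: bytes) -> bool:
    end = None if rule.depth is None else rule.offset + rule.depth
    return rule.content in payload[rule.offset:end]


def match_packet(rule: Rule, pkt: Packet) -> bool:
    """Packet-based: every condition must hold within this one segment."""
    return (pkt.proto == rule.proto and rule.flags <= pkt.flags
            and _addr_matches(rule.daddr, pkt.daddr)
            and _content_matches(rule, pkt.payload))


def match_stream(rule: Rule, segments: list[Packet]) -> bool:
    """Stream-based: reassemble in-order segments of one flow, then match."""
    if not segments or any(s.proto != rule.proto for s in segments):
        return False
    if not all(_addr_matches(rule.daddr, s.daddr) for s in segments):
        return False
    if not any(rule.flags <= s.flags for s in segments):
        return False
    return _content_matches(rule, b"".join(s.payload for s in segments))


# Constructed payload: a DCE/RPC request header (version 5.0, packet type 0 =
# request, fragment flags 0x03, little-endian data representation) plus filler.
DCERPC_REQUEST = b"\x05\x00\x00\x03\x10\x00\x00\x00" + b"\x00" * 16 + b"A" * 64


def split_flow(payload: bytes, at: int) -> list[Packet]:
    """Two in-order ACK segments of one TCP flow to LOCALHOST."""
    return [Packet("tcp", {"ack"}, LOCALHOST, payload[:at]),
            Packet("tcp", {"ack", "psh"}, LOCALHOST, payload[at:])]


if __name__ == "__main__":
    rule = parse_rule(RULE)
    print(rule.msg, "->", match_packet(rule, Packet("tcp", {"ack", "psh"}, LOCALHOST, DCERPC_REQUEST)))
    segs = split_flow(DCERPC_REQUEST, 4)
    print("per-packet:", [match_packet(rule, s) for s in segs], "stream:", match_stream(rule, segs))
```

The depth limit is also what keeps the rule cheap: a payload with the same eight bytes a few positions later does not match, so a real signature needs the offset chosen against where the protocol actually places the header.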

Page 26:

AutoLocation Switching Enhancements

AutoLocation triggers:
• IP address (range or mask)
• DNS server
• DHCP server
• WINS server
• Gateway address
• TPM token exists (hardware token)
• DNS name resolves to IP
• Policy Manager connected
• Network connection type (wireless, VPN, Ethernet, dial-up)

Triggers can be combined with and/or relationships.

[Diagram: the "Office" policy applies on the corporate LAN; the "Remote" policy applies from a remote location (home, coffee shop, hotel, etc.), including over VPN.]

Page 27:

Network Access Control: Policy Compliance

Page 28:

Symantec Network Access Control

• Choose quarantine, remediation or federated access
  – Enforce policy before access is granted
  – Execute updates, programs, services, etc.
  – Limit connection to a VLAN, etc.
• Broadest enforcement options of any vendor
  – Remote connectivity (IPsec, SSL VPN)
  – LAN-based, DHCP, appliance
  – Standards-based, CNAC, MS NAP

Ensures endpoints are protected and compliant prior to accessing network resources.

Page 29:

Management

Page 30:

Integrated Management, Policy Driven

Page 31:

Architecture

• Symantec Endpoint Protection Manager (SEPM)
• SQL data store: policies, events and logs, security content, reporting data, state information, updates and patches
• Java-based console: policy management, agent management, roles and administration, launch reports, view alerts
• Symantec Endpoint clients: laptops, desktops, servers

[Diagram: SEPM in the centre; links labelled HTTP/S and HTTPS connect it to the clients, the SQL data store and the console.]

Page 32:

Replication & High Availability Architecture

• Failover between management servers and data stores
• Replication between sites

[Diagram: two sites, each with several SEPMs in front of a clustered-database datastore; endpoint policy fails over between management servers and data stores, and the two sites replicate with each other.]

Page 33:

Management Server Hierarchy

[Diagram: a main site with SEPMs and datastore, a regional site with SEPM and datastore, and a small regional office served by a Group Update Provider.]

Group Update Provider
• Small, simple, low-maintenance manager for small offices
• Only deltas are replicated across WAN links

Data Replication
• Site-to-site data replication for scalability and availability
• Customizable filters control what data is replicated between sites

Page 34:

Advanced Grouping Management

Hierarchy: Database → Domains → Groups → Locations → Clients

[Diagram: one database holding the domains Company 1, Company 2 and Company 3; groups such as Temporary, Europe and Headquarters (with Engineering, Sales and Accounting beneath it); locations such as Office, Wireless and QA Lab.]

Page 35:

3rd Party Integration

• LDAP
• Active Directory
• Syslog
• RSA

Page 36:

Basic Reporting and Alerting

• Scheduled email reports
• 52 default reports
• Monitors
• Customizable dashboard
• Notifications

Page 37:

New in Release Update 6

• Macintosh antivirus management
• Symantec Protection Center
• Symantec Endpoint Recovery Tool
• Telemetry support
• Scan randomization
• Web-based SEPM console

Page 38:

New in RU6: Macintosh Management from the SEPM Console

• Client package and group
• Policies
  – Antivirus and Antispyware policy
  – Centralized Exceptions policy
  – LiveUpdate policy
• Run commands
  – Enable Auto-Protect
  – Restart client computers
  – Scan
  – Update content
  – Update content and scan

Page 39:

New in RU6: Symantec Endpoint Protection for Macintosh

• Macintosh antivirus client managed by the Windows SEPM
• Supports Mac OS X 10.4, 10.5, 10.6
• Supports migrating from Symantec AntiVirus for Macintosh 10.x
• Supports G3, G4, G5 and Intel processors

Page 40:

New in RU6: Scan Randomization

• Allows the administrator to select a window of time within which a scheduled scan will kick off (up to one hour short of the schedule period)
  – Daily: up to 23 hours
  – Weekly: up to 167 hours
  – Monthly: up to 671 hours
• Improves support for virtual environments, where simultaneous scans on many guests contend for the same host
• Available on the Windows client only

Page 41:

New in RU6: Data Collection – Telemetry

• Collects and sends anonymous data to Symantec for the following purposes:
  – To improve the product in the future
  – To improve customer support
• Able to opt out
• The following data are collected:
  – SEP / SNAC enabled
  – SEP / OS version
  – Database stats
  – Free disk space, CPU and available memory
  – Major errors
  – Counts of: groups, domains, hosts, admin accounts, servers per site, clients from AD, alerts, replication errors, revisions kept, policies, computers per revision, enforcers, GUPs, percent of computers up to date

Page 42:

New in RU6: Web-based SEPM Console

• Does not require a Java Runtime on the remote client side
• Easy to access using a web browser
• Supports Internet Explorer 7 & 8

Page 43:

New in RU6: Web-based Portal

• Manage multiple Symantec products through a single console:
  – Symantec Endpoint Protection
  – Symantec Web Gateway
  – Symantec Data Loss Prevention
  – Symantec Critical System Protection
  – Symantec IT Analytics
  – Symantec Brightmail Gateway
• Supports Internet Explorer 7 & 8

Page 44:

New in RU6: Symantec Endpoint Recovery Tool (SERT)

• Windows PE 2.1 based bootable CD
• Features:
  – Symantec Endpoint Encryption support
  – Launch a command prompt prior to the scanner, which allows use of third-party disk access apps (BitLocker, etc.)
  – Use definitions from local media (USB, local disk, etc.) rather than downloading from the Internet; can also be used to scan with Rapid Release definitions
  – Download definitions from the Internet
  – No PIN code requirement (the Norton Bootable Recovery Tool requires a PIN)
• Available through FileConnect

Page 45:

Advanced Reporting – Business Intelligence

Traditional Reporting (directly against the SEP database):
• Multiple report requests can hinder server performance
• Large databases or complicated queries may take a long time to run
• Canned reports offer limited options for customization or data analysis

IT Analytics (SEP database → SQL 2005 Reporting Services / Analysis Services, "Symantec Endpoint Protection Alert – Standard Cube"; Bay Dynamics):
• Flexible ad-hoc/custom reporting
• Drill-down capabilities
• Multi-dimensional analysis
• Improved server performance
• Seamless export to Excel and PDF
• Robust graphical dashboards
• Multi-dimensional ad-hoc/pivot table reporting
• Pivot chart functionality with Excel export

Page 46:

Symantec Protection Center: Intelligent Management Integration

Integrates: Server Protection, Endpoint Protection, Messaging Security, Web Security, Data Loss Prevention, Network Access Control, with reporting and analytics.

• VISIBILITY: pinpoint relevant security threats promptly
• RESPONSE: accelerate time to protection
• EFFICIENCY: increase productivity of security operations

Page 47:

New in RU6: Power Eraser

• Designed to complement mainline antivirus applications by detecting and remediating specific types of threats:
  – New variants of existing threats for which there is no coverage in the current definition sets
  – Fake antivirus applications and other rogueware
  – Rootkits
  – System settings that have been tampered with maliciously
• Because Symantec Power Eraser uses aggressive methods to detect these threats, there is a risk that it can select some legitimate programs for removal. Use standard antivirus applications and troubleshooting techniques first; if they do not remove all of the threats, use Symantec Power Eraser.
• Available from the "Help and Support" button on the client.

Page 48:

New in RU6: Power Eraser

• Part of the Symantec Endpoint Protection Support Tool
• Aggressive scanning
• The Support Tool then finishes scanning

Page 49:

New in RU6: Support Tool

Page 50:

Designing and Sizing the Correct SEP Architecture

Page 51:

SEP Design Considerations

• What technologies will be deployed?
• Do you want different security policies when users are in different locations?
• Will desktops, servers, laptops, users and departments have different policies?
• How many geographic locations are there in the company?
• How often does the customer want to provide content updates?
• Do you want to automatically deploy SEP patches?
• Which method of distribution does the customer want to use?
• Do you need a highly available management infrastructure?
• How long does the customer need to retain logs?
• What is the frequency of requests for data older than one week, one month and one year?
• What metrics need to be gathered frequently?
• Who needs access to the data, and where are they located?
• Are there multiple administrative groups in the organization (e.g. IT, Security, Desktop, Server)?
• Is there a need to tie in to an existing third-party tool or authentication scheme?

Page 52:

SEP Decisions

• Number of management servers
• Management server locations
• Which database(s) will be used
• Number of databases
• Classification methodology
• Where log information will reside
• Upgrade path for old management servers
• Which technologies will be deployed and configured

Page 53:

Deployment Architectures

[Diagram of four patterns: Single Site, Distributed Site, Log Replication, High Availability.]

Page 54:

Client/Server Communication

Page 55:

Recommendations

• Keep a SEP DB close to each SEP Manager
• Pull mode
  – Client-to-server ratio maximum: none
  – Lowest heartbeat interval: (number of clients / 1000) minutes
• Push mode
  – Client-to-server ratio maximum: 50,000
  – 1,000 client connections per minute
• Optimize I/O channels
• Managers should have good, fast connectivity to the DB

Page 56:

Recommendations

• Symantec Endpoint Protection Manager for environments under 10,000 clients
  – 2 GB RAM minimum requirement
  – Single processor
• Symantec Endpoint Protection Manager for environments over 10,000 clients
  – 4 GB RAM minimum requirement
  – Dual processor recommended

Page 57:

Heartbeat Sizing

Page 58:

Settings that Affect DB Sizing

Page 59:

Virus Event Storage Costs

Number of viruses in DB    Approximate space
1,000                      0.8 MB
5,000                      4.3 MB
15,000                     12.9 MB
25,000                     21.6 MB
50,000                     43.2 MB

(Roughly 0.86 KB per stored event.)

Page 60:

Backups

The number of backups kept affects the total disk space needed on the SEPM server.

Each backup is approximately 75% of the DB size; multiply by the number of copies being kept.

Example: 1 GB DB × 0.75 × 3 copies = 2.25 GB, call it 2.3 GB of disk space needed on the SEPM server (SEPS1 in the slide's example).

Page 61:

Example: Total Disk Space Needed

Assumptions:
• In 60 days you have on average 15,000 viruses
• You plan on keeping 20,000 events of each log
• You plan on keeping 5 versions of SEP, for both 64-bit and 32-bit, in English and French (5 × 2 × 2 = 20 packages)
• 7 backups are being kept

Item                      Space
15,000 viruses            12.9 MB
20,000 events per log     722 MB
20 versions in DB         1.24 GB
Content updates           300 MB
Total                     approx. 2.27 GB

Multiply by 1.4 to add the overhead of indexes and other tables: 3.2 GB needed for the DB.

Backups: 3.2 GB × 0.75 × 7 copies = 16.8 GB needed on the SEPM server.

Plus 4 GB of disk space on the SEPM for IIS content.
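The sizing arithmetic from the last few slides (virus event storage, backup multiplier, DB example, and the heartbeat and push-mode limits from the Recommendations slide), collected into one small calculator as an added worked example. The constants are the slides' own figures; the per-event rate of about 0.864 KB is derived from the 25,000 and 50,000 rows of the storage table (the smaller rows round down), 1 GB = 1000 MB and rounding capacity figures up to 0.1 GB are assumptions chosen to reproduce the slide's totals, and the reconnect-time function is our reading of "1,000 client connections per minute".

```python
"""Capacity arithmetic for the SEPM database, backups and heartbeat, following
the sizing slides.

Added worked example. Constants are the slides' figures; 1 GB = 1000 MB and
rounding up to 0.1 GB are our assumptions, chosen to reproduce its totals.
"""
import math

VIRUS_EVENT_MB = 0.000864        # ~0.864 KB per stored virus event (from the 25k/50k rows)
PACKAGE_MB = 1240 / 20           # 1.24 GB on the slide covers 20 client install packages
INDEX_OVERHEAD = 1.4             # indexes and other tables
BACKUP_FACTOR = 0.75             # each backup is ~75% of the DB size
PUSH_MAX_CLIENTS = 50_000        # push mode: maximum clients per management server
PUSH_CONNECTIONS_PER_MIN = 1_000 # push mode: client connections per minute


def _round_up(x: float, places: int = 1) -> float:
    """Round up for capacity planning (2.25 -> 2.3), tolerant of float noise."""
    scale = 10 ** places
    return math.ceil(round(x * scale, 6)) / scale


def virus_event_space_mb(events: int) -> float:
    return _round_up(events * VIRUS_EVENT_MB)


def client_packages(versions: int, architectures: int = 2, languages: int = 2) -> int:
    """5 versions x (32/64-bit) x (English/French) = 20 packages on the slide."""
    return versions * architectures * languages


def db_size_gb(viruses: int, log_events_mb: float, versions: int, content_mb: float = 300) -> float:
    """DB size after the 1.4 index overhead; log_events_mb is the retained-events
    figure from the slide (722 MB for 20,000 events per log)."""
    raw_mb = (virus_event_space_mb(viruses) + log_events_mb
              + client_packages(versions) * PACKAGE_MB + content_mb)
    return _round_up(raw_mb * INDEX_OVERHEAD / 1000)


def backup_space_gb(db_gb: float, copies: int) -> float:
    return _round_up(db_gb * BACKUP_FACTOR * copies)


def min_pull_heartbeat_minutes(clients: int) -> float:
    """Pull mode has no client/server cap, but the heartbeat cannot be shorter
    than clients/1000 minutes."""
    return clients / 1000


def push_mode_servers(clients: int) -> int:
    return math.ceil(clients / PUSH_MAX_CLIENTS)


def push_reconnect_minutes(clients: int) -> float:
    """Time for all clients of one push-mode server to reconnect after a restart."""
    return clients / PUSH_CONNECTIONS_PER_MIN


def plan(viruses: int = 15_000, log_events_mb: float = 722, versions: int = 5,
         backups: int = 7, content_mb: float = 300, iis_gb: float = 4) -> dict:
    """The slide's worked example: 3.2 GB DB, 16.8 GB backups, 4 GB IIS content."""
    db = db_size_gb(viruses, log_events_mb, versions, content_mb)
    bak = backup_space_gb(db, backups)
    return {"db_gb": db, "backups_gb": bak, "iis_gb": iis_gb,
            "sepm_disk_gb": _round_up(bak + iis_gb)}


if __name__ == "__main__":
    print(plan())
    print("50,000 clients in pull mode: heartbeat no shorter than",
          min_pull_heartbeat_minutes(50_000), "minutes")
```

The one place the calculator disagrees with the slide is the 15,000-event row (13.0 MB rather than 12.9 MB), because the slide's table is not quite linear; the final 3.2 GB and 16.8 GB figures come out the same.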

Page 62:

Best Practices: Recommended Client Protection Policies

Page 63:

Malware Protection

Page 64:

Antivirus/Antispyware Policy

Symantec always recommends running SEP with Auto-Protect enabled and routine scheduled scans enabled.

It is typically recommended to start your deployment with a full weekly scan.

If you notice that not many infections are being discovered by the scheduled scan, it is recommended to decrease the frequency and depth of the scan.

In environments with low infection rates, it is not uncommon to find monthly full scans or weekly quick scans being performed.

Page 65:

Antivirus/Antispyware Policy (cont.)

Symantec provides 3 Antivirus and Antispyware policies out of the box. Symantec recommends the default antivirus policy on most machines.

On machines that are slow, have high resource utilization, or where users typically complain of performance, Symantec recommends applying the High Performance policy.

For machines that are mission critical, and for machines/users that have a high infection rate (bad Internet hygiene), Symantec recommends applying the High Security antivirus policy.

Page 66:

Antivirus/Antispyware Policy (cont.)

It is suggested to enable "Delay scheduled scans when running on batteries". Enabling this feature typically increases end-user satisfaction with the product, since running a full scan on battery depletes the charge more quickly.

To further increase end-user acceptance of the product, many companies give the end user the right to stop scans.

It is recommended to keep the defaults for Internet Email Scanning, TruScan*, Quarantine* and Submissions.

Symantec only recommends installing the Outlook/Lotus plug-ins when antivirus is absent on the mail server.

Page 67:

Antivirus/Antispyware Policy (cont.)

Symantec updates definitions three times a day; each day that goes by without a definition update means less protection.

On average, Symantec adds over 20K signatures a day. It is recommended to display a notification to end users if definitions are out of date.

If users have the ability to initiate LiveUpdate, Symantec recommends lowering the number of days before the out-of-date notification is sent to 5 days.

It is also recommended to set the Internet Browser Protection recovery home page to your company's website. Most companies redirect to an internal web page with the security policies and escalation procedures.

Page 68:

Antivirus/Antispyware Policy (cont.)

*TruScan default settings depend upon the manager version.

Set the sensitivity to High. Set the action to Log initially, until exceptions have been addressed, then change it to Terminate.

Set the frequency to scan new processes immediately.

Page 69:

Antivirus/Antispyware Policy (cont.)

*Quarantine: when was the last time you retrieved anything from the quarantine? For performance, consider setting the quarantine action to do nothing. Keep in mind that a deleted detection also leaves nothing behind to examine; the quarantine is where a sample can still be recovered if a detection needs investigating.

If Clean/Delete actions are too drastic because of possible false positives, consider Clean/Quarantine with a short retention period.

Weigh the performance cost of Risk Tracer against its usefulness.

Page 70:

Network Protection

Page 71: Symantec Endpoint Protection Technical Review Brian Pallozzi, CISSP Principal Sales Engineer Symantec Endpoint Protection 1

Firewalls and IPS

Reactive: signature-based scanning is not enough alone; heuristics are not enough alone; behavior technology is not enough alone.

Proactive: prevent unsolicited traffic from being accepted; prevent accepted traffic from containing threats.

Workstations vs. Servers

Page 72

Firewall Policy

There are four traditional configurations that individuals may consider when deploying a client firewall. Each configuration provides a different level of protection and changes the likelihood of encountering false positives and preventing legitimate applications from working.

Page 73

Firewall Policy

Firewall Disabled: Disabling the firewall minimizes the potential for making a mistake with the configuration that can cause legitimate applications to cease working. Since every network environment is unique, some customers find it easier to keep this technology disabled until there is a need.

In Symantec Endpoint Protection, disabling the firewall but enabling Intrusion Prevention provides additional protection with minimal configuration and false positives.

Block Known Trojan Ports: Choosing to allow all network traffic with the exception of ports commonly associated with known Trojans will provide an additional level of security while minimizing the risk of creating a policy that might block a legitimate application. Although this might provide some protection, the Intrusion Prevention engine already provides signatures to detect and block most of these exploits.

In this configuration, Administrators can choose to block specific applications without needing to know what is installed in the environment.

Page 74

Firewall Policy

Block all Inbound Connections: Configuring the firewall to block all inbound connections greatly reduces the risk of an attacker gaining access to a client's resources or data. Most applications that get installed on the box will still be allowed to initiate communications, which reduces the amount of configuration that needs to be done.

This configuration will not stop all malicious pieces of code from getting installed on the box, nor will it prevent the malicious code from communicating important pieces of data to a hacker. This configuration will also block some legitimate corporate applications, like management utilities that expect to receive connections from a management server. It is highly recommended to test this configuration thoroughly prior to deploying it.

Some companies have found it easier to deploy a variant of this configuration that blocks all inbound connections except those from the servers installed in the organization. This has minimized the number of changes that need to be made as new applications are installed, and it has minimized the number of exceptions needed in the policy.

Explicit Deny: In this configuration, the firewall is configured to block all communications except those you explicitly choose to accept. This is the most secure approach to creating firewall policies. It means that any new code introduced to the environment (good or bad) will not be allowed to communicate until an administrator approves it. Although this provides the most secure architecture, constant changes are usually needed to accommodate application changes.
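The SEP client firewall is configured from the SEPM console, so the postures above cannot be scripted directly from the deck. The following is an added example (not code from the Symantec deck or product) that reproduces the three non-disabled postures on a test workstation with the built-in Windows NetSecurity cmdlets, so an administrator can observe how each one treats inbound and outbound traffic before building the equivalent SEP policy. The server addresses, port list and approved program path are placeholder values.

```powershell
# Added example, not code from the Symantec deck or product. Reproduces the three
# non-disabled client-firewall postures with the Windows NetSecurity cmdlets on a
# test workstation. $ManagementServers, $KnownTrojanPorts and $ApprovedPrograms are
# placeholder values to be replaced with your own.
#Requires -RunAsAdministrator

$ManagementServers = @('10.0.0.10', '10.0.0.11')            # placeholder: your management servers
$KnownTrojanPorts  = @(12345, 27374, 31337)                 # placeholder: ports from your port-blocking list
$ApprovedPrograms  = @('C:\Program Files\Example\app.exe')  # placeholder: applications approved by an admin

function Set-BlockKnownPortsPosture {
    # Posture 2 (Block Known Trojan Ports): allow everything by default and drop only
    # inbound traffic to a fixed port list. The deck notes IPS already covers most of this.
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Allow -DefaultOutboundAction Allow
    New-NetFirewallRule -DisplayName 'SEP-review: block known trojan ports' -Direction Inbound `
        -Protocol TCP -LocalPort $KnownTrojanPorts -Action Block | Out-Null
}

function Set-BlockAllInboundPosture {
    param([switch]$AllowFromServers)
    # Posture 3 (Block all Inbound Connections): default-deny inbound, default-allow outbound.
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block -DefaultOutboundAction Allow
    if ($AllowFromServers) {
        # The variant the deck describes: still accept connections that originate from the
        # organisation's servers, so management utilities that expect to be contacted keep working.
        New-NetFirewallRule -DisplayName 'SEP-review: allow inbound from servers' -Direction Inbound `
            -RemoteAddress $ManagementServers -Action Allow | Out-Null
    }
}

function Set-ExplicitDenyPosture {
    param([string[]]$Programs = $ApprovedPrograms)
    # Posture 4 (Explicit Deny): block both directions, then approve applications one by one.
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block -DefaultOutboundAction Block
    foreach ($exe in $Programs) {
        New-NetFirewallRule -DisplayName "SEP-review: allow $(Split-Path -Path $exe -Leaf)" -Direction Outbound `
            -Program $exe -Action Allow | Out-Null
    }
}

function Remove-PostureRules {
    # Roll back: every rule this script creates carries the 'SEP-review:' prefix.
    Get-NetFirewallRule -DisplayName 'SEP-review:*' -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction NotConfigured -DefaultOutboundAction NotConfigured
}

# Apply the variant the deck reports as needing the fewest exceptions, then show the result.
Set-BlockAllInboundPosture -AllowFromServers
Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction, DefaultOutboundAction
Get-NetFirewallRule -DisplayName 'SEP-review:*' | Select-Object DisplayName, Direction, Action
```

Run `Remove-PostureRules` to return the test machine to its previous state. Note that the Explicit Deny posture, exactly as the deck warns, blocks everything that has not been approved, including name resolution and the client's own update traffic, so the approved-program list has to be built up before it is usable.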

Page 75

Firewall Policy

Symantec recommends starting deployment with the firewall disabled and Intrusion Prevention (IPS) enabled. Administrators can then increase the protection on the client by deploying the firewall over time.

Extensive testing should be conducted prior to deploying the firewall policy.

It is also beneficial to consider disabling the firewall when on the corporate network and hardening the firewall when users disconnect from the corporate network.

This is normally done through the Location Awareness feature. Care should be taken when defining network segments. Symantec recommends using multiple network identifiers when creating the policy.

Symantec also recommends the use of Peer to Peer Enforcement between clients. Peer to Peer Enforcement forces a client to block all connections from a remote machine until that machine has proven that it is in compliance with corporate policy.

Page 76

Intrusion Prevention Policy

Symantec recommends always running IPS on client machines. Symantec makes no recommendations on changing the default settings for IPS.

If Administrators or individuals within the organization are running security tools and assessment tools, Symantec does recommend excluding those machines from IPS detection, as it may yield false positives.

Note: Symantec does not recommend running IPS on a Server OS without fully testing it.

Page 77


Proactive Threat Protection

Page 78

Application and Device Control Policy

Application Control and Device Control are advanced features that can be used to further enhance malware protection for your business. Extreme caution should be used in creating application and device control policies as these advanced technologies may cause legitimate applications to cease operating.

Symantec recommends using Application Control and Device Control settings only after testing the impact of the policy in your environment. Application Control and Device Control allow Administrators to restrict the behavior of applications and users in the environment. Since this is a diverse technology, the opportunities are endless as to what can be done.

Page 79

Application and Device Control Policy

Allow only Read to the following keys to prevent tampering with or changing of IE settings:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Page 80

Application and Device Control Policy

Consider disallowing execution of autorun.

Consider disallowing execution from USB devices.

Page 81

Application and Device Control Policy Cont:

Allow only Read to the following registry keys, which allow applications to start automatically:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

HKEY_CLASSES_ROOT\comfile\shell\open\command

HKEY_CLASSES_ROOT\piffile\shell\open\command

HKEY_CLASSES_ROOT\exefile\shell\open\command

HKEY_CLASSES_ROOT\txtfile\shell\open\command

Note: Symantec does not recommend running Application Control on a Server OS without fully testing it.
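Before restricting the Internet Explorer keys on the earlier slide and the autostart keys above to read-only, it helps to know which of them a standard user can already modify through the key's own ACL, because those are the keys where the runtime Application Control policy is the only protection. The following is an added example (not code from the Symantec deck or product) that audits those ACLs; the key list is taken from the slides, while the list of non-administrative principals is an assumption for a typical domain workstation.

```powershell
# Added example, not code from the Symantec deck or product. Reports which of the keys
# listed on the slides grant write-type rights to non-administrative identities, so the
# team can see where the Application Control "read only" rule is the only safeguard.
# Key list copied from the slides; $Principals is an assumption (adjust for your domain).

$Keys = @(
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions',
    'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKEY_CLASSES_ROOT\exefile\shell\open\command',
    'HKEY_CLASSES_ROOT\comfile\shell\open\command',
    'HKEY_CLASSES_ROOT\piffile\shell\open\command',
    'HKEY_CLASSES_ROOT\txtfile\shell\open\command'
)

# Non-administrative identities whose write access should be flagged (assumption).
$Principals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE')

# Rights that let the holder add, alter or remove autostart entries. ReadKey is
# QueryValues|EnumerateSubKeys|Notify|ReadPermissions and shares no bit with these,
# so a plain read-only ACE is never reported.
$WriteRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::Delete -bor
               [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
               [System.Security.AccessControl.RegistryRights]::TakeOwnership
$GenericWriteOrAll = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL, raw on some ACEs

function Get-WritableProtectedKey {
    param([string[]]$Path = $Keys, [string[]]$Principal = $Principals)
    foreach ($k in $Path) {
        $regPath = "Registry::$k"
        if (-not (Test-Path -LiteralPath $regPath)) {
            [pscustomobject]@{ Key = $k; Principal = '-'; Rights = 'key not present' }
            continue
        }
        $acl = Get-Acl -LiteralPath $regPath
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Principal -notcontains $ace.IdentityReference.Value) { continue }
            $raw = [int]$ace.RegistryRights
            $canWrite = (($raw -band [int]$WriteRights) -ne 0) -or (($raw -band $GenericWriteOrAll) -ne 0)
            if (-not $canWrite) { continue }
            [pscustomobject]@{ Key = $k; Principal = $ace.IdentityReference.Value; Rights = $ace.RegistryRights }
        }
    }
}

# Run with administrative rights so every key can be read, then review the list.
Get-WritableProtectedKey | Format-Table -AutoSize -Wrap
```

The HKEY_LOCAL_MACHINE and HKEY_CLASSES_ROOT keys are normally writable only by administrators, so anything reported there is worth investigating. The HKEY_CURRENT_USER keys are owned by the interactive user and will not show the principals above, yet they are writable by that user by design; that is exactly the case the Application Control read-only rule is meant to cover, since the ACL cannot.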

Page 82

LiveUpdate

Page 83

LiveUpdate Policy

Symantec recommends configuring multiple methods for updating content on mobile clients. This allows systems that are not connected to the corporate network to receive content updates when they cannot reach the management server.

The most typical recommendation is to create two policies: one that has clients update from the management server while connected to the network, and another that has clients update through LiveUpdate directly from Symantec when the client machine is not connected to the corporate network.

Page 84

Location Awareness

*Symantec typically recommends that administrators create two locations (Default/Internal and External) when using these two LiveUpdate policies.

A default location is provided with each created group.

The default location "LiveUpdate" policy should have the clients contact the SEP Manager (SEPM) for their content updates.

The external location LiveUpdate policy should have clients conduct LiveUpdate calls directly to Symantec's LiveUpdate site to retrieve content updates.

*Weigh the risks, resource usage and benefits of single vs. multiple locations. Weigh across all policy types.

Page 85

External LiveUpdate Policy

It is recommended to set the “External” LiveUpdate policy retrieval schedule for every 4 hours.

Remember that Symantec releases certified LiveUpdate content 3 times daily. This schedule will ensure that client systems stay up to date with the latest security content.

Page 86

External LiveUpdate Policy Cont:

It is also recommended to configure the Advanced Settings to “Allow the user to manually launch LiveUpdate”.

Page 87

External Location Configuration Cont:

Specify the conditions for this location trigger. In this case, the ability to connect to the management server was the condition used.

Symantec recommends that more than one condition be specified when configuring a location.
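The Location Awareness advice on the earlier slides (two locations, Default/Internal and External, each with its own LiveUpdate policy, and more than one condition per location) can be validated outside the console before the policy is written. The following is an added example (not code from the Symantec deck or product) that evaluates three independent network identifiers and only treats the client as Internal when enough of them agree; otherwise it falls back to the External location and direct LiveUpdate. SEP evaluates its own conditions inside the client; the hostname, port, DNS suffix and subnets here are placeholders.

```powershell
# Added example, not code from the Symantec deck or product. Demonstrates the
# "more than one condition per location" recommendation: a client is Internal only
# when at least $MinimumMatches of the identifiers agree. All values in $InternalProfile
# are placeholders; SEP's own Location Awareness conditions are set in the SEPM console.

$InternalProfile = @{
    ManagementServer = 'sepm.corp.example'                # placeholder SEPM hostname
    ManagementPort   = 8014                               # placeholder; set to your SEPM client port
    DnsSuffix        = 'corp.example'                     # placeholder connection-specific DNS suffix
    Subnets          = @('10.0.0.0/8', '172.16.0.0/12')   # placeholder internal address ranges
}

function ConvertTo-UInt32Address ([string]$Ip) {
    # IPv4 dotted quad -> unsigned 32-bit integer, for mask arithmetic.
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)               # network order -> little-endian for BitConverter
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-AddressInSubnet ([string]$Address, [string]$Cidr) {
    $network, $bits = $Cidr.Split('/')
    $mask = [uint32]((0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF)
    ((ConvertTo-UInt32Address $Address) -band $mask) -eq ((ConvertTo-UInt32Address $network) -band $mask)
}

function Resolve-ClientLocation {
    param([hashtable]$Profile = $InternalProfile, [int]$MinimumMatches = 2)

    # Three independent identifiers. Any one alone can mislead (split-tunnel VPN, a stale
    # DNS suffix, a home router using an overlapping private range), which is why the deck
    # asks for more than one condition per location.
    $checks = [ordered]@{
        ManagementServerReachable = Test-NetConnection -ComputerName $Profile.ManagementServer `
            -Port $Profile.ManagementPort -InformationLevel Quiet -WarningAction SilentlyContinue
        DnsSuffixMatches = [bool](Get-DnsClient | Where-Object { $_.ConnectionSpecificSuffix -eq $Profile.DnsSuffix })
        AddressInInternalSubnet = [bool](Get-NetIPAddress -AddressFamily IPv4 | Where-Object {
            $ip = $_.IPAddress
            $Profile.Subnets | Where-Object { Test-AddressInSubnet -Address $ip -Cidr $_ }
        })
    }

    $agreeing = @($checks.Values | Where-Object { $_ }).Count
    $location = if ($agreeing -ge $MinimumMatches) { 'Internal' } else { 'External' }
    # Internal clients pull content from the SEPM; External clients use the 4-hourly direct LiveUpdate policy.
    $source = if ($location -eq 'Internal') { 'Management server (SEPM)' } else { 'Symantec LiveUpdate, scheduled every 4 hours' }

    [pscustomobject]@{
        Location         = $location
        AgreeingChecks   = "$agreeing of $($checks.Count)"
        LiveUpdateSource = $source
        Checks           = $checks
    }
}

Resolve-ClientLocation | Format-List
```

Raising `-MinimumMatches` to 3 makes the Internal location stricter (all identifiers must agree), which is the safer direction: a client wrongly classified as External still updates directly from Symantec, whereas one wrongly classified as Internal is left with a relaxed firewall and an update source it cannot reach.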

Page 88

LiveUpdate Content

For the smallest possible microdef size, increase the number of downloads to retain.

You sacrifice only the disk space to store them and the CPU cycles to build them.

Page 89

Exceptions

Page 90

Centralized Exceptions Policy

• The recommendation for exceptions is to add them as needed. SEP automatically makes exceptions for certain applications, but it is best to add additional exceptions for databases, transaction logs, VMware images, and other items with high transactional volume. It is also recommended not to allow employees to add exceptions unless needed. For additional information on default exceptions and on how to add exceptions, please reference the Symantec Online Knowledge Base.

Page 91

Thank you!

Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

Symantec Protection Suite 91

Brian Pallozzi, [email protected]