Symantec Web Isolation
Secure Access to Uncategorized and Risky Sites. Protect Your Most Privileged Users. Prevent Phishing and Ransomware Attacks.
John Moore, Senior Security Engineer, July 10, 2018
Web Isolation Fundamentals
- The browsing session is secured through isolation; access is not blocked
- Everything is assumed to be malicious
- All code and content is prevented from reaching endpoints
- Enables access to unknown/risky content where there is a legitimate need
- Web isolation eliminates patient zero: isolation prevents infections before they ever happen, even from zero-day vulnerabilities
- Malware has become extremely violent (e.g. ransomware), with close to zero dwell time for detection and remediation
Isolation can be used to allow access to sites that previously would have been blocked. It does not depend on the Detect-then-Prevent construct; everything is assumed to be bad. It is easy to deploy and use given the way it is architected.
Symantec Announces Fireglass Acquisition
Web isolation changes the game for protecting against advanced threats.
Fireglass web isolation:
- Established in 2014
- Leader in the fast-growing browser/web isolation market
- Customer value: increased malware protection for web and mail
- Integrates with Secure Web Gateway (ProxySG, ASG, VSWG) to allow safe access to uncategorized/risky sites
- Also works with on-prem email, in parallel with Symantec SMG
- Offered stand-alone, cloud or on-prem
- Integrations underway with the cloud-delivered Web Security Service and Symantec email security solutions (SMG, email.cloud)
- Integrates with 3rd-party proxies and NGFWs
Symantec acquired Fireglass, a leader in the fast-growing security category known as Isolation or Remote Browsing. The acquisition adds capabilities in a few areas of our portfolio, primarily Web and Email Security.
Market View on Web Isolation
“Evaluate and pilot a remote browser solution in 2017 as one of the most significant ways an enterprise can reduce the ability of web-based attacks on users to cause damage”
- Web isolation is a new threat prevention approach
- Sometimes referred to as Remote Browsing, but has broader applications for use
- Identified as a top technology in 2016 and 2017
- Gartner predicts that over 50% of enterprises will adopt web isolation
90% of Cyber Attacks Come Through Web and Email
Web Threats:
- 1,400+ new browser and plug-in vulnerabilities per year
- 55% of sites can be used to deliver malware
- Every 4 seconds an unknown malware is downloaded
Email and Phishing Threats:
- 83% growth in active phishing URLs
- 78% of large enterprises were targeted by spear phishing
- 12% of users click untrusted links or attachments
Security professionals are often surprised to see that over 90% of cyber-attacks come through web and e-mail. On the web side, it is primarily through vulnerabilities that exist in browsers, or users wandering onto websites that deliver malicious content. The big vector on the email side is phishing.
Source: Verizon DBIR, Symantec ISTR, Gartner
The Threat of the Unknown
Web parameter and resulting policy:
- Known Good: ALLOW
- Unknown/Risky (uncategorized or potentially risky domains): ALLOW? / BLOCK?
- Known Bad: BLOCK
“How can I increase security without over-blocking?”
THE CHALLENGE
- Millions of new sites are created every day
- 71% of all host names exist for 24 hours or less
- Many are legitimate, but some offer ideal cover for hackers launching attacks
- Difficult to assess with traditional “detection” approaches
- Customizing protection without over-blocking
Web Isolation Architecture
Risky web and email content, including documents, is handled by Symantec Web Isolation in a Secure Disposable Container, which renders, executes and downloads it. Only 100% safe rendering information is sent to the user; only user gestures are sent back.
Some key aspects to highlight in our architecture and approach:
- The solution is agentless
- The web session is completely isolated in a container; the container handles rendering, execution and downloading
- Can be deployed as an on-premise solution or as a cloud service
- Any device, OS or browser
- Seamless browsing experience
- Isolates both web and email, including documents
- On premise, cloud and hybrid
Demo
Key Use Cases
Problem: Over-blocking the “Middle Ground” Sites
Web access policy:
- Always allow certain categories/sites
- Always block certain categories/sites
Key issue: the middle ground. Over-blocking creates user issues; under-blocking increases the risk of malware.
- Allowed Categories (Health, Financial Services, etc.): ALLOW
- Categories where some access may be required (Dynamic DNS Host, File Storage/Sharing, Hacking): ALLOW or DENY, depending on organizational needs. Some allow; often requires additional ops to whitelist specific domains/users
- Uncategorized: MOSTLY DENY, for security best practices at the expense of user experience. Some allow; often requires additional ops to whitelist specific domains/users
- Threat Categories (Suspicious, Malicious in/out, …): DENY
Stop Over-blocking
Web isolation with proxy using website categories. Web access policy:
- Always allow certain categories/sites
- Always block certain categories/sites
- Middle-ground categories/sites get isolated
Expanded access with no malware risk:
- Allowed Categories (Health, Financial Services, etc.): ALLOW
- Categories where some access may be required (Dynamic DNS Host, File Storage/Sharing, Hacking): ISOLATE
- Uncategorized: ISOLATE
- Threat Categories (Suspicious, Malicious in/out, …): DENY
Stop Over-blocking
Web isolation with proxy using categories, with risk levels (BCIS-advanced). Web access policy:
- Allow certain categories and low-risk sites
- Block certain categories and the riskiest sites
- Middle-ground categories and potentially risky sites get isolated
Expanded access with no malware risk. Each site carries a risk level from 1 (lowest) to 10 (highest) alongside its category:
- Allowed Categories (Health, Financial Services, etc.), low risk level: ALLOW
- Customer Category / Category of Interest, and categories where some access may be required (File Storage/Sharing, Dynamic DNS Host, Hacking): ISOLATE
- Uncategorized and mid-range risk levels: ISOLATE
- Security Concerns (Suspicious, Malicious Outbound, …) and the highest risk levels: DENY
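The three-way policy from these two slides, as an added example that is not Symantec's or Fireglass's code: a model of the proxy decision in which DENY outranks ISOLATE, which outranks ALLOW, placed next to the allow/deny-only policy from the over-blocking slide so the difference in outcomes is visible. The 1-10 risk thresholds, the category names as Python strings and the sample requests are assumptions and constructed data, not values from the deck.

```python
from enum import Enum

class Action(Enum):
    ALLOW = "ALLOW"
    ISOLATE = "ISOLATE"
    DENY = "DENY"

# Category groups as named on the slides.
ALWAYS_ALLOW = {"Health", "Financial Services"}
MIDDLE_GROUND = {"Dynamic DNS Host", "File Storage/Sharing", "Hacking"}
THREAT = {"Suspicious", "Malicious Inbound", "Malicious Outbound"}

# Assumed thresholds on the slide's 1-10 risk scale (the deck gives no numbers):
# 9-10 denied, 1-4 allowed, anything between isolated.
DENY_RISK = 9
ALLOW_RISK = 4

def legacy_decide(categories):
    """Allow/deny-only policy from the 'over-blocking' slide: the middle
    ground and uncategorized sites fall on the deny side."""
    cats = set(categories)
    if cats and cats <= ALWAYS_ALLOW:
        return Action.ALLOW
    return Action.DENY

def isolation_decide(categories, risk_level=None):
    """Allow/isolate/deny policy. DENY outranks ISOLATE outranks ALLOW, so one
    bad signal decides; unknown or unlisted categories fail toward ISOLATE."""
    if risk_level is not None and not 1 <= risk_level <= 10:
        raise ValueError("risk level must be 1-10")
    cats = set(categories)
    if cats & THREAT or (risk_level is not None and risk_level >= DENY_RISK):
        return Action.DENY
    if not cats or cats & MIDDLE_GROUND:
        return Action.ISOLATE
    if cats <= ALWAYS_ALLOW and (risk_level is None or risk_level <= ALLOW_RISK):
        return Action.ALLOW
    return Action.ISOLATE

def compare(requests):
    """Count decisions under both policies for (categories, risk) tuples."""
    counts = {"legacy": {}, "isolation": {}}
    for cats, risk in requests:
        for name, verdict in (("legacy", legacy_decide(cats)),
                              ("isolation", isolation_decide(cats, risk))):
            counts[name][verdict] = counts[name].get(verdict, 0) + 1
    return counts

# Constructed sample requests, not real traffic.
SAMPLE = [({"Health"}, 2), (set(), 5), ({"File Storage/Sharing"}, 6),
          ({"Dynamic DNS Host"}, 9), ({"Suspicious"}, 3), ({"Financial Services"}, None)]

if __name__ == "__main__":
    for cats, risk in SAMPLE:
        print(sorted(cats) or "uncategorized", risk, isolation_decide(cats, risk).value)
    print(compare(SAMPLE))
```

On the constructed sample, the legacy policy denies four of six requests while the isolation policy denies two and isolates two, which is the over-blocking reduction the slides describe.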
Leveraging Symantec Global Intelligence Network (GIN)
- 21,000+ cloud applications discovered and protected
- 430 million new unique pieces of malware discovered last year
- 1B malicious emails stopped last year
Intelligence on files, URLs, whitelists, blacklists and certificates, combined with machine learning.
CLOUD GLOBAL INTELLIGENCE SOURCED FROM:
- 1 billion previously unseen web requests scanned daily
- 2 billion emails scanned per day
- 175M consumer and enterprise endpoints protected
- 9 global threat response centers with 3,000 researchers and engineers
Key points:
- Up-to-date, accurate data, correlated and analyzed to give you the latest information on known bads; no one can argue with the importance of this
- Symantec has the largest civilian threat intelligence network in the world, sourced from the web requests, emails and endpoint devices listed above, all analyzed and assessed by advanced algorithms to identify and risk-score malicious sites
- The proof is in the results: 182M web attacks blocked last year, 100M social engineering scams blocked last year
Additional Protection for Privileged Users
Safeguard privileged users; prevent malware with web access.
“We have privileged users like executives, IT admins, HR, and finance that have extra permissions and access rights to sensitive data and systems. I need to enable secure web browsing on those critical endpoints, and ensure internet-delivered malware never impacts these devices.”
- C-level team
- Key IT staff
- HR, Legal, Finance
Malware on these endpoints has severe consequences because of their unique system privileges.
Prevent Phishing Attacks by Isolating Risky Embedded URL Links
- Prevent malware/ransomware from phishing attacks
- Isolate websites launched from URLs embedded in email
- Stop credential theft by preventing users from submitting corporate credentials and other sensitive information on unknown and malicious sites
“Protect my users from embedded URLs that link to malicious websites.”
Thank You!