1 State of Hawaii Symantec Protection Suite Briefing. Bill Musson, CISSP, Senior Systems Engineer
2 Agenda
– Symantec Endpoint Protection SEP11 Overview
– Symantec Endpoint Protection SEP12 Overview: Symantec Insight; Symantec Online Network for Advanced Response (SONAR)
– Centralized Security Management: Symantec Management Platform; IT Analytics for SEP; Workflow; SPC v1; SPC v2
3 Symantec Endpoint Protection 11
4 SEP 11 and NAC 11: Antivirus, Antispyware, Firewall, Intrusion Prevention, Device and Application Control, Network Access Control. Single agent, single console, managed by Symantec Endpoint Protection Manager. Results: reduced cost, complexity and risk exposure; increased protection, control and manageability.
5 Gartner Magic Quadrant for EPP
6 Symantec Endpoint Protection 12: Symantec Insight; Symantec Online Network for Advanced Response (SONAR)
7 The Problem: No Existing Protection Addresses the “Long Tail”. Today, both good and bad software obey a long-tail distribution. Unfortunately neither technique works well for the tens of millions of files with low prevalence (but this is precisely where the majority of today’s malware falls). (Chart: prevalence of bad files and good files; blacklisting works well at the high-prevalence end of the bad files, whitelisting works well at the high-prevalence end of the good files; for the long tail a new technique is needed.)
8 The Inspiration: Only malware mutates. So... if an executable is unique, it’s suspicious... but how do you know whether a file is unique?
9 Questions about a file’s context: How often has this file been downloaded? Where is it from? Have other users reported infections? Is the source associated with infections? How will this file behave if executed? How old is the file? How many people are using it? Is the source associated with SPAM? Is the source associated with many new files? Does the file look similar to malware? Is the file associated with files that are linked to infections? Who created it? Does it have a security rating? Is it signed? What rights are required? Who owns it? What does it do? How new is this program? How many copies of this file exist?
10 Achilles Heel of Mutated Threats: Hackers mutate threats to evade fingerprints, but mutated threats stick out like a sore thumb. Virus writer’s Catch-22 – mutate too much = Insight finds it; mutate too little = easy to discover & fingerprint. Unrivaled security.
11 Symantec Insight: The context of a file is as telling as its content. How will this file behave if executed? How old is the file? Is the source associated with SPAM? Does the file look similar to malware? Is the file associated with files that are linked to infections? Who created it? What rights are required? Have other users reported infections? (Diagram: the context you need – Reputation: bad or good; Prevalence: low or high; Age: new or old.)
12 How it works: build a collection network; gather file attributes (prevalence, age, source, behavior, associations); look for associations; rate nearly every file on the internet; provide actionable data – check the DB during scans (Is it new? Bad reputation?).
13 Real World Test (chart: % of samples vs. % false positives)
14 Remediation Test (chart: remediation score, higher is better; number of false positives, lower is better)
15 First, Insight is used for manual scans of endpoints. What are the other ways that Symantec leverages Insight in Symantec Endpoint Protection 12?
16 Download Insight: Download Insight is a technology that checks the reputation of binaries being downloaded and blocks them if they are “Bad”. Download Insight scans files when they are downloaded using what we term a portal application (e.g. Firefox, Internet Explorer).
17 Faster Scans: Insight-optimized scanning skips any file we are sure is good, leading to much faster scan times; traditional scanning has to scan every file. On a typical system, 70% of active applications can be skipped!
18 Scan Speed: Symantec Endpoint Protection scans 3.5X faster than McAfee and 2X faster than Microsoft; ranked 1st in overall performance! (PassMark™ Software, Feb.,
19 Create Policies Based on Risk Tolerance
– Finance Dept: only software with at least 10,000 users and over 2 months old.
– Help Desk: can install medium-reputation software with at least 100 other users.
– Developers: no restrictions, but machines must comply with access control policies.
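As an added illustration (not from the briefing and not Symantec's product code), here are the risk-tolerance policies above expressed as a small policy check over Insight-style file context; the reputation band labels, the 60-day reading of “2 months”, the long-tail cut-offs and the sample files are assumptions of this example.

```python
from __future__ import annotations
from dataclasses import dataclass

BAD, MEDIUM, GOOD = "bad", "medium", "good"   # reputation bands (labels assumed)

@dataclass(frozen=True)
class FileContext:
    """Context an Insight-style lookup returns for one binary (constructed here)."""
    digest: str         # placeholder, not a real file hash
    prevalence: int     # how many users have the file
    age_days: int       # days since the file was first seen
    reputation: str     # BAD, MEDIUM or GOOD

# Per-group thresholds from the slide; "2 months" is taken as 60 days.
# None means the group has no reputation restriction at all.
POLICIES = {
    "finance": {"min_users": 10_000, "min_age_days": 60},
    "help_desk": {"min_users": 100, "min_age_days": 0},
    "developers": None,
}

def decide(group: str, ctx: FileContext) -> tuple[str, str]:
    """Allow or block installing ctx under the group's policy, with the reason."""
    if ctx.reputation == BAD:
        return "block", "bad reputation"        # known-bad is blocked for everyone
    policy = POLICIES[group]
    if policy is None:
        return "allow", "no reputation restriction"
    if ctx.prevalence < policy["min_users"]:
        return "block", f"{ctx.prevalence} users, policy needs {policy['min_users']}"
    if ctx.age_days < policy["min_age_days"]:
        return "block", f"{ctx.age_days} days old, policy needs {policy['min_age_days']}"
    return "allow", "meets prevalence and age thresholds"

def long_tail(files: list[FileContext], max_users: int = 100, max_age_days: int = 7) -> list[str]:
    """Digests of low-prevalence, recently seen files: the region where neither
    blacklists nor whitelists help and behavioural monitoring (SONAR) matters."""
    return [f.digest for f in files if f.prevalence < max_users and f.age_days < max_age_days]

# Constructed sample lookups (digests are placeholders).
SAMPLES = [
    FileContext("placeholder-1", 2_000_000, 400, GOOD),   # widely used, mature
    FileContext("placeholder-2", 250, 30, MEDIUM),        # niche utility
    FileContext("placeholder-3", 3, 1, MEDIUM),           # brand new and rare
    FileContext("placeholder-4", 50_000, 10, BAD),        # known-bad, widely spread
]

if __name__ == "__main__":
    for group in POLICIES:
        for f in SAMPLES:
            print(group, f.digest, *decide(group, f))
    print("needs behavioural scrutiny:", long_tail(SAMPLES))
```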
20 Symantec Online Network for Advanced Response (SONAR). This information enables three new features.
21 What do the hackers think about SONAR? (Forum post by M0D3RN H4X3R 2): Doesn't matter, your crypted viruses, keyloggers, RATs etc. never made it past Norton SONAR 2 anyways =/ (This is in Norton IS and AV 2010, Norton 360 V4.) And it detects all hooks and the other method I can't remember to record keylogs. RATs and bots will be detected by SONAR 2 as always, crypted or non-crypted, even runtime crypted (Norton deletes EVERY runtime crypted file after it's run), and it never even gets time to execute. I honestly can't get past it, and no one here has. Norton has really killed our 100% FUD viruses with SONAR 2 and Insight. Plus, it submits all your files SONAR 2 and Insight picks up. Pull quote: “I honestly can’t get past it, and no one here has. Norton has really killed our 100% FUD Viruses with SONAR 2”
Now, let's review how Symantec Insight and SONAR are utilized to strengthen and augment security in SEP 11, as well as to reduce false positives.
23 The Security Stack – for 32 & 64 bit systems (layers: Network IPS & Browser Protect & FW; Insight Lookup; Heuristics & Signature Scan; Real-time behavioral SONAR). IPS & Browser Protection / Firewall: Network & Host IPS monitors vulnerabilities, monitors traffic and looks for system changes; stops stealth installs and drive-by downloads; focuses on the vulnerabilities, not the exploit; improved firewall supports IPv6 and enforces policies.
24 Insight – Provides Context (layers: Network IPS & Browser Protect; Insight; Heuristics & Signature Scan; Real-time behavioral SONAR). Insight: reputation on 2.5 billion files, adding 31 million per week; identifies new and mutating files; feeds reputation to our other security engines; only system of its kind.
25 File Scanning (layers: Network IPS & Browser Protect; Insight; Heuristics & Signature Scan; Real-time behavioral SONAR). Heuristics & Signature Scan: cloud and local signatures; new, improved update mechanism; most accurate heuristics on the planet; uses Insight to prevent false positives.
26 SONAR – Completes the Protection Stack (layers: Network IPS & Browser Protect; Insight Lookup; File-based protection – signatures/heuristics; Real-time behavioral SONAR). SONAR: monitors processes and threads as they execute; rates behaviors; feeds Insight; only hybrid behavioral-reputation engine on the planet; monitors 400 different application behaviors; selective sandbox (e.g. Adobe).
What about the actual performance impact on the client with SEP 12?
28 SEP Client Impact on Memory Use: Symantec Endpoint Protection uses 66% less memory than McAfee and 76% less memory than Microsoft. (Memory usage chart: PassMark™ Software, Feb.,
Will SEP 12 do anything to continue improving performance for guests in virtual environments?
30 SEP 12 Built for Virtual Environments: Virtual Client Tagging; Virtual Image Exception; Shared Insight Cache; Resource Leveling. Together – up to 90% reduction in disk IO.
31 Centralized Security Management – plus convergence and integration with operational tools: Symantec Management Platform; IT Analytics for SEP; Workflow; SPC v1; SPC v2
32 Symantec Management Platform – Path to Full PC Lifecycle Management
– Altiris Client Management Suite: policy-based software delivery; application management; software virtualization; patch management; backup and recovery; application usage; remote control.
– Altiris Software Delivery Suite: apply patches; ensure software is installed and stays installed; report machines not connecting; identify missing hard drives.
– Symantec Endpoint Protection Integrated Component: streamline migrations; initiate scans or agent health tasks; dashboards integrate security and operational information.
33 Enhanced Reporting – IT Analytics for SEP
– Ad-hoc data mining: pivot tables; data from multiple Symantec Endpoint Protection Servers; break down by virus occurrences, computer details, history of virus definition distribution...
– Charts, reports and trend analysis: alert & risk categorization trends over time; monitor trends of threats & infections detected by scans.
– Dashboards: overview of clients by version; summary of threat categorization and action taken for a period of time; summary of virus and IPS signature distribution.
34 Workflow – Integrate IT Tools to Match Business Processes: graphical tool; integration across products; 3rd-party integration; process control; timeouts; escalations; delegation; auditing.
35 Symantec Protection Center v1 – Centralized Security Console
– Features: Single Sign-On; central access to products; reports and dashboards; basic GIN feeds.
– Product coverage: Symantec Endpoint Protection; Symantec Network Access Control; Symantec Data Loss Prevention; Symantec Critical Systems Protection; IT Analytics; Symantec Brightmail Gateway.
36 Symantec Protection Center v2 (diagram)
– Managed products: Symantec EP and NAC; Data Loss Prevention; Control Compliance Suite; Endpoint Management; Encryption; Symantec Protection Suites; 3rd-party / cloud-based products.
– Capabilities: cross-product reports & dashboards; cross-product automation; Single Sign-On and console access; data feeds; Protection Center Appliance; GIN feeds; native management for select products.
37 Thank You! Bill Musson