Symantec Endpoint Protection Technical Review
Brian Pallozzi, CISSP, Principal Sales Engineer
Agenda
1. Enterprise Security Protection Stack
2. What’s new (RU6)
3. Architectures
4. Suggestions
The Changing Threat Landscape: An Explosion of Malware
• In 2000: 5 signatures a day
• In 2007: 1,500 signatures a day
• In 2009: >15,000 signatures a day
  • 3 billion attacks blocked
  • 240 million variants
  • Highly targeted threats
• In 2010: 25,000 detections a day
Industry Recognition
• Consumer Endpoint Security (#1 market position¹)
• Endpoint Security (#1 market position², positioned in Leader’s Quadrant in Gartner Magic Quadrant³)
• Messaging Security (#1 market position⁴, positioned in Leader’s Quadrant in Gartner Magic Quadrant⁵)
• Policy & Compliance (#1 market position⁶)
• Email Archiving (#1 market position⁷, positioned in Leader’s Quadrant in Gartner Magic Quadrant⁸, Forrester Wave leader⁹)
• Data Loss Prevention (#1 market position, Gartner Magic Quadrant¹⁰ and Forrester Wave leader¹¹)
• Security Management (#1 market position¹²)
• Security Information & Event Management (SIEM) (positioned in Leader’s Quadrant in Gartner Magic Quadrant¹³)
(Chart: WW Corporate Endpoint Security Leadership, IDC 2009: Symantec 23%. Source: IDC WW Corporate Endpoint Market 2008.)
Ingredients for Endpoint Security
• Symantec Endpoint Protection 11.0: Antivirus, Antispyware, Firewall, (Network) Intrusion Prevention, Device Control, Application Control, TruScan
• Symantec Network Access Control 11.0: Network Access Control
Symantec Endpoint Protection 11.0 and Symantec Network Access Control 11.0: Single Agent, Single Console
Results:
• Increased protection, control & manageability
• Reduced cost, complexity & risk exposure
Single Agent: Client User Interface (UI)
• Client UI focused on ease of use for end users
• Enables users to quickly view settings and navigate
Antivirus
Virus Definition Update Options
Enterprises can choose from several flexible update options:
• Customers can choose how and when to deploy virus definition updates.
• Updates are hosted on thousands of servers worldwide.
• Microdef technology keeps the download to the desktop small (~250K/day).
• Fully certified AV content updates are available for SEP three times per day.
Improved Detection and Removal
• Repair engine (Eraser) is extensible
  • Improvements are ongoing
  • Not dependent on new releases
• SEP 11
  • Lower-level rootkit detection
  • Admin-specified homepage restore
  • Surgical cookie cleanup
(Diagram: Eraser bypasses the Microsoft file system API in user mode and performs a direct volume scan through the Windows file system and volume manager in kernel mode, below the points where rootkits hook.)
Client Performance Enhancements
• Quicker on-demand scans due to load point caching
• Eraser performance improvements
• On-demand scan tuning
“On the machines I tested, the end-user experience was pleasant. I could easily perform other tasks and switch between applications – in fact, even for the balanced scans … if I didn’t hear the hard disk, I might not have known it was spinning.” – Feedback from external test customer
Testing Groups
• Virus Bulletin 100: http://www.virusbtn.com
• AV-Test.org: http://avtest.org
• AV Comparatives: http://www.av-comparatives.org
• Anti-Malware Testing Standards Organization: http://www.amtso.org/
Third Party Efficacy Tests
• Third party reviews validate effectiveness
• High detection rates in real tests
• Low false positives
Proactive Technologies
TruScan: Behavioral Detection Engine
1. Enumerate processes: enumerate all processes & embedded components
2. Analyze process behavior: assess behavior & characteristics of each process
3. Score each process: detection routines are weighted & processes are classified
4. Automatic protection: malicious code is identified, reported & automatically mitigated
• Detects 1,000 new threats/month not detected by leading AV engines
• Very low (0.004%) false positive rate
A New Approach – Behavioral Detection Engine
• Each engine has two sets of detection modules:
  • Pro-valid = evidence of valid application behavior
  • Pro-malicious = evidence of malicious application behavior
• Each detection module has a weight
  • The weight indicates the importance of the behavioral trait
• Each process gets 2 scores:
  • Valid Score = measure of how valid the process is
  • Malicious Score = measure of how malicious the process is

$\text{Trojan Score} = \sum_{i=1}^{N} a_i T_i$ (pro-malicious modules $T_1, T_2, \dots, T_N$ with weights $a_1, a_2, \dots, a_N$)

$\text{Valid Score} = \sum_{i=1}^{M} b_i V_i$ (pro-valid modules $V_1, V_2, \dots, V_M$ with weights $b_1, b_2, \dots, b_M$)

** Caveat: It’s not as simple as this – detection modules are cooperative
A Good Engine Will Create Separation Between Valid Applications & Malicious Code
(Chart: score distributions for valid applications and for malicious code; adjust scores (sensitivity settings) to reduce FPs.)
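As an added illustration (not Symantec’s implementation, module list or weights), the two-score model from the formula above in Python: hypothetical pro-valid and pro-malicious modules with weights, the two sums per process, and the sensitivity setting modelled as a margin the malicious score must exceed before a process is convicted:

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed illustration of the slide's model: pro-malicious modules T_i with
# weights a_i, pro-valid modules V_i with weights b_i. A module contributes its
# weight when the trait it looks for was observed. Module names and weights are
# hypothetical, not TruScan's; cooperation between modules is not modelled.

@dataclass(frozen=True)
class Module:
    name: str
    weight: int       # a_i for a pro-malicious module, b_i for a pro-valid one
    malicious: bool   # True: counts toward the Malicious (Trojan) Score

MODULES = [
    Module("signed_by_trusted_publisher", 6, malicious=False),
    Module("visible_window_with_user_interaction", 3, malicious=False),
    Module("installed_via_msi", 3, malicious=False),
    Module("injects_into_other_process", 5, malicious=True),
    Module("adds_run_key_and_hides_window", 4, malicious=True),
    Module("installs_keystroke_hook", 6, malicious=True),
]

def score(traits: set[str]) -> tuple[int, int]:
    """Return (valid_score, malicious_score), i.e. (sum b_i*V_i, sum a_i*T_i)
    with V_i / T_i = 1 when the module's trait is in the observed set."""
    valid = sum(m.weight for m in MODULES if not m.malicious and m.name in traits)
    malicious = sum(m.weight for m in MODULES if m.malicious and m.name in traits)
    return valid, malicious

def classify(traits: set[str], margin: float = 1.0) -> str:
    """Convict only when malicious evidence exceeds valid evidence times the
    margin. Raising the margin is the 'adjust scores (sensitivity settings) to
    reduce FPs' knob: a signed program needs more malicious evidence to be hit."""
    valid, malicious = score(traits)
    return "malicious" if malicious > margin * valid else "valid"

def separation(samples: dict[str, set[str]], margin: float = 1.0) -> dict[str, str]:
    """Classify a batch of observed processes (name -> observed traits)."""
    return {name: classify(traits, margin) for name, traits in samples.items()}

# Constructed observations for three processes (not real telemetry)
SAMPLES = {
    "office_app.exe": {"signed_by_trusted_publisher", "visible_window_with_user_interaction"},
    "dropper.exe": {"injects_into_other_process", "adds_run_key_and_hides_window",
                    "installs_keystroke_hook"},
    "signed_keylogger.exe": {"signed_by_trusted_publisher", "installs_keystroke_hook",
                             "adds_run_key_and_hides_window"},
}
```

With the default margin the signed keylogger is still convicted (10 > 6); a margin of 2.0 would let it through, which is the false-positive/false-negative trade-off the sensitivity setting controls.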
Device Control
• Block devices by type (Windows Class ID)
• Supports all common ports
  • USB, Infrared, Bluetooth, Serial, Parallel, FireWire, SCSI, PCMCIA
• Can block read/write/execute from removable drives*
• Example: block all USB devices except USB mouse and keyboard
Peripheral Device Control example: W32.SillyFDC
• Targets removable memory sticks
• Spreads by copying itself onto removable drives such as USB memory sticks
• Automatically runs when the device is connected to a computer
Application Control
• Registry Access Control: controls access and writing to registry keys
• Module & DLL Loading Control: blocks applications from loading modules
• Process Execution Control: blocks unwanted programs from running
• File Access Control: blocks unwanted access to files or folders (diagram example: \WINDOWS\system32\)
• Application Behavior Analysis: monitors behavior of applications
System Lockdown Features
• Prevents unauthorized code from running on the protected system
  • Malware
  • Unauthorized applications
• Creates a digital inventory of the system
  • Checksum.exe tool builds the inventory
  • Create multiple inventories per server
  • Fingerprints all executables (exe, com, dll, ocx, etc.)
• Blocks anything not on the list from execution
Network Threat Protection
Network Threat Protection Key Features
• Best-of-breed rule-based firewall engine
• Inspects encrypted and cleartext network traffic
• IPS engine
  • Generic Exploit Blocking (GEB)
  • Packet- and stream-based IPS
  • Custom IPS signatures similar to Snort™
• Autolocation switching
(Diagram: threat classes addressed – Back Door, Blended Threat, Buffer Overflow, Known Exploits.)
Best-of-Breed Personal Firewall
Personal Firewall Features
• Rule-based firewall engine
• Firewall rule triggers
  • Application, host, service, time
• Full TCP/IP support
  • TCP, UDP, ICMP, Raw IP Protocol
• Support for Ethernet protocols
  • Allow or block Token Ring, IPX/SPX, AppleTalk, NetBEUI
• Able to block protocol drivers
  • E.g., VMware, WinPcap
• Adapter-specific rules
DPI Firewall
• Deep Packet Inspection engine employs IDP
• Regular expression support
• Allows custom signatures
Intrusion Prevention Features
• Combines Generic Exploit Blocking (GEB) and SCS IDS with Sygate IDS
• Deep packet inspection
• Sygate IDS engine allows admins to create their own signatures
  • Uses signature format similar to SNORT™
  • Regex support
• Signatures applied only to vulnerable applications
• Resistant to common and advanced evasion techniques
(Diagram: Intrusion Prevention System = Signature IDS + GEB + Custom Sig Engine, inspecting RPC, SMTP, SSH, HTTP, IM and FTP traffic.)
Example custom signature:
    rule tcp, tcp_flag&ack, daddr=$LOCALHOST, msg="[182.1] RPC DCOM bufferoverflow attempt detected", content="\x05\x00\x00\x03\x10\x00\x00\x00"(0,8)
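An added example, not Symantec’s engine, that parses the custom signature above and evaluates it against constructed traffic. It assumes the (0,8) suffix is a Snort-style offset/depth window for the content match, that the content string uses only \xNN escapes, and that $LOCALHOST is an admin-defined variable (here given a constructed value):

```python
import re
# Constructed example of a parser/matcher for the Sygate-style custom IPS rule
# shown on the slide. Assumed: fields are comma-separated outside quotes and
# parentheses, "(0,8)" means offset 0 / depth 8 as in Snort, and the content
# string uses only \xNN escapes. Not Symantec's code.

RULE = (r'rule tcp, tcp_flag&ack, daddr=$LOCALHOST, '
        r'msg="[182.1] RPC DCOM bufferoverflow attempt detected", '
        r'content="\x05\x00\x00\x03\x10\x00\x00\x00"(0,8)')
VARIABLES = {"$LOCALHOST": "10.0.0.5"}   # constructed value for the variable

# Split on commas that sit outside double quotes and outside parentheses
_FIELD_SEP = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)(?![^(]*\))')
_CONTENT = re.compile(r'content="(.*)"\((\d+),(\d+)\)')

def decode_escapes(text: str) -> bytes:
    """Turn backslash-x hex escapes into raw bytes; other characters pass through."""
    return re.sub(r'\\x([0-9a-fA-F]{2})',
                  lambda m: chr(int(m.group(1), 16)), text).encode("latin-1")

def parse_rule(rule: str) -> dict:
    fields = [f.strip() for f in _FIELD_SEP.split(rule)]
    head = fields[0].split()
    if len(head) != 2 or head[0] != "rule":
        raise ValueError("expected 'rule <proto>' as the first field")
    parsed = {"proto": head[1], "flags": set(), "daddr": None, "msg": "", "content": None}
    for field in fields[1:]:
        if field.startswith("tcp_flag&"):          # a TCP flag that must be set
            parsed["flags"].add(field.split("&", 1)[1])
        elif field.startswith("daddr="):            # destination, variable resolved
            parsed["daddr"] = VARIABLES.get(field[6:], field[6:])
        elif field.startswith("msg="):
            parsed["msg"] = field[4:].strip('"')
        elif field.startswith("content="):
            m = _CONTENT.fullmatch(field)
            if m is None:
                raise ValueError(f"bad content field: {field}")
            parsed["content"] = (decode_escapes(m.group(1)), int(m.group(2)), int(m.group(3)))
    return parsed

def matches(parsed: dict, proto: str, flags: set, daddr: str, payload: bytes) -> bool:
    """Protocol, every required flag, destination and the content pattern
    (searched only inside its offset/depth window) must all match."""
    if proto != parsed["proto"] or daddr != parsed["daddr"] or not parsed["flags"] <= flags:
        return False
    pattern, offset, depth = parsed["content"]
    return pattern in payload[offset:offset + depth]

RPC_LIKE = b"\x05\x00\x00\x03\x10\x00\x00\x00" + b"\x00" * 16   # constructed: rule's 8 bytes + padding
SMTP_LIKE = b"EHLO mail.example.test\r\n"                        # constructed: unrelated traffic
```

Because the depth window is 8 bytes, the same pattern arriving a few bytes later in the payload does not fire the rule; that is the per-application, position-specific matching the slide describes rather than a whole-stream substring search.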
AutoLocation Switching Enhancements
(Diagram: Corporate LAN applies Policy: Office; VPN and remote locations (home, coffee shop, hotel, etc.) apply Policy: Remote.)
AutoLocation triggers:
• IP address (range or mask)
• DNS server
• DHCP server
• WINS server
• Gateway address
• TPM token exists (hardware token)
• DNS name resolves to IP
• Policy Manager connected
• Network connection type (wireless, VPN, Ethernet, dial-up)
• Supports and/or relationships between triggers
Network Access Control / Policy Compliance
Symantec Network Access Control
Ensures endpoints are protected and compliant prior to accessing network resources
• Enforce policy before access is granted
• Choose quarantine, remediation or federated access
  • Execute updates, programs, services, etc.
  • Limit connection to VLAN, etc.
• Broadest enforcement options of any vendor
  • Remote connectivity (IPSec, SSL VPN)
  • LAN-based, DHCP, Appliance
  • Standards-based, CNAC, MSNAP
Architecture
Symantec Endpoint Protection Manager (SEPM)
• SQL data store: policies, events & logs, security content, reporting data, state information, updates and patches
• Java-based console: policy management, agent management, roles and administration, launch reports, view alerts
(Diagram: the console connects to the SEPM over HTTPS; Symantec Endpoint clients on servers, laptops and desktops connect to the SEPM over HTTP/S.)
Endpoint Policy Replication & High Availability Architecture
• Failover between management servers & data stores
(Diagram: several SEPMs per site in front of clustered databases, with datastore-to-datastore replication between sites.)
Management Server Hierarchy
Group Update Provider (small regional office)
• Small, simple, low-maintenance manager for small offices
• Only deltas replicated across WAN links
Data Replication (regional site: SEPM and datastore; main site: SEPMs and datastore)
• Site-to-site data replication for scalability & availability
• Customizable filters control what data is replicated between sites
Advanced Grouping Management
• Database
• Domains (e.g. Company 1, Company 2, Company 3)
• Groups
• Locations
• Clients
3rd Party Integration
• LDAP
• Active Directory
• Syslog
• RSA
Basic Reporting and Alerting
• Scheduled email reports
• 52 default reports
• Monitors
• Customizable dashboard
• Notifications
New in Release Update 6
• Macintosh Antivirus Management
• Scan Randomization
• Telemetry Support
• Web-Based SEPM Console
• Symantec Protection Center
• Symantec Endpoint Recovery Tool
New in RU6: Macintosh Management from SEPM Console
• Client package and group
• Policies
  • Antivirus and Antispyware policy
  • Centralized Exceptions policy
  • LiveUpdate policy
• Run commands
  • Enable Auto-Protect
  • Restart Client Computers
  • Scan
  • Update Content
  • Update Content and Scan
New in RU6: Symantec Endpoint Protection for Macintosh
• Macintosh Antivirus client managed by Windows SEPM
• Supports Mac OS X 10.4, 10.5, 10.6
• Supports migrating from Symantec Antivirus for Macintosh 10.x
• Supports G3, G4, G5 and Intel processors
New in RU6: Scan Randomization
• Allows the administrator to select a window of time within which a scheduled scan will kick off
  • Daily – up to 23 hours
  • Weekly – up to 167 hours
  • Monthly – up to 671 hours
• Improves support for virtual environments
• Available on Windows client only
New in RU6: Data Collection - Telemetry
• Collects and sends anonymous data to Symantec for the following purposes
  • To improve the product in the future
  • To improve customer support
• Able to opt out
• The following data is collected
  • SEP / SNAC enabled
  • SEP / OS version
  • Database stats
  • Free disk space, CPU and available memory
  • Major errors
  • Numbers collected: groups, domains, hosts, admin accounts, servers/site, clients from AD, alerts, replication errors, revisions kept, policies, computers per revision, enforcers, GUPs, percent of computers up to date
New in RU6: Web-based SEPM Console
• Does not require Java Runtime on the remote client side
• Easy to access using a web browser
• Supports Internet Explorer 7 & 8
New in RU6: Web-based Portal
• Manage multiple Symantec products through a single console:
  • Symantec Endpoint Protection
  • Symantec Web Gateway
  • Symantec Data Loss Prevention
  • Symantec Critical System Protection
  • Symantec IT Analytics
  • Symantec Brightmail Gateway
• Supports Internet Explorer 7 & 8
New in RU6: Symantec Endpoint Recovery Tool (SERT)
• Windows PE 2.1 based bootable CD
• Features:
  • Symantec Endpoint Encryption support
  • Launch command prompt prior to scanner
    • Allows use of third party disk access apps (BitLocker, etc.)
  • Use definitions from local media (USB, local disk, etc.) rather than downloading from the Internet – can also be used to scan with rapid release definitions
  • Download definitions from the Internet
  • No PIN code requirement (Norton Bootable Recovery Tool requires a PIN)
• Available through FileConnect
Advanced Reporting – Business Intelligence
Traditional Reporting
• Multiple report requests can hinder server performance
• Large databases or complicated queries may take a long time to run
• Canned reports offer limited options for customization or data analysis
IT Analytics
• Flexible ad-hoc/custom reporting
• Drill-down capabilities
• Multi-dimensional analysis
• Improved server performance
• Seamlessly export to Excel & PDF
(Diagram: SEP database feeds SQL 2005 Reporting Services and Analysis Services (Symantec Endpoint Protection Alert – Standard Cube, by Bay Dynamics), producing multi-dimensional ad-hoc/pivot table reporting, robust graphical dashboards, and pivot chart functionality with Excel export.)
Symantec Protection Center: Intelligent Management Integration
(Diagram: Endpoint Protection, Network Access Control, Data Loss Prevention, Server Protection, Messaging Security and Web Security feed the Symantec Protection Center for reporting and analytics.)
• VISIBILITY - Pinpoint relevant security threats promptly
• RESPONSE - Accelerate time to protection
• EFFICIENCY - Increase productivity of security operations
New in RU6: Power Eraser
• Designed to complement mainline antivirus applications by detecting and remediating specific types of threats:
  • New variants of existing threats for which there is no coverage by the current definition sets
  • Fake antivirus applications and other rogue-ware
  • Rootkits
  • System settings that have been tampered with maliciously
• Because Symantec Power Eraser uses aggressive methods to detect these threats, there is a risk that it can select some legitimate programs for removal. Use standard antivirus applications and troubleshooting techniques first; if they do not remove all of the threats, use Symantec Power Eraser.
• Available from the “Help and Support” button on the client.
New in RU6: Power Eraser
• Part of the Symantec Endpoint Protection Support Tool
• Aggressive scanning
• Support Tool then finishes scanning
New in RU6: Support Tool
Designing and Sizing the Correct SEP Architecture