
Next Generation Symantec Endpoint Protection 12.1
Unrivaled Security. Blazing Performance. Built for Virtual Environments.
Gunnar Kr Kopperud, Principal Security Engineer

Symantec Endpoint Protection 12.1: Driven by Key IT Security Trends

- Targeted and rapidly mutating attacks
- Virtualization has become the rule
- Social networks and socially engineered attacks
- Increased cost of incidents
Threat Landscape: Who is being attacked

Targets: small businesses, end-users, governments, enterprises

Attack types and consequences:
- Targeted attacks
- Bank accounts
- ID theft
- Cyber sabotage
- Data breaches
- Business disruption
- Scammed for dollars
- Cyber espionage
- End-user disruption
- DDoS attacks
- Removal costs
- Hacktivism

Threat Landscape: 2010 Explosion of Threats

(Chart: 10M signatures, 286M malware variants, 3.1B malware attacks)

Threat Landscape: What do they do?

- Steal resources: send spam; act as part of a DDoS attack. Example: Rustock
- Steal information: steal sensitive info, e.g. banking credentials. Example: Zeus
- Extort money: the old-fashioned con; sit back and wait for the dollars to roll in. Example: Rogue AV
- Destroy: hacktivism; cyber-sabotage. Example: Stuxnet

The Problem

- 75% of malware infects fewer than 50 machines
- The average malware sample infects only 20 machines
- Many infections are seen on a single machine only

Threat Landscape: Trends that will change the threat landscape

(Figure: the signature model, one signature per variant such as Trojan.x, Trojan.y, Trojan.z, Trojan.v, shown alongside Reputation, across desktop, server, phone/tablet, cloud and virtual endpoints)

Threat Summary

- Malware continues to be a threat to business, government and consumers
- Social engineering has spread to all forms of interaction users have on-line, with the ultimate goal of stealing resources, information and money
- With the introduction of Stuxnet, cyber-sabotage has become a real threat for governments and infrastructure providers
- Attacker tools have created a robust eco-system for hackers, creating an explosion of malware and increasing the ability of even average hackers to evade detection
- New computing trends will affect protection policies but not the need to defend against malware
- While hackers have evolved, so has Symantec, with new ways to fight malware, like Reputation

ISTR XVI - Threat Landscape: 2010 Overarching Themes

Threat Landscape: Mobile Threats

- Most malware for mobiles are Trojans posing as legitimate apps
- Mobile vulnerabilities: 115 in 2009, 163 in 2010
- Mobiles will be targeted more when used for financial transactions

Source: Symantec Internet Security Threat Report (ISTR), Volume 16

Stay Informed: Additional Resources

- Build Your Own ISTR: go.symantec.com/istr
- Daily measure of global cybercrime risks: nortoncybercrimeindex.com
- Stay abreast of the latest threats: Twitter.com/threatintel

Source: Symantec Internet Security Threat Report (ISTR), Volume 16

Malware Authors Have Switched Tactics

75% of malware is rapidly mutating.

From: a mass distribution model, where one worm hits millions of PCs. Storm made its way onto millions of machines across the globe.

To: a micro distribution model, where a hacked web site builds a trojan for each visitor. The average Harakit variant is distributed to 1.6 users!

If we track every file on the internet, new or mutated files will stick out, because only malware mutates rapidly. Insight spots rapidly changing and mutated files, which leads us to ask:

- How many copies of this file exist?
- How new is this program? How old is the file?
- Is it signed? Who created it? Who owns it?
- How often has this file been downloaded?
- How many people are using it?
- Where is it from?
- Does it have a security rating?
- Have other users reported infections?
- Is the source associated with infections? With SPAM? With many new files?
- Is the file associated with files that are linked to infections?
- Does the file look similar to malware?
- How will this file behave if executed? What rights are required?
- What does it do?

The Problem: Millions of file variants (good and bad)

So imagine that we know about every file in the world today, how many copies of each exist, and which files are good and which are bad. Now let's order them by prevalence, with bad on the left and good on the right.

The Problem: No Existing Protection Addresses the Long Tail

Today, both good and bad software obey a long-tail distribution. Blacklisting works well for the high-prevalence bad files and whitelisting works well for the high-prevalence good files. Unfortunately neither technique works well for the tens of millions of files with low prevalence, but this is precisely where the majority of today's malware falls. For this long tail a new technique is needed.

(Chart: prevalence of bad files and good files; the long tail of low-prevalence files lies between them)

Insight: Because the context of a file is as telling as its content

Reputation is derived from context such as prevalence (low or high) and age (new or old), combined with questions like: How will this file behave if executed? What rights are required? Is the file associated with files that are linked to infections? Does the file look similar to malware? How old is the file? Is the source associated with SPAM? Have other users reported infections? Who created it?

(Chart: files placed on a BAD / GOOD scale against prevalence LOW / HI and age NEW / OLD)

How Symantec Insight Works

1. Build a collection network of 175 million PCs
2. Rate nearly every file on the internet (2.5 billion files)
3. Check the DB during scans: Is it new? Bad reputation? Prevalence?
4. Look for associations: age, source, behavior, associations
5. Provide actionable data
Symantec Endpoint Protection: Single Agent, Single Console

Components: antivirus, antispyware, firewall, intrusion prevention, device and application control, network access control (Symantec Network Access Control), built for virtualization.

- Increased protection, control and manageability
- Reduced cost, complexity and risk exposure

What's New

- Unrivaled Security: powered by Insight; real time behavior monitoring with SONAR
- Blazing Performance: up to 70% reduction in scan overhead; smarter updates; faster management
- Built for Virtual Environments: tested and optimized for virtual environments; higher VM densities

The Security Stack for 32 and 64 bit systems

Layers: network IPS, browser protection and firewall; Insight lookup; heuristics and signature scan; real time behavioral (SONAR).

IPS and Browser Protection
- Firewall
- Network and host IPS: monitors vulnerabilities, monitors traffic, looks for system changes
- Stops stealth installs and drive-by downloads
- Focuses on the vulnerabilities, not the exploit
- Improved firewall supports IPv6 and enforces policies

Insight Provides Context

- Reputation on 2.5 billion files, adding 31 million per week
- Identifies new and mutating files
- Feeds reputation to the other security engines
- Only system of its kind

File Scanning

- Cloud and local signatures
- New, improved update mechanism
- Most accurate heuristics on the planet
- Uses Insight to prevent false positives

SONAR Completes the Protection Stack

- Monitors processes and threads as they execute
- Rates behaviors
- Feeds Insight
- Only hybrid behavioral-reputation engine on the planet
- Monitors 400 different application behaviors
- Selective sandbox (e.g. Adobe)

Why Insight?

Insight is not a replacement technology; it makes the other technologies more powerful, on both the security and the performance side.

Download Insight
Download Insight is a technology that checks the reputation of binaries being downloaded and blocks them if they are bad. Download Insight scans files when they are downloaded using what we term a portal application (e.g. Firefox, IE).

SONAR real-time behavioral protection (32 and 64 bit support)

- Artificial intelligence behavior surveillance: system behavior, misbehaving applications
- Security Response authored infection flow
- Host file and DNS modification prevention
- Processes, registry and files (SymProtect)
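What "host file and DNS modification prevention" guards against is malware rewriting the hosts file to pin security-vendor or update hostnames to an attacker address, or to 127.0.0.1 so updates silently fail. The following check is an added example written for this page; it is not Symantec code and does not show how SONAR implements its protection. The watch list, the hostnames and the sample hosts file are constructed for the example.

```python
"""Hosts-file tamper check (added example, not Symantec code).
Flags watched hostnames that appear in the hosts file at all, and the
localhost entry when it no longer points at loopback."""
import ipaddress

# Constructed watch list: names nothing legitimate should pin in hosts.
WATCHED_DOMAINS = {
    "update.av-vendor.test",
    "liveupdate.av-vendor.test",
    "login.bank.test",
}

LOOPBACK_ONLY = {"localhost", "localhost.localdomain"}

# Constructed sample: a benign hosts file plus two malicious lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.1.2.3        build-server.corp.test        # legitimate internal pin
127.0.0.1       update.av-vendor.test liveupdate.av-vendor.test
203.0.113.7     login.bank.test
"""

def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping, one per hostname.
    Handles comments, blank lines, tabs and several names on one line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            # Malformed address: skip it rather than crash on a hostile file.
            continue
        for name in fields[1:]:
            yield ip, name.lower(), line_no

def check_hosts(text, watched=WATCHED_DOMAINS):
    """Return a list of findings, each (line_no, hostname, ip, reason)."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if name in watched:
            if ip.is_loopback:
                reason = "watched domain blackholed to loopback (update blocking)"
            else:
                reason = "watched domain redirected (pharming)"
            findings.append((line_no, name, str(ip), reason))
        elif name in LOOPBACK_ONLY and not ip.is_loopback:
            findings.append((line_no, name, str(ip), "localhost not on loopback"))
    return findings

if __name__ == "__main__":
    for finding in check_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s: %s" % finding)
```

A prevention product would hook the write to the hosts file and block it; a detection script like this one is the cheaper after-the-fact check, and the same logic applies to a DNS resolver configuration that has been pointed at an unexpected server.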

Improved IPS

A group of layered security engines aimed at stopping malware from getting on to user systems over the network. All engines are content driven and the content is rapidly updatable with new protection. IPv6 support.

- Network IPS (network intercept): scans all network traffic and applies protection against a library of vulnerability signatures. Intercept point: network traffic
- Canary (browser intercept): browser protection against heavily obfuscated attacks. Intercept point: browser script API calls
- UXP (system intercept): generic signature-less exploit protection for browsers against 0-day attacks. Intercept point: system API calls

Application and Device Control

- x64 support
- Server OS support
- Improved logging
- Upgraded default policies, tuned for today's threat landscape

Insight: Where does it fit into SEP 12.1's protection stack

(Diagram, across the network/browsing, download/read/write, scan and execute phases: Network Threat Protection with firewall, intrusion prevention engine, browser protection and UXP; AV/AS with AutoProtect, Download Insight backed by Insight lookup and reputation-backed heuristics, and Bloodhound heuristics; SONAR with behavioural heuristics, system change detection and suspicious behaviour detection)

Insight Report: Downloaded Risk Distribution

Troubleshooting: Insight (cont.)

- Mitigation of possible false positives via logging
- Create an exception directly from the SEPM console Risk log
- Add an exception from the Exceptions Policy
- The administrator can see if the user allowed the application

Insight: Blazing Performance with Reputation-Optimized Scanning

Why scan known good files over and over? On a typical system, 70% of active applications can be skipped!

- Traditional scanning has to scan every file
- Reputation-optimized scanning skips any file we are sure is good, leading to much faster scan times

The Results are In: Symantec Endpoint Protection 12.1

(Charts: threats detected, threats removed, scan time and memory by vendor)

- Detected 25% more threats than any other vendor tested
- Detected 6x as many threats as Microsoft
- Removed more threats than any other vendor tested, including 36% more than McAfee and more than 4x the number as Trend Micro
- Scanned faster, used less memory and outperformed all products in its class
- Scanned 3.5x as fast as McAfee and used 66% less memory than Microsoft

Policies based on Risk

- Finance Dept: only software with at least 10,000 users and over 2 months old
- Help Desk: can install medium-reputation software with at least 100 other users
- Developers: no restrictions, but machines must comply with access control policies
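The three group policies above are a decision over a file's prevalence, age and rating. The following is an added example written for this page, not Symantec code and not how SEP evaluates its policies; it turns the slide's thresholds into one decision function over constructed file metadata of the kind a reputation lookup returns. The rating scale, the evaluation date, the 60-day reading of "over 2 months" and the sample files are assumptions.

```python
"""Reputation-gated execution policy (added example, not Symantec code)."""
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class FileReputation:
    sha256: str        # identifies the file (placeholder values below)
    users: int         # prevalence: how many users have this file
    first_seen: date   # age is measured from the first sighting
    rating: str        # "good", "medium", "bad" or "unknown" (assumed scale)

@dataclass(frozen=True)
class GroupPolicy:
    name: str
    min_users: int
    min_age_days: int
    allowed_ratings: frozenset   # "bad" is never allowed, see evaluate()

POLICIES = {
    # Finance: only software with at least 10,000 users and over 2 months old
    "finance": GroupPolicy("Finance Dept", 10_000, 60, frozenset({"good"})),
    # Help desk: medium-reputation software with at least 100 other users
    "helpdesk": GroupPolicy("Help Desk", 100, 0, frozenset({"good", "medium"})),
    # Developers: no reputation restrictions, but the host must be compliant
    "developers": GroupPolicy("Developers", 0, 0,
                              frozenset({"good", "medium", "unknown"})),
}

TODAY = date(2011, 11, 10)   # assumed evaluation date

# Constructed sample files; hashes are placeholders.
SAMPLE_FILES = {
    "established": FileReputation("aa11", 250_000, TODAY - timedelta(days=400), "good"),
    "fresh_popular": FileReputation("bb22", 20_000, TODAY - timedelta(days=30), "good"),
    "niche_tool": FileReputation("cc33", 150, TODAY - timedelta(days=90), "medium"),
    "brand_new": FileReputation("dd44", 2, TODAY, "unknown"),
    "known_bad": FileReputation("ee55", 50_000, TODAY - timedelta(days=10), "bad"),
}

def evaluate(policy, rep, today=TODAY, host_compliant=True):
    """Return (allowed, reason). Checks are ordered so the strongest
    signal (a bad rating) wins regardless of group."""
    if rep.rating == "bad":
        return False, "blocked: bad reputation"
    if not host_compliant:
        return False, "blocked: host fails access control policy"
    if rep.users < policy.min_users:
        return False, f"blocked: prevalence {rep.users} < {policy.min_users}"
    age_days = (today - rep.first_seen).days
    if age_days < policy.min_age_days:
        return False, f"blocked: age {age_days}d < {policy.min_age_days}d"
    if rep.rating not in policy.allowed_ratings:
        return False, f"blocked: rating {rep.rating!r} not allowed for {policy.name}"
    return True, "allowed"

def decide(group, file_key, host_compliant=True):
    """Convenience wrapper over the constructed samples."""
    return evaluate(POLICIES[group], SAMPLE_FILES[file_key],
                    host_compliant=host_compliant)

if __name__ == "__main__":
    for group in POLICIES:
        for key in SAMPLE_FILES:
            allowed, reason = decide(group, key)
            print(f"{group:10} {key:14} {reason}")
```

Note that a popular but brand-new file is still blocked for Finance: prevalence alone is exactly the signal a fast-spreading worm has, which is why the age threshold is a separate check rather than folded into the rating.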

Built for Virtual Environments

The Problem: Growth of Virtual Endpoints and the Threat Landscape

The scan storm: virtualization adoption and VDI growth meet growth in AV, IPS and proactive detection.

Built for Virtual Environments

- Optimized for VMware, Citrix and Microsoft virtual environments
- Easy to manage physical and virtual clients
- Shared scan cache: maximizes performance and density without sacrificing security
- Best in class performance and security

Built for Virtualization

- Virtual Image Exception: allows customers to exclude all files on a baseline image from scanning.
- Shared Insight Cache: a stand-alone server that enables clients to share scan results. This allows clients to skip scanning files that have already been scanned by another client.
- Virtual Client Tagging: makes the clients virtualization-aware and sends the hypervisor vendor back to SEPM. That data can be used in client searching and reporting.
- Scan Randomization: allows customers to select a window over time in which a scheduled scan will kick off.
- Offline Image Scanner: a stand-alone tool developed by STAR that can scan offline VMware image (VMDK) files.

Virtual Insight Features

- Virtual Image Exception: used on cloned images; excludes all files; reduces scan impact
- Shared Insight Cache: clients share scan results; scan files once; leverages Insight
- Virtual Client Tagging: identifies the hypervisor; set group-specific policy; search for virtual clients
- Resource Leveling: used for all virtual systems; reduces overlap of events such as scans and definition updates

Together these enhance management and reduce scan impact by ~90%
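The Shared Insight Cache described on the two slides above lets cloned clients skip files another client already scanned. What makes that safe is how the cache is keyed. The following is an added example written for this page; it is not Symantec's Shared Insight Cache and does not claim to match its protocol. It shows the two properties a practitioner should verify in any such cache: a clean verdict is keyed by the file's content hash and the definitions version that produced it, so a definitions update invalidates every cached verdict, and infected verdicts are never cached. The vote threshold, the toy engine and the VDI pool scenario are assumptions.

```python
"""Shared scan-results cache (added example, not Symantec code)."""
import hashlib
from collections import defaultdict

class SharedScanCache:
    """Stand-alone cache shared by many clients (one per VDI pool, say)."""

    def __init__(self, votes_required=1):
        self.votes_required = votes_required
        self.defs_version = None
        self._clean = defaultdict(set)   # sha256 -> clients that found it clean

    def set_definitions(self, version):
        # A file judged clean with yesterday's definitions may be detected
        # today, so a new version drops every cached verdict.
        if version != self.defs_version:
            self.defs_version = version
            self._clean.clear()

    def report_clean(self, client_id, sha256, defs_version):
        if defs_version != self.defs_version:
            return False          # client ran stale definitions: ignore
        self._clean[sha256].add(client_id)
        return True

    def is_known_clean(self, sha256, defs_version):
        if defs_version != self.defs_version:
            return False
        return len(self._clean.get(sha256, ())) >= self.votes_required

def scan_file(client_id, data, cache, defs_version, engine):
    """Return (verdict, scanned): scanned is False when the cache answered."""
    digest = hashlib.sha256(data).hexdigest()
    if cache.is_known_clean(digest, defs_version):
        return "clean", False
    verdict = engine(data, defs_version)
    if verdict == "clean":
        cache.report_clean(client_id, digest, defs_version)
    return verdict, True

def toy_engine(data, defs_version):
    """Constructed engine: version 2 definitions learn a new marker."""
    markers = [b"MALWARE-MARKER-A"]
    if defs_version >= 2:
        markers.append(b"MALWARE-MARKER-B")
    return "infected" if any(m in data for m in markers) else "clean"

def simulate():
    """Three cloned VDI clients scan the same files; then definitions update.
    Returns the sequence of (client, label, verdict, scanned)."""
    cache = SharedScanCache(votes_required=1)
    cache.set_definitions(1)
    base_dll = b"MZ..." + b"\x00" * 64            # identical across clones
    dropper = b"MZ..." + b"MALWARE-MARKER-B"       # unknown to version 1
    events = []
    for client in ("vdi-01", "vdi-02", "vdi-03"):
        for label, blob in (("base_dll", base_dll), ("dropper", dropper)):
            verdict, scanned = scan_file(client, blob, cache, 1, toy_engine)
            events.append((client, label, verdict, scanned))
    cache.set_definitions(2)                        # definitions update
    for client in ("vdi-01", "vdi-02"):
        for label, blob in (("base_dll", base_dll), ("dropper", dropper)):
            verdict, scanned = scan_file(client, blob, cache, 2, toy_engine)
            events.append((client, label, verdict, scanned))
    return events

if __name__ == "__main__":
    for event in simulate():
        print(event)
```

The simulation also shows the cost of the trade-off: under version 1 definitions the dropper is scanned once, found clean, and then served from the cache to the other clones without a scan, so a cached miss propagates across the pool until the next definitions update forces a rescan.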

IT Analytics - Symantec Endpoint Protection

- Ad-hoc data mining pivot tables: data from multiple Symantec Endpoint Protection servers; break down by virus occurrences, computer details, history of virus definition distribution . . .
- Charts, reports and trend analysis: alert and risk categorization trends over time; monitor trends of threats and infections detected by scans
- Dashboards: overview of clients by version; summary of threat categorization and action taken for a period of time; summary of virus and IPS signature distribution

SEP Reporting: tactical view of frontline endpoint defenses. Current view of events and the state of SEP clients.

IT Analytics: strategic view over time of endpoint defenses. Trend analysis and data mining via a consolidated view of multiple Endpoint Protection Managers.

Symantec Protection Center 2.0: single sign-on management as well as cross-product reporting and dashboards of Symantec Endpoint Protection, Messaging Gateway, SNAC and PGP Universal Server.

Symantec Protection Center 2.0

Key Customer Challenges

- Challenging threat landscape: more sophisticated external attacks; targeted malware attacks (Stuxnet); malicious insiders (WikiLeaks) and well-meaning insiders
- Evolving infrastructure: drive to adopt virtual and cloud-based infrastructures; need to embrace and secure a wide range of mobile devices
- Prioritization challenges: information explosion, prioritize what data to protect; growing number and diversity of devices, prioritize IT risks; changing compliance requirements

Combat Threats with Information Centric Management

- Completely protect the enterprise: develop and enforce IT policy; protect infrastructure; protect information; protect identities; manage systems
- Centrally view and manage information (by name, severity, type, count)
- Leverage local and global intelligence: local trends and events; global threat landscape

Context Creates Situational Awareness for Enterprises

Key considerations:
- Is this asset under compliance?
- Does this activity resemble a known attack?
- Is this system critical to the business?

Use Intelligence To Drive Targeted Security Response: move from reactive security management to information centric security management.

Research Powered by Global Intelligence Network

Identifies more threats, takes action faster and prevents impact.

Locations: Calgary, Alberta; San Francisco, CA; Mountain View, CA; Culver City, CA; Austin, TX; Dublin, Ireland; Tokyo, Japan; Chengdu, China; Taipei, Taiwan; Chennai, India; Pune, India

- Worldwide coverage, global scope and scale: 240,000+ sensors; 200+ countries and territories
- 24x7 event logging: 150M clients, servers and gateways monitored; global coverage
- Rapid detection of attack activity
- Malware intelligence
- Vulnerabilities: 35,000+ vulnerabilities; 11,000 vendors; 80,000 technologies
- Spam/phishing: 5M decoy accounts; 8B+ email messages/day; 1B+ web requests/day
- Preemptive security alerts; information protection; threat triggered actions

Symantec Protection Center

- Local and global threat intelligence: sensors in 200+ countries and territories
- Cross product reporting
- Accelerate time to protection: process automation
- Focus IT on business critical tasks: create event context; prioritized response
- Tiered integration across Symantec and 3rd party technologies

Symantec Protection Center: Relevant Actionable Security Intelligence

- Intelligence: identify emerging threats across local and global environments
- Priority: prioritize tasks based on role, context and severity
- Action: accelerate time to protection with relevant, actionable intelligence

What's New in 2.0?

- Three levels of integration: single sign-on, data collection, action
- Symantec Global Intelligence Network integration: basic event correlation
- Cross product reporting: malware, email, asset
- Dashboard notifications: role based prioritization
- Prebuilt workflow templates: Symantec Endpoint Protection
- Third party integration: open API and developer services

(Screenshots: Dashboard; Cross Product Reporting; Single Sign On)

The Symantec Endpoint Protection Family

Editions: SEP SBE 12.1 (5-99 seats), SEP.Cloud (5-99 seats), SEP 12.1 (100+ seats)

Features compared across the editions: seats; antivirus/antispyware; desktop firewall; intrusion detection/prevention; Insight / SONAR; protection for Mac OS X; protection for Linux; device and application control; Network Access Control self-enforcement ready; Symantec hosted infrastructure; built for virtual environments

Symantec Endpoint Protection 12: powered by Insight; unrivaled security; blazing performance; built for virtual environments

The Core IT Security Challenges and Symantec's IT Security Strategy

- Develop and enforce IT policies: policy driven and risk based (Control Compliance Suite)
- Protect the information: information and identity centric (Data Loss Prevention Suite and Encryption)
- Authenticate identities (VeriSign Identity and Authentication)
- Manage systems: well managed over a secure infrastructure (IT Management Suite)
- Protect the infrastructure (Symantec Protection Suites, Enterprise Security Strategy)

Protect The Infrastructure: Symantec Protection Suites (Enterprise Security Strategy)

- Monitor and correlate incidents
- Protect email and web
- Secure endpoints and harden critical servers
- Backup and recover data

Symantec Protection Suite Family

- Symantec Protection Suite Small Business Edition (< 50 seats; desktops and laptops): cost-conscious; more than AV; desktop backup and recovery; spam and phishing protection
- Symantec Protection Suite Advanced Business Edition (50-100 seats; backup servers, desktops and laptops): all-in-one; Small Business Edition PLUS data loss prevention technologies, SPAM protection at the gateway, server backup and recovery*
- Symantec Protection Suite Enterprise Edition (100-1000 seats; networks, heterogeneous servers, desktops and laptops): robust and flexible; more than AV; data loss prevention; desktop backup/recovery; spam and phishing protection at gateway and server; enhanced perimeter protection; network access control
- Symantec Protection Suite Enterprise Edition for Endpoints, Gateway and Servers, with Symantec Protection Center (1000-5000 seats; IT processes, data, networks, heterogeneous servers, desktops and laptops): manage security infrastructure; protect confidential data; integrate manual IT processes; secure mission critical servers; best-of-breed protection; virtual, physical and multi-OS; secure business communications; manage infrastructure access

Note: seat count is a recommendation, not a license limitation

Multi-layer Messaging Security: Protection at the Gateway, Mail Server, and Endpoint

- Hosted gateway security (hosted service provider): email security, IM security, email encryption
- OR on-site gateway protection (on-site web and messaging gateway): Brightmail Gateway, Web Gateway
- Groupware / collaboration protection (messaging / collaboration environment): Mail Security for Exchange, Mail Security for Domino, Premium AntiSpam
- Endpoint security (endpoints): Endpoint Protection scanning of email

Microsoft Exchange and Lotus Domino

Challenges
- Spam causes high email traffic and server overloading
- Email security takes time to manage effectively
- Controlling data sent outside the company via email

Benefits
- Block over 99% of spam, reducing admin cost
- Complete protection against malware via email

Features
- One of the world's largest threat intelligence networks: protecting over 800 million mailboxes; 11 billion+ emails processed daily
- Filters content to prevent data loss
- Appliance and hosted deployment options
- Extremely low false positive rate

Symantec Web Gateway

Challenges
- Unknown malware spreading via the web
- Cannot easily identify spyware infected computers
- Difficult controlling applications and internet usage

Benefits
- Lower infection rates
- Significantly reduced cleanup, theft and lost data costs
- Increases end user productivity

Features
- Identifies computers infected with viruses and spyware, including unknown versions
- Controls application access to the Internet
- Blocks malicious websites
- Monitors and/or blocks access to inappropriate websites

Core functional areas: botnet detection; infected client detection; application control; malware content scanning; URL filtering; malware domains and IPs. Inspects packets, IPs, URLs, files, active content, applications and behavior between client systems and the web.

Infected Client Detection: identify and prevent compromised systems from harming the organization

- Phone-home signature detection, behavioral correlation algorithm, multi-port and multi-protocol: accurately identifies bots on the network
- Automatic quarantine: limits potential damage; notifies end users of risk
- Consolidated, useful reporting: specific event information; sort by count, severity, type
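The slide names two signals for spotting a bot: a signature match on the phone-home destination, and behavioral correlation. The following is an added example written for this page; it is not Symantec Web Gateway code and does not reproduce its algorithms. It runs both checks over a few constructed proxy log lines: a lookup against a known C2 list, and a beaconing check that flags a client talking to one host at near-constant intervals. The log format, the C2 list, the thresholds and the sample lines are constructed for the example.

```python
"""Phone-home detection over proxy logs (added example, not Symantec code)."""
import statistics
from collections import defaultdict

KNOWN_C2 = {"evil-c2.example.test"}   # constructed signature list

def build_sample_log():
    """Constructed proxy log: '<epoch> <client_ip> <host> <bytes>' per line."""
    t0 = 1_320_000_000
    lines = []
    # 10.0.0.5 beacons every 300 s with a few seconds of jitter
    for i, jitter in enumerate([0, 3, -2, 4, -4, 1, -1, 2]):
        lines.append(f"{t0 + 300 * i + jitter} 10.0.0.5 cdn-metrics.example.test 612")
    # 10.0.0.7 reads one news site at human, irregular intervals
    for offset in (0, 17, 200, 945, 1010, 1300, 4000, 4020):
        lines.append(f"{t0 + offset} 10.0.0.7 news.example.test 48210")
    # 10.0.0.9 touches a known C2 domain once
    lines.append(f"{t0 + 50} 10.0.0.9 evil-c2.example.test 88")
    return lines

def parse_log(lines):
    """Yield (ts, client, host); malformed lines are skipped, not fatal."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield int(parts[0]), parts[1], parts[2].lower()
        except ValueError:
            continue

def detect(lines, min_connections=6, max_cv=0.10):
    """Return alerts sorted by client: (client, host, reason).
    A flow is a beacon when it has at least min_connections hits and the
    coefficient of variation of the inter-arrival times is below max_cv."""
    flows = defaultdict(list)
    alerts = []
    for ts, client, host in parse_log(lines):
        flows[(client, host)].append(ts)
    for (client, host), stamps in flows.items():
        if host in KNOWN_C2:
            alerts.append((client, host, "signature: known C2 domain"))
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue   # duplicate timestamps: not a timing pattern
        cv = statistics.pstdev(gaps) / mean
        if cv < max_cv:
            alerts.append((client, host,
                           f"behavior: beaconing every ~{mean:.0f}s (cv={cv:.3f})"))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

The behavioral check is the one that catches a bot whose C2 domain is not yet on any list; in practice the interval threshold should be tuned against legitimate pollers (update agents, monitoring checks) and allow-listed per destination, because those beacon too.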

Why Symantec for Web Security?

- Flexibility and choice: best in class hosted service, appliance and virtual appliance (upcoming) deployment options; extensive portfolio of complementary products; multiple buying programs
- Technology leadership: next generation, bidirectional scanning; largest, most applicable threat intelligence network; STAR developed unique signatures

Network Access Control

(Diagram: employees and non-employees, managed and unmanaged, on-site and remote devices connecting to the corporate network)

Challenges
- Keeping applications and security up to date efficiently
- Out of date security can lead to infections and significant clean-up work

Benefits
- Ensures systems comply with corporate policy with very little staff
- Reduces infections and clean-up efforts

Features
- Checks endpoint security and application settings
- Automatic remediation of configuration issues
- Self Enforcement automatically checks and fixes issues regardless of the device's current location
- Centralized policy configuration and reporting
Backup Exec System Recovery: Gets Systems and Data Back Quick

Challenges
- Quickly recovering from data loss and system failure
- Protecting servers cost-effectively from failure and damage

Benefits
- Server and desktop recovery in minutes, not hours/days
- Reduced management of backup
- Lower costs from outages and data loss

Features
- A simple, cost-effective backup solution
- System and data recovery from a single system backup
- Incremental backups reduce backup duration and impact
- Integrated off-site backup
- Central management console

Backup Exec

(Diagram: branch offices backing up to the main office)

Challenges
- Quickly recover from data loss and system failure
- Protecting applications cost-effectively from failure and damage

Features
- Backup to tape, disk, NAS
- Server application integrated agents back up at content level
- Incremental backups reduce backup duration and impact
- Integrated data de-duplication
- Powerful central management

Benefits
- Efficient backup and data restoration
- Data recovery at file, folder and application level
- Dramatically reduced storage and network impact

What is Data Loss Prevention (DLP)?

- Discover: where is your confidential data?
- Monitor: how is it being used?
- Protect: how best to prevent its loss?

Defense-In-Depth: Encryption + Data Loss Prevention

- Network DLP / gateway encryption: automatically encrypt emails containing sensitive data; notify employees in real time, in context, about encryption policies and tools
- Storage DLP / file-based encryption: discover where confidential data files are stored and automatically apply encryption; ease the burden on IT staff with near transparency to users
- Endpoint DLP / whole disk encryption: target high risk users by discovering which laptops contain sensitive data; protect AND enable the business by targeting encryption efforts at sensitive data moving to USB devices

Solutions Based on Critical Server Value

(Table, critical server value from low to high)
- Primary profile requirement: malware protection; demonstrate compliance (PCI); proactive prevention
- Platform: Windows only; multi-OS; multi-OS
- Which solution: SEP AV only; SEP with IPS; Critical System Protection Monitoring Edition; Critical System Protection; all available in Protection Suite for Servers

Symantec Critical System Protection

- Protect Windows NT 4 and 2000 systems
- Protect multi-OS environments from a single console
- Address compliance requirements for critical servers
- Protect VM host systems in virtual environments

Core Security Roadshow Italy - Nov. 10, 20

Mobile Security and Management

Challenges
- Corporate data is unprotected on mobile phones
- Mobile endpoints can pass along viruses to other systems

Features
- Automatically detects and eliminates viruses on Windows Mobile phones
- Provides both automatic and scheduled scans on handsets
- File activity monitoring
- Run handset actions remotely

Benefits
- Reduces infection cleanup and loss of company information
- Eliminates end user impacts from viruses and malware

State of Enterprise Mobility

- Market trends: personal mobile devices; diversity and dynamics; rich app platforms
- Enterprise requirements: security; email; network services; applications; regulatory compliance
- IT requirements: business enablement; long-term planning
- An enterprise mobile strategy ties these together

Mobile OS Limitations on Security and DLP

Most modern mobile OS products build security features into the OS:
- Encryption on iOS
- App sandboxing of data on iOS or WebOS
- No browser plugins on Android
- No network monitoring/control APIs on Apple, Android, etc.

Modern OS versions put end users in focus and in control:
- Only the end user can close or remove files on Apple iOS
- An Android app can be triggered remotely, but removal requires end user approval
- Application push is not supported on iOS; the end user always selects apps
- No remote access to iOS screens, i.e. no remote control or WebEx of the iPad GUI, etc.

Symantec Security and Management: Information and People

What is the right mobile strategy? One that is integrated with the overall IT strategy.

Components of Mobile Strategy: Mobile as a true end-point

- Policy management: security and compliance; application management; configuration management
- Secure access: strong authentication; complete PKI/OTP lifecycle; authentication for apps
- Information protection: DLP and web security; data encryption; threat protection
- Enterprise integration: endpoint management; security infrastructure; business processes

Mobile Device Management and Security: Comprehensive, Integrated and Future-proof

The same four components: policy management (security and compliance, application management, configuration management); secure access (strong authentication, complete PKI/OTP lifecycle, authentication for apps); information protection (DLP and web security, data encryption, anti-threat); enterprise integration (endpoint management, security infrastructure, business processes).

1. Policy Management

Key features
- Security settings and compliance: passwords, lock and wipe (complete and selective), restrictions; access based on device status (encryption, jailbreak, apps)
- Application management: enterprise AppStore for internal apps and app recommendations; visibility on app status
- Configuration management: enterprise enrollment (email, VPN and Wi-Fi); certificate distribution and on-device binding

Key benefits
- Allow end-user devices
- Manage personal and corporate data separately
- Achieve regulatory and corporate compliance
- Mobilize enterprise apps
- Enable large deployments

(Screenshots of Symantec Mobile Security and Management: Symantec on the iPad; Enterprise Enrollment; Enterprise AppStore; Mobile Management iOS Agent Configuration Policies; iOS Enterprise App Store Channel Content List; iOS Enterprise App Store Editing Channel Contents; Viewing iOS Device Data)

2. Secure Access

Key features
- Strong authentication to enterprise resources: Managed PKI for secure email and network authentication; OTP soft-tokens for protecting the front door
- Certificate lifecycle management: create, deploy, bind, access, update, revoke; enrollment options with on-prem or cloud services
- Embedded credential for applications: SDK for app developers, B2B and B2C use-cases

Key benefits
- Comply with network security requirements
- Eliminate hassles around managing PKI infrastructure
- Solve common PKI issues with simplified activation and auto-binding
- Use mobile devices as authentication tokens
- Solve Active Directory password expiration issues on devices

(Screenshots: Strong Authentication; Secure Remote Access)

3. Information Protection
Key Features
- DLP and web security: monitor and prevent data flow over email and web; application and removable media access control
- Data encryption: end-to-end email encryption; full device encryption management
- Threat protection: anti-malware, SMS spam protection, firewall
Key Benefits
- Comprehensive visibility and protection
- Reduce data leakage risks from mobile
- Comply with regulatory requirements
- Address growing mobile threats
94

Windows Mobile, Android, Symbian
95

4. Enterprise Integration
Key Features
- Asset and systems management: PCs + servers + Macs + iPads + iPhones + Androids + Windows Phone 7 + WebOS; analytical reports with data on devices, users and apps
- Security infrastructure: certificate authorities, directories, firewalls; integrates with Symantec Management Platform
- Business processes: service desk with role-based access control; integrates with Symantec Workflow
Key Benefits
- Unified endpoint management
- Integrate with existing security investments
- Eliminate need for point solutions and special training
- Solution with proven scalability
- Enable mobility without compromises
96

Integrated Architecture
- Intelligence: Analyze
- Automation: Workflows
- Suites & Solutions: Client Management Suite from Symantec; Patch Management Solution from Symantec; Symantec Endpoint Virtualization Suite; Inventory Solution from Symantec; Symantec Endpoint Protection; Symantec Backup Exec System Recovery
- Collect, Connect, Manage
- Server: Multi-tenancy; Roles-based Access; Groups/Org Units; Alerts/Notifications
97

Sand-box Architecture (value-prop: replace functionality)
- Email sync
- Encryption
- Personal-corporate data separation
- Limitations: boxed and proprietary
- Manages one app
- Dependent on the box to allow other apps and improvements
- Device specific: each OS and its updates

Symantec Architecture (value-prop: leverage and extend)
- Sync is native to the device; focus on security and management
- Device encryption is native; focus on enforcement
- Same effect with selective wipe
- Manages the complete device
- Enables enterprise apps
- Client and client-less architectures allow new device support from day 1
98

Why Symantec for Mobile
We go beyond the basics: basic mobile device management is table stakes.
- Policy Management (table stakes): Security & Compliance; Application Management; Configuration Management
- Secure Access (Symantec advantage): Strong authentication; PKI/OTP lifecycle management; Authentication for apps
- Information Protection (Symantec advantage): DLP & Web Security; Data Encryption; Anti-Threat
- Enterprise Integration (Symantec advantage): Endpoint Management; Security Infrastructure; Business Processes
99

Symantec's Mobile Solutions
Across consumer, enterprise and service provider

Consumer
- Consumer clients
- Specific to device, OS
- Content security: Norton Everywhere
- Deployed on consumer phones and tablets

Service Provider
- Network focus
- Multi-service
- Symantec Global Intelligence Network integration
- Deployed at the network layer

Enterprise
- Enterprise management & security
- Multi-OS, multi-device
- On-device and private-cloud based solution
- Corporate controls, productivity controls and content security
- Deployed on premise or cloud
100

Symantec: Mobile business enablement
- Comprehensive mobility management: device security & management, secure access, information protection
- Unified management across all endpoints: PCs, servers, Macs, iPads, iPhones, Androids, Windows Phone 7, WebOS
- Future-proof architecture to meet mobile adoption needs
- Market-leading products in enterprise security
101

Symantec's Feature List
- Device Mgmt (Mobile Management 7.0): Password Controls; Remote Wipe; Encryption/Management; Asset Inventory; Configuration Mgmt & Feature Controls; App Management/Distrib.; Remote Assistance
- Device Security (SEP Mobile): Anti-Virus w/ LiveUpdate; App Control; SMS Anti-Spam; Stateful Firewall
- Content Security (PGP Mobile): Encryption/Management
- Identity & Access: Soft tokens/OTP (VeriSign VIP); PKI for Mobile (VeriSign PKI Service); NAC (SNAC Mobile)
- Compliance Management (Mobile Mgmt 7.0)
- Next Gen Network Protection (NGNP): Communication Logging; Policy based filtering
Legend: Symantec's current capability / Symantec's short-term roadmap
102

Useful links
Symantec Response Blogs
http://www.symantec.com/business/security_response/weblog/index.jsp
Symantec Insight
http://www.symantec.com/business/theme.jsp?themeid=insight
SEP 12 Beta
http://go.symantec.com/sep12beta
Symantec Mobile Solutions
http://www.symantec.com/business/theme.jsp?themeid=mobile-securitymanagement
103

Q&A

104

Thank you!
Gunnar Kr Kopperud
Principal Security Engineer
48018908 gkopperud@symantec.com
Copyright 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in
the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied,
are disclaimed to the maximum extent allowed by law. Any forward-looking indication of plans for products is preliminary and all future releases are tentative and are subject to
change. Any future product release or planned modifications to product capability, functionality, or features are subject to ongoing evaluation by Symantec, and may or may not be
implemented and should not be considered firm commitments by Symantec and should not be relied upon in making purchasing decisions. The information in this document is
subject to change without notice.

105

Appendix:
Symantec Network Access Control 12.1

Symantec Endpoint Protection 12.1

106

Symantec Network Access Control
NAC is a process that creates a much more secure network.
Checks adherence to endpoint security policies:
- Antivirus installed and current?
- Firewall installed and running?
- Required patches and service packs?
- Required configuration?
Fixes configuration problems
Controls guest access
Network Access Control puts you in control of what attaches to your network.
Symantec Endpoint Protection 12.1
107
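As an added example (not Symantec's code, and not how the SEP client implements host integrity), the following Python sketches the host-integrity evaluation the slide describes: each question on the slide becomes a check, failures the agent can correct on the endpoint itself lead to remediation and a re-check, and anything else keeps the endpoint quarantined. The host names, patch identifiers, definition-age threshold and sample postures are constructed assumptions.

```python
# Added example, not Symantec's code: a small host-integrity evaluator of the
# kind a NAC agent runs before an endpoint is admitted. Policy thresholds,
# field names and the sample endpoints below are constructed for illustration.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Posture:
    host: str
    av_installed: bool
    av_definitions: Optional[date]   # date of newest signature set, None if unknown
    firewall_installed: bool
    firewall_running: bool
    installed_patches: Tuple[str, ...]
    config_ok: bool                  # required configuration present (screen lock, etc.)


@dataclass(frozen=True)
class Policy:
    max_definition_age_days: int
    required_patches: Tuple[str, ...]


# Findings the agent can correct on the endpoint itself ("fixes configuration
# problems"); anything else keeps the host in quarantine until fixed out of band.
SELF_REMEDIABLE = {"definitions_stale", "firewall_stopped", "config_drift"}


def check(posture: Posture, policy: Policy, today: date) -> List[str]:
    """Return the failed host-integrity requirements; an empty list means compliant."""
    failures: List[str] = []
    # Antivirus installed and current?
    if not posture.av_installed:
        failures.append("av_missing")
    elif (posture.av_definitions is None
          or (today - posture.av_definitions).days > policy.max_definition_age_days):
        failures.append("definitions_stale")
    # Firewall installed and running?
    if not posture.firewall_installed:
        failures.append("firewall_missing")
    elif not posture.firewall_running:
        failures.append("firewall_stopped")
    # Required patches and service packs?
    for kb in policy.required_patches:
        if kb not in posture.installed_patches:
            failures.append("patch_missing:" + kb)
    # Required configuration?
    if not posture.config_ok:
        failures.append("config_drift")
    return failures


def decide(failures: List[str]) -> str:
    """Map failures to the NAC action: allow, remediate on-host (then re-check), or quarantine."""
    if not failures:
        return "allow"
    if all(f in SELF_REMEDIABLE for f in failures):
        return "remediate"
    return "quarantine"


def evaluate(posture: Posture, policy: Policy, today: date) -> Dict[str, object]:
    failures = check(posture, policy, today)
    return {"host": posture.host, "failures": failures, "action": decide(failures)}


# Constructed sample endpoints and policy (hypothetical hosts and patch IDs).
TODAY = date(2011, 6, 1)
POLICY = Policy(max_definition_age_days=3, required_patches=("KB-A", "KB-B"))
SAMPLES = (
    Posture("laptop-01", True, date(2011, 5, 31), True, True, ("KB-A", "KB-B"), True),
    Posture("laptop-02", True, date(2011, 5, 20), True, False, ("KB-A", "KB-B"), True),
    Posture("laptop-03", True, date(2011, 6, 1), True, True, ("KB-A",), True),
    Posture("guest-01", False, None, False, False, (), False),
)


def run_samples() -> Dict[str, str]:
    """Action per sample host, e.g. {'laptop-01': 'allow', ...}."""
    return {p.host: evaluate(p, POLICY, TODAY)["action"] for p in SAMPLES}


if __name__ == "__main__":
    for p in SAMPLES:
        print(evaluate(p, POLICY, TODAY))
```

In phase 1 this verdict is enforced by the SEP client itself (self-enforcement); in phases 2 and 3 the same verdict is what a gateway, 802.1X or DHCP Enforcer acts on. Note that a stopped firewall or stale definitions are treated as fixable on the spot, while a missing patch or missing product is not, so the host stays quarantined until an administrator or patch system corrects it.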

What to Control with Each Phase

Phase 1: Endpoint Lockdown
- Managed endpoints: self-enforced with the SEP client; company-owned laptops and desktops
- Unmanaged endpoints: N/A

Phase 2: Network Lockdown (partial)
- Managed endpoints: ingress control (wireless, VPN, key subnets); use Enforcer
- Unmanaged endpoints: ingress control (wireless, VPN, key subnets); use Enforcer

Phase 3: Network Lockdown (complete)
- Managed endpoints: complete access control for LAN and remote endpoints
- Unmanaged endpoints: complete access control for remote and LAN guests
108

What Type of Enforcement to Use with Each Phase

Phase 1: Endpoint Lockdown
- Managed endpoints: self-enforcement
- Unmanaged endpoints: N/A

Phase 2: Network Lockdown (partial)
- Managed endpoints: gateway enforcement
- Unmanaged endpoints: gateway enforcement

Phase 3: Network Lockdown (complete)
- Managed endpoints: LAN (802.1X) and DHCP enforcement
- Unmanaged endpoints: LAN (802.1X), DHCP and gateway enforcement

Start with SEP enforcement, then move to network-based enforcement.
109

Defenses Against Targeted Attacks
- Advanced Reputation Security: detect and block new and unknown threats based on reputation and ranking
- Host Intrusion Prevention: implement host lock-down as a means of hardening against malware infiltration
- Removable Media Device Control: restrict removable devices and functions to prevent malware infection
- Email & Web Gateway Filtering: scan and monitor inbound/outbound email and web traffic and block accordingly
- Data Loss Prevention: discover data spills of confidential information that are targeted by attackers
- Encryption: create and enforce security policy so all confidential information is encrypted
- Network Threat and Vulnerability Monitoring: monitor for network intrusions, propagation attempts and other suspicious traffic patterns
110

Defenses Against Hide and Seek (Zero-Days & Rootkits)
- Advanced Reputation Security: detect and block new and unknown threats based on reputation and ranking
- Security Incident and Event Management: detect and correlate suspicious patterns of behavior
- Network Threat and Vulnerability Monitoring: leverage external services to monitor and correlate security events
- Vulnerability Assessment: ensure network devices, OS, databases and web application systems are properly configured; determine whether or not a vulnerability is truly exploitable
- Host Intrusion Prevention: implement host lock-down as a means of hardening against malware infiltration
111

Defenses Against Social Engineering
- Web Gateway Security: scan all potentially malicious downloads regardless of how the download is initiated; prevent users from being redirected to malicious websites
- Data Loss Prevention: discover concentrations of confidential information downloaded to an employee's PC
- Network and Host Based Intrusion Prevention: monitor and protect critical systems from exploitation; protect against misleading applications like fake antivirus; prevent drive-by download web attacks
- Strong Authentication: two-factor authentication to protect against socially engineered password theft
- Security Awareness Training: ensure employees become the first line of defense
112

Defenses Against Mobile Threats
- Device Management: remotely wipe devices in case of theft or loss; update devices with applications as needed without physical access; get visibility and control of devices, users and applications
- Device Security: guard mobile devices against malware and spam; prevent the device from becoming a vulnerability
- Content Security: identify confidential data on mobile devices; encrypt mobile devices to prevent lost devices from turning into lost confidential data
- Identity and Access: strong authentication and authorization for access to enterprise applications and resources; allow access to the right resources from the right devices with the right postures
113
