Threat Landscape: what has changed
- Targeted and rapidly mutating attacks
- Virtualization has become the rule
- Social networks and socially engineered attacks
- Increased cost of incidents
Threat Landscape: who is being attacked
Small businesses, end users, governments and enterprises, through:
- Targeted attacks
- Bank account theft
- ID theft
- Cyber sabotage
- Data breaches
- End-user disruption
- DDoS attacks
- Removal (clean-up) costs
- Hacktivism
Threat Landscape: 2010 explosion of threats
- 10M signatures
- 286M malware variants
- 3.1B malware attacks
Threat Landscape: what do they do?
- Steal resources: send spam, take part in a DDoS attack (example: Rustock)
- Steal information (example: Zeus)
- Extort money (example: Rogue AV)
- Destroy: hacktivism, cyber-sabotage (example: Stuxnet)
The Problem
Threat Landscape: trends that will change the threat landscape
The signature model (one signature per variant: Trojan.x, Trojan.y, Trojan.z, Trojan.v ...) does not keep pace as endpoints move from physical desktops and servers to phones/tablets, cloud and virtual machines. Reputation is the proposed complement to signatures.
Threat Summary
Malware continues to be a threat to business, government and consumers.
Social engineering has spread to every form of on-line interaction users have, with the ultimate goal of stealing resources, information and money.
Threat Landscape: mobile threats
Most mobile malware are Trojans posing as legitimate apps.
Mobile vulnerabilities reported: 115 in 2009, 163 in 2010.
From a mass-distribution model: one worm hits millions of PCs (Storm made its way onto millions of machines across the globe).
To a micro-distribution model: a hacked web site builds a Trojan for each visitor (the average Harakit variant is distributed to 1.6 users).
Insight: if we track every file on the internet ...
- Where is it from? Is the source associated with infections?
- Have other users reported infections?
- Is the file associated with files that are linked to infections?
- Does the file look similar to malware?
- How old is the file?
- How will this file behave if executed? What rights are required?
Only malware mutates rapidly: new or mutated files will stick out, and Insight spots rapidly changing and mutated files.
The Problem
Figure: good files and bad files plotted by prevalence. Blacklisting works well for the few bad files that are widespread; whitelisting works well for the widely used good files. The long tail of low-prevalence files is covered by neither.
Insight
Because the context of a file is as telling as its content.
Reputation combines the answers (what rights are required? how will the file behave if executed? is it associated with files linked to infections? does it look similar to malware? how old is it?) with prevalence (low or high) and age (new or old) into a rating from BAD to GOOD.
Insight at scale
- Rate nearly every file on the internet: 2.5 billion files
- Build a collection network: 175 million PCs
- Check the database during scans: is it new? bad reputation? prevalence?
Symantec Endpoint Protection 12.1
Insight provides actionable data: age, source, behavior, associations.
Built for virtualization.
Components: Antivirus, Antispyware, Firewall, Intrusion Prevention, Network Access Control (Symantec Endpoint Protection and Symantec Network Access Control).
Reduced cost, complexity and risk exposure.
What's New
Unrivaled security: powered by Insight; real-time behavior monitoring with SONAR.
Blazing performance: up to 70% reduction in scan overhead; smarter updates; faster management.
Layered protection
- Network IPS, browser protection and firewall
- Insight lookup (reputation on 2.5 billion files, adding 31 million per week)
- Heuristics and signature scan
- Real-time behavioral: SONAR
File Scanning
Heuristics and signature scan: cloud and local signatures; new, improved update mechanism.
SONAR
Real-time behavioral protection alongside file-based protection (signatures/heuristics).
- Monitors processes and threads as they execute
- Rates behaviors
- Feeds Insight
Why Insight?
Unrivaled security and blazing performance.
Insight is not a replacement technology: it makes our other technologies more powerful.
Download Insight
Download Insight checks the reputation of binaries being downloaded and blocks them if they are rated Bad.
It scans files when they are downloaded through what we term a portal application (e.g. Firefox, Internet Explorer).
SymProtect
- Protects the product's own processes, registry and files from tampering
- Security Response-authored infection flow
Improved IPS
A group of layered security engines aimed at stopping malware from getting onto user systems over the network:
- Network Intercept
- Browser Intercept (Canary): browser protection against heavily obfuscated attacks; intercepts browser script API calls
- System Intercept (UXP): generic, signature-less exploit protection for browsers against 0-day attacks; intercepts system API calls
- Disk
Improved logging.
Upgraded default policies, tuned for today's threat landscape.
Figure: where each engine acts, from network/browsing to execute
- Network Threat Protection: Firewall, Browser Protection (UXP), Download Insight
- AV/AS: AutoProtect, Bloodhound heuristics, reputation-backed heuristics, Insight lookup
- SONAR (execute): behavioural heuristics, system change detection, suspicious behaviour detection
- Insight underpins all three
Figure: Traditional Scanning (chart; axis values not recoverable).
Reputation-based application policy by group

Group         Policy
Finance Dept  Only software with at least 10,000 users and over 2 months old.
Help Desk     Can install medium-reputation software with at least 100 other users.
Developers    No restrictions, but machines must comply with access control policies.
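The Python below is an added example, not code from the deck or from Symantec. It models the rating the Insight slides describe (prevalence, age, source, association with infected files, similarity to malware) and applies the three group policies stated above for Finance Dept, Help Desk and Developers. It also shows where the earlier prevalence slide's two regimes land: a widespread known-bad file falls to the blacklist path for every group, an old ubiquitous file clears every policy, and the low-prevalence tail is where the per-group thresholds do the work. The group thresholds are the slide's; how a rating is derived from the signals, the field names, the hashes and the sample files are assumptions made for this example.

```python
"""Reputation-gated application policy, modelled on the Insight slides.

Added example, not Symantec code. Per-group thresholds come from the deck
(Finance: >= 10,000 users and > 2 months old; Help Desk: medium reputation
with >= 100 other users; Developers: no reputation floor, but the machine
must comply with access control policy). The rating rules, field names and
sample files are assumptions made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Rating(Enum):
    BAD = 0      # blacklist path: blocked everywhere
    LOW = 1      # new or rare file: it "sticks out"
    MEDIUM = 2
    HIGH = 3     # whitelist path: old and widely used


@dataclass(frozen=True)
class FileContext:
    """Context kept for a file (fields assumed for the example)."""
    sha256: str
    prevalence: int            # users in the collection network who have the file
    age_days: int              # days since the file was first seen
    source_infected: bool      # download source associated with infections?
    linked_to_bad_files: bool  # associated with files linked to infections?
    looks_like_malware: bool   # heuristic similarity to known malware


def rate(ctx: FileContext) -> Rating:
    """Turn context into a reputation rating.

    Any link to known-bad material outranks prevalence: a widespread file that
    drops malware is still BAD. Otherwise prevalence and age decide, using the
    same thresholds the group policies are written against.
    """
    if ctx.source_infected or ctx.linked_to_bad_files or ctx.looks_like_malware:
        return Rating.BAD
    if ctx.prevalence >= 10_000 and ctx.age_days > 60:
        return Rating.HIGH
    if ctx.prevalence >= 100:
        return Rating.MEDIUM
    return Rating.LOW


@dataclass(frozen=True)
class GroupPolicy:
    name: str
    min_rating: Rating         # lowest rating the group may install
    require_nac: bool = False  # Developers: no floor, but host must be NAC-compliant


POLICIES = {
    "finance": GroupPolicy("Finance Dept", Rating.HIGH),
    "helpdesk": GroupPolicy("Help Desk", Rating.MEDIUM),
    "developers": GroupPolicy("Developers", Rating.LOW, require_nac=True),
}


def decide(group: str, ctx: FileContext, nac_compliant: bool = True) -> tuple[bool, str]:
    """Allow or block an install for a group; the reason is what the admin sees."""
    policy = POLICIES[group]
    rating = rate(ctx)
    if rating is Rating.BAD:
        return False, f"{policy.name}: blocked, file rated BAD"
    if policy.require_nac and not nac_compliant:
        return False, f"{policy.name}: blocked, host fails access control policy"
    if rating.value < policy.min_rating.value:
        return False, (f"{policy.name}: blocked, reputation {rating.name} "
                       f"below required {policy.min_rating.name}")
    return True, f"{policy.name}: allowed, reputation {rating.name}"


# Constructed sample files; the hashes are placeholders, not real file hashes.
SAMPLES = {
    "office_suite": FileContext("11" * 32, 2_500_000, 900, False, False, False),  # old, ubiquitous
    "niche_tool": FileContext("22" * 32, 350, 120, False, False, False),          # legitimate, rare
    "fresh_build": FileContext("33" * 32, 3, 0, False, False, False),             # built this morning
    "dropper": FileContext("44" * 32, 80_000, 400, True, True, False),            # widespread, known bad
}


def evaluate_all() -> dict[tuple[str, str], bool]:
    """Decision matrix: (group, sample) -> allowed."""
    return {(g, s): decide(g, ctx)[0] for g in POLICIES for s, ctx in SAMPLES.items()}


if __name__ == "__main__":
    for (g, s), allowed in sorted(evaluate_all().items()):
        print(f"{'ALLOW' if allowed else 'BLOCK'}  {decide(g, SAMPLES[s])[1]}  [{s}]")
```

The check order matters: the BAD rating is evaluated before any group's floor, so no policy, not even the unrestricted Developers group, can admit a file linked to infections; the NAC condition then gates Developers independently of reputation.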
The Problem: virtualization adoption
- VDI growth
- AV, IPS and proactive detection growth
Built for virtualization
- Shared scan cache: a file found clean by one virtual client need not be rescanned by the others on the hypervisor
- Virtual Image Exception: used on cloned images; excludes the base image's files from scanning; reduces scan impact
- Resource Leveling: identifies the hypervisor; sets group-specific policy; search for virtual clients
Dashboards
- Overview of clients by version
- Summary of threat categorization and action taken for a period of time
- Summary of virus and IPS signature distribution

SEP Reporting
Tactical view of frontline endpoint defenses: current view of events and the state of SEP clients.

IT Analytics
Evolving infrastructure: prioritization challenges
- More sophisticated external attacks
- Information explosion: prioritize what data to protect
- Changing compliance requirements
Completely Protect the Enterprise
- Develop and enforce IT policy
- Protect infrastructure
- Protect information
- Protect identities
- Manage systems
Centrally view and manage; leverage local and global intelligence (events listed by Name, Severity, Type, Count).
Worldwide coverage
Calgary, Alberta; San Francisco, CA; Mountain View, CA; Culver City, CA; Austin, TX; Dublin, Ireland; Tokyo, Japan; Chengdu, China; Taipei, Taiwan; Chennai, India; Pune, India.
Rapid detection:
- Attack activity: 240,000+ sensors in 200+ countries and territories
- Malware intelligence
- Vulnerabilities: 35,000+ vulnerabilities, 11,000 vendors, 80,000 technologies
- Spam/phishing: 5M decoy accounts, 8B+ email messages/day, 1B+ web requests/day
Information Protection: Symantec Protection Center
- Focus IT on business-critical tasks
- Create event context
- Prioritized response: intelligence, priority, action
- Dashboard
- Single sign-on
Feature comparison: SEP.cloud (5-99 seats) versus SEP 12.1 (5-99 seats and 100+ seats)
Rows compared (which product has which feature is not recoverable from the slide):
- Antivirus/Antispyware
- Desktop Firewall
- Intrusion Detection/Prevention
- Insight / SONAR
- Protection for Mac OS X
- Protection for Linux
- Device and Application Control
- Network Access Control Self-Enforcement ready
- Symantec Hosted Infrastructure
- Built for Virtual Environments
Information- and identity-centric security
- Authenticate identities
- Manage systems (IT Management Suite)
- Secure infrastructure: protect email and web; secure endpoints and harden critical servers; back up and recover data
Symantec Protection Suite family by size

< 50 seats: Symantec Protection Suite Small Business Edition
- Cost-conscious, more than AV
- Desktop backup and recovery
- Spam and phishing protection

50-100 seats: Symantec Protection Suite Advanced Business Edition
- All-in-one: Small Business Edition, plus:
- Data loss prevention technologies
- Spam protection at the gateway
- Server backup and recovery*
- Backs up servers, desktops and laptops

100-1000 seats: Symantec Protection Suite Enterprise Edition
- More than AV: best-of-breed protection; virtual, physical and multi-OS
- Secure mission-critical servers, gateway servers, networks, heterogeneous servers, desktops and laptops
- Secure business communications: spam and phishing protection at gateway and server
- Protect confidential data: data loss prevention
- Manage security infrastructure and infrastructure access: network access control, enhanced perimeter protection
- Integrate manual IT processes
- Desktop backup/recovery

1000-5000 seats: Symantec Protection Suite family
Protection Suite components
- Email security: on-site gateway protection (Brightmail Gateway) or groupware/collaboration protection; Endpoint Protection scanning of email; IM security; email encryption
- Web security: Web Gateway
- Endpoint security: Endpoint Protection
- Network Access Control
- Desktop backup
- Server backup
- Mobile security
- Centralized management
Email security
Challenges
- Spam causes high email traffic and server overloading
- Email security takes time to manage effectively
- Controlling data sent outside the company via email
Features
- One of the world's largest threat intelligence networks
- Protecting over 800 million mailboxes
- 11 billion+ emails processed daily
Benefits
- Block over 99% of spam, reducing admin cost
- Complete protection against malware via email
Web security (Web Gateway)
Features
- Botnet detection
- Infected client detection
- Application control
- Malware content scanning
- URL filtering
- Malware domains and IPs
- Centralized management
Benefits
- Lower infection rates
- Significantly reduced cleanup, theft and lost-data costs
- Increases end-user productivity
Botnet detection
- Phone-home signature detection
- Behavioral correlation algorithm
- Multi-port, multi-protocol
- Accurately identifies bots on the network
- Automatic quarantine limits potential damage
- Notifies end users of risk
- Consolidated, useful reporting: specific event information, sortable by count, severity and type
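The botnet-detection bullets above name three mechanisms without describing them. The Python below is an added example, not Symantec Web Gateway code; it shows one reading of each over a constructed flow log: a phone-home signature match against an indicator list, a behavioural correlation that flags near-constant inter-arrival times (the periodic beacon that separates a bot from a browsing user), and a multi-port/multi-protocol check against a single destination, with the results sorted by severity and count and the quarantine candidates derived from them. The log format, the indicator list, the thresholds and the addresses (RFC 5737 documentation ranges) are all assumptions made for this example.

```python
"""Bot phone-home detection over constructed flow records.

Added example, not Symantec Web Gateway code. The deck names "phone-home
signature detection", a "behavioral correlation algorithm" and "multi-port,
multi-protocol" detection without describing them; the three checks below
are one reading of those labels. Log format, indicator list, thresholds and
addresses (RFC 5737 documentation ranges) are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow log: "<utc timestamp> <src> <dst>:<port> <proto>".
# 10.1.2.7 checks in with 203.0.113.9 about once a minute over two ports and
# two protocols; 10.1.2.8 is an ordinary user browsing a few web servers.
FLOWS = """\
2011-06-01T10:00:00Z 10.1.2.7 203.0.113.9:443 tcp
2011-06-01T10:01:01Z 10.1.2.7 203.0.113.9:443 tcp
2011-06-01T10:02:00Z 10.1.2.7 203.0.113.9:8080 tcp
2011-06-01T10:03:02Z 10.1.2.7 203.0.113.9:443 tcp
2011-06-01T10:04:00Z 10.1.2.7 203.0.113.9:8080 udp
2011-06-01T10:05:01Z 10.1.2.7 203.0.113.9:443 tcp
2011-06-01T10:00:11Z 10.1.2.8 198.51.100.20:443 tcp
2011-06-01T10:00:13Z 10.1.2.8 198.51.100.21:443 tcp
2011-06-01T10:07:40Z 10.1.2.8 198.51.100.20:443 tcp
2011-06-01T10:31:05Z 10.1.2.8 198.51.100.22:80 tcp
2011-06-01T10:31:06Z 10.1.2.8 198.51.100.22:80 tcp
"""

KNOWN_C2 = {"203.0.113.9"}  # hypothetical phone-home indicator feed

BEACON_MIN_FLOWS = 5    # fewer connections give no usable interval statistics
BEACON_MAX_CV = 0.15    # stdev/mean of inter-arrival times; bots are regular, people are not
MULTI_CHANNEL_MIN = 2   # distinct (port, protocol) pairs to one destination

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def parse(log):
    """Yield (timestamp, src, dst, port, proto) per non-empty line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst_port, proto = line.split()
        dst, port = dst_port.rsplit(":", 1)
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port), proto


def detect(log):
    """Return alerts as (src, dst, type, severity, count), most severe and most frequent first."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, proto in parse(log):
        by_pair[(src, dst)].append((ts, port, proto))

    alerts = []
    for (src, dst), events in by_pair.items():
        count = len(events)
        # 1. Signature: destination is a known phone-home address.
        if dst in KNOWN_C2:
            alerts.append((src, dst, "phone-home signature", "high", count))
        # 2. Behavioural correlation: near-constant time between connections.
        if count >= BEACON_MIN_FLOWS:
            times = sorted(t for t, _, _ in events)
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            avg = mean(gaps)
            if avg > 0 and pstdev(gaps) / avg <= BEACON_MAX_CV:
                alerts.append((src, dst, f"periodic beacon (~{avg:.0f}s)", "medium", count))
        # 3. Same destination reached over several ports/protocols.
        if len({(p, pr) for _, p, pr in events}) >= MULTI_CHANNEL_MIN:
            alerts.append((src, dst, "multi-port/multi-protocol", "low", count))

    return sorted(alerts, key=lambda a: (SEVERITY_ORDER[a[3]], -a[4], a[2]))


def quarantine_candidates(log):
    """Sources with a high- or medium-severity alert: the hosts to isolate and notify."""
    return sorted({a[0] for a in detect(log) if a[3] in ("high", "medium")})


if __name__ == "__main__":
    for src, dst, kind, sev, n in detect(FLOWS):
        print(f"{sev:6} {src} -> {dst}  {kind} ({n} flows)")
    print("quarantine:", quarantine_candidates(FLOWS))
```

On the constructed log only 10.1.2.7 is flagged: it matches the indicator, its inter-arrival times cluster tightly around 60 seconds, and it reaches the same host over 443/tcp, 8080/tcp and 8080/udp. The browsing host never accumulates enough connections to one destination for the interval statistic, which is why the beacon check needs a minimum sample size before it is trusted. The multi-channel check alone is kept at low severity: legitimate services also use several ports.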
Flexibility and choice; technology leadership.
Network Access Control
Figure: corporate network with email security and web security; endpoints of employees and non-employees, managed and unmanaged, on-site and remote.
Challenges
- Keeping applications and security up to date efficiently
- Out-of-date security can lead to infections and significant clean-up work
Benefits
- Ensures systems comply with corporate policy with very little staff
- Reduces infections and clean-up efforts
Features
- Checks endpoint security and application settings
- Automatic remediation of configuration issues
- Self-Enforcement automatically checks and fixes issues regardless of the device's current location
- Centralized policy configuration and reporting
Desktop and server backup
Challenges
- Quickly recovering from data loss and system failure
- Protecting servers cost-effectively from failure and damage
Benefits
- Server and desktop recovery in minutes, not hours/days
- Reduced management of backup
- Lower costs from outages and data loss
Features
- A simple, cost-effective backup solution
- System and data recovery from a single system backup
- Incremental backups reduce backup duration and impact
- Integrated off-site backup
- Central management console
Backup Exec
Figure: main office and branch offices backed up centrally.
Features
- Backup to tape, disk, NAS
- Server application-integrated agents back up at content level
- Incremental backups reduce backup duration and impact
- Integrated data de-duplication
- Powerful central management
Benefits
- Efficient backup and data restoration
- Data recovery at file, folder and application level
- Dramatically reduced storage and network impact
Data loss prevention
- Discover: where is it?
- Monitor: how is it being used?
- Protect: how best to prevent its loss?

Which solution? Primary profile requirement, from low to high:
- Malware protection, Windows only: SEP AV only
- Malware protection, multi-OS
- Demonstrate compliance (PCI), multi-OS
- Proactive prevention
Also: protect Windows NT 4 and 2000 systems; address compliance requirements for critical servers.
Mobile security
Features
- Automatically detects and eliminates viruses on Windows Mobile phones
- Provides both automatic and scheduled scans on handsets
- File activity monitoring
- Run handset actions remotely
Benefits
- Reduces infection cleanup and loss of company information
- Eliminates end-user impacts from viruses and malware
Enterprise mobility: market trends
- Personal mobile devices: diversity and dynamics
- Enterprise requirements: security, email, network services, applications, regulatory compliance
- IT requirements: business enablement, long-term planning, mobile strategy
Encryption on iOS
App sandboxing of data on iOS or WebOS
No browser plugins on Android
No network monitoring/control APIs on Apple, Android, etc.
Mobility framework
- Policy management
- Secure access: strong authentication; complete PKI/OTP lifecycle; authentication for apps
- Information protection
- Enterprise integration: endpoint management, security infrastructure, business processes
1. Policy Management
Key features
- Security settings and compliance: passwords, lock and wipe (complete and selective), restrictions
- Access based on device status (encryption, jailbreak, apps)
- Application management: enterprise AppStore for internal apps and app recommendations
- Configuration management: enterprise enrollment (email, VPN and Wi-Fi); certificate distribution and on-device binding
Key benefits
- Allow end-user devices
- Manage personal and corporate data separately
Screenshots: Enterprise Enrollment; Enterprise AppStore; Mobile Management: iOS agent configuration policies; iOS Enterprise App Store channel content list; iOS Enterprise App Store editing channel contents.
2. Secure Access
Key features
- Strong authentication to enterprise resources
- Managed PKI: secure email and network authentication
- OTP: soft tokens for protecting the front door
Key benefits
- Comply with network security requirements
Screenshot: Strong Authentication.
3. Information Protection
Key features
- DLP and web security: monitor and prevent data flow over email and web; application and removable media access control
- Data encryption: end-to-end email encryption; full device encryption management
- Threat protection: anti-malware, SMS spam protection, firewall (Windows Mobile, Android, Symbian)
Key benefits
- Comprehensive visibility and protection
- Reduce data leakage risks from mobile
4. Enterprise Integration
Key features
- Asset and systems management: PCs + servers + Macs + iPads + iPhones + Androids + Windows Phone 7 + WebOS; analytical reports with data on devices, users and apps
- Security infrastructure: certificate authorities, directories, firewalls; integrates with Symantec Management Platform
- Business processes: service desk with role-based access control; integrates with Symantec Workflow
Key benefits
- Unified endpoint management
- Integrate with existing security investments
- Eliminate the need for point solutions and special training
- Solution with proven scalability
Integrated architecture
Figure: management server (multi-tenancy, roles-based access, groups/org units, alerts/notifications) with collect, connect, analyze and manage stages; intelligence, automation and workflows; suites and solutions such as Client Management Suite from Symantec.
Sandbox architecture: value proposition is to replace functionality (email sync, encryption, personal/corporate data separation).
Symantec architecture: value proposition is to leverage and extend. Sync is native to the device, so focus on security and management; device encryption is native, so focus on enforcement.
Symantec advantage across the framework
- Policy management: application management, configuration management
- Secure access: strong authentication; PKI/OTP lifecycle management; authentication for apps
- Information protection: DLP and web security; data encryption; anti-threat
- Enterprise integration: endpoint management, security infrastructure, business processes
Market positioning
- Service provider: network focus; multi-service
- Enterprise: enterprise management and security; multi-OS, multi-device
- Consumer clients: specific to device and OS; content security; Norton Everywhere deployed on consumer phones and tablets
Symantec: mobile business enablement; comprehensive mobility management (device security and management, secure access, information protection).
Symantec mobile portfolio

Area                         Product                              Capabilities
Device Security              SEP Mobile                           Anti-virus with LiveUpdate, app control, SMS anti-spam, stateful firewall
Content Security             PGP Mobile                           Encryption/management
Device Management            Mobile Mgmt 7.0                      Password controls, remote wipe, asset inventory, configuration mgmt and feature controls, app management/distribution, remote assistance
Identity & Access            VeriSign VIP, VeriSign PKI Service   Soft tokens/OTP, PKI for mobile
NAC                          SNAC Mobile                          Compliance management
Next Gen Network Protection  NGNP                                 Communication logging, policy-based filtering
Useful links
Symantec Response Blogs
http://www.symantec.com/business/security_response/weblog/index.jsp
Symantec Insight
http://www.symantec.com/business/theme.jsp?themeid=insight
SEP 12 Beta
http://go.symantec.com/sep12beta
Q&A
Thank you!
Gunnar Kr Kopperud
Principal Security Engineer
48018908 gkopperud@symantec.com
Copyright 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in
the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied,
are disclaimed to the maximum extent allowed by law. Any forward-looking indication of plans for products is preliminary and all future releases are tentative and are subject to
change. Any future product release or planned modifications to product capability, functionality, or features are subject to ongoing evaluation by Symantec, and may or may not be
implemented and should not be considered firm commitments by Symantec and should not be relied upon in making purchasing decisions. The information in this document is
subject to change without notice.
Appendix:
Symantec Network Access Control 12.1
Phased NAC rollout
Phase 1, endpoint lockdown
- Managed endpoints (company-owned laptops and desktops): Self-Enforcement
- Unmanaged endpoints: N/A
Phase 2, network lockdown (partial)
- Managed and unmanaged endpoints: ingress control for wireless, VPN and key subnets; use Enforcer (Gateway Enforcement)
Phase 3, network lockdown (complete)
- Complete access control for LAN and remote endpoints; Gateway Enforcement
Encryption
Create and enforce security policy so all confidential information is encrypted
Vulnerability Assessment
Ensure network devices, operating systems, databases and web application systems are properly configured
Determine whether or not a vulnerability is truly exploitable
Strong Authentication
Two-factor authentication to protect against socially engineered password theft
Device Security
Guard mobile device against malware and spam
Prevent the device from becoming a vulnerability
Content Security
Identify confidential data on mobile devices
Encrypt mobile devices to prevent lost devices from turning into lost confidential data