daredevil - it · pdf file40 agent ••features ••sonar behavior...
If you can't read please download the document
TRANSCRIPT
Daredevil
DavorPerat
SeniorTechnologyConsultant
Agenda
2
1234567
Threatlandscapeandtheendpoint
Protectingtheendpoint
Performanceorprotection,whychoose?
Virtualizedandembeddedsystemoptimization
Streamlinedmanagementandreportingacrossplatforms
Architectureoverview
Symantecproductintegrationandsupport
8 Additionalresourcesandsummary
3
Letsgetstarted!
4
Threatlandscapeandtheendpoint
InternetSecurityThreatReport:ISTRVolume21
5
KnownMalware NewMalware NetworkAttack SocialEngineering SystemTampering DataTheft Vulnerabilities
Symantecdiscoveredmorethan430millionnewuniquepiecesofmalwarein2015,up36%fromtheyearbefore.
AnewZero-Dayvulnerabilitydiscoveredeveryweekin2015
6
7
One of the largest civilian cyber intelligence networks3.7 Trillion rows of security-relevant data
175MConsumerand
Enterpriseendpointsprotected
57Mattacksensor
in157countries
182Mwebattacksblockedlastyear
Discovered
430millionnewuniquepiecesofmalwarelastyear
Billionsofemailtrafficscanned/day
1Billionwebrequestsscanneddaily
12,000Cloudapplicationsprotected
9 threatresponsecenters
Thethreatlandscapecontinuestoescalate
8Source:SymantecISTR2016
55%IncreaseinTargeted
Attacks
430Mnewpiecesof
malwarewerecreatedin2015
125%increaseofZero-Dayvulnerabilityfrom2014to2015
35%increaseof
ransomware in2015
InboundCommunication Payloadexecution
OutboundCommunicationPayloaddelivery
HowSymanteccanhelpSymantecEndpointProtection14
9
UNRIVALEDSECURITY
BLAZINGPERFORMANCE
SMARTERMANAGEMENT
Stopstargetedattacksandadvancedpersistentthreatswithintelligentsecurityandlayeredprotectionthatgoesbeyondantivirus.
Performancesofastyouruserswontevenknowitsthere.
AsinglemanagementconsoleacrossWindows,Mac,Linux,andVirtualplatformswithgranularpolicycontrol.
SUPERIORPROTECTION BETTERPERFORMANCE EASYINTEGRATION&AUTOMATION
InboundCommunication Payloadexecution
OutboundCommunicationPayloaddelivery
SEPprotectsagainstalltypesofthreatsSEP14combinesCoreandNextGenerationtechnologies
10
Pre-ExecutionDetection
ProcessBehavior
ReputationExploitPrevention
NetworkIDS/IPS
App&DeviceControl
InsightFile / Domain Reputation
InsightSignerReputation
Advanced Machine Learning
Intelligent Threat CloudAlways Up to Date
ApplicationControl
DeviceControl
BPEsBehavioralSignatures
SONARBehaviors
Memory Exploit Mitigation
Firewall & Intrusion Prevention
SEP14
SEP14
SEP14
Emulator for crypto-malware
MachineLearning
Pre-executiondetectionfornewandevolvingthreats
ApplicationProtectionMemoryExploitMitigation
EmulatorAnti-evasiontechniquetodetecthiddenmalware
IntelligentThreatCloud
Real-timecloudlookup,~70%reductionindefinitionsize
PerformanceEnhancementsFasterreal-timevirusdetection
EnablingIntegrationsRESTAPIsEnableBlueCoatintegrations
EnhancedAutomationExpandedLiveUpdatetodeliversecurityupdatesforWindowsclients
70%dropindailyupdates
CompeteAgainstTraps
CompeteAgainstCylance
StrongAnti-Evasion
EasyIntegrations
FasterandLightWeight Automation
SEP14NextGenerationProtectionTechnologiesandEnhancements
SuperiorProtection BetterPerformance EasyIntegration&Automation
12
Protectingtheendpoint
Yourendpointsarethetarget
Malware
NetworkthreatsSoftwarevulnerability
Dataleakageandtampering
NetworkThreatprotection
File-basedprotection
ApplicationandDeviceControlSystemLockdown
Hostintegrity
COMPLIANCE THREATPROTECTION
IntroducingSEP
CentralManagement
FirewallCustomIPS
StreamLevelIPSBrowserProtection
AntiVirusAntiSpyware
HeuristicReputation
EmailScanning
WhitelistingBlacklistingDeviceControlSystemLockdown
Compliancecheck: Standard Template Custom Automation
Insight
Protectionlayers|Singleagent
DownloadProtection
16
File-basedprotection
SONARisareal-timemonitoringheuristicsystemthattargetsmaliciousbehavior.ItleveragesInsighttoprovidezero-daythreatprotectionandsignature-lessmitigation.
SignatureengineisthetraditionalAntivirusfeaturematchingthreatsagainstsignatures.Itstillaccountsfor50%ofalldetectionsin2014.TheenginealsoleveragesInsightforfalsepositiveprevention.Signaturesareusedforfilesandemailsscans.
Downloadprotectionprotectsagainstnewandunknownfilesthattraditionalsignature-basedsecuritydoesnotdetect.Detectionsarebasedontheprevalence,age,sourceandoverallreputationgivenbyInsight.
Insight
SONAR(BehavioralHeuristic)
Signature
Zero-daythreatsandreducedfalsepositives
17
File-basedProtection:Continued
StaticDataScanner
SDSEngine
Emulator:VMforpacked
threat
SAPE:Machine
learningengine
ITCS:Cloud- basedscanning
CoreDef-3:LightweightAVSignatures
Emulator:Analyzethepayloadbyexecutingapackedthreatinalocalvirtualizedsandbox.
SAPE:Determinesifafileisgoodorbadbasedonexperience,criteriasetbyanalysts,andbehavior.
ITCS:Reducesresourceandstorageoverheadbykeepingthemostrelevantsignatureslocallyandapplyingsmallupdateswhenneeded.Allothersignaturesarehostedinthecloud.
CoreDef-3:Traditionalantivirusenginethatcontainsalightersetofdefinitions.
BrowserIPS
18
NetworkIPSisstream-basedfilteringthatusesgenericexploitblocking(GEM)toblockthreatsusingapublishedvulnerability.(OSILayer5)
CustomIPSallowsadministratorstocreateSNORTlikesignaturesatthepacketlevel(OSILayer2)
BrowserIPSprotectsagainstobfuscatedattacksatthebrowserlevel.(EncryptedJava,ActiveX,Flash,andmore).(OSILayer7).BrowserProtectionworkswithFirefoxandInternetExplorer.
NetworkIPS
CustomIPS
NetworkThreatProtection
Firewallprotectsagainstintrusionandgivescontroloverthedataenteringandleavingtheendpoint.
NetworkThreatProtection
Application Insight,BrowserProtection,SONAR,VirusandSpywareProtectionandApplicationControl
Presentation BrowserProtectionandInsight
Session Firewalland IPS
Transport Firewall
Network Firewall
Datalink FirewallandCustomIPS
Physical DeviceControl
SystemLockdown
20
SystemLockdownleveragesApplicationControltowhitelistorblacklistasetofapplications.Commonlyusedinstaticenvironmentslikeembeddedsystemsandsecureworkstations.
DeviceControlblocksunauthorizedhardwaretobeconnectedtotheendpoint.Preventsdataleakageanddualhomingnetworks.
DeviceControl
ApplicationControl
ApplicationControlblocksunwantedapplicationsbasedonhashorfilename.
ApplicationandDeviceControl
Customrequirements
21
Customrequirementisa featurethatprovidesasimplemethodtoexecuteprogramsandscriptstoevaluateandremediateanyaspectoftheendpoint.
TemplaterequirementscanberetrievedviaLiveUpdatetoauditadvancedrequirements,suchaspasswordcomplexityorpresenceofasecondNICconnectedtothesystem.
Templaterequirements
Standardrequirements
Standardrequirementsinclude Endpointsecuritystatus,contentupdates,criticalpatches,andmore.
Hostintegrity
Hostintegrityauditstheendpointagainstrequirements.TheauditgivesaPASS ofFAILresult,whichistranslatedintoanautomatedremediation.
Insight
22
CALCULTINGSCORE-127 127
Insightisthelargestreputationdatafilesystemintheworldandleveragesmorethan175millionendpointstogatherinformationonbinaryexecutablefiles.
Age: Insightlooksathowlongafilehasbeencreatedbecausemalwaretendstobeverynewwheninfectingasystem.
Prevalence:Insightkeepscountofhowmanyendpointsranordownloadedagivenapplication.
SourceandSystemHygiene: Insightusesaratingsystem:Thenumberofsysteminfectionsandwherethethreatcamefromtodetermineanaccuratereputationscore.
PreviousConviction: Insightleveragestelemetryfromfeatureslikefile-basedprotection,IPSorSONARtodetermineifafilealreadyhadamaliciousbehavioronanothersystem.
ThreatspectrumvsSEPfeatures
23
KnownMalware NewMalware NetworkAttack SocialEngineering SystemTampering DataTheft Vulnerabilities
Signatures
Heuristic(SONAR)
Reputation(Insight)
IPS/Firewall
Applicationcontrol
Devicecontrol
HostIntegrity
IPS(GEM)
Heuristic(SONAR)
Reputation(Insight)
MachineLearning
Protectionacrosstheattackchain
24
InboundCommunication Payloadexecution
OutboundCommunicationPayloaddelivery
NextgenIPS
TamperProtectionandLockdown
ReputationMachineLearning(ML)
BehavioralML
AdvancedML*
AntiVirussignatures
StatefulFirewall
Browserprotection
Real-timeresponsetorapidlychangingthreatlandscape
Threatvectorlearningatscale
Next-genIPS
Applicationcontrol
Clustering
Emulationforcrypto-malware*
Signaturebased Nonsignaturebased Machinelearninganddeeplearning
MachineLearning
Network
BigData
Hardening
AV
MemoryExploitMitigation*
NewinSEP14
25
Performanceorprotection.Whychoose?
BLAZINGPERFORMANCEWITHINSIGHTUpto70%reductioninscanoverheadbyonlyscanningunknownfiles
26
TrustedbyInsight
Traditionalscan ScanpoweredbyInsight
ScanthrottlingScheduledscansuselessresourceswhenyouneedyoursystem
27
Idle Busy
SEPCPUUsage
SEPUsesupto75%