#SymVisionEmea - VOXvox.veritas.com/legacyfs/online/veritasdata/Symantec... · 2016-07-04 · New...


Targeted Attack: Symantec enhanced protection Vision and integration with Next-Gen Firewall

Hervé Doreau – Security Practice Manager

Graham Ahearne – MSS-ATP Product Manager


SYMANTEC VISION SYMPOSIUM 2014

Disclaimer: Any information regarding pre-release Symantec offerings, future updates or other planned modifications is subject to ongoing evaluation by Symantec and therefore subject to change. This information is provided without warranty of any kind, express or implied. Customers who purchase Symantec offerings should make their purchase decision based upon features that are currently available.


• Key Challenges and Focus Areas
• Integrating with Next Gen Firewall
• Advanced Threat Protection
• Roadmap


Customer Challenges

• Realization: Breach is Inevitable
• Customer Needs Shift: from Protection Only to Protection + Detection & Response

• Identify: Understanding Where Important Data Is
• Protect: Stopping Incoming Attacks
• Detect: Finding Incursions
• Respond: Containing & Remediating Problems
• Recover: Restoring Operations


Symantec Offers Great Proactive Protection Today

Endpoint Protection | Web Security | Email Security

Insight
• File reputation
• World’s largest with intelligence on over 8 billion

SONAR
• Behavioral analysis
• Analyzes over 1400 behaviors

Skeptic™
• Advanced spear phishing heuristics
• 100% unknown virus SLA

Disarm
• Spear phishing attachment sanitization
• 95% + effectiveness

IPS
• Prevents exploits
• Blocks command and control communication

Real Time Link Following
• Real time blocking
• Follows URL to true destination with Skeptic malware analysis

Symantec Global Intelligence Network

Intelligence Sharing


Solving the Challenges: Advanced Threat Protection – Cynic™

• Designed to draw out VM-aware malware
• Instrumented to simulate user behaviors to drive malware to execute
• Ability to observe user mode and kernel mode behaviors (e.g. file tries to install a driver); SONAR behavioral scoring
• Cloud-based service enables elastic, fast adaptation to changing malware analysis demands & on-demand queries
• Portable Executables, PDF, Office docs, Java files, containers


Today’s Approach

Manual correlation & remediation

Network Security technology detects suspected Malware

• Determines whether malware is known and if SEP has blocked it
• Verifies whether endpoints are compromised
• Determines if / where infection has spread

Initiates endpoint actions (clean, block, quarantine, gather forensics, …)

Launches corrective actions

Diagram labels: Network Security Group; Symantec End Point Protection Manager; Endpoint Security Group; NetSec VX; TODAY


Solving the Challenges: Advanced Threat Protection – Synapse correlation of events across the solution

• Provides meaningful prioritization for incident responders, saving time
• Closes the loop from network event to target machine or user
• Synapse supports:
  – Event Context (Managed Endpoint or not, blocked on that endpoint or not, IOCs, other Email.cloud recipients, shared bad files, senders, URLs across the environment)

Diagram labels: Email.cloud; Gateway; SEP; Events; Symantec Cloud


Symantec Advanced Threat Protection

MSS – Advanced Threat Protection

Advanced Threat Protection Solution

Incident Response

Managed Adversary Services

Symantec introduces new advanced threat detection and response capabilities unifying security across the endpoint, email and gateway, helping organizations achieve better protection and drive down security OpEx.


Integrating across Network and Endpoint


Efficient detection requires integration… Across network and endpoint


Symantec Endpoint Protection

Network-based Adv. Threat Detection

MSS Advanced Threat Protection


Managed Security Services: Advanced Threat Protection

Network Security

Endpoint Security

Security Intelligence

Threat Experts

Automated Triage Workflows

Rapid Response | Operational Efficiency | Attack Visibility

Integration


Detecting the Unknown

• WILDFIRE: VX scan confirms file malicious

• AMP: Advanced Malware Protection file match

• THREAT EMULATION SERVICE: VX scan confirms file malicious

• Infected client comms (Anti-bot)

• Suspect file sent for virtual execution

Network-based, threat analysis and protection


Rapid Assessment of Advanced Threats

Release 1 (H1 CY2014)

Diagram labels: Network Adv. Threat Detection; Virt Exec; Symantec Endpoint Protection; Symantec Managed Security Services; Symantec Global Intelligence Network; INCIDENT

• File Reputation
• Origin Intelligence
• Threat behaviour (VX)
• Threat info (multi-source)
• Mitigation guidance
• Fingerprint

Outcome: Protected

• Billions of files (20 million new each week)
• 150 million endpoints
• 240,000 sensors across 200 countries


Increased Efficacy of Threat Investigations

Figure: three successive views of the Potential Threat List (diagram labels: Sources; Network; SEP Recognition; File Reputation; FILE A; FILE B). The first view shows 22 entries reading "Malicious File Downloaded" and 1 reading "Malware Download, Endpoint Protected"; the second shows 12 and 11; the third shows 3 and 20.


MSS ATP Demo


MSS-ATP Accelerates Detection and Response

Automated correlation & remediation

Network Security technology detects suspected Malware and alerts MSS-ATP

Analyzes the endpoints to:

• determine whether malware is known and SEP has blocked it
• verify whether endpoints are compromised
• understand if / where infection has spread
• identify the malware & block the IP address

Initiates endpoint actions (clean, block, quarantine, gather forensics)

Diagram labels: Symantec Advanced Threat Protection; Symantec End Point Protection Manager; TOMORROW


Increased Visibility and Directed Response

Release 2 (coming soon)

Diagram labels: Network Adv. Threat Detection; Virt Exec; Symantec Endpoint Protection; Symantec Managed Security Services; Symantec Global Intelligence Network; Adversary & Threat Intelligence; INCIDENT; RESPONSE; OUTCOME

• File Reputation
• Origin Intelligence
• Threat behaviour (VX)
• Threat info (multi-source)
• Mitigation guidance
• Fingerprint

Outcome: Not Protected

RESPONSE

• Malware clean
• Network containment
• Search for file hash
• Search for IOCs
• Increased security policy based on specific IP/app/user
• Quarantine endpoint

Outcome: Protected

• Billions of files (20 million new each week)
• 150 million endpoints
• 240,000 sensors across 200 countries

Solving the Challenges: Advanced Threat Protection Roadmap

Advanced Threat Protection Solution Overview

Products

Endpoint Security: Advanced Threat Protection

New endpoint security add-on that provides:
• Better ability to identify advanced threats and targeted attacks
• Increased visibility into scope of attack & forensic info
• Global context aids in prioritization for fast response

Gateway Security: Threat Defense

New gateway that provides:
• Better ability to identify advanced threats and targeted attacks
• Increased visibility into scope of attack & forensic info
• Global context aids in prioritization for fast response

Includes integration with Cynic™ & Synapse.

Email Security: Advanced Threat Protection

New email security add-on that provides:
• Better ability to identify advanced threats and targeted attacks
• Increased visibility into scope of attack & forensic info
• Global context aids in prioritization for fast response

Technologies

Symantec Cynic™

New cloud-based, multi-platform sandbox environment available to Gateway Security: ATP & Email Security.cloud. Simulates user behavior to remotely execute suspicious files, and combines behavioral analysis with global threat intelligence to return a verdict.

Symantec Synapse

New technology that enables communication between Gateway Security: ATP, SEP and Email Security.cloud to share threat identification details and define events that require IT security attention. Provides meaningful prioritization for incident responders.


Use Case: Advanced Threat Protection Solution

Event Correlation & Prioritization Across Endpoint, Email & Gateway

1. Initial event, at Gateway ATP, a Cynic™ detection of unique malware, triggers process

2. Synapse checks if the malware was detected by email.

3. If so, Email ATP provides forensic info concerning sender, subject, and other emails to the same user.

4. Synapse checks if the malware infected the destination endpoint, or any other endpoint

5. If so, Endpoint ATP provides forensic info across Endpoint Ecosystem

6. Analyst can prioritize and remediate within minutes, not weeks

Diagram labels: Endpoint Protection; Advanced Threat Protection Solution; Email Security.cloud; Customer Security Analyst

Faster Detection & Response = Better Protection & Lower Security OpEx
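As an added illustration (not Symantec code and not taken from the slides), the six-step use case above, together with the Synapse event context listed earlier (managed endpoint or not, blocked on that endpoint or not), can be sketched as a join on file hash. The event fields, host names and addresses are constructed assumptions; the two labels are the ones shown in the deck's Potential Threat List.

```python
"""Join one gateway sandbox detection to email and endpoint events by file hash."""

FILE_A, FILE_B = "a" * 64, "b" * 64  # constructed stand-ins for SHA-256 values

# Constructed sample events; field names are assumptions, not a vendor schema.
EMAIL_EVENTS = [
    {"sha256": FILE_A, "sender": "billing@example.net", "subject": "Invoice",
     "recipient": "alice@example.com"},
    {"sha256": FILE_A, "sender": "billing@example.net", "subject": "Invoice",
     "recipient": "bob@example.com"},
    {"sha256": None, "sender": "hr@example.org", "subject": "Benefits",
     "recipient": "alice@example.com"},
]
ENDPOINT_EVENTS = [
    {"sha256": FILE_A, "host": "ws-017", "blocked": True},
    {"sha256": FILE_A, "host": "ws-042", "blocked": False},
    {"sha256": FILE_B, "host": "ws-099", "blocked": True},
]


def correlate(gateway_event, email_events, endpoint_events):
    """Return email context, endpoint exposure and a priority for one detection."""
    sha = gateway_event["sha256"]

    # Steps 2-3: was the same file delivered by email, and to whom?
    carrying = [m for m in email_events if m["sha256"] == sha]
    recipients = sorted({m["recipient"] for m in carrying})
    # Other mail to the same users is context for the analyst, not a verdict.
    related = [m for m in email_events
               if m["recipient"] in recipients and m["sha256"] != sha]

    # Steps 4-5: where was the file seen on endpoints, and was it blocked there?
    sightings = [e for e in endpoint_events if e["sha256"] == sha]
    unblocked = sorted({e["host"] for e in sightings if not e["blocked"]})
    dest_reported = any(e["host"] == gateway_event["dest_host"] for e in sightings)

    # Step 6: prioritise for the analyst.
    if unblocked:
        priority, label = "high", "Malicious File Downloaded"
    elif not dest_reported:
        # No endpoint telemetry for the destination (e.g. an unmanaged host):
        # absence of an event is not evidence that the file was blocked.
        priority, label = "medium", "Malicious File Downloaded"
    else:
        priority, label = "low", "Malware Download, Endpoint Protected"

    return {
        "sha256": sha,
        "priority": priority,
        "label": label,
        "email_senders": sorted({m["sender"] for m in carrying}),
        "email_recipients": recipients,
        "related_email": related,
        "unblocked_hosts": unblocked,
    }


if __name__ == "__main__":
    for dest, sha in (("ws-017", FILE_A), ("ws-099", FILE_B), ("byod-3", FILE_B)):
        r = correlate({"sha256": sha, "dest_host": dest}, EMAIL_EVENTS, ENDPOINT_EVENTS)
        print(dest, r["priority"], r["label"], r["unblocked_hosts"])
```

The first case is rated high even though the destination host blocked the file, because a second endpoint reported the same hash unblocked.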


Symantec Gateway Security: Threat Defense (SGSTD)

1. On-box inspection with proven technologies. In-line = block; TAP-mode = inspect only

2. Asynchronous inspection of suspicious files sent to Cynic™ for analysis

3. Cynic™ assesses file behavior in multiple sandboxing VMs, up to and including bare metal execution for VM-aware malware and utilizes Skeptic and SONAR heuristics

4. Behaviors are put in global context against Symantec Intelligence Data and correlated to email, endpoint events via Synapse

5. Verdict and an actionable, richly detailed report on what Cynic™ observed is provided, prioritized contextually

Diagram labels: Internet; BLACKLIST; Email & Endpoint (ESS, SEPM)


Symantec Endpoint Security: Advanced Threat Protection

Why SES: ATP?

New product in development:
• Uses scale of the SEP ecosystem to detect advanced threats
• Does this through Aggregate Endpoint Security – “localised” version of Symantec’s big data vision

Delivered as an on-prem. VA.

Detect Accurately | Analyze Quickly | Respond with Confidence

Diagram labels: SEP Client (three instances); SES: ATP; SEP Manager; Cynic On-Demand; GIN; Endpoint; Enterprise; Global


Solving the Challenges: Advanced Threat Protection – Email Security.cloud: Targeted Attack Reporting

• Improved visibility into protection: when is a customer targeted, who is targeted, how are they targeted?

• Better detection via Cynic™, leveraging Symantec’s global context

• A feed to the gateway for correlation means better response prioritization & lower cost


Symantec Gateway Security: Threat Defense

Demo (PREVIEW)

Solving the Challenges: When can we get it?

New Advanced Threat Protection Summary


Endpoint Protection

Advanced Threat Protection Solution

Partner Network Security Gateways

GA = June 2014

Beta = coming soon Extended Free Trials

Customer Security Analyst

Email Security

Symantec Global Intelligence Network

MSS – Advanced Threat Protection

Managed Adversary Services

Incident Response

GA = Summer 2014

GA = Fall 2014


Thank you!

Copyright © 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
