You ll learn about our roadmap across the Symantec and gateway security offerings.

Transcription

1 #SymVisionEmea

2 In this session you will hear how Symantec continues to focus our comprehensive security expertise, global intelligence and portfolio on giving organizations proactive, targeted attack protection today and in the future. You ll learn about our roadmap across the Symantec and gateway security offerings. We ll reveal our expanded vision of Targeted Attack Protection spanning , gateway and cloud platforms to provide far greater protection, a 100% detection rate and rapid remediation of both common and advanced threats. 2

3 #SymVisionEmea Gateway, cloud and targeted attacks Our vision, strategy and roadmap Patrick Gardner VP, Engineering Jane Wong Director, Product Management 3

4 The rise of targeted attacks 91% increase in targeted attack campaigns in 2013 vs 2012 ISTR 19 (Symantec, 2014) 4

5 Targeted attacks against organizations by size 5

6 Organizations are not stopping Targeted attacks 66% Breaches went undetected for 30 days or more 243 days before detection 4 months to remediate 6

7 The shift in mindset 7

8 The shift in mindset Threat Intelligence Data Loss Prevention - Discover Endpoint Protection Security Web Security Data Center Security Advanced Threat Protection Solution , Gateway, Endpoint Managed Security Services Advanced Threat Protection Solution , Gateway, Endpoint Managed Security Services Incident Response Services 8

9 Symantec Advanced Threat Protection Solution Products Advanced Threat Protection Solution Technologies Endpoint Security: Advanced Threat Protection Gateway Security: Threat Defense Security: Advanced Threat Protection New advanced threat detection and response capabilities unifying security across the endpoint, and gateway helping organizations achieve better protection and drive down security operations costs Detection: Better ability to identify targeted attack scope Visibility: Improved insight into events and trends Response: Increased logging of forensic information Context: Global context from the Symantec GIN Symantec Cynic New cloud based sandbox analysis Combines global threat analysis and behavioral analysis Symantec Synapse New correlation across endpoint, , & gateway Provides prioritization for incident responders 9

10 Protect, detect & respond Protect - identify new threat at any control point, real-time local block across all Detect discover new malware via Cynic, search all endpoints for similar behaviors (IOC s) Respond discover new spear-phish URL, immediately see who else got the , who clicked link, and infection status of their endpoint 10

11 Symantec Advanced Threat Technology 11

12 Rapid detection of malware - cynic Reports Portable Executables, PDF, Office docs, Acrobat, Java files, containers Draws out VM aware malware Mimics human interaction Cloud based service enables rapid scale, and fast updates to analysis Bare metal execution 12

13 Accurate prioritization of events - synapse Threat correlation across gateway, endpoint and enables effective prioritization High prioritization of assets to be remediated due to active infection Lower prioritization of threats already remediated at other control points 0-day threats identified over the network, but blocked at the endpoint, will be assigned a lower priority 13

14 Symantec Gateway Security: Threat defense 14

15 Threats to gateway security 2 ND Watering hole attacks are 2 nd only to Spear phishing 77% Websites have vulnerabilities 16% Of these are critical 23 Zero day exploits discovered in 2013 Unprotected % of Unmanaged Endpoints increases the complexity of the problem faced by Sec Ops today Source: Symantec Internet Security Threat Report volume 19 15

16 Symantec Gateway Security: Threat defense Network Traffic Internet Endpoints BLAC KLIST Real-time Inspection Blacklist Vantage Insight AV Mobile Insight SGSTD 1 On-box inspection with proven technologies. In-line = block; TAP-mode = inspect only 2 Asynchronous inspection of suspicious files sent to Cynic for analysis Symantec big data intelligence Symantec Cloud 3 Cynic assesses file behavior in multiple sandboxing VMs, up to and including bare metal execution for VM-aware malware and utilizes Skeptic and SONAR heuristics & Endpoint (ESS, SEPM) Synapse Correlation Cynic 4 Behaviors are put in global context against Symantec Intelligence Data and correlated to , endpoint events via Synapse Conviction, Actionable intelligence 5 Verdict and an actionable, richly detailed report on what Cynic observed is provided, prioritized contextually 16

17 Symantec Gateway Security: Threat defense futures Jack in Finance Enhanced visibility into all inspection events across control points to aid in forensic investigation, includes encrypted traffic view Enhanced ability to pinpoint the user under attack and create a profile of normal activity ; i.e. the CEO s administrative assistant versus a new hire to the finance department Additional options for malware analysis (i.e. on-site as a black box appliance, uploading of custom o/s images, etc.) Enhanced integration to the web gateway products to extend ATP capabilities 17

18 Symantec Security: Advanced Threat Protection 18

19 Threats to security 1 in 392 s are a phishing attack 1 in 196 s are a malware attack 25% of malware in is delivered via a link 66% of all worldwide is spam 91% Increase in targeted attacks in 2013 vs is top incursion vector for attacks Source: Symantec Internet Security Threat Report volume 19 Advanced Threat Protection by Symantec SYMANTEC VISION SYMPOSIUM

20 Symantec Security: Advanced Threat Protection Vision Detailed reporting on advanced malware blocked by Symantec, including targeted attacks Accurate prioritization of threat activity across control points via Synapse data correlation Detect new malware via Cynic sandboxing including virtual and physical execution Detailed behavioural reporting what was the malware trying to do? Gain campaign insights via Symantec threat actor intelligence 20

21 Symantec Security: Advanced Threat Protection V1: Enhanced visibility of advanced malware More detailed data, targeted attack visibility, threat categories and severity levels Details Date, time, timezone Domain of recipient Rcpt To Envelope Recipient RFC5321 To Header RFC5322 Source IP - sender IP address Geo-location of source Mail From Envelope Sender RFC5321 From Header RFC5322 Subject Line Malware Details Malware name Malicious URL or attachment file hash Detection method e.g. Skeptic, Link Following Targeted Attack Yes/No Why Symantec deems attack to be targeted (summary) Threat Category - Trojan, InfoStealer etc. Severity Level indicating threat sophistication Severity Levels HIGH Targeted Attack MEDIUM Zero-day or new malware LOW Blocked malware Advanced Threat Protection by Symantec SYMANTEC VISION SYMPOSIUM

22 Symantec Security: Advanced Threat Protection V1: Enhanced visibility of advanced malware Reduce response time and effort with data correlation SIEM integration API to pull down detailed data on malicious s that have been blocked by Security.cloud Mechanism Data Feeds are streamed on request through a URL HTTPS secures and encrypts the data, CSV format More detail 23 data points (vs. 9 in current Anti-Virus Detailed report) New data includes Targeted Attack analysis, Severity Level, Geolocation of attacker and SHA256 hashes Synapse integration Event correlation drives prioritization and supports response today, sets stage for automated protection in future releases Advanced Threat Protection by Symantec SYMANTEC VISION SYMPOSIUM

23 V2 FOCUS Symantec Security: Advanced Threat Protection Futures Better detection of new malware, via integration with Symantec Cynic sandboxing technology Detailed behavioral reporting what did Symantec observe the malware trying to do? Submit blocked samples for analysis Enhanced Synapse correlation data feed with additional data to further strengthen accuracy of event prioritization across control points Gain intelligence on adversaries and their modus operandi, via Symantec threat actor intelligence Advanced Threat Protection by Symantec SYMANTEC VISION SYMPOSIUM

24 Symantec Endpoint Security: Advanced Threat Protection 24

25 Symantec Endpoint Security: Advanced Threat Protection Automatic, continuous suspicious event prioritization Detect Accurately Analyze Quickly Respond with Confidence Automatically generates prioritized list of suspicious events Analyzes global and local context data to determine scope and severity. Optionally sends to Cynic for behavior reporting Convicts file and locally blacklists to immediately contain the attack. Endpoints send suspicious activity in real-time Machine-learning based algorithm (SEAA) applied to data Global intelligence benchmarking Cynic results Comprehensive body of evidence for SIEM integration Immediately prevents additional downloads Instructs SEPM to blacklist locally via policy Advanced Threat Protection by Symantec SYMANTEC VISION SYMPOSIUM

26 Suspicious event analytics algorithm Goal Provide high fidelity and automatically generated prioritized list of suspicious events Automates the job of finding suspicious events across your endpoints Informs you of attacks quicker and requires less effort How Machine learning based algorithm Developed in collaboration with STAR Validated against specific enterprise data sets as opposed to broad, global data from enterprises Requires Full visibility into all PE files created on the endpoint Full visibility into all AV and IP Ping data Full visibility into all SONAR submissions (1,400 behaviors) Deep integration with the SEP client 26

27 Symantec Advanced Threat Protection Solution 27

28 How we solve the problem. Protect, Detect, Respond Advanced Threat Solution Tell me about advanced threats faster and better than anyone else Elastic cloud technologies detect 0-day evasive threats through many techniques of code execution and analysis Visibility into threats targeting both managed and unmanaged clients Highlight the most important events so I can prioritize my time Give me actionable intelligence so that I can defend my organization Synapse-driven event prioritization across all Symantec control points Greater Symantec context gives you additional intelligence: URL sources, origin, files downloaded by that file, processes created, etc. Deep file analysis provides a full behavioral report which can be used for incident response 28

29 #SymVisionEmea Thank you! Copyright 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. Advanced Threat Protection by Symantec 29

30 Enhance visibility of advanced malware ATP Add-on: Detailed Malware Report Threat Categories Worm Viruses (File Infector) Backdoor The ability to self-replicate from across a network. Threats that do not require host files or sectors and selfreplicate across disks (e.g., copying oneself to the floppy drive and from the floppy to the hard drive). The ability to self-replicate on the same host. Program or feature in a program that allows unauthorized remote control and access to the system on which it is installed without notice and consent. The program that controls (and often connects to) the backdoor can be considered a component of the backdoor even if it installs with notice and consent. InfoStealer Downloader Trojan Hacktool Contains functionality that is intended to collect confidential data from the target system without adequate notice and without receiving appropriate consent. Confidential data includes information that most people would not be willing to share with someone and includes bank details, credit card numbers, and passwords. Installs or causes other malware to be installed on the system. Program whose sole purpose is to download programs without adequate notice or consent. Without user consent, purposely modifies or deletes system components in such a way that the program effectively disrupts the host computer's functionality so that activities that would have been possible before it was installed would not be possible after install. This includes changes made to a system to prevent it from accessing other resources on a network or Internet. Programs whose primary purpose is to provide the means to exploit or subvert an operating system or third-party application with the purpose of gaining unauthorized access to or rendering a system unusable by an owner without his authorization. 30

31 Endpoint Enterprise Global Symantec Endpoint Security: Advanced Threat Protection Detect Accurately Cynic On-Demand GIN Analyze Quickly Delivered as an on-prem. VA. SES: ATP SEP Manager Respond with Confidence Why SES: ATP? SEP Client SEP Client SEP Client Deep endpoint integration leverages proprietary suspicious event data Automatic, continuous and high fidelity suspicious event prioritization using machine-learning based algorithm Quickly builds a comprehensive body of evidence so you can take action with confidence 31