#SymVisionEmea
In this session you will hear how Symantec continues to focus its comprehensive security expertise, global intelligence and portfolio on giving organizations proactive, targeted attack protection today and in the future. You'll learn about the roadmap across the Symantec email and gateway security offerings. We'll reveal an expanded vision of Targeted Attack Protection spanning email, gateway and cloud platforms to provide far greater protection, a 100% detection rate and rapid remediation of both common and advanced threats.
Gateway, cloud and targeted attacks: our vision, strategy and roadmap
Patrick Gardner, VP, Engineering
Jane Wong, Director, Product Management
The rise of targeted attacks
- 91% increase in targeted attack campaigns in 2013 vs 2012 (ISTR 19, Symantec, 2014)
Targeted attacks against organizations by size (chart)
Organizations are not stopping targeted attacks
- 66%: breaches that went undetected for 30 days or more
- 243 days before detection
- 4 months to remediate
The shift in mindset
- Threat Intelligence
- Data Loss Prevention - Discover
- Endpoint Protection
- Email Security
- Web Security
- Data Center Security
- Advanced Threat Protection Solution (Email, Gateway, Endpoint)
- Managed Security Services
- Incident Response Services
Symantec Advanced Threat Protection Solution
Products
- Endpoint Security: Advanced Threat Protection
- Gateway Security: Threat Defense
- Email Security: Advanced Threat Protection
New advanced threat detection and response capabilities unify security across the endpoint, email and gateway, helping organizations achieve better protection and drive down security operations costs:
- Detection: better ability to identify targeted attack scope
- Visibility: improved insight into events and trends
- Response: increased logging of forensic information
- Context: global context from the Symantec Global Intelligence Network (GIN)
Technologies
- Symantec Cynic: new cloud-based sandbox analysis; combines global threat analysis and behavioral analysis
- Symantec Synapse: new correlation across endpoint, email and gateway; provides prioritization for incident responders
Protect, detect and respond
- Protect: identify a new threat at any control point, then block it in real time locally across all control points
- Detect: discover new malware via Cynic, then search all endpoints for the same behaviours (IOCs)
- Respond: discover a new spear-phish URL, then immediately see who else received the email, who clicked the link, and the infection status of their endpoints
Symantec Advanced Threat Technology
Rapid detection of malware: Cynic
- Supported file types: portable executables, PDF, Office documents, Acrobat, Java files, containers
- Draws out VM-aware malware; mimics human interaction
- Bare-metal execution for samples that refuse to detonate in a VM
- Cloud-based service enables rapid scale and fast updates to the analysis
Accurate prioritization of events: Synapse
- Threat correlation across gateway, endpoint and email enables effective prioritization
- High priority: assets that must be remediated because of an active infection
- Lower priority: threats already remediated at another control point
- A 0-day threat identified over the network but blocked at the endpoint is assigned a lower priority
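The two slides above describe the same correlation idea from the responder's side: join what the gateway, email and endpoint control points each saw about a file, rank the asset by whether the threat is still live there, and answer "who else got it". The block below is an added example of that logic written for this page; it is not Synapse or any Symantec code, and the event schema (control_point/host/sha256/action), the three action values and the sample events are all assumptions. The slide only states the HIGH and LOW rules; treating a detection with neither a block nor an infection report (for instance an unmanaged endpoint) as MEDIUM is an added assumption.

```python
"""Synapse-style event prioritization across gateway, email and endpoint.

Added example; not Symantec code. Event schema and sample data are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass

HIGH, MEDIUM, LOW = "HIGH", "MEDIUM", "LOW"
_RANK = {HIGH: 0, MEDIUM: 1, LOW: 2}


@dataclass(frozen=True)
class Event:
    control_point: str  # "gateway", "email" or "endpoint" (assumed names)
    host: str           # endpoint that received the file or message
    sha256: str         # file hash that ties the control points together
    action: str         # "detected" (inspect only), "blocked" or "infected"


def prioritize(events):
    """Map (host, sha256) -> priority.

    Slide rules: an active infection ranks HIGH; a threat already blocked
    at any control point ranks LOW. A detection with neither (assumed
    rule, e.g. an unmanaged endpoint with no telemetry) ranks MEDIUM.
    """
    by_asset = defaultdict(set)
    for e in events:
        by_asset[(e.host, e.sha256)].add(e.action)
    priorities = {}
    for key, actions in by_asset.items():
        if "infected" in actions:
            priorities[key] = HIGH
        elif "blocked" in actions:
            priorities[key] = LOW
        else:
            priorities[key] = MEDIUM
    return priorities


def response_queue(events):
    """Responder work list as (priority, host, sha256), HIGH first."""
    pri = prioritize(events)
    return sorted(((p, host, h) for (host, h), p in pri.items()),
                  key=lambda t: (_RANK[t[0]], t[1]))


def scope(events, sha256):
    """Every host that saw this hash at any control point ('who else got
    it'), with the control points that reported it."""
    seen = defaultdict(set)
    for e in events:
        if e.sha256 == sha256:
            seen[e.host].add(e.control_point)
    return {h: sorted(cps) for h, cps in sorted(seen.items())}


# Constructed sample events (not real telemetry). Hashes are placeholders.
SAMPLE = [
    Event("gateway", "ws-finance-07", "aa" * 32, "detected"),   # TAP mode
    Event("endpoint", "ws-finance-07", "aa" * 32, "infected"),  # still live
    Event("gateway", "ws-sales-12", "aa" * 32, "detected"),
    Event("endpoint", "ws-sales-12", "aa" * 32, "blocked"),     # AV stopped it
    Event("gateway", "byod-tablet-5", "aa" * 32, "detected"),   # no endpoint agent
    Event("gateway", "ws-hr-03", "bb" * 32, "blocked"),         # in-line block
    Event("email", "ws-finance-07", "cc" * 32, "blocked"),      # never delivered
]

if __name__ == "__main__":
    for item in response_queue(SAMPLE):
        print(*item)
    print(scope(SAMPLE, "aa" * 32))
```

Run as a script it prints the queue with ws-finance-07 / aa…aa first (infected) and the three blocked assets last; the unmanaged tablet lands in the middle, which is exactly the case a responder has to go and check by hand.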
Symantec Gateway Security: Threat Defense
Threats to gateway security
- Watering hole attacks are second only to spear phishing
- 77% of websites have vulnerabilities; 16% of these are critical
- 23 zero-day exploits discovered in 2013
- The share of unprotected, unmanaged endpoints increases the complexity of the problem faced by security operations today
Source: Symantec Internet Security Threat Report, volume 19
Symantec Gateway Security: Threat Defense (architecture)
Network traffic between the Internet and endpoints passes through the SGSTD appliance, which works with the Symantec cloud (Cynic, Synapse) and the email and endpoint products (ESS, SEPM).
1. On-box real-time inspection with proven technologies: blacklist, Vantage, Insight, AV, Mobile Insight. In-line mode = block; TAP mode = inspect only.
2. Asynchronous inspection: suspicious files are sent to Cynic for analysis, backed by Symantec big data intelligence.
3. Cynic assesses file behaviour in multiple sandboxing VMs, up to and including bare-metal execution for VM-aware malware, and uses Skeptic and SONAR heuristics.
4. Behaviours are put in global context against Symantec intelligence data and correlated to email and endpoint events via Synapse.
5. A verdict (conviction, actionable intelligence) and a richly detailed report of what Cynic observed are returned, prioritized contextually.
Symantec Gateway Security: Threat Defense futures
- Enhanced visibility into all inspection events across control points to aid forensic investigation, including a view of encrypted traffic
- Enhanced ability to pinpoint the user under attack and create a profile of "normal" activity, e.g. the CEO's administrative assistant versus a new hire in the finance department
- Additional options for malware analysis, e.g. on-site as a black-box appliance, uploading of custom OS images
- Enhanced integration with the web gateway products to extend ATP capabilities
Symantec Email Security: Advanced Threat Protection
Threats to email security
- 1 in 392 emails is a phishing attack
- 1 in 196 emails is a malware attack
- 25% of malware in email is delivered via a link
- 66% of all email worldwide is spam
- 91% increase in targeted attacks in 2013 vs 2012
- Email is the top incursion vector for attacks
Source: Symantec Internet Security Threat Report, volume 19
Advanced Threat Protection by Symantec, Symantec Vision Symposium 2014
Symantec Email Security: Advanced Threat Protection vision
- Detailed reporting on advanced malware blocked by Symantec, including targeted attacks
- Accurate prioritization of threat activity across control points via Synapse data correlation
- Detection of new malware via Cynic sandboxing, including virtual and physical execution
- Detailed behavioural reporting: what was the malware trying to do?
- Campaign insights via Symantec threat actor intelligence
Symantec Email Security: Advanced Threat Protection V1: enhanced visibility of advanced malware
More detailed data, targeted attack visibility, threat categories and severity levels.
Email details
- Date, time, timezone
- Domain of recipient email
- Rcpt To (envelope recipient, RFC 5321)
- To header (RFC 5322)
- Source IP (sender IP address) and geo-location of source
- Mail From (envelope sender, RFC 5321)
- From header (RFC 5322)
- Subject line
Malware details
- Malware name
- Malicious URL or attachment file hash
- Detection method, e.g. Skeptic, Link Following
- Targeted attack: yes/no, with a summary of why Symantec deems the attack targeted
- Threat category: Trojan, InfoStealer, etc.
- Severity level indicating threat sophistication
Severity levels
- HIGH: targeted attack
- MEDIUM: zero-day or new malware
- LOW: blocked malware
Symantec Email Security: Advanced Threat Protection V1: enhanced visibility of advanced malware
Reduce response time and effort with data correlation.
SIEM integration
- API to pull down detailed data on malicious emails blocked by Email Security.cloud
- Mechanism: data feeds are streamed on request through a URL; HTTPS secures and encrypts the data; CSV format
- More detail: 23 data points (vs. 9 in the current Anti-Virus Detailed report)
- New data includes targeted attack analysis, severity level, geolocation of attacker and SHA256 hashes
Synapse integration
- Event correlation drives prioritization and supports response today, and sets the stage for automated protection in future releases
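A SIEM or scripting consumer of the feed described above has three jobs: pull the CSV over HTTPS, normalise the severity level (the previous slide fixes HIGH to targeted attacks), and separate the indicators into hashes and URLs that can be pushed to other control points. The block below is an added example of such a consumer; it is not Symantec code and does not use the real feed format. The column names, the feed URL scheme, and every sample row are constructed for illustration; only the field list and the three severity levels come from the slides.

```python
"""Consume an Email Security.cloud-style detailed malware feed (CSV).

Added example, not Symantec code. Column names, URL and rows are assumed.
"""
import csv
import io
import re
import urllib.request
from collections import Counter

SEVERITIES = {"HIGH", "MEDIUM", "LOW"}
_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed feed text. The header is an assumption, not the real schema.
SAMPLE_FEED = """\
date,recipient_domain,envelope_rcpt,header_to,source_ip,source_geo,envelope_sender,header_from,subject,malware_name,indicator,detection_method,targeted_attack,targeted_reason,threat_category,severity
2014-05-07T09:14:03Z,example.com,cfo@example.com,cfo@example.com,203.0.113.9,XX,invoice@example.net,"Accounts <invoice@example.net>",Invoice 4471,Trojan.Gen,4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce,Skeptic,Yes,Single recipient in finance; sender domain registered 2 days ago,Trojan,LOW
2014-05-07T09:20:11Z,example.com,jdoe@example.com,jdoe@example.com,198.51.100.17,XX,news@example.org,"Newsletter <news@example.org>",Your statement,Downloader.Gen,http://badsite.invalid/stmt.exe,Link Following,No,,Downloader,MEDIUM
2014-05-07T10:02:45Z,example.com,jdoe@example.com,jdoe@example.com,198.51.100.17,XX,news@example.org,"Newsletter <news@example.org>",Your statement,Downloader.Gen,http://badsite.invalid/stmt.exe,Link Following,No,,Downloader,MEDIUM
2014-05-07T11:30:00Z,example.com,sales@example.com,sales@example.com,192.0.2.44,XX,spam@example.info,spam@example.info,Re: order,W32.Generic,NOTAHASH,Skeptic,No,,Worm,LOW
"""


def fetch_feed(url, timeout=30):
    """Pull the feed on request. Refuses anything but HTTPS, since the
    data contains recipient addresses and attacker infrastructure."""
    if not url.lower().startswith("https://"):
        raise ValueError("feed must be fetched over HTTPS")
    # Hypothetical endpoint; nothing on this page names the real URL.
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def classify_indicator(value):
    """'sha256' for a 64-hex attachment hash, 'url' for a link, else 'unknown'."""
    v = value.strip()
    if SHA256_RE.match(v.lower()):
        return "sha256"
    if v.lower().startswith(("http://", "https://")):
        return "url"
    return "unknown"


def parse_feed(text):
    """Parse the CSV and normalise severity.

    A row flagged as a targeted attack is forced to HIGH (the slides map
    HIGH to targeted attack); an unrecognised level is demoted to LOW
    rather than guessed upward.
    """
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        sev = row["severity"].strip().upper()
        if sev not in SEVERITIES:
            sev = "LOW"
        if row["targeted_attack"].strip().lower() == "yes":
            sev = "HIGH"
        records.append({**row, "severity": sev,
                        "indicator_kind": classify_indicator(row["indicator"])})
    return records


def iocs(records):
    """Unique hashes and URLs to feed to the gateway and endpoint blocklists."""
    hashes = sorted({r["indicator"].strip().lower()
                     for r in records if r["indicator_kind"] == "sha256"})
    urls = sorted({r["indicator"].strip()
                   for r in records if r["indicator_kind"] == "url"})
    return hashes, urls


def severity_counts(records):
    return Counter(r["severity"] for r in records)


def high_first(records):
    """Responder ordering: HIGH before MEDIUM before LOW, oldest first."""
    return sorted(records, key=lambda r: (_ORDER[r["severity"]], r["date"]))


if __name__ == "__main__":
    recs = parse_feed(SAMPLE_FEED)
    print(dict(severity_counts(recs)))
    print(iocs(recs))
    for r in high_first(recs):
        print(r["severity"], r["envelope_rcpt"], r["malware_name"], r["indicator_kind"])
```

Note the first sample row: the feed says LOW but the row is marked as a targeted attack, so the parser promotes it to HIGH; the fourth row carries an indicator that is neither a hash nor a URL and is kept but excluded from the IOC lists, which is the safer failure mode than pushing garbage to a blocklist.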
Symantec Email Security: Advanced Threat Protection futures (V2 focus)
- Better detection of new malware via integration with Symantec Cynic sandboxing technology
- Detailed behavioral reporting: what did Symantec observe the malware trying to do?
- Submit blocked email samples for analysis
- Enhanced Synapse correlation data feed with additional data to further strengthen the accuracy of event prioritization across control points
- Intelligence on adversaries and their modus operandi via Symantec threat actor intelligence
Symantec Endpoint Security: Advanced Threat Protection
Symantec Endpoint Security: Advanced Threat Protection
Automatic, continuous suspicious event prioritization.
Detect accurately
- Automatically generates a prioritized list of suspicious events
- Endpoints send suspicious activity in real time
- Machine-learning based algorithm (SEAA) applied to the data
Analyze quickly
- Analyzes global and local context data to determine scope and severity; optionally sends to Cynic for a behaviour report
- Global intelligence benchmarking; Cynic results
- Comprehensive body of evidence for SIEM integration
Respond with confidence
- Convicts the file and blacklists it locally to contain the attack immediately
- Immediately prevents additional downloads
- Instructs SEPM to blacklist locally via policy
Suspicious event analytics algorithm
Goal
- Provide a high-fidelity, automatically generated, prioritized list of suspicious events
- Automate the job of finding suspicious events across your endpoints
- Inform you of attacks sooner with less effort
How
- Machine-learning based algorithm developed in collaboration with STAR
- Validated against specific enterprise data sets as opposed to broad, global data from enterprises
Requires
- Full visibility into all PE files created on the endpoint
- Full visibility into all AV and IP Ping data
- Full visibility into all SONAR submissions (1,400 behaviours)
- Deep integration with the SEP client
Symantec Advanced Threat Protection Solution
How we solve the problem: protect, detect, respond
"Tell me about advanced threats faster and better than anyone else"
- Elastic cloud technologies detect 0-day evasive threats through many techniques of code execution and analysis
- Visibility into threats targeting both managed and unmanaged clients
"Highlight the most important events so I can prioritize my time"
- Synapse-driven event prioritization across all Symantec control points
"Give me actionable intelligence so that I can defend my organization"
- Greater Symantec context gives you additional intelligence: URL sources, origin, files downloaded by that file, processes created, etc.
- Deep file analysis provides a full behavioral report that can be used for incident response
Thank you!
Patrick_Gardner@Symantec.com
Jane_Wong@Symantec.com
Copyright 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Enhanced visibility of advanced malware: Email ATP add-on, Detailed Malware Report threat categories
- Worm: the ability to self-replicate across a network. Threats that do not require host files or sectors and self-replicate across disks (e.g., copying itself to the floppy drive and from the floppy to the hard drive).
- Virus (file infector): the ability to self-replicate on the same host.
- Backdoor: a program, or feature in a program, that allows unauthorized remote control of and access to the system on which it is installed without notice and consent. The program that controls (and often connects to) the backdoor can be considered a component of the backdoor even if it installs with notice and consent.
- InfoStealer: contains functionality intended to collect confidential data from the target system without adequate notice and without receiving appropriate consent. Confidential data includes information that most people would not be willing to share, such as bank details, credit card numbers and passwords.
- Downloader: installs or causes other malware to be installed on the system; a program whose sole purpose is to download programs without adequate notice or consent.
- Trojan: without user consent, purposely modifies or deletes system components in such a way that the program effectively disrupts the host computer's functionality, so that activities that were possible before it was installed are no longer possible. This includes changes made to a system to prevent it from accessing other resources on a network or the Internet.
- Hacktool: programs whose primary purpose is to provide the means to exploit or subvert an operating system or third-party application in order to gain unauthorized access to a system, or to render it unusable by its owner, without authorization.
Symantec Endpoint Security: Advanced Threat Protection (architecture)
SES: ATP is delivered as an on-premises virtual appliance. SEP clients report suspicious events to the SEP Manager at the enterprise tier; SES: ATP analyzes them against the Global Intelligence Network (GIN) and, on demand, Cynic, then returns verdicts to the endpoints (detect accurately, analyze quickly, respond with confidence).
Why SES: ATP?
- Deep endpoint integration leverages proprietary suspicious event data
- Automatic, continuous and high-fidelity suspicious event prioritization using a machine-learning based algorithm
- Quickly builds a comprehensive body of evidence so you can take action with confidence