Comprehensive Endpoint Security
Chris Quinn, Systems Engineer
March 24, 2009
Agenda
1 Today's Security Challenges
2 Symantec Endpoint Protection, NAC, and Open Collaborative Architecture
3 Why Symantec?
4 Next Steps
Endpoint Security 3
Today's Challenges
Internet Kiosks & Shared Computers
Guests
WANs & Extranets
Consultants
SSL VPN
Employees Working at Home
IPsec VPN
Wireless Networks
Web Applications
The Complexity Challenge
What's wrong with the current world?
Multiple vendors without a complete product offering
Agent bloat: too many endpoint agents to manage
Too many consoles
Too many siloed point solutions
Specialized talent / resources needed to configure and manage each application
Multiple Complex Consoles/Agents
Benefits of a Comprehensive Endpoint Solution
Threat Protection: Keep the Bad Things Out
  Protect against malware
  Protect from known and unknown threats
  Manage multiple endpoint technologies
Network Access Control: Trust, but Verify
  Enforce endpoint security policies
  Allow guest access to the network
  Provide access only to properly secured endpoints
Data Loss Prevention & Encryption: Keep the Good Things In
  Discover confidential data
  Monitor its use
  Enforce policies to prevent its loss
  Encrypt to prevent unauthorized access
Endpoint Management: Keep the Wheels On
  Integrates security, data loss prevention and management
  Provides automation
  Increases visibility and control
  Lowers total cost of ownership by managing multiple endpoint technologies
Keeping the bad things out
Business Problems at the Endpoint
Endpoint management costs are increasing
  Cost of downtime impacts both productivity and revenue; the productivity hit is largest in the enterprise
  Costs to acquire, manage and administer point products are increasing, as is the demand on system resources
Complexity is increasing as well
  The complexity and resources needed to manage disparate endpoint protection technologies are inefficient and time consuming
Growing number of known and unknown threats
  Stealth-based and silent attacks are increasing, so there is a need for antivirus to do much more
Source: Internet Security Threat Report Vol. XIII; Mar 2008
Keeping up with threats
Changes in the Threat Landscape: From Hackers to Thieves
Fame motivated -> Financially motivated
Noisy and highly visible -> Silent
Indiscriminate -> Highly targeted
Few named variants -> Overwhelming variants
Key Ingredients for Endpoint Protection: Antivirus
World's leading AV solution
Most (41) consecutive VB100 Awards
Source: Virus Bulletin, December 2008
Protection stack: Antivirus
Key Ingredients for Endpoint Protection: Antispyware
Best rootkit detection and removal
VxMS = superior rootkit protection
Protection stack: Antispyware; Antivirus (Viruses, Trojans, Worms)
Source: Thompson Cyber Security Labs, August 2006
Key Ingredients for Endpoint Protection: Firewall
Industry-leading endpoint firewall technology
Gartner MQ Leader 4 consecutive years
Rules-based firewall can dynamically adjust port settings to block threats from spreading
Protection stack: Firewall; Antispyware (Spyware, Rootkits); Antivirus (Viruses, Trojans, Worms)
Key Ingredients for Endpoint Protection: Intrusion Prevention
Combines NIPS (network) and HIPS (host)
Generic Exploit Blocking (GEB): one signature to proactively protect against all variants
Granular application access control
TruScan(TM) Proactive Threat Scanning technology
  Very low (0.0049%) false positive rate
  Detects 1,000 new threats/month not detected by leading AV engines
  False alarms: fewer than 50 false positives for every 1 MM PCs (25M installations)
Protection stack: Intrusion Prevention (Worms, Spyware); Firewall (Spyware, Rootkits); Antispyware; Antivirus (Viruses, Trojans, Worms)
Intrusion Prevention System (IPS): Combined technologies offer the best defense
Network IPS (NIPS)
Host IPS (HIPS)
Deep packet inspection: attack-facing (Symantec signatures via LiveUpdate, custom signatures, SNORT-like)
System Lockdown: whitelisting (tightly control which applications can run)
Generic Exploit Blocking: vulnerability-facing (signatures for the vulnerability)
TruScan(TM): behavior-based (Proactive Threat Scan technology)
Exploit Timeline
Vulnerability announcement (0 day) -> Vulnerability exploit (<24 hours) -> Virus (6-7 days) -> Signature (~3 hours later)
Generic Exploit Blocking: vulnerability-based signature, based on the vulnerability's characteristics
TruScan(TM) Proactive Threat Scan technology: behavior analysis
Number of variants blocked by a single GEB signature (signature / threat / variants blocked, in the order shown on the slide):
  MS RPC DCOM BO / Blaster / 814
  MS_RPC_NETDDE_BO / W32.Mytob.IM@mm / 426
  MS LSASS BO / Sasser / 394
  RPC_NETAPI32_BO / W97M.Invert.B / 250
  NetBIOS MS NO (TCP) / W32.Gaobot.AAY / 121
TruScan(TM) Proactive Threat Scan
Detects 1,000 threats/month not detected by the top 5 leading antivirus engines
6 months of testing with Norton consumer technology
Very low false positive rate (0.004%): fewer than 50 false positives for every 1M computers
No set-up or configuration required
Key Ingredients for Endpoint Protection: Device and Application Control
Prevents data leakage
Restricts access to devices (USB keys, back-up drives)
Whitelisting: allow only trusted applications to run
Protection stack: Device and Application Control (0-day, Key Logging); Intrusion Prevention (Worms, Spyware); Firewall (Spyware, Rootkits); Antispyware; Antivirus (Viruses, Trojans, Worms)
Example: W32.SillyFDC targets removable memory sticks; it spreads by copying itself onto removable drives such as USB memory sticks and automatically runs when the device is next connected to a computer
Symantec Endpoint Protection 11.0: Protect Against Unauthorized Applications
The Risks
  Users installing unauthorized applications like Skype, BitTorrent, LimeWire, eMule, etc.
The Solution
  Block unauthorized applications using Application Control
  Only an endpoint security solution with full device control capabilities can protect against all threats
  Application Control included in base product; no extra cost
Symantec Endpoint Protection 11.0: Protect Against FireWire and Bluetooth Attacks
The Risks
  Physical attacks against endpoints
  Exploit PoC winlockpwn can break into a Windows machine using just a FireWire connection
  Vulnerability by design in FireWire that will not be fixed
  Windows may be vulnerable to Bluetooth attacks that can take complete control over the system
  Microsoft recently released a critical Bluetooth security patch (MS08-030) to address this
The Solution
  Block FireWire and Bluetooth using Device Control
  Only an endpoint security solution with full device control capabilities can protect against all threats
  Device Control included in base product; no extra cost
Key Ingredient for Endpoint Compliance: Network Access Control
Comes ready for the Network Access Control add-on
Agent is included; no extra agent deployment
Simply license SNAC Enforcement
Protection stack: Network Access Control; Device and Application Control; Intrusion Prevention; Firewall; Antispyware; Antivirus
How to Protect Against Threats with a Single Agent, Single Console
Symantec Endpoint Protection 11.0 + Symantec Network Access Control 11.0: Network Access Control; Device and Application Control; Intrusion Prevention; Firewall; Antispyware; Antivirus
Benefits:
  Increased Protection, Control & Manageability
  Reduced Cost, Complexity & Risk Exposure
Incremental Value
SAV CE 10.x: Antivirus; Antispyware
Symantec Endpoint Protection 11.0: Antivirus; Antispyware (enhanced spyware/rootkit protection); Firewall; Intrusion Prevention (extensive intrusion prevention functions, TruScan); Device and Application Control; SNAC enabled (Firewall/Device Control and Network Access Control ready)
Flexible Deployment Options
Standard deployment: Antivirus; Antispyware; Intrusion Prevention*
Comprehensive Endpoint Protection deployment: Antivirus; Antispyware; Intrusion Prevention; Firewall; Device and Application Control
Complete Endpoint Security Solution: Antivirus; Antispyware; Intrusion Prevention; Firewall; Device and Application Control; Network Access Control
Security functions enabled as needed
Medium-Large Organizations (100+)
Symantec Endpoint Protection (SEP)
  Install SEP with antivirus and antispyware options enabled
  Enable additional protection features at your own pace
  Migrate from Symantec AntiVirus at your own pace
  For desktops, laptops and network servers
Symantec Multi-tier Protection*
  SEP and additional solutions to protect multiplatform network environments, mobile devices, mail servers and SMTP gateways
  Excellent choice for organizations with Microsoft Exchange
  For organizations with multiple network servers and many workstations or laptops
Symantec Multi-tier Protection* and SNAC Enforcers**
  SEP and additional solutions to protect multiplatform network environments, mobile devices, mail servers and SMTP gateways
  SNAC enforcer options provide the greatest flexibility
  For organizations with multiple network servers and many workstations or laptops
*SMP includes SEP plus Antivirus for Mac, Linux, Windows Mobile, as well as Mail Security for Exchange, Domino, Premium Antispam and 8300 Virtual Edition
**SNAC Enforcers verify that a host is compliant with minimum security policies. Typical types are Gateway, LAN, DHCP and Self Enforcement
Symantec Global Intelligence Network
4 Symantec SOCs
80 Symantec Monitored Countries
40,000+ Registered Sensors in 180+ Countries
11 Symantec Security Response Centers
> 7,000 Managed Security Devices + 120 Million Systems Worldwide + 2 Million Probe Network + Advanced Honeypot Network
Locations: Tokyo, Japan; Calgary, Canada; Dublin, Ireland; San Francisco, CA; Mountain View, CA; Reading, England; Chengdu, China; Culver City, CA; Austin, TX; Alexandria, VA; Pune, India; Taipei, Taiwan; Chennai, India; Sydney, Australia
Received 41 consecutive Virus Bulletin 100% Certification awards*
TruScan(TM) technology catches 1,000 more threats per month than other AV vendors**
* Source: virusbtn.org
** Source: Symantec
Trust, but verify
What is Network Access Control?
Restricts access to your network by creating a closed system
Offers automatic endpoint remediation before access is granted
Checks adherence to endpoint security policies even when connected to the network
Endpoints covered: Employees and Non-employees; Unmanaged and Managed; On-site and Remote; Corporate Network
Solution: Network Access Control
Checks adherence to endpoint security policies; NAC is a process that creates a much more secure network
  Antivirus installed and current?
  Firewall installed and running?
  Required patches and service packs?
  Required configuration?
Fixes configuration problems
Controls guest access
Network Access Control helps prevent malware from spreading throughout the network
Symantec Network Access Control: 3 Key Components
1. Central Management Console
2. Endpoint Evaluation Technology
3. Enforcer
1. Central Management Console: Symantec Endpoint Protection Manager
Policy Management
Web-based GUI
Enterprise class/scale
Role-based access
Hierarchical views
Integration with Active Directory
Same Management Console used for Symantec Endpoint Protection 11.0
2. Endpoint Evaluation Technologies
Unmanageable Endpoints: Remote Scanner (Good)
Unmanaged Endpoints: Dissolvable Agents (Better)
Managed Endpoints: Persistent Agents (Best)
Symantec Endpoint Protection 11.0 agent is SNAC ready
3. Enforcers
Host-based: Symantec Self-Enforcement
Network-based (optional): Symantec Gateway Enforcer; Symantec DHCP Enforcer; Symantec LAN Enforcer (802.1X)
Rated Good, Better, Best
Why Symantec's NAC?
Symantec makes implementing NAC less daunting & costly: Neutral; Deployable Today; Flexible
Primary Differentiators:
  Greater diversity of NAC approaches than any other vendor
  Operational efficiencies
  Field-proven NAC solution with hundreds of customers
  Deployable today: no need to wait for standards or upgrades
  Award-winning solution
Symantec NAC Self-Enforcement: How It Works
Components: Persistent Agent on an onsite or remote laptop; Symantec Endpoint Protection Manager; Quarantine; Protected Network; Remediation Resources
Client connects to the network and validates policy
Persistent Agent performs self-compliance checks
Compliance pass: apply Office firewall policy
Compliance fail: apply Quarantine firewall policy
Host Integrity Rules (each with a status): Anti-Virus On; Anti-Virus Updated; Personal Firewall On; Service Pack Updated; Patch Updated
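The following is an added example, not Symantec's code or the SNAC agent's actual logic. It models the self-enforcement flow from the two NAC slides (the compliance questions listed under "Solution: Network Access Control" and the Host Integrity rules above): a posture report is evaluated rule by rule, a pass selects the Office firewall policy, and any failure selects the Quarantine policy together with the remediation each failed rule needs. The posture report format, the rule names as code identifiers, the definition-age and service-pack thresholds, the policy names and the remediation text are all assumptions; the sample reports are constructed.

```python
"""Host Integrity evaluation and firewall policy selection (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List

# Assumed thresholds; a real policy would carry these as administrator settings.
MAX_DEFINITION_AGE = timedelta(days=7)
REQUIRED_SERVICE_PACK = 2
POLICY_PASS = "Office"        # firewall policy applied on compliance pass
POLICY_FAIL = "Quarantine"    # firewall policy applied on compliance fail

# Constructed posture report, shaped like what a self-check agent might collect.
# The patch id is the one named on the slide deck; everything else is made up.
POSTURE_EXAMPLE = {
    "av_running": True,
    "av_definitions_date": "2009-03-20",
    "firewall_running": False,
    "service_pack": 2,
    "missing_critical_patches": ["MS08-030"],
}

# Constructed report for a host that meets every rule.
POSTURE_COMPLIANT = {
    "av_running": True,
    "av_definitions_date": "2009-03-23",
    "firewall_running": True,
    "service_pack": 2,
    "missing_critical_patches": [],
}


@dataclass
class Rule:
    name: str                                   # rule name as shown on the slide
    check: Callable[[dict, date], bool]         # True when the host satisfies it
    remediation: str                            # what the quarantined host must do


def _av_current(posture: dict, today: date) -> bool:
    """Definitions count as current when no older than MAX_DEFINITION_AGE."""
    defs = date.fromisoformat(posture["av_definitions_date"])
    return today - defs <= MAX_DEFINITION_AGE


RULES: List[Rule] = [
    Rule("Anti-Virus On", lambda p, t: p["av_running"], "start the antivirus service"),
    Rule("Anti-Virus Updated", _av_current, "download current definitions"),
    Rule("Personal Firewall On", lambda p, t: p["firewall_running"], "enable the personal firewall"),
    Rule("Service Pack Updated", lambda p, t: p["service_pack"] >= REQUIRED_SERVICE_PACK,
         "install the required service pack"),
    Rule("Patch Updated", lambda p, t: not p["missing_critical_patches"],
         "install the missing critical patches"),
]


@dataclass
class Decision:
    policy: str                 # firewall policy the agent should apply
    results: Dict[str, bool]    # per-rule pass/fail status
    remediation: List[str]      # steps for the remediation resources to offer


def evaluate_host_integrity(posture: dict, today: str = "2009-03-24") -> Decision:
    """Run every Host Integrity rule and choose the firewall policy.

    A rule that cannot be evaluated (missing or malformed field) fails closed,
    so an incomplete report never yields the Office policy.
    """
    today_d = date.fromisoformat(today)
    results: Dict[str, bool] = {}
    remediation: List[str] = []
    for rule in RULES:
        try:
            passed = bool(rule.check(posture, today_d))
        except (KeyError, TypeError, ValueError):
            passed = False
        results[rule.name] = passed
        if not passed:
            remediation.append(f"{rule.name}: {rule.remediation}")
    policy = POLICY_PASS if all(results.values()) else POLICY_FAIL
    return Decision(policy, results, remediation)


if __name__ == "__main__":
    for label, report in (("example", POSTURE_EXAMPLE), ("compliant", POSTURE_COMPLIANT)):
        d = evaluate_host_integrity(report)
        print(f"{label}: apply {d.policy} policy")
        for step in d.remediation:
            print(f"  remediate -> {step}")
```

The fail-closed branch is the design point worth keeping: an agent that treats an unreadable posture field as a pass would let a broken or tampered self-check open the protected network, which is the opposite of what the quarantine flow on the slide is for.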
Keeping the good things in
Keep the Wheels On
Single Centrally Managed Console
Symantec Management Console: Symantec Endpoint Protection; Symantec Network Access Control; Symantec Endpoint Encryption; Symantec Data Loss Prevention Endpoint
Migration Made Easy: Overview
What is it? A free tool to help customers migrate to Symantec Endpoint Protection. The Symantec Endpoint Protection Integrated Component is offered with pre-configured templates to remove previously installed solutions, both Symantec and competitive.
Where do I get it, and when? Download now at http://www.altiris.com/download.aspx; an Altiris Client Management Suite 30-day trial is available today.
Who can use this? Any customer or partner may leverage the Symantec Endpoint Protection Integrated Component, but we recommend that customers consider that they are deploying the Altiris management platform.
Complement Security with Management
Symantec Endpoint Protection Integrated Component; Altiris Software Delivery Suite; Altiris Client Management Suite
Capabilities: Streamline migrations; Initiate scans or agent health tasks; Dashboards integrate security and operational information; Apply patches; Ensure software is installed and stays installed; Report machines not connecting; Identify missing hard drives; Policy-based software delivery; Application Management; Software Virtualization; Patch Management; Backup and Recovery; Application Usage; Remote Control
Driving to Convergence
Situation: Duplication of tasks; Gaps require manual processes; Multiple consoles and agents; Various data repositories; Overlapping policies
Solution: Integration on Open Collaborative Architecture (CMDB); Native integration; Single view of compliance; Consolidated status reporting; Pre-built workflow processes
Why Open Collaborative Architecture?
Security and 3rd-party management solutions: Symantec collaborative solutions span Endpoint, Data and IT policy compliance management; collaborative solutions span Industry, Financial and IT policy
Domains: Information Risk & Compliance; Infrastructure Security; Storage (Protect, retain, recover, HA/DR); Business Continuity; Operations (Resource Mgmt: Asset, TCO, capacity, performance; Incident Resolution: Helpdesk, Notify, Problem mgmt; Infrastructure Mgmt: Discover, Deploy, Config, Change)
Evolving product requirements: Tie into multiple levels; Cross multiple processes and disciplines; Cooperate in cross-vendor environments; Leverage Symantec configuration, metadata, operations, policy/task control
Open Collaborative Architecture: Data, Task & Operational Services; Console, Workflow, Security, CMDB; 3rd-party management products; Symantec Services
Symantec Products: Altiris (Endpoint Management); SEP (Endpoint Security Management); SSIM (Security Information Management); CCS (Control & Compliance Suite); EV (Information Risk & Compliance); Vontu (Data Loss Prevention); NBU / BE (Backup & Recovery); SF / CC (Storage Management); VCS(-One) (HA/DR & Server Management)
Why Symantec?
Why Symantec? Greater Security, Greater Control
Analysts Position Symantec as a Leader: Altiris Platform
Analysts Position Symantec as a Leader: Symantec Endpoint Protection; Altiris Platform
Analysts Position Symantec as a Leader: Symantec Network Access Control; Symantec Endpoint Protection; Altiris Platform
Analysts Position Symantec as a Leader: Symantec Endpoint Encryption; Symantec Network Access Control; Symantec Endpoint Protection; Altiris Platform
Analysts Position Symantec as a Leader: Symantec Data Loss Prevention Endpoint; Symantec Endpoint Encryption; Symantec Network Access Control; Symantec Endpoint Protection; Altiris Platform
Who Trusts Symantec: Over 100 Million Endpoints Protected
Questions?
Chris Quinn, Systems Engineer, Symantec
chris_quinn@symantec.com
Thank You!
Copyright 2007 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.