
Symantec Endpoint Protection 11.0
Overview and Architecture
Silviu Popescu
Symantec Product Manager at Omnilogic SRL

Symantec Global Intelligence Network

- 3 Symantec SOCs
- 80 Symantec monitored countries
- 40,000+ registered sensors in 180+ countries
- 8 Symantec Security Response Centers
- > 6,000 managed security devices + 120 million systems worldwide + 30% of the world's email traffic + advanced honeypot network

Locations: Dublin, Ireland; Tokyo, Japan; Calgary, Canada; San Francisco, CA; Mountain View, CA; Reading, England; Santa Monica, CA; Alexandria, VA; Taipei, Taiwan; Sydney, Australia; Pune, India

Attack Trends
Data Breaches

Information on data breaches that could lead to identity theft. Data collected is not
Symantec data.

The government sector accounted for the majority of data breaches with 25%, followed
by Education (20%) and Healthcare (14%) - the majority of breaches (54%) were due
to theft or loss with hacking only accounting for 13%.

Attack Trends
Underground Economy Servers

Goods traded on underground economy servers (credit cards, identities, online payment services, bank accounts, bots, fraud tools, etc.) are ranked according to how frequently they are offered for sale.

Credit cards were the most frequently advertised item (22%) followed by bank accounts
(21%).

Email passwords sell for almost as much as a bank account.

Attack Trends
Underground black-market trading

Finance sector headlines:

- http://money.cnn.com/2005/05/23/news/fortune500/bank_info/
- http://www.theregister.co.uk/2007/04/19/phishing_evades_two-factor_authentication/

Malicious Code Trends


New malicious code threats

In the first half of 2007, 212,101 new malicious code threats were reported to Symantec. This is a
185% increase over the second half of 2006.

This increase can mainly be attributed to new Trojans such as staged downloaders.

The first stage of a staged downloader is usually written for a specific target or purpose, resulting in
the creation of a very large number of them.

The Battle has changed

Threat Landscape Shift

2004 Landscape: Virus
2006 Landscape: Crimeware

2004: Threats are noisy & visible to everyone
2006: Threats are silent & unnoticed, with variants

2004: Threats are indiscriminate, hit everyone
2006: Threats are highly targeted, regionalized

2004: Threats are disruptive, impact visible
2006: Threats steal data & damage brands, impact unclear

2004: Remediation action is technical (remove)
2006: Remediation more complex, may need to investigate data leak

2004: Going through perimeter and gateway
2006: Going after uneducated network clients and other endpoints

Anatomy of Layered Endpoint Protection

Endpoint layer: exposures -> protection technology

- Host integrity & remediation: always on, always up-to-date
- Applications: zero-hour attacks, identity theft, application injection -> Behaviour blocking
- I/O Devices: iPod slurping, IP theft -> Device controls
- Memory/Processes: buffer overflow, process injection, key logging -> Buffer overflow & exploit protection
- Operating System: malware, rootkits, day-zero vulnerabilities -> O/S protection
- Network Connection: worms, exploits & attacks -> Network IPS, Client firewall
- Data & File System: viruses, Trojans, malware & spyware -> AntiVirus, Anti-spyware

Symantec solutions shown on the slide: Symantec Network Access Control, Symantec Confidence Online, Symantec Client Security, Symantec Mobile Security, Symantec Endpoint Protection, Symantec Sygate Enterprise Protection, Symantec Critical System Protection, Symantec AntiVirus

Scope of Endpoint Protection

Symantec Endpoint Protection Summary

Network Access Control
- Includes a NAC agent to ensure each endpoint is NAC-ready (Sygate)
- Adds endpoint compliance to endpoint protection

Device Control
- Device control to prevent data leakage at the endpoint (Sygate)
- Protection against mp3 players, USB sticks, etc.

Intrusion Prevention
- Behavior-based intrusion prevention (Whole Security)
- Network traffic inspection adds vulnerability-based protection

Firewall
- Industry's best managed desktop firewall
- Adaptive policies lead the pack for location awareness (Sygate and Symantec Client Security)

Antispyware
- Best anti-spyware, leading the pack in rootkit detection and removal
- Includes VxMS scanning technology (Veritas)

AntiVirus
- The world's leading anti-virus solution
- More consecutive Virus Bulletin certifications (31) than any vendor
Ingredients for Endpoint Security

Components: Network Access Control, Device Control, Intrusion Prevention, Firewall, Antispyware, AntiVirus

Products: Symantec Endpoint Protection 11.0, Symantec Network Access Control 11.0

Ingredients for Endpoint Protection

AntiVirus
- World's leading AV solution
- Most (31) consecutive VB100 awards

Some more detailed information ...

Source: Andreas Clementi, Antivirus comparative summary report 2006

Ingredients for Endpoint Protection

Antispyware
- Best rootkit detection and removal
- Raw Disk Scan for superior rootkit protection

Source: Thompson Cyber Security Labs, August 2006

Ingredients for Endpoint Protection

Firewall
- Industry leading endpoint firewall technology
- Gartner MQ Leader 4 consecutive years
- Rules-based FW can dynamically adjust port settings to block threats from spreading

Ingredients for Endpoint Protection

Intrusion Prevention
- Combines network- and host-based prevention
- Generic Exploit Blocking (GEB): one signature to proactively protect against all variants
- Granular application access control
- Proactive Threat Scans: very low (0.002%) false positive rate across 16M installations (only 20 false positives for every 1 million PCs)

Ingredients for Endpoint Protection

Device Control
- Prevents data leakage
- Restrict access to devices (USB keys, backup drives, MP3)

[Slide clipping, garbled in extraction: a news item about the SillyFDC worm, which targets removable media such as USB memory sticks and runs automatically when the device is connected to a computer.]

Ingredient for Endpoint Compliance

Network Access Control
- Network access control ready
- Agent is included, no extra agent deployment
- Simply license SNAC Server

New Key Features

Symantec Endpoint Protection Manager

Features Overview

Feature areas: Monitoring & Reporting; Deployment & Integration; Administration; Policy Actions

- Email report distribution
- Client install package builder
- Centralized event logging
- Patch & update
- Customizable report filters
- Real-time event viewing
- Command system
- Network security status view
- Notifications view
- Event export to SSIM & 3rd-party SIEM solutions
- Embedded and MSSQL support
- Centralized, web-based console
- Simplified user interface for SMB and enterprises
- Integrated management of all agent components
- Role-based access
- Import and sync AD users and Org Units
- Single console to define & manage AV, FW, NAC and other policies
- Administrative domains
- Authenticate admin users via AD
- Group-based policy application
- Assign rights by user or group
- Customizable agent package installation settings
- Reusable policy objects
- User-defined, multi-tiered groups
- Centralized setting of exclusions and exceptions
- Remote agent installation
- Migration from SAV, SCS, SSEP & SNAC
- RSA SecurID authentication

Symantec Endpoint Protection 11

- Proactive security solution for endpoints
- The traditional signature-based technology is obsolete
- 24 MB memory footprint, full arsenal; layered security
- Network Access Control functionality: LAN (802.1x), Layer-2 and DHCP
- Device Control: USB, FireWire, Bluetooth, Infrared, SCSI, ...
- System lockdown that even the admin can not change ...
- Full, complete integration: single management console, centralized log, report
- The price is not a question... and all this at the unchanged Symantec AntiVirus price

Thank You

2006 Symantec Corporation. All rights reserved.


THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY AND IS NOT INTENDED AS ADVERTISING. ALL WARRANTIES RELATING TO THE INFORMATION
IN THIS DOCUMENT, EITHER EXPRESS OR IMPLIED, ARE DISCLAIMED TO THE MAXIMUM EXTENT ALLOWED BY LAW. THE INFORMATION IN THIS DOCUMENT IS
SUBJECT TO CHANGE WITHOUT NOTICE.
