blog | it klinika - daredevil · 2016-12-07 · browser ips 18 network ips is stream-based...
TRANSCRIPT
Daredevil
• Davor Perat
• Senior Technology Consultant
Agenda
1. Threat landscape and the endpoint
2. Protecting the endpoint
3. Performance or protection, why choose?
4. Virtualized and embedded system optimization
5. Streamlined management and reporting across platforms
6. Architecture overview
7. Symantec product integration and support
8. Additional resources and summary
Let's get started!
Threat landscape and the endpoint
Internet Security Threat Report: ISTR Volume 21
Threat spectrum: Known Malware | New Malware | Network Attack | Social Engineering | System Tampering | Data Theft | Vulnerabilities
Symantec discovered more than 430 million new unique pieces of malware in 2015, up 36% from the year before.
A new zero-day vulnerability was discovered every week in 2015.
One of the largest civilian cyber intelligence networks
• 3.7 trillion rows of security-relevant data
• 175M consumer and enterprise endpoints protected
• 57M attack sensors in 157 countries
• 182M web attacks blocked last year
• 430 million new unique pieces of malware discovered last year
• Billions of email messages scanned per day
• 1 billion web requests scanned daily
• 12,000 cloud applications protected
• 9 threat response centers
The threat landscape continues to escalate (Source: Symantec ISTR 2016)
• 55% increase in targeted attacks
• 430M new pieces of malware were created in 2015
• 125% increase in zero-day vulnerabilities from 2014 to 2015
• 35% increase in ransomware in 2015
Attack chain: Inbound Communication → Payload delivery → Payload execution → Outbound Communication
How Symantec can help: Symantec Endpoint Protection 14
UNRIVALED SECURITY: Stops targeted attacks and advanced persistent threats with intelligent security and layered protection that goes beyond antivirus.
BLAZING PERFORMANCE: Performance so fast your users won't even know it's there.
SMARTER MANAGEMENT: A single management console across Windows, Mac, Linux, and virtual platforms with granular policy control.
Superior Protection | Better Performance | Easy Integration & Automation
SEP protects against all types of threats across the attack chain (Inbound Communication → Payload delivery → Payload execution → Outbound Communication). SEP 14 combines core and next-generation technologies.
SEP 14 protection technologies (* new in SEP 14):
• Pre-execution detection: Advanced Machine Learning*, Intelligent Threat Cloud (always up to date), Emulator for crypto-malware*
• Reputation: Insight file/domain reputation, Insight signer reputation
• Process behavior: BPE behavioral signatures, SONAR behaviors
• Exploit prevention: Memory Exploit Mitigation*
• Network IDS/IPS: Firewall & Intrusion Prevention
• App & Device Control: Application Control, Device Control
SEP 14 Next Generation Protection Technologies and Enhancements
• Machine Learning: pre-execution detection for new and evolving threats
• Application Protection: Memory Exploit Mitigation
• Emulator: anti-evasion technique to detect hidden malware
• Intelligent Threat Cloud: real-time cloud lookup, ~70% reduction in definition size
• Performance Enhancements: faster real-time virus detection; 70% drop in daily updates
• Enabling Integrations: REST APIs; enable Blue Coat integrations
• Enhanced Automation: expanded LiveUpdate to deliver security updates for Windows clients
Positioning: compete against Traps; compete against Cylance; strong anti-evasion; easy integrations; faster and lightweight; automation
Superior Protection | Better Performance | Easy Integration & Automation
Protecting the endpoint
Your endpoints are the target: malware, network threats, software vulnerabilities, data leakage and tampering.
Threat protection: Network Threat Protection, File-based protection. Compliance: Application and Device Control, System Lockdown, Host Integrity.
Introducing SEP: protection layers, single agent
• Central Management
• Network: Firewall, Custom IPS, Stream-level IPS, Browser Protection
• File: Antivirus, Antispyware, Heuristic, Reputation (Insight), Email Scanning, Download Protection
• Control: Whitelisting, Blacklisting, Device Control, System Lockdown
• Compliance check: Standard, Template, Custom, Automation
File-based protection
Zero-day threats and reduced false positives: Insight, SONAR (behavioral heuristic), Signature.
SONAR is a real-time monitoring heuristic system that targets malicious behavior. It leverages Insight to provide zero-day threat protection and signature-less mitigation.
The signature engine is the traditional antivirus feature, matching threats against signatures. It still accounted for 50% of all detections in 2014. The engine also leverages Insight for false-positive prevention. Signatures are used for file and email scans.
Download Protection protects against new and unknown files that traditional signature-based security does not detect. Detections are based on the prevalence, age, source and overall reputation given by Insight.
File-based Protection: Continued
Static Data Scanner (SDS engine) components:
• Emulator (VM for packed threats): analyzes the payload by executing a packed threat in a local virtualized sandbox.
• SAPE (machine learning engine): determines if a file is good or bad based on experience, criteria set by analysts, and behavior.
• ITCS (cloud-based scanning): reduces resource and storage overhead by keeping the most relevant signatures locally and applying small updates when needed. All other signatures are hosted in the cloud.
• CoreDef-3 (lightweight AV signatures): traditional antivirus engine that contains a lighter set of definitions.
Network Threat Protection
• Network IPS is stream-based filtering that uses generic exploit blocking (GEM) to block threats that use a published vulnerability (OSI layer 5).
• Custom IPS allows administrators to create SNORT-like signatures at the packet level (OSI layer 2).
• Browser IPS protects against obfuscated attacks at the browser level (encrypted Java, ActiveX, Flash, and more) (OSI layer 7). Browser Protection works with Firefox and Internet Explorer.
• Firewall protects against intrusion and gives control over the data entering and leaving the endpoint.
Network Threat Protection by OSI layer:
• Application: Insight, Browser Protection, SONAR, Virus and Spyware Protection and Application Control
• Presentation: Browser Protection and Insight
• Session: Firewall and IPS
• Transport: Firewall
• Network: Firewall
• Data link: Firewall and Custom IPS
• Physical: Device Control
Application and Device Control
• System Lockdown leverages Application Control to whitelist or blacklist a set of applications. Commonly used in static environments like embedded systems and secure workstations.
• Device Control blocks unauthorized hardware from being connected to the endpoint. Prevents data leakage and dual-homed networks.
• Application Control blocks unwanted applications based on hash or filename.
Host Integrity
Host Integrity audits the endpoint against requirements. The audit gives a PASS or FAIL result, which is translated into an automated remediation.
• Standard requirements include endpoint security status, content updates, critical patches, and more.
• Template requirements can be retrieved via LiveUpdate to audit advanced requirements, such as password complexity or the presence of a second NIC connected to the system.
• Custom requirements are a feature that provides a simple method to execute programs and scripts to evaluate and remediate any aspect of the endpoint.
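As an added illustration of the PASS/FAIL-to-remediation flow described above (example code written for this page, not SEP's own Host Integrity implementation), the following Python models the three requirement kinds as check functions with optional remediations: a failed check runs its remediation and is re-checked, so the reported result reflects the endpoint after remediation. The endpoint state fields, requirement names and thresholds are constructed assumptions.

```python
"""Host Integrity style audit: requirement checks that yield PASS/FAIL and
trigger an automated remediation on FAIL. Constructed illustration of the
flow on the slide, not SEP code."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class EndpointState:
    """Constructed endpoint facts; a real check would query the OS."""
    av_running: bool = True
    definitions_age_days: int = 3
    missing_critical_patches: int = 0
    min_password_length: int = 12
    active_nics: int = 1


@dataclass
class Requirement:
    name: str
    kind: str  # "standard", "template" or "custom" (the three kinds on the slide)
    check: Callable[[EndpointState], bool]
    remediate: Optional[Callable[[EndpointState], None]] = None


def audit(state: EndpointState, requirements: List[Requirement]) -> Dict[str, str]:
    """Evaluate every requirement; a FAIL runs its remediation (if any)
    and is re-checked, so the result reflects the post-remediation state."""
    results: Dict[str, str] = {}
    for req in requirements:
        if req.check(state):
            results[req.name] = "PASS"
            continue
        if req.remediate is not None:
            req.remediate(state)
        results[req.name] = "PASS" if req.check(state) else "FAIL"
    return results


def overall_result(results: Dict[str, str]) -> str:
    return "PASS" if all(r == "PASS" for r in results.values()) else "FAIL"


# Remediations: in a real deployment these would start services, run LiveUpdate, etc.
def start_antivirus(s: EndpointState) -> None:
    s.av_running = True


def update_definitions(s: EndpointState) -> None:
    s.definitions_age_days = 0


def install_patches(s: EndpointState) -> None:
    s.missing_critical_patches = 0


def custom_script(s: EndpointState) -> int:
    """Stand-in for a custom requirement script: exit code 0 means compliant."""
    return 0 if s.av_running and s.missing_critical_patches == 0 else 1


REQUIREMENTS = [
    Requirement("Antivirus running", "standard", lambda s: s.av_running, start_antivirus),
    Requirement("Definitions current", "standard", lambda s: s.definitions_age_days <= 7, update_definitions),
    Requirement("Critical patches installed", "standard", lambda s: s.missing_critical_patches == 0, install_patches),
    # Template-style requirements: no automatic fix, so a FAIL stays a FAIL
    Requirement("Password complexity", "template", lambda s: s.min_password_length >= 12),
    Requirement("Single NIC", "template", lambda s: s.active_nics == 1),
    Requirement("Custom script", "custom", lambda s: custom_script(s) == 0),
]


def run_example() -> Dict[str, str]:
    """Audit a constructed non-compliant endpoint."""
    state = EndpointState(av_running=False, definitions_age_days=30,
                          missing_critical_patches=2, min_password_length=8, active_nics=2)
    return audit(state, REQUIREMENTS)


if __name__ == "__main__":
    res = run_example()
    for name, verdict in res.items():
        print(f"{verdict:4} {name}")
    print("Overall:", overall_result(res))
```

The three standard requirements come back PASS because their remediations fixed the endpoint, while the two template requirements stay FAIL (no automated fix for a weak password policy or a second NIC), so the overall result is FAIL.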
Insight
Insight is the largest reputation data file system in the world and leverages more than 175 million endpoints to gather information on binary executable files. Calculating the score: -127 to 127.
• Age: Insight looks at how long ago a file was created, because malware tends to be very new when infecting a system.
• Prevalence: Insight keeps count of how many endpoints ran or downloaded a given application.
• Source and system hygiene: Insight uses a rating system: the number of system infections and where the threat came from determine an accurate reputation score.
• Previous conviction: Insight leverages telemetry from features like file-based protection, IPS or SONAR to determine if a file already had malicious behavior on another system.
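The following Python is an added toy model of how the four signals above could be folded into a -127..127 score and a trusted/unknown/bad verdict (the kind of verdict that decides whether a file is skipped or scanned). It is illustrative only, not Symantec's algorithm; its weights, thresholds and telemetry values are assumptions.

```python
"""Toy reputation scorer in the spirit of Insight's -127..127 score.
The four signals are the ones the slide names; the weights and thresholds
are constructed for illustration and are not Symantec's."""
from dataclasses import dataclass

SCORE_MIN, SCORE_MAX = -127, 127


@dataclass
class FileTelemetry:
    sha256: str
    age_days: int                 # days since the file was first seen
    prevalence: int               # endpoints that ran or downloaded it
    source_infection_rate: float  # share of infected systems among its sources, 0.0..1.0
    prior_conviction: bool        # another feature (AV, IPS, SONAR) already convicted it


def insight_score(t: FileTelemetry) -> int:
    if t.prior_conviction:
        return SCORE_MIN  # previous conviction elsewhere: hard convict
    score = 0
    # Age: malware tends to be very new at infection time
    if t.age_days >= 365:
        score += 30
    elif t.age_days >= 30:
        score += 10
    else:
        score -= 20
    # Prevalence: widely run files earn trust, near-unique files lose it
    if t.prevalence >= 100_000:
        score += 60
    elif t.prevalence >= 1_000:
        score += 30
    elif t.prevalence < 5:
        score -= 30
    # Source and system hygiene: infected sources pull the score down
    score -= round(80 * t.source_infection_rate)
    score += round(20 * (1.0 - t.source_infection_rate))
    return max(SCORE_MIN, min(SCORE_MAX, score))


def verdict(t: FileTelemetry) -> str:
    """'trusted' files can be skipped by the scanner, 'bad' blocked, 'unknown' fully scanned."""
    s = insight_score(t)
    if s <= -50:
        return "bad"
    if s >= 50 and t.prevalence >= 1_000:
        return "trusted"
    return "unknown"


# Constructed telemetry for three files
SAMPLES = {
    "well_known": FileTelemetry("a" * 64, age_days=800, prevalence=500_000,
                                source_infection_rate=0.01, prior_conviction=False),
    "fresh_rare": FileTelemetry("b" * 64, age_days=1, prevalence=2,
                                source_infection_rate=0.6, prior_conviction=False),
    "moderate": FileTelemetry("c" * 64, age_days=45, prevalence=50,
                              source_infection_rate=0.0, prior_conviction=False),
}

if __name__ == "__main__":
    for name, t in SAMPLES.items():
        print(f"{name:11} score={insight_score(t):5d} verdict={verdict(t)}")
```

Note that a previous conviction short-circuits everything else, and that "trusted" requires both a high score and real prevalence, so a brand-new file can never be skipped on age alone.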
Threat spectrum vs SEP features
Threat spectrum: Known Malware | New Malware | Network Attack | Social Engineering | System Tampering | Data Theft | Vulnerabilities
SEP features mapped across it: Signatures; Heuristic (SONAR); Reputation (Insight); Machine Learning; IPS/Firewall; IPS (GEM); Application control; Device control; Host Integrity
Protection across the attack chain
Attack chain: Inbound Communication → Payload delivery → Payload execution → Outbound Communication
• Signature based (AV, Network): Antivirus signatures, Stateful Firewall, Next-gen IPS, Browser protection
• Non-signature based (Hardening): Tamper Protection and Lockdown, Application control, Memory Exploit Mitigation*, Emulation for crypto-malware*
• Machine learning and deep learning (Big Data): Reputation Machine Learning (ML), Behavioral ML, Advanced ML*, Clustering, threat vector learning at scale, real-time response to a rapidly changing threat landscape
* New in SEP 14
Performance or protection. Why choose?
Blazing performance with Insight: up to 70% reduction in scan overhead by only scanning unknown files. A traditional scan touches every file; a scan powered by Insight skips the files trusted by Insight.
Scan throttling: scheduled scans use less resources when you need your system. When the system is idle, SEP uses up to 75% of resources; when the system is busy, SEP reduces its resource usage.
Scenario | CPU/Disk | User | Best App | Balanced | Best Scan
Busy server | Busy | Idle | Throttled | Throttled | Running
Using PC | Busy | Busy | Paused | Throttled | Running
Moving mouse | Idle | Busy | Paused | Throttled | Running
Lunchtime | Idle | Idle | Running | Running | Running
Scan randomization: preventing the AV storm (chart axes: usability vs CPU & I/O; scheduled scans are spread over a randomization window).
Virtualized and embedded system optimizations
Built for all endpoints: limited storage, resource sharing, license cost.
Reduced-size client: smaller footprint and lighter content update. CoreDef-3 with size enhancement. ITCS enabled. VDI-specific settings.
Embedded and VDI client installation package
• Contains a smaller set of Virus and Spyware content distribution files
• Contains a reduced package size that includes all features: Virus and Spyware*, Firewall, IPS, SONAR, System Lockdown, Application Control, and more
• More NTFS compression where possible
• No installer cache
Estimated definition size:
 | Standard client | Embedded and VDI client
Package | 45 MB | 45 MB
On disk | 170 MB | 75 MB
Embedded and VDI Virus and Spyware content
• Distributed three times per day on weekdays and once a day on weekends
• Separate download from the console
• Content specific to the lightweight client
• Contains fewer signatures than the traditional set
Intelligent Threat Cloud services details
• Projected size range of AV definitions on the local disk: 75 MB – 170 MB
• Average query time to the cloud: 1.7 seconds
• Performance degradation? Less than 5% compared to a SEP 12.1.6 scan
Client types and definition types
Copyright © 2014 Symantec Corporation
 | Standard | Embedded and VDI | Dark network
Definition type | CoreDef-3 | CoreDef-3 with size enhancement | CoreDef-1.5
ITCS enabled | Yes | Yes | No
Estimated package size (network traffic) | ~45 MB | ~45 MB | ~360 MB
Estimated definition size on disk (Full.zip) | ~170 MB | ~75 MB | >700 MB
The SEP 12.x clients use CoreDef-1.5. When you upgrade these clients to SEP 14, they are migrated to CoreDef-3.
Differences between SEP 12.1 and SEP 14 definition sizes
 | SEP 12.1 Standard | SEP 12.1 Reduced | SEP 14 Standard | SEP 14 Embedded and VDI
Definition type | CoreDef-1.5 | CoreDef-3 with size enhancement | CoreDef-3 | CoreDef-3 with size enhancement
ITCS enabled | No | No | Yes | Yes
Estimated package size (network traffic) | ~360 MB | ~45 MB | ~45 MB | ~45 MB
Estimated definition size on disk (Full.zip) | ~700 MB | ~75 MB | ~170 MB | ~75 MB
What if you can skip all the standard files in a VM?
By default, SEP 14.x trusts and skips most of the OS and some applications. There are still some files present in the VM template that are not a threat, and those files are scanned over and over. Virtual Image Exception (VIE) sets all the files present on the VM template as trusted by adding them to the local SEP reputation store.
When a VIE-enabled template is cloned, we scan very little: when the new VM is based on the VIE-trusted image, only new documents and applications are scanned. This reduced I/O applies to real-time, on-demand, and scheduled scans. Files trusted by Insight and files trusted by VIE are both skipped.
Shared Insight Cache (SIC)
• Shared Insight Cache (SIC) is a server application which caches known clean files in order to optimize scheduled scan performance.
• The SIC server is mainly designed for virtual environments, but usage on physical systems is supported given that network latency is kept at an absolute low.
• The SIC server keeps a record in memory (RAM) of files which are voted clean by systems performing scans.
SEP for VDI
Agent
• Features: SONAR behavior, Intrusion Prevention, Browser Protection, Firewall, Network IPS, Application/Device Control, Insight reputation
• Console to manage: SEP
Agentless
• Features: agentless anti-malware, Insight file reputation, agentless Network IPS (requires NSX)
• Console to manage: DCS
• Windows desktop supportability: Windows 7 / Windows 8
• System requirements: VMware NSX / VMware ESXi 5.5 and VMware vShield / ESXi 5.1+
Shared Insight Cache: High level
A VM cluster of virtual farms (many VMs) shares one Shared Insight Cache Server (SIC). The cache holds one record per file:
File hash | Def version | Result
AE32D… | 2011.1… | Clean
B923E… | 2011.1… | Clean
F9123… | 2011.1… | Clean
C3FDA… | 2010.2… | Clean
The first SEP client that needs to scan a file queries the SIC and finds no record. SEP scans the file and sends the result to the SIC.
Subsequent SEP clients that need to scan the same file query the cache server and find that the file has already been scanned with the same version of definitions and is clean. The SEP client skips scanning the file.
Shared Insight Cache architecture: Insight (reputation), SIC Server (clean state), SEPM (logs)
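An added simulation of the SIC exchange above (example code for this page, not Symantec's SIC implementation): a shared in-memory cache keyed by file hash, clients that consult it before scanning, and a definitions update that invalidates cached verdicts because the record's definition version no longer matches. The file contents, definition version strings and the toy scanner are constructed.

```python
"""Shared Insight Cache round trip: the first client scans a file and votes it
clean; later clients with the same definition version skip the scan.
Constructed simulation of the exchange on the slide, not Symantec code."""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class CacheRecord:
    def_version: str
    result: str  # only "Clean" is ever stored; infected files are not cached


class SharedInsightCache:
    """In-memory record of clean files keyed by file hash (like the SIC server's RAM table)."""

    def __init__(self) -> None:
        self.records: Dict[str, CacheRecord] = {}
        self.hits = 0
        self.misses = 0

    def lookup(self, file_hash: str, def_version: str) -> Optional[str]:
        rec = self.records.get(file_hash)
        # A record produced with other definitions does not count: the file must be rescanned.
        if rec is None or rec.def_version != def_version:
            self.misses += 1
            return None
        self.hits += 1
        return rec.result

    def vote_clean(self, file_hash: str, def_version: str) -> None:
        self.records[file_hash] = CacheRecord(def_version, "Clean")


class SepClient:
    def __init__(self, name: str, cache: SharedInsightCache, def_version: str,
                 scanner: Callable[[bytes], str]) -> None:
        self.name = name
        self.cache = cache
        self.def_version = def_version
        self.scanner = scanner  # stand-in for the local AV engine
        self.local_scans = 0

    def scan(self, data: bytes) -> str:
        file_hash = hashlib.sha256(data).hexdigest()
        cached = self.cache.lookup(file_hash, self.def_version)
        if cached is not None:
            return cached  # known clean with these definitions: skip the local scan
        result = self.scanner(data)
        self.local_scans += 1
        if result == "Clean":
            self.cache.vote_clean(file_hash, self.def_version)
        return result


def toy_scanner(data: bytes) -> str:
    """Constructed detector: a marker string stands in for a real detection."""
    return "Infected" if b"MALWARE-MARKER" in data else "Clean"


def simulate() -> Dict[str, int]:
    files: List[bytes] = [b"clean system binary A", b"clean system binary B",
                          b"dropper MALWARE-MARKER"]
    cache = SharedInsightCache()
    clients = [SepClient(f"vm{i}", cache, "2016.12.1", toy_scanner) for i in range(3)]
    for c in clients:
        for f in files:
            c.scan(f)
    scans_before_update = sum(c.local_scans for c in clients)
    # Definitions update on every VM: cached verdicts are stale, so one client rescans and re-votes.
    for c in clients:
        c.def_version = "2016.12.2"
    for c in clients:
        c.scan(files[0])
    return {"scans_before_update": scans_before_update,
            "scans_total": sum(c.local_scans for c in clients),
            "hits": cache.hits, "misses": cache.misses}


if __name__ == "__main__":
    print(simulate())
```

Three clients scanning three files would cost nine local scans without the cache; with it, the two clean files are scanned once each and only the infected file (never cached) is scanned by every client, and after the definitions bump a single rescan refreshes the record for the others.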
Symantec Endpoint Protection for Virtual Desktop Infrastructure (VDI)
Non-persistent VDI refinements
• VDI licensing scheme: shorter retention time equals more licenses available
– Set the client as VDI in the template
– Configure the Manager to set the separate retention scheme
– Select Admin > Domain properties
Streamlined management and reporting across platforms
Single console, multiple agents: Windows (Vista, 7, 8, 10, Server, Embedded), Mac (OS X 10.6.8 to 10.10), Linux (RPM & DPKG distros)
Management covers policies, reporting and alerting.
Policies
• Central configuration
• Location-aware settings
• Manual grouping or Active Directory import
• Tree structure inheritance
Policy types: Virus & Spyware Protection, Firewall, IPS, Application & Device Control (System Lockdown), LiveUpdate, Host Integrity, Location Settings
Location awareness
• Adapts all policies based on location
• Location determination uses Boolean logic and multiple criteria, making it impossible to "fake" a location: Office location = Gateway MAC address + Connected to SEPM + Resolve intranet site to a given IP
Each location (Office, Home, Travel) carries its own set of policies: Virus & Spyware Protection, Firewall, IPS, Application & Device Control (System Lockdown), LiveUpdate, Host Integrity, Location Settings.
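An added example (not SEP's implementation) of location determination by Boolean AND over several criteria, as the slide describes, with a per-location policy applied to the winner. It also shows why a single spoofed criterion such as the gateway MAC does not yield the Office location when the other two fail. The MAC addresses, hostname, IP and policy values are constructed.

```python
"""Location awareness: Office = gateway MAC AND connected to SEPM AND intranet
name resolves to the expected IP. Constructed example, not SEP code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class NetworkContext:
    """What the client can observe about its current network (constructed fields)."""
    gateway_mac: str
    sepm_connected: bool
    dns: Dict[str, str] = field(default_factory=dict)  # hostname -> resolved IP


Criterion = Callable[[NetworkContext], bool]


def gateway_mac_is(expected: str) -> Criterion:
    return lambda ctx: ctx.gateway_mac.lower() == expected.lower()


def connected_to_sepm() -> Criterion:
    return lambda ctx: ctx.sepm_connected


def resolves_to(hostname: str, ip: str) -> Criterion:
    return lambda ctx: ctx.dns.get(hostname) == ip


@dataclass
class Location:
    name: str
    criteria: List[Criterion]  # ALL must hold (Boolean AND)
    policy: Dict[str, str]     # settings that apply at this location

    def matches(self, ctx: NetworkContext) -> bool:
        return all(c(ctx) for c in self.criteria)


# Constructed locations; evaluated in order, first match wins, Travel is the catch-all.
OFFICE = Location("Office",
                  [gateway_mac_is("00:11:22:33:44:55"), connected_to_sepm(),
                   resolves_to("intranet.example.internal", "10.20.30.40")],
                  {"firewall": "corporate", "liveupdate": "via SEPM"})
HOME = Location("Home", [gateway_mac_is("aa:bb:cc:dd:ee:ff")],
                {"firewall": "strict", "liveupdate": "via Internet"})
TRAVEL = Location("Travel", [], {"firewall": "strictest", "liveupdate": "via Internet"})
LOCATIONS = [OFFICE, HOME, TRAVEL]


def determine_location(ctx: NetworkContext, locations: List[Location] = LOCATIONS) -> Location:
    for loc in locations:
        if loc.matches(ctx):
            return loc
    return locations[-1]


def applied_policy(ctx: NetworkContext) -> Dict[str, str]:
    return determine_location(ctx).policy


# Constructed contexts
IN_OFFICE = NetworkContext("00:11:22:33:44:55", True, {"intranet.example.internal": "10.20.30.40"})
SPOOFED_MAC_ONLY = NetworkContext("00:11:22:33:44:55", False, {})  # MAC matches, nothing else does
AT_HOME = NetworkContext("aa:bb:cc:dd:ee:ff", False, {})

if __name__ == "__main__":
    for label, ctx in [("office", IN_OFFICE), ("spoofed", SPOOFED_MAC_ONLY), ("home", AT_HOME)]:
        loc = determine_location(ctx)
        print(f"{label:8} -> {loc.name:6} firewall={loc.policy['firewall']}")
```

Because every Office criterion must hold, a host that merely presents the office gateway MAC but cannot reach SEPM and cannot resolve the intranet name falls through to the most restrictive Travel policy rather than the corporate one.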
Reporting
• Three views: Dashboard (overview), Monitors (tables and logs), Reports (graphs)
• Exports: CSV, MHTML (alerts)
• Actionable reports: launch scan, update, and remediate
• Alerts: console, email
Alerting and scheduled reports
• Email or console
• Preconfigured conditions
• You can create your own alerts for a selected number of events
• An alert equals live data that can change over time
• A scheduled report equals static data at a given point
Active Directory integration
• Organizational unit synchronization (OU import): client grouping matching Active Directory; no support for Active Directory groups
• Console login SSO (user mapping): the password changes when the Windows account changes
Domains
• Can separate entities while using the same management server.
• Separate: policies, group structure, reporting and alerting settings
• Mostly used by service providers or large environments with multiple IT teams
Domain A and Domain B run under one SEP Manager, each with its own policies (Virus & Spyware Protection, Firewall, IPS, Application & Device Control (System Lockdown), LiveUpdate, Host Integrity).
Account delegation
Console with multiple access levels:
• System Admin has access to all settings.
• Domain Admin has access to settings for a single domain.
• Limited Admin has limited access to some settings for a single domain.
Product Integration
Symantec Endpoint Protection integration: threat detection, advanced reporting, Managed Services Agent, Syslog Server
• IT Analytics
• Managed Security Services (network security, endpoint security, security intelligence, threat experts)
MSS overview: automated triage workflow. Rapid Response | Operational Efficiency | Attack Visibility
IT Analytics benefits: historical log retention, customized reporting, key performance indicators, granular log analysis
Syslog
• SEPM can send events to a Syslog server.
• Events can be parsed to generate alerts and tickets with third-party event management solutions.
Extend SEP capabilities with the SEPM API Service
RESTful API built into SEPM to enable programmatic integration with SEP
Customer benefit:
• Orchestrate/automate SEPM functionality from other applications and scripts
• Connect SEP to 3rd-party platforms for control- or network-plane integration with the endpoint
Symantec Endpoint Protection Manager: Client Management, Reports & Analytics, Policy Control, Application & Device Control, REST APIs
SEP 14 APIs:
• Login to and logout of SEPM
• Obtain a list of groups
• Assign a fingerprint list to a group for system lockdown
• Retrieve the Symantec Endpoint Protection Manager version information
• Add or delete a blacklist as a file fingerprint list
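An added Python client (not Symantec code) exercising the API calls listed above in one flow: authenticate, read the version and groups, build a file fingerprint list from MD5 hashes, assign it to a group for system lockdown, and log out. The endpoint paths, JSON field names and the bearer-token scheme are assumptions recalled from the SEPM 14 REST API and must be verified against your own SEPM's API documentation before use; the transport is injectable, and the `FakeSepm` class, server name, credentials, ids and file contents are all constructed so the flow runs offline.

```python
"""Minimal SEPM REST client for the calls on the slide. Endpoint paths and
payload fields are ASSUMPTIONS to verify against your SEPM's API docs."""
import hashlib
import json
import urllib.request
from typing import Any, Callable, Dict, List, Optional, Tuple

Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, Any]]


def urllib_transport(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Tuple[int, Any]:
    """Real HTTPS transport; relies on the default certificate verification of urllib."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


class SepmClient:
    def __init__(self, base_url: str, transport: Transport = urllib_transport) -> None:
        self.base_url = base_url.rstrip("/")
        self.token: Optional[str] = None
        self._send = transport

    def _call(self, method: str, path: str, payload: Any = None) -> Any:
        headers = {"Content-Type": "application/json", "Accept": "application/json"}
        if self.token:
            headers["Authorization"] = "Bearer " + self.token  # assumed scheme
        body = json.dumps(payload).encode() if payload is not None else None
        status, data = self._send(method, self.base_url + path, headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} failed with HTTP {status}")
        return data

    def login(self, username: str, password: str, domain: str = "") -> None:
        data = self._call("POST", "/sepm/api/v1/identity/authenticate",
                          {"username": username, "password": password, "domain": domain})
        self.token = data["token"]

    def logout(self) -> None:
        self._call("POST", "/sepm/api/v1/identity/logout")
        self.token = None

    def version(self) -> Any:
        return self._call("GET", "/sepm/api/v1/version")

    def groups(self) -> Any:
        return self._call("GET", "/sepm/api/v1/groups")

    def create_fingerprint_list(self, name: str, domain_id: str, md5s: List[str]) -> Any:
        return self._call("POST", "/sepm/api/v1/policy-objects/fingerprints",
                          {"name": name, "domainId": domain_id, "hashType": "MD5", "data": md5s})

    def assign_lockdown_list(self, group_id: str, fingerprint_id: str) -> Any:
        return self._call("PUT", f"/sepm/api/v1/groups/{group_id}/system-lockdown/fingerprints/{fingerprint_id}")


def md5_fingerprints(files: Dict[str, bytes]) -> List[str]:
    """File fingerprint lists carry MD5 hashes of the executables."""
    return [hashlib.md5(content).hexdigest() for content in files.values()]


class FakeSepm:
    """Constructed offline stand-in answering the assumed endpoints."""
    def __init__(self) -> None:
        self.fingerprint_lists: Dict[str, Any] = {}
        self.lockdown: Dict[str, str] = {}

    def __call__(self, method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Tuple[int, Any]:
        path = url.split("/sepm/api/v1", 1)[1]
        payload = json.loads(body) if body else None
        if path == "/identity/authenticate":
            return (200, {"token": "tok-1"}) if payload.get("password") == "s3cret" else (401, None)
        if headers.get("Authorization") != "Bearer tok-1":
            return 401, None  # every other call needs the session token
        if path == "/identity/logout":
            return 200, None
        if path == "/version":
            return 200, {"version": "14.0.0000"}  # constructed value
        if path == "/groups":
            return 200, {"content": [{"id": "g-1", "name": "My Company"}]}
        if path == "/policy-objects/fingerprints" and method == "POST":
            fid = f"fp-{len(self.fingerprint_lists) + 1}"
            self.fingerprint_lists[fid] = payload
            return 200, {"id": fid}
        if path.startswith("/groups/") and "/system-lockdown/fingerprints/" in path and method == "PUT":
            self.lockdown[path.split("/")[2]] = path.rsplit("/", 1)[1]
            return 200, None
        return 404, None


def run_flow(transport: Optional[Transport] = None) -> Dict[str, Any]:
    client = SepmClient("https://sepm.example.internal:8446", transport or FakeSepm())
    client.login("admin", "s3cret")
    version = client.version()["version"]
    group_id = client.groups()["content"][0]["id"]
    md5s = md5_fingerprints({"app.exe": b"constructed binary 1", "tool.exe": b"constructed binary 2"})
    list_id = client.create_fingerprint_list("approved-apps", "d-1", md5s)["id"]
    client.assign_lockdown_list(group_id, list_id)
    client.logout()
    return {"version": version, "group": group_id, "fingerprint_list": list_id,
            "md5_count": len(md5s), "token_cleared": client.token is None}


if __name__ == "__main__":
    print(run_flow())
```

Against a real manager, pass no transport (the urllib one is used) and the same calls go over HTTPS with the session token in the Authorization header; the wrong-password path raises because the client treats any 4xx as a failure rather than continuing without a token.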
Architecture Overview
Symantec Endpoint Protection 14.x architecture components: SEPM and SEPM console, GUP, LiveUpdate Server, and endpoints on Windows, Linux, Mac, Embedded and Virtual platforms. Flows: events and policy management, content updates, content distribution, protection and logs, Internet.
* SEPM can use an embedded database or MS SQL. MS SQL is recommended for larger organizations (1000+ endpoints).
Server architectures
Single site (<1000 endpoints)
• Small environments
• Simple to implement
• No failover
Single site with failover (>1000 endpoints)
• Medium to large environments
• Provides failover
• Requires two servers
• MS SQL backend recommended
Multiple sites (>50,000 endpoints)
• Very large environments
• Provides failover
• Provides site disaster redundancy
• Provides geographical administration delegation
• Requires two servers per site
• MS SQL backend mandatory
• Introduces delay in log visibility due to the replication schedule
Content distribution methods
SEPM
• Direct distribution to endpoints
• Central control of content update
Internet
• Rapid delivery
• Recommended for nomad users
• No central control of content used
GUP
• Reduces WAN usage
• Acts as a content proxy
• Recommended for scattered environments
• Any client can be a GUP
LiveUpdate Server
• Provides content validation scheduling
• Distributes content to non-Windows endpoints
Additional resources
Symantec Connect Forum
• Forums annotated by customers, staff, and partners
• Videos and tutorials
• Earn rewards
Education Services: a broad range of training solutions to help you get the most out of Symantec products.
• Achieve expected value for your products.
• Learn how Symantec products can solve your business problems today and tomorrow.
• Gain best-practice insight to keep your investments running smoothly long-term.
• For more information visit training.symantec.com
Symantec Education Services offers effective product training