Revolutionizing Endpoint Security Kevin Murray, Sr. Director, Endpoint Security September 27, 2007


Revolutionizing Endpoint Security

Kevin Murray, Sr. Director, Endpoint Security

September 27, 2007

Copyright © Symantec Corporation 2007

Agenda

1. Security 2.0

2. Trends at the Corporate Endpoint

3. Announcing…

4. A Complete Enterprise Security Solution

5. Call to Action!


Security 2.0

• New technologies are changing the way we communicate

– Businesses are sharing information across their extended enterprises and engaging in more complex electronic interactions

• New technologies are also introducing new security risks

– No longer focused on just the device – it’s about the information and interactions

– Phishing, ID theft, malicious users and non-compliance are all risks

– Must keep the threats out, and ensure the information stays inside

• Symantec is bringing together an ecosystem of products, services and partners that help create a safe and connected world

• Symantec’s mission is to deliver solutions that protect customers’ connected experiences


Security 2.0: The Facts

fear of eavesdropping

fear of online fraud

14% stopped paying bills online

53% stopped giving out personal information

Sources: Gartner; Cyber Security Industry Alliance, June 2005


Protecting Information

• External Threats Such As Viruses, Spyware & Crimeware

– Exploiting System Vulnerabilities

• Internal Threats Such As Data Theft and Data Leakage

– Exploit Lack Of Supervision For Corporate Information Flow

• Non-Compliance With Policies Or Regulations (SOX, FISMA, etc)

– Lack Of Adequate Controls Or Evidence Collection


Endpoint Security & Information Foundation

Information Risk Management

Endpoint Security

Cell Phone, Laptop, Desktop, File Server, Application Server, Messaging Server, Database Server

• Provides A Real Time Defense Against Malicious Activity


A Complete Enterprise Security Strategy

Policy Management

Event & Log Management, Information Management, Vulnerability Management

Information Risk Management

Endpoint Security

Cell Phone, Laptop, Desktop, File Server, Application Server, Messaging Server, Database Server

Security Management


Endpoint Security


Business Problems at the Endpoint

Source: Infonetics Research - The Cost of Network Security Attacks: North America 2007

• Growing number of known and unknown threats

– Stealth-based and silent attacks are increasing, so there is a need for antivirus to do much more

• Endpoint management costs are increasing

– Cost of downtime impacts both productivity and revenue, productivity hit largest in enterprise

– Costs to acquire, manage and administer point products are increasing, as well as the demand on system resources

• Complexity is increasing as well

– The complexity and manpower needed to manage disparate endpoint protection technologies make it inefficient and time consuming

Number of Zero Day threats


What do these bars signify?


Causes of Sensitive Data Loss

The leading causes of sensitive data loss:

– User error3

– Violations of policy12

– Internet threats, attacks and hacks8

ITPolicyCompliance.com, “Taking Action to Protect Sensitive Data”, Feb. 2007


As Threat Landscape Changes, Technology Must as Well

• From Hackers & Spies…To Thieves

Silent

Overwhelming Variants

Highly Targeted

Few, Named Variants

Indiscriminate

Noisy & Visible

Moving from Disrupting Operations To Damaging Trust and Reputations


Protection From External Malicious Threats

• Protection Starts At The Corporate Endpoint

– Broad Range Of Client Devices: Laptop, Desktop, Cell Phone

– Broad Range Of Threats: Virus, Worms, Spyware … Crimeware

Windows Smartphone, Symbian Device, Laptop PC, Desktop PC

Crimeware, Spyware, Worm, Virus


Is Endpoint Protection Enough Protection?

“What Are The Most Common Sources Of Automated Internet Worm Attacks?”

Employee Laptop: 43%

Internet Through Firewall: 39%

Non-Employee Laptop: 34%

VPN Home System: 27%

Don’t Know: 8%

Other: 8%

Source: Enterprise Strategy Group, January 2005 ESG Research Report, Network Security And Intrusion Prevention


The Need for Complete Endpoint Security: Endpoint Protection + Endpoint Compliance

Compliance

Endpoint Security Policy Status

• Patch Updated

• Service Pack Updated

• Personal Firewall On

• Antivirus Signature Updated

• Antivirus On

Protection

• Worms

• Unknown Attacks

• ID Theft

• Viruses


Symantec Endpoint Compliance Process

IT Policy

Step 1: Endpoint Attaches to Network, Configuration Is Determined

Step 2: Compliance of Configuration Against Policy Is Checked

Step 3: Take Action Based on Outcome of Policy Check (Patch, Quarantine, Virtual Desktop)

Step 4: Monitor Endpoint to Ensure Ongoing Compliance


Symantec Network Access Control

• Choose quarantine, remediation or federated access

– Enforce policy before access is granted

– Execute updates, programs, services, etc

– Limit connection to VLAN, etc

• Broadest enforcement options of any vendor

– Remote connectivity (IPSec, SSL VPN)

– LAN-based, DHCP, Appliance

– Standards-based, CNAC, MSNAP

Ensures endpoints are protected and compliant prior to accessing network resources


Web-based Applications

Thin Client/Server Applications

Traditional Client/Server Applications

Traveling Executives

Public Kiosk

File Share

Partner Extranet

Symantec On-Demand Protection

• Ideal for use with:

– Outlook Web Access (OWA)

– Web-enabled applications

• Most complete On-Demand security solution

– Virtual Desktop

– Malicious Code Prevention

– Cache Cleaner

– Mini personal firewall

– Host Integrity

– Adaptive Policies

Layered security technology solution for unmanaged endpoints


Network Access Control + On-Demand Protection

• Complete endpoint compliance regardless of network access method

– Managed Devices: laptops, mobile phones

– Unmanaged Devices: Guest, contractor, partners, kiosks

OWA, Kiosk, Partner, Temp

Windows Smartphone, Symbian Device, Laptop PC, Desktop PC


Today’s Endpoint Problems Addressed by Too Many Technologies…

Endpoint Exposures: Network Connection; Operating System; Memory/Processes; Applications; I/O Devices; Data & File System

• Worms, exploits & attacks

• Viruses, Trojans, malware & spyware

• Malware, Rootkits, day-zero vulnerabilities

• Buffer Overflow, process injection, key logging

• Zero-hour attacks, Malware, Trojans, application injection

• Slurping, IP theft, malware

Always on, always up-to-date

Protection Technology: Antivirus; Antispyware; Client Firewall; O/S Protection; Buffer overflow & exploit protection; Anti crimeware; Device controls; Network IPS; Host integrity & remediation


…even from Symantec

Endpoint Exposures: Network Connection; Operating System; Memory/Processes; Applications; I/O Devices; Data & File System

• Worms, exploits & attacks

• Viruses, Trojans, malware & spyware

• Malware, Rootkits, day-zero vulnerabilities

• Buffer Overflow, process injection, key logging

• Zero-hour attacks, Malware, Trojans, application injection

• Slurping, IP theft, malware

Always on, always up-to-date

Protection Technology: Antivirus; Antispyware; Client Firewall; O/S Protection; Buffer overflow & exploit protection; Anti crimeware; Device controls; Network IPS; Host integrity & remediation

Symantec Solution: Symantec AntiVirus; Symantec Confidence Online; Symantec Sygate Enterprise Protection; Symantec Network Access Control


Ingredients for Endpoint Protection

Antivirus

AntiVirus

• World’s leading AV solution

• Most (33) consecutive VB100 Awards

Virus Bulletin – Aug 2007


Ingredients for Endpoint Protection

Antivirus

Antispyware

Antispyware

• Best rootkit detection and removal

• Raw Disk Scan (VxMS) = superior rootkit protection

Source: Thompson Cyber Security Labs, August 2006


Ingredients for Endpoint Protection

Antivirus

Antispyware

Firewall

Firewall

• Industry leading endpoint firewall technology

• Gartner MQ “Leader” – 4 consecutive years

• Rules based FW can dynamically adjust port settings to block threats from spreading


Ingredients for Endpoint Protection

Antivirus

Antispyware

Firewall

Intrusion Prevention

Intrusion Prevention

• Combines NIPS (network) and HIPS (host)

• Generic Exploit Blocking (GEB) – one signature to proactively protect against all variants

• Granular application access control

• Proactive Threat Scan (TruScan™) – Very low (0.004%) false positive rate

• Detects 1,000 new threats/month not detected by leading AV engines

No False Alarm

False Alarms

25M Installations

Only 50 False Positives for every 1 Million PCs


Intrusion Prevention System (IPS)

Combined technologies offer best defense

(N)IPS: Network IPS

(H)IPS: Host IPS

• Application Control: Rules-based (System lockdown by controlling an application’s ability to read, write, execute and network connections)

• Proactive Threat Scan: Behavior-based (Whole Security – TruScan™)

• Deep packet inspection: Signature-based (Can create custom sigs, SNORT-like)

• Generic Exploit Blocking: Vulnerability-based (Sigs for vulnerability)


Ingredients for Endpoint Protection

Antivirus

Antispyware

Firewall

Intrusion Prevention

Device Control

Device Control

• Prevents data leakage

• Restrict Access to devices (USB keys, Back-up drives)

• W32.SillyFDC (May 2007)

W32.SillyFDC

• targets removable memory sticks

• spreads by copying itself onto removable drives such as USB memory sticks

• automatically runs when the device is next connected to a computer


Ingredients for Endpoint Compliance

Antivirus

Antispyware

Firewall

Intrusion Prevention

Device Control

Network Access Control

Network Access Control

• Network access control – ready

• Agent is included, no extra agent deployment

• Simply license SNAC Enforcement


Introducing…

Antivirus

Antispyware

Firewall

Intrusion Prevention

Device Control

Network Access Control

Symantec Network Access Control 11.0

Symantec Endpoint Protection 11.0


Single Agent, Single Console

Results:

Reduced Cost, Complexity & Risk Exposure

Increased Protection, Control & Manageability

Symantec Network Access Control 11.0

Symantec Endpoint Protection 11.0


Beta Customer Value Data

• Single console

– Customers who participated reduced man-hours by 75%

• Security Related Reporting

– One customer expects to save 97% of the man hours on weekly security related reporting

• Application Control

– One customer:

• anticipates a 50% reduction in calls to the support center

• and the avoidance of re-imaging over 100 PCs per week

• Recovering over 600 man hours a week from analyst and technicians’ time.

– Another:

• anticipates recovering over $2.0 million from network outages caused by unauthorized peer to peer applications


Memory Footprint Comparison (using final shipping product)

Average of 80% reduction in memory usage requirements

Product Baseline Memory Usage

Symantec AntiVirus Corporate Edition 62 MB

Symantec Client Security 129 MB

Symantec AntiVirus + Symantec Sygate Enterprise Protection 72 MB

McAfee Total Protection SMB 71 MB

Trend Micro OfficeScan Client/Server 50 MB

Symantec Endpoint Protection 11.0 24 MB!


Dispelling Myths

Average of 80% reduction in memory usage requirements

Symantec Endpoint Protection Component Processes in Memory

Baseline Memory Usage

Smc.exe 8,464 kb

SmcGui.exe 5,640 kb

ccSvcHost.exe 5,532 kb

RtvScan.exe 2,936 kb

ccApp.exe 0,746 kb

Total 24,218 kb


Symantec Endpoint Protection

Unmatched Protection

Simple

Seamless

Secure

• Single agent

• Single console

• Single license

• Single support program

• Unmatched combination of technologies

• Much more than antivirus

• Backed by the industry standard Symantec Global Intelligence Network

• Fits into your network

• Easily configurable, use only what you need

• Combines essential Protection and compliance functions


New Client User Interface

Client User Interface (UI)

• Client UI focused on ease-of-use for end-users

• Enable users to quickly view settings and navigate


How do we Increase Protection, Control and Manageability?

• Protection

– Much more than traditional Antivirus by including “advanced” technologies right in the core agent

– Combines world-class endpoint technologies

• Control

– Ensures Network access is secure, regardless of access method: employee, guest, contractors, auditors

• Manageability

– Scalable multi-server architecture

– Based on world-class Sygate managed firewall


Enterprise Grade Management Console

Management Console

• Role Based access

• Hierarchical views

• Integration with Active Directory


Reporting

Comprehensive Reporting

• 50+ canned reports

• Customizable Dashboard

• Monitors


Migration Made Easy – Replace, Deploy, Configure

Deployment & Uninstall

• Deploy and Configure with Altiris CMS

• Uninstall, run other tasks, i.e., backup


Migration Assistance online


Summary of Endpoint Packages

• Individual products:

– Symantec™ Endpoint Protection 11.0

– Symantec™ Network Access Control 11.0

– Symantec™ Network Access Control Starter Edition 11.0

• Bundles / multi-product packages:

– Symantec™ Multi-tier Protection 11.0

– Symantec™ Endpoint Protection Small Business Edition 11.0

Available September 27, 2007!


Entitlement Summary

If Customer Owns (any):

• Symantec AntiVirus Corporate Edition

• Symantec Client Security

• Confidence Online for Corporate PC’s (Whole Security)

• Symantec Sygate Enterprise Protection

• Symantec AntiVirus Enterprise Edition

• Symantec AntiVirus with Groupware Protection

• Symantec Client Security with Groupware Protection

• Symantec Network Access Control (LAN and/or DHCP)

• Symantec Network Access Control (Gateway and/or CNAC)

• Symantec Sygate Enterprise Protection (with Self Enforcement)

They Get:

Symantec Endpoint Protection 11.0

Symantec Multi-tier Protection 11.0

Symantec Endpoint Protection Small Business Edition 11.0

Symantec Network Access Control 11.0

Symantec Network Access Control Starter Edition 11.0


Redefining Endpoint Security

Solution: Symantec Endpoint Security

Endpoint Protection

Key Products: Symantec Endpoint Protection 11.0

Definition: Endpoint Protection proactively protects laptops, desktops and servers from known and unknown malware such as viruses, worms, Trojans, spyware, adware and rootkits by combining these capabilities:

• Antivirus

• Antispyware

• Desktop firewall

• Intrusion Prevention (Host & Network)

• Device & Application Control

Endpoint Compliance

Key Products: Symantec Network Access Control 11.0

Also available in a Starter Edition

Definition: Endpoint Compliance securely controls entry into networks

• Ongoing endpoint integrity checking

• Centralized endpoint compliance policy management

• Automated remediation

• Host based enforcement of access policies

• Monitor and report

• System configuration checking, remediation & enforcement

Other Products: Symantec Mobile Security; Symantec Critical System Protection; Symantec On-Demand Protection (for OWA & Web Apps)

* SNAC-ready out of the box


But, what about…?

Endpoint Exposures: Network Connection; Operating System; Memory/Processes; Applications; I/O Devices; Data & File System

• Worms, exploits & attacks

• Viruses, Trojans, malware & spyware

• Malware, Rootkits, day-zero vulnerabilities

• Buffer Overflow, process injection, key logging

• Zero-hour attacks, Malware, Trojans, application injection

• Slurping, IP theft, malware

Always on, always up-to-date

Protection Technology: Antivirus; Antispyware; Client Firewall; O/S Protection; Buffer overflow & exploit protection; Anti crimeware; Device controls; Network IPS; Host integrity & remediation

Symantec Solution: Symantec AntiVirus; Symantec Confidence Online; Symantec Sygate Enterprise Protection; Symantec Network Access Control

Symantec Endpoint Protection 11.0 & Symantec Network Access Control 11.0

Microsoft Solution: Forefront Client Security + Vista; Windows Firewall; MSRT; Microsoft NAP*

* Future


A Complete Security Portfolio for Organizations of Any Size

Symantec Enterprise Security

Enterprise (100 +)

• Endpoint Security: Symantec Multi-tier Protection; Symantec Endpoint Protection; Symantec Critical System Protection; Symantec Mobile Security Suite; Symantec Network Access Control; Symantec On-Demand Protection

• Information Risk Management: Symantec Mail Security; Symantec Enterprise Vault; Symantec Database Security & Audit

• Security Management: Symantec Managed Security Services; Symantec DeepSight Threat Management System; Symantec Security Information Manager

Small Business (10-100)

• Endpoint Security: Symantec Endpoint Protection Small Business Edition; Symantec Endpoint Protection Starter Edition; Symantec Network Access Control Starter Edition; Symantec Mobile Security Suite

• Information Risk Management: Symantec Mail Security for Microsoft Exchange; Symantec Enterprise Vault

• Security Management: Symantec Managed Security Services; Symantec DeepSight Threat Management System; Symantec Security Information Manager


Symantec™ Global Intelligence Network

Hundreds of MSS customers

Millions of security alerts per month

Millions of threat reports per month

200,000 malware submissions per month

Twyford, England

Munich, Germany

Alexandria, VA

Sydney, Australia

Redwood City, CA

Santa Monica, CA

Calgary, Canada

San Francisco, CA

Dublin, Ireland

Pune, India

Taipei, Taiwan

Tokyo, Japan

>6,200 Managed Security Devices + 120 Million Systems Worldwide + 30% of World’s email Traffic + Advanced Honeypot Network

4 Symantec SOCs + 74 Symantec Monitored Countries + 40,000+ Registered Sensors in 180+ Countries + 8 Symantec Security Response Centers


For More Information…

www.symantec.com/endpointsecurity


Thank You!

www.symantec.com

Kevin Murray

[email protected]

(408) 517-8532

Copyright © 2007 Symantec Corporation. All rights reserved.  Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries.  Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising.  All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law.  The information in this document is subject to change without notice.


Other areas to cover as optional


Servers Are Endpoints Too

• Data Center Servers Are Exposed To A Broad Range Of Threats

– Malicious Code… Malicious Users

File Server, Email Server, Application Server, Database Server

Loose Privileges, System Devices, Buffer Overflow, Back Door


Symantec Critical System Protection 5.1

• Eliminates The Broadest Range Of Malicious Server Threats

• Runs On The Broadest Range Of Operating Systems

File Server, Email Server, Application Server, Database Server

Loose Privileges, System Devices, Buffer Overflow, Back Door


Symantec Critical System Protection 5.1

Multi-layer protection for critical systems

Symantec Critical System Protection

Exploit Prevention

• Restrict apps & O/S behaviors

• Protect systems from buffer overflow

• Intrusion prevention for day-zero attacks

Auditing & Alerting

• Monitor logs, system settings & user auth for security events

• Consolidate & forward logs for archival

• Smart event response for quick action

Network Protection

• Close back doors (block ports)

• Limit network connectivity by application

• Restrict traffic flow inbound and outbound

System Controls

• Lock down configuration & settings

• Enforce security policy

• De-escalate user privileges

• Prevent removable media use


Endpoint Protection + Critical System Protection

Symantec Client Security

Symantec Critical System Protection

• Securing Endpoints provides an essential “Security Foundation”

– Protects against broadest array of exposures

Endpoint Security

Cell Phone, Laptop, Desktop, File Server, Application Server, Messaging Server, Database Server


Symantec Mobile Security Suite 5.0 for Windows Mobile

– Security

• Antivirus, Firewall, anti-spam, network access control, phone feature control, tamper protection and (optional) VPN

• Smart phones and PCs use the same LiveUpdate infrastructure

– Data Protection

• Password Protection, Data Encryption, Data Activity Log

• Offers a range of responses to match varying risk tolerance

• Activity Log… peace-of-mind and a possible option for regulatory compliance without the overhead of encryption

– Management Console for managing the mobile endpoint

• Recommend leveraging a mobile device management provider (Sybase, Nokia Intellisync, mFormation…)

Bringing PC-level security to the hacker’s next destination

• The Symantec Suite… Simple and Complete


Version Upgrade Process

Symantec is committed to providing customers and channel partners with an enhanced and simplified version upgrade process.

1. Customers eligible for upgrade will automatically receive an e-mail notification.

2. Customers can then download their software directly from File Connect, using the serial number provided.

fileconnect.symantec.com

Customers can also visit Symantec’s improved Licensing Portal that delivers multi-function capabilities in one easy to navigate portal.

licensing.symantec.com

(serial and/or account number required)


Benefits of Entitlement Program

• Why this is a great deal for customers:

– Customers who buy Symantec AntiVirus Corporate Edition today are entitled to receive Symantec Endpoint Protection 11.0 on September 27, 2007*

– Customers will be getting a lot more than what they initially purchased:

• Existing Symantec AntiVirus/Symantec Client Security customers will be entitled to Symantec Endpoint Protection. This gives them (a) new market leading firewall (b) IPS – WholeSecurity proactive behavioral protection (c) device control and application control (d) Option to enable SNAC (SNAC-ready)

• Existing Symantec Sygate Enterprise Protection (Sygate desktop firewall) customers will be entitled to Symantec Endpoint Protection 11.0. This gives them (a) market leading antivirus and antispyware (b) IPS – WholeSecurity proactive behavioral protection (c) Option to enable SNAC (SNAC-ready)

– With this entitlement program, Symantec provides customers with the next generation of endpoint security that redefines what is required for complete protection

* See previous slide for exact product entitlement mapping