#SymVisionEmea
Targeted Attack: Symantec enhanced protection Vision and integration with Next-Gen Firewall
Hervé Doreau – Security Practice Manager
Graham Ahearne – MSS-ATP Product Manager
SYMANTEC VISION SYMPOSIUM 2014

Disclaimer: Any information regarding pre-release Symantec offerings, future updates or other planned modifications is subject to ongoing evaluation by Symantec and therefore subject to change. This information is provided without warranty of any kind, express or implied. Customers who purchase Symantec offerings should make their purchase decision based upon features that are currently available.
Agenda
1. Key Challenges and Focus Areas
2. Integrating with Next Gen Firewall
3. Advanced Threat Protection
4. Roadmap
Customer Challenges

Realization: breach is inevitable, so customer needs shift from protection only to protection plus detection and response. Mapped to Identify / Protect / Detect / Respond / Recover:

Identify: understanding where important data is
Protect: stopping incoming attacks
Detect: finding incursions
Respond: containing and remediating problems
Recover: restoring operations

Protection only → Protection + Detection & Response
Symantec Offers Great Proactive Protection Today

Across Endpoint Protection, Web Security and Email Security, backed by the Symantec Global Intelligence Network (intelligence sharing):

Insight
• File reputation
• World’s largest, with intelligence on over 8 billion

SONAR
• Behavioral analysis
• Analyzes over 1400 behaviors

Skeptic™
• Advanced spear phishing heuristics
• 100% unknown virus SLA

Disarm
• Spear phishing attachment sanitization
• 95%+ effectiveness

IPS
• Prevents exploits
• Blocks command and control communication

Real Time Link Following
• Real-time blocking
• Follows URL to true destination with Skeptic malware analysis
Solving the Challenges: Advanced Threat Protection with Cynic™

• Designed to draw out VM-aware malware
• Instrumented to simulate user behaviors to drive malware to execute
• Observes user-mode and kernel-mode behaviors (e.g. a file tries to install a driver); SONAR behavioral scoring
• Cloud-based service enables elastic, fast adaptation to changing malware analysis demands and on-demand queries
• Supported inputs: Portable Executables, PDF, Office documents, Java files, containers
Today’s Approach: manual correlation & remediation

Two teams are involved: the Network Security Group (owning the network sandbox, NetSec VX) and the Endpoint Security Group (owning Symantec Endpoint Protection Manager).
1. Network security technology detects suspected malware.
2. By hand, analysts then:
   • determine whether the malware is known and whether SEP has blocked it
   • verify whether endpoints are compromised
   • determine if / where the infection has spread
3. Endpoint actions are initiated through Symantec Endpoint Protection Manager (clean, block, quarantine, gather forensics, …) and corrective actions are launched.
Solving the Challenges: Advanced Threat Protection with Synapse

Synapse correlates events across the solution: Email.cloud, the Gateway and SEP each send events to the Symantec Cloud, where they are joined.
• Provides meaningful prioritization for incident responders, saving time
• Closes the loop from the network event to the target machine or user
• Supplies event context: whether the endpoint is managed, whether the file was blocked on that endpoint, IOCs, other Email.cloud recipients, shared bad files, senders and URLs across the environment
Symantec Advanced Threat Protection

Symantec introduces new advanced threat detection and response capabilities, unifying security across the endpoint, email and gateway, helping organizations achieve better protection and drive down security OpEx. The portfolio comprises:
• MSS – Advanced Threat Protection
• Advanced Threat Protection Solution
• Incident Response
• Managed Adversary Services
Integrating across Network and Endpoint
Efficient detection requires integration across network and endpoint: Symantec Endpoint Protection and network-based advanced threat detection are joined by MSS Advanced Threat Protection.
Managed Security Services: Advanced Threat Protection

Integration of Network Security, Endpoint Security, Security Intelligence, Threat Experts and Automated Triage Workflows.
Rapid Response | Operational Efficiency | Attack Visibility
Detecting the Unknown: network-based threat analysis and protection

Partner gateway detections that feed MSS-ATP:
• WildFire (Palo Alto Networks): VX scan confirms file malicious
• AMP (Cisco/Sourcefire): Advanced Malware Protection file match
• Threat Emulation Service (Check Point): VX scan confirms file malicious
• Infected client communications (anti-bot)
• Suspect file sent for virtual execution
Rapid Assessment of Advanced Threats: Release 1 (H1 CY2014)

Components: Network Adv. Threat Detection (Virt Exec), Symantec Endpoint Protection, Symantec Managed Security Services and the Symantec Global Intelligence Network.

The Global Intelligence Network contributes:
• File reputation
• Origin intelligence
• Threat behaviour (VX)
• Threat info (multi-source)
Scale: billions of files (20 million new each week), 150 million endpoints, 240,000 sensors across 200 countries.

Flow: the network detection raises an INCIDENT carrying the file fingerprint; MSS checks it against endpoint and intelligence data and returns the outcome (here: Protected) together with mitigation guidance.
Increased Efficacy of Threat Investigations

[Figure: three views of the "Potential Threat List" built from network sources. With the network alone, every entry reads "Malicious File Downloaded". Adding SEP recognition reclassifies roughly half of them as "Malware Download, Endpoint Protected". Adding file reputation leaves only three entries (labelled FILE A, FILE B) as "Malicious File Downloaded" needing investigation; the rest are "Malware Download, Endpoint Protected".]
MSS ATP Demo
MSS-ATP Accelerates Detection and Response (TOMORROW): automated correlation & remediation

1. Network security technology detects suspected malware and alerts MSS-ATP.
2. MSS-ATP analyzes the endpoints to:
   • determine whether the malware is known and whether SEP has blocked it
   • verify whether endpoints are compromised
   • understand if / where the infection has spread
   • identify the malware and block the IP address
3. MSS-ATP initiates endpoint actions through Symantec Endpoint Protection Manager (clean, block, quarantine, gather forensics).
Release 2 (coming soon): Increased Visibility and Directed Response

Same components as Release 1 (Network Adv. Threat Detection with Virt Exec, Symantec Endpoint Protection, Symantec Managed Security Services, and the Symantec Global Intelligence Network with file reputation, origin intelligence, threat behaviour (VX) and multi-source threat info), plus Adversary & Threat Intelligence.

When the initial outcome is Not Protected, the INCIDENT (fingerprint, mitigation guidance) drives a directed RESPONSE:
• Malware clean
• Network containment
• Search for file hash
• Search for IOCs
• Increased security policy based on specific IP/app/user
• Quarantine endpoint
OUTCOME: Protected
Solving the Challenges: Advanced Threat Protection Roadmap
Advanced Threat Protection Solution Overview

Products
• Endpoint Security: Advanced Threat Protection: new endpoint security add-on
• Gateway Security: Threat Defense: new gateway; includes integration with Cynic™ & Synapse
• Email Security: Advanced Threat Protection: new email security add-on

Each provides:
• Better ability to identify advanced threats and targeted attacks
• Increased visibility into scope of attack & forensic info
• Global context that aids prioritization for fast response

Technologies
• Symantec Cynic™: new cloud-based, multi-platform sandbox environment available to Gateway Security: ATP & Email Security.cloud. Simulates user behavior to remotely execute suspicious files, and combines behavioral analysis with global threat intelligence to return a verdict.
• Symantec Synapse: new technology that enables communication between Gateway Security: ATP, SEP and Email Security.cloud to share threat identification details and define events that require IT security attention. Provides meaningful prioritization for incident responders.
Use Case: Advanced Threat Protection Solution
Event Correlation & Prioritization Across Endpoint, Email & Gateway (Endpoint Protection, Email Security.cloud and the Advanced Threat Protection Solution, with the Customer Security Analyst at the end of the chain)

1. Initial event: at Gateway ATP, a Cynic™ detection of unique malware triggers the process.
2. Synapse checks whether the malware was detected by email.
3. If so, Email ATP provides forensic info concerning sender, subject, and other emails to the same user.
4. Synapse checks whether the malware infected the destination endpoint, or any other endpoint.
5. If so, Endpoint ATP provides forensic info across the endpoint ecosystem.
6. The analyst can prioritize and remediate within minutes, not weeks.

Faster Detection & Response = Better Protection & Lower Security OpEx
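The correlation loop described in the Synapse slide, the MSS-ATP "tomorrow" workflow and the six-step use case above, as an added example. This is illustrative code, not Symantec's: the record layouts, field names (sha256, dst_host, action, recipient), host names, addresses and the priority weights are all constructed assumptions.

```python
"""Illustrative Synapse-style correlation: join a gateway sandbox detection
to endpoint and email telemetry, classify it, and rank it for an analyst.
Added example, not Symantec code. Every record below is constructed sample
data and every field name is an assumption."""

from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed: a SHA-256 per sample file (repeated hex digits keep them readable).
FILE_A, FILE_B, FILE_C = "a" * 64, "b" * 64, "c" * 64

# Constructed: gateway detections (step 1 in the use case), one per download.
GATEWAY_DETECTIONS = [
    {"sha256": FILE_A, "dst_host": "ws-0142", "verdict": "malicious"},
    {"sha256": FILE_B, "dst_host": "ws-0142", "verdict": "malicious"},
    {"sha256": FILE_C, "dst_host": "lab-07",  "verdict": "malicious"},
    {"sha256": FILE_A, "dst_host": "ws-0199", "verdict": "malicious"},
    {"sha256": FILE_A, "dst_host": "ws-0199", "verdict": "malicious"},  # repeat download
]

# Constructed: what the endpoint manager knows (steps 4-5). lab-07 has no agent.
MANAGED_HOSTS = {"ws-0142", "ws-0199"}
ENDPOINT_EVENTS = [
    {"host": "ws-0142", "sha256": FILE_A, "action": "blocked"},
    {"host": "ws-0199", "sha256": FILE_A, "action": "blocked"},
    {"host": "ws-0142", "sha256": FILE_B, "action": "allowed"},   # it ran: not protected
]

# Constructed: email-security records for the same attachment hash (steps 2-3).
EMAIL_EVENTS = [
    {"recipient": "alice@corp.example", "sha256": FILE_B,
     "sender": "hr@attacker.invalid", "subject": "Payroll update"},
    {"recipient": "bob@corp.example", "sha256": FILE_B,
     "sender": "hr@attacker.invalid", "subject": "Payroll update"},
]


@dataclass
class Incident:
    sha256: str
    host: str
    status: str                      # "compromised" | "unknown" | "protected"
    spread_hosts: list = field(default_factory=list)
    email_recipients: list = field(default_factory=list)
    sender: Optional[str] = None

    @property
    def priority(self) -> int:
        # Unprotected execution outranks blind spots, which outrank blocked noise;
        # lateral spread and extra email recipients raise urgency further (assumed weights).
        base = {"compromised": 100, "unknown": 50, "protected": 0}[self.status]
        return base + 5 * len(self.spread_hosts) + 2 * len(self.email_recipients)


def endpoint_status(host, sha256, endpoint_events, managed_hosts):
    """Was the endpoint protected? An unmanaged host cannot answer, so it stays 'unknown'."""
    if host not in managed_hosts:
        return "unknown"
    actions = {e["action"] for e in endpoint_events
               if e["host"] == host and e["sha256"] == sha256}
    if "allowed" in actions:
        return "compromised"          # the file executed at least once
    if "blocked" in actions:
        return "protected"
    return "unknown"                  # managed, but no telemetry for this hash yet


def triage(detections, endpoint_events, managed_hosts, email_events):
    """Join every malicious gateway verdict to endpoint and email context by file hash."""
    hosts_by_hash = defaultdict(set)
    for e in endpoint_events:
        hosts_by_hash[e["sha256"]].add(e["host"])
    mail_by_hash = defaultdict(list)
    for m in email_events:
        mail_by_hash[m["sha256"]].append(m)

    incidents, seen = [], set()
    for d in detections:
        key = (d["sha256"], d["dst_host"])
        if d["verdict"] != "malicious" or key in seen:
            continue                  # collapse repeated downloads of one file to one host
        seen.add(key)
        mails = mail_by_hash[d["sha256"]]
        incidents.append(Incident(
            sha256=d["sha256"], host=d["dst_host"],
            status=endpoint_status(d["dst_host"], d["sha256"], endpoint_events, managed_hosts),
            spread_hosts=sorted(hosts_by_hash[d["sha256"]] - {d["dst_host"]}),
            email_recipients=sorted({m["recipient"] for m in mails}),
            sender=mails[0]["sender"] if mails else None,
        ))
    incidents.sort(key=lambda i: i.priority, reverse=True)   # stable: ties keep arrival order
    return incidents


def needs_attention(incidents):
    """The 'potential threat list' after suppression: drop 'endpoint protected' entries."""
    return [i for i in incidents if i.status != "protected"]


if __name__ == "__main__":
    for inc in triage(GATEWAY_DETECTIONS, ENDPOINT_EVENTS, MANAGED_HOSTS, EMAIL_EVENTS):
        print(inc.priority, inc.host, inc.sha256[:8], inc.status,
              inc.spread_hosts, inc.email_recipients, inc.sender)
```

With the sample data the host that actually ran the attachment (and whose two colleagues received the same mail) ranks first, the unmanaged lab host second (no agent means no answer, not a clean bill), and the two blocked downloads last; needs_attention() is the shrinking potential-threat list from the "Increased Efficacy" figure. Joining on the file hash is what lets one gateway verdict pull in other recipients and other hosts without a second sandbox run.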
Symantec Gateway Security: Threat Defense (SGSTD)

Sits between the Internet and the internal network, with feeds to Email & Endpoint (ESS, SEPM).
1. On-box inspection with proven technologies (blacklist). In-line = block; TAP mode = inspect only.
2. Asynchronous inspection: suspicious files are sent to Cynic™ for analysis.
3. Cynic™ assesses file behavior in multiple sandboxing VMs, up to and including bare-metal execution for VM-aware malware, and utilizes Skeptic and SONAR heuristics.
4. Behaviors are put in global context against Symantec intelligence data and correlated to email and endpoint events via Synapse.
5. A verdict and an actionable, richly detailed report on what Cynic™ observed is provided, prioritized contextually.
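The five-step pipeline above, modelled as an added example (not Symantec code) to show the one property that matters operationally: in the asynchronous stage the file is delivered before the verdict exists, so the gateway can only stop the next copy and has to hand the already-delivered copies to endpoint correlation. The inline/tap mode names, the sandbox stub and the byte marker it keys on are assumptions.

```python
"""Illustrative model of the Threat Defense inspection pipeline on the slide:
a synchronous on-box blacklist check, then asynchronous sandboxing whose
verdict arrives after the file has already been delivered.  Added example,
not Symantec code; mode names, the sandbox stub and the marker are assumptions."""

import hashlib
from collections import defaultdict

# Constructed stand-in for whatever a real sandbox would observe.
MALICIOUS_MARKER = b"<<constructed-malicious-marker>>"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fake_sandbox(data: bytes) -> str:
    """Stub for Cynic-style detonation: the constructed marker decides the verdict."""
    return "malicious" if MALICIOUS_MARKER in data else "clean"


class ThreatDefenseGateway:
    def __init__(self, mode="inline", blacklist=()):
        if mode not in ("inline", "tap"):
            raise ValueError("mode must be 'inline' (block) or 'tap' (inspect only)")
        self.mode = mode
        self.blacklist = set(blacklist)          # known-bad SHA-256 digests (step 1)
        self.pending = {}                        # sha256 -> bytes awaiting a verdict (step 2)
        self.delivered_to = defaultdict(list)    # sha256 -> hosts that already got the file
        self.log = []                            # (short hash, host, decision)

    def handle_download(self, data: bytes, dst_host: str) -> str:
        h = sha256(data)
        if h in self.blacklist:
            # Only an in-line deployment can drop the flow; TAP mode just raises an event.
            decision = "blocked" if self.mode == "inline" else "alerted"
            self.log.append((h[:8], dst_host, decision))
            return decision
        # Unknown file: deliver now, detonate later.  The copy is already on the host.
        self.delivered_to[h].append(dst_host)
        self.pending.setdefault(h, data)
        self.log.append((h[:8], dst_host, "delivered_pending_verdict"))
        return "delivered_pending_verdict"

    def process_pending(self):
        """Drain the sandbox queue (steps 3-5).  Returns, per malicious hash, the hosts
        that received the file before its verdict: the set endpoint correlation must chase."""
        exposed = {}
        for h, data in list(self.pending.items()):
            if fake_sandbox(data) == "malicious":
                self.blacklist.add(h)                # future copies are stopped on-box
                exposed[h] = list(self.delivered_to[h])
            del self.pending[h]
        return exposed


def demo(mode="inline"):
    """Two hosts fetch an unknown file before the verdict; a third fetches it after."""
    gw = ThreatDefenseGateway(mode=mode)
    payload = b"MZ" + b"\x00" * 16 + MALICIOUS_MARKER          # constructed sample file
    before = [gw.handle_download(payload, h) for h in ("ws-01", "ws-02")]
    exposed = gw.process_pending()
    after = gw.handle_download(payload, "ws-03")
    return before, exposed.get(sha256(payload), []), after


if __name__ == "__main__":
    print(demo("inline"))
    print(demo("tap"))
```

In inline mode the third download is blocked and in TAP mode it is only alerted on, but in both modes ws-01 and ws-02 already hold the file; that exposure list is the input the Synapse correlation needs, which is why a gateway verdict alone does not tell you whether you are protected.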
Symantec Endpoint Security: Advanced Threat Protection (SES: ATP)

Why SES: ATP? New product in development:
• Uses the scale of the SEP ecosystem (SEP Manager plus the SEP clients) to detect advanced threats
• Does this through Aggregate Endpoint Security, a “localised” version of Symantec’s big data vision
• Delivered as an on-prem virtual appliance; Cynic On-Demand and the GIN supply global context

Detect Accurately | Analyze Quickly | Respond with Confidence
Scope: Endpoint → Enterprise → Global
Solving the Challenges: Advanced Threat Protection with Email Security.cloud: Targeted Attack Reporting
• Improved visibility into protection: when is a customer targeted, who is targeted, how are they targeted?
• Better detection via Cynic™, leveraging Symantec’s global context
• A feed to the gateway for correlation means better response prioritization & lower cost
Symantec Gateway Security: Threat Defense: Demo (Preview)
Solving the Challenges: When can we get it?

New Advanced Threat Protection Summary
Components shown: Partner Network Security Gateways, Endpoint Protection, Email Security, Symantec Global Intelligence Network, Advanced Threat Protection Solution, MSS – Advanced Threat Protection, Managed Adversary Services and Incident Response, all feeding the Customer Security Analyst.
Availability shown: GA = June 2014; Beta = coming soon, with extended free trials; GA = Summer 2014; GA = Fall 2014.
Thank you!
Copyright © 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.