Symantec Advanced Threat Protection

Any information regarding pre-release Symantec
offerings, future updates or other planned modifications
is subject to ongoing evaluation by Symantec and
therefore subject to change.
This information is provided without warranty of any
kind, express or implied.
Customers who purchase Symantec offerings should
make their purchase decision based upon features that
are currently available.
Symantec Confidential. Subject to NDA
You see the results daily. How many go undetected and unreported?
• Total Data Breaches (January 2014 – December 2014): 312
• Total Identities Exposed (January 2014 – December 2014): 348 million
Three recent breaches:
Case 1:
• Unencrypted POS post-Target
• 5 months to detection
• 2 weeks to uncover
• Via vendor + 0-day vulnerability
• 56 million credit cards stolen
Case 2:
• Attackers wanted instant impact
• 4 unreleased movies
• 25GB, 33K files
• Disabled email, wifi
• Delayed paychecks
Case 3:
• 1 ½ months to detection
• 5 DB admins compromised
• 80 million medical records stolen
• Medical records 10 times more valuable than credit cards on black market
Even with the best prevention technologies, can you stop advanced persistent threats?
• PREPARE: Understanding where important data is & who can access it
• PREVENT: Stopping incoming attacks
• DETECT: Finding incursions
• RESPOND: Containing & remediating problems
• RECOVER: Restoring operations
While prevention is still very important... you need to prepare to be breached.
If you are breached, how fast can you detect, respond and recover?
Our Future: Symantec Advanced Threat Protection
Symantec Advanced Threat Protection components:
• Cloud Sandbox: physical & virtual detonation
• Correlation and Prioritization: detect once, find everywhere
• Investigation
• Remediation: block, clean, fix in real-time
Inputs: Global Intelligence and Exported Data; control points: Endpoint, Network, Email, 3rd Party
More Intelligence | Better Detection & Faster Response | Correlated Across Control Points | Integrated with Endpoint Protection
WHY IS SYMANTEC’S ADVANCED THREAT PROTECTION BETTER?
Unmatched Intelligence & Analytics
• Endpoints: 175M total, 120M enterprise, 12M server
• Email boxes: 850M total, 25M enterprise (SEG only)
• New focus areas: Threat analytics & adversary threat intelligence
Unparalleled Prevention
• Consistent leader in endpoint & email protection
Unequaled Detection (15% better according to early 3rd party tests)
• Complete coverage of control points: endpoint, email, and network
• And threat vectors: C2 callbacks, behavioral, reputation, exploits, …
• Complemented by new techniques: Cynic cloud payload detonation, Synapse correlation
Unbeatable Response
• Prioritize via correlation with the endpoint and enterprise context
• Investigate efficiently: Where is a threat? How did it get in?
• Contain the threat across the enterprise & remediate with one click
Delivered at the Lowest Security OpEx
• Integrated with Endpoint Protection & Email Security
• Cloud payload detonation
• A single console, a partner ecosystem, and an API driven approach
(Diagram: Global Intelligence and Exported Data feed Advanced Threat Protection, which detects, prioritizes, investigates and remediates across the Endpoint, Network, Email and 3rd party control points.)
ATP in Action: Suspicious File via Email
1. Email with suspicious file or URL arrives
2. ATP: Email flags the message as suspicious and sends the file to Cynic
3. Cynic convicts the file
4. A high priority event is raised (Synapse correlation across ATP: Email, ATP: Endpoint and ATP: Network)
5. Admin drills down to the Cynic conviction in the portal
6. Admin runs Power Eraser on infected endpoints
7. Admin can block the file at ATP Network, ATP Endpoint and ATP Email
Comprehensive Detection
Detection Pipeline
Technologies tested and proven on >200 M endpoints for faster, more accurate detection
• Blacklist, Whitelist: Blocks or allows per Symantec sourced blacklist and customer created whitelist
• Vantage: Blocks malware as it tries to spread over the network
• File: Scans and eradicates malware files that arrive on a system
• Insight: Determines the safety of files & websites using the “wisdom of the crowd” (analytics)
• Cynic: Malware analysis finds unknown malware that bypassed the pipeline
On Box technologies:
• C&C detections
• GIN
• Protocol aware IPS
• Antivirus Engine
• Vulnerability and Exploit blocking
• Auto Protect
• Malheur
Cloud technologies:
• Domain/IP Reputation
• File Reputation
• Android APK Reputation
• Various Windows, Office, Adobe versions
• Bare Metal for VM-evasive payloads
SYMANTEC CYNIC™ – NEW: CLOUD-BASED PAYLOAD DETONATION
• Broad coverage: Office docs, PDF, Java applets, containers, portable executables
• More Effective: Mimics human interaction in realistic environments, runs on virtual & bare metal
• Cloud Advantages: Innovative techniques such as malware clustering, and scales to meet demands
SYMANTEC SYNAPSE™ – NEW: CORRELATION AND PRIORITIZATION
• Effective Prioritization: Prioritizes high for active infection or low for blocked infection
• Forensic Investigation: Intelligent grouping for campaigns, threat evolution, and resolution
• Ease of Use: No new agents or complex SIEM rules, integrated console
Symantec Advanced Threat Protection: Network
(Diagram: network traffic between the Internet and endpoints passes through the SATP:N appliance for real-time inspection by Blacklist, Vantage, Insight and AV; suspicious files go to Cynic in the Symantec Cloud, which also draws on Mobile Insight and Symantec big data intelligence, and verdicts are correlated with Email & Endpoint (ESS, SEPM) via Synapse.)
1. On-box inspection with proven technologies. In-line = block; TAP-mode = inspect only
2. Asynchronous inspection of suspicious files sent to Cynic for analysis
3. Cynic assesses file behavior in multiple sandboxing VMs, up to and including bare metal execution for VM-aware malware, and utilizes Skeptic and SONAR heuristics
4. Behaviors are put in global context against Symantec Intelligence Data and correlated to email and endpoint events via Synapse
5. Verdict and an actionable, richly detailed report on what Cynic observed is provided, prioritized contextually
Output: Synapse correlation, conviction, actionable intelligence
Symantec Advanced Threat Protection: Endpoint
(Diagram: endpoints and users, the ATP Endpoint appliance, and the Internet.)
• Virtual Appliance: Scales to 60k endpoints
ATP Endpoint Detection Pipeline – Focuses on what SEP does not block
Agent (i.e. SEP 12.1):
• Insight, SONAR, File and Vantage automatically and continuously identify suspicious events and send them to ATP: Endpoint
Criterion (on the appliance):
• Machine learning component on the appliance reduces noise and prioritizes suspicious events received from all endpoints
• Evidence of compromise search
• Blacklisting & containment
Cynic (in the Symantec Cloud):
• Cynic and the body of evidence help move suspicious events to a state of high confidence
Symantec Advanced Threat Protection: Email
(Diagram: mail flows from the Internet through Email Security.cloud to the customer mail server or hosted mailbox provider and on to end-users.)
Email Security.cloud core service: Connection Process, Brightmail, Symantec AV, Skeptic, Real-time Link Following
ATP: Email adds Cynic – malware analysis finds unknown malware that bypassed the pipeline
• Various Windows, Office, Adobe versions
• Bare metal for VM-evasive payloads
ATP: Email R1 (Summer 2015)
• Targeted Attack identification
• Detailed malware reporting
• Data feed for SIEM
• Data feed to Synapse™ for correlation in ATP solution
ATP: Email R2 (Winter 2015)
• Cynic™ integration – better detection and behavioral reporting
Comprehensive Detection: Cynic (report screenshots)
• Detection Type
• Whois, Safeweb results
• VirusTotal lookup – 0/57 detection ratio
• Where else Symantec has seen the file, and by what name. Often, newer detections haven’t been seen before
• Behaviors classified as Malicious, Suspicious, Informational
• Each incident shows related incidents by IP or File
Faster Response: Synapse Investigation, Endpoint Search (screenshots)
• SEP Blocked events are correlated, and lowest priority
• Synapse Investigation by id, hash, url, file name
• Search all endpoints for file hash or reg key
• 1 endpoint returned with this file hash
• Unproven, low prevalence: pivot to endpoints
• View of all files on the machines, both clean and suspicious
ATP: Email Add-On Service
Targeted Attack Identification, Detailed Reporting
Targeted Attack Identification in Email
• Email Security.cloud: clean emails delivered to recipient; malicious emails blocked by Skeptic and Link Following; blocked emails sent for further analysis
• Targeted Attack Analysis: STAR analysts examine malicious emails, look for zero-day malware and targeted content
• Targeted attacks categorized based on thresholds
• Customer Dashboard and Detailed Report updated
Enhance visibility of advanced malware
Email ATP Add-on: Detailed Malware Report
The Advanced Threat Protection module for Symantec Email Security.cloud will provide more detailed reporting on blocked malware:
Malware details:
• Malware name
• Malicious URL or attachment file hash
• Summary of what the URL does
• Source IP – sender IP address
• Geo-location of source
• Detection method – e.g. Skeptic, Link Following
• Targeted Attack – Yes/No
• Why Symantec deems attack to be targeted (summary)
• Threat Category – Trojan, InfoStealer etc.
• Severity Level indicating threat sophistication
Email details:
• Date, time, timezone
• Domain of recipient email
• Rcpt To (Envelope Recipient, RFC 5321)
• To (Header, RFC 5322)
• Mail From (Envelope Sender, RFC 5321)
• From (Header, RFC 5322)
• Subject Line
Dashboard: malware by category, detailed breakdown of threats inbound and outbound
API to pull down data from events, streamed on request over HTTPS, CSV format
Thank you!
Copyright © 2015 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be
trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by
law. The information in this document is subject to change without notice.