In this session you will hear how Symantec continues to focus our comprehensive security expertise, global intelligence and portfolio on giving organizations proactive, targeted attack protection today and in the future.

You’ll learn about our roadmap across the Symantec email and gateway security offerings.

We’ll reveal our expanded vision of Targeted Attack Protection spanning email, gateway and cloud platforms to provide far greater protection, a 100% detection rate and rapid remediation of both common and

#SymVisionEmea

Gateway, cloud and targeted attacks
Our vision, strategy and roadmap

Patrick Gardner, VP, Engineering
Jane Wong, Director, Product Management

Advanced Threat Protection by Symantec

SYMANTEC VISION SYMPOSIUM 2014

Targeted attacks against organizations by size

• 66% of breaches went undetected for 30 days or more
• 243 days before detection
• 4 months to remediate

The shift in mindset

Symantec Advanced Threat Protection Solution

New advanced threat detection and response capabilities unifying security across the endpoint, email and gateway, helping organizations achieve better protection and drive down security operations costs.

• Detection: Better ability to identify targeted attack scope
• Visibility: Improved insight into events and trends
• Response: Increased logging of forensic information
• Context: Global context from the Symantec GIN

Products:
• Endpoint Security: Advanced Threat Protection
• Gateway Security: Threat Defense
• Email Security: Advanced Threat Protection

Technologies:
• Symantec Cynic: new cloud based sandbox analysis; combines global threat analysis and behavioral analysis
• Symantec Synapse: new correlation across endpoint, email & gateway; provides prioritization for incident responders

Protect, detect & respond

• Protect - identify new threat at any control point, real-time local block across all
• Detect – discover new malware via Cynic, search all endpoints for similar behaviors (IOCs)
• Respond – discover new

Symantec Advanced Threat Technology

Rapid detection of malware: Cynic

Reports: Portable Executables, PDF, Office docs, Acrobat, Java files, containers
• Draws out VM-aware malware
• Mimics human interaction
• Cloud based service enables rapid scale and fast updates to analysis

Accurate prioritization of events: Synapse

• Threat correlation across gateway, endpoint and email enables effective prioritization
• High prioritization of assets to be remediated due to active infection

Symantec Gateway Security

Threats to gateway security

• Watering hole attacks are 2nd only to spear phishing
• 77% of websites have vulnerabilities
• 16% of these are critical
• 23 zero day exploits discovered in 2013
• The % of unmanaged endpoints increases the complexity of the problem faced by Sec Ops today

Source: Symantec Internet Security Threat Report volume 19

Symantec Gateway Security: Threat defense

(Architecture diagram: Endpoints, SGSTD, Internet, Symantec Cloud with Cynic, Symantec big data intelligence, Email & Endpoint (ESS, SEPM), Synapse Correlation. On-box engines: Blacklist, Vantage, Insight, AV, Mobile Insight.)

1. Real-time Inspection: On-box inspection with proven technologies. In-line = block; TAP-mode = inspect only.
2. Symantec Cloud: Asynchronous inspection of suspicious files sent to Cynic for analysis.
3. Cynic assesses file behavior in multiple sandboxing VMs, up to and including bare metal execution for VM-aware malware, and utilizes Skeptic and SONAR heuristics.
4. Synapse Correlation: Behaviors are put in global context against Symantec Intelligence Data and correlated to email and endpoint events via Synapse.
5. Conviction, Actionable: Verdict and an actionable, richly detailed report on what Cynic observed is provided, prioritized contextually.

Symantec Gateway Security: Threat defense futures …

• Enhanced visibility into all inspection events across control points to aid in forensic investigation, includes encrypted traffic view
• Enhanced ability to pinpoint the user under attack and create a profile of “normal activity”; e.g. the CEO’s administrative assistant versus a new hire to the finance department
• Additional options for malware analysis (e.g. on-site as a black box appliance, uploading of custom o/s images, etc.)
• Enhanced integration to the web gateway products to extend ATP capabilities

Symantec Email Security

Threats to email security

• 1 in 392 emails are a phishing attack
• 1 in 196 emails are a malware attack
• 66% of all email worldwide is spam
• 25% of malware in email is delivered via a link
• 91% increase in targeted attacks in 2013 vs 2012
• Email is top incursion vector for attacks

Source: Symantec Internet Security Threat Report volume 19

Vision

• Detailed reporting on advanced malware blocked by Symantec, including targeted attacks
• Accurate prioritization of threat activity across control points via Synapse™ data correlation
• Detect new malware via Cynic™ sandboxing, including virtual and physical execution
• Detailed behavioural reporting – what was the malware trying to do?
• Gain campaign insights via Symantec threat actor intelligence

Symantec Email Security: Advanced Threat Protection
V1: Enhanced visibility of advanced malware

Email Details
• Date, time, timezone
• Domain of recipient email
• Rcpt To (Envelope Recipient, RFC5321)
• To Header (RFC5322)
• Source IP - sender IP address
• Geo-location of source
• Mail From (Envelope Sender, RFC5321)
• From Header (RFC5322)
• Subject Line

Malware Details
• Malware name
• Malicious URL or attachment file hash
• Detection method – e.g. Skeptic, Link Following
• Targeted Attack – Yes/No
• Why Symantec deems attack to be targeted (summary)
• Threat Category - Trojan, InfoStealer etc.
• Severity Level indicating threat sophistication

Severity Levels
• HIGH: Targeted Attack
• MEDIUM: Zero-day or new malware
• LOW: Blocked malware

• SIEM integration
  – API to pull down detailed data on malicious emails that have been blocked by Email Security.cloud
• Mechanism
  – Data Feeds are streamed on request through a URL
  – HTTPS secures and encrypts the data, CSV format
• More detail
  – 23 data points (vs. 9 in current Anti-Virus Detailed report)
  – New data includes Targeted Attack analysis, Severity Level, Geolocation of attacker and SHA256 hashes
• Synapse integration
  – Event correlation drives prioritization and supports response today, sets stage for automated protection in future releases

Reduce response time and effort with data correlation
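As an added illustration (not Symantec's code, and not the real 23-column feed), here is how a SOC consumer of such a CSV feed could triage it: the column names and sample rows are constructed from the Email Details and Malware Details fields listed above, and the HIGH/MEDIUM/LOW mapping follows the Severity Levels slide. It orders events for a responder, surfaces recipients hit more than once, and extracts SHA256 values for an endpoint search.

```python
import csv
import io
from collections import Counter

# Constructed sample of an Email Security.cloud-style CSV feed (not a real export).
# The columns are a subset of the fields the slides list; values are placeholders.
SAMPLE_FEED = """date_time,recipient_domain,rcpt_to,source_ip,geo_location,mail_from,subject,malware_name,sha256,detection_method,targeted_attack,threat_category,severity_level
2014-05-06T09:12:00Z,example.com,cfo@example.com,198.51.100.7,XX,invoice@example.net,Q1 invoice,Trojan.Example,sha256-placeholder-1,Skeptic,Yes,Trojan,HIGH
2014-05-06T09:15:00Z,example.com,staff1@example.com,203.0.113.9,YY,news@example.org,Weekly news,W32.Example,sha256-placeholder-2,Link Following,No,Worm,LOW
2014-05-06T09:20:00Z,example.com,cfo@example.com,198.51.100.8,XX,hr@example.net,Updated policy,Infostealer.Example,sha256-placeholder-3,Skeptic,No,InfoStealer,MEDIUM
2014-05-06T09:25:00Z,example.com,staff2@example.com,203.0.113.10,ZZ,promo@example.org,Discount,Downloader.Example,sha256-placeholder-4,Link Following,No,Downloader,LOW
"""

# Severity Levels from the slide: HIGH = targeted attack, MEDIUM = zero-day or new
# malware, LOW = blocked (known) malware. Anything else ranks below LOW.
SEVERITY_RANK = {"HIGH": 3, "MEDIUM": 2, "LOW": 1}


def parse_feed(text):
    """Parse the CSV feed into row dicts, adding a numeric severity and a targeted flag."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["severity_rank"] = SEVERITY_RANK.get(row["severity_level"].strip().upper(), 0)
        row["is_targeted"] = row["targeted_attack"].strip().lower() == "yes"
    return rows


def prioritize(rows):
    """Order events for a responder: highest severity first, targeted before
    untargeted within a level, then oldest first so nothing ages out unseen."""
    return sorted(rows, key=lambda r: (-r["severity_rank"], not r["is_targeted"], r["date_time"]))


def repeatedly_hit(rows, min_hits=2):
    """Recipients that appear in several blocked emails: the 'user under attack'."""
    hits = Counter(r["rcpt_to"] for r in rows)
    return {rcpt: n for rcpt, n in hits.items() if n >= min_hits}


def iocs_for_endpoint_search(rows, min_rank=2):
    """SHA256 hashes (MEDIUM and above) worth searching for across endpoints."""
    return sorted({r["sha256"] for r in rows if r["severity_rank"] >= min_rank})


if __name__ == "__main__":
    events = parse_feed(SAMPLE_FEED)
    for e in prioritize(events):
        print(e["severity_level"], e["rcpt_to"], e["malware_name"], e["threat_category"])
    print("repeatedly hit:", repeatedly_hit(events))
    print("IOCs:", iocs_for_endpoint_search(events))
```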

Symantec Email Security: Advanced Threat Protection Futures … (V2)

• Better detection of new malware, via integration with Symantec Cynic™ sandboxing technology
• Detailed behavioral reporting – what did Symantec observe the malware trying to do?
• Submit blocked email samples for analysis
• Enhanced Synapse™ correlation data feed with additional data to further strengthen accuracy of event prioritization across control points
• Gain intelligence on adversaries and their modus operandi, via Symantec threat actor intelligence

Symantec Endpoint Security

Symantec Endpoint Security: Advanced Threat Protection
Automatic, continuous suspicious event prioritization

Analyzes global and local context data to determine scope and severity. Optionally sends to Cynic for behavior reporting. Automatically generates prioritized list of suspicious events. “Convicts” file and locally blacklists to immediately contain the attack.

Detect Accurately
• Endpoints send suspicious activity in real-time
• Machine-learning based algorithm (SEAA) applied to data

Analyze Quickly
• Global intelligence benchmarking
• Cynic results
• Comprehensive body of evidence for SIEM integration

Respond with Confidence
• Immediately prevents additional downloads
• Instructs SEPM to blacklist locally via policy

Suspicious event analytics algorithm

Goal

• Provide a high fidelity, automatically generated prioritized list of suspicious events

• Automates the “job” of finding suspicious events across your endpoints

• Informs you of attacks more quickly and requires less effort

How

• Machine learning based algorithm

• Developed in collaboration with STAR

• Validated against specific enterprise data sets as opposed to broad, global data from enterprises

Requires

• Full visibility into all PE files created on the endpoint

• Full visibility into all AV and IP Ping data

Symantec Advanced Threat Protection Solution

How we solve the problem ….

Tell me about advanced threats faster and better than anyone else.
Give me actionable intelligence so that I can defend my organization.
Highlight the most important events so I can prioritize my time.

Protect, Detect, Respond
• Elastic cloud technologies detect 0-day evasive threats through many techniques of code execution and analysis
• Visibility into threats targeting both managed and unmanaged clients

Advanced Threat Solution
• Synapse-driven event prioritization across all Symantec control points
• Greater Symantec context gives you additional intelligence: URL sources, origin, files downloaded by that file, processes created, etc.
• Deep file analysis provides a full

Thank you!

Copyright © 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.


Email ATP Add-on: Detailed Malware Report | Threat Categories
Enhance visibility of advanced malware

Worm: The ability to replicate across a network. Threats that do not require host files or sectors and self-replicate across disks (e.g., copying oneself to the floppy drive and from the floppy to the hard drive).

Viruses (File Infector): The ability to self-replicate on the same host.

Backdoor: Program or feature in a program that allows unauthorized remote control and access to the system on which it is installed without notice and consent. The program that controls (and often connects to) the backdoor can be considered a component of the backdoor even if it installs with notice and consent.

InfoStealer: Contains functionality that is intended to collect confidential data from the target system without adequate notice and without receiving appropriate consent. Confidential data includes information that most people would not be willing to share with someone and includes bank details, credit card numbers, and passwords.

Downloader: Installs or causes other malware to be installed on the system. Program whose sole purpose is to download programs without adequate notice or consent.

Trojan: Without user consent, purposely modifies or deletes system components in such a way that the program effectively disrupts the host computer's functionality so that activities that would have been possible before it was installed would not be possible after install. This includes changes made to a system to prevent it from accessing other resources on a network or Internet.

Hacktool:

Why SES: ATP?

• Deep endpoint integration – leverages proprietary suspicious event data
• Automatic, continuous and high fidelity suspicious event prioritization using machine-learning based algorithm
• Quickly builds a comprehensive body of evidence so you can take action with confidence

Symantec Endpoint Security: Advanced Threat Protection

(Architecture diagram: SEP Clients, SEP Manager, SES: ATP delivered as an on-prem. VA, Cynic On-Demand, GIN. Stages: Detect Accurately, Analyze Quickly, Respond with Confidence; scope: Endpoint, Enterprise, Global.)
