Threat Landscape

The threat landscape is escalating rapidly in both numbers and complexity

On average, Symantec has seen more than 1M new malware variants created on a daily basis. Not only is the volume of threats growing significantly, but malware is also getting smarter and more sophisticated.

Today, targeted attacks and zero-day vulnerabilities are the two most common advanced threats. A single zero-day vulnerability can result in a large number of attacks, because once a working exploit has been packaged into a malware toolkit anyone can use it. By definition, a zero-day vulnerability is discovered only after attackers have already exploited it. Symantec found 10 of them within a month last year, and there may be many more that remain undiscovered and that attackers are keeping to themselves for now.

It’s easy to get lost in the statistics and lose sight of one of the key points when it comes to protection: attacks are designed to enter your environment through many different vectors, so an endpoint security solution that detects and blocks threats regardless of the threat type or how it reaches your endpoint is critical.

SEP – Symantec Endpoint Protection

Symantec Endpoint Protection can help detect, prevent, and respond to today’s most complex advanced attacks, across endpoints.

Customers recognise tangible benefits when they implement SEP 14: superior protection from a breadth of technologies, including new next-gen capabilities, granular controls to block specific applications or devices, and the ability to quickly orchestrate a response to stop the spread of an infection; better performance through optimised delivery of content; and support for diverse environments through a single management console, which simplifies administration and reduces the IT burden.

There are a variety of tangible benefits, but they all roll up to one intangible: “peace of mind” that you have the best protection possible.

SEP 14 offers protection against mass malware, targeted attacks, and emerging threats. It offers superior protection across diverse environments delivered by a high performance next-gen agent that also includes powerful response technologies.

SEP is built using layers of protection that are a unique combination of essential and next-gen technologies.

SEP 14, with its extensive list of next-gen technologies and key features, is the biggest release in years and an unbeatable next-generation product.

The new technologies are built on the foundation of protection that SEP 12 provides. Advanced Machine Learning addresses unknown threats. Memory Exploit Mitigation blocks exploitation of vulnerabilities in many popular applications. The new Emulator identifies hard-to-detect polymorphic malware. And finally, the Intelligent Threat Cloud works to ensure you have access to the most up-to-date threat information.

Essential capabilities such as Device Control have also been enhanced, enabling administrators to control which types of device are allowed to connect to a managed Mac, as has long been possible for Windows PCs. Additionally, behavioural monitoring now provides a level of monitoring even if SONAR is turned off.

With SEP 14 we are enhancing protection at all levels in the attack chain.

SEP 14 improves performance using our new Intelligent Threat Cloud.

Although all files can be convicted at the endpoint by our machine learning or other analysis technologies, in some cases we look for corroboration in our cloud to quickly check suspicious files before they execute. That is the role of the Intelligent Threat Cloud. It uses patented real-time cloud lookup, which delivers faster scanning through design techniques such as pipelining, trust propagation and batched queries, while providing the most up-to-date protection. What happens if the endpoint cannot connect to the cloud? It already holds a definitive verdict of its own, so if a suspicious file cannot be corroborated, it is convicted: the design fails closed rather than open.

The fact that we have machine learning on the endpoint to enhance our detection of unknown threats, and can quickly look up signatures in the cloud, means that we do not need to keep all the data on the endpoint and can update it only with the newest threat information. This reduces the frequency and size of our virus definition updates by up to 70%, which in turn lowers network usage and improves performance.

Certain environments may not wish to use Intelligent Threat Cloud and instead keep all signature information on the endpoint – that option is also available.
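To make the decision flow described above concrete, here is an added example (not Symantec’s code) of an endpoint-side scanner that keeps only a small local definition set, sends the hashes of files it cannot clear on its own to a reputation service in one batched query, and convicts anything that comes back uncorroborated or that it could not ask about at all because the service was unreachable. The file contents, hashes, the heuristic in LocalAnalyser and the simulated CloudReputation service are all constructed for illustration.

```python
# Added example, not Symantec code: local verdict first, one batched cloud
# lookup for the suspicious remainder, fail closed when the cloud is down.
import hashlib
from enum import Enum
from typing import Dict, List


class Verdict(Enum):
    CLEAN = "clean"
    SUSPICIOUS = "suspicious"
    MALICIOUS = "malicious"


class CloudUnavailable(Exception):
    """Raised when the reputation service cannot be reached."""


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class LocalAnalyser:
    """Stand-in for on-endpoint ML/emulation: a small, recent definition set
    plus a constructed heuristic for files it has no definition for."""

    def __init__(self, definitions: Dict[str, Verdict]):
        self.definitions = definitions            # hash -> known verdict

    def verdict(self, data: bytes) -> Verdict:
        known = self.definitions.get(sha256(data))
        if known is not None:
            return known
        # Constructed heuristic: unknown executables (MZ header) need
        # corroboration; unknown non-executables are treated as clean.
        return Verdict.SUSPICIOUS if data.startswith(b"MZ") else Verdict.CLEAN


class CloudReputation:
    """Simulated reputation service; online=False models a lost connection."""

    def __init__(self, reputations: Dict[str, str], online: bool = True):
        self.reputations = reputations            # hash -> "trusted" | "malicious"
        self.online = online
        self.round_trips = 0                      # counts queries, not hashes

    def lookup_batch(self, hashes: List[str]) -> Dict[str, str]:
        if not self.online:
            raise CloudUnavailable("no route to reputation service")
        self.round_trips += 1
        return {h: self.reputations[h] for h in hashes if h in self.reputations}


def scan(files: Dict[str, bytes], analyser: LocalAnalyser,
         cloud: CloudReputation) -> Dict[str, Verdict]:
    """Return a verdict per path. All suspicious files share one batched cloud
    query; anything the cloud does not vouch for is convicted."""
    results: Dict[str, Verdict] = {}
    pending: Dict[str, List[str]] = {}            # hash -> paths awaiting cloud

    for path, data in files.items():
        v = analyser.verdict(data)
        if v is Verdict.SUSPICIOUS:
            pending.setdefault(sha256(data), []).append(path)
        else:
            results[path] = v

    if pending:
        try:
            answers = cloud.lookup_batch(list(pending))
        except CloudUnavailable:
            answers = {}                          # fail closed: nothing corroborated
        for h, paths in pending.items():
            final = Verdict.CLEAN if answers.get(h) == "trusted" else Verdict.MALICIOUS
            for p in paths:
                results[p] = final
    return results


# Constructed sample set: a file the local definitions know is bad, an
# unknown executable the cloud trusts, an unknown executable nobody has
# seen, and a plain text file.
SAMPLES = {
    "C:/tmp/dropper.exe": b"MZ" + b"dropper payload",
    "C:/tmp/vendor_tool.exe": b"MZ" + b"signed vendor tool",
    "C:/tmp/unknown.exe": b"MZ" + b"never seen before",
    "C:/tmp/notes.txt": b"meeting notes",
}
ANALYSER = LocalAnalyser({sha256(SAMPLES["C:/tmp/dropper.exe"]): Verdict.MALICIOUS})
CLOUD_REPS = {sha256(SAMPLES["C:/tmp/vendor_tool.exe"]): "trusted"}


def demo(online: bool) -> Dict[str, Verdict]:
    return scan(SAMPLES, ANALYSER, CloudReputation(CLOUD_REPS, online=online))


if __name__ == "__main__":
    for online in (True, False):
        print("cloud online" if online else "cloud offline")
        for path, v in demo(online).items():
            print(f"  {path}: {v.value}")
```

With the cloud reachable, the trusted vendor tool is cleared and the never-seen executable is convicted; with the cloud unreachable the vendor tool is convicted too, because the endpoint cannot corroborate it. That is the trade-off the text is describing: an outage costs false positives on unknown executables, never a missed detection.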

Being able to respond quickly to threats is vital to minimise the damage to the organisation.

Being able to provide data to, or accept data from, other applications and security tools while orchestrating a quick response to threats improves an organisation’s security posture. In SEP 14 we’ve introduced programmable REST APIs, built into the SEP management console (SEPM), that allow other applications and scripts to drive SEPM functionality. This, for example, allows a Secure Web Gateway not only to query SEPM for infections on endpoints, but also to orchestrate a response by blacklisting applications or quarantining the infected endpoints.

Given that a layered approach to security is paramount, your endpoint protection product must be considered from a holistic point of view.

Why Symantec Endpoint Protection?

To sum it up… SEP 14 enables business through a single management console and high performance next-gen agent that stops threats regardless of how they attack your endpoint, and delivers powerful response capabilities for superior protection across diverse environments.

SEP Data Sheet

This data sheet provides additional information around SEP

Visibility Challenge

The threat landscape is more challenging than ever as it is escalating rapidly in both numbers and complexity

Symantec saw over 430M new pieces of malware in 2015. On average, that is more than 1M new malware variants created every day. We also saw a 55% increase in targeted attacks. Preventing threats alone is simply not enough: a recent Gartner report indicates that over 40% of end users were compromised despite using malware-blocking technologies, and it takes incident responders 120 days on average to remediate the vulnerabilities they find.

It is becoming more difficult for security staff to stay ahead of today’s sophisticated attack techniques.

While email continues to be the primary attack vector, endpoints remain the easy targets. Attackers leverage endpoint systems in order to infiltrate their target organisations, whether by exploiting vulnerabilities, through social engineering, via phishing websites, or some combination of all of these. And once inside the victim’s infrastructure, targeted attacks use endpoint systems to traverse the network, steal credentials, and connect with command-and-control servers, all with the goal of compromising the organisations’ most critical systems and data.

Visibility is key!

Because most of today’s security products are not integrated, security analysts need to examine many distinct sources of security data, or find some way to combine that data manually, and then hope they can “connect the dots” to gain visibility into suspicious activity in their environment. The same lack of integration makes cleaning up after an attack time-consuming and difficult: analysts have to retrieve files from endpoint machines by hand, and roll out individual updates to each separate product in order to remove and block the file everywhere else. Moreover, incident response teams are often overwhelmed by too many alerts and a huge queue, and the team does not always know which incident requires immediate action.

Now that we understand customers’ challenges, let’s see how Symantec Advanced Threat Protection can help

To address today’s threat landscape, customers need more than threat prevention. When a stealthy threat slips through, customers need to quickly detect, contain, and remediate it. Symantec Advanced Threat Protection is a comprehensive solution that addresses those pressing security concerns for customers. It uncovers potential threats and provides visibility into malicious activity. ATP investigates suspicious events, allowing customers to search for indicators-of-compromise and get rich threat intelligence from data feeds. It correlates suspicious events across all Symantec-protected control points, and prioritises threat events in a single console, so that security analysts can take immediate action to respond to those incidents that pose the most risk to the organisation.

ATP Suite

Symantec Advanced Threat Protection (ATP) is a unified platform that can detect and prioritise threats across multiple control points and remediate advanced threats from one single console.

It can be delivered as a hardware appliance or a virtual appliance. Today there are four ATP modules: ATP: Endpoint, ATP: Network, ATP: Email, and ATP: Roaming, which was introduced in November 2016. ATP: Endpoint and ATP: Network sit on the appliance, while ATP: Email and ATP: Roaming sit in the cloud. These modules send information from their different control points to the ATP platform, where all the threat events are correlated and prioritised by leveraging our correlation technology and global threat intelligence, allowing customers to focus on what matters most. Suspicious events are submitted through the ATP platform to our cloud-hosted sandbox, which supports both physical and virtual detonation for further analysis.

Today ATP offers 4 control points:

  • ATP: Endpoint integrates with SEP and enables customers to search for, discover and remediate any attack artefacts across all endpoints.
  • ATP: Network detects advanced threats using multiple layers of technology, including machine learning, IPS, reputation and sandboxing.
  • ATP: Email integrates with Symantec Email to detect advanced threats entering via email and uses the sandbox to detect targeted attacks.
  • ATP: Roaming protects endpoints when they are outside the corporate network. It supports HTTPS, integrates with the cloud sandbox, and sends all its events back into the ATP platform for correlation with the other control points.

ATP Endpoint – Symantec ATP: Endpoint Detection and Response (EDR) solution

Symantec’s EDR solution is deployed as an appliance. Customers can use the Symantec Advanced Threat Protection appliance hardware or VMware’s ESX platform.

When a threat slips past, customers want to contain and remediate it quickly. Symantec ATP: Endpoint provides EDR capability that allows customers to investigate suspicious events and get in-depth visibility into all endpoints across their organisation. You can look up or submit any suspicious file to our unique cloud-scale sandbox for further investigation. Our Cynic sandboxing technology leverages advanced machine learning combined with global threat intelligence. It uncovers stealthy threats and provides granular details of a file’s capabilities and all of its execution actions, such as which malicious file was downloaded from which website and by whom.

You can also conduct an instant search for any attack artefact, or query every endpoint in real time for specific indicators of compromise such as a file hash or a registry key, shortening the time incident responders need to identify potential threats.

Once an attack component has been identified as malicious, customers can remediate all instances of the threat in minutes with our EDR solution. With a single click they can block, remove or blacklist a file across all endpoints, so that no one can execute it. Customers can also isolate an endpoint from the corporate network for further investigation and add it back once the issue has been resolved, all with one click from one single console.

ATP Endpoint Datasheet

This Datasheet provides further information and specification for ATP Endpoint.

Symantec Advanced Threat Protection: Network

This is deployed as a network appliance that inspects both inbound and outbound traffic over common ports and protocols. It can be deployed on a physical appliance from the Symantec Advanced Threat Protection hardware line, or as a virtual appliance on VMware’s ESX platform.

ATP: Network fuses intelligence from Symantec-protected sensors, as well as Symantec’s massive global sensor network, to block, uncover and investigate threats that others miss. By monitoring all traffic coming into or out of the network, it is able to inspect traffic using multiple advanced detection technologies. These include reputation-based detection, which looks at how prevalent a file is and whether Symantec has seen it before, as well as a number of other sophisticated techniques such as sandboxing and correlation. Suspicious files processed by the ATP: Network appliance are sent automatically to our cloud-scale sandbox for further analysis. As a result, ATP: Network can identify suspicious incoming network traffic and help locate machines inside the network that are communicating with malicious command-and-control servers. It provides the most up-to-date visibility into new attack sources on the internet.

ATP: Network customers can conduct a quick search for any indicators of compromise in files and URLs, reducing the time incident responders need to identify potential threats. When malware is detected, Symantec ATP: Network uses the correlation technology to verify whether the threat was blocked by Symantec Endpoint Protection. If the threat was NOT blocked, an incident is created automatically. This analysis and correlation means that security analysts can quickly focus on the most critical incidents that require immediate action. Customers can then blacklist any files and URLs identified as malicious.
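The correlation rule just described, together with the hash search across endpoints described under ATP: Endpoint, as an added example that is not Symantec’s code: a network detection is suppressed when the endpoint agent already blocked the same hash on the same host within a short window, becomes a critical incident when the agent saw the file run, and a high-priority incident when the agent reported nothing at all. The event records, field names, hosts, hashes, URLs and timestamps are all constructed for the example; real ATP and SEP event formats differ.

```python
# Added example, not Symantec code: cross-control-point correlation and an
# IOC hash search over constructed network and endpoint events.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class NetworkDetection:
    """Constructed ATP: Network-style event: a file seen in traffic to a host."""
    time: datetime
    host: str
    sha256: str
    source_url: str
    verdict: str            # "malicious" or "clean"


@dataclass(frozen=True)
class EndpointEvent:
    """Constructed SEP-style event: what the endpoint agent did with the file."""
    time: datetime
    host: str
    sha256: str
    action: str             # "blocked", "quarantined" or "allowed"


@dataclass(frozen=True)
class Incident:
    host: str
    sha256: str
    source_url: str
    priority: str           # "critical" if the file ran, otherwise "high"
    reason: str


BLOCKING_ACTIONS = {"blocked", "quarantined"}


def correlate(detections: List[NetworkDetection], endpoint_events: List[EndpointEvent],
              window: timedelta = timedelta(minutes=10)
              ) -> Tuple[List[Incident], List[NetworkDetection]]:
    """Return (incidents, suppressed). A malicious network detection is
    suppressed when the endpoint agent blocked the same hash on the same host
    within `window`; otherwise it becomes an incident, critical first."""
    by_key: Dict[Tuple[str, str], List[EndpointEvent]] = {}
    for e in endpoint_events:
        by_key.setdefault((e.host, e.sha256), []).append(e)

    incidents: List[Incident] = []
    suppressed: List[NetworkDetection] = []
    for d in detections:
        if d.verdict != "malicious":
            continue
        related = [e for e in by_key.get((d.host, d.sha256), [])
                   if abs(e.time - d.time) <= window]
        if any(e.action in BLOCKING_ACTIONS for e in related):
            suppressed.append(d)              # endpoint already handled it
            continue
        if any(e.action == "allowed" for e in related):
            priority, reason = "critical", "file executed on endpoint"
        else:
            priority, reason = "high", "no endpoint verdict for this file"
        incidents.append(Incident(d.host, d.sha256, d.source_url, priority, reason))
    incidents.sort(key=lambda i: (i.priority != "critical", i.host))
    return incidents, suppressed


def search_ioc(endpoint_events: List[EndpointEvent], sha256: str) -> Set[str]:
    """Every host on which the endpoint agent has seen this hash, blocked or not."""
    return {e.host for e in endpoint_events if e.sha256 == sha256}


# Constructed sample events (hashes are placeholders, not real malware).
H1, H2 = "11" * 32, "22" * 32
T0 = datetime(2016, 11, 1, 10, 0, 0)
DETECTIONS = [
    NetworkDetection(T0, "ws-01", H1, "http://evil.example/a.exe", "malicious"),
    NetworkDetection(T0 + timedelta(minutes=3), "ws-02", H1, "http://evil.example/a.exe", "malicious"),
    NetworkDetection(T0 + timedelta(minutes=5), "ws-03", H2, "http://evil.example/b.exe", "malicious"),
    NetworkDetection(T0 + timedelta(minutes=6), "ws-04", "33" * 32, "http://cdn.example/ok.exe", "clean"),
]
ENDPOINT_EVENTS = [
    EndpointEvent(T0 + timedelta(seconds=5), "ws-01", H1, "blocked"),
    EndpointEvent(T0 + timedelta(minutes=3, seconds=10), "ws-02", H1, "allowed"),
    # ws-03 reports nothing: unmanaged host, or the agent never saw the file.
]


def demo() -> Tuple[List[Incident], List[NetworkDetection]]:
    return correlate(DETECTIONS, ENDPOINT_EVENTS)


if __name__ == "__main__":
    incidents, suppressed = demo()
    for i in incidents:
        print(f"{i.priority:8} {i.host} {i.sha256[:12]}... {i.reason}")
    print("suppressed:", [d.host for d in suppressed])
    print("hosts that have seen H1:", sorted(search_ioc(ENDPOINT_EVENTS, H1)))
```

The window matters: without it, a block event from a month ago would silence a fresh detection of the same hash. Which host gets “critical” is driven entirely by the endpoint’s own report that the file ran, which is the signal a network sensor alone cannot produce.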

ATP Network Datasheet

This Datasheet provides further information and specification for ATP Network protection.

Symantec Advanced Threat Protection: Email

Email is still the top vector for attacks of all types, whether targeted, advanced or mass-mailed. The ATP: Email module enhances the already excellent threat prevention capabilities of Symantec Email.

It adds the Cynic sandbox detection capability to uncover and block advanced threats that are delivered by email and includes our unique targeted attack identification functionality. Suspicious events are submitted automatically to our cloud-based sandbox with both physical and virtual execution.

With rich threat intelligence, ATP: Email exposes data from malicious emails to customers. It also provides detailed reporting, such as file hashes, IP addresses and URL information, presenting all of these attack artefacts through one single console.

Customers can also export the threat intelligence into their SIEM, which would allow them to quickly correlate and respond to threats.

ATP: Email sits in the cloud. It requires Symantec Email, because that is how it collects all email-related events. In other words, Symantec Email customers can leverage their existing Symantec investment and get advanced threat protection for email without adding a new agent. ATP: Email automatically correlates email detection events with those of the other ATP modules, reducing the volume of security alerts and prioritising the most significant threats.

ATP Email Datasheet

This Datasheet provides further information and specification for ATP Email protection.

Symantec ATP: Roaming is the newest ATP module, introduced recently.

Just like ATP: Email, ATP: Roaming is a cloud-based solution. It uncovers and blocks advanced threats embedded in both HTTP and HTTPS-encrypted traffic. Today’s advanced attacks hide on legitimate websites, leverage new and unknown vulnerabilities, and enter targeted organisations via HTTP or HTTPS. While organisations seek ways to secure their network, roaming users can be another issue: 70% of organisations support BYOD, which means there is a good chance that advanced threats can infiltrate endpoints while end users are browsing the internet outside the corporate network. ATP: Roaming is designed to address that issue.

It protects users from advanced threats no matter where they are browsing the internet: at the airport, in a café, at home, accessing their personal email or checking out various websites. By leveraging reputation-based analysis, IPS, AV, and our Cynic sandbox and detonation, ATP: Roaming can detect and block advanced threats even when they are embedded in encrypted traffic, keeping users safe when they are not connected to the VPN.

Symantec ATP also correlates threat events detected from ATP: Roaming with those from other Symantec-protected control points to greatly reduce the number of incidents that a security analyst needs to examine. Again, allowing customers to prioritise and focus on what matters the most.

ATP Roaming Datasheet

This Datasheet provides further information and specification for ATP Roaming protection.

Why Symantec?

The global threat intelligence network is one of Symantec’s key advantages over its competitors. Symantec identifies new threats first because it sees more: it collects threat insights from over 175 million endpoints and 57 million attack sensors across different organisations, industries and geographies. That all adds up to more than 3.7 trillion rows of security-relevant data. Symantec leverages the collective wisdom from this diverse threat data and turns it into predictive technologies that feed its machine learning and analysis.

In addition, Symantec’s cyber security analysts monitor the latest threat landscape 24×7 throughout the year, identifying new threats as they emerge and feeding that data back into the intelligence network.

Get in touch

Kontex Security Ltd

T: +353 (0) 62 43937

E: [email protected]

United States:

345 Park Ave # 1702, New York, NY 10154, USA

Maynooth Works, Maynooth University, Kildare, Ireland