
Symantec Advanced Threat Protection

Any information regarding pre-release Symantec offerings, future updates or other planned modifications is subject to ongoing evaluation by Symantec and therefore subject to change.

This information is provided without warranty of any kind, express or implied.

Customers who purchase Symantec offerings should make their purchase decision based upon features that are currently available.

Symantec Confidential. Subject to NDA


You see the results daily. How many go undetected and unreported?

Total data breaches, January 2014 to December 2014: 312
Total identities exposed, January 2014 to December 2014: 348 million

Unencrypted POS post-Target
5 months to detection, 2 weeks to uncover
Via vendor + 0-day vulnerability
56 million credit cards stolen

Attackers wanted instant impact
4 unreleased movies
25GB, 33K files
Disabled email, wifi
Delayed paychecks

5 DB admins compromised
1 month to detection
80 million medical records stolen
Medical records 10 times more valuable than credit cards on black market



Even with the best prevention technologies, can you stop advanced persistent threats?

PREPARE: Understanding where important data is and who can access it
PREVENT: Stopping incoming attacks
DETECT: Finding incursions
RESPOND: Containing and remediating problems
RECOVER: Restoring operations

While prevention is still very important, you need to prepare to be breached.



If you are breached, how fast can you detect, respond and recover?

PREPARE PREVENT DETECT RESPOND RECOVER

Our Future: Symantec Advanced Threat Protection



Symantec Advanced Threat Protection

CLOUD SANDBOX: Physical & virtual detonation
CORRELATION: Correlation and prioritization
INVESTIGATION: Detect once, find everywhere
REMEDIATION: Block, clean, fix in real-time
Global Intelligence, Exported Data

Control points: ENDPOINT, NETWORK, EMAIL, 3RD PARTY

More Intelligence | Better Detection & Faster Response | Correlated Across Control Points | Integrated with Endpoint Protection



WHY IS SYMANTEC'S ADVANCED THREAT PROTECTION BETTER?

Unmatched Intelligence & Analytics
Endpoints: 175M total, 120M enterprise, 12M server
Email boxes: 850M total, 25M enterprise (SEG only)
New focus areas: Threat analytics & adversary threat intelligence

Unparalleled Prevention
Consistent leader in endpoint & email protection

Unequaled Detection (15% better according to early 3rd party tests)
Complete coverage of control points: endpoint, email, and network
And threat vectors: C2 callbacks, behavioral, reputation, exploits
Complemented by new techniques: Cynic cloud payload detonation, Synapse correlation

Unbeatable Response
Prioritize via correlation with the endpoint and enterprise context
Investigate efficiently: Where is a threat? How did it get in?
Contain the threat across the enterprise & remediate with one click

Delivered at the Lowest Security OpEx
Integrated with Endpoint Protection & Email Security
Cloud payload detonation
A single console, a partner ecosystem, and an API driven approach
ATP in Action: Suspicious File via Email

1. Email arrives with a suspicious file or URL
2. ATP: Email flags it as suspicious and sends it to Cynic
3. Cynic convicts the file
4. High priority event (Synapse™) shown in the portal
5. Admin drills down to the Cynic conviction
6. Admin can block the file at ATP: Network, ATP: Endpoint and ATP: Email
7. Admin runs Power Eraser on infected endpoints



Comprehensive Detection



Detection Pipeline
Technologies tested and proven on >200M endpoints for faster, more accurate detection

On box:
Blacklist, Whitelist: Blocks or allows per Symantec sourced blacklist and customer created whitelist (GIN, Malheur)
Vantage: Blocks malware as it tries to spread over the network (protocol aware IPS, C&C detections, vulnerability and exploit blocking)
File: Scans and eradicates malware files on a system (antivirus engine, Auto Protect)

Cloud:
Insight: Determines the safety of files & websites using the wisdom of the crowd (analytics): domain/IP reputation, file reputation, Android APK reputation
Cynic: Malware analysis finds unknown malware that bypassed the pipeline (various Windows, Office, Adobe versions; bare metal for VM-evasive payloads)
SYMANTEC CYNIC (NEW: CLOUD-BASED PAYLOAD DETONATION)
Broad coverage: Office docs, PDF, Java applets, containers, portable executables
More effective: Mimics human interaction in realistic environments, runs on virtual & bare metal
Cloud advantages: Innovative techniques such as malware clustering, and scales to meet demands

SYMANTEC SYNAPSE (NEW: CORRELATION AND PRIORITIZATION)
Effective prioritization: Prioritizes high for active infection or low for blocked infection
Forensic investigation: Intelligent grouping for campaigns, threat evolution, and resolution
Ease of use: No new agents or complex SIEM rules, integrated console
Symantec Advanced Threat Protection: Network

Diagram: Internet, network traffic, endpoints; SATP:N real-time inspection; Symantec Cloud (Cynic, Symantec big data intelligence, Synapse correlation); Email & Endpoint (ESS, SEPM)

1. On-box inspection with proven technologies (Blacklist, Vantage, Insight, AV, Mobile Insight). In-line = block; TAP-mode = inspect only
2. Asynchronous inspection of suspicious files sent to Cynic for analysis
3. Cynic assesses file behavior in multiple sandboxing VMs, up to and including bare metal execution for VM-aware malware, and utilizes Skeptic and SONAR heuristics
4. Behaviors are put in global context against Symantec Intelligence Data and correlated to email and endpoint events via Synapse
5. Verdict and an actionable, richly detailed report on what Cynic observed is provided, prioritized contextually (conviction, actionable intelligence)
Symantec Advanced Threat Protection: Endpoint

Diagram: Internet; ATP Endpoint; endpoints, users. In the Symantec Cloud: Cynic. On the Appliance: Criterion. On the Agent (i.e. SEP 12.1).

Virtual Appliance: Scales to 60k endpoints
ATP Endpoint detection pipeline focuses on what SEP does not block: Insight, SONAR, File and Vantage automatically and continuously identify suspicious events and send them to ATP: Endpoint
Machine learning component on the appliance reduces noise and prioritizes suspicious events received from all endpoints
Cynic and the body of evidence help move suspicious events to a state of high confidence
Evidence of compromise search
Blacklisting & containment
Symantec Advanced Threat Protection: Email

Diagram: Internet -> Email Security.cloud -> customer mail server (or hosted mailbox provider) -> end-users. Core service: Connection, Process, Brightmail, Symantec AV, Skeptic, real-time Link Following. ATP: Email: Cynic.

ATP: Email R1 (Summer 2015)
Targeted attack identification
Detailed malware reporting
Data feed for SIEM
Data feed to Synapse for correlation in ATP solution

ATP: Email R2 (Winter 2015)
Cynic integration: malware analysis finds unknown malware that bypassed the pipeline (various Windows, Office, Adobe versions; bare metal for VM-evasive payloads)
Better detection and behavioral reporting


Comprehensive Detection: Cynic



Detection Type
Whois, Safeweb results
VirusTotal lookup: 0/57 detection ratio



Where else Symantec has seen the file, and by what name. Often, newer detections haven't been seen before.
Behaviors classified as Malicious, Suspicious, Informational.



Each incident shows related incidents by IP or file.



Faster Response: Synapse Investigation, Endpoint Search



SEP blocked events are correlated and given the lowest priority.
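The prioritization rule on this slide and on the Synapse slide above (high for an active infection, low for an infection SEP already blocked) is what makes correlated events worth an analyst's time. The script below is an added example that is not Symantec code or Synapse logic: it groups constructed sample events from email, network and endpoint by file hash and applies an assumed priority ladder. The event field names, verdict strings and the ladder itself are assumptions for illustration.

```python
"""Correlate detections from email, network and endpoint by file hash and
rank the resulting incidents. Added example in the spirit of the Synapse
slides (high for active infection, low for SEP-blocked); it is not Symantec
code. The event schema, source names and priority ladder are assumptions."""
from collections import defaultdict

PRIORITY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "INFO": 3}

# Constructed sample events (not real telemetry). Each control point reports
# the file hash it saw, its verdict and what happened on the host, if known.
SAMPLE_EVENTS = [
    {"src": "email",    "hash": "aaa111", "verdict": "cynic_malicious",  "host": None,     "action": "delivered"},
    {"src": "endpoint", "hash": "aaa111", "verdict": "sonar_suspicious", "host": "WS-017", "action": "executed"},
    {"src": "network",  "hash": "bbb222", "verdict": "cynic_malicious",  "host": "WS-042", "action": "observed"},
    {"src": "endpoint", "hash": "bbb222", "verdict": "sep_blocked",      "host": "WS-042", "action": "blocked"},
    {"src": "network",  "hash": "ccc333", "verdict": "cynic_malicious",  "host": "WS-009", "action": "observed"},
    {"src": "endpoint", "hash": "ddd444", "verdict": "sonar_suspicious", "host": "WS-003", "action": "executed"},
]


def correlate(events):
    """Group events by file hash so one conviction can be applied everywhere."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev["hash"]].append(ev)
    return groups


def prioritize(group):
    """Assumed ladder:
    LOW    - every endpoint sighting was blocked by SEP (nothing ran)
    HIGH   - convicted by Cynic and executed on at least one endpoint (active infection)
    MEDIUM - convicted at email/network but no endpoint has confirmed execution
    INFO   - suspicious only, no conviction, nothing blocked
    """
    convicted = any(ev["verdict"] == "cynic_malicious" for ev in group)
    on_endpoint = [ev for ev in group if ev["src"] == "endpoint"]
    if on_endpoint and all(ev["action"] == "blocked" for ev in on_endpoint):
        return "LOW"
    if convicted and any(ev["action"] == "executed" for ev in on_endpoint):
        return "HIGH"
    if convicted:
        return "MEDIUM"
    return "INFO"


def build_incidents(events):
    """Return incidents sorted highest priority first: (hash, priority, hosts, sources)."""
    incidents = []
    for file_hash, group in correlate(events).items():
        hosts = sorted({ev["host"] for ev in group if ev["host"]})
        sources = sorted({ev["src"] for ev in group})
        incidents.append((file_hash, prioritize(group), hosts, sources))
    incidents.sort(key=lambda inc: (PRIORITY_RANK[inc[1]], inc[0]))
    return incidents


if __name__ == "__main__":
    for file_hash, prio, hosts, sources in build_incidents(SAMPLE_EVENTS):
        print(f"{prio:6} {file_hash}  hosts={hosts}  seen_by={sources}")
```

The ordering matters more than the labels: the email-delivered file that SONAR later saw executing sorts to the top, while the network sighting of a file SEP already blocked on the same host sinks to the bottom, which is exactly the noise reduction the slides describe.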



Synapse investigation by ID, hash, URL, file name.



Search all endpoints for a file hash or registry key.



1 endpoint returned with this file hash.



Unproven, low prevalence

Pivot to endpoints



View of all files on the machines, both clean and suspicious.
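What the endpoint search returns is a per-endpoint answer to "is this hash (or registry key) present?", which the appliance then turns into a prevalence count such as "1 endpoint returned". The script below is an added example, not Symantec's endpoint search or agent code: it sweeps a constructed directory tree for files whose SHA-256 matches an IOC set and counts prevalence across hosts. The sample bytes and IOC hash are constructed; the registry-key side is omitted because it is Windows-specific.

```python
"""Evidence-of-compromise sweep by file hash, as an endpoint agent would run it,
plus the prevalence count an appliance derives when it aggregates the answers.
Added example, not Symantec's endpoint search. Registry-key search is omitted
because it is Windows-specific (winreg)."""
import hashlib
import os
import tempfile

# Constructed "malicious" sample bytes and their SHA-256, standing in for an IOC
# taken from a Cynic conviction. Not a real malware hash.
SAMPLE_BYTES = b"MZ\x90\x00constructed sample, not real malware"
IOC_HASHES = {hashlib.sha256(SAMPLE_BYTES).hexdigest()}


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root, ioc_hashes):
    """Return [(path, sha256)] for every file under root whose hash is an IOC."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # locked or unreadable file: skip it, do not abort the sweep
            if digest in ioc_hashes:
                hits.append((path, digest))
    return hits


def prevalence(results_by_host):
    """{host: [(path, sha256)]} -> {sha256: number of hosts that returned it}.
    A hash present twice on one host still counts that host once."""
    counts = {}
    for hits in results_by_host.values():
        for digest in {d for _p, d in hits}:
            counts[digest] = counts.get(digest, 0) + 1
    return counts


def demo():
    """Build one constructed endpoint filesystem and sweep it; returns the hits."""
    with tempfile.TemporaryDirectory() as root:
        bad = os.path.join(root, "AppData", "Roaming", "update.exe")
        os.makedirs(os.path.dirname(bad))
        with open(bad, "wb") as fh:
            fh.write(SAMPLE_BYTES)
        for name in ("notes.txt", "report.docx"):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"benign content " + name.encode())
        return sweep(root, IOC_HASHES)


if __name__ == "__main__":
    hits = demo()
    print(f"{len(hits)} file(s) matched an IOC hash on this endpoint")
    for path, digest in hits:
        print(path, digest)
```

A hash that only one host returns is the "unproven, low prevalence" case on the next slide: that is the signal to pivot to that endpoint and look at everything else on it, clean and suspicious.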



ATP: Email Add-On Service
Targeted Attack Identification, Detailed Reporting



Targeted Attack Identification in Email

Email Security.cloud (Skeptic and Link Following):
Clean emails delivered to recipient
Malicious emails blocked by Email Security.cloud
Emails sent for further analysis

Targeted Attack Analysis:
STAR analysts examine malicious emails
Look for zero-day malware and targeted content
Targeted attacks categorized based on thresholds
Customer Dashboard and Detailed Report updated



Enhance visibility of advanced malware
Email ATP Add-on: Detailed Malware Report
The Advanced Threat Protection module for Symantec Email Security.cloud will provide more detailed reporting on blocked malware:

Malware details
Malware name
Malicious URL or attachment file hash
Summary of what the URL does
Detection method, e.g. Skeptic, Link Following
Targeted Attack: Yes/No
Why Symantec deems the attack to be targeted (summary)
Threat Category: Trojan, InfoStealer etc.
Severity Level indicating threat sophistication

Email details
Date, time, timezone
Domain of recipient email
Rcpt To: Envelope Recipient (RFC 5321)
To Header (RFC 5322)
Source IP: sender IP address
Geo-location of source
Mail From: Envelope Sender (RFC 5321)
From Header (RFC 5322)
Subject Line
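The report's email details deliberately carry both the RFC 5321 envelope values (Mail From, Rcpt To) and the RFC 5322 header values (From, To): a targeted message typically forges the latter while the former reveals the real delivery path. The script below is an added example, not the Symantec report generator or its API: it pulls those fields, the source IP from the topmost Received header and the attachment hash out of a constructed raw message using only Python's standard library. It assumes the receiving MTA recorded the envelope sender as Return-Path and the envelope recipient as Delivered-To, which is common but not universal.

```python
"""Extract the envelope-versus-header fields the Detailed Malware Report lists
from a raw message and hash the attachment. Added example, not Symantec code.
Assumption: the receiving MTA stamped the RFC 5321 envelope sender as
Return-Path and the envelope recipient as Delivered-To (common, not universal)."""
import email
import hashlib
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real capture): the RFC 5321 envelope sender and the
# RFC 5322 From header disagree, which is why the report carries both.
SAMPLE_RAW = b"""Return-Path: <bounce@mailer-example.net>
Delivered-To: cfo@corp.example
Received: from mail.mailer-example.net (mail.mailer-example.net [203.0.113.7])
\tby mx.corp.example with ESMTP id abc123; Mon, 01 Jun 2015 09:15:02 +0000
From: "CEO" <ceo@corp.example>
To: cfo@corp.example
Subject: Urgent wire transfer
Date: Mon, 01 Jun 2015 09:14:55 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

Please process the attached invoice today.
--B
Content-Type: application/octet-stream; name="invoice.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="invoice.exe"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--B--
"""


def domain_of(addr):
    """Domain part of an address, lower-cased; empty string if there is none."""
    return addr.rpartition("@")[2].lower()


def source_ip(received_header):
    """Bracketed literal in the first (topmost) Received header: the peer our MX saw."""
    if "[" in received_header and "]" in received_header:
        return received_header.split("[", 1)[1].split("]", 1)[0]
    return ""


def report_fields(raw):
    """Return the report's email-detail fields plus attachment hashes for one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    mail_from = parseaddr(str(msg.get("Return-Path", "")))[1]   # RFC 5321 envelope sender
    rcpt_to = parseaddr(str(msg.get("Delivered-To", "")))[1]    # RFC 5321 envelope recipient
    from_hdr = parseaddr(str(msg.get("From", "")))[1]           # RFC 5322 From header
    to_hdr = parseaddr(str(msg.get("To", "")))[1]               # RFC 5322 To header
    attachments = [
        {"filename": part.get_filename(),
         "sha256": hashlib.sha256(part.get_payload(decode=True) or b"").hexdigest()}
        for part in msg.iter_attachments()
    ]
    return {
        "date": str(msg.get("Date", "")),
        "subject": str(msg.get("Subject", "")),
        "mail_from": mail_from,
        "from_header": from_hdr,
        "rcpt_to": rcpt_to,
        "to_header": to_hdr,
        "recipient_domain": domain_of(rcpt_to),
        "source_ip": source_ip(str(msg.get("Received", ""))),
        "attachments": attachments,
        # Envelope and header sender domains disagree: the spoofing tell that
        # makes showing both RFC 5321 and RFC 5322 values worthwhile.
        "sender_domain_mismatch": domain_of(mail_from) != domain_of(from_hdr),
    }


if __name__ == "__main__":
    for key, value in report_fields(SAMPLE_RAW).items():
        print(f"{key:24} {value}")
```

Only the topmost Received header is trusted for the source IP because every hop below it was written by the sender's side of the path and can be forged; the same reasoning is why the report pairs the envelope sender with the sending IP rather than with the From header.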



Malware by category, detailed breakdown of threats inbound and outbound

API to pull down data from events, streamed on request over HTTPS, CSV format



Thank you!

Copyright 2015 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
