
Symantec Enhances Endpoint Protection Capabilities

The latest version of Symantec Endpoint Protection, SEP 14.1, adds new capabilities to the signatureless machine learning malware detection SEP product it introduced last year, and integrates with other Symantec security solutions. The stated purpose is to provide end-to-end protection for endpoints in a single agent.


The key features announced this week include the addition of deception and device hardening in SEP 14.1, together with integration with a new version of Symantec Endpoint Detection and Response and with the new Mobile Threat Defense originally acquired with the purchase of Skycure in July 2017.

Deception is new to SEP. It is the deployment of deceptors — or decoy files, folders and registries — within the environment. The deceptors are designed to look valuable to an adversary who succeeds in accessing the system; but they contain nothing of consequence. The idea is to attract the adversary, slow him down on a wild goose chase, and alert the security team to his presence.

“The security team can learn through watching what the adversaries are doing — how they are trying to manifest their malware,” explains Sri Sundaralingam, head of product marketing at Symantec. “The defenders can then neutralize the attack, and include new understanding in their security posture to block any similar type of attack in the future.” Symantec is the first of the traditional endpoint security vendors to integrate deception with their endpoint product. “It means,” continues Sundaralingam, “we provide a multi-level defense against ransomware and zero-day attacks, and we improve the customer’s overall security posture.”

If a deceptor triggers and alerts the security team, it means that a breach has already occurred. Here the integration with the new EDR product (Advanced Threat Protection or ATP 3.0) comes into play to help with incident response.

“The endpoint product will recognize that a bad guy is trying to tamper with one of the deceptors,” Sundaralingam told SecurityWeek, “and it will notify the SOC team through a set of triggered descriptive alerts that will describe how the attacker is tampering with the deceptor files.” This helps the security team understand what the adversary is trying to do. Is there, for example, some unpatched vulnerability on the system? It’s a proactive defense mechanism to help the customer detect and respond to an actual, but perhaps hitherto unknown, compromise.

“Deception firstly detects the presence of a stealthy attack,” he continued; “secondly, it tells the security team what the attackers are trying to do, what system files they are seeking to compromise and so on (providing additional intelligence on how to amend the security posture to eliminate this and similar attacks); and thirdly it can slow the attack down sufficiently for the security team to take action.”
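A generic illustration of the alerting logic that decoy files, folders and registry keys rely on, added here as an example; it is not Symantec's code and does not describe how SEP 14.1 implements deceptors. The decoy paths, event fields, sample events and the "probe"/"tamper" labels are all assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed decoy inventory: hypothetical paths, not Symantec's deceptors.
DECEPTORS = {
    r"c:\finance\payroll_2017.xlsx": "file",
    r"c:\users\svc_backup\credentials": "folder",
    r"hklm\software\acmevpn\savedlogins": "registry",
}
MODIFYING = {"write", "delete", "rename", "setvalue"}

def normalise(target):
    """Windows paths and registry keys are case-insensitive; unify separators."""
    return target.replace("/", "\\").rstrip("\\").lower()

def match_deceptor(target):
    """Return the decoy a target touches, or None. Folder and registry decoys
    cover their children, matched on a component boundary so that a sibling
    such as 'credentials_old' does not raise a false alert."""
    t = normalise(target)
    for decoy, kind in DECEPTORS.items():
        if t == decoy or (kind != "file" and t.startswith(decoy + "\\")):
            return decoy
    return None

def triage(events):
    """Group decoy touches per (host, process) and describe what was done."""
    touched = defaultdict(list)
    for ev in events:
        decoy = match_deceptor(ev["target"])
        if decoy:
            touched[(ev["host"], ev["process"])].append((ev["time"], ev["op"], decoy))
    alerts = []
    for (host, process), hits in sorted(touched.items()):
        hits.sort()  # chronological: ISO 8601 timestamps sort as text
        alerts.append({
            "host": host, "process": process, "first_seen": hits[0][0],
            "severity": "tamper" if any(op in MODIFYING for _, op, _ in hits) else "probe",
            "sequence": [f"{op} {decoy}" for _, op, decoy in hits],
        })
    return alerts

# Constructed audit events: (time, host, process, operation, target).
_ROWS = [
    ("2017-11-01T09:14:02", "ws-017", "winword.exe", "read", r"C:\Finance\Q3_report.docx"),
    ("2017-11-01T09:14:09", "ws-017", "updater.exe", "write", "C:/Users/svc_backup/Credentials/vpn.txt"),
    ("2017-11-01T09:14:05", "ws-017", "updater.exe", "read", r"C:\Finance\Payroll_2017.xlsx"),
    ("2017-11-01T09:20:11", "ws-022", "backup.exe", "read", r"C:\Users\svc_backup\credentials_old\a.txt"),
    ("2017-11-01T09:21:40", "ws-022", "reg.exe", "read", r"HKLM\Software\AcmeVPN\SavedLogins\Default"),
]
SAMPLE_EVENTS = [dict(zip(("time", "host", "process", "op", "target"), r)) for r in _ROWS]
```

Calling `triage(SAMPLE_EVENTS)` yields one alert per process that touched a decoy, with the ordered sequence of operations a responder would read first.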

The integration with EDR then enables incident responders to collect data on an ongoing exploitation, providing additional information for them to locate the origins of the breach. “Combining Deception with EDR and Symantec Analytics can give the defenders an end-to-end picture of the incursion, and ensure an effective response,” he said.


Coupled with the new ATP 3.0 EDR is a new EDR Cloud offering: the same purpose, but offered as a cloud-based SaaS. The cloud offering isn’t limited to environments with Symantec endpoints — it works equally well for customers with mixed environments. “It records endpoint activity and collects data that can be used to look for new emerging attacks like fileless attacks.” It enhances investigator productivity with pre-built incident response playbooks that bring the skills and best practices of the most experienced security analysts to any organization, resulting in significantly lower costs, claims Symantec.

Device hardening is a new add-on for SEP 14. “It allows customers to lock down known good applications, to monitor the not so well-known apps, and to isolate suspicious applications — it’s application isolation,” Sundaralingam explained. Every app can be assessed and given a risk rating. Symantec already has what it calls ‘the world’s largest civilian blacklist and whitelist databases’. “Important apps like Office will be protected from unpatched 0-day exploits. Grey-area apps will be monitored, so that files downloaded via those apps can be blocked. We call it castles and jails,” he added: “we put the good apps in the castle and protect them; we put the suspicious apps in the jail and we monitor and control what those apps are doing.”

Also new is mobile threat defense through SEP Mobile. This is the rebranded and integrated mobile security product acquired with the purchase of Skycure. SEP Mobile brings desktop-quality security to mobile devices, protecting both BYOD and corporate-owned products across both Android and iOS devices used in the corporate environment.

Sundaralingam believes that the mobile threat vector hasn’t been given sufficient attention. “There are mobile device managers (MDMs) in wide use; but they are just that: managers. They don’t defend the devices. SEP Mobile provides mobile device protection.”

Symantec’s strategy outlined in this week’s announcement combines new products with increased integration around SEP 14.1 as the centerpiece. The purpose is to provide comprehensive endpoint protection through a single framework. Apart from the new products, existing products are now integrated — including, for example, the CloudSOC CASB acquired with BlueCoat. “It’s a very ambitious integration of a wide range of security capabilities,” said Sundaralingam. “We believe we are leapfrogging all the other vendors of endpoint security; both existing vendors and the new emerging products that tend to be limited in the areas they cover.”


*Updated headline

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
