The latest version of Symantec Endpoint Protection, SEP 14.1, adds new capabilities to the signatureless, machine-learning-based malware detection that the SEP product introduced last year, and integrates with other Symantec security solutions. The stated purpose is to provide end-to-end protection for endpoints through a single agent.
The key features announced this week are the addition of deception and device hardening in SEP 14.1, integration with a new version of Symantec Endpoint Detection and Response, and integration with the new Mobile Threat Defense, originally acquired with the purchase of Skycure in July 2017.
Deception is new to SEP. It is the deployment of deceptors — or decoy files, folders and registries — within the environment. The deceptors are designed to look valuable to an adversary who succeeds in accessing the system; but they contain nothing of consequence. The idea is to attract the adversary, slow him down on a wild goose chase, and alert the security team to his presence.
“The security team can learn through watching what the adversaries are doing — how they are trying to manifest their malware,” explains Sri Sundaralingam, head of product marketing at Symantec. “The defenders can then neutralize the attack, and include new understanding in their security posture to block any similar type of attack in the future.” Symantec is the first of the traditional endpoint security vendors to integrate deception with its endpoint product. “It means,” continues Sundaralingam, “we provide a multi-level defense against ransomware and zero-day attacks, and we improve the customer’s overall security posture.”
If a deceptor triggers and alerts the security team, it means that a breach has already occurred. Here the integration with the new EDR product (Advanced Threat Protection, or ATP 3.0) comes into play to help with incident response.
“The endpoint product will recognize that a bad guy is trying to tamper with one of the deceptors,” Sundaralingam told SecurityWeek, “and it will notify the SOC team through a set of triggered descriptive alerts that will describe how the attacker is tampering with the deceptor files.” This helps the security team understand what the adversary is trying to do. Is there, for example, some unpatched vulnerability on the system? It’s a proactive defense mechanism to help the customer detect and respond to an actual, but perhaps hitherto unknown, compromise.
“Deception firstly detects the presence of a stealthy attack,” he continued; “secondly, it tells the security team what the attackers are trying to do, what system files they are seeking to compromise and so on (providing additional intelligence on how to amend the security posture to eliminate this and similar attacks); and thirdly it can slow the attack down sufficiently for the security team to take action.”
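To make the mechanism concrete, the following Python script is an added illustration of how a file-based deceptor can be monitored so that tampering produces a descriptive alert. It is not Symantec's code and does not represent how SEP implements deception; the decoy file names, the alert fields and the three tamper categories (modified, deleted, permissions changed) are assumptions made for this example.

```python
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass

# Assumed decoy inventory: names that look worth stealing, with contents that
# are harmless. The names and contents are constructed for this example.
DECOY_FILES = {
    "passwords.txt": "# decoy file planted by the security team; nothing here is real\n",
    "vpn_config_backup.ovpn": "# decoy OpenVPN profile; contains no usable credentials\n",
    "finance_q3_export.csv": "id,amount\n1,0\n2,0\n",
}


@dataclass
class DecoyRecord:
    path: str
    size: int
    sha256: str
    mode: int


@dataclass
class Alert:
    path: str
    kind: str     # "modified", "deleted" or "permissions_changed" (assumed names)
    detail: str   # human-readable description for the SOC analyst


def plant_decoys(directory):
    """Write the decoy files into `directory` and return their paths."""
    paths = []
    for name, body in DECOY_FILES.items():
        path = os.path.join(directory, name)
        with open(path, "w") as fh:
            fh.write(body)
        paths.append(path)
    return paths


def fingerprint(path):
    """Record size, content hash and permission bits of one decoy."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return DecoyRecord(path, st.st_size, digest, stat.S_IMODE(st.st_mode))


class DecoyMonitor:
    """Baseline every decoy once, then report any deviation as an alert.

    A polling monitor like this sees writes, deletions and permission changes;
    it cannot see read-only access (atime is unreliable on most systems), which
    is why endpoint products hook file-system access instead of polling.
    """

    def __init__(self, paths):
        self.baseline = {p: fingerprint(p) for p in paths}

    def check(self):
        alerts = []
        for path, base in self.baseline.items():
            if not os.path.exists(path):
                alerts.append(Alert(path, "deleted", "decoy removed from disk"))
                continue
            current = fingerprint(path)
            if current.sha256 != base.sha256:
                alerts.append(Alert(path, "modified",
                                    f"content changed ({base.size} -> {current.size} bytes)"))
            elif current.mode != base.mode:
                alerts.append(Alert(path, "permissions_changed",
                                    f"mode {oct(base.mode)} -> {oct(current.mode)}"))
        return alerts


def simulate_tampering():
    """Plant decoys in a scratch directory, tamper with them as an intruder
    might, and return the alert kinds raised at each stage."""
    workdir = tempfile.mkdtemp(prefix="decoy-demo-")
    paths = plant_decoys(workdir)
    monitor = DecoyMonitor(paths)
    stages = {"clean": [a.kind for a in monitor.check()]}
    with open(paths[0], "a") as fh:            # first decoy gets appended to
        fh.write("injected line\n")
    stages["after_modify"] = [a.kind for a in monitor.check()]
    os.remove(paths[1])                        # second decoy is deleted
    stages["after_delete"] = sorted(a.kind for a in monitor.check())
    return stages


if __name__ == "__main__":
    for stage, kinds in simulate_tampering().items():
        print(f"{stage}: {kinds or 'no alerts'}")
```

Each alert carries the path and a short description of what changed, which is the kind of "descriptive alert" a SOC analyst needs to decide whether the touch was a backup job or an intruder. Because the decoys hold nothing real, every hit on them is high-signal compared with alerts from files that legitimate users also open.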
The integration with EDR then enables incident responders to collect data on an ongoing exploitation, providing additional information for them to locate the origins of the breach. “Combining Deception with EDR and Symantec Analytics can give the defenders an end-to-end picture of the incursion, and ensure an effective response,” he said.
Coupled with the new ATP 3.0 EDR is a new EDR Cloud offering — the same purpose, but offered as a cloud-based SaaS. The cloud offering isn’t limited to environments with Symantec endpoints — it works equally well for customers with mixed environments. “It records endpoint activity and collects data that can be used to look for new emerging attacks like fileless attacks.” It enhances investigator productivity with pre-built incident response playbooks that bring the skills and best practices of the most experienced security analysts to any organization, resulting in significantly lower costs, claims Symantec.
Device hardening is a new add-on for SEP 14. “It allows customers to lock down known good applications, to monitor the not so well-known apps, and to isolate suspicious applications — it’s application isolation,” Sundaralingam explained. Every app can be assessed and given a risk rating. Symantec already has what it calls ‘the world’s largest civilian blacklist and whitelist databases’. “Important apps like Office will be protected from unpatched 0-day exploits. Grey-area apps will be monitored, so that files downloaded via those apps can be blocked. We call it castles and jails,” he added: “we put the good apps in the castle and protect them; we put the suspicious apps in the jail and we monitor and control what those apps are doing.”
Also new is mobile threat defense through SEP Mobile. This is the rebranded and integrated mobile security product acquired with the purchase of Skycure. SEP Mobile brings desktop-quality security to mobile devices, protecting both BYOD and corporate-owned devices, on both Android and iOS, used in the corporate environment.
Sundaralingam believes that the mobile threat vector hasn’t been given sufficient attention. “There are mobile device managers (MDMs) in wide use; but they are just that: managers. They don’t defend the devices. SEP Mobile provides mobile device protection.”
Symantec’s strategy outlined in this week’s announcement combines new products with increased integration around SEP 14.1 as the centerpiece. The purpose is to provide comprehensive endpoint protection through a single framework. Apart from the new products, existing products are now integrated — including, for example, the CloudSOC CASB acquired with BlueCoat. “It’s a very ambitious integration of a wide range of security capabilities,” said Sundaralingam. “We believe we are leapfrogging all the other vendors of endpoint security; both existing vendors and the new emerging products that tend to be limited in the areas they cover.”