
Symantec Advanced Threat Protection

Any information regarding pre-release Symantec offerings, future updates or other planned modifications is subject to ongoing evaluation by Symantec and therefore subject to change. This information is provided without warranty of any kind, express or implied. Customers who purchase Symantec offerings should make their purchase decision based upon features that are currently available.
Symantec Confidential. Subject to NDA

You see the results daily. How many go undetected and unreported?
Total Data Breaches, January 2014 to December 2014: 312
Total Identities Exposed, January 2014 to December 2014: 348 million


Unencrypted POS post-Target
5 months to detection
2 weeks to uncover
Via vendor + 0-day vulnerability
56 million credit cards stolen

Attackers wanted instant impact
4 unreleased movies
25GB, 33K files
Disabled email, wifi
Delayed paychecks

1 month to detection
5 DB admins compromised
80 million medical records stolen
Medical records 10 times more valuable than credit cards on the black market

Even with the best prevention technologies, can you stop advanced persistent threats?
PREPARE: Understanding Where Important Data Is & Who Can Access It
PREVENT: Stopping Incoming Attacks
DETECT: Finding Incursions
RESPOND: Containing & Remediating Problems
RECOVER: Restoring Operations

While prevention is still very important, you need to prepare to be breached.

If you are breached, how fast can you detect, respond and recover?

Our Future:


Symantec Advanced
Threat Protection

Symantec Advanced Threat Protection


CLOUD SANDBOX: Physical & Virtual Detonation
CORRELATION and Prioritization
INVESTIGATION
REMEDIATION
Detect once, Find everywhere
Block, Clean, Fix in real-time
Global Intelligence | Exported Data
Control points: ENDPOINT | NETWORK | EMAIL | 3RD PARTY

More Intelligence | Better Detection & Faster Response | Correlated Across Control Points | Integrated with Endpoint Protection


WHY IS SYMANTEC'S ADVANCED THREAT PROTECTION BETTER?


Unmatched Intelligence & Analytics
Endpoints: 175M total, 120M enterprise, 12M server
Email boxes: 850M total, 25M enterprise (SEG only)
New focus areas: Threat analytics & adversary threat intelligence

Unparalleled Prevention
Consistent leader in endpoint & email protection
Global Intelligence | Exported Data | Advanced Threat Protection: Detect, Prioritize, Investigate, Remediate

Unequaled Detection (15% better according to early 3rd party tests)
Complete coverage of control points: endpoint, email, and network
And threat vectors: C2 callbacks, behavioral, reputation, exploits
Complemented by new techniques: Cynic cloud payload detonation, Synapse correlation

Unbeatable Response
Prioritize via correlation with the endpoint and enterprise context
Investigate efficiently: Where is a threat? How did it get in?
Contain the threat across the enterprise & remediate with one click

Endpoint | Network | Email | 3rd party

Delivered at the Lowest Security OpEx
Integrated with Endpoint Protection & Email Security
Cloud payload detonation
A single console, a partner ecosystem, and an API driven approach

ATP in Action: Suspicious File via Email
Components: Email with Suspicious File or URL | Cynic | Synapse | ATP: Email | ATP: Endpoint


ATP: Email flags the file as suspicious and sends it to Cynic
Cynic convicts the file


High priority event
Admin drills down to the Cynic conviction
Portal | ATP: Network
Admin runs Power Eraser on infected endpoints
Admin can block the file at ATP: Network, ATP: Endpoint and ATP: Email

Comprehensive Detection

Symantec Confidential. Subject to NDA

Detection Pipeline: Technologies tested and proven on >200M endpoints for faster, more accurate detection

Blacklist, Whitelist: Blocks or allows per Symantec sourced blacklist and customer created whitelist
Vantage: Blocks malware as it tries to spread over the network
File: Scans and eradicates malware files that arrive on a system
Insight: Determines the safety of files & websites using the wisdom of the crowd (analytics)
Cynic: Malware analysis finds unknown malware that bypassed the pipeline

On Box: C&C detections, GIN; Protocol aware IPS; Antivirus Engine; Vulnerability and Exploit blocking; Auto Protect; Malheur

Cloud: Domain/IP Reputation; File Reputation; Android APK Reputation; Various Windows, Office, Adobe versions; Bare Metal for VM-evasive payloads

SYMANTEC CYNIC - NEW: CLOUD-BASED PAYLOAD DETONATION
Broad coverage: Office docs, PDF, Java applets, containers, portable executables
More Effective: Mimics human interaction in realistic environments, runs on virtual & bare metal
Cloud Advantages: Innovative techniques such as malware clustering, and scales to meet demands

SYMANTEC SYNAPSE - NEW: CORRELATION AND PRIORITIZATION
Effective Prioritization: Prioritizes high for active infection or low for blocked infection
Forensic Investigation: Intelligent grouping for campaigns, threat evolution, and resolution
Ease of Use: No new agents or complex SIEM rules, integrated console


Symantec Advanced Threat Protection: Network


Network Traffic | Internet | Endpoints | Real-time Inspection | SATP:N
Blacklist | Vantage | Insight | AV

On-box inspection with proven technologies. In-line = block; TAP-mode = inspect only
Asynchronous inspection of suspicious files sent to Cynic for analysis
Cynic assesses file behavior in multiple sandboxing VMs, up to and including bare metal execution for VM-aware malware, and utilizes Skeptic and SONAR heuristics
Mobile Insight | Symantec big data intelligence | Symantec Cloud | Cynic | Email & Endpoint (ESS, SEPM)
Behaviors are put in global context against Symantec Intelligence Data and correlated to email and endpoint events via Synapse
Verdict and an actionable, richly detailed report on what Cynic observed is provided, prioritized contextually
Synapse Correlation
Conviction, Actionable intelligence

Symantec Advanced Threat Protection: Endpoint


ATP Endpoint | Endpoints, Users | Internet
Virtual Appliance: Scales to 60k endpoints

ATP Endpoint Detection Pipeline: Focuses on what SEP does not block
Insight, SONAR, File and Vantage automatically and continuously identify suspicious events and send them to ATP: Endpoint
Machine learning component on the appliance reduces noise and prioritizes suspicious events received from all endpoints

Cynic (in the Symantec Cloud)

Criterion (on the Appliance)
Cynic and the body of evidence help move suspicious events to a state of high confidence

Agent (i.e. SEP 12.1)

Evidence of compromise search

Blacklisting & containment

Symantec Advanced Threat Protection: Email


End-users | Internet | Email Security.cloud (Core service) | Customer mail server (or hosted mailbox provider) | ATP: Email
Connection Process | Brightmail | Symantec AV | Skeptic
Cynic: Malware analysis finds unknown malware that bypassed the pipeline


Real-time Link Following
Various Windows, Office, Adobe versions; Bare metal for VM-evasive payloads

ATP: Email R1 (Summer 2015): Targeted Attack identification; Detailed malware reporting; Data feed for SIEM; Data feed to Synapse for correlation in ATP solution
ATP: Email R2 (Winter 2015): Cynic integration, better detection and behavioral reporting

Comprehensive Detection: Cynic


Detection Type
Whois, Safeweb results
VirusTotal lookup: 0/57 detection ratio


Where else Symantec has seen the file, and by what name. Often, newer detections haven't been seen before.

Behaviors classified as Malicious, Suspicious, Informational


Each incident shows related incidents by IP or File


Faster Response: Synapse Investigation, Endpoint Search


SEP Blocked events are correlated, and lowest priority
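The Synapse rule stated on the Cynic/Synapse slide (high priority for an active infection, low for a blocked one) and the "SEP Blocked events are correlated, and lowest priority" screenshot above describe the same correlation step. The following script is an added illustration of that step, not Symantec's own code: it joins a sandbox conviction to constructed endpoint events, assigns the priority per host, and offers the "find everywhere" and "related incidents by IP or file" pivots the investigation slides show. The event fields, the hash-to-verdict shape and all sample data are assumptions made for this example.

```python
"""Synapse-style correlation and prioritization of a sandbox conviction.

Added example, not Symantec's own code: it applies the rule the deck states
(priority high for an active infection, lowest priority when SEP already
blocked the file) to constructed endpoint events. Field names, the event
shape and the sample data are assumptions made for this illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed indicators: 64 hex characters so they look like SHA-256 digests.
MAL_HASH = "ab" * 32
BENIGN_HASH = "cd" * 32

# Assumed shape of what the sandbox returns: file hash -> verdict.
CONVICTIONS = {MAL_HASH: "malicious", BENIGN_HASH: "clean"}


@dataclass(frozen=True)
class EndpointEvent:
    host: str      # endpoint that reported the file
    sha256: str    # hash of the file seen on that endpoint
    action: str    # "blocked" if SEP stopped it, "allowed" if it ran or landed
    src_ip: str    # address the file came from (constructed, documentation range)


# Constructed sample events from three endpoints; ws-01 was hit twice.
EVENTS = [
    EndpointEvent("ws-02", MAL_HASH, "blocked", "203.0.113.10"),
    EndpointEvent("ws-01", MAL_HASH, "blocked", "203.0.113.10"),
    EndpointEvent("ws-01", MAL_HASH, "allowed", "203.0.113.10"),
    EndpointEvent("ws-03", BENIGN_HASH, "allowed", "198.51.100.7"),
]


def prioritize(convictions, events):
    """Map each host that saw a convicted file to (priority, reason).

    An 'allowed' event means the convicted file was not stopped: active
    infection, high priority. A host whose only events were blocked gets
    the lowest priority. The highest priority seen for a host wins, so the
    order in which events arrive does not change the outcome.
    """
    incidents = {}
    for ev in events:
        if convictions.get(ev.sha256) != "malicious":
            continue  # clean or unknown file: nothing to correlate
        if ev.action == "blocked":
            verdict = ("low", "SEP blocked the file; no active infection")
        else:
            verdict = ("high", "convicted file was not blocked: active infection")
        if ev.host not in incidents or verdict[0] == "high":
            incidents[ev.host] = verdict
    return incidents


def find_everywhere(sha256, events):
    """'Detect once, find everywhere': every host that reported this hash."""
    return sorted({ev.host for ev in events if ev.sha256 == sha256})


def related_incidents(events):
    """Group hosts by source IP and by file hash, the two pivots the
    investigation view offers for related incidents."""
    by_ip, by_hash = defaultdict(set), defaultdict(set)
    for ev in events:
        by_ip[ev.src_ip].add(ev.host)
        by_hash[ev.sha256].add(ev.host)
    return ({ip: sorted(h) for ip, h in by_ip.items()},
            {sha: sorted(h) for sha, h in by_hash.items()})


if __name__ == "__main__":
    for host, (priority, reason) in sorted(prioritize(CONVICTIONS, EVENTS).items()):
        print(f"{host}: {priority} priority ({reason})")
    print("hosts with the convicted file:", find_everywhere(MAL_HASH, EVENTS))
```

Run stand-alone, the script reports ws-01 as high priority (the file was blocked once but later ran) and ws-02 as low priority (blocked only); ws-03 never appears because its file was not convicted.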


Synapse Investigation by id, hash, URL, file name


Search all endpoints for file hash or reg key


1 endpoint returned with this file hash


Unproven, low prevalence

Pivot to endpoints


View of all files on the machines, both clean and suspicious


ATP: Email Add-On Service: Targeted Attack Identification, Detailed Reporting


Targeted Attack Identification in Email
Email Security.cloud: Clean emails delivered to recipient; Malicious emails blocked by Skeptic and Link Following; Emails sent for further analysis
Targeted Attack Analysis: STAR analysts examine malicious emails


Look for zero-day malware and targeted content
Targeted attacks categorized based on thresholds
Customer Dashboard and Detailed Report updated
Enhance visibility of advanced malware


Email ATP Add-on: Detailed Malware Report
The Advanced Threat Protection module for Symantec Email Security.cloud will provide more detailed reporting on blocked malware:

Malware details
Malware name
Malicious URL or attachment file hash
Summary of what the URL does
Detection method e.g. Skeptic, Link Following
Targeted Attack Yes/No
Why Symantec deems attack to be targeted (summary)
Threat Category - Trojan, InfoStealer etc.
Severity Level indicating threat sophistication

Email details
Date, time, timezone
Domain of recipient email
Rcpt To Envelope Recipient RFC5321
To Header RFC5322
Source IP - sender IP address
Geo-location of source
Mail From Envelope Sender RFC5321
From Header RFC5322
Subject Line


Malware by category, detailed breakdown of threats inbound and outbound
API to pull down data from events, streamed on request over HTTPS, CSV format
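The report fields listed on the Detailed Malware Report slide and the CSV-over-HTTPS data feed described here are what a SIEM integration would consume. The script below is an added example of that consumer and is not Symantec's client code or schema: the column headers are named after the fields on the slide, but their exact spelling, the Direction column (added so the inbound/outbound breakdown can be computed) and every sample row are assumptions constructed for this illustration. It validates the sender IP, classifies the indicator column, breaks threats down by direction and category, pulls out the targeted attacks, and flattens each row to the keys a SIEM ingest rule would match on.

```python
"""Consume the Detailed Malware Report CSV feed and summarize it for a SIEM.

Added example, not Symantec's own client or schema: the columns follow the
fields listed on the report slide, but their exact header spelling, the
Direction column and every sample row are assumptions constructed here.
"""
import csv
import io
import ipaddress
from collections import Counter

# Constructed attachment hash (64 hex chars, not a real sample).
FAKE_SHA256 = "ab" * 32

# Constructed feed: header row named after the report fields, then three rows
# (one targeted inbound, one inbound URL lure, one outbound with a bad IP field).
SAMPLE_CSV = f"""\
Malware Name,Date,Time,Timezone,Recipient Domain,Rcpt To,To Header,Source IP,Geo-location,Mail From,From Header,Subject,Malicious URL or Attachment Hash,URL Summary,Detection Method,Targeted Attack,Targeted Reason,Threat Category,Severity,Direction
Trojan.Example,2015-06-01,08:12:04,UTC,example.org,alice@example.org,alice@example.org,203.0.113.10,NL,bill@mail.invalid,bill@mail.invalid,Invoice attached,{FAKE_SHA256},,Skeptic,Yes,Executive recipient with lure content,Trojan,High,Inbound
Infostealer.Example,2015-06-01,09:40:51,UTC,example.org,bob@example.org,bob@example.org,198.51.100.7,DE,news@mail.invalid,news@mail.invalid,Your statement,http://malicious.invalid/x,Drops an executable,Link Following,No,,InfoStealer,Medium,Inbound
Trojan.Example,2015-06-02,14:05:17,UTC,partner.example,carol@partner.example,carol@partner.example,not-an-ip,,alice@example.org,alice@example.org,Re: Invoice,{FAKE_SHA256},,Symantec AV,No,,Trojan,High,Outbound
"""


def classify_indicator(value):
    """Tell a URL indicator from a SHA-256 attachment hash; anything else is unknown."""
    if value.lower().startswith(("http://", "https://")):
        return "url"
    if len(value) == 64 and all(c in "0123456789abcdef" for c in value.lower()):
        return "sha256"
    return "unknown"


def parse_feed(text):
    """Parse the CSV into records with normalized helper fields.

    The feed is third-party data, so the Source IP is validated rather than
    trusted, and the Yes/No targeted flag is turned into a boolean.
    """
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        rec = {k.strip(): (v or "").strip() for k, v in row.items()}
        try:
            ipaddress.ip_address(rec["Source IP"])
            rec["source_ip_valid"] = True
        except ValueError:
            rec["source_ip_valid"] = False
        rec["is_targeted"] = rec["Targeted Attack"].lower() == "yes"
        rec["indicator_type"] = classify_indicator(rec["Malicious URL or Attachment Hash"])
        records.append(rec)
    return records


def category_breakdown(records):
    """Count threats by (Direction, Threat Category): the inbound/outbound view."""
    return Counter((r["Direction"], r["Threat Category"]) for r in records)


def targeted_attacks(records):
    """(recipient, malware name, reason) for every row flagged as targeted."""
    return [(r["Rcpt To"], r["Malware Name"], r["Targeted Reason"])
            for r in records if r["is_targeted"]]


def to_siem_event(rec):
    """Flatten one record to the key set a SIEM ingest rule would match on."""
    return {
        "timestamp": f'{rec["Date"]}T{rec["Time"]} {rec["Timezone"]}',
        "malware": rec["Malware Name"],
        "category": rec["Threat Category"],
        "severity": rec["Severity"],
        "direction": rec["Direction"],
        "recipient": rec["Rcpt To"],
        "sender_ip": rec["Source IP"] if rec["source_ip_valid"] else None,
        "indicator": rec["Malicious URL or Attachment Hash"],
        "indicator_type": rec["indicator_type"],
        "detection": rec["Detection Method"],
        "is_targeted": rec["is_targeted"],
    }


if __name__ == "__main__":
    recs = parse_feed(SAMPLE_CSV)
    for (direction, category), n in sorted(category_breakdown(recs).items()):
        print(f"{direction:8} {category:12} {n}")
    for recipient, name, reason in targeted_attacks(recs):
        print(f"targeted: {recipient} <- {name} ({reason})")
    print(to_siem_event(recs[2]))
```

The invalid Source IP in the third row is kept as a record but its sender_ip is nulled in the SIEM event, so a downstream rule keyed on sender address fails closed instead of matching on garbage.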


Thank you!

Copyright 2015 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be
trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by
law. The information in this document is subject to change without notice.
