Endpoint Detection and Response (EDR)


Best Way to Implement EDR With Existing SEP/SEPM Environment

  • 1.  Best Way to Implement EDR With Existing SEP/SEPM Environment

    Posted Aug 12, 2021 02:15 PM
    Edited by JASON LINDSEY Aug 12, 2021 02:18 PM
    Hello,

    I am looking for information on the best way to implement Symantec EDR with my current Symantec Endpoint Protection environment.  Currently, I am running a Symantec Endpoint Protection Manager server that manages roughly 70 Symantec Endpoint Protection clients.  This has not been enrolled to the cloud yet.  I am interested in deploying EDR to my environment for such things as ransomware security and I would like to know what would be the best approach in doing this. 

    I know that Symantec offers the Symantec Advanced Threat Protection 8840 appliance, which seems to integrate with SEP, so would this be the best approach to my current setup, or is there a better solution to incorporate EDR into SEP?  I would like to keep this on-premises if possible, but I am open to cloud solutions if that is a better approach.    

    Any information is appreciated. 

    Thank you


  • 2.  RE: Best Way to Implement EDR With Existing SEP/SEPM Environment

    Broadcom Employee
    Posted Aug 13, 2021 07:28 AM
    Hello Jason,

    For an on-premises implementation of EDR for an environment of this size we recommend implementing a virtual appliance for the EDR manager application. The virtual appliance is supported running on VMware.  There is no need to enroll your on-premises SEP Manager to the cloud for this to work. The on-premises EDR Manager application will integrate directly with your SEP Manager.

    The ATP 8840 appliance only supported EDR endpoint management for the 2.x generation of software; for the 3.x and 4.x releases it was intended to be used for EDR Network Sensor roles. 

    Both of the older generation appliances, the ATP 8840 and 8880, are "end of sale" and have been replaced by a new model of physical appliance, the S550.  The S550 is designed to support EDR environments with up to 50,000 endpoints, while the Virtual Appliance option will support up to 10,000 endpoints.

    Reference material is available online here: https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-detection-and-response/4-6/introduction-v119804561-d38e3280/sizing-the-management-console-v125116902-d38e2117.html

    For clarity "ECC 2.0" was the terminology for the endpoint activity recorder functionality that was introduced with the ATP 3.x software and forms a core capability for modern EDR solutions.

    regards,
    Gavin Fulton, EDR PM


  • 3.  RE: Best Way to Implement EDR With Existing SEP/SEPM Environment

    Posted Aug 13, 2021 10:26 AM
    Gavin, unfortunately my virtual environment runs on Microsoft Hyper-V, which I don't believe is supported, so the virtual appliance is not an option for us otherwise I would have heavily considered it.  It's really unfortunate Hyper-V isn't supported to be honest. 

    It seems that I am getting conflicting answers as to whether the cloud option will work for us.  In a previous post another Broadcom employee stated that the cloud option would work fine for our size of 100 endpoints.  Are you saying this won't work and I should consider the S550 over cloud?


  • 4.  RE: Best Way to Implement EDR With Existing SEP/SEPM Environment

    Broadcom Employee
    Posted Aug 13, 2021 10:37 AM
    Hi Jason,

    Our cloud option would also be a great solution for an environment of your size (or any size for that matter).

    What I was calling out was that to deliver EDR capabilities integrated with your on-premises SEP Manager, you will need to have an on-premises EDR Manager appliance.

    However you can migrate to the cloud management functionality for both endpoint protection (SEP) AND EDR features, which requires no on-premises management components.

    Regards,
    Gavin



  • 5.  RE: Best Way to Implement EDR With Existing SEP/SEPM Environment

    Posted Aug 13, 2021 10:43 AM
    Ok, thank you for the clarification.  Would it be possible to migrate to the cloud and see how well that works out, and if it doesn't provide the functionality that we would like that an appliance would have, could we migrate back to on-premises?  Is this something that would be more trouble than what it's worth in your opinion?


  • 6.  RE: Best Way to Implement EDR With Existing SEP/SEPM Environment

    Broadcom Employee
    Posted Aug 13, 2021 12:28 PM
    Hi Jason,

    Yes, it is a relatively simple task to change a SEP client from SEPM Management on-premises to ICDm management from the cloud.

    There are various options depending upon your own specific situation, and some excellent documentation about your options here: https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-security/sescloud/Upgrading.html

    We use the term "Symantec Endpoint Security" to refer to a SEP endpoint managed from the cloud (by our ICDm Platform) and "Symantec Endpoint Security" to refer to a SEP endpoint managed by a SEPM on-premises.

    There is even a command line that can be executed on an SEP endpoint to change it between SEPM and ICDm management and back.
    Details are available in the online documentation: https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/appendices/windows-commands-for-the-endpoint-protection-clien-v9567615-d19e6200.html


  • 7.  RE: Best Way to Implement EDR With Existing SEP/SEPM Environment

    Posted Aug 13, 2021 12:56 PM
    Very helpful information!  My main goal with this is to finally start using EDR technologies and from what I have read so far it seems that I would need to use my current SEPM server with an S550 appliance in order to achieve that, or take everything to cloud management.  Would you say that is accurate?  If I run in a 'hybrid' deployment, can I manage my clients on my SEPM server, but then use EDR from the cloud and have all the functionality available to me without having to use an appliance?  I don't believe this would be possible but thought I'd ask for clarification.


  • 8.  RE: Best Way to Implement EDR With Existing SEP/SEPM Environment

    Broadcom Employee
    Posted Aug 16, 2021 04:46 AM
    Hi Jason,

    You are correct, you would need to use your current SEPM server with an S550 appliance in order to achieve that, or take everything to cloud management.

    regards,
    Gavin



  • 9.  RE: Best Way to Implement EDR With Existing SEP/SEPM Environment

    Posted Aug 16, 2021 12:05 PM
    At this point I think I am going to try the full cloud solution first to see how it goes.  In your opinion, are there any major downsides to cloud vs on-premises that should be noted?  Pretty much everything I read claims that the cloud option is practically the same parity as on-premises now.


  • 10.  RE: Best Way to Implement EDR With Existing SEP/SEPM Environment

    Broadcom Employee
    Posted Aug 17, 2021 04:40 AM
    Hi Jason,
    No, there are no major downsides to cloud vs on-premises management and both can be equally valid approaches for a wide range of scenarios. Each approach has some unique features that are approached differently based on the management paradigm. I always recommend that customers review the specific features and functions they have implemented on-prem with SEPM and check to see how that use case is addressed through ICDm from the cloud.

    regards,
    Gavin


  • 11.  RE: Best Way to Implement EDR With Existing SEP/SEPM Environment

    Posted Sep 02, 2021 10:44 PM
    Hi Gavin,

    We are also looking to incorporate EDR in our on-prem SEPM setup (currently 14.3 MP1).

    Upon reviewing the documentation "Quick reference for Symantec Endpoint Protection -managed versus Symantec Endpoint Security -managed features in ICDm"

    It looks to me that unless I use the Symantec Endpoint Security Complete suite I will only have the ability to manage an EDR policy with our current on-prem setup, but I will not have access to behavioral forensics, threat hunting and rapid response, or expert SOC investigator.

    I'm also gathering that our SEP license will not be sufficient and that we will be required to have a SES subscription in order to leverage EDR.


  • 12.  RE: Best Way to Implement EDR With Existing SEP/SEPM Environment

    Broadcom Employee
    Posted Sep 03, 2021 06:20 AM
    Edited by Gavin Fulton Sep 03, 2021 07:00 AM
    Hi William,

    The SEP license only ever provided entitlement to the prevention feature of the SEP Agent. The EDR features of the agent were always an additional cost entitlement.

    More specifically, the SEP license (subscription or perpetual) was/is an entitlement for the full set of preventative features of a SEP agent managed by an on-prem SEP Manager. There was historically a separate EDR license (subscription only) entitlement for the on-prem EDR Management platform and capability to enable the SEP Agent's EDR features. Existing customers with both SEP & EDR entitlements can continue to renew these.

    Last year there was a simplification of the licensing models and the "SES Complete" (aka SESC) subscription license now provides a single entitlement that covers SEP and EDR functionality, as well as a range of other features (including Threat Defense for Active Directory and Secure Connection). This SESC also provides entitlement to both on-prem and cloud management as appropriate for the various features. Customers that had not previously purchased an EDR license can now purchase a SESC license if they wish to use the EDR features.

    The table you are referring to in the online documentation is comparing the functionality of a SEP license with the full functionality of "Symantec Endpoint Security Complete" (aka SESC).

    I hope this clarifies the situation. I am sure your Symantec reseller partner will be able to provide more specific guidance for your circumstances.

    regards,
    Gavin