Endpoint Protection

Introduction

This is the eighth in my Security Series of Connect articles.  For more information on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions), see Mick's Greatest Hits: Index of Helpful Connect Security Articles. This article was last updated December 2017.

In the spirit of A Helpful LiveUpdate Administrator 2.x Analogy, here is an offbeat way to understand the various components that comprise the Symantec Endpoint Protection suite of security.

Wait, SEP is Not Just Antivirus?

AV alone is not enough against today’s sophisticated threats.  Symantec AntiVirus (an AV alone product) reached its end of life years ago.  Today’s SEP is a whole collection of security technologies that complement each other.  A flashy video introduction to each of the technologies:

Move Beyond Antivirus with Intelligent Security (3:05)

But, I am a crime fiction fan and like to image it differently….

Think of your Computer as a City.

Your computer has resources, pathways, people and cars running around, new stuff, old stuff, infrastructure, laws, onramps to the good old Information Superhighway.  There’s usually an Irish pub to be found in there, too (or at least vacation photos from one).  There’s work done in this place, and fun, and important business.  Some of it is frequently visited and kept shiny and new.  Some of its districts were built many years ago and are seldom visited.  Other regions became defunct and are no longer used for their original purpose but have not yet been knocked down.  Bad things happen in these places, even in broad daylight.

Is this a Walled City or Wide-Open?

A traditional Windows XP machine, freshly installed, is wide-open.  (The original releases of it were really not designed with security in mind.)  Think of it as on a plain with rivers, roads, hiking trails running into and out of it.  It’s easy for legitimate traffic and illegitimate to slip in and out.

Now install Network Threat Protection, SEP’s Firewall component.  This has thrown a big wall up around it, a control to ensure that connections are only made through approved points of entry.

Beyond Antivirus with NTP

A Ha! I’ve Heard a Story About A Trojan Horse and a Walled City.

You’re catching on to the analogy!

Who’s Keeping Watch inside the City?

The AntiVirus component is like the city’s police force.  There are patrols on watch, pouncing on any dangerous actor or illegal process as soon as it kicks off (Auto-Protect).   Hopefully the force is also carrying out raids on a suspicious premises and manhunts searching for suspicious activity (scheduled scans and manual scans).  This police department is briefed several times per day on the latest dodgy characters to watch for (new definitions) but they also have street sense that can tell when something’s not right, even without a specific mug shot (heuristics).

Of course, the most important cop in town is the Chief of Police (security admin of the computer).  There may be national laws that guide how the Chief can work (company policies and security configurations) but all reports and information should ultimately cross the Chief’s desk, prompting any necessary reactions.

What’s Stopping Bad Stuff from Coming into Town?

One of the most powerful tools is IPS.  Think of this as the (unfairly underrated) Postal Inspection Service: it inspects all the packets on the way into or out of the city and stops what it knows to be malicious before any harm is done.  PIS (and IPS) can work efficiently on a massive scale without interfering with legitimate traffic.  Not only that, it has the power to determine who sent the dangerous package so that it can be tracked down.

IPS is absolutely crucial.  It is the most effective defense against drive-by downloads.

Blocked by Symantec Endpoint Protection

Not all Security in a City belongs to the Police Force.

True.  Think of all the bouncers on duty at all the pubs, clubs, shops and bars.  SEP’s SONAR component  (also known as BASH and as Proactive Threat Protection) is similarly behavioral based.  It jumps into action whenever a process starts making trouble.  “I don’t care who you are, you’re not acting like that in here!”

It can also be an excellent source of intelligence about which residents of the city should be on the chief's radar.

Using SEPM Alerts and Reports to Combat a Malware Outbreak
https://www-secure.symantec.com/connect/articles/using-sepm-alerts-and-reports-combat-malware-outbreak

ADC?  Is that like FBI?

Well, it’s three letters.  Application and Device Control (ADC) is SEP’s optional component which lets the administrator create powerful custom policies for their environment.

For example: say there is a problem with hoodie-wearing skateboard kids hanging out in public squares.  Skateboarding is not a crime (the program that does not meet Symantec’s criteria for detection), but the Chief of police wants to block this.  It’s possible to put through a local ordinance (ADC policy) that will prevent that behavior from running within city limits.

All About Grayware
https://www-secure.symantec.com/connect/articles/all-about-grayware

So Where’s the FBI in this Analogy?

In SEP 12.1 RU5 and above, it is possible for an administrator to remotely send in a special on-demand in-depth kind of scan called Power Eraser.  Like the FBI, this can identify malicious material that other components did not.

Starting Power Eraser analysis from Symantec Endpoint Protection Manager
Article URL: http://www.symantec.com/docs/HOWTO101778

What to do in an Emergency?

If there’s a cataclysmic event, it’s possible for the Chief to lock the city down.  Putting the National Guard or Army on the streets enforcing a strict curfew is an extreme measure, but it is sometimes done.   SEP offers the ability to take similar drastic action with System Lockdown.

How to utilize SEP 12.1 for Incident Response - PART 2
https://www-secure.symantec.com/connect/articles/how-utilize-sep-121-incident-response-part-2

What about Download Insight?  And the Mail Plug-In Components?

These are speciailized divisions of the police force, whose duties focus them on one specific area.   Think of that as Special Branch watching the train station, questioning shady-looking newcomers to ensure they are not up to no-good.  (Download Insight scans certain executable file types when they arrive through particular portals, stepping in to block those who have a bad or unknown reputation)

Symantec Endpoint Protection 12: Demonstration of Insight Reputation Technology
https://www.youtube.com/watch?v=jN0KI3TVF8M

SEP’s mail plug-ins focus in on scanning the incoming email traffic.  They are a line of defense against mail-borne threats the same way that transit police maintain a presence only on the subway.

How about Private Investigators?

In certain instances it can be useful for third-party tools to be used to identify and bring down especially crafty adversaries.  Tools from Microsoft’s Sysinternals are an excellent example: they can provide a researcher with unbeatable insight into the murky depths of Windows Operating Systems.

Just like in countless books and movies, though, these third-parties can sometimes conflict with the official investigators.  It is a bad idea to attempt running more than one file-based scanning tool on a computer at one time, for instance.

Also, remember: neither the mayor and chief of police are responsible for the actions of a PI.  Symantec may recommend that customers use a third party tool for a specialized job, but these are not Symantec tools and are not supported by Symantec.

Does all this Eliminate Crime?

There will be some level of crime even in a real-world walled city with a robust police force, FBI, border guards, bouncers and every other form of security personnel.  Incidents will occasionally happen.  The same is true of computers.

Cybercrime, like all crime, cannot ever completely be stamped out.  No matter what Symantec or any other security vendor does, there will be malware authors who will (for instance) send out mails with malicious “Financial Trojan” attachments designed to steal banking information.  These are sophisticated operations with their own QA departments who test that the newly-minted malware can evade the latest security products. Some of these new samples inevitably slip past defenses, for a short while at least.

What SEP (and real-world security) can do is reduce the risk.  A city defended only by a police force has a degree of security, but one protected by police, walls, and several agencies with specific focused missions is far safer.  The more components there are involved in the effort, the more effective it will be at preventing harm.  Use every protection you can!

Add or remove features to existing Endpoint Protection clients
Article URL: http://www.symantec.com/docs/TECH90936

The organized gangs of bad guys are unlikely to settle down and take up legitimate jobs, but ample defenses can prompt them move on to another town.

Back to the Real World: After Deploying All SEP Components, What Else Can We Do?

• Don’t be an easy target. Ultimately it is up to you to make sure that your doors and windows are locked, your valuables are secured, and that careless behavior does not make crime easy.  The computer equivalent is to keep computers patched, ensure passwords are unique and strong, and that employees are trained against the approaches that malware takes today.
• Be familiar with what’s going on in the threat landscape.  To be aware of the your attackers’ tactics, techniques and trends, read sources of information like the annual Internet Security Threat Report, the monthly Symantec Intelligence Report and Symantec’s Security Response Blog.
• Be familiar with what is going on in your environment.  The Symantec Endpoint Protection Manager (SEPM) is a fantastic source of intelligence about malicious and suspicious activity in your network.  Its reporting and alerting capabilities can inform administrators of suspicious files and infected computers in the network.  See Using SEPM Alerts and Reports to Combat a Malware Outbreak for examples.
• Have a plan in place.  Respond to threats. If suspicious activity is seen, react to it!

Virus removal and troubleshooting on a network
http://www.symantec.com/docs/TECH122466

• Identify and submit undetected samples to Security Response.  There are approximately one million new malicious files created per day.  Security Response can build defenses against them once we have received a copy.   See Symantec Insider Tip: Successful Submissions for details, and be aware that new Rapid Release definitions are released approximately every hour in response to the latest known malicious files.  Definitely a good idea to implement these at your mail gateway!
• Learn from incidents and developments so you do not get hit again.

The Day After: Necessary Steps after a Virus Outbreak
https://www-secure.symantec.com/connect/articles/day-after-necessary-steps-after-virus-outbreak

Conclusion

Many thanks for reading!  If you'd like to do some additional reading, this article's title is a play on Gold Dagger Award winner Gene Kerrigan's fantastic crime novel Dark Times in the City. Well worth tracking down!