Symantec Security Information Manager + Symantec Endpoint Protection
With SSIM and SEP, dashboards can be built from any out-of-the-box query or from custom queries. A dashboard gives a view into the current state of the environment with respect to malware or attacks targeting systems protected by SEP.
When an incident is created in SSIM based on a malware infection, SSIM pulls remediation data from its embedded knowledge base. This information contains a full description of what the malware is and instructions on how to disinfect a machine. It is valuable and can save a response team the considerable time it would otherwise spend finding this data on its own. The knowledge base is kept up to date from our GIN feed.
Once an incident has been created, a workflow can be created and issued to a ticketing system for action and tracking. When the ticket is issued, information on how to respond to the exposure is placed in the ticket. The bi-directional connection between the ticketing system and SSIM makes it easy to track the current state of the ticket.
SEP has firewall and IPS components that can send connection information into SSIM. SSIM compares this connection data against a list of known malicious IP addresses, classified as Bot, BotNet, Worm or Malicious activity. A match against one of these IP addresses could indicate that the machine has been compromised or is about to be the target of an attack. A firewall rule, either in SEP or on the corporate firewall, can be written to block these addresses.
The Network Threat Protection component of SEP can feed data into SSIM, where it is compared against a set of rules that look for malicious or suspicious activity. SSIM provides out-of-the-box rules that trigger on these SEP events.
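The following is an added example, not SSIM or SEP code, of the correlation described above: connection events reported by SEP clients are matched against a list of known malicious addresses, each tagged with its classification, and the matches are turned into per-host alerts and a deduplicated block list for a firewall rule. The event fields, the threat list and the sample events are all constructed for the example; the real SSIM event schema and feed format are not shown on this page.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed threat list (IP -> classification). This stands in for the
# SSIM list of known malicious addresses; it is example data, not a real feed.
THREAT_LIST: Dict[str, str] = {
    "198.51.100.23": "Bot",
    "203.0.113.77": "BotNet",
    "192.0.2.199": "Worm",
    "198.51.100.250": "Malicious activity",
}


@dataclass(frozen=True)
class ConnectionEvent:
    """Constructed shape of a SEP firewall/IPS connection event (hypothetical fields)."""
    host: str        # SEP client that reported the connection
    src_ip: str
    dst_ip: str
    dst_port: int
    direction: str   # "outbound" or "inbound" from the client's point of view


@dataclass(frozen=True)
class Alert:
    host: str
    remote_ip: str
    category: str
    direction: str
    dst_port: int


def match_threat_list(events, threat_list=THREAT_LIST) -> List[Alert]:
    """Return one alert per connection whose remote address is on the threat list."""
    alerts = []
    for ev in events:
        # The remote side is the destination for outbound traffic, the source for inbound.
        remote = ev.dst_ip if ev.direction == "outbound" else ev.src_ip
        category = threat_list.get(remote)
        if category:
            alerts.append(Alert(ev.host, remote, category, ev.direction, ev.dst_port))
    return alerts


def block_list(alerts) -> List[str]:
    """Deduplicated, sorted remote addresses to feed into a SEP or corporate firewall block rule."""
    return sorted({a.remote_ip for a in alerts})


def hosts_by_category(alerts) -> Dict[str, List[str]]:
    """Group affected hosts by threat classification, preserving first-seen order per category."""
    grouped: Dict[str, List[str]] = {}
    for a in alerts:
        hosts = grouped.setdefault(a.category, [])
        if a.host not in hosts:
            hosts.append(a.host)
    return grouped


# Constructed sample events; addresses are from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    ConnectionEvent("ws-0142", "10.0.5.14", "198.51.100.23", 6667, "outbound"),
    ConnectionEvent("ws-0142", "10.0.5.14", "192.0.2.10", 443, "outbound"),      # benign
    ConnectionEvent("ws-0207", "192.0.2.199", "10.0.5.31", 445, "inbound"),      # worm source hitting SMB
    ConnectionEvent("srv-db01", "10.0.1.5", "203.0.113.77", 8080, "outbound"),
    ConnectionEvent("ws-0142", "10.0.5.14", "203.0.113.77", 8080, "outbound"),
]

if __name__ == "__main__":
    found = match_threat_list(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.host}: {a.direction} {a.remote_ip}:{a.dst_port} [{a.category}]")
    print("block list:", block_list(found))
    print("by category:", hosts_by_category(found))
```

The inbound case matters: a host that is contacted by a known worm source has not necessarily done anything wrong yet, but it is the likely next target, which is why the direction is carried through to the alert.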
With all of the event details captured in SSIM, you can run queries against this data to see not only the current state of the environment from a malware perspective but also the state of the clients, including their current version of SEP software and definitions.
Also, with the data captured in SSIM, a response team can quickly determine which machines are still infected and whether those machines have connected to other systems and potentially spread the infection.
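As an added example (not SSIM or SEP code) covering the two preceding paragraphs, the code below runs three of the queries just described over constructed client-state and connection events: which hosts still report an active infection in their latest state event, which hosts have definitions older than a cutoff, and which other hosts an infected machine has contacted since it became infected, followed transitively so that second-hop exposure is counted too. The event fields and timestamps are hypothetical; they are not the SSIM schema.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class StateEvent:
    """Constructed client-state event (hypothetical fields)."""
    ts: int            # constructed epoch-second timestamp
    host: str
    sep_version: str
    defs_date: str     # definition date as YYYY-MM-DD (string compare works for this format)
    infected: bool     # True while SEP reports an active, unremediated detection


@dataclass(frozen=True)
class ConnEvent:
    """Constructed host-to-host connection event."""
    ts: int
    src_host: str
    dst_host: str
    dst_port: int


def latest_state(state_events) -> Dict[str, StateEvent]:
    """Most recent state event per host."""
    latest: Dict[str, StateEvent] = {}
    for ev in state_events:
        if ev.host not in latest or ev.ts > latest[ev.host].ts:
            latest[ev.host] = ev
    return latest


def still_infected(state_events) -> List[str]:
    """Hosts whose latest state still reports an active infection."""
    return sorted(h for h, ev in latest_state(state_events).items() if ev.infected)


def stale_definitions(state_events, min_defs_date: str) -> List[str]:
    """Hosts whose latest reported definition date is older than the cutoff."""
    return sorted(h for h, ev in latest_state(state_events).items()
                  if ev.defs_date < min_defs_date)


def first_infection_time(state_events) -> Dict[str, int]:
    """Earliest timestamp at which each host was reported infected."""
    first: Dict[str, int] = {}
    for ev in sorted(state_events, key=lambda e: e.ts):
        if ev.infected and ev.host not in first:
            first[ev.host] = ev.ts
    return first


def potential_spread(state_events, conn_events) -> Dict[str, List[str]]:
    """For each infected host, hosts it may have exposed: every host it connected to
    at or after its infection time, plus hosts those exposed hosts connected to later."""
    conns = sorted(conn_events, key=lambda c: c.ts)
    result: Dict[str, List[str]] = {}
    for host, t0 in first_infection_time(state_events).items():
        exposed_at = {host: t0}
        changed = True
        while changed:  # repeat until no new host becomes exposed
            changed = False
            for c in conns:
                if (c.src_host in exposed_at and c.ts >= exposed_at[c.src_host]
                        and c.dst_host not in exposed_at):
                    exposed_at[c.dst_host] = c.ts
                    changed = True
        result[host] = sorted(h for h in exposed_at if h != host)
    return result


# Constructed sample data.
STATE = [
    StateEvent(1000, "ws-0142", "12.1.6", "2014-03-10", True),
    StateEvent(1500, "ws-0142", "12.1.6", "2014-03-10", True),    # still infected
    StateEvent(1000, "ws-0207", "12.1.4", "2014-02-01", True),
    StateEvent(1600, "ws-0207", "12.1.4", "2014-02-01", False),   # cleaned, but definitions stale
    StateEvent(1000, "srv-db01", "12.1.6", "2014-03-11", False),
    StateEvent(1000, "srv-fs02", "12.1.6", "2014-03-11", False),
]
CONNS = [
    ConnEvent(900, "ws-0142", "srv-fs02", 445),    # before infection: not counted
    ConnEvent(1050, "ws-0207", "ws-0142", 445),
    ConnEvent(1100, "ws-0142", "srv-db01", 1433),
    ConnEvent(1200, "srv-db01", "srv-fs02", 445),  # second hop
]

if __name__ == "__main__":
    print("still infected:", still_infected(STATE))
    print("stale definitions:", stale_definitions(STATE, "2014-03-01"))
    print("potential spread:", potential_spread(STATE, CONNS))
```

Note that a host which has since been cleaned (ws-0207 in the sample) still appears in the spread map: remediation on the original machine does not undo the connections it made while infected, so the response team still needs to check the hosts it touched.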
In a large environment with many SEP managers, they can all send their data to SSIM for quick reporting across them.
Because SSIM stores these events in archives, they can be retained for a long period of time. SSIM also provides compliance queries that use this data for internal and external audits.
SSIM provides out-of-the-box rules that further examine the data sent to it from SEP. SSIM looks at events from all of the components of SEP and can correlate this information to raise an incident.
There are two Collectors for Symantec Endpoint Protection.
1. Symantec Endpoint Event Collector
2. Symantec Endpoint State Event Collector
With both of these collectors you have complete control over the operations and security of SEP.