
Benefits of Integrating SEP with SSIM

Created: 14 Jan 2012 • Updated: 20 Jan 2012 | 10 comments

Symantec Security Information Manager + Symantec Endpoint Protection

• SSIM gives in-depth reporting with out-of-the-box SEP rule sets.
• Using SEP with SSIM you can collect malware events, monitor traffic, and correlate traffic against rules and IP lookup tables.
• SSIM provides up-to-date response intelligence using the Global Intelligence Network (GIN).
• Once a malware incident is raised it can go directly to your helpdesk for action.
• You can prioritize malicious incidents involving your critical systems/servers.

With SSIM and SEP, dashboards can be built from any out-of-the-box query or from queries you create yourself. The dashboard provides a view into the current state of the environment as it relates to malware or attacks targeting systems protected by SEP.

When an incident is created in SSIM based on a malware infection, SSIM pulls remediation data from its embedded knowledge base. This information contains a full description of the malware and instructions for disinfecting a machine. It is valuable because it saves a response team the time that would otherwise be spent finding this data on their own. The knowledge base is kept up to date from the Symantec GIN feed.

Once an incident has been created, a workflow can be created and issued to a ticketing system for action and tracking. When the ticket is issued, information about how to respond to the exposure is placed in the ticket. The bi-directional connection between the ticketing system and SSIM makes it easy to track the current state of the ticket.

SEP has firewall and IPS components that can send connection information into SSIM. SSIM compares this connection data against a list of known malicious IP addresses, which are classified as Bot, BotNet, Worm or Malicious activity. Detection of traffic to or from one of these addresses could indicate that the machine has been compromised or is about to be the target of an attack. A firewall rule, either in SEP or on the corporate firewall, can then be written to block these addresses.
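The correlation described above (connection events matched against an IP lookup table, with incidents on critical systems prioritized as the bullet list promised) as an added illustration; this is not Symantec's or the article's code, and the log format, field names, IP classes and host names are constructed assumptions:

```python
# Added example, not Symantec's code: toy SSIM-style correlation of SEP
# firewall/IPS connection events against an IP lookup table, with incidents
# involving critical hosts prioritized. Log format and field names are assumptions.
import ipaddress

# Constructed lookup table standing in for SSIM's malicious-IP intelligence;
# values are the classes the article names (Bot, BotNet, Worm, Malicious).
MALICIOUS_IPS = {
    "198.51.100.7": "Bot",
    "203.0.113.0/24": "BotNet",   # an entire range flagged as botnet C2 space
    "192.0.2.66": "Worm",
}
CRITICAL_HOSTS = {"db-srv01", "dc01"}  # constructed critical-asset list

# Constructed SEP-style traffic records: host,direction,remote_ip,port,action
SAMPLE_EVENTS = [
    "ws-042,outbound,198.51.100.7,6667,allowed",
    "db-srv01,outbound,203.0.113.25,443,allowed",
    "ws-017,inbound,192.0.2.66,445,blocked",
    "ws-042,outbound,93.184.216.34,443,allowed",
]

def classify_ip(ip):
    """Return the lookup-table class for ip (single hosts or CIDR ranges), or None."""
    addr = ipaddress.ip_address(ip)
    for entry, label in MALICIOUS_IPS.items():
        if addr in ipaddress.ip_network(entry, strict=False):
            return label
    return None

def correlate(lines):
    """Turn SEP connection events into incidents, highest severity first."""
    incidents = []
    for line in lines:
        host, direction, remote_ip, port, action = line.split(",")
        label = classify_ip(remote_ip)
        if label is None:
            continue  # no match in the lookup table: not an incident
        # Allowed outbound traffic to a known-bad address suggests the host is
        # already compromised; blocked inbound traffic is an attempted attack.
        severity = 3 if (direction == "outbound" and action == "allowed") else 1
        if host in CRITICAL_HOSTS:
            severity += 2  # prioritize incidents on critical systems/servers
        incidents.append({"host": host, "remote_ip": remote_ip, "class": label,
                          "port": int(port), "severity": severity})
    return sorted(incidents, key=lambda i: i["severity"], reverse=True)

if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(inc)
```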

The Network Threat Protection component of SEP can feed data into SSIM, where it is compared against a set of rules to look for malicious or suspicious activity. SSIM provides out-of-the-box rules that trigger on these SEP events.

With all of the event details captured in SSIM, you can run queries against this data to see not only the current state of the environment from a malware perspective, but also the state of the clients and their current version of SEP software and definitions.

Also, with the data captured in SSIM, a response team can quickly determine which machines are still infected and whether those machines have connected to other systems and potentially spread the infection.

In a large environment with many SEP managers, they can all send their data to SSIM for quick reporting across all of them.

Because SSIM stores these events in archives, they can be retained for a long period of time. SSIM also provides compliance queries that can use this data for internal and external audits.

SSIM provides out-of-the-box rules that further examine the data sent to it from SEP. SSIM looks at events from all of the components of SEP and can correlate this information together to raise an incident.

There are two collectors for Symantec Endpoint Protection:

1. Symantec Endpoint Event Collector
2. Symantec Endpoint State Event Collector

With both of these collectors you have complete control over the operations and security of SEP.


Avkash K:

Awesome Article!!

After working on SSIM for such a long time, this is something interesting to explore.

Thanks Vikram for such a beautiful share!!

Regards,

Avkash K

Srikanth_Subra:

Dear Vikram,

How do we use or include SSIM with SEP? Is that a separate product we need to purchase?

Kindly explain about that?

Thanks & Regards,

 Srikanth.S

"Defeat the Defeat before the Defeat Defeats you"
(Swami Vivekananda)

Vikram Kumar-SAV to SEP:

SSIM is a different product altogether. Read this:

https://www-secure.symantec.com/connect/articles/symantec-security-information-managerssim-note-beginners

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

Avkash K:

Hi Srikanth, I think you already have SSIM set up in your environment, right?

If yes, then you can directly integrate your SEPM setup with SSIM using the SEP Event Collector and SEP State Event Collector.

Regards,

Avkash K

Srikanth_Subra:

No, I don't have SSIM, that is why I am asking. I am using only SEP.

Thanks & Regards,

 Srikanth.S

"Defeat the Defeat before the Defeat Defeats you"
(Swami Vivekananda)

shravzp:

Will all virus info be available with GIN updates, or do we require an additional license for this?

Avkash K:

Info regarding viruses will be directly updated through GIN only.

If you have your existing GIN license then you don't need any additional license for this.

Regards,

Avkash K

Srikanth_Subra:

Ok, I will check and update the status.

Thanks & Regards,

 Srikanth.S

"Defeat the Defeat before the Defeat Defeats you"
(Swami Vivekananda)

Swapnil khare:

Awesome

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Milan_T:

Thanks for sharing.
