SEP and SNAC - An Unbeatable Combination
Today Endpoint protection has become very critical. As Information technology has progressed over these years, its enemies have also increased. Starting from worms and viruses, today we face a lot of enemies waiting to attack our computers. Some of the most well known enemies are Virus, Spywares, Malwares, Hackers and many others who may require some important data that we possess. Without a complete computer protection, we are susceptible to computer damage, financial loss. When we talk about an organization and the individuals working with these organization, these data become more critical and protecting these data are the most important priority.
Is Antivirus our solution? When we think about it, we find that Antivirus can protect us from one of the enemy but what about the rest? Do we really need a better solution than an Antivirus? The answer would be a simple YES. We need a solution which will protect the organization and its employees from most of its enemies.
Many vendors came up with these solutions which we commonly refer to as a complete Endpoint Protection. Everyone has their own Advantages and Disadvantages. There are few who perform better than the others. There are few who have better features than the others. There are few who give more protection than other software’s.
I have worked on few of these software’s however as per my experience goes I think that Symantec Endpoint protection has a distinct advantages over other competitor software’s. It gives us all the protection that we expect from Endpoint software, It has lot of features that gives an added protection and advantage. Performance wise its par or better than the other competitive software that I have worked on
This is a story of one of our Customer, in the financial sector running about 1000 Endpoints. They were using Trend Micro office scan as their endpoint security. Not only were they facing some issues, they were unsure if they had a complete protection in their Endpoints. To make their Protection stronger they were looking out for a Network Access control solution. Basically they had heard of NAC solutions from Cisco and they were trying to approach a vendor who would show them a POC and implement the NAC solution in their environment.
The Customer was facing lot of Network issues and they found that the network was very slow than it used to be. As they were not sure if everything was working right in their environment and out of some Security fears, they decided to conduct a basic Audit of their Workstations. They wanted to check if there was a security threat in any of their endpoints, If all the workstations were getting properly updated and other basic audit checks.
This was the time they contacted us and I want selected as a consultant for them for this Audit Project. We took about 5 to 6 days to complete the audit. At the end we found out few issues
1. About 25% of the systems were not getting updated regularly for some or the other reasons. Some of the systems had a virus definition of 15 days old; some had even 30 – 40 days old definitions.
2. There were about 15% systems not detected / Displayed in the management console
3. There were about 20 Systems not present in the inventory
4. Presences of viruses were found on many systems. Actually these systems were causing the Entire network to slow down.
5. No device control was present / implemented due to which any employee would come and plug in USB devices.
6. There was lack of application control. Everyone was free to use and install and use any application.
7. Most of the systems had dual processor and 1024 MB memory installed on them. However, the systems were very slow compared to their actual performance
8. The Management server was getting restarted automatically at least once a day. Many a times, the performance was so slow that it was difficult to see any reports on them.
There were a lot of other issues and the customer was worried. We gave a detailed presentation to the customer. We also gave the customer an overview of the technologies that was required to control the environment. The Customer was still not satisfied and actually wanted a complete solution architecture design by us. We had mentioned about how Network access control could be useful in the presentation. The customer told us that he was looking to purchase a NAC solution and he was looking out for Cisco NAC. He asked us whether Cisco NAC would be useful in their environment along with the endpoint protection features of Trend Micro. He also asked us if we could suggest any alternate solution which would be a better fit in the environment.
With a complete unbiased view, we told him about Symantec Endpoint Protection (SEP) and Symantec Network Access Control (SNAC). We described him the features and how the features would be useful in their organization. We made a complete presentation describing the features and the how the feature could be useful to them. Following are the important points of the presentation
1. Integration of SEP and SNAC:- We highlighted this feature and thought that it would be a very good start to the presentation. We told him that SEP and SNAC are installed using a single installation file and managed using a single agent. They are tightly integrated with each other. Above all they are managed using a single console. In case of going with a different NAC solution, this primary feature would be missed and manageability task would become more difficult. By using SEP and SNAC, the management task would become simpler and administrative efforts would be significantly reduced.
2. Proactive threat scanning:- This is one of the best protective features of SEP. It is a Behavioural based protection which protects against zero-day threats and the threats which have never happened or seen before. This feature is very unique to Symantec, as this scan scores both the good and bad behaviour of unknown applications. This feature helps in providing more accurate malware detection than what other products do. It also helps to reduce the number of false positives.
3. Device Control:- We told him that this is something which was required to implement immediately in all the endpoints. Symantec can block all the removable devices like USB thumb drives. This feature can protect Sensitive and confidential data from being leaked. The customer told us that since they were using USB Keyboard and mouse on most of the machines, blocking USB devices may also cause their USB keyboard and mouse to be blocked. However the answer for this was very simple. With Symantec, you can not only exclude Human Interface Devices but also exclude devices of the same class using the device ID. The customer was quite happy to know this feature.
4. Application Control:- This was also required for his organization. Application control access to specific processes, files, and folders by users and other applications. It enables administrators to restrict certain activities deemed as suspicious or high risk.
The customer asked us how we can learn what applications are running on the machines. The answer again was very simple. Symantec provides an option to search for all application that is running on an endpoint or the endpoint group. It can also automatically learn the applications and the processes that are running in the environment. This feature could be very useful for preventing Malware and especially locking down the endpoints to prevent data leakage.
5. RootKit Detection and Removal:- This is a very interesting feature which is integrated using the patent and famous VERITAS technology VxMS (VERITAS Mapping Service). It actually provides access below the operating system to allow thorough analysis and repair. It can detect and remove the most difficult rootkits which other software may find it difficult.
6. Firewall and IPS:- We didn’t speak much about this feature as the customer was already aware of it. But we highlighted the use of this technology and Symantec giving all these features in a Single agent and console
7. Policy Flexibility:- Symantec give us an advantage of defining user based as well as machine based policy. We specially highlighted the use of this feature in his organization.
8. Compliance:- Symantec NAC helps the organization to achieve compliance as it blocks or quarantines the non complaint devices from accessing the network. It can perform Host Integrity tests for patch level, service packs, antivirus, and personal firewall status, as well as custom created checks tailored for the enterprise environment and then treat the device as complaint or non-complaint as per the customer requirements.
9. Self Enforcement:- One of the benefits of the SEP and SNAC integration is self enforcement. Once SNAC detects an endpoint as non complaint, it can use SEP host based firewall feature to block the Endpoint for accessing any network resource. We spoke about other enforcement option but didn’t want to put any additional device without getting the basics right.
We also used the above points to compare SEP features with Trend Micro. However, we didn’t had to compare the products much since the customer was already convinced that SEP would be a right fit in his organization. So the Customer asked us to conduct a POC for the same in a very controlled environment consisting of 30 Endpoints.
So this was a chance to prove that we had suggested the right solution and SEP and SNAC would be an ideal solution for the organization. We were able to do a perfect planning as we already had the audit data. The Customer gave us a good server for the installation and we did the POC using the following Process.
1. We checked if the System that was provided was meeting the requirements as suggested by Symantec
2. We installed the Symantec Endpoint protection manager. This was a simple installation process. The installation also guided us to create the Site and automatically created the database.
3. Once the installation was completed, the migration and deployment wizard started automatically on the machine. Using this wizard, we created default client software packages.
4. We then used the migration and deployment wizard to deploy the client packed to all the 30 identified endpoints.
5. As per the customer’s request we created two groups, One a Highly restricted group and one a less restricted group and moved the clients to the appropriate groups that we created
6. We created different policies for these two groups. We configured Antivirus and Antispyware policies, Application and Device control policies, Firewall and IPS policies. Once these policies were created we updated all the endpoints with these policies.
7. We then installed the SNAC component on the server.
8. We configured the host integrity policy. This policy checked the requirements for firewalls, antivirus, antispyware, patches, service packs on all the identified endpoints. Configuring host integrity policy was done through pre defined templates which made the task very easy. It specifies what conditions should be checked for and what actions the client takes in response to the condition.
The POC was a real successful one and the client was very happy. In fact a straight comparison was made between two machines one running Trend Micro and the other running Symantec Endpoint Protection. There was a noticeable difference between the memory usages between the 2 computers. The Memory that was used by SEP was about 30 MB and the memory used by Trend Micro was more than 50 MB. The memory used by the SEP during the full scan was about 42 MB and the memory used by Trend Micro for the full scan was more than 72 MB. The CPU usage of SEP was also less compared to the CPU usage in the machines running Trend Micro. One of the main convincible points was SEP was able to detect some viruses which Trend Micro had not detected on the computers.
The customer was happy for several reasons and few of them were.
1. Performance of the computer running SEP
2. Overall protection coverage that was provided by SEP
3. Overall features that was provided by SEP. The customer really felt that he would have required to purchase more products had it not been the integrated protection of SEP and SNAC
4. Ease of use. Easy GUI to manage the complete environment
5. Quick reports.
No surprise that the customer purchased this product. We were also happy with the results. It was also a baseline for us for defining a complete endpoint solution for our future projects. Personally I would like to tell that SEP and SNAC are a wonderful solution and when planned properly, most of the security risks in an organization are detected and prevented.
The Customer also felt the same and I would like to end this article with the 3 statements by the customer, which were really a complement to us and Symantec.
“I will have a much better sleep”
“You guys really did a wonderful job”
“SEP and SNAC really works as described by Symantec”