
SEP 14.1: Prevention Evolved - better security through tunable machine learning


In late 2016 we launched Symantec Endpoint Protection 14, which set the standard for how classical layered protection can be augmented with breakthrough innovations like multi-dimensional machine learning. We delivered the best endpoint protection solution in the industry; one that has won multiple awards in independent third-party tests as well as in the analyst community. Recent outbreaks like WannaCry and Petya have caused widespread havoc in the world, but customers running SEP 14 have been proactively protected and safe from this menace. We could not be happier for our customers, or in the validation of our conviction that the best protection comes from a layered defense-in-depth approach with safeguards at every stage of the infection lifecycle: incursion, infection, infestation and exfiltration.

But enough about SEP 14!! As much as we love our creation, it is time to talk about our next release: SEP 14.1. SEP 14.1 was conceived under the premise that all malware outbreaks in an enterprise network come from unknown files that are continually being introduced into your environment. Unknown files are not necessarily malicious, but they start out being suspicious before either trending good or trending bad. By catching these files early and taking appropriate action, one can avoid dealing with a bigger problem later.

Quick Detour on Detections vs. Falsing

Better detection can always be achieved if one is willing to make more mistakes (false detections). A "false" is a condition where a product mistakenly convicts a good file or fails to convict a bad file; the first condition is called a false positive and the second a false negative. This is essentially the tradeoff that first-gen ML anti-malware competitors made: achieve higher detection by compromising accuracy. Falses are the bane of any security product, and at the scale at which we operate (over 125 million endpoints worldwide) a high false rate can cause significant cost and productivity overruns. Therefore, SEP 14 was tuned to provide a high degree of protection (over 99.9%) while having very low "falsing" (< 0.1%) out of the box. The machine learning engine at the heart of SEP 14 can be tuned to detect more malware; however, we must be careful to control the corresponding increase in falsing. SEP 14.1 solves this problem!!

Intensive Threat Protection for more detections

SEP 14.1 achieves better prevention by having better visibility through higher detections. We have introduced a new configuration called Intensive Threat Protection (ITP) which controls the sensitivity (or intensity) of the machine learning detection engine in the product. It offers 5 different settings, ranging from conservative (Level 2: the SEP 14 level) to aggressive (Level 5: which can stop anything remotely suspicious).

SEP 14.1 decouples the notion of monitoring from that of blocking. It can detect at one level and block at a different level. This ensures that the admin is not disruptively blocking new files without understanding their behavior, reputation and prevalence, while still retaining maximum visibility into newly introduced files. The endpoint policy can have high monitoring and blocking levels for low-change environments like a call center, and a less intensive blocking threshold for a group of developers who write and test new applications.
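As an added illustration (not Symantec's code and not SEP's actual scoring), the toy model below shows the detection versus false-positive tradeoff from the detour above and the decoupled monitor/block levels described here; the level-to-threshold mapping, file scores and labels are all constructed.

```python
# Added example, not Symantec code: a toy model of the ITP idea.
# The level-to-threshold mapping, scores and labels are constructed.
from dataclasses import dataclass

# Constructed: a higher ITP level means a lower score is enough to convict
# (more sensitive). Level 2 stands in for the SEP 14 default, Level 5 for
# "anything remotely suspicious".
ITP_THRESHOLDS = {1: 0.95, 2: 0.90, 3: 0.75, 4: 0.60, 5: 0.40}

@dataclass(frozen=True)
class Sample:
    name: str
    score: float        # ML suspicion score in [0, 1] (constructed)
    is_malicious: bool  # ground truth, used only to measure the tradeoff

# Constructed corpus: known-good and known-bad files with plausible scores.
SAMPLES = [
    Sample("installer.exe", 0.20, False),
    Sample("build-tool.exe", 0.55, False),   # unusual but benign dev tool
    Sample("macro-doc.exe", 0.70, False),    # looks odd, still benign
    Sample("dropper.exe", 0.65, True),
    Sample("packed-loader.exe", 0.85, True),
    Sample("ransom.exe", 0.97, True),
]

def tradeoff(level, samples=SAMPLES):
    """Return (detection rate, false-positive rate) when convicting at `level`.
    Raising the level catches more malware and convicts more benign files."""
    t = ITP_THRESHOLDS[level]
    bad = [s for s in samples if s.is_malicious]
    good = [s for s in samples if not s.is_malicious]
    detection = sum(s.score >= t for s in bad) / len(bad)
    false_pos = sum(s.score >= t for s in good) / len(good)
    return detection, false_pos

def action(score, monitor_level, block_level):
    """Decoupled policy: log at one sensitivity, block at another.
    A developer group can monitor at Level 5 but block only at Level 2."""
    if score >= ITP_THRESHOLDS[block_level]:
        return "block"
    if score >= ITP_THRESHOLDS[monitor_level]:
        return "monitor"
    return "allow"

if __name__ == "__main__":
    for lvl in ITP_THRESHOLDS:
        d, f = tradeoff(lvl)
        print(f"level {lvl}: detection={d:.0%} false_pos={f:.0%}")
    # Call center vs. developer group policy applied to the same file score
    print(action(0.65, 5, 5), action(0.65, 5, 2))
```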

Furthermore, we are opening our massive Global Intelligence Network (GIN) to give you deep insights on every new file that is discovered in your environment, including risk scores, global prevalence, local prevalence and historical stats for each detection. This allows the product to uncover up to 20% additional detections over and above what SEP 14 achieves.

Improvements across the board

But that is not all … 14.1 builds on the improvements that were made in SEP 14 around content size optimization. SEP 14 achieved up to 70% savings on content footprint over SEP 12. SEP 14.1, with its ML-based platform, takes this one step further. We are introducing a "low-bandwidth" policy that puts your endpoints in a state where they need less frequent content updates, given that the ML engine can be tuned to run at a higher detection intensity. This mode will be useful in bandwidth-constrained environments. Given the recent proliferation of memory-based exploits, 14.1 will also introduce several additional exploit mitigation techniques to supplement those introduced in the previous release.

Net-net, with 14.1 you have a highly tunable ML detection platform that can bubble up new suspicious files in your environment before they become actual threats … served with rich context from our GIN … laid out in a modern, intuitive UX … with better detection than SEP 14 … at an FP rate that is still orders of magnitude lower than the competition. Ergo … prevention evolved!!

Note: SEP 14.1 is currently in limited preview with some of our early customers and slated for general availability soon.

About the Author

Balaji Prasad

Product Director
