Posted: 5 Min ReadProduct Insights

Castles, Jails and a New Adaptive Security Layer for Enterprise Endpoints

As malicious hackers step up their game, enterprises can benefit by deploying Symantec’s SEP Hardening product delivering integrated application isolation and anti-malware technologies

Increasing layers of defense have forced the attackers to change their approach, using file-less attack techniques that ‘live off the land’ and are difficult to detect by traditional means. More and more attackers are taking advantage of what already exists on a device to carry out their objectives. What already exists on a device is what an enterprise wants to deploy on those devices. So now, we have good users and good applications being used to do bad things.

For example, many attackers now deploy file-less attack techniques that ‘live off the land’ and are increasingly difficult to detect by traditional means. They exploit what already is installed on a device- known good applications-  to run simple scripts and shellcode in memory, via Windows Power Shell.

These malicious scripts may be hidden in the Windows Registry and Windows Management Instrumentation (WMI). This so-called “living off the land” approach makes use of capabilities built into operating systems and good applications to attack victims.

What makes it harder is that some of these activities look very similar to what an enterprise would do in normal course of its day to day business. Enterprise documents contain links, employees download files and open them, new unsigned applications could be built by enterprise developers etc. and this allows bad guys to do bad things with good applications.

This rapidly evolving constellation of threats calls for a new approach to endpoint security.

Multi-Layered Defense

 At Symantec, our endpoint defense strategy now has four key layers. Think about it as follows:

-        Prevention: SEP 14.1 provides the best antimalware protection in the world. We deploy reputation-based, behavior-based, ML-based multi-stage protections to block incursions, infections, infestations and prevent exfiltration. As we do that, we know your vectors of infection- which users, devices and applications drive the most infections.

-        Detection & Response: SEP EDR (ATP- Endpoint) delivers an additional layer of smart tools and capabilities so that your SOC analysts can monitor, prioritize, analyze, investigate and remediate threats using our Single Agent

-        Deception: Added in SEP 14.1, our endpoint deception capability triggers off well placed deceptors on endpoints to highlight potential breaches missed by Prevention, detection & Response.

-        Adaptation: Added with SEP Hardening, integrated with SEP 14.1. SEP Hardening constantly enables security administrators to improve and harden their security posture using our Single Agent that is already deployed on your endpoints.

With SEP 14.1 and SEP hardening in their arsenal, administrators now know what devices are connected to their network and what apps are running. As always, SEP 14.1 blocks all known and unknown malware. Our new High Intensity Detection Capability will highlight what we deem suspicious but don’t have enough information to convict in your environment.

If it’s a good app, with SEP Hardening, it gets its own Castle that ensures bad things don’t get in. A PDF content file cannot update the PDF viewer for example or content downloaded from a browser cannot update the browser.  

Application isolation enables security admins to protect ‘known good’ (whitelisted) applications, running them in ‘castle’ mode to fortify these trusted applications and protect them from exploitation and tampering through a layered security approach.

Browsers, MS Office applications, Java, PDF viewers etc. can now be hardened with a single click. All the operations that the application doesn’t typically need to perform are blocked by the isolation policy. Note: the end user doesn’t perceive any change when using the application, unless the application engages in malicious behavior – at which time that behavior is blocked. This is a critical requirement for effective application isolation and ensures security does not come at the cost of productivity.

And if it’s a grey or unknown app, the IT department has more information at its disposal to monitor and make an informed judgment about next steps. Until then, the app will run in what we call “jails,” so potentially bad things don’t get out and persist. It will allow the application to run with limited privileges to protect the OS and other good applications from any harm or tampering. It can contain items opened from an untrusted source (email or web, by example) to mitigate any risk they may pose and restrict these applications to only ‘good’ behavior.

The upshot is that the enterprise will be able to manage all three categories for the first time. That’s a big advance over what passed for state-of-the-art endpoint security only a year ago. Any good, vulnerable applications which are deemed to be core to end users’ productivity can still be used without fear of exploit or file-less attacks. That allows organizations to run any applications they need for their employees to do their jobs.

SEP hardening also hardens an application’s network behavior in addition to file, registry and process behavior. SEP knows all the “good behavior” that is allowed on a network for castles and “acceptable behavior” for Jailed applications.

So, if it detects signs of deviant behavior, it will immediately block the intrusion. That’s a different approach from most anti-malware, which will look to reputation or some bad attributes - in other words, situations where you need something bad in the chain before it will take action.

Hardening plus detection around endpoints - this is the essence of a more adaptable approach to security, one where Symantec’s pioneering research is paying dividends.

So, How Good is this Technology?

I made a decision two years ago to test our endpoint security products against new malware found by anyone every day. This allows us to measure if we are as effective today as we were yesterday. If there are gaps, we go fix them. This rigor has allowed us to deliver SEP 14 and SEP 14.1- the best endpoint security products in the industry. We also test the duration between availability of a sample and our conviction so we can eliminate the time between detect and prevent.

With SEP hardening, we had to figure out a new way to test.

And we did. Here is what I can tell you:

We worked with our very capable STAR team. We got access to their very extensive threat database that contains all known threats. We have worked through much of that database and at this time I am proud to report that SEP Hardening blocks all execution patterns we see. Net - The Castles work.

We have been evaluating SEP Hardening jailing behavior as well. We are seeing SEP Hardening effectively and automatically jail all ‘suspicious files’ detected by SEP 14.1 HID capability. Net- the jails work as well. There is an additional bonus- if the security admin is tardy on resolving suspicious detections, SEP Hardening jails them till the security admin can address the detections.

This stellar result is expected and played a strong role in our selection of the technology we used to build out this product line.

Customers have long looked forward to App Isolation in endpoint security. Many startups have tried but failed because of their intrusive and unfriendly user implementations. On the other hand, we have seen great implementations of similar concepts in operating systems like iOS where applications run in their own isolated containers. Symantec delivered the latter experience on Windows with SEP hardening.

The genesis of our current work in endpoint security stems back to our earlier experience with Symantec Critical Systems Protection (SCSP), which isolates apps on servers. It’s provided the world’s most secure technology for that job. Consider this: In the last decade, we haven’t had a single customer report an infection.

But SCSP also required an advanced level of technical expertise. Our challenge was to port that level of functionality to a wider market and make it more usable and accessible to help endpoint security administrators could secure their organizations’ endpoints.

It took us about 15 months and I’m proud to say that we met the challenge. Try it and see. I look forward to your feedback.

If you found this information useful, you may also enjoy:

Endpoint Protection Resources

Cloud Generation Endpoint Security – Protect Your Users Everywhere and On All Devices

Gartner Reviews: Endpoint Protection Platforms


About the Author

Javed Hasan

Senior Vice President, Endpoint, DataCenter & Mobile Symantec

Javed is Senior Vice President of Enterprise Products at Symantec. He is responsible for product management and development of Symantec’s award winning Enterprise Security Products including Endpoint , Datacenter, Storage & Iaas Security product lines.

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.