When my two boys were young, we taught them to differentiate between good and bad. As they grew up, they learned that the world is complicated and that things are not always what they seem. Learning to be aware of their environment and realizing that even good people can be manipulated into doing the wrong thing was important. Both ultimately they grew into smart, fine young men and learned to navigate this complex world with aplomb.
Our security industry consists of very smart people as well. We discover everything that exists on a device – an application, a file, a process, a script etc. – and then can determine its reputation, monitor its behavior, and apply advanced machine learning to continuously evaluate and determine what is good and what is bad. No one does it better in the world than Symantec’s STAR organization given the visibility we have across the Symantec and Norton portfolio. Yet the industry struggles dealing with the suspicious and gray areas while securing the good so that it can’t get manipulated into doing bad things. Historically, we have created only two mitigations for all our detections – Allow or Block (good or bad). If allowed to run, irrespective of reputation, it runs unrestricted. We know better, much better, just like our kids do in real life.
Wouldn’t it be great if we could do the following?:
- If something’s known bad or ‘knowable’ bad, block it.
- If it’s a suspicious app, constrain it. Let it run restricted, so it cannot do bad things.
- If it’s unknown, monitor it for any malicious intent or behavior to determine whether it is good or bad - for instance, an unknown application accessing active directory for user credentials and trying to move laterally across your network.
- If it’s good, protect it so it cannot be exploited. Like days of old, let it run in a castle so bad things can’t get in.
- If it is a suspicious network, secure the connection with a network jail. Middle men cannot gain access to user’s network traffic.
If we had these controls in place, policies would automatically ensure far stronger security.
All significant breaches in recent years have involved a compromised Active Directory.
Our key productivity applications, such as browsers, MS Office, Java, Adobe, and some custom-developed applications, would securely reside in castles and could only be updated by trusted updaters.
The content that these applications use or opened would be jailed if it came from the internet. For example, an Excel file downloaded through a browser could be opened, updated, saved and then later be opened by Excel. But it would be allowed to run a script that updated the spreadsheet file and not the application files.
Think “MS Excel Application in Castle, Content in Jail.” In practice, that would mean that any Excel spreadsheet file created by a user would have more rights than one downloaded from the internet.
If something was deemed to be suspicious, you would be able to run it in a jail so that any bad things won’t be able to get out and inflict damage. If it was an unknown, you’d want to monitor it. For example, an organization’s developers building their own apps might have an unknown reputation. So, you could set a policy where developers – but not sales and finance - run unknown applications.
Thinking more broadly about this, you can imagine a myriad of other security benefits. How about a global whitelist that you propagate to all your devices? So even if a device did not connect back for months, it would still be constrained to the global whitelist. Users would be able to add applications as long as they remained on the global whitelist. When employees traveled and connected to unsecured Wi-Fi, wouldn’t it be great if these hotspots also had reputations and connections to your enterprise that were automatically secured?
Reducing the Attack Surface: Automated Remediation
All significant breaches in recent years have involved a compromised Active Directory. Without reputation-based controls, unknown processes and scripts can utilize the open nature of the active directory to easily move laterally in an enterprise. Hence, late last year we bought Javelin Networks. We believe securing Active Directory access from domain connected devices creates a layer of protection unmatched in the industry. Javelin Networks technology coupled with reputations from SEP enables us to create a smart, easy to deploy layer of protection that chokes out all AD-breach linked lateral movement.
I’m fond of the old saying that "prevention is better than cure" applies to security as well. The more threats you can proactively prevent, the less overwhelmed your Detect and Respond operations will be – even with the smartest Endpoint Detection and Response (EDR) and IR products in the world like Symantec’s EDR Product line. Now these smart folks not only investigate, analyze and hunt, they also can help define these fine-tuned policies. Automated Remediation is the next complimentary step to reduce attack surface and manage risk.
There is an additional benefit of these advanced policy controls. In most advanced threats you have minutes to respond than days. Automated Policy based remediation enables you to react smartly and proactively rather than react post breach.
So I am proud to announce that we are launching a new suite that does exactly that. Symantec Complete Endpoint Defense provides the fine-grained controls to protect your users and organization from advanced threats and dynamic adversaries.
We offer the only portfolio in the world that gives you the most complete defense. Symantec Complete Endpoint Defense adds the following to our market-leading Symantec Endpoint Protection Product lines:
- Symantec Endpoint Application Control that will help customers defend against advanced attacks by only allowing known, good applications to run. This is a modern whitelisting product that greatly simplifies management and manageability.
- Symantec Endpoint Application Isolation enables users to download and use any application safely by ensuring every application is restricted to safe and authorized behavior. Good applications run in castles, unknown in jails and their content is jails.
- Symantec Endpoint Cloud Connect Defense delivers dynamic protection by assuring network integrity through a policy-based smart VPN to defend against risky Wi-Fi and carrier networks. This technology provides an additional layer of protection for Windows 10 devices and provides you detection for malicious hot spots.
- Symantec Endpoint Threat Defense for Active Directory ensures that malicious actors on domain-connected endpoints cannot exploit Active Directory to gain access to critical assets. Threat Defense for AD restricts post-exploit incursions by preventing credential theft and lateral movement – this is the only solution that can protect Active Directory directly from the endpoint.
- Symantec Endpoint Detection & Response: Symantec’s EDR 4.0 continuously updates AI-driven detection engines using threat research from Symantec’s elite team of researchers and global telemetry from 175 million endpoints to train analytics to detect new attack patterns. EDR 4.0 is now available for any device, anywhere, before or after an attack
These unique capabilities integrate deeply with our flagship endpoint protection product, Symantec Endpoint Protection (SEP) providing customers with the most advanced and complete defense to protect a heterogeneous endpoint environment.
Our goal has always been to offer a solution that reduces complexity, so that organizations don’t wind up needing to cobble together a jumble of point solutions – single agent architecture is key to achieving that goal. We have now extended that with a single console for these offerings- in the cloud. A portfolio that is easy to deploy and manage using a single agent, managed by a single console, with smart, automated policy controls that adapt to protect against current threat conditions and deliver a new security standard for your endpoint environment. A new AutoManage capability delivers smart AI- recommendations making admins more productive and continuously improving your security posture.
Symantec Complete Endpoint Defense provides enterprises with the visibility and coordinated capabilities they require to orchestrate the protection of their endpoint environment. We’ve got you covered with detection and prevention, deception and hardening, and we keep your data safe from known and new, advanced attacks.