Endpoint Protection


Connect and Protect - Endpoint Protection is better than cure (pun unintended)

Jul 27, 2009 05:19 AM


1. Your role in the organization/company (CTO, CIO, CEO, SysAdmin, etc)?

Security Analyst

2. What was your data protection criterion, concerns and related issues, and how did Symantec Endpoint Protection resolve them?

Users will be users, and there is always an odd bunch of them who get threats from somewhere; there are also nerds who like to experiment, and when you are learning you don't know basic things like having a test machine for everything. The important part is that the AV has to do what it's supposed to do. I am working for a client who has SAV for the client machines and Trend Micro ServerProtect for the servers, and we have started the migration. The SAV primary and secondary servers also have Trend on them, and Auto-Protect is thus disabled. The configuration has been working wonderfully well, but with the new threat landscape AV alone is not sufficient; you have to have a combination of AV, firewall, IPS/IDS, and a fully patched machine to prevent or recover quickly from an outbreak. We do have Sygate 4.1 installed on all the client machines, but since the product has reached EOSL and the vendor (Symantec) accepts that they can only offer best-effort support, it's not working out for us.
SEP, on the other hand, is a complete built-in solution for endpoint security needs. I have been involved thoroughly with SEP since its conception and particularly like the IPS feature; it's very helpful, especially during virus outbreaks, in identifying the client machines and the remote hosts and blocking the activity. We don't use the application and device control as there is no need for it yet, and whatever we apply we do through GPO. NTP has come a long way from what it started off from. The logs are written in a way that perfectly suits an administrator and can be pulled up with a query, like what websites the users are visiting.
Other than this, we also believe that the following criteria are important for the evaluation of any AV product:
1) Vendor support: Probably the most important. (Excellent support so far.)
2) Footprint of the client. (Well optimized with the later versions.)
3) Compatibility with other installed standard applications. (We haven't had an issue so far.)
4) Low false positive rate. (Well known fact; also refer to the links posted underneath.)
5) Logging and reporting from the console.
6) Anti "Anti Virus" Protection efficiency. (Tamper Protection.)
7) What else do they offer with the AV? (Like firewall, IPS, ...)
8) Response time upon submission of a sample. (2-4 hours for us.)
9) Update technology (incremental or full).
10) GUI protection from the end users. (Like password protection or hiding the icon.)

It is important for us to make sure that the vendor we choose is the leader in the market, as we pay a huge amount for the ~37,000 workstations. The definitions released by Symantec fall under "The ICSA Anti-Virus Certification Scheme", http://www.icsalabs.com/icsa/icsahome.php, which has the following criteria.

1) Testing performed by an independent organization
2) Testing performed by an unbiased organization
3) Tests done on the most current version of the products
4) All major products are tested
5) All significant platforms are used for testing
6) Tested on an on-going basis (at least monthly)
7) Test criteria are objective
8) Tests are "real-world" oriented
9) Tests check for viruses "in the wild"
10) Test criteria are made public
11) Tests are "peer-reviewed"
12) Anti-virus product developers are consulted
13) Independent anti-virus experts are consulted
14) Large corporate users of AV products are consulted
15) Large computer security firms are consulted
16) Test results are made public
17) And the certification can be revoked for the failure of a product to maintain these standards.

The reports issued by independent organizations were also a very important factor before we could recommend SEP, and Symantec has been amongst the top in almost all the test cases (http://www.av-comparatives.org/images/stories/test/ondret/avc_report22.pdf and http://www.virusbtn.com/vb100/archive/results?display=summary; registration required to view the page).


The new ICSA certification scheme is designed to focus on the real threat to corporate PCs: those viruses known to be in the wild. In order to be certified, a product must pass the following tests:
1) Certified products must detect 100% of all those viruses defined as 'in the wild' according to the upper part of the Wild List. As new viruses are discovered all the time, the Wild List used is the one which was current two months prior to the date of the certification test.
2) Certified products must still detect a minimum of 90% of the ICSA virus 'Zoo', made up of samples of some of the 6000+ other viruses known.

3. What were the strategic or financial reasons you chose Symantec Endpoint Protection Solutions?

The environment is made up of SAV 10.x and Sygate 4.1 for the client machines. The migration to SEP from SAV is a relatively simple process compared to other vendors. The only issue is the Sygate uninstall, as ver. 4.1 is not supported for migration to SEP. We will be creating a single package for the uninstall of Sygate, a reboot, and then the migration of SAV. The implementation has been outsourced to Symantec and they are doing a great job with the architecture. We have ~2,000 servers and ~37,000 client machines. Once the product is implemented, the extrapolations suggest that the management cost will decrease with an increase in efficiency, considering the completely centralized architecture. I have been involved with an almost similar environment before, and the client couldn't believe how many resources they eventually saved.

4. What were the technical criteria/reasons you chose Symantec Endpoint Protection Solutions?

The analysis that we have done is based on the following points other than those mentioned in 2) above.
a) Ease of migration.
b) Cost involved.
c) Fallback measures (DRP).
d) Threat detection rates.
e) Robustness.

5. Symantec was the right choice because

of excellent support, an excellent product, and hearing the customers' needs and requirements (remember the multiple view for the clients).

6. How has your Symantec Security Solutions helped you be more successful?

I am an AV admin, and if the AV is not doing its job, then for management I am not doing my job. It's very simple. By far, SEP is the best security solution suite for the end user that they have come up with. It makes an administrator's job fun to be at, and the troubleshooting is relatively easier than in all the previous versions. I have been involved with providing training for SEP as we expect more SEP projects to come in. Obviously.
Comments

Jul 31, 2009 11:54 AM

Almost all virus infections were automatically resolved by SEPM...
Great application, I may say...

Jul 29, 2009 05:29 AM

SEP has really made life easier for AV admins :-)