Endpoint Protection

Connect And Protect | How Symantec Endpoint Protection is playing a critical role in securing our endpoints. 

Aug 17, 2009 11:30 PM

Good day everyone,
My name is Jeff Wichman, from the "Symantec Twin Cities Security & Compliance User Group." If you are responsible for your organization’s Information Assurance, use Symantec for some part of your security program, and are in the Minneapolis/St Paul area, I highly suggest you join us at one of our quarterly meetings. No, I do not work for Symantec; I am just happy with what I have experienced with the SEP product. I am going to leave the name of my employer out of this article simply because these are my opinions and not necessarily those of my employer. We are currently running close to 10,000 clients with SEP (11.0.4202.75). Approximately half of our clients are remote users connecting to various WiFi hotspots, untrusted third-party networks, and occasionally one of our main remote offices. The other half consists mainly of Windows-based servers and 4,000 internal corporate clients located in either of our two primary locations. We also have 300 full-time telecommuters.
 
One of my primary responsibilities is analyzing our endpoint security posture. This includes how we secured our endpoints in the past, what the current security controls are, and what direction we need to take for future protective controls. On a monthly basis, reports are run to gather statistics regarding the threats we are encountering, where (and how) we detect these threats, and which types of users are posing the greatest threat to our organization. These reports help guide my team (of three) in determining what additional layers of protection we need, where we can enhance our security awareness program, and any potential weaknesses in our defenses.


What were your data protection criteria, concerns and related issues, and how did Symantec Endpoint Protection resolve them?
My organization previously relied on SAV 10.x for our antivirus protection and another vendor supplying firewall/IDS protection. We have been a Symantec customer (from an AV perspective) for more than 10 years (to my knowledge). In my time with the company we only had one instance where Symantec had an issue with missing a new variant of a virus. All in all, the company was happy with Symantec. My team, however, was looking for a product that would offer more than simply antivirus. We wanted a product that would offer a simplified installation (fewer products to install), a lower footprint on the client systems, one management interface that allows multiple administrators to access it simultaneously, greater flexibility with logging client actions, and even greater awareness of network bandwidth considerations when updating definitions.
 
The firewall/IDS vendor’s product was good in many respects; however, there were a couple of areas we had concerns with. Two of the major areas were the lack of flexibility in firewall rule creation and the customization of IDS rules. The inability (or lack of an easy method) to customize or create customized IDS rules for our clients caused stumbling blocks that we faced on multiple occasions. Some of my analysts like to work with cutting-edge firewall and IDS rulesets from www.emergingthreats.net. The lack of an easy method to import a large number of hosts into the previous vendor's firewall limited the usefulness of the EmergingThreats website.
 
When our Symantec representative came in for a dog-and-pony show prior to the SEP gold release, I was skeptical that the product would be able to perform as claimed. However, the list of interesting features had me tweaked (yes, technical term) to say the least. How could someone in the field of Information Assurance not look into a product that claimed to provide so many features? The following features are really what prompted us to continue looking at the Symantec product line for our endpoint protection needs.
 
  • Application and Device Control
  • Location Awareness
  • Host Lists
  • Management Server Lists
  • Symantec Network Access Control
  • Centralized reporting
  • Creating custom IDS/IPS signatures (based on the Snort rule format)

We continue to enable features in the SEP suite in a phased approach. We found it was easier to troubleshoot issues if we took it one component at a time. I would love to say we are running everything in the SEP suite, but we are currently limited to Anti-virus/spyware, IDS, and Application Control. We are testing the firewall component (and importing of EmergingThreats firewall rulesets) and beginning to examine Device Control. Somewhere down the road we will begin looking at/testing SNAC to see if it is a fit for our organization.
 
What were the strategic or financial reasons you chose Symantec Endpoint Protection Solutions?
Strategically, we chose the SEP suite because of the rich feature set found in the product. The ability to control/command over 8,000 clients from one management interface proved to be a major point in my organization. Simply put, the fewer tools my team has to perform our duties, the better. Rather than training each of us on multiple systems, we can all work with one solution and cross-train each other. Each of us has a specific area of expertise and acts as a backup for the others. Additionally, in the current economy we needed to be very cognizant of our spending on security controls. Cost savings should be core to each of our security practices. By focusing on one product that we had no plans on leaving, and (planning to) eliminating the other vendor's firewall, we were able to offer substantial savings to my organization. The initial savings will happen when we decommission the other vendor's firewall/IDS. We have also indirectly reduced other costs because of:
  • Reduction of the software training my team needs
  • Indirect reduction of the time we need to train the Helpdesk
  • Reduction of the application footprint on our endpoints
  • Reduced support call resolution time (less time trying to figure out which product ‘to blame’)
  • Reduced time updating our solution database for issues our Helpdesk needs to be concerned with
  • Reduced risk of vulnerability concerns (overlapping products might cause software insecurities)

What were the technical criteria/reasons you chose Symantec Endpoint Protection Solutions?
There were multiple technical reasons we chose to continue our relationship with Symantec. Many of the reasons we chose to remain with Symantec were the reliability behind the AV product, Network Threat Protection, Proactive Threat Protection, and Application/Device Control. 
 
Symantec’s Corporate Edition has been a reliable source for my organization’s anti-virus protection for many years. In the past, the anti-virus solution has worked well protecting our endpoints from malicious software and maintaining a small footprint on my organization’s systems. 
 
The Network Threat Protection component of SEP is one of my favorite components of the SEP suite. The firewall component (from the Sygate acquisition) allows organizations to finely tune the firewall configuration. This alone made SEP stand out in the eyes of my organization. The number of configuration parameters in the firewall configuration and the ability to create Management Host Lists made the SEP firewall easily overwhelm the capabilities of our previous host-based firewall vendor's product. As stated earlier, the IDS component of SEP provided what my team considered excellent coverage from threats. Symantec releases a number of IDS signature/rule updates, which cover many of the threats my organization faces. Additionally, the ability for my team to develop custom IDS signatures set the product above the current vendor. Even though the IDS rules are based on the older rule form, it allows my team some ability to create specialized rules.

Proactive Threat Protection so far has proven to be worth its weight in gold. While it has yet to detect something that is an unknown malware type, it has detected unauthorized versions of VNC located throughout our network.
 
Application and Device Control has many technical features which I will enjoy digging into when I have more time. So far, some of the work we have done with Application Control includes detecting unauthorized USB devices, preventing writes to USB drives, disabling U3-capable USB devices, and preventing CD-R/DVD-R type devices from recording material.
 
Symantec was the right choice because...?
Symantec was the correct choice for my employer because we already had an existing relationship with the vendor, the product contained the necessary components to secure our endpoints (now and in the future), and Symantec had an excellent track record (for my employer). Sometimes I have difficulties with phone-based support; however, those are often overcome with a call to my sales representative or my dedicated sales engineer.
Another added bonus, which I actually stumbled upon, is Symantec Connect (formerly STN). I have learned a great deal from many of the dedicated followers/users of SEP. Many answers can be found or addressed in Connect faster than by calling support. Unfortunately, there are some unhelpful responses to filter out, but after following the boards for a while it is easy to find the right answers.
 
Also, I have made some great connections in the local Symantec User Groups. Our first session was great and contained a lot of useful information. It is a great opportunity for Symantec customers to relate to each other, find out how we are addressing our problems, and help each other out under some circumstances. I am looking forward to the next Twin Cities Security & Compliance User Group meeting in October 2009.
 
How have your Symantec Security Solutions helped you be more successful?
Symantec Security has helped my team be more successful in multiple ways. First, it has greatly improved the security posture of our endpoints. The use of anti-malware, IDS, application and device control, and firewall in one solution provides my organization with some relief from the never-ending bad news stories.
 
The Symantec Endpoint Protection suite has provided me with the details which our executive team wants to know: statistics related to where viruses are coming in from, who the infectious users are, how the threats are impacting our endpoints, and where we can enhance our protective measures. I rely on the Symantec reporting functionality to put myself directly in front of our management team to answer the questions they need to hear regarding our state of security. In some cases the reporting functionality does not give me enough information, so I will reach directly into the database and export the necessary information for analysis. By releasing the database schema, Symantec empowered me (and my team) to build the information necessary for me to respond to management, suggest improvements for our security awareness training program, and provide clear-cut examples for educating users in Lunch-n-Learn seminars.

Finally, while it may be too late for the contest, it is never too late to share a story. I have a couple of articles on Connect for SEP and have plans on writing more. Hopefully they will help someone with their setup/configuration of SEP.

Cheers!
