Symantec Endpoint Protection: Platform at a Glance
Symantec Endpoint Protection is a software suite that provides comprehensive protection and security management for endpoints in the enterprise. The suite includes advanced malware protection, application control, exploit prevention, Endpoint Detection and Response (EDR) (see our guide on EDR Cybersecurity), and deception tools. Read on to learn how Symantec’s offering is structured and the security features provided by each component.
The Symantec Endpoint Security Suite provides attack prevention, detection and response for endpoints in an organization. It provides a broad feature set including traditional and machine-learning-based prevention measures, Endpoint Detection and Response (EDR), application control, and deception technology.
The Endpoint Protection suite provides the following platform-level capabilities:
Attack surface reduction—ranks vulnerabilities and threats by severity and by the number of affected devices, to help prioritize fixes. Integrates with Active Directory to discover misconfigurations and vulnerabilities. Offers device control for wired and wirelessly connected devices, application isolation and application control.
Attack prevention—protects against file-based and fileless attacks and memory-based exploits, using machine learning to identify new and unknown threats, and blocks attacks in real time. Prevents malware with pre-execution detection, sandboxing, suspicious file monitoring and removal, as well as traditional signature-based methods. Provides granular control over the level of detection and blocking on each device.
Breach prevention—provides a device firewall; deception technology that uses fake files, credentials, network shares, web requests and fake endpoints to reveal attacker tactics and delay attackers from reaching real IT resources; and obfuscation that confuses attackers and controls their view of the organization’s Active Directory.
Endpoint Detection and Response—leverages the Targeted Attack Analytics database used by Symantec’s 3,000 security researchers to rapidly detect incidents and provide information on the attacker, techniques, impacted machines, and remediation instructions. Identifies advanced attacks leveraging legitimate apps, using data enriched by the MITRE ATT&CK framework. Provides threat hunting tools with built-in security playbooks. Enables security staff to take direct action on the endpoint to remediate it.
Symantec SOC analysts—the platform provides access to expert SOC investigators and analysts, who can help detect stealthy attacks and examine suspicious activity.
Symantec Endpoint Protection 15/14/Cloud Features
The Symantec Endpoint Protection Suite is offered in three editions:
Endpoint Protection 15—cloud-delivered endpoint protection (see data sheet)
Endpoint Protection 14—on-premises and hybrid deployment with a single agent (see data sheet)
Endpoint Protection Cloud—security-as-a-service for small to medium businesses (see data sheet)
Below we describe the main features of Endpoint Protection 15. The other editions provide similar features, with different deployment options. For more details see the data sheet for each edition.
Antivirus—scans for malware and removes it.
Firewall and intrusion prevention—controls traffic to the endpoint and prevents malware from spreading to other devices.
Application and device control—controls files, system registry, device access and behavior, and provides application whitelisting and blacklisting.
Power Eraser—enables remotely wiping the endpoint to deal with Advanced Persistent Threats (APT) and malware that is difficult to remove.
Host integrity check—verifies endpoints are protected and compliant, detects unauthorized changes and performs damage analysis.
System lockdown option—lets whitelisted applications run normally while blocking blacklisted applications.
Mobile roaming user protection—protects mobile users whether they are connected to the corporate network, to other networks, or completely offline, with complete visibility of all remote mobile devices.
Network integrity protection—identifies rogue Wi-Fi networks using hotspot reputation databases.
Smart VPN—protects device network connections via policy-driven VPN.
Additional Security Features
Global Intelligence Network (GIN)—offers the world’s most extensive civilian threat intelligence network, with data from millions of attack sensors, analyzed by Symantec threat researchers. Endpoint protection tools use the GIN together with machine-learning-based reputation analysis to determine whether files and websites are safe.
Emulator sandbox—provides a lightweight sandbox deployed on endpoints that can detonate and detect polymorphic malware.
Optimized signature database downloads—eliminates the need to download full signature files to endpoints. Only the newest, most relevant threat information is downloaded, reducing signature definition file sizes by up to 70%.
Flexible deployment—can be deployed via a Windows App Store application or via mobile device management (MDM) tools.
ARM processor support—protects Windows 10 in S mode on Snapdragon, Intel and AMD processors.
Device hardening and app isolation—reduces attack surface by controlling which applications can run and what they can do, performs comprehensive application discovery and conducts risk assessment of apps and their vulnerabilities. Isolates suspicious or malicious apps to prevent the execution of privileged operations, while shielding legitimate applications from exploits.
Application control—enables device lock-down, with default deny for non-whitelisted applications and restricted updates for trusted apps. Provides flexibility by allowing administrators to permit the use of unapproved applications while being notified of the risk.
Deception—plants deceptors on endpoints to expose hidden adversaries and reveal attacker intent and tactics.
Endpoint Detection and Response (EDR)—leverages Targeted Attack Analytics (TAA) which combines local and global telemetry, machine learning analysis and attack research to detect a wide range of attacks. TAA constantly provides new attack analytics and generates custom incident definitions, including attacker methods, impacted machines, and remediation guidance. The EDR module can rapidly and automatically fix endpoints.
Endpoint Protection—Prevention, Detection and Protection with Cynet 360