
Symantec XDR: Automatically Reducing Attack Surfaces

Why Preventative Measures Could Reduce the “R” in XDR

A skillful boxer knows how to make himself a smaller target, that is, to reduce his attack surface. It’s a strategy that has proven effective in many a bout; just check out some of Muhammad Ali’s fights on YouTube. In cyber security, the same principle applies. If your attack surface is reduced, a bad actor has fewer points in your organization to target, which strengthens your ability to defend by letting you focus on the attack vectors that remain.

Security teams continue to struggle in fundamental areas like detecting and responding to threats as quickly as possible, due to the overwhelming number of incidents and alerts that require their attention. One way to do this better is to reduce your attack surface through Extended Detection and Response (XDR). Symantec Integrated Cyber Defense enables XDR and is our strategy for simplifying and uniting cyber security tools, with these key capabilities:

  • Threat data collected across all fully-integrated control points and normalized for correlation
  • Visibility with rich context and correlation across control points
  • Attack surface reduction by leveraging conviction metadata, deception technologies, and cross-control point actions
  • Collaborative response to incidents through workflows
  • Automatic end-to-end remediation of threats at any control point
  • Auto-enhancing security based on correlated customer telemetry and real-time local context within the customer environment
  • Risk score that represents the enterprise security posture and recommendations to improve posture

Your attack surface consists of all the places where your organization is exposed to attack. By identifying risky behaviors across your security stack, you can isolate questionable behaviors and thereby reduce your attack surface. Symantec’s Integrated Cyber Defense (ICD) puts into place controls that reduce attack surfaces, and the telemetry collected through Integrated Cyber Defense Exchange (ICDx) helps mitigate risky behaviors and targeted attacks. 

Detecting these various threats and risky behaviors, then taking action to reduce or eliminate attack surfaces is a key outcome of XDR. Below we highlight some key technologies in ICD that help reduce various attack surfaces.

Attack Surface: Public Cloud Workloads

With the global outbreak of Covid, almost every organization transitioned to the cloud overnight. While many organizations planned a digital transformation over time, the outbreak forced many to move much faster. The cloud is an open frontier for adversaries—an abundance of attack surfaces. Those attack surfaces become even more visible when an organization misconfigures a workload in the public cloud. According to IBM X-Force, there was a 424% increase in data breaches due to cloud misconfigurations.

Enter Cloud Workload Assurance (CWA), a cloud security posture management (CSPM) solution for public cloud infrastructure-as-a-service (IaaS) platforms, including AWS and Microsoft Azure. It’s a cloud-native, API-driven service that provides continuous security monitoring and compliance checking. It monitors your cloud resources for critical misconfigurations and provides easy-to-follow, guided remediation steps, all within a single console. With CWA, you can remove misconfiguration of your public cloud workloads as one attack surface.
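To make the posture-management idea concrete, here is an added example (not CWA code, and not any provider's API) of the kind of rule-driven check a CSPM tool runs: a constructed inventory of cloud resources is evaluated against a handful of misconfiguration rules, and each finding carries the guided remediation step an operator would follow. Resource shapes, field names and the inventory itself are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional

# Constructed inventory; resource shapes and field names are assumptions for this
# example, not any cloud provider's or product's API.
INVENTORY: List[Dict[str, Any]] = [
    {"id": "bucket-public-logs", "type": "object_storage",
     "public_access": True, "encryption_at_rest": False},
    {"id": "bucket-finance", "type": "object_storage",
     "public_access": False, "encryption_at_rest": True},
    {"id": "sg-web", "type": "security_group",
     "ingress": [{"cidr": "0.0.0.0/0", "port": 443}, {"cidr": "0.0.0.0/0", "port": 22}]},
    {"id": "sg-db", "type": "security_group",
     "ingress": [{"cidr": "10.0.0.0/8", "port": 5432}]},
    {"id": "vm-batch-01", "type": "vm", "public_ip": True, "agent_installed": False},
    {"id": "vm-app-02", "type": "vm", "public_ip": False, "agent_installed": True},
]


@dataclass(frozen=True)
class Finding:
    resource_id: str
    rule: str
    severity: str
    remediation: str  # the guided step an operator would follow


ADMIN_PORTS = {22, 3389}            # SSH and RDP
ANY_ADDRESS = {"0.0.0.0/0", "::/0"}  # "open to the world" CIDRs

Rule = Callable[[Dict[str, Any]], Optional[Finding]]


def public_storage(r: Dict[str, Any]) -> Optional[Finding]:
    if r["type"] == "object_storage" and r.get("public_access"):
        return Finding(r["id"], "storage-public-access", "high",
                       "Disable public access on the bucket and grant access per principal.")
    return None


def unencrypted_storage(r: Dict[str, Any]) -> Optional[Finding]:
    if r["type"] == "object_storage" and not r.get("encryption_at_rest"):
        return Finding(r["id"], "storage-unencrypted", "medium",
                       "Enable default encryption at rest with a managed key.")
    return None


def admin_port_open_to_world(r: Dict[str, Any]) -> Optional[Finding]:
    if r["type"] != "security_group":
        return None
    exposed = sorted(rule["port"] for rule in r["ingress"]
                     if rule["cidr"] in ANY_ADDRESS and rule["port"] in ADMIN_PORTS)
    if exposed:
        return Finding(r["id"], "admin-port-world-open", "high",
                       f"Restrict ports {exposed} to a bastion or VPN address range.")
    return None


def exposed_vm_without_agent(r: Dict[str, Any]) -> Optional[Finding]:
    if r["type"] == "vm" and r.get("public_ip") and not r.get("agent_installed"):
        return Finding(r["id"], "vm-exposed-unprotected", "high",
                       "Install the workload protection agent or remove the public IP.")
    return None


RULES: List[Rule] = [public_storage, unencrypted_storage,
                     admin_port_open_to_world, exposed_vm_without_agent]


def evaluate(inventory: List[Dict[str, Any]]) -> List[Finding]:
    """Run every rule over every resource; one resource may yield several findings."""
    findings: List[Finding] = []
    for resource in inventory:
        for rule in RULES:
            finding = rule(resource)
            if finding is not None:
                findings.append(finding)
    return findings


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    """Posture summary: how many findings at each severity."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in evaluate(INVENTORY):
        print(f"[{f.severity:6}] {f.resource_id:20} {f.rule:24} -> {f.remediation}")
    print(severity_counts(evaluate(INVENTORY)))
```

Each rule is deliberately independent and pure, so a real tool can re-run the whole set on every inventory refresh and diff the findings between runs; that is what turns a one-off audit into continuous monitoring.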

Attack Surface: Multi-cloud Environments

While many companies are shifting to public clouds, they don’t just choose one public cloud. According to IDG’s 2020 Cloud Computing study, more than half (55%) of organizations currently use multiple public clouds. Of this group, 34% say their organization uses two public clouds, 10% use three public clouds and 11% use more than three public clouds. In shifting to public clouds, organizations are responsible for securing what’s in the cloud, whereas public cloud companies like AWS and Google secure the cloud infrastructure itself. This is the “Shared Responsibility” model that public clouds adopted quite a while ago. Many cloud providers typically use proprietary infrastructure and orchestration tools to secure their cloud infrastructure. Clearly what’s needed is a simple and cost-effective way for enterprises to secure workloads and reduce risk.

Enter Cloud Workload Protection (CWP). Symantec Cloud Workload Protection automatically discovers and inventories all workloads running on AWS, GCP, Azure, and OCI public cloud platforms. Workloads are profiled and categorized according to security risk, for example: Do virtual instances have CWP agents installed? Have the right security policies been applied to them? Have workloads been attacked or compromised? All workloads and their security status are then displayed on a simple visual topology map.


Usage of an organization’s cloud will surge and dissipate, as employees access the cloud workloads in peak and/or low periods of activity. CWP’s cloud-native integration enables security that deploys and scales automatically with workloads based on intelligent and customizable rule sets. It automatically applies security and monitoring policies to all new workloads as they are spun up or spun down.

With cloud workloads protected, the question now moves to Storage. How do you remove cloud storage as a potential attack surface? Enter Cloud Workload Protection Storage—an anti-malware and scanning solution for Amazon S3 and Azure Blobs. It utilizes industry-leading Symantec Endpoint Protection (SEP) anti-malware technologies and while scanning, it keeps storage contents in a protective environment until the “All Clear”. CWP Storage is integrated with our Data Loss Prevention solution so that your on-premises policies are automatically applied to your cloud storage.

Both Cloud Workload Assurance (CWA) and Cloud Workload Protection (CWP) are integrated with our industry-leading Data Loss Prevention (DLP) solution. This key integration lets you audit your cloud assets, monitor them for attacks, and tell which cloud assets are holding sensitive data. That’s the power of XDR in the cloud.

Attack Surface: Active Directory

Active Directory, a directory service developed by Microsoft, is a database and set of services that connect users with the network resources they need to get their job done in any organization. It contains critical information about a company’s environment, including what users and computers there are and who is allowed to do what, information that any adversary would love to know. Active Directory has a 95% market share among the Fortune 500 companies, so it is widely used. How can you protect your Active Directory from attack?

In Symantec’s comprehensive Endpoint Security Complete, we include a feature called Threat Defense for Active Directory (TDAD). It effectively controls an attacker’s perception of the organization’s internal resources—all endpoints, servers, users, applications, and locally stored credentials. It autonomously learns the organization’s Active Directory structure in its entirety and uses this data to create an authentic and unlimited obfuscation. In other words, we remove Active Directory as an attack surface by making the data in Active Directory obscure or confusing to the attacker.

Attack Surface: Employee Behavior

Employees and how they behave, meaning what apps they access, what links they click, what sites they visit and what data they download, have become a fast-emerging attack surface. Adversaries take advantage of unsuspecting and, at times, naive employee actions both inside the firewall and remotely. Detecting these threats and responding to them is critical for organizations. That’s where Behavioral Isolation comes in. Behavioral Isolation works to reduce attacks upon the network, and ensures employees and customers can access the services and programs they need in a safe environment. As part of Symantec Endpoint Security Complete, the Behavioral Isolation feature helps organizations identify app behavior that is unusual and potentially risky, gain better visibility of risky behavior, and manage that risky behavior more easily. Ultimately, it reduces this potential attack surface by blocking behavior that is unusual and allowing behavior that is authorized.

Attack Surface: Remote Devices

Use of mobile devices has increased astronomically, given the global pandemic and employees working from home during lockdown. Reducing mobile devices as attack surfaces is tricky: an organization doesn’t want to wait for a mobile device to be compromised before “responding” to the threat. That’s where cross-control point sharing comes in. One of the biggest values of XDR is the ability to share data and identify a threat on one control point, and proactively mitigate it on another. With the integration of Symantec Endpoint Security Complete and Web Security Service (WSS), that’s exactly what happens. If WSS detects a malicious file on the network, it informs SES Complete, which then checks every device for that same malicious file. If found, SES Complete isolates the affected endpoint from the network proactively and can scan for and isolate the file across any endpoint, anywhere in the world. You can read more about how this works in our blog called “XDR: Helping Keep Your Users Safe” by Jeremy Follis.
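The cross-control point flow described above, as an added example that is not Symantec WSS or SES Complete code: a network-side detection is normalized into a shared conviction record (the “threat data normalized for correlation” capability from the list at the top), the convicted file hash is matched against each endpoint’s file inventory, and an isolation and quarantine action is planned for every endpoint holding the file. The event schemas, device names and the hash (derived from a harmless placeholder string) are all constructed for this example.

```python
import hashlib
from dataclasses import dataclass
from typing import Any, Dict, List, Optional


def _h(data: str) -> str:
    """SHA-256 hex digest of a short string; used only to build constructed sample hashes."""
    return hashlib.sha256(data.encode()).hexdigest()


# Constructed hash standing in for a real conviction (no real malware involved).
MALICIOUS_SHA256 = _h("constructed-sample-payload")

# Raw detection as a web gateway control point might emit it (constructed schema).
NETWORK_EVENT: Dict[str, Any] = {
    "source": "wss", "verdict": "malicious", "ts": "2021-03-01T10:00:00Z",
    "file": {"sha256": MALICIOUS_SHA256.upper(), "name": "invoice.exe"}, "user": "alice",
}

# Raw per-device file inventory from the endpoint control point (constructed schema).
ENDPOINT_INVENTORY: List[Dict[str, Any]] = [
    {"source": "ses", "device": "LAPTOP-01", "files": [MALICIOUS_SHA256, _h("clean-a")]},
    {"source": "ses", "device": "LAPTOP-02", "files": [_h("clean-b")]},
    {"source": "ses", "device": "SERVER-07", "files": [MALICIOUS_SHA256, _h("clean-c")]},
]


@dataclass(frozen=True)
class Conviction:
    """Normalized indicator shared across control points."""
    sha256: str
    origin: str     # control point that produced the verdict
    file_name: str


@dataclass(frozen=True)
class Action:
    device: str
    action: str     # "isolate_from_network" or "quarantine_file"
    reason: str


def normalize_network_event(event: Dict[str, Any]) -> Optional[Conviction]:
    """Map a gateway event into the shared schema; only malicious verdicts become convictions.
    Hashes are lower-cased so that case differences between sources do not break matching."""
    if event.get("verdict") != "malicious":
        return None
    f = event["file"]
    return Conviction(sha256=f["sha256"].lower(), origin=event["source"], file_name=f["name"])


def correlate(conviction: Conviction, inventory: List[Dict[str, Any]]) -> List[str]:
    """Return the devices whose file inventory contains the convicted hash."""
    return [d["device"] for d in inventory
            if conviction.sha256 in {h.lower() for h in d["files"]}]


def plan_response(event: Dict[str, Any], inventory: List[Dict[str, Any]]) -> List[Action]:
    """Full flow: normalize the network detection, correlate against endpoints,
    then emit the containment actions for every affected device."""
    conviction = normalize_network_event(event)
    if conviction is None:
        return []
    actions: List[Action] = []
    for device in correlate(conviction, inventory):
        reason = (f"{conviction.file_name} ({conviction.sha256[:12]}...) "
                  f"convicted by {conviction.origin}")
        actions.append(Action(device, "isolate_from_network", reason))
        actions.append(Action(device, "quarantine_file", reason))
    return actions


if __name__ == "__main__":
    for a in plan_response(NETWORK_EVENT, ENDPOINT_INVENTORY):
        print(f"{a.device:10} {a.action:22} {a.reason}")
```

The point of the normalization step is that the endpoint side never has to understand the gateway’s native event format; it only consumes the shared conviction record, which is what lets a third or fourth control point join the same flow later.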

But how about unmanaged devices? With the onslaught of Covid-19, many organizations have had to deal with employees using their own devices to access networks. Symantec’s CloudSOC Mirror Gateway (an add-on feature for CASB) enforces the same level of security controls on an unmanaged device as on a managed device, without needing an agent. You can read more about CloudSOC Mirror Gateway in our blog called “Symantec CloudSOC Mirror Gateway: Solving the Unmanaged Device Problem” by my colleague Dori Varas.

With XDR you can reduce your attack surface and let security teams continue to focus on fundamental areas like detecting and responding to threats as quickly as possible. At Symantec we are here to help you do this through our strategy for simplifying and uniting cyber security tools. Don’t leave yourself open for a knock-out punch from your attackers: XDR can help you fight back.


About the Author

Kyle Black

Technical Director - Information Security

Kyle is currently a Technical Director for the Information Security Group focusing on maturing data protection programs, mitigating insider threats, and bringing together security telemetry to deliver better outcomes to our customers.
