In a world in which threats never stand still but evolve to assume new and ever more dangerous shapes, you can never have too much cyber security information. Or can you? If you have multiple cyber security tools but can’t pull cohesive data from them, correlate it and draw actionable conclusions, then yes, you can have too much information. Without system integration, copious threat information is likely to create more confusion than clarity, or leave your Security Operations team overwhelmed trying to react to every alert—leaving your organization vulnerable to attack as new threats emerge.
The answer to this conundrum is Integrated Cyber Defense (ICD), our strategy for deeply integrating Symantec and third-party solutions into a single architecture that can correlate and share threat intelligence. The ability to aggregate, integrate and make sense of cyber security information from multiple sources is key to building an effective defensive strategy, whether Zero-Trust or SASE. Because today’s enterprise data crisscrosses public and private clouds, your tools need to identify threats anywhere.
Here are some key Symantec integrations that will enable you to turn cyber security data into actionable intelligence to defend against evolving threats:
1. Network Integrated with Threat Analytics tools and the Endpoint
As your employees access files and the corporate network to do their work, there’s a good chance one of those files will be bad news. If your systems identify suspicious activity, you need to identify that file, understand the threat, and get rid of it as quickly as possible. Enter SSL Visibility (SSLV), Security Analytics, Content Analysis, and Endpoint Security Complete—all working together.
Our SSL Visibility solution decrypts your network traffic and sends it on to Security Analytics for analysis. What’s powerful about SSL Visibility is that you can inspect any traffic, even if it’s encrypted.
Security Analytics is Symantec’s network traffic analysis and forensics solution. It’s like having a camcorder for your security data. It records everything so you can go back and look into the details of any threat. Security Analytics analyzes the file and tries to identify what it is. If traditional security rules aren’t able to easily draw a conclusion, then Content Analysis can take over to analyze the potentially malicious content more deeply.
Content Analysis is the most effective way to detect file-based malware. It combines multiple engines – allow list, deny list, dual anti-virus, and advanced machine learning – to identify advanced malware. It also has the option of a full-emulation and virtual-detonation sandbox to replace less effective sandbox technologies.
Now integrate Content Analysis with our Endpoint Security Complete solution, and Content Analysis can then forward on a deny list to Endpoint Security Complete and have that malicious file removed from all endpoints on the network.
2. Threat Analysis Tools Integrated with a Range of Control Points
Threat telemetry comes in from all different sources—laptops, mobile phones, the network, cloud apps, web traffic, data centers. The more you can collect and analyze, the stronger your threat intelligence will be. Enter Information Centric Analytics (ICA).
ICA is a platform that collects alert data from many Symantec and third-party tools to identify risks present in your organization. It focuses on entities like endpoints and users so it can correlate and aggregate telemetry from your controls—a key capability of the SASE and Zero Trust frameworks. By understanding normal behaviors, ICA can help detect deviations—revealing potential insider threats as well as outside threats present in your environment.
ICA’s threat analysis gives tremendous visibility into threats because it integrates with Data Loss Prevention (DLP), CloudSOC, Endpoint Security Complete (SES Complete), Web Security Service (WSS), ProxySG, Data Center Security (DCS), Control Compliance Suite (CCS), and third-party solutions.
3. Collecting Data Across Symantec and Third-Party Solutions
Collecting data across a variety of control points plus third-party solutions seems fairly straightforward. It’s not. Each of the control points stores data in its own format, so the first step is to collect the data and normalize it. Enter Integrated Cyber Defense Exchange (ICDx).
ICDx collects, parses, and normalizes telemetry information across control points, such as emails, endpoints, web, network and DLP. ICDx then forwards high fidelity data to Security Operations Center front-ends like Splunk and Elastica. With this intelligence integrated into your security environment, you get faster, more effective correlation and response. You can also send it on to your own APIs to help your Threat Hunters dive into the data.
You can read more about data normalization through ICDx in the blog “Symantec XDR: Data Normalization is Key”.
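To make the normalization step concrete, here is an added example (not ICDx code; the page names no schema, so the three record formats, the field names and the sample values are constructed assumptions) that parses an endpoint alert, a proxy log line and a DLP event into one common schema and then correlates them by user across control points:

```python
"""Normalize telemetry from three control points into one event schema.
Added example, not ICDx code: record formats, field names and sample
values below are constructed assumptions, not anything from the page."""
import json
from datetime import datetime, timezone

# Constructed sample records: each control point logs in its own format.
ENDPOINT_JSON = ('{"ts": 1621533600, "host": "WS-0142", "user": "jdoe", '
                 '"sha256": "CONSTRUCTED_HASH", "verdict": "malicious", "sev": "high"}')
PROXY_KV = ('time=2021-05-20T18:01:05Z src=10.1.2.3 user=jdoe action=BLOCKED '
            'url=http://example.invalid/drop.bin risk=8')
DLP_CSV = '2021-05-20 18:02:10,jdoe,WS-0142,Confidential,Block,5'

SEVERITY_WORDS = {"low": 2, "medium": 5, "high": 8, "critical": 10}  # words -> 0..10 scale
UTC = timezone.utc

def parse_endpoint(raw):
    r = json.loads(raw)  # JSON with epoch seconds and a severity word
    return {"time": datetime.fromtimestamp(r["ts"], tz=UTC), "product": "endpoint",
            "user": r["user"], "host": r["host"], "severity": SEVERITY_WORDS[r["sev"]],
            "action": r["verdict"], "sha256": r.get("sha256")}

def parse_proxy(raw):
    kv = dict(p.split("=", 1) for p in raw.split())  # key=value pairs, ISO-8601 time
    return {"time": datetime.strptime(kv["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC),
            "product": "proxy", "user": kv["user"], "host": kv["src"],
            "severity": int(kv["risk"]), "action": kv["action"].lower(), "sha256": None}

def parse_dlp(raw):
    ts, user, host, _policy, action, sev = raw.split(",")  # positional CSV, no header
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=UTC),
            "product": "dlp", "user": user, "host": host, "severity": int(sev),
            "action": action.lower(), "sha256": None}

def normalize_all(records):
    """records: list of (source, raw_record). Returns common-schema events in time order."""
    parsers = {"endpoint": parse_endpoint, "proxy": parse_proxy, "dlp": parse_dlp}
    return sorted((parsers[src](raw) for src, raw in records), key=lambda e: e["time"])

def correlate_by_user(events, min_products=2):
    """Users that appear in at least min_products distinct control points."""
    seen = {}
    for e in events:
        seen.setdefault(e["user"], set()).add(e["product"])
    return {u: sorted(p) for u, p in seen.items() if len(p) >= min_products}
```

Once every event carries the same `time`, `user`, `host` and `severity` fields, the same correlation runs regardless of which product produced the record, which is the point of normalizing before forwarding to a SOC front-end.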
4. Third-party Solutions to Deepen Threat Intelligence
Integrations within our own portfolio are key and yet we know that Symantec will not be your only vendor. That’s why we built in easy ways to integrate with third-party solutions. Take Anomali Match as an example. The integration between Symantec and the Anomali platform offers a powerful mechanism to aggregate, enrich, and analyze existing data from the entire Symantec security suite.
Anomali Match matches Symantec product events against validated threat intelligence to determine which events are malicious and merit further human investigation. Security analysts gain additional insight through threat bulletins, vulnerability information, and other indicators of compromise. Joint customers save a significant amount of time and effort, deal with less complexity, and take action more quickly.
Sure, you could integrate some of these cyber security capabilities yourself. But doesn’t it make sense to take advantage of the work of a trusted organization with years of experience and global resources? Symantec has already done the heavy lifting by integrating these tools—not only helping you get more value out of the tools you already own, but also removing the need for hours of your own manual engineering effort.
The malware that is well known is easy to stop. Because bad actors are always looking for new exploits and new vectors of penetration, you need to be on the lookout for evolving threats that don’t fit known profiles. To do that you need broad visibility across your infrastructure, including public and private clouds as well as endpoints.
The evolution of threat actors means we must look across our security control points to detect sophisticated threats—if we do it correctly, we can identify those threats, understand them, and isolate and remove them before they impact the organization we're protecting.
Delivering on Outcomes of XDR: Threat Analytics and Visualization
Watch a special webinar with Kyle Black and Jeremy Follis of Symantec at Broadcom, as they talk in-depth about threat analytics and visualization.
Packets or It Didn't Happen: Network-Driven Incident Investigations
In this webcast, SANS Senior Instructor Jake Williams and Alan Hall of Symantec at Broadcom examine the use of network traffic capture in today's incident response environment. Thursday, May 20, 2021 at 2:00 PM EDT (2021-05-20 18:00:00 UTC)