The world of security continues to change, sometimes faster than you want. People now work from anywhere, not just from their corporate headquarters. And BYOD has added billions of devices into the enterprise ecosystem. That is why Symantec, as a division of Broadcom, continues to be your vendor of choice on this journey with our Endpoint Security solutions. Symantec Endpoint Security, a SaaS application, delivers the most complete, integrated endpoint security platform on the planet. As an on-premises, hybrid, or cloud-based solution, the single-agent Symantec platform protects all your traditional and mobile endpoint devices, and uses artificial intelligence (AI) to optimize security decisions. A unified cloud-based management system simplifies protecting, detecting and responding to all the advanced threats targeting your endpoints.
We spoke recently with Alpesh Mote, Product Management Lead for Endpoint Security about the latest Symantec Endpoint Security release (14.3 RU1) that supports our flagship Symantec Endpoint Security products. Here are some of the highlights from our conversation:
Q: Let’s start by talking about the security gains in the new Symantec Endpoint Protection 14.3 RU1 release; namely living off the land protections and blocking untrusted, non-portable executable files. How do these security innovations help our customers?
A: Adversaries have been using non-Portable Executable (PE) files like office documents and PDFs embedded with either malicious links or actual malicious active content as delivery vehicles to launch targeted attacks. Security Admins would have to find and delete every copy of these files or ask end users to not open the document; neither of these is a reliable or scalable solution. 14.3 RU1 offers a reliable and easy-to-use method in which administrators can now proactively block malicious non-PE files using hash, size and other parameters.
Additionally over the past few years, Symantec has observed a shift in the threat landscape towards targeted attacks utilizing increasingly sophisticated techniques. These include a wide range of living-off-the-land tactics with attackers taking advantage of native applications, tools and services already present on targeted systems. This allows the attackers to achieve their goals without needing to create and deploy their own binary files on disk— operating fileless, so to speak—or to blend in with the daily work of a system administrator who uses the same dual-use tools. Symantec Endpoint Protection (SEP) has several new features that enable better protection and prevention of targeted attacks that utilize living-off-the-land techniques including ransomware and supply chain threats. With SEP 14.3 RU1, we have enhanced our parsing technology to prevent threats utilizing Office files such as Excel to deliver their attack and improved heuristic capabilities for common file types used in living-off-the-land attacks (e.g. .LNK, .MSI, .PDF, .SCT, task scheduler XML). We have also enhanced our behavior detections for ransomware such as Ryuk and Egregor and optimized scoring heuristic protection for the packed malware (.NET, VB and Delphi packer)
Symantec Endpoint Security, a SaaS application, delivers the most complete, integrated endpoint security platform on the planet.
Q: I see that Symantec made significant enhancements across a number of operating systems. Let’s start with the macOS agent. What new elements do customers enjoy with this release?
A: In a recent article posted by ComputerWorld, IDC confirmed that Mac's market growth has reached a 23% share in US enterprises. What used to be a niche capability to offer protection for Mac is now becoming mainstream. Unmanaged, unprotected Macs pose significant risk to enterprises. That is why with SEP 14.3 RU1 there are significant improvements to our Mac agent. This agent provides support for the latest Apple Big Sur release. It also enhances the protection capabilities by offering behavioral analysis, which analyzes good and bad behaviors to prevent new and unknown threats. It includes a new Intrusion Prevention engine for blocking network-based vulnerabilities and malware/threats. The latest agent enables SOC analysts to gain improved visibility into advanced threats. You can check out more information about protection for macOS on our blog; Symantec Endpoint Security on MacOS
Q: And what about the Linux agent? What can Symantec customers expect to see with RU1?
A: Protecting Linux assets is critical to our customers. Most customers will use Linux on servers and we want to make sure we have the best security available for our customers to help protect these crown jewels in their environment. With SEP 14.3 RU1, we have made significant changes to the Linux agent. The new Linux agent is a single agent that can be deployed and managed from either the on-premises Symantec Endpoint Protection Manager or the Integrated Cyber Defense Manager cloud console. The new agent brings in the Symantec Endpoint Foundation similar to the Windows and Mac agent offering advanced protection technologies like Machine Learning and emulator. This release also makes it easy for administrators to deploy and maintain the agent by supporting deployment using RPM and DEB packages on Linux. It also offers improved support for newer Linux kernels by regular updates to the kmod packages.
The new Linux agent is a single agent that can be deployed and managed from either the on-premises Symantec Endpoint Protection Manager or the Integrated Cyber Defense Manager cloud console.
Q: Symantec is also offering protection for endpoint and users from web-based attacks, please tell us more about that.
A: As you already know, many users in an enterprise receive phishing emails or phishing URLs every day. Phishing & malicious distribution URLs are used by adversaries to distribute malware with the goal to obtain passwords and user/other account information. A simple click on a phishing email link can kick off a ransomware attack. The newly integrated Web based threats protection and Intrusion Prevention policy helps protect against Phishing URLs, Botnet CnC URLs, and Malware distribution URLs.
The unique thing about this capability is that it brings together our 2 most powerful protection capabilities Intrusion Prevention and our WebPulse global URL intelligence information that are second to none in the industry. Symantec’s Intrusion Prevention System (IPS) is one of the crown jewels in the endpoint protection stack and it is our first line of defense. Nearly every attack arrives via the network – IPS provides early protection in the Incursion Phase by blocking attacks even before it lands on the machine. Bringing the 2 technologies together helps bolster our network protection capabilities to provide protection against unknown and known threats, exploits, and CnC traffic by leveraging the URL reputation information.
Q: Can you talk more about Web and Cloud Access Protection (Network Traffic Redirection) integration with SEP 14.3 RU1?
A: Web and Cloud Access Protection (NTR) in SEP 14.3 RU1 forwards internet traffic to Symantec Web Security Services (WSS) for policy based handling. This protects endpoints and users from web-based attacks on malicious sites, as well as blocking access to categories of sites that are contrary to corporate policy.
Q: How Does Web and Cloud Access Protection Work?
A: The Symantec agent on endpoint uses the PAC file or integration token from Symantec Web Security Service (WSS) portal. Based on the policy settings, all traffic from the endpoint is either redirects it to the WSS server for analysis, blocked or allowed it to continue to its destination
The beauty of this integration is that all this capability is delivered via a Single Agent, the same Symantec agent that is running on endpoint. Administrators do not have to deploy and manage additional agents which can be expensive to maintain.
I have one last thing to call out here, the SEP 14.3 RU1 agent can run with Windows Defender in coexistence mode which allows us to execute advanced detection stack alongside Microsoft basic AV.
The most dangerous and damaging threat is the one you don’t see coming. As targeted attacks increase in sophistication and volume, enterprises need to reduce the overall number of incidents analysts have to investigate and ensure that responders are focused on the highest priority incidents. SEP 14.3 RU1 agent is an important part of that solution for Enterprise customers.
We encourage you to share your thoughts on your favorite social platform.