We expect most security conversations for the next several months, at least, to be around the Sunburst/SolarWinds attack. Former homeland security advisor Thomas Bossert has said, “The magnitude of this ongoing attack is hard to overstate.” Through a supply chain attack, 18,000 SolarWinds customers had their networks breached. This included 100 Symantec customers. At this time only a small number of the 18,000 have had an active attacker in their networks, but all are compromised.
Symantec has notified our affected customers and published detailed information on the attack and its techniques. Protection has been put in place. But it’s natural to ask, what can Symantec’s product do to protect me from this and similar attacks? It’s a conversation we would love to have.
Symantec Endpoint Security Complete (SESC) was specifically created to help protect against this type of attack. While many vendors offer EDR to help find intrusions, as does Symantec, there are gaps. We call these gaps blind spots and there are technologies in SESC to eliminate them.
Symantec Endpoint Security Complete offers a comprehensive, layered approach to secure your endpoints, eliminating the blind spots left by the traditional approach of only using EPP and EDR.
Symantec Endpoint Security Complete addresses these blind spots by identifying and stopping reconnaissance early in the attack chain, preemptively reducing the attack surface to prevent living off the land (LotL) attacks and enhancing EDR by providing essential expertise from Symantec Threat Hunters to understand the subtle signals that attackers emit even when attempting to be stealthy. Three major ways SESC addresses these blind spots are:
- Threat Defense for Active Directory will identify and stop reconnaissance used by Sunburst and other sophisticated attackers by disrupting any domain reconnaissance LDAP queries made by the adversary, obfuscating all domain assets and admins, thus denying their ability to perform lateral movement undetected. SES Complete is the only endpoint security solution today providing additional layers of protection in the post-exploitation phase, to fully protect Active Directory regardless of the tools that the adversary is using.
- Behavioral Isolation proactively eliminates attack pathways utilized in the Sunburst attack. The use of trusted processes as part of the attack chain has become more common and is referred to as living off the land. Defense is often handcuffed because legitimate software can’t be blocked. However, Behavioral Isolation can prevent the use of legitimate tools as part of the attack chain. Behavioral Isolation identifies and blocks abuse of trusted processes, breaking the attack chain and raising awareness of a potential attack.
- Threat Hunter gives a SOC the global context to recognize unknown threats. Symantec’s Threat Hunter team provides in-product alerts and notification of high-profile incidents. SESC received this alert on the Sunburst attack – an alert, verified by a Symantec Threat Hunter, of the Sunburst intrusion.
Downloading a malicious trojan due to a sophisticated supply chain attack, as in the case of Sunburst, is nearly impossible to prevent. But the tools associated with the Sunburst attacks are detected and blocked on machines running Symantec Endpoint products. And SESC protected against these threats as mentioned above. There are many other ways we protect against Sunburst; more to come on that.
There is one more important detail. Like other sophisticated attacks, Sunburst will look for certain endpoint security agents and tools running on a machine and will attempt to disable them. For example, Sunburst attempts to deactivate the CrowdStrike Falcon sensor. Once disabled, any further malicious activity will not be detected or prevented. This is bad guys 101. Other security vendors appear to have been slow to catch on to this. Many are new to the game and still learning. The whole family of Symantec Endpoint Security products uses proprietary technology that prevents and alerts on such tampering. This was not an issue for our customers.
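To make the tamper-detection point concrete for a SOC that wants its own check in addition to the agent's built-in protection, here is an added example (not Symantec code, and not taken from the post). It scans Windows System log lines for Service Control Manager events 7036 (service entered the running/stopped state) and 7040 (service start type changed) and raises an alert whenever a service the organisation treats as tamper-protected is stopped or set to "disabled". The service names and log lines are constructed for the example; real agent service names vary by vendor and deployment.

```python
"""Flag stops or start-type changes of endpoint security services.

Added example, not from the original post or from Symantec.
Event IDs 7036 and 7040 are real Service Control Manager IDs; the
service names and log lines below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed: services the organisation wants to treat as tamper-protected.
PROTECTED_SERVICES = {"ExampleEDRAgent", "ExampleAVService"}

# 7036: "The <name> service entered the running|stopped state."
STATE_RE = re.compile(
    r"EventID=7036\b.*?The (?P<svc>.+?) service entered the (?P<state>running|stopped) state"
)
# 7040: "The start type of the <name> service was changed from <old> to <new>."
STARTTYPE_RE = re.compile(
    r"EventID=7040\b.*?The start type of the (?P<svc>.+?) service was changed "
    r"from (?P<old>.+?) to (?P<new>[^.]+)\.?"
)


@dataclass(frozen=True)
class TamperAlert:
    service: str
    reason: str
    line: str


def analyze(lines, protected=PROTECTED_SERVICES):
    """Return (alerts, final_state).

    alerts: one TamperAlert per stop or disable of a protected service.
    final_state: last observed run state of each protected service seen,
    so a service that was stopped and never restarted stands out.
    """
    alerts = []
    state = {}
    for line in lines:
        m = STATE_RE.search(line)
        if m:
            svc, new_state = m.group("svc"), m.group("state")
            if svc in protected:
                state[svc] = new_state
                if new_state == "stopped":
                    alerts.append(TamperAlert(svc, "service stopped", line))
            continue
        m = STARTTYPE_RE.search(line)
        if m and m.group("svc") in protected:
            # Setting the start type to "disabled" keeps the agent off after reboot
            # even if it is still running now, so it is flagged on its own.
            if m.group("new").strip().lower() == "disabled":
                alerts.append(
                    TamperAlert(m.group("svc"), "start type set to disabled", line)
                )
    return alerts, state


def still_down(state):
    """Protected services whose last observed state in the window is 'stopped'."""
    return sorted(svc for svc, st in state.items() if st == "stopped")


# Constructed sample log lines in a simplified "key=value message" layout.
SAMPLE_LOG = [
    "2020-12-14T03:12:07Z Source=Service Control Manager EventID=7036 "
    "The ExampleEDRAgent service entered the stopped state.",
    "2020-12-14T03:12:09Z Source=Service Control Manager EventID=7036 "
    "The Print Spooler service entered the running state.",
    "2020-12-14T03:12:15Z Source=Service Control Manager EventID=7040 "
    "The start type of the ExampleAVService service was changed from auto start to disabled.",
    "2020-12-14T03:12:20Z Source=Service Control Manager EventID=7040 "
    "The start type of the Windows Update service was changed from demand start to auto start.",
    "2020-12-14T03:13:01Z Source=Service Control Manager EventID=7036 "
    "The ExampleAVService service entered the running state.",
]

if __name__ == "__main__":
    found, last = analyze(SAMPLE_LOG)
    for a in found:
        print(f"ALERT {a.service}: {a.reason}")
    print("still down:", still_down(last))
```

In the sample window the EDR agent is stopped and never comes back, which `still_down` reports, while the AV service is still running but has had its start type set to disabled, which the 7040 check catches even though no stop event exists yet. Feeding real System log exports through the same two checks is a cheap cross-check that an agent's own tamper alerting is actually firing.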
Symantec Endpoint Security Complete offers a comprehensive, layered approach to secure your endpoints, eliminating the blind spots left by the traditional approach of only using EPP and EDR. We look forward to sharing more of the details with you.
In the first of a series of follow-up analyses on the SolarWinds attacks, we take a look at how the attackers disabled security software and avoided detection.