Absolute Zero Trust with Cyber Security Paskorn Khotchapunsoontorn [email protected]


Post on 21-Apr-2020




Page 1: Absolute Zero Trust with Cyber Security - ETDA

Absolute Zero Trust with Cyber Security

Paskorn Khotchapunsoontorn

[email protected]

Page 2

Agenda

• Security Report and Security News 2019

• Trend of technology and security 2020

• Security Framework with Zero Trust Network

• Symantec with Zero Trust Networking

Page 3

Security Report and Security News 2018-2019

B1G Numbers

Symantec security report 2019

Formjacking Attacks

Target Attacks

IoT Cloud

Web Attacks

Malicious URLs

Cryptojacking Attacks

Ransomware

Supply Chain Attacks

Malicious Email

Vulnerability

Data Compromise

Page 4

B1G Numbers

Symantec security report 2019

Malicious URLs

40 percent of malicious URLs were found on good domains.

https://www.helpnetsecurity.com/2019/03/01/malicious-urls-good-domains/

Security Report and Security News 2018-2019

Page 5

B1G Numbers

Symantec security report 2019

Web Attacks

Overall web attacks on endpoints increased by 56% in 2018; Symantec was blocking more than 1.3m unique web attacks on endpoint machines every day.

Security Report and Security News 2018-2019

Page 6

B1G Numbers

Symantec security report 2019

Formjacking Attacks

One of the biggest cyber security trends of the year: on average 4,800 websites were compromised with formjacking code every month in 2018, stealing payment card information from e-commerce sites. Symantec blocked 3.7m formjacking attempts in 2018.

Security Report and Security News 2018-2019

Page 7

B1G Numbers

Symantec security report 2019

Malicious Email

48% of malicious email attachments are Office files, up from 5% in 2017 (ransomware, phishing, spear-phishing, spoofing, MITM, whaling/business email compromise, spam, keyloggers, zero-day exploits and social engineering).

Security Report and Security News 2018-2019

Page 8

B1G Numbers

Symantec security report 2019

Cryptojacking Attacks

Trending down, but certainly not out: in 2017-2018 Symantec was blocking around 8m cryptojacking events per month; in 2018 there were 69m cryptojacking events in the 12-month period.

Cryptojacking doesn’t just affect websites. In July, Trustwave researchers detected and monitored a large-scale compromise in which attackers modified vulnerable MikroTik routers in Brazil to insert a Coinhive script onto every web page browsed via the router. Although, MikroTik actually patched the vulnerability the previous April, users tend to update devices with security patches much less frequently than they do computers.

Security Report and Security News 2018-2019

Page 9

B1G Numbers

Symantec security report 2019

Supply Chain Attacks

Supply chain attacks continued to be a feature of the threat landscape, with attacks increasing by 78 % in 2018.

Security Report and Security News 2018-2019

Page 10

Security Report and Security News 2018-2019

B1G Numbers

Symantec security report 2019

Ransomware

Overall ransomware was down 20%, but enterprise ransomware was up 12%. Mobile ransomware increased 33% in 2018-2019.

Page 11

Vulnerabilities

New CVE by year https://lp.skyboxsecurity.com/rs/440-MPQ-510/images/Skybox_Report_Vulnerability_and_Threat_Trends_2019.pdf

2019

18,980 (as of 14-11-2019)?

https://cve.mitre.org/

Security Report and Security News 2018-2019

Page 12

Vulnerabilities

https://cve.mitre.org/ https://lp.skyboxsecurity.com/rs/440-MPQ-510/images/Skybox_Report_Vulnerability_and_Threat_Trends_2019.pdf

Security Report and Security News 2018-2019

Page 13

Vulnerabilities

https://www.beyondtrust.com/assets/documents/Microsoft-Vulnerabilities-Report-2019.pdf

Breakdown of Microsoft Vulnerabilities 2018

Security Report and Security News 2018-2019

Page 14

IoT

Trustwave security report 2019


After a massive increase in Internet of Things (IoT) attacks in 2017, attack numbers stabilized in 2018, when the number of attacks averaged 5,200 per month against Symantec’s IoT honeypot. Routers and connected cameras were by far the main source of IoT attacks, accounting for over 90 percent of all attacks on the honeypot. The proportion of infected cameras used in attacks increased considerably during 2018. Connected cameras accounted for 15 percent of attacks, up from 3.5 percent in 2017. Attackers were also increasingly focused on Telnet as an avenue for attack. Telnet accounted for over 90 percent of attempted attacks in 2018, a jump from 50 percent in 2017.

New Mirai malware variant targets signage TVs and presentation systems, Palo Alto Networks researchers say this new Mirai botnet uses 27 exploits, 11 of which are new to Mirai altogether, to break into smart IoT devices and networking equipment.

https://www.zdnet.com/article/new-mirai-malware-variant-targets-signage-tvs-and-presentation-systems/

Security Report and Security News 2018-2019

Page 15

Targeted Attacks

The most likely reason for an organization to experience a targeted attack was intelligence gathering, which is the motive for 96 percent of groups.

Spear-phishing emails remained the most popular avenue for attack and were used by 65 percent of all known groups.

Alongside the rise in popularity of living-off-the-land tactics, the use of zero-day vulnerabilities declined in 2018, with only 23 percent of groups known to have exploited zero days, down from 27 percent in 2017. While still a niche area, the use of destructive malware continued to grow.

Security Report and Security News 2018-2019

Page 16

Data Compromise

Trustwave security report 2019

The Trustwave SpiderLabs team investigated malicious data breaches affecting thousands of computer systems in 19 different countries.

Attackers appeared to shift their focus from the Americas to Asia-Pacific (APAC), mainly Australia, Singapore and Hong Kong.

Security Report and Security News 2018-2019

Page 17

Data Compromises

Trustwave security report 2019

The largest share of incidents involved the retail industry, covering both traditional brick-and-mortar retailers and e-commerce environments.

By Industry

Security Report and Security News 2018-2019

Page 18

Data Compromise

Trustwave security report 2019

By Motivation or Type of Data Targeted

About 25 percent of incidents targeted card-not-present (CNP) payment-card data, mostly from e-commerce environments. Overall, payment-card data comprised 36 percent of incidents, including track (magnetic stripe) data at 11 percent.

Security Report and Security News 2018-2019

Page 19

Data Compromise

Trustwave security report 2019

By Environment and Industry

Security Report and Security News 2018-2019

Page 20

Method of Compromise

Trustwave security report 2019

Security Report and Security News 2018-2019

Page 21

Some of the Reported Data/Privacy Breaches in 2018 - 2019

Security Report and Security News 2018-2019

Page 22

Some of the Reported Data/Privacy Breaches in 2018-2019

3,500 million baht

6,300 million baht

21,532 million baht

153,800 million baht

Reference: https://www.theguardian.com

Security Report and Security News 2018-2019

Page 23

Trend of technology and security 2020

Page 24

TOP 10 CYBER SECURITY TRENDS TO WATCH IN 2020

1. Increased Automation in Cyber Security

A recent Ponemon Institute survey of more than 1,400 IT and IT security specialists shows that 79% of respondents either currently use automation tools and platforms in their company (29%) or plan to adopt them within the next couple of years (50%).

https://www.analyticsinsight.net/top-10-cyber-security-trends-to-watch-in-2020/

Trend of technology and security 2020

Page 25

TOP 10 CYBER SECURITY TRENDS TO WATCH IN 2020

2. Spending on Cyber Security will Increase

Figures from IDC show that worldwide spending on cyber security solutions such as software, hardware and services is forecast to top $103 billion this year alone.

https://www.analyticsinsight.net/top-10-cyber-security-trends-to-watch-in-2020/

Trend of technology and security 2020

Page 26

TOP 10 CYBER SECURITY TRENDS TO WATCH IN 2020

3. More use of AI for Attacks

Attackers won't simply target AI systems; they will adopt AI techniques themselves to supercharge their own crimes. Automated systems driven by AI could probe systems and networks for unknown vulnerabilities that could be exploited. AI could likewise be used to craft phishing and other social

https://www.analyticsinsight.net/top-10-cyber-security-trends-to-watch-in-2020/

Trend of technology and security 2020

Page 27

TOP 10 CYBER SECURITY TRENDS TO WATCH IN 2020

4. Use of AI for Defending Attacks

The AI security story also has a bright side. Threat detection systems already use machine learning methods to identify completely new threats. And it isn't only attackers who can use AI systems to probe for open vulnerabilities; defenders can use AI to better harden their environments against attacks.

https://www.analyticsinsight.net/top-10-cyber-security-trends-to-watch-in-2020/

Trend of technology and security 2020

Page 28

TOP 10 CYBER SECURITY TRENDS TO WATCH IN 2020

5. Development of Public Infrastructure

Utilities are fundamental to a modern economy and also make attractive targets for cyber attacks. They provide critical infrastructure to millions of people and governments around the globe, yet they frequently operate using old, outdated technology.

https://www.analyticsinsight.net/top-10-cyber-security-trends-to-watch-in-2020/

Trend of technology and security 2020

Page 29

TOP 10 CYBER SECURITY TRENDS TO WATCH IN 2020

6. Growth of 5G

Various 5G network infrastructure deployments commenced this year, and 2019 is turning out to be a year of accelerating 5G activity. Over time, more 5G IoT devices will connect directly to the 5G network rather than through a Wi-Fi router. This pattern will make those devices increasingly exposed to direct attack.

https://www.analyticsinsight.net/top-10-cyber-security-trends-to-watch-in-2020/

Trend of technology and security 2020

Page 30

TOP 10 CYBER SECURITY TRENDS TO WATCH IN 2020

7. Capturing Data in Transit

In 2019 and beyond, we can expect increasing efforts to access home routers and other IoT hubs to capture some of the data passing through them. Malware embedded in such a router could, for instance, steal banking credentials, capture credit card numbers, or display spoofed, malicious web pages to the user in order to compromise confidential data. Such sensitive information is, in general, better protected today when it is at rest.

https://www.analyticsinsight.net/top-10-cyber-security-trends-to-watch-in-2020/

Trend of technology and security 2020

Page 31

TOP 10 CYBER SECURITY TRENDS TO WATCH IN 2020

8. Shadow IT Resources

By 2020, 33% of successful attacks experienced by companies will be on their shadow IT assets. Business units deal with the realities of the enterprise and will engage with any tool that helps them get the job done. Organizations should figure out how to address shadow IT and build a culture of acknowledgement and protection rather than detection and punishment.

https://www.analyticsinsight.net/top-10-cyber-security-trends-to-watch-in-2020/

Trend of technology and security 2020

Page 32

TOP 10 CYBER SECURITY TRENDS TO WATCH IN 2020

9. Exploiting the Supply Chain

An increasingly common target of attacks is the software supply chain, with attackers inserting malware into otherwise legitimate software packages at their usual distribution location. Such attacks could happen during production at the software vendor or at a third-party provider.

https://www.analyticsinsight.net/top-10-cyber-security-trends-to-watch-in-2020/

Trend of technology and security 2020

Page 33

TOP 10 CYBER SECURITY TRENDS TO WATCH IN 2020

10. Cloud can be a Threat

By 2020, 80% of new deals for cloud-based access security brokers (CASBs) will be bundled with network firewall, secure web gateway (SWG) and web application firewall (WAF) platforms. While concerns exist about client migration to the cloud and bundled purchases, organizations should evaluate the application deployment roadmap and decide whether a CASB investment is justified.

https://www.analyticsinsight.net/top-10-cyber-security-trends-to-watch-in-2020/

Trend of technology and security 2020

Page 34

Security Framework with Zero-Trust Network

Page 35

What Is a Zero Trust Network?

• The network is always assumed to be hostile.

• External and internal threats exist on the network at all times.

• Network locality is not sufficient for deciding trust in a network.

• Every device, user, and network flow is authenticated and authorized.

• Policies must be dynamic and calculated from as many sources of data as possible.

https://learning.oreilly.com/library/view/zero-trust-networks

Security Framework with Zero-Trust Network

Page 36

What Is a Zero Trust Network?

Traditional network security architecture breaks different networks (or pieces of a single network) into zones, contained by one or more firewalls

https://learning.oreilly.com/library/view/zero-trust-networks

Security Framework with Zero-Trust Network

Page 37

Zero Trust Control Plane

which the control plane coordinates and configures. Requests for access to protected resources are first made through the control plane, where both the device and user must be authenticated and authorized

There are three key components in a zero trust network: user/application authentication, device authentication, and trust.
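The bullet list on the previous page and the control-plane description above are easy to state and easy to get wrong in practice, so here is an added example (written for this page; it is not code from the O'Reilly book, from ETDA or from Symantec) of a minimal control-plane policy decision point in Python. Every access request is checked against all three components named above: the user is authenticated from a signed session token, the device is authenticated against an enrolment inventory, and trust is computed from user and device signals and compared with what the resource demands. The source IP is written to the audit log but deliberately carries no weight, which is the "network locality is not sufficient" tenet in code. The signing key, the device inventory, the resource thresholds and the scoring weights are all constructed assumptions.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed signing key for session tokens (hypothetical; a real control
# plane would take this from the identity provider or an HSM, not a literal).
TOKEN_KEY = b"example-idp-signing-key-not-a-real-secret"

# Constructed device inventory (hypothetical): what the control plane knows
# about each enrolled device from endpoint management and EDR telemetry.
DEVICE_INVENTORY: Dict[str, Dict[str, bool]] = {
    "dev-laptop-001": {"managed": True, "patched": True, "edr_healthy": True},
    "dev-laptop-002": {"managed": True, "patched": False, "edr_healthy": True},
    "dev-byod-777": {"managed": False, "patched": True, "edr_healthy": False},
}

# Assumed policy: minimum trust score (0..5) each protected resource demands.
RESOURCE_MIN_SCORE: Dict[str, int] = {"public-wiki": 1, "hr-payroll": 4, "card-vault": 5}


def issue_token(user: str, mfa: bool, issued_at: int) -> str:
    """Mint an HMAC-SHA256 signed session token (a stand-in for a real IdP)."""
    payload = json.dumps({"sub": user, "mfa": mfa, "iat": issued_at}, sort_keys=True)
    sig = hmac.new(TOKEN_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig


def verify_token(token: str, now: int, max_age: int = 3600) -> Optional[dict]:
    """Return the claims if signature and age check out, otherwise None.
    The signature is verified before the payload is parsed."""
    payload, sep, sig = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(TOKEN_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    if now - int(claims.get("iat", 0)) > max_age:
        return None
    return claims


@dataclass
class AccessRequest:
    user_token: str
    device_id: str
    resource: str
    source_ip: str  # kept for the audit log only; never feeds the decision
    now: int


@dataclass
class Decision:
    allowed: bool
    score: int
    reasons: List[str] = field(default_factory=list)


def trust_score(claims: dict, device: Dict[str, bool]) -> Tuple[int, List[str]]:
    """Combine user and device signals into one score plus the reasons."""
    score, reasons = 0, []
    if claims.get("mfa"):
        score += 2
        reasons.append("mfa")
    else:
        reasons.append("no-mfa")
    for fact in ("managed", "patched", "edr_healthy"):
        if device.get(fact):
            score += 1
            reasons.append(fact)
        else:
            reasons.append("not-" + fact)
    return score, reasons


def decide(req: AccessRequest) -> Decision:
    """Control-plane decision: authenticate the user, authenticate the device,
    then compare the computed trust with what the resource requires."""
    claims = verify_token(req.user_token, req.now)
    if claims is None:
        return Decision(False, 0, ["user-auth-failed"])
    device = DEVICE_INVENTORY.get(req.device_id)
    if device is None:
        return Decision(False, 0, ["device-not-enrolled"])
    required = RESOURCE_MIN_SCORE.get(req.resource)
    if required is None:
        return Decision(False, 0, ["resource-unknown"])
    score, reasons = trust_score(claims, device)
    allowed = score >= required
    reasons.append("allow" if allowed else "deny:score<%d" % required)
    return Decision(allowed, score, reasons)


def audit_line(req: AccessRequest, decision: Decision) -> str:
    """One log line per request; src is recorded for forensics, not for policy."""
    claims = verify_token(req.user_token, req.now) or {}
    return "sub=%s device=%s resource=%s src=%s allowed=%s score=%d reasons=%s" % (
        claims.get("sub", "unauthenticated"), req.device_id, req.resource,
        req.source_ip, decision.allowed, decision.score, ",".join(decision.reasons))


if __name__ == "__main__":
    now = 1_700_000_000
    alice = issue_token("alice", mfa=True, issued_at=now)
    bob = issue_token("bob", mfa=False, issued_at=now)
    for req in (
        AccessRequest(alice, "dev-laptop-001", "card-vault", "203.0.113.9", now),  # off-network, full trust
        AccessRequest(bob, "dev-laptop-002", "hr-payroll", "10.0.0.5", now),      # on-network, weak posture
    ):
        print(audit_line(req, decide(req)))
```

Note that the on-network request from an unpatched device without MFA is denied while the off-network request from a healthy managed device with MFA is allowed; swapping the source addresses changes the log line and nothing else. A production policy engine would draw its signals from the identity provider and the endpoint management and EDR systems the deck lists later, and would re-evaluate continuously rather than once per session.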

https://learning.oreilly.com/library/view/zero-trust-networks

Security Framework with Zero-Trust Network

Page 38

Implementing Zero Trust Using the Five-Step Methodology

1. Identify Your Sensitive Data: It's impossible to protect data that you can't see. If you don't know where your enterprise stores data, who specifically uses it, how sensitive it is, or how employees, partners, and customers use it, you cannot protect it.

2. Map the Data Flows of Your Sensitive Data: It's crucial to understand how data flows across the network and between users and resources. Engaging multiple stakeholders such as application and network architects to create a transaction flow map is important because they bring different information to the conversation.

3. Architect Your Network: The actual design of a Zero Trust network should be based on how transactions flow across a network and how users and applications access toxic data.

4. Create Your Automated Rule Base: Once the design team has determined the optimum traffic flow, the next step is to determine how to enforce access control and inspection policies at the segmentation gateway.

5. Continuously Monitor the Ecosystem: Another core tenet of the Zero Trust model is to log and inspect all traffic, not just external traffic, for both malicious activity and areas of improvement.

https://www.darkreading.com/attacks-breaches/zero-trust-the-way-forward-in-cybersecurity/a/d-id/1327827

Security Framework with Zero-Trust Network

Page 39

Network Design for Zero Trust Network

Security Framework with Zero-Trust Network

Page 40

Network Design for Zero Trust Network

Security Framework with Zero-Trust Network

Page 41

Network Design for Zero Trust Network

Security Framework with Zero-Trust Network

Page 42

Network Design for Zero Trust Network

Security Framework with Zero-Trust Network

Page 43

Network Design for Zero Trust Network

Security Framework with Zero-Trust Network

Page 44

Zero Trust Network with NIST Security Framework

Security Framework with Zero-Trust Network

Page 45

CIS Critical Security Controls V.7

Zero Trust Network with NIST Security Framework

Security Framework with Zero-Trust Network

Page 46

CIS to NIST Cybersecurity Framework

Zero Trust Network with NIST Security Framework

Security Framework with Zero-Trust Network

Page 47

Network Design for Zero Trust Network

Security Framework with Zero-Trust Network

SEP (CIS 8,19)

ITMS (CIS 1,2,3)

ITMS (CIS 8,19)

WSS,CASB (CIS 7)

WSS,CASB (CIS 7)

ITMS (CIS 1,2,3)

Page 48

Page 49

350,000+ customers worldwide

~3,500+ company-wide R&D

$5B FY18E revenue

2100+ patents

Leader in 5 Gartner MQs: EPP, SWG, DLP, MSS, and CASB

9 SOC threat response centers

9 Trillion telemetry points

175M endpoints under protection

Symantec | At a Glance

Page 50

Driving operational improvement following the divestiture of Veritas

• Streamlining operational processes

• Eliminating stranded costs post-Veritas divestiture

Divested Storage

• Enabled Symantec to focus on growing its security business

Transforming Enterprise Security with Integrated Cyber Defense Platform

Leadership across information, users, web, and messaging

Symantec’s Transformation

1. Refocused on Cybersecurity

2. Improve Enterprise Security Business

3. Acquisition

4. Acquisition

Two leading business segments with scale, focused management teams, and strong financial profiles (growth, profitability, cash flow)

Creating Digital Safety Category

Identity Protection transcends hardware refresh

Return to growth, acquisition adjusted

Page 51

Endpoint Protection

Endpoint Detection

Workload Protection

Management & Compliance

Web Protection

Content Analysis

CASB

Security Analysis

Data Protection

Encrypted Traffic Management

VIP/Identity

Information Centric Security

Email Protection

Anti-Phishing

Message Security

Encryption

Page 52

9 global threat response centers

3,800 researchers & engineers

3.7 Trillion lines of telemetry

430 million new unique malware files discovered

40B Web attacks blocked

100M social engineering scams blocked

22,000+ cloud apps cataloged & profiled

4.5 Billion new queries processed daily

175M Protected Endpoints

6 Billion daily Web Intelligence requests

80M Web Proxy Users

15,000 Largest Global Enterprises

Correlated Data

CORRELATION ACROSS VECTORS

2017

163M Protected Email Users

2 Billion emails scanned per day

Page 53

Integrated Cyber Defense Platform (diagram labels)

Web Isolation, Endpoint Protection, Mobile, Web Security Service, DLP, Secure Web Gateway, Risk Insight, Messaging Gateway, Web Application Firewall, Advanced Threat Protection, Malware Analysis, Endpoint Management, Endpoint Protection (SEP, EDR), Cloud VIP, Identity, Local Intelligence (File, URL, Whitelist, Blacklist, Certificate, Machine Learning), SIEM Integration, Data Center Security, Encryption, Content Analysis, Performance Optimization, Cloud DLP, CASB, Email Security, Workload Protection, Cloud Sandbox, Risk & Compliance Management, Encrypted Traffic Management, Security Analytics, Third Party Ecosystem, On-Premise / Cloud, Cloud Data Protection, Storage Protection, Cyber Security Services, SOC Workbench

Page 54

Symantec Blueprint (diagram labels): ASG, MAA, WAF, PacketShaper, DLP, SMG, SAP, SSL-VA, ATP, App Server, Email Server, File Server, Database Server, CCS, ITMS, CA+MA, Skycure, FIREGLASS, VIP, Global Intelligence Network, Web Servers, DLP

Server Security

• DCS – Data Center Security

• CCS – Control Compliance Suite

• ITMS – IT Management Suite

Endpoint Security

• SEP – Symantec Endpoint Protection

• Symantec Endpoint Encryption

• DLP Endpoint

• EDR – Endpoint Detection & Response

• VIP – Validation and ID Protection

• SEP Mobile – Mobile Security (Skycure)

Network Security

• ASG – Advanced Secure Gateway (Web Gateway)

• PacketShaper (Bandwidth Management)

• DLP – Data Loss Prevention

• MAA – Malware Analysis Appliance (Sandbox)

• ATP – Advanced Threat Protection

• SSL-VA – SSL Visibility Appliance

• SAP – Security Analytic Platform

• WAF – Web Application Firewall

• SMG – Secure Mail Gateway

• CA+MA – Content Analysis + Malware Analysis

• FIREGLASS – Web Isolation

Symantec Blueprint

Page 55

Server Security

• DCS – Data Center Security: security solution for servers.

• CCS – Control Compliance Suite: solution for checking servers for vulnerabilities against standards or regulations.

• ITMS – IT Management Suite: solution for managing client and server machines, e.g. installing patches and software, changing configuration and taking inventory.

Endpoint Security

• SEP – Symantec Endpoint Protection: software to protect against malware such as viruses on users' machines.

• Symantec Endpoint Encryption: software for encrypting files and hard disks.

• DLP Endpoint: software to prevent leakage of sensitive data.

• EDR – Endpoint Detection & Response: works together with the ATP system to remove unknown malware that has slipped through to users' machines.

• VIP – Validation and ID Protection: software to help verify identity, for two-factor authentication or one-time passwords.

• Skycure – Mobile Security: software providing security for mobile devices (Android and iOS).

Network Security

• ASG – Advanced Secure Gateway (Web Gateway): advanced web security appliance; filters web traffic and protects against threats such as web-borne malware.

• PacketShaper (Bandwidth Management): traffic management appliance; performs QoS and monitors application behaviour.

• DLP – Data Loss Prevention: system to inspect for and prevent leakage of sensitive data.

• MAA – Malware Analysis Appliance (Sandbox): appliance that detects unknown or zero-day malware by running files and inspecting their behaviour.

• ATP – Advanced Threat Protection: system to detect and block known and unknown malware; can hunt for and contain unknown malware that has slipped through to endpoint machines.

• SSL-VA – SSL Visibility Appliance: appliance that decrypts SSL traffic.

• SAP – Security Analytic Platform: appliance that captures packets and helps analyse the data, with security reporting; can analyse historical data.

• WAF – Web Application Firewall: firewall appliance for web applications.

• SMG – Secure Mail Gateway: security appliance for email and spam protection.

• CA+MA – Content Analysis + Malware Analysis: appliance to help detect known and unknown malware.

• FIREGLASS – Web Isolation: appliance that renders web pages as images, turning each page into a stream of images; it captures mouse and keyboard input, such as clicks or typed text, on parts of the image, and can block malware 100%.

Symantec Blueprint


Endpoint Security for the Cloud Generation


Cloud Generation Endpoint Security Portfolio (single agent)

Protect against emerging threats
• Advanced machine learning
• Behavioral analysis
• Memory exploit mitigation
• Tunable protection
• Emulator
• SEP Cloud

Block common threats
• AV engine
• File reputation
• Intrusion prevention
• Application and device control
• Power Eraser
• Open API

Detect and respond
• IOC hunting and remediation
• Endpoint activity recording
• File-less threat detection
• Sandboxing
• Correlation across endpoint, network and email
• EDR Cloud

Harden endpoints
• Application attack surface visibility
• Vulnerability assessment and risk classification
• Untrusted application isolation
• Application defense

Proactive security (deception)
• Deploy baits and decoys
• Enhanced visibility into attacker intent
• High-fidelity alerts
• Deception at scale

Secure mobile endpoints
• Crowd-sourced intelligence
• Mobile malware detection
• Network threat protection
• Vulnerability exploit protection


Stop Targeted Attacks and Zero-Day Threats with Layered Protection

SEP: "most complete protection in the industry" (vendor claim). The layers, in the order an attack meets them (incursion, infection, infestation and exfiltration); several are marked as enhanced relative to SEP 12:

• Network firewall and intrusion prevention: blocks malware before it spreads to the machine and controls traffic
• Reputation analysis: determines the safety of files and websites using the wisdom of the community
• Advanced machine learning: pre-execution detection of new and evolving threats
• Emulator: a virtual machine detects malware hidden with custom packers
• Memory exploit mitigation: blocks zero-day exploits against vulnerabilities in popular software
• Behavior monitoring: monitors and blocks files that exhibit suspicious behaviors
• Device control and system lockdown: controls file, registry and device access and behavior; whitelisting, blacklisting, etc.

Patented real-time cloud lookup for scanning of suspicious files. Symantec claims 65% better security efficacy over SEP 12.


SEP: Most Complete Protection in the Industry (remediation and integration)

• Power Eraser: aggressive remediation of hard-to-remove pre-existing infections
• Host Integrity: quarantine, detect unauthorized change, conduct damage assessment and ensure compliance
• Secure Web Gateway integration: use APIs to orchestrate a response from the Secure Web Gateway
• SEP EDR (ATP 3.0): full endpoint activity recording and playback; real-time IOC hunting, correlation and response


SEP Product Offerings

Both offerings share the same multilayered advanced protection: machine learning, behavior analysis, exploit prevention and the Global Intelligence Network.

SEP 14: advanced endpoint security solution with hybrid management that combines protection, detection and response, deception and hardening in a single agent, with granular management.
• Advanced capabilities: tunable protection, built-in deception and EDR, Application Isolation and Control add-on, Host Integrity, Mobile Threat Defense (add-on)
• Integrated Cyber Defense: built-in integrations with web and email gateways, and open APIs for integrations with other vendors

SEP Cloud: advanced protection for users and all their devices, including mobile, fully cloud managed and always up to date; easy to use and set up in under 5 minutes (vendor claim).
• Advanced capabilities: Cloud EDR add-on, mobile security and device management, encryption add-on, Mobile Threat Defense (add-on), partner management console
• Integrated Cyber Defense: built-in integrations with identity management, and open APIs for integrations with other vendors


Symantec Endpoint Detection & Response Overview

Symantec EDR exposes, contains and resolves breaches resulting from advanced attacks. Two delivery models (the diagram shows headquarters data center, branch offices and roaming users, with the Global Intelligence Network, sandbox and correlation engine behind both):

• EDR with SEP (ATP: Endpoint): leverages the existing SEP footprint; full endpoint activity recording; correlation across endpoint, network and email
• EDR Cloud: extends EDR to non-SEP endpoints (roaming users, Mac and Linux); point-in-time scanning; rule-based automation of best practices


Symantec Endpoint Detection & Response (ATP: Endpoint)

Incident investigation and response using the existing SEP agent:
• Detect and investigate suspicious events
• Hunt for indicators of compromise
• Record all events and get complete visibility with incident playback
• Fix impacted endpoints with one click
• No new endpoint agent required

Components: SEP Manager, ATP: Endpoint appliance, hybrid sandbox, ATP console, global intelligence and correlation.


SEP Family Provides Complete Endpoint Security with a Single Agent

• Anti-malware
• Advanced malware protection
• Application isolation and control
• Endpoint detection and response
• Deception
• Mobile threat defense


#1 reason customers adopt SEP 14: effective protection against ransomware (vendor figures)

• WannaCry: 1 billion+ infections blocked
• Petya: zero reported infections on SEP 14 endpoints


Symantec positioned highest for ability to execute and furthest for completeness of vision in the Leaders quadrant of the Gartner Magic Quadrant for Endpoint Protection Platforms. (The slide title says the 2019 MQ; the source it cites is the January 24, 2018 edition.)

This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from Symantec. Gartner does not endorse any vendor, product or service depicted in our research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Source: Gartner, Inc., Magic Quadrant for Endpoint Protection Platforms, Ian McShane, Avivah Litan, Eric Ouellet, Prateek Bhajanka, January 24, 2018


Data Loss Prevention


Symantec DLP Overview

• Discover: locate where your sensitive information resides across cloud, mobile, network, endpoint and storage systems
• Monitor: understand how your sensitive information is being used, including what data is being handled and by whom
• Protect: stop sensitive information from being leaked or stolen by enforcing data loss policies and educating employees


DLP architecture (diagram): a central DLP Management Console drives Discover, Monitor and Protect across four enforcement points: DLP Endpoint (agents on the secured corporate LAN and on roaming devices), DLP Network (in the DMZ, fed by a SPAN port or tap for monitoring and by an MTA or proxy for blocking), DLP Storage, and DLP Cloud.


Most Comprehensive Data Detection

Detection technique by data type (diagram):
• Form recognition: images, e.g. scanned or electronically filled forms
• Machine learning: unstructured text, e.g. source code, product designs
• Described content matching: described data, i.e. non-indexable data matched by pattern rather than against reference data
• Exact data matching: structured data, e.g. account numbers, credit cards, government IDs
• Indexed document matching: unstructured data, e.g. financial reports, marketing plans

"Symantec offers the most comprehensive sensitive data detection techniques in the market, with advanced functionality that can cover a wide breadth of data loss scenarios." (Magic Quadrant for Data Loss Prevention, Gartner, January 2016)

Vendor claim: gives the highest accuracy and minimizes false positives.
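The three text-based techniques on the slide differ in what the detector has to hold: a pattern (described content), a fingerprint of every cell in a database (exact data matching), or fingerprints of a protected file's fragments (indexed document matching). The example below is added here to show the mechanics and is not Symantec DLP code. The sample rows, the protected document, the HMAC salt and the thresholds are all constructed; the card numbers are standard test numbers. It goes slightly beyond the slide by showing why a validator (the Luhn check) belongs next to the pattern: without it, every 16-digit ticket number is a false positive.

```python
import hashlib
import hmac
import re

# Constructed reference rows for Exact Data Matching (industry test numbers, not real cards).
EDM_ROWS = [
    ("4111111111111111", "Alice Example"),
    ("5500000000000004", "Bob Example"),
]
EDM_SALT = b"per-index-secret-salt"  # assumption: a secret so the index leaks no plaintext

# Constructed protected document for Indexed Document Matching.
PROTECTED_DOC = (
    "Q3 financial report: revenue grew twelve percent while operating margin "
    "fell to nine percent because freight costs rose faster than planned"
)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded in a longer run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def described_content_matches(text: str) -> list:
    """Described Content Matching: a pattern plus a validator, no reference data needed."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def fingerprint(value: str) -> str:
    """Normalise (drop whitespace/hyphens, lowercase) then keyed-hash a cell value."""
    norm = re.sub(r"[\s-]", "", value).lower()
    return hmac.new(EDM_SALT, norm.encode(), hashlib.sha256).hexdigest()


def build_edm_index(rows) -> set:
    """The EDM index holds only fingerprints, never the sensitive cells themselves."""
    return {fingerprint(cell) for row in rows for cell in row}


def exact_data_matches(text: str, index: set) -> list:
    """Exact Data Matching: candidate tokens are fingerprinted the same way and looked up."""
    digit_runs = re.findall(r"\d[\d -]{10,}\d", text)
    name_pairs = re.findall(r"[A-Z][a-z]+ [A-Z][a-z]+", text)
    return [tok for tok in digit_runs + name_pairs if fingerprint(tok) in index]


def shingles(text: str, k: int = 5) -> set:
    """Hashed word k-grams; the IDM index for a file is simply its shingle set."""
    words = re.findall(r"\w+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
            for i in range(len(words) - k + 1)}


def indexed_document_score(text: str, index: set) -> float:
    """Fraction of the outgoing text's shingles that come from the protected file."""
    s = shingles(text)
    return len(s & index) / len(s) if s else 0.0


def scan(text: str, edm_index: set, idm_index: set, idm_threshold: float = 0.3) -> dict:
    """Run all three techniques over one outgoing message and return a verdict."""
    dcm = described_content_matches(text)
    edm = exact_data_matches(text, edm_index)
    score = indexed_document_score(text, idm_index)
    return {"dcm": dcm, "edm": edm, "idm_score": round(score, 2),
            "block": bool(dcm or edm or score >= idm_threshold)}


if __name__ == "__main__":
    edm_index = build_edm_index(EDM_ROWS)
    idm_index = shingles(PROTECTED_DOC)
    print(scan("Please bill 4111-1111-1111-1111 for Alice Example", edm_index, idm_index))
    print(scan("ticket 4111 1111 1111 1112 is not a card", edm_index, idm_index))
    print(scan("FYI revenue grew twelve percent while operating margin fell to nine percent",
               edm_index, idm_index))
```

The IDM threshold is the tuning knob the slide's "minimizes false positives" claim is about: a short quotation of a public press release will score low, while a pasted section of the protected report scores high regardless of reformatting, because the shingles are computed over normalised words rather than bytes.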


Broadest Coverage of Data Loss Channels

The diagram maps channels to products, all under one management console:
• DLP for Network: email, FTP, web, IM, IPv6
• DLP for Storage: SharePoint, NAS filers, file servers, Exchange, databases
• DLP for Endpoint: desktop email, web apps, virtual desktops, removable storage
• DLP for Cloud: Box, O365 Exchange, Gmail, cloud apps


Extending DLP Cloud with CASB

The diagram shows one Symantec DLP Management Console (in the corporate data center) distributing policies to, and collecting incidents from, managed devices with the DLP Endpoint agent, Symantec Cloud DLP, and Symantec CASB, which covers the extended perimeter and unmanaged devices.

• Apply fine-tuned policies to cloud: extend DLP to 60+ cloud apps
• Leverage workflow integrations: policies and incidents flow through the same console
• Gain CASB functionality: shadow IT analysis, granular visibility and control, user behavior analytics


VIP (Validation and ID Protection)


81% of data breaches involve leveraging weak or stolen passwords (Source: Verizon Data Breach Investigations Report 2017)

The access paths that need protecting (diagram): regional office, headquarters data center, remote workforce, personal devices, cloud applications, third-party vendors.


MFA (Multi-Factor Authentication) Is the Easiest Way to Protect Passwords

What is MFA? Authentication that combines at least two independent factors:
1. Something you know (a password or PIN)
2. Something you have (a token, phone or hardware key)
3. Something you are (a biometric)


VIP and VIP Access Manager: Symantec Identity and Access Management solution

• Multi-factor authentication (MFA)
• Single sign-on (SSO)

Made to protect both enterprise access and consumer applications:
• Network: Enterprise Gateway
• Cloud applications: Access Manager
• Consumer: CDK/API


Protect Credentials by Locking Down All Access with Strong Multi-Factor Authentication (MFA): cloud, VPN, network and data.


Why VIP?

• Easy deployment: cloud-based with zero capital investment (bring your own credential)
• Easy to use: all-in-one pricing, many credential modalities, even for consumers; easy authentication methods and enrollment mean end users get a good VIP experience
• Designed to integrate: API and CDK; FIDO, OATH and push credentials; B2C and B2E; RADIUS and SAML
• With the security and trust you expect from Symantec


Email Security for the Cloud Generation


Email Security Portfolio Overview (integrated solution)

Block common threats
• Heuristics
• Reputation analysis
• Connection-level detection
• AV engine

Stop phishing attacks
• Link protection
• Impersonation controls
• Phishing variant detection
• Behavioral analysis

Protect against emerging threats
• Machine learning and sandboxing
• Click-time protection
• Advanced email security analytics
• SOC integration
• Threat remediation

Isolate dangerous threats
• Malicious URL isolation
• Attachment isolation
• Credential theft protection

Proactively prevent attacks
• Customizable security assessments
• Detailed reporting and visibility
• Integrated user education

Prevent data leakage
• Advanced detection technologies
• Multi-channel data protection
• Policy-driven controls
• Push and pull encryption


The Cloud Generation Email Security Solution

Solution overview:
• Protects against targeted attacks, ransomware, spear phishing and business email compromise
• Gives deep visibility into advanced attacks and accelerates threat response
• Controls sensitive data and helps meet compliance and privacy requirements
• Reduces business risk by training employees to recognize and report email attacks

Deployment (diagram): a cloud service or on-premises Messaging Gateway appliance sits inbound/outbound in front of the on-premises or third-party email server and applies impersonation controls, security awareness, data protection and policy-based encryption, anti-spam and anti-malware, advanced threat protection, threat isolation and email analytics.


Most Complete Protection in the Industry (email)

Malware and spam protection
• Connection level: SMTP firewall, sender reputation and sender authentication reduce risk and throttle bad connections
• Malware and spam defense: heuristic, reputation and signature-based engines evaluate files and URLs for email malware and spam

Phishing defense
• Link protection: evaluates malicious links at email delivery and at time of click, with advanced phishing variant detection
• Impersonation control: blocks business email compromise and other spoofing attacks

Emerging threat prevention
• Advanced machine learning: analyzes code for malicious characteristics
• Behavior analysis: identifies new, crafted and hidden malware by examining the behavior of suspicious email
• Sandboxing: detonates only truly unknown files, in both physical and virtual environments

All layers are backed by the Global Intelligence Network.


Email Threat Isolation

Flow (diagram):
1. A phishing email arrives and passes through Symantec Cloud Email Security before the mail server; links in the message are transformed to redirect through Web Isolation.
2. The user clicks the link.
3. The Email Isolation Portal opens the site in isolation and read-only, so no page code reaches the endpoint and credentials cannot be submitted.


Visibility into Targeted and Advanced Attacks: Advanced Email Security Analytics

60+ data points on clean and blocked emails: email volume, malicious email senders and recipients, severity level, sandbox detonation information, malware category, URL information, malicious email theme or topic, detection method, file hashes.

Consumers of the data: ATP platform, Symantec Managed Security Services, correlation and response, exported intelligence.

Benefits (accelerate threat response):
• Identify targeted attack recipients
• Correlate threats with endpoints
• Feed URLs into the web proxy
• Find patterns in threats
• Monitor email logs


Gain Complete and Integrated Email Security with a Single Vendor: email security, advanced threat protection, email encryption, threat isolation, data loss prevention, security awareness.


Symantec Web Isolation (Fireglass)


The Threat of the Unknown Web

Web traffic falls into three buckets: known good, known bad, and unknown/risky (uncategorized or potentially risky domains).

The challenge:
• Millions of new sites are created every day
• 71% of all host names exist for 24 hours or less
• Many are legitimate, but some offer ideal cover for hackers launching attacks
• Difficult to assess with traditional "detection" approaches
• Customizing protection without over-blocking

Known good is allowed and known bad is blocked; the unknown middle is where the allow-or-block decision is hard. "How can I increase security without over-blocking?"


Market View on Web Isolation

• Web isolation is a new threat prevention approach, sometimes referred to as remote browsing, but with broader applications
• Identified as a top security technology in 2016 and 2017
• Gartner predicts that over 50% of enterprises will adopt web isolation

"Evaluate and pilot a remote browser solution in 2017 as one of the most significant ways an enterprise can reduce the ability of web-based attacks on users to cause damage."


Web Isolation Fundamentals

The browsing session is secured through isolation; access is not blocked:
• Everything is assumed to be malicious
• All code and content is prevented from reaching endpoints
• Enables access to unknown/risky content where there is a legitimate need

Web isolation eliminates "patient zero":
• Isolation prevents infections before they ever happen, even for zero-day vulnerabilities
• Modern malware (e.g. ransomware) does its damage immediately, leaving close to zero dwell time for detection and remediation


Web Isolation Architecture (diagram)

Web pages, email links and documents are downloaded, executed and rendered inside secure disposable containers in Symantec Web Isolation. Only rendering information (which the vendor describes as 100% safe) travels to the user; only user gestures (mouse and keyboard input) travel back. The result is a seamless browsing experience that isolates both web and email, including documents.


Problem: Over-blocking the "Middle Ground" Sites

A conventional web access policy has two easy cases and one hard one:
• Always allow certain categories/sites (e.g. health, financial services): ALLOW
• Always block certain categories/sites (threat categories such as hacking, suspicious, malicious in/out): DENY
• The key issue is the middle ground, categories where some access may be required, such as dynamic DNS hosts, file storage/sharing and uncategorized sites. Over-blocking creates user issues; under-blocking increases the risk of malware.

In practice the middle ground is handled as "allow or deny, depending on organizational needs" for file sharing and dynamic DNS, and as "deny, mostly" for uncategorized sites, following security best practice at the expense of user experience. Both choices often require additional operational work to whitelist specific domains or users.


Web Isolation with Proxy Using Website Categories: Stop Over-blocking

Web access policy:
• Always allow certain categories/sites (health, financial services, etc.): ALLOW
• Middle-ground categories/sites where some access may be required (dynamic DNS hosts, file storage/sharing, uncategorized, suspicious): ISOLATE
• Always block certain categories/sites (hacking, malicious in/out): DENY
• Result: expanded access with no malware risk on the isolated sites (vendor claim)
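The three-way policy above is a precedence rule, not a lookup table: a site that carries both a threat category and a middle-ground category must be denied, and an uncategorized site must fall into the isolate tier by default rather than be allowed. The example below is added here to make that precedence explicit; it is not ProxySG or Web Security Service policy language. The category database, hostnames, user names and the choice of which users are "privileged" (the full-isolation case on the Web Security Service slide later in the deck) are all constructed, and which tier "suspicious" belongs to is a tuning decision shown here as isolate.

```python
from enum import Enum
from urllib.parse import urlsplit


class Action(Enum):
    ALLOW = "allow"
    ISOLATE = "isolate"
    DENY = "deny"


# Tiers from the slide: threat categories are always denied, middle-ground
# categories are isolated, everything else is allowed.
DENY_CATEGORIES = {"hacking", "malicious_sources", "malicious_outbound"}
ISOLATE_CATEGORIES = {"uncategorized", "suspicious", "dynamic_dns_host",
                      "file_storage_sharing"}

# Constructed stand-in for the categorization feed; hostnames and ratings are invented.
CATEGORY_DB = {
    "bank.example": {"financial_services"},
    "clinic.example": {"health"},
    "files.example": {"file_storage_sharing"},
    "ddns.example": {"dynamic_dns_host"},
    "exploit.example": {"hacking", "file_storage_sharing"},
    "bad.example": {"malicious_outbound"},
}

# Assumption: these users get full isolation of all browsing that is not denied.
PRIVILEGED_USERS = {"domain-admin", "dba-admin"}

# Constructed request log: (url, user).
SAMPLE_REQUESTS = [
    ("https://www.bank.example/login", "alice"),
    ("https://files.example/share/report.xlsx", "alice"),
    ("http://new-site-0421.example/", "alice"),
    ("https://exploit.example/tools", "alice"),
    ("https://www.bank.example/", "domain-admin"),
]


def categorize(host: str) -> set:
    """Longest-suffix lookup so sub.domain.example inherits domain.example's rating.

    A bare top-level label is never looked up; anything with no match is
    'uncategorized', which lands in the isolate tier rather than being allowed.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        cats = CATEGORY_DB.get(".".join(labels[i:]))
        if cats:
            return set(cats)
    return {"uncategorized"}


def decide(url: str, user: str) -> tuple:
    """Return (Action, reason). Deny beats isolate, isolate beats allow."""
    host = urlsplit(url).hostname or ""
    cats = categorize(host)
    denied = cats & DENY_CATEGORIES
    if denied:
        return Action.DENY, f"{host}: threat category {sorted(denied)}"
    if user in PRIVILEGED_USERS:
        return Action.ISOLATE, f"{host}: all browsing isolated for privileged user {user}"
    risky = cats & ISOLATE_CATEGORIES
    if risky:
        return Action.ISOLATE, f"{host}: middle-ground category {sorted(risky)}"
    return Action.ALLOW, f"{host}: category {sorted(cats)}"


def tally(requests) -> dict:
    """Count decisions per action; the deny count is what an over-blocking policy inflates."""
    counts = {a: 0 for a in Action}
    for url, user in requests:
        counts[decide(url, user)[0]] += 1
    return counts


if __name__ == "__main__":
    for url, user in SAMPLE_REQUESTS:
        action, why = decide(url, user)
        print(f"{action.value:8} {why}")
    print({a.value: n for a, n in tally(SAMPLE_REQUESTS).items()})
```

Running `tally` over a day of proxy logs before and after moving the middle-ground categories from deny to isolate is the simplest way to quantify the over-blocking the slide describes: the deny count drops to the true threat categories, and the requests that used to generate whitelist tickets show up as isolated sessions instead.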


Email Integration (Cloud and On-premises)

Flow (diagram):
1. A phishing email passes through Symantec Messaging Solutions (the cloud service or the on-premises Messaging Gateway) before reaching the mail server; the gateway rewrites each link to point at Symantec Click-Time URL Protection.
2. When the user clicks, Click-Time URL Protection analyzes the URL's risk rating in real time against the Global Threat Intelligence Network (GIN).
3. Unknown or suspicious sites are opened through the Web Isolation Portal as an isolated, read-only site.
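Both email isolation flows in this deck (the Cloud Email Security one earlier and the Messaging Gateway one above) rest on the same mechanical step: the gateway rewrites every link to go through a portal, and the portal later decides what to do with the original URL. The part that is easy to get wrong is that such a portal is a redirector on a trusted domain, so it must refuse to redirect to anything it did not itself sign, or phishers will simply hand-craft portal links to their own sites. The example below is added here to show the rewrite and the signed-token check; it is not Symantec code. The portal hostname, signing key, link lifetime and the sample message are constructed, and the real-time risk-rating lookup that runs after a token is verified is left out.

```python
import hashlib
import hmac
import html
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumptions: the portal endpoint and gateway signing key are invented for this example.
PORTAL = "https://clicktime.example.invalid/r"
SIGNING_KEY = b"gateway-signing-key-rotate-me"
LINK_TTL = 30 * 24 * 3600          # seconds a rewritten link stays valid

HREF_RE = re.compile(r'href="(https?://[^"]+)"', re.IGNORECASE)


def _signature(url: str, recipient: str, expires: int) -> str:
    """HMAC over URL, recipient and expiry, so none of them can be swapped independently."""
    msg = "\n".join([url, recipient, str(expires)]).encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def wrap_url(url: str, recipient: str, now: int) -> str:
    """Gateway side: turn a link into a portal link carrying a signed token."""
    expires = now + LINK_TTL
    query = urlencode({"u": url, "r": recipient, "e": expires,
                       "s": _signature(url, recipient, expires)})
    return f"{PORTAL}?{query}"


def rewrite_html(body: str, recipient: str, now: int) -> str:
    """Rewrite every absolute http(s) href in an HTML message body."""
    def repl(m):
        wrapped = wrap_url(m.group(1), recipient, now)
        return f'href="{html.escape(wrapped, quote=True)}"'
    return HREF_RE.sub(repl, body)


def unwrap(click_url: str, now: int):
    """Portal side: return (original_url, recipient) only for a valid, unexpired token.

    Anything else returns None and must not be redirected, otherwise the portal
    becomes an open redirector that launders attacker URLs through a trusted domain.
    """
    parts = urlsplit(click_url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != PORTAL:
        return None
    q = parse_qs(parts.query)
    try:
        url, rcpt, expires, sig = q["u"][0], q["r"][0], int(q["e"][0]), q["s"][0]
    except (KeyError, ValueError, IndexError):
        return None
    if now > expires:
        return None
    if not hmac.compare_digest(sig, _signature(url, rcpt, expires)):
        return None
    return url, rcpt


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the output is reproducible
    # Constructed message body; the domain is reserved for examples.
    msg = '<p>Your invoice: <a href="https://example.com/login?x=1&y=2">Sign in</a></p>'
    out = rewrite_html(msg, "alice@example.invalid", now)
    print(out)
    clicked = html.unescape(HREF_RE.search(out).group(1))
    print(unwrap(clicked, now))                        # original URL and recipient
    print(unwrap(clicked, now + LINK_TTL + 1))          # expired: None
    print(unwrap(clicked.replace("example.com", "evil.example"), now))  # tampered: None
```

Binding the recipient into the signature also gives the portal the per-user context the analytics slide asks for (who clicked what), and the expiry bounds how long an old, once-benign link can keep being resolved through the portal after the message has aged out.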


Web Security Service


Network Security Challenges

The diagram shows the headquarters data center, regional offices, mobile workers, public cloud IaaS/PaaS and public SaaS apps, with web and shadow IT traffic between them. Questions raised:
• How can I secure my transforming network, which is being stressed by web/cloud adoption and remote/mobile users?
• How do I protect myself from advanced threats hidden inside traffic that is increasingly encrypted?
• How can I ensure compliance and security of sensitive data in O365, Dropbox, SFDC and other cloud apps?
• Can I use the cloud to simplify the ongoing use and operation of my entire network security stack?

Stress on the existing architecture: backhauling traffic to leverage the security stack in the data center is expensive and slow, and brings complex security and compliance challenges.


A Full Network Security Stack Delivered in the Cloud: Web Security Service

Complete network security and the power of an HTTP proxy to secure access:
• Deep proxy for web, mobile and cloud applications
• Advanced threat protection: multiple anti-malware inspection engines and sandbox, plus complete web isolation (Spring 2018)
• Information protection: enterprise-grade DLP from Symantec, or data orchestration to your preferred vendor
• Advanced user authentication: user and group policy integrated with Symantec VIP and leading third-party identity services
• Secure SSL/TLS decryption to enable inspection: strong cipher and protocol support that does not degrade security, with privacy-compliant selective decryption

High-availability, high-capacity global access backbone that accelerates user performance:
• Architected for high availability: third-party monitoring, telco POP backbone, elastic cloud service structure
• Accelerates performance of O365 and cloud apps: content peering and connection scaling, automated policy and content acceleration

Serves roaming users, remote sites and the headquarters data center.


Multiple Layers of Cloud Malware/ATP Defense

When a user requests a file download, the Web Security Service passes it through three stages:

1. Proxy function (web filtering and categorization): web threat protection with granular policy control fed by the GIN, SSL inspection and web application controls; equivalent to ProxySG functionality.
2. Content analysis (black/white lists plus multi-layered analysis): allow known good and block known bad using white/black lists (60+ vendors, 4B+ files), dual anti-malware engines and predictive file analysis (static "known bad" indicator matching).
3. Malware analysis (sandboxing and behavioral analysis): analyze unknown files and hold them for a verdict at the proxy; dual detonation (virtual and emulation), behavioral and static (YARA) analysis, interaction with the malware during detonation, custom risk scoring.


Web Isolation with Web Security Service

The browsing session is secured through isolation; access is not blocked:
• Everything is assumed to be malicious
• All code and content is prevented from reaching endpoints
• Enables access to unknown/risky content where there is a legitimate need

Two deployment patterns:
• Selective isolation of risky/uncategorized sites
• Full isolation of all web browsing for privileged users


Web Security Service Audit and Policy Integration: Integrate CASB with Web Access Governance

Diagram: proxy logs from offices and roaming/mobile users feed CASB Audit (AppFeed), which combines them with the GIN and an app rating database (intelligence on 21,000+ apps) to provide shadow IT visibility and analytics; the results drive scalable proxy policy in Symantec Web Security Service to control and manage risk.


Simplified Governance and Accelerated User Experience: Optimized for Office 365

Simplify governance with auto-alignment of proxy policy for O365:
• Automate classification of Office 365 application traffic
• Synchronize rapidly changing O365 IPs and URLs with Microsoft
• Enforce security policy

Accelerate user experience:
• Accelerate connections with TCP window scaling: wider transfer windows, increased bandwidth throughput, fewer round trips and reduced latency
• Optimize content delivery with content peering: fewer hops, faster path, lower latency (the diagram contrasts the end user to WSS to content provider path with and without peering)
• Quality of service controls: O365 bandwidth controls


Symantec WSS Global Cloud Infrastructure (SSAE 16, ISO 27001)

• Any customer, any data center
• Standard 99.999% availability SLA
• Automatic closest data center selection
• Capacity expansion triggered at >50% utilization
• Hosted at top-tier infrastructure providers
• Redundant within and between locations
• >55 service points: https://www.symantec.com/products/web-and-cloud-security/cloud-delivered-web-security-services/resources

Symantec Web Security Service cloud footprint (map)


Threat intelligence scale (vendor figures)

• 9 global threat response centers
• 3,800 researchers and engineers
• 3.7 trillion lines of telemetry
• 430 million new unique malware files discovered
• 40B web attacks blocked
• 100M social engineering scams blocked
• 22,000+ cloud apps cataloged and profiled
• 4.5 billion new queries processed daily
• 175M protected endpoints
• 6 billion daily web intelligence requests
• 80M web proxy users
• 15,000 of the largest global enterprises
• 163M protected email users
• 2 billion emails scanned per day

Data is correlated across vectors (endpoint, web, email).


Deploy to Match Your Needs: True Hybrid Security

Deployment options under one universal policy:
• Private, physical: ProxySG and ASG appliances
• Private, virtual: VSWG SG VA (virtual appliances)
• Public IaaS: VSWG AWS AMI
• Public SaaS: Web Security Service

• Consistent policy for on-premises, mobile users and virtual
• Centralize reporting, administration and policy with Management Center
• Simply extend policy to the cloud Web Security Service


Cloud Access Security Broker (CASB)


New Challenges (CASB)

25% of cloud documents are broadly shared (1H 2016 Shadow Data Report).

Drivers: proliferation of cloud apps, variety of endpoints, the shadow data problem, compromised accounts.

Security functions that now have to cover the cloud: risk assessment, intrusion detection, proxy/firewall, DLP, incident response, investigations, malware detection.


CASB Architecture

Diagram: inside the enterprise perimeter, proxy security events are collected; outside the perimeter, an inline CASB gateway and CASB APIs into the cloud apps provide the enforcement points. Capabilities:
• Shadow IT discovery and controls
• Cloud compliance
• Tokenization
• Cloud incident response
• Cloud investigations
• Cloud policy and remediation
• Cloud DLP
• Cloud intrusion detection
• Cloud malware detection


CASB 1.0 (standalone)


CASB 2.0 - CloudSOC™: CASB integrated with endpoint security, data loss prevention, web security, encryption, user authentication and ATP.
