IT-Security-Symposium 2019: IT Security in Focus
Comprehensive IT Protection: More than classic protection approaches (Cloud, DLP, Endpoint)
Patrick K. Kuttruff, Cyberdefense Strategist, Symantec
Comprehensive IT Protection
More than classic protection approaches
Patrick K. Kuttruff CISM
Cyberdefense Strategist
Cloud, Network, Endpoint, Data
Copyright © 2019 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Diagram: Headquarters, Data Center, Regional Office, Roaming Users
Delivering a Comprehensive Security Model for the Cloud Generation: Symantec Integrated Cyber Defense
The CLOUD
25% of Cloud Docs are Broadly Shared (source: 1H 2016 Shadow Data Report)
Proliferation of Cloud Apps
Variety of Endpoints
Shadow Data Problem
Compromised Accounts
Risk Assessment
Intrusion Detection
Proxy/Firewall
DLP
Incident Response
Investigations
Malware Detection
New Challenges
CASB 1.0: Visibility, Threat Protection, Data Security
Visibility of Shadow IT
Protection Against Malicious Attacks
Granular Control of Sensitive Data
CASB 1.0
How can I automate control of Shadow IT?
Can I apply my existing DLP policies to data in cloud apps?
Can I encrypt data and control who has access regardless of where it goes?
Which files in my cloud apps are malware?
Can I dynamically trigger MFA for risky transactions?
Can I track roaming users as part of my Shadow IT analysis?
Can I have my cloud activity be monitored by a Managed Service?
The NETWORK (PERIMETER)
Enriched traffic recording delivers unparalleled evidence
Security Camera and DVR for Your Network
Security Analytics –System of Record
24/7 lossless full packet recording
Intelligent/enriched system of record
Days, weeks or months of traffic
Appliance or VM
Enrichment modules (diagram): PE scanner, JSUnpack, geolocation, more…
“At a minimum, organizations should capture 30 days’ of packet data. 60 days’ worth is even better.”
How does your organization stack up?
Maturing Incident Response Capabilities
THREAT/ANOMALY DETECTION
• All file, web, mail
• Machine learning
MALWARE ANALYSIS
• Static / behavioral
• Emulation
RECORD
• Full packet capture
• Evidence preservation
REPLAY
• File reconstruction
• File analysis
SEARCH / METADATA
• Real-time data capture
• Comprehensive application awareness (3,200+)
3RD – PARTY INTELLIGENCE
• Packet data enriched with URL and file reputation
• Global community threat intelligence
SECURITY TOOL INTEGRATION
• SIEM
• NGFW
• IDS/IPS
• Endpoint
RETAIN EVIDENCE & IMPACT
ENRICHED INVESTIGATION
PROACTIVE INCIDENT RESPONSE
Security Analytics
Remediate & Fortify
Reconstruct Incidents & Extract Evidence
Incident Response & Advanced Network Forensics
Detect Breaches & Integrate Context
THE SECURITY CAMERA & DVR FOR YOUR NETWORK
Full visibility of all traffic
Security Camera for Your Network:
Detect Breaches & Integrate Context
• Complete, lossless packet capture on high-speed network (24/7 – all ports/all traffic)
• Comprehensive DPI with layers 2-7 indexing (over 3,200 applications classified)
• Actionable intelligence, anomaly detection and event reconstruction (full packet, flow, session & file)
• Chronological display of all network events validates compliance and acceptable use policies
• Scalable deployment as either appliance/software/virtual appliance for days/weeks/months of traffic
Details for every alert
Security Camera for Your Network:
Reconstruct Incidents & Extract Evidence
• Know what happened before, during and after an alert, with complete, clear supporting evidence
• Multiple sources for real-time integrity & reputation of URL, IP address, file hash or email address
• Trace back and discover Tactics, Techniques & Procedures and identify Indicators of Compromise
• Integrated workflows with leading network and endpoint security tools to add context and improve effectiveness
Reduce time-to-resolution
Security Camera for Your Network:
Remediate & Fortify: Increased Time-to-Action
• Retrospective forensics analysis on any attack
• Answer critical “post-breach” questions that plague CISOs – how? what? who? when? …
• Root Cause Explorer quickly identifies the source of attack, reducing time-to-resolution
• Faster time-to-identification/action/reaction with Security Analytics allows up to 85% faster resolution
• Global Intelligence Network updated with newly-discovered threat intelligence
The ENDPOINT
Critical questions investigators need to answer
Limited Endpoint Visibility
• What happened on my endpoints?
• Which files were used and where did they come from?
• Did malware spread to other endpoints?
• What process has been changed on my endpoints?
• Did attackers establish persistence on the endpoint?
• Most effective ransomware protection
• Defend against file-less threats including memory based exploits
• Virtual patching for critical vulnerabilities
• Block polymorphic malware
• Detect stealthy threats
• Investigate and Hunt IoCs
• Rapidly fix endpoints
• Automate IR tasks
• Identify hidden adversaries
• Expose attackers’ intent and tactics to enhance security posture
• Auto-assess application risk
• Protect IT approved apps from exploits
• Isolate suspicious apps to prevent privileged operations
• Stop persistent threats on Active Directory
• Use world’s largest civilian GIN to block common threats
• Block lateral movement and command & control traffic
• Device-level control and lockdown (USB, system files)
• Remediate malware infections
Symantec Endpoint Portfolio Delivers Cutting Edge Technologies
Multilayered, Single-agent, Endpoint Protection
Single agent with capability layers (diagram): Application Control; Network Firewall & Intrusion Prevention; Device Control & Power Eraser; Reputation Analysis; Anti-malware (Antivirus); Advanced Malware Protection (Behavior Monitoring, Advanced Machine Learning, Emulator, Memory Exploit Mitigation); EDR; Hardening (Application Isolation); Deception; Threat Defense for Active Directory
Symantec EDR delivers incident investigation and response across Windows, macOS and Linux.
Get alerted to threats that ‘hide in plain sight’
Detect Stealthy Threats
Rapidly Fix Endpoints
Hunt and Investigate IoCs
Automate and Integrate
Find suspicious objects, inspect, convict and contain
Remediate impacted endpoints with one-click
Enhance productivity for analysts at every level
Symantec EDR Overview
See system and process changes threats made to endpoints. Feed these events to cloud-based analytics for custom detections.
Endpoint Recording and Playback
Retrieve and playback everything available on the local queue
Continuous recording over time
Request data
Endpoint Activity Recorder
Investigate
Event Type      Event Description
Session         User session logon and logoff
Process         Launch and terminate
Module          Loads and unloads
File            Create, Read, Delete, Rename
Folder          Folder operations
Registry Key    Operations on registry key
Registry Value  Operations on registry values
Network         Actor process network
Named object    Named object attributes
Run custom analytics on recorded events, create custom detections and alerts
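As an added illustration of running custom analytics over recorded endpoint events (this is example code, not Symantec's product code): the event types follow the recorder table above, while the event schema, field names, rule thresholds and the sample event stream are constructed assumptions. It flags an Office process spawning PowerShell and a Run-key load point that points into a user-writable directory, and groups the hits per process as candidate incidents.

```python
"""Custom detection over endpoint activity recorder events (constructed example)."""
from collections import defaultdict

# Constructed sample stream: logon, Office spawning PowerShell, which drops a
# file, writes a Run-key load point (persistence) and then talks to the network.
EVENTS = [
    {"type": "Session", "user": "alice", "action": "logon"},
    {"type": "Process", "action": "launch", "pid": 400, "ppid": 1,
     "image": r"C:\Program Files\Office\WINWORD.EXE"},
    {"type": "Process", "action": "launch", "pid": 512, "ppid": 400,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "File", "action": "create", "pid": 512,
     "path": r"C:\Users\alice\AppData\Roaming\svc.exe"},
    {"type": "Registry Value", "action": "set", "pid": 512,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\Users\alice\AppData\Roaming\svc.exe"},
    {"type": "Network", "action": "connect", "pid": 512, "dest": "203.0.113.7:443"},
]

OFFICE = ("winword.exe", "excel.exe", "powerpnt.exe")
LOAD_POINT_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")

def detect(events):
    """Return (rule, pid, detail) alerts from a recorder event stream."""
    procs = {}   # pid -> image path, rebuilt from Process launch events
    alerts = []
    for ev in events:
        if ev["type"] == "Process" and ev["action"] == "launch":
            procs[ev["pid"]] = ev["image"]
            parent = procs.get(ev["ppid"], "").lower()
            child = ev["image"].lower()
            # Rule 1: PowerShell spawned by an Office application
            if child.endswith("powershell.exe") and parent.endswith(OFFICE):
                alerts.append(("office_spawns_powershell", ev["pid"], parent))
        elif ev["type"] == "Registry Value" and ev["action"] == "set":
            key = ev["key"].lower()
            # Rule 2: Run/RunOnce load point pointing at a user-writable path
            if key.endswith(LOAD_POINT_KEYS) and "\\appdata\\" in ev["value"].lower():
                alerts.append(("loadpoint_user_writable", ev["pid"], ev["value"]))
    return alerts

def incident_pids(alerts, threshold=2):
    """Processes that tripped at least `threshold` distinct rules: candidates for
    automatic incident generation and one-click remediation."""
    rules = defaultdict(set)
    for rule, pid, _ in alerts:
        rules[pid].add(rule)
    return sorted(pid for pid, r in rules.items() if len(r) >= threshold)

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
    print("incident candidates:", incident_pids(detect(EVENTS)))
```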
Find suspicious objects and related events
Investigate, Hunt and Prioritize
Endpoint IoC Search
• Search for IoCs in real-time across database and endpoints
• Search Endpoint Activity Recorder streamed events
• Leverage quick filters
• Custom extended scan areas (e.g. \Downloads, \Box)
Forensic Collection
Real-time Auto Incident Generation / Sandbox
• Memory exploit detections
• Suspicious PowerShell
• Risk scored recorder events
• Automatically submit suspicious files to sandbox (on-premises or cloud)
• Full endpoint and file/process dumps
• Acquire process-memory
• Collect PE and non-PE files
• Acquire OS forensic artifacts (e.g. Prefetch, MFT, Browser history)
Investigate
Complete and Rapid Endpoint Repair
• Blacklist or whitelist a file
• Delete a file, reverse load point changes, return endpoint to a pre-infection state
• Quarantine compromised endpoints
• Fortify against future infection
Diagram: Blacklist a malicious file; Isolate an endpoint; Delete a malicious file
Fully remediate across endpoints from a single console with one click.
EDR with SEP
Respond
Interactive graphics simplify complex investigations
Visualization
• Visual incident diagrams and alerts
• Connect impacted endpoints with actors and objects, pivot for more detail
• Quickly learn the source, timing and impact of an incident
• Visual link analysis
• Understand contextual relationship between unrelated data types
• Transform large amounts of data into interactive graphics and reports
• Focus on relevant activity with machine-assisted analysis
• Simplify reporting
Investigate
Manual activities and processes hinder SOC productivity
Complex Manual Workflows
SOC managers need to reduce the mean time to resolution, lower cost:
• Skilled analysts are hard to find and retain
• Must speed triage and prioritize alerts
• Need to capture and reuse the best practices of skilled analysts to enhance incident response and threat hunting
People, process and infrastructure need to be integrated to streamline operations:
• Simplify the management of data flows and initiate actions across control points
• Require more from existing investments in SIEM and ticketing products
Leverage built-in playbooks, create custom workflows
Automate Investigation and Artifact Collection
Built-in Playbooks: Quickly initiate cyber security functions and leverage expert investigation methods with built-in playbooks.
Custom Workflows: Automate repetitive manual tasks and create custom investigation flows.
Artifact Collection: Gain in-depth visibility into endpoint activity with automated artifact collection.
Automate
Only Symantec delivers integrated cyber defense
Integrations with Symantec and Partner Products
Integrations (diagram): Control Points (Email Security, Web Gateway, Cloud Security, Endpoint Security: SEP + EDR); SOC Integration (SIEM, Orchestration & Automation, Ticketing); Global Intelligence Network; Data Loss Prevention; Encryption; Advanced Threat Protection; EDR; Content Analysis; ITMS; Security Analytics
Integrate
The DATA
Pressing Problems in Data Protection: Changing usage models will mandate a platform architecture
Diagram labels: Best in class termination points & protection; Deep artificial intelligence & automation; A dark internet; The coming fiscal crisis
Data Breaches: Targeted threats aim to steal sensitive data from critical devices
Regulations Compliance: Increased scrutiny demands data visibility, access controls and leakage risk
Foundation to a Data Protection Program
Superior Detection: Comprehensive detection methods
Visibility Everywhere: Visibility and protection on all channels and locations
Integrated Platform: Integration with the rest of your security architecture
Provider Ecosystem: Third-Party Integrations, Information Exchange Layer, Managed Security Services Provider, Custom Outcomes
Data Detection and Protection in The Cloud: Data protection must be consistent across all channels
Channels (diagram): Cloud Access Security Broker; Web Gateways; Email Security; Endpoint; Storage; Network; Cloud: SaaS/IaaS (AWS, Box, OneDrive, SFDC…), Web (LinkedIn, Facebook, Twitter…), Email (O365, Gmail)
Data detection and protection with policies management across all channels.
Detection in the cloud | All control points | Single pane of glass | Mobile & BYOD
Data Loss Prevention answers these critical questions about your information:
DISCOVER: Where does your confidential data live? Locate where your sensitive information resides across your cloud, mobile, network, endpoint and storage systems.
MONITOR: How is it being used? Understand how your sensitive information is being used, including what data is being handled and by whom.
PROTECT: How do you prevent data loss? Stop sensitive information from being leaked or stolen by enforcing data loss policies and educating employees.
From DLP to An Integrated Data Security Platform
Data Loss Prevention: Endpoint, Storage, Network, Cloud
Cloud Access Security Broker (CASB)
Data Classification (ICT)
User and Entity Behavior Analytics (ICA)
Identity and Access Management (VIP)
Web Gateways (ProxySG, WSS, Mobile)
Digital Rights Management (ICE)
Email Security, Encryption, SSLV, SEP, CCS…
Key products (diagram): Web Gateways, ICT, ICA, SEP, VIP, ICE, CASB, Endpoint Security (SEP)
Next Steps
Where do we go from here?
• Engage: part of the 360° IT Security Workshop; Meet & Greet the New Symantec; Solution Overview (Face-to-Face, WebEx); Demo; Architecture Workshop
• Evaluate: Existing Environment: Health Check; Proof of Concept (PoC); Advanced Threat Assessment (Network, Endpoint, Cloud)
• Deploy & BE SAFE ☺
Thank You!