search cancel

Understanding the Difference Between SDCS:SA and SEP

book

Article ID: 150400

calendar_today

Updated On:

Products

Data Center Security Server Data Center Security Server Advanced

Issue/Introduction

Resolution

Symantec Data Center Security: Server Advanced 6.5 v/s Symantec Endpoint Protection 12.1

Understanding the difference between SDCS:SA and SEP

Symantec Data Center Security: Server Advanced (DCS:SA)

Symantec Data Center Security: Server Advanced (DCS:SA) provides a policy-based approach to endpoint security and compliance. The intrusion prevention and detection features of DCS:SA operate across a broad range of platforms and applications. It provides:

A policy-based host security agent for monitoring and protection.
Proactive attack prevention using the least privilege containment approach.
A centralized management environment for enterprise systems that contain Windows, UNIX, and Linux computers.

The major features of DCS:SA are as follows:

1) Intrusion detection facility for compliance auditing

Real-time file integrity monitoring
Granular change detection of registry values, file contents, and attributes
Operating system and application log monitoring
Local event correlation and smart response actions

2) Intrusion Prevention facility for malware prevention and system lockdown

Sandbox containment of operating system and application processes by an in-kernel reference monitor
Granular access control of network, file systems, registry, process-to-process memory access, system calls, and application and child process launches
Privileged user and program behavior

3) Anti-malware security

DCS:SA Security Virtual Appliance (SVA) provides agentless anti-malware security services for the virtualized network through integration with the VMware Network and Security Virtualization (NSX) platform. SVA provides two types of policies: Antivirus policies, and configuration policies.

Comprehensive out-of-the-box policies for complete system monitoring and protection of physical and virtual systems.
Security orchestration using Operations Director. Operations Director is intended to:
- Automate security provisioning workflow.
- Provide application-centric security service.
- Seamlessly integrate with VMware NSX.
- Provide out-of-box security product integration.
Centralized management environment for administering agents, policies, and events
Integration with Security Information and Event Management (SIEM) and other security tools, as well as enterprise infrastructure components such as Active Directory, SMTP, and SNMP
Broad platform support across Windows, Linux, UNIX and virtual environments for critical servers, workstations, laptops, and standalone systems

The major benefits of DCS:SA are as follows:

Reduces emergency patching and minimizes patch-related downtime and IT expenses through proactive protection that does not require continuous updates.
Reduces incidents and remediation costs with continuous security. Once the agent has a policy, it enforces the policy even when the computer is not connected to the corporate network. And even if a computer is unable to obtain the latest patches in a timely fashion, DCS:SA continues to block attacks so that the computer is always protected.
Provides visibility and control over the security posture of business-critical enterprise assets.
Uses predefined compliance and hardening policies to provide efficient security management, reporting, alerting, and auditing of activities. Also provides compensating controls for compliance failures.

Prevention Strategies for Physical and Virtual Servers:

Application Whitelisting and Protected Whitelisting: Discover applications via system inspection for creating default-deny policies, or allow applications to run in a restricted sandbox.
Targeted Prevention Policies: Respond to server incursion or compromise immediately with quickly customizable hardening policies.
Granular Intrusion Prevention Policies: Protect against zero day threats and restrict the behavior of approved applications even after they are allowed to run with least privilege access controls.
File, System and Admin Lockdown: Harden virtual and physical servers to maximize system uptime and avoid ongoing support costs for legacy operating systems.

Detection Strategies for Physical and Virtual Servers:

File Integrity Monitoring: Identify changes to files in real-time, including who made the change and what changed within the file.
Configuration Monitoring: Identify policy violations, suspicious administrators or intruder activity in real-time.

Key Benefits

Enforce server protection strategies without requiring foreknowledge of complex server applications.
Stop zero-day exploits and targeted attacks on servers with targeted prevention policies.
Secure legacy systems and mitigate patching requirements by hardening the OS and sandboxing applications.
Make security responsive to new software defined data center architectures — controls and policies follow servers across the virtual infrastructure.
Provide real-time visibility and control into compliance, in a single real-time monitoring and prevention solution.
Achieve complete protection for vSphere leveraging out-of-the-box policies based on the latest vSphere hardening guidelines.

Symantec Endpoint Protection 12.1

Symantec Endpoint Protection Enterprise Edition 12.1 - Symantec Endpoint Protection is a client-server solution that protects laptops, desktops, Mac computers, and servers in your network against malware such as viruses, worms, Trojan horses, spyware, and adware.

Additionally it is able to provide protection against even the more sophisticated attacks that evade traditional security measures such as rootkits and zero-day attacks.

The suite comprises of Antivirus / Antimalware protection, Firewall, IPS and Application and Device Control.

In Symantec Endpoint Protection 12.1 version, SEP is built on multiple additional layers of protection, including Symantec Insight and SONAR both of which provide protection against new and unknown threats. The most recent Symantec Endpoint Protection version is 12.1 RU6.

Support for Linux Client Management

The Symantec Endpoint Protection Manager now supports Linux clients, allowing administrators to configure antivirus policies the same way they would for Windows and Macs.

Power Eraser integration

Power Eraser has been fully integrated into Symantec Endpoint Protection, allowing administrators to remotely scan an infected endpoint and remediate the infection remotely from the management console.

Remote deployment for Macs

Administrators can remotely install Mac clients from the Symantec Endpoint Protection Manager.

Competitive uninstaller

Removes over 300 products from more than 60 vendors, ensuring endpoint safety during any update.

The layers of protection that are integrated into Symantec Endpoint Protection

Layer	Type of protection	Description	Symantec Endpoint Protection technology name
1	Network-based protection	The firewall and the intrusion prevention system block over 60% of malware as it travels over the network and before it arrives at the computer. This primary defense protects against drive-by downloads, social engineering, fake antivirus programs, individual system vulnerabilities, rootkits, botnets, and more. Stopping malware before it reaches your computer is definitely preferred to identifying a vulnerability that has already been exploited.	Network Threat Protection: Firewall Protocol-aware IPS Virus and Spyware Protection: Browser protection
2	File-based protection	This traditional signature-based antivirus protection looks for and eradicates the malware that has already taken up residence on a system. Virus and Spyware Protection blocks and removes the malware that arrives on the computer by using scans. Unfortunately, many companies leave themselves exposed through the belief that antivirus alone keeps their systems protected.	Virus and Spyware Protection: Antivirus engine Auto-Protect Bloodhound
3	Reputation-based protection	Insight establishes information about entities, such as websites, files, and IP addresses to be used in effective security. Download Insight determines the safety of files and websites by using the wisdom of the community. Sophisticated threats require leveraging the collective wisdom of over 200 million systems to identify new and mutating malware. Symantec’s Insight gives companies access to the largest global intelligence network available to allow them to filter every file on the internet based on reputation.	Virus and Spyware Protection: Domain reputation score File reputation (Insight)
4	Behavioral-based protection	SONAR looks at processes as they execute and use malicious behaviors to indicate the presence of malware. SONAR watches programs as they run, and blocks suspicious behaviors. SONAR catches targeted and unknown threats by aggressively monitoring file processes as they execute and identify malicious behavior. SONAR uses artificial intelligence, behavior signatures, and policy lockdown to monitor nearly 1,400 file behaviors as they execute in real time. When SONAR is combined with Insight, this technology is able to aggressively stop zero-day threats without increasing false-positives.	Proactive Threat Protection (Virus and Spyware Protection policy): SONAR
5	Repair and remediation tools	When malware does get through, Power Eraser scrubs hard-to-remove infections and gets your system back online as quickly as possible. Power Eraser uses aggressive remediation on hard-to-remove infections.	Power Eraser: Boot to clean operating system Power Eraser uses aggressive heuristics Threat-specific tools
6	System Lockdown	System Lockdown lets you limit the applications that can run. System Lockdown operates in either a whitelisting or a blacklisting mode. In either mode, System Lockdown uses checksum and file location parameters to verify whether an application is approved or unapproved.	System Lockdown
7	Application control	Application control monitors and controls an application's behavior. Application control protects against unauthorized access and attack by controlling what applications can run. Application control blocks or terminates processes, limits file and folder access, protects the Windows registry, and controls module and DLL loading.	Application control
8	Device control	Device control restricts and enables the access to the hardware that can be used on the client computer. You can block and control the devices that are connected to your systems, such as USB devices, FireWire, serial, and parallel ports. Device control can prevent all access to a port or allow access only from certain devices with a specific vendor ID.	Device control

Difference between

Symantec Data Center Security : Server Advanced

and

Symantec Endpoint Protection (Antivirus)

Sr. No	Pointers	Symantec Data Center Security : Server Advanced	Symantec Endpoint Protection (Antivirus)
	Features	1)IPS/IDS 2)SVA (agentless anti-malware) 3)System hardening 4)Logons/Logoffs Monitoring 5)Configuration monitoring 6)Least privilege access control.	1)Firewall, protocol aware IPS, Browser Protection 2)File based Protection (AV, Autoprotect) 3)Reputation based Protection (Insight, File Reputation) 4)Behavioral based Protection (SONAR) 5)System Lockdown 6)Application and Device Control 7)SVA
2.	AV Protection	Agentless Anti-Malware protection for all Windows Virtual machines. DCS agentless AV does not support Linux VM’s currently. Symantec is working with Vmware but this is not a GA feature.	Anti-Malware / Anti-Virus for all physical and virtual machines (Windows / Linux / Mac) .
3.	IPS Policies	Comprehensive Host Intrusion Prevention policies	Focused HIPS Policies
4.	VMware Support	Using the Security Virtual Appliance (SVA) you can protect guest virtual machines against malware. SVA provides agentless anti-malware security for VMware guest virtual machines through deep integration with VMware NSX platform.	The Security Virtual Appliance integrates with VMware’s vShield Endpoint. The Shared Insight Cache runs in the appliance and lets Windows-based Guest Virtual Machines (GVMs) with the Symantec Endpoint Protection client installed share scan results.
5.	Updates and Signatures	Does not use signatures or require continual updates to content.	This traditional signature-based antivirus protection looks for and eradicates the malware that has already taken up residence on a system. Virus and Spyware Protection blocks and removes the malware that arrives on the computer by using scans.
6.	File-based protection	Process / Rule Based.	This traditional signature-based Virus and Spyware Protection: - Antivirus engine - Auto-Protect - Bloodhound
7.	Firewall	Integrated firewall: blocks inbound and outbound TCP/UDP traffic; administrator can block traffic per port, per protocol, per IP address or range	Network Threat Protection: - Firewall - Protocol-aware IPS Virus and Spyware Protection: Browser protection
8.	Integrity	Real-time File Integrity Monitoring detection on AIX, Windows, and Linux.	The Host Integrity policy ensures that the endpoints are protected and compliant.
9.	System Lockdown	Hardened systems: lock down OS, applications, and databases; prevent unauthorized executables from being introduced or run	System Lockdown lets you limit the applications that can run. System Lockdown operates in either a whitelisting or a blacklisting mode. In either mode, System Lockdown uses checksum and file location parameters to verify whether an application is approved or unapproved.
10.	Application Control	Better control over Applications	Application control it is limited.
11.	Device Control	More control over Device you can block devices for Application, users or Groups.	Can either block or Unblock a Device.
12.	Priority / Precedence	Priority to specific application than general rules.	Precedence is based on sequence of the policy.
13.	Focus	Focuses on Zero-day Exploits and in Depth Application Control	Focused on USB control and blocking an application
14.	Day-zero protection	Stops malicious exploitation of systems and applications; prevent introduction and spread of malicious code	Protection against even the most sophisticated attacks that evade traditional security measures, such as rootkits, zero-day attacks, and spyware that mutates.
15.	Platform support	Microsoft Windows Sun™ Solaris™ Red Hat® Enterprise Linux CentOS Linux Oracle Linux SUSE® Enterprise Linux IBM® AIX® Hewlett-Packard® HP-UX®	Microsoft Windows Red Hat® Enterprise Linux Ubuntu Oracle Linux SUSE® Enterprise Linux Novell Open Enterprise Server CentOS Linux Debian 6.0.5 Squeeze; 32-bit and 64-bit Fedora Windows Embedded Mac OS X
16.	Integrationwith SIEM	Yes	Yes

Conclusion:

• If no prevention policy or a 'disabled' prevention policy is in use, full 'real-time' anti-virus is still definitely recommended.

• With the 'core' prevention policy in full prevention mode, 'real-time' anti-virus becomes less important, but still a good idea. The 'core' policy locks down the main attack points that viruses and hacking attacks use, but any application that is not specifically called out by the policy operates as a 'safe' application - i.e. it can still modify executables and infect a system.

• With a 'strict' or 'limited execution', the system is significantly protected against threats, so 'real-time' AV protection is not needed as much. No application can be changed or modified without either user intervention or modification by a privileged app (i.e. software distribution tool). Turning off SEP Auto-Protect ('real-time' protection) would improve file access performance and reduce memory impact.

• For 'core', 'strict' and 'limited execution' I would still recommend AV with at least regular file scans (scheduled or manual scan), just to make sure no infected files linger around on a system. Otherwise infected files could be dropped on the system in lesser protected locations (assuming they are not executable files) and end up being 'distributed' to other users download these files - a particularly likely case for Sharepoint, file servers and web servers. Office files would be good examples of files that could be infected but would not be controlled/blocked by SDCS, but would be caught by AV.

PLEASE NOTE: Symantec Data Center Security provides antimalware / antivirus policies for only virtual environment and does not provide anti-virus protection on physical machines.

In other words, you would require Symantec Endpoint Protection (Antivirus) for all physical machines.

Also consider the following benefits that SEP provides when installed on the same system as SDCS:

1. Cleans systems regardless of how they’ve been infected once the signatures are up to date.

2. Protects against the types of attacks that are “normal behaviors” in SDCS’s various Behavior Controls. One example is a Word macro virus that just wants to be malicious and delete all of the files on your system.

Feedback

thumb_up Yes

thumb_down No