Symantec Data Center Security: Server Advanced (DCS:SA)
Symantec Data Center Security: Server Advanced (DCS:SA) provides a policy-based approach to endpoint security and compliance. The intrusion prevention and detection features of DCS:SA operate across a broad range of platforms and applications. It provides:
- A policy-based host security agent for monitoring and protection.
- Proactive attack prevention using the least privilege containment approach.
- A centralized management environment for enterprise systems that contain Windows, UNIX, and Linux computers.
The major features of DCS:SA are as follows:
1) Intrusion detection facility for compliance auditing
- Real-time file integrity monitoring
- Granular change detection of registry values, file contents, and attributes
- Operating system and application log monitoring
- Local event correlation and smart response actions
2) Intrusion Prevention facility for malware prevention and system lockdown
- Sandbox containment of operating system and application processes by an in-kernel reference monitor
- Granular access control of network, file systems, registry, process-to-process memory access, system calls, and application and child process launches
- Privileged user and program behavior
3) Anti-malware security
DCS:SA Security Virtual Appliance (SVA) provides agentless anti-malware security services for the virtualized network through integration with the VMware Network and Security Virtualization (NSX) platform. SVA provides two types of policies: antivirus policies and configuration policies.
- Comprehensive out-of-the-box policies for complete system monitoring and protection of physical and virtual systems
- Security orchestration using Operations Director. Operations Director is intended to:
  - Automate security provisioning workflow.
  - Provide application-centric security service.
  - Seamlessly integrate with VMware NSX.
  - Provide out-of-box security product integration.
- Centralized management environment for administering agents, policies, and events
- Integration with Security Information and Event Management (SIEM) and other security tools, as well as enterprise infrastructure components such as Active Directory, SMTP, and SNMP
- Broad platform support across Windows, Linux, UNIX and virtual environments for critical servers, workstations, laptops, and standalone systems
The major benefits of DCS:SA are as follows:
- Reduces emergency patching and minimizes patch-related downtime and IT expenses through proactive protection that does not require continuous updates.
- Reduces incidents and remediation costs with continuous security. Once the agent has a policy, it enforces the policy even when the computer is not connected to the corporate network. And even if a computer is unable to obtain the latest patches in a timely fashion, DCS:SA continues to block attacks so that the computer is always protected.
- Provides visibility and control over the security posture of business-critical enterprise assets.
- Uses predefined compliance and hardening policies to provide efficient security management, reporting, alerting, and auditing of activities. Also provides compensating controls for compliance failures.
Prevention Strategies for Physical and Virtual Servers
- Application Whitelisting and Protected Whitelisting: Discover applications via system inspection for creating default-deny policies, or allow applications to run in a restricted sandbox.
- Targeted Prevention Policies: Respond to server incursion or compromise immediately with quickly customizable hardening policies.
- Granular Intrusion Prevention Policies: Protect against zero day threats and restrict the behavior of approved applications even after they are allowed to run with least privilege access controls.
- File, System and Admin Lockdown: Harden virtual and physical servers to maximize system uptime and avoid ongoing support costs for legacy operating systems.
Detection Strategies for Physical and Virtual Servers
- File Integrity Monitoring: Identify changes to files in real-time, including who made the change and what changed within the file.
- Configuration Monitoring: Identify policy violations, suspicious administrators or intruder activity in real-time.
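The baseline-and-compare logic behind file integrity monitoring, shown as an added example (not DCS:SA's agent code): each file is fingerprinted by content hash plus size, mode and owner, and a later snapshot is diffed against the baseline to report created, deleted and modified files with the attributes that changed. The sample directory tree is constructed inside `demo()`; attributing a change to the user who made it needs OS audit logging and is not shown here.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

# Constructed baseline-and-compare file integrity monitor, not DCS:SA's agent code.
# Each file is fingerprinted by content hash plus the attributes a FIM policy watches.
WATCHED_ATTRS = ("sha256", "size", "mode", "uid")

def fingerprint(path: Path) -> dict:
    st = path.lstat()
    return {
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
    }

def baseline(root: str) -> dict:
    """Snapshot every regular file under root, keyed by POSIX-style relative path."""
    root_p = Path(root)
    return {p.relative_to(root_p).as_posix(): fingerprint(p)
            for p in sorted(root_p.rglob("*")) if p.is_file()}

def compare(old: dict, new: dict) -> list:
    """One event per created, deleted or modified file, naming the attributes that changed."""
    events = []
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            events.append({"path": rel, "change": "created"})
        elif rel not in new:
            events.append({"path": rel, "change": "deleted"})
        else:
            diff = [k for k in WATCHED_ATTRS if old[rel][k] != new[rel][k]]
            if diff:
                events.append({"path": rel, "change": "modified", "attributes": diff})
    return events

def demo() -> list:
    """Constructed scenario: baseline a config tree, tamper with it, report the events."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp) / "etc"
        etc.mkdir()
        (etc / "app.conf").write_text("debug=0\n")
        (etc / "old.conf").write_text("x=1\n")
        before = baseline(tmp)
        (etc / "app.conf").write_text("debug=1\n")  # same size, different content
        (etc / "old.conf").unlink()
        (etc / "dropped.sh").write_text("#!/bin/sh\n")
        return compare(before, baseline(tmp))
```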
Key Benefits
- Enforce server protection strategies without requiring foreknowledge of complex server applications.
- Stop zero-day exploits and targeted attacks on servers with targeted prevention policies.
- Secure legacy systems and mitigate patching requirements by hardening the OS and sandboxing applications.
- Make security responsive to new software defined data center architectures — controls and policies follow servers across the virtual infrastructure.
- Provide real-time visibility and control into compliance, in a single real-time monitoring and prevention solution.
- Achieve complete protection for vSphere leveraging out-of-the-box policies based on the latest vSphere hardening guidelines.
Symantec Endpoint Protection 12.1
Symantec Endpoint Protection Enterprise Edition 12.1 is a client-server solution that protects laptops, desktops, Mac computers, and servers in your network against malware such as viruses, worms, Trojan horses, spyware, and adware.
Additionally, it protects against more sophisticated attacks that evade traditional security measures, such as rootkits and zero-day attacks.
The suite comprises antivirus/antimalware protection, a firewall, IPS, and application and device control.
Symantec Endpoint Protection 12.1 is built on multiple additional layers of protection, including Symantec Insight and SONAR, both of which provide protection against new and unknown threats. The most recent Symantec Endpoint Protection version is 12.1 RU6.
- Support for Linux client management: The Symantec Endpoint Protection Manager now supports Linux clients, allowing administrators to configure antivirus policies the same way they would for Windows and Mac clients.
- Power Eraser integration: Power Eraser has been fully integrated into Symantec Endpoint Protection, allowing administrators to remotely scan an infected endpoint and remediate the infection from the management console.
- Remote deployment for Macs: Administrators can remotely install Mac clients from the Symantec Endpoint Protection Manager.
- Competitive uninstaller: Removes over 300 products from more than 60 vendors, ensuring endpoint safety during any update.
The layers of protection that are integrated into Symantec Endpoint Protection
Layer | Type of protection | Description | Symantec Endpoint Protection technology name |
---|---|---|---|
1 | Network-based protection | The firewall and the intrusion prevention system block over 60% of malware as it travels over the network, before it arrives at the computer. This primary defense protects against drive-by downloads, social engineering, fake antivirus programs, individual system vulnerabilities, rootkits, botnets, and more. Stopping malware before it reaches your computer is preferable to identifying a vulnerability that has already been exploited. | Network Threat Protection; Virus and Spyware Protection |
2 | File-based protection | This traditional signature-based antivirus protection looks for and eradicates malware that has already taken up residence on a system. Virus and Spyware Protection blocks and removes the malware that arrives on the computer by using scans. Unfortunately, many companies leave themselves exposed through the belief that antivirus alone keeps their systems protected. | Virus and Spyware Protection |
3 | Reputation-based protection | Insight establishes information about entities such as websites, files, and IP addresses for use in effective security. Download Insight determines the safety of files and websites by using the wisdom of the community. Sophisticated threats require leveraging the collective wisdom of over 200 million systems to identify new and mutating malware. Symantec's Insight gives companies access to the largest global intelligence network available, allowing them to filter every file on the internet based on reputation. | Virus and Spyware Protection |
4 | Behavioral-based protection | SONAR looks at processes as they execute and uses malicious behaviors to indicate the presence of malware. SONAR watches programs as they run and blocks suspicious behaviors. SONAR catches targeted and unknown threats by aggressively monitoring file processes as they execute and identifying malicious behavior. SONAR uses artificial intelligence, behavior signatures, and policy lockdown to monitor nearly 1,400 file behaviors as they execute in real time. When SONAR is combined with Insight, this technology is able to aggressively stop zero-day threats without increasing false positives. | Proactive Threat Protection (Virus and Spyware Protection policy): SONAR |
5 | Repair and remediation tools | When malware does get through, Power Eraser scrubs hard-to-remove infections and gets your system back online as quickly as possible. Power Eraser uses aggressive remediation on hard-to-remove infections. | Power Eraser |
6 | System Lockdown | System Lockdown lets you limit the applications that can run. System Lockdown operates in either a whitelisting or a blacklisting mode. In either mode, System Lockdown uses checksum and file location parameters to verify whether an application is approved or unapproved. | System Lockdown |
7 | Application control | Application control monitors and controls an application's behavior. Application control protects against unauthorized access and attack by controlling what applications can run. Application control blocks or terminates processes, limits file and folder access, protects the Windows registry, and controls module and DLL loading. | Application control |
8 | Device control | Device control restricts and enables access to the hardware that can be used on the client computer. You can block and control the devices that are connected to your systems, such as USB devices, FireWire, serial, and parallel ports. Device control can prevent all access to a port or allow access only from certain devices with a specific vendor ID. | Device control |
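The approval check described for System Lockdown (layer 6) as an added example, not Symantec's implementation: an executable is matched on its checksum and its file location, and the mode decides whether a match means approved (whitelisting) or unapproved (blacklisting). The entry format, the mode names and the POSIX paths are assumptions, and the sample binaries are constructed byte strings.

```python
import hashlib
from dataclasses import dataclass
from pathlib import PurePosixPath

# Constructed illustration of checksum-plus-location application approval.
# Not Symantec's code: entry layout, mode names and POSIX paths are assumed.

@dataclass(frozen=True)
class FingerprintEntry:
    sha256: str    # hex SHA-256 of the executable's contents
    location: str  # directory the executable must live under; "" means any location

def file_sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def in_location(path: str, location: str) -> bool:
    """Location parameter: the executable must sit under the listed directory."""
    if not location:
        return True
    p, loc = PurePosixPath(path), PurePosixPath(location)
    return loc in p.parents

def matches(path: str, data: bytes, entries: list) -> bool:
    """True when both the checksum and the location of some entry match."""
    digest = file_sha256(data)
    return any(e.sha256 == digest and in_location(path, e.location) for e in entries)

def is_approved(path: str, data: bytes, entries: list, mode: str) -> bool:
    """whitelist: only matching binaries run; blacklist: matching binaries are denied."""
    hit = matches(path, data, entries)
    if mode == "whitelist":
        return hit
    if mode == "blacklist":
        return not hit
    raise ValueError(f"unknown mode {mode!r}")

# Constructed sample: the approved service binary and a tampered copy of it.
GOOD_BINARY = b"\x7fELF-constructed-service-v1"
TAMPERED_BINARY = GOOD_BINARY + b"-patched"
WHITELIST = [FingerprintEntry(file_sha256(GOOD_BINARY), "/opt/app/bin")]
```

A copy of the approved binary moved outside its listed location, or a modified copy in the right location, fails the whitelist check, which is why both parameters are checked together.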
Difference between Symantec Data Center Security: Server Advanced and Symantec Endpoint Protection (Antivirus)
Sr. No | Pointers | Symantec Data Center Security: Server Advanced | Symantec Endpoint Protection (Antivirus) |
---|---|---|---|
1. | IPS Policies | Comprehensive host intrusion prevention policies | Focused HIPS policies |
2. | Application Control | Better control over applications | Application control is limited. |
3. | Device Control | More control over devices: you can block devices per application, user, or group. | Can either block or unblock a device. |
4. | Priority / Precedence | Rules for a specific application take priority over general rules. | Precedence is based on the sequence of the policy. |
5. | Focus | Focuses on zero-day exploits and in-depth application control | Focused on USB control and blocking applications |
6. | System Lockdown | Hardened systems: lock down OS, applications, and databases; prevent unauthorized executables from being introduced or run | System Lockdown lets you limit the applications that can run. System Lockdown operates in either a whitelisting or a blacklisting mode. In either mode, System Lockdown uses checksum and file location parameters to verify whether an application is approved or unapproved. |
7. | Firewall | Integrated firewall: blocks inbound and outbound TCP/UDP traffic; administrator can block traffic per port, per protocol, per IP address or range | Network Threat Protection (firewall and protocol-aware IPS); Virus and Spyware Protection |
8. | Integrity | Real-time file integrity monitoring detection on AIX, Windows, and Linux. | The Host Integrity policy ensures that the endpoints are protected and compliant. |
9. | VMware Support | Using the Security Virtual Appliance (SVA) you can protect guest virtual machines against malware. SVA provides agentless anti-malware security for VMware guest virtual machines through deep integration with the VMware NSX platform. | The Security Virtual Appliance integrates with VMware's vShield Endpoint. The Shared Insight Cache runs in the appliance and lets Windows-based guest virtual machines (GVMs) with the Symantec Endpoint Protection client installed share scan results. |
10. | Platform support | | |
11. | File-based protection | Not file based. | Traditional signature-based Virus and Spyware Protection |
12. | Updates and Signatures | Does not use signatures or require continual updates to content. | This traditional signature-based antivirus protection looks for and eradicates malware that has already taken up residence on a system. Virus and Spyware Protection blocks and removes the malware that arrives on the computer by using scans. |
13. | Day-zero protection | Stops malicious exploitation of systems and applications; prevents the introduction and spread of malicious code | Protection against even the most sophisticated attacks that evade traditional security measures, such as rootkits, zero-day attacks, and spyware that mutates. |
Conclusion:
- If no prevention policy or a 'disabled' prevention policy is in use, full 'real-time' anti-virus is still definitely recommended.
- With the 'core' prevention policy in full prevention mode, 'real-time' anti-virus becomes less important, but is still a good idea. The 'core' policy locks down the main attack points that viruses and hacking attacks use, but any application that is not specifically called out by the policy operates as a 'safe' application, i.e. it can still modify executables and infect a system.
- With a 'strict' or 'limited execution' policy, the system is significantly protected against threats, so 'real-time' AV protection is not needed as much. No application can be changed or modified without either user intervention or modification by a privileged app (i.e. a software distribution tool). Turning off SEP Auto-Protect ('real-time' protection) would improve file access performance and reduce memory impact.
- For 'core', 'strict' and 'limited execution' policies I would still recommend AV with at least regular file scans (scheduled or manual), just to make sure no infected files linger on a system. Otherwise infected files could be dropped on the system in less protected locations (assuming they are not executable files) and end up being 'distributed' to other users who download these files, a particularly likely case for SharePoint, file servers and web servers. Office files are good examples of files that could be infected but would not be controlled or blocked by SDCS, yet would be caught by AV.
Also consider the following benefits that SEP provides when installed on the same system as SDCS:
1. Cleans systems regardless of how they’ve been infected once the signatures are up to date.
2. Protects against the types of attacks that are “normal behaviors” in SDCS’s various Behavior Controls. One example is a Word macro virus that just wants to be malicious and delete all of the files on your system.