So far in this blog series, we’ve taken a deep dive into the important innovations built into Symantec Endpoint Protection 14 – specifically advanced machine learning, memory exploit mitigation, and the Emulator – and how they work together to fight malware attacks.
This week we want to take a closer look at the critical role performance plays in securing the endpoint. Ultimately, if endpoint protection is cumbersome, if it slows down device performance or frustrates the user, then it doesn’t matter how innovative the technology is – users will turn it off. That’s why security software development requires a constant balancing act between increasing protection and minimizing performance impact.
That balancing act was top of mind as we created Symantec Endpoint Protection 14. Our development teams invested in three key areas to deliver multi-layered defense without compromising end-user or IT productivity. Let’s take a look at each area in detail.
Smaller footprint
We knew each new weapon in our endpoint arsenal would need to be carefully optimized so as to not slow down either the network or the end user, in effect bolstering security while prioritizing efficiency. For example, we deploy our machine learning technology to both the endpoint and the cloud – analyzing file attributes and behaviors locally on the device, while analyzing relationships and reputation using big data at scale in our cloud. That delivers incredible intelligence for endpoint protection without requiring a bulky application.
We also optimized and enhanced the core application to minimize the volume of signature definitions stored locally. All told, the typical footprint of a fresh install with core definitions was reduced by 68% compared to SEP 12.1, an impressive delta that reflects both a smaller application footprint and smaller definitions file updates.
Reduced downloads
Intelligent Threat Cloud is one of the breakthrough technology innovations in Symantec Endpoint Protection 14. The use of machine learning has reduced our dependence on signatures, but using them wisely still adds value. We built Intelligent Threat Cloud to provide real-time “on demand” cloud lookup for signatures, so we don’t need to keep all definitions on the endpoint – allowing updates to focus on the newest threat information. This reduces the frequency and size of signature definition files, which in turn lowers network usage and increases performance.
Based on our testing to date, the use of Intelligent Threat Cloud has helped reduce daily updates by 70% (comparing SEP 14 with core definitions to SEP 12.1). That’s roughly the equivalent of two emails per day, versus nearly two megabytes per day in the prior release. What happens if we can’t connect to the cloud? Multiple signature-less technologies such as machine learning and memory exploit mitigation are already in position to deliver a fairly definitive verdict at the endpoint – so if we can’t corroborate it, we convict it.
Intelligent Threat Cloud is powered by a variety of advanced techniques including data pipelining, trust propagation, and batched queries. And while some security vendors would like you to believe signatures are obsolete, as we mentioned above, the reality is that signature-based detection systems still play an essential role in preventing known threats – while machine learning, exploit prevention and virtual sandboxes are used to tackle the unknown. Deploying one without the other is akin to installing a fancy new alarm system on your house and then intentionally taking the locks off your doors.
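The on-demand lookup model described above (a small set of core definitions on the endpoint, a cloud lookup keyed by file hash for everything else, and the endpoint’s own signature-less verdict deciding when the cloud cannot corroborate) can be sketched in a few dozen lines. The following Python is an added illustration, not Symantec’s code or any description of how Intelligent Threat Cloud is actually implemented: the “cloud” is an in-memory dictionary, the sample files are constructed byte strings, and the signature-less layer is reduced to a single byte-entropy packer heuristic standing in for machine learning and emulation.

```python
import hashlib
import math
from collections import Counter
from typing import Callable, Dict, Tuple


class CloudUnavailable(Exception):
    """Raised by the cloud lookup stand-in when the endpoint cannot reach the cloud."""


def sha256_hex(data: bytes) -> str:
    """Content hash used as the lookup key for both local and cloud definitions."""
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; values near 8.0 suggest packed or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def signatureless_verdict(data: bytes, threshold: float = 7.0) -> str:
    """Stand-in for the endpoint's signature-less layers (ML, emulation).
    Here a single packer heuristic: very high entropy is 'suspicious'."""
    return "suspicious" if shannon_entropy(data) >= threshold else "clean"


# Constructed sample files for the demo; no real malware, just byte strings.
SAMPLE_CLEAN = b"This is a constructed plain-text document. " * 20
SAMPLE_KNOWN_BAD = b"constructed known-bad sample bytes"
SAMPLE_UNKNOWN_PACKED = bytes(range(256)) * 4      # maximal entropy, seen nowhere
SAMPLE_UNKNOWN_TEXT = b"another constructed document no cloud has seen"

# Small set of definitions kept on the endpoint (the "core definitions").
LOCAL_DEFINITIONS: Dict[str, str] = {sha256_hex(SAMPLE_KNOWN_BAD): "malicious"}

# Much larger set that lives in the cloud and is queried on demand (simulated).
CLOUD_DEFINITIONS: Dict[str, str] = {
    sha256_hex(SAMPLE_KNOWN_BAD): "malicious",
    sha256_hex(SAMPLE_CLEAN): "clean",
}


def cloud_lookup_online(digest: str) -> str:
    """Simulated reachable cloud: answers 'malicious', 'clean' or 'unknown'."""
    return CLOUD_DEFINITIONS.get(digest, "unknown")


def cloud_lookup_offline(digest: str) -> str:
    """Simulated unreachable cloud."""
    raise CloudUnavailable(digest)


def classify(data: bytes,
             cloud_lookup: Callable[[str], str],
             cache: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, source) for a file.

    Order: local core definitions -> cached cloud answers -> cloud lookup,
    with the signature-less verdict deciding whenever the cloud cannot
    corroborate (unreachable, or no entry for the hash)."""
    digest = sha256_hex(data)
    if digest in LOCAL_DEFINITIONS:
        return LOCAL_DEFINITIONS[digest], "local-definitions"
    if digest in cache:
        return cache[digest], "cache"

    local = signatureless_verdict(data)
    try:
        cloud = cloud_lookup(digest)
    except CloudUnavailable:
        # Cannot corroborate: the endpoint's own verdict stands, and a
        # suspicious file is convicted rather than allowed to run.
        return ("malicious" if local == "suspicious" else "clean"), "local-heuristic-offline"

    if cloud != "unknown":
        cache[digest] = cloud   # remember the answer so the next lookup stays local
        return cloud, "cloud"
    return ("malicious" if local == "suspicious" else "clean"), "local-heuristic"


if __name__ == "__main__":
    cache: Dict[str, str] = {}
    for name, sample in [("clean", SAMPLE_CLEAN), ("known-bad", SAMPLE_KNOWN_BAD),
                         ("unknown-packed", SAMPLE_UNKNOWN_PACKED),
                         ("unknown-text", SAMPLE_UNKNOWN_TEXT)]:
        print(name, classify(sample, cloud_lookup_online, cache))
    print("offline clean:", classify(SAMPLE_CLEAN, cloud_lookup_offline, {}))
```

Two design points are worth noticing. The cache means a file only costs a cloud round trip the first time it is seen, which is what lets the on-endpoint definitions stay small without paying network cost on every scan. And the offline branch is deliberately fail-closed: a file the local layers flag is convicted when the cloud cannot be asked, so losing connectivity degrades performance (more local analysis) rather than protection.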
Faster scan times
Last but not least, our development teams worked hard to deliver better protection with faster scanning times in Symantec Endpoint Protection 14. The new software scans sample sets that mix clean files with malware nearly 20% faster, a gain that can be attributed in large part to the addition of Intelligent Threat Cloud.
Real-time scanning of new files also works incredibly fast. The Emulator, for example, uses virtual sandboxing to shut down custom packer attacks, deploying sophisticated technology that mimics operating systems, APIs and processor instructions, all while managing virtual memory and running various heuristics and detection technologies. The Emulator operates in milliseconds – an average of 3.5ms for clean files and 300ms for malware – significantly minimizing detection and response impact on the network and user experience.
One agent, multiple layers of protection
The threat landscape is always changing, and malware can infiltrate the enterprise at any point in the attack chain. The reality is no single technology can stop all malware, all the time. Multiple technologies are a fundamental requirement for the future of endpoint security. At the same time, users don’t want the performance hit of multiple agents – and IT doesn’t need the headache of separate applications from multiple vendors, with the need to install, patch, update, troubleshoot and integrate each of them separately.
With Symantec Endpoint Protection 14, we combine new and established technologies in a single, lightweight agent to stop known and unknown threats across multiple vectors, going far beyond the reach and capability of point products. That includes machine learning, exploit prevention, antivirus, and reputation and behavioral analysis all within a single high-performance agent. That same agent can also collect the data you need to feed endpoint detection and response (EDR) via Symantec and third-party consoles.
Bottom line: Organizations no longer need to install and manage multiple endpoint agents for prevention, detection and response. With the consolidated technologies of Symantec Endpoint Protection 14, they can reap the enormous benefit of next generation protection, all while improving the user experience, reducing IT burden, and lowering total cost of ownership. All the better to focus on fighting the bad guys.
# # #
Check out our webinar with Adrian Sanabria from 451 Research to learn more about next-generation endpoint protection, and watch this space for regular blog posts that drill deeper into key capabilities with insights from Symantec and third-party experts.