Symantec Endpoint Detection and Response

Enterprises are increasingly under threat from sophisticated attacks. In fact, research has found that threats dwell in a customer’s environment an average of 190 days.  These Advanced Persistent Threats use stealthy techniques to evade detection and bypass traditional security defenses.  Once an advanced attack gains access to a customer environment the attacker has many tools to evade detection and begin to exploit valuable resources and data.  Security teams face multiple challenges when attempting to detect and fully expose the extent of an advanced attack including manual searches through large and disparate data sources, lack of visibility into critical control points, alert fatigue from false positives, and difficulty identifying and fixing impacted endpoints. Symantec EDR exposes advanced attacks with precision machine learning and global threat intelligence minimizing false positives and helps ensure high levels of productivity for security teams. Symantec EDR capabilities allow incident responders to quickly search, identify and contain all impacted endpoints while investigating threats using a choice of on-premises and cloud-based sandboxing. Also, Symantec EDR enhances investigator productivity with automated investigation playbooks and user behavior analytics that brings the skills and best practices of the most experienced security analysts to any organization, resulting in significantly lower costs. In addition, continuous and on-demand recording of system activity supports full endpoint visibility. Symantec EDR utilizes advanced attack detections at the endpoint and cloud-based analytics to detect targeted attacks such as breach detection, command and control beaconing, lateral movement and suspicious power shell executions. Capabilities: Detect and Expose – Reduce time to breach discovery and quickly expose the scope

• Apply Machine Learning and Behavioral Analytics to expose suspicious activity, detect and prioritize incidents
• Automatically identify and create incidents for suspicious scripts and memory exploits
• Expose memory-based attacks with analysis of process memory

Resolve – Rapidly fix endpoints and ensure the threat does not return

• Delete malicious files and associated artifacts on all impacted endpoints
• Blacklist and whitelist files at the endpoint
• Enhanced reporting allows any table to be exported for incident resolution reports

Investigate and Contain – Increase incident responder productivity and ensure threat containment

• Ensure complete incident playback with continuous recording of endpoint activity, view specific endpoint processes
• Hunt for threats by searching for indicators of compromise across all endpoints in real-time
• Contain potentially compromised endpoints during an investigation with endpoint quarantine

Integrate and Automate – Unify investigator views, orchestrate data and workflows

• Easily integrate incident data and actions into existing SOC infrastructure including Splunk and ServiceNow
• Replicate the best practices and analysis of skilled investigators with automated incident playbook rules
• Gain in-depth visibility into endpoint activity with automated artifact collection