Understanding the Difference Between SDCS:SA and SEP
Article ID: 150400

Products

Data Center Security Server, Data Center Security Server Advanced

Resolution

Symantec Data Center Security: Server Advanced 6.5 vs. Symantec Endpoint Protection 12.1
 

Symantec Data Center Security: Server Advanced (DCS:SA)

Symantec Data Center Security: Server Advanced (DCS:SA) provides a policy-based approach to endpoint security and compliance. The intrusion prevention and detection features of DCS:SA operate across a broad range of platforms and applications. It provides:

  • A policy-based host security agent for monitoring and protection.
  • Proactive attack prevention using the least privilege containment approach.
  • A centralized management environment for enterprise systems that contain Windows, UNIX, and Linux computers.
 
The major features of DCS:SA are as follows:

 

1) Intrusion detection facility for compliance auditing

  • Real-time file integrity monitoring
  • Granular change detection of registry values, file contents, and attributes
  • Operating system and application log monitoring
  • Local event correlation and smart response actions
 
2) Intrusion Prevention facility for malware prevention and system lockdown

 

  • Sandbox containment of operating system and application processes by an in-kernel reference monitor
  • Granular access control of network, file systems, registry, process-to-process memory access, system calls, and application and child process launches
  • Control of privileged user and program behavior
 
3) Anti-malware security

 

The DCS:SA Security Virtual Appliance (SVA) provides agentless anti-malware security services for the virtualized network through integration with the VMware Network and Security Virtualization (NSX) platform. SVA provides two types of policies: antivirus policies and configuration policies.

  • Comprehensive out-of-the-box policies for complete system monitoring and protection of physical and virtual systems.
  • Security orchestration using Operations Director. Operations Director is intended to:
    • Automate security provisioning workflow.
    • Provide application-centric security service.
    • Seamlessly integrate with VMware NSX.
    • Provide out-of-box security product integration.
  • Centralized management environment for administering agents, policies, and events
  • Integration with Security Information and Event Management (SIEM) and other security tools, as well as enterprise infrastructure components such as Active Directory, SMTP, and SNMP
  • Broad platform support across Windows, Linux, UNIX and virtual environments for critical servers, workstations, laptops, and standalone systems
 
The major benefits of DCS:SA are as follows:

 

  • Reduces emergency patching and minimizes patch-related downtime and IT expenses through proactive protection that does not require continuous updates.
  • Reduces incidents and remediation costs with continuous security. Once the agent has a policy, it enforces the policy even when the computer is not connected to the corporate network. And even if a computer is unable to obtain the latest patches in a timely fashion, DCS:SA continues to block attacks so that the computer is always protected.
  • Provides visibility and control over the security posture of business-critical enterprise assets.
  • Uses predefined compliance and hardening policies to provide efficient security management, reporting, alerting, and auditing of activities. Also provides compensating controls for compliance failures.
 
Prevention Strategies for Physical and Virtual Servers:
 
  • Application Whitelisting and Protected Whitelisting: Discover applications via system inspection for creating default-deny policies, or allow applications to run in a restricted sandbox.
  • Targeted Prevention Policies: Respond to server incursion or compromise immediately with quickly customizable hardening policies.
  • Granular Intrusion Prevention Policies: Protect against zero day threats and restrict the behavior of approved applications even after they are allowed to run with least privilege access controls.
  • File, System and Admin Lockdown: Harden virtual and physical servers to maximize system uptime and avoid ongoing support costs for legacy operating systems.
 
Detection Strategies for Physical and Virtual Servers:
 
  • File Integrity Monitoring: Identify changes to files in real-time, including who made the change and what changed within the file.
  • Configuration Monitoring: Identify policy violations, suspicious administrators or intruder activity in real-time.
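As an added illustration of the file integrity monitoring described above (example code written for this article, not part of DCS:SA or any Symantec product), the following Python script takes a hash baseline of a directory tree, rescans it after some constructed intruder-style changes, and reports what was created, deleted or modified, with a line-level diff of a changed text file. The sample files and their contents are constructed for the demo. The script does not attribute a change to a user; that needs OS audit data (auditd, Windows object-access auditing) that a stand-alone script cannot read.

```python
import difflib
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# relative path -> (sha256 hex, raw content)
Snapshot = Dict[str, Tuple[str, bytes]]


def snapshot(root: str) -> Snapshot:
    """Hash every regular file under root. The first call is the baseline, later
    calls are rescans. Content is kept so a diff can show what changed; a real
    FIM agent stores only hashes and metadata for binaries."""
    snap: Snapshot = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                data = f.read()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (hashlib.sha256(data).hexdigest(), data)
    return snap


def compare(baseline: Snapshot, current: Snapshot) -> List[dict]:
    """Report created, deleted and modified files; for a modified file include a
    unified diff (changed lines only) of its text content."""
    events: List[dict] = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            events.append({"path": rel, "event": "deleted", "old_sha256": baseline[rel][0]})
        elif rel not in baseline:
            events.append({"path": rel, "event": "created", "new_sha256": current[rel][0]})
        elif baseline[rel][0] != current[rel][0]:
            old, new = baseline[rel][1], current[rel][1]
            diff = list(difflib.unified_diff(
                old.decode("utf-8", "replace").splitlines(),
                new.decode("utf-8", "replace").splitlines(),
                fromfile=rel + " (baseline)", tofile=rel + " (current)",
                lineterm="", n=0))
            events.append({"path": rel, "event": "modified",
                           "old_sha256": baseline[rel][0],
                           "new_sha256": current[rel][0], "diff": diff})
    return events


def demo() -> List[dict]:
    """Constructed sample tree: baseline, three intruder-style changes, rescan."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel: str, text: str) -> None:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8", newline="\n") as f:
                f.write(text)

        # Constructed sample files, not real system content.
        write("etc/passwd", "root:x:0:0:root:/root:/bin/bash\n"
                            "www:x:33:33::/var/www:/usr/sbin/nologin\n")
        write("etc/cron.d/backup", "0 2 * * * root /opt/backup.sh\n")
        write("bin/app", "ELF placeholder v1\n")
        baseline = snapshot(root)

        # Changes an intruder might make after the baseline was taken.
        write("etc/passwd", "root:x:0:0:root:/root:/bin/bash\n"
                            "www:x:33:33::/var/www:/usr/sbin/nologin\n"
                            "backup:x:0:0::/root:/bin/bash\n")   # second uid-0 account
        os.remove(os.path.join(root, "etc/cron.d/backup"))         # scheduled job removed
        write("tmp/.x", "#!/bin/sh\n# dropper placeholder\n")      # hidden file dropped
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for event in demo():
        print(event["event"], event["path"])
        for line in event.get("diff", []):
            print("   ", line)
```

Run it directly to print the three events; the passwd diff shows the added uid-0 line. A production FIM agent receives change notifications from the kernel instead of rescanning, and pairs each event with the audit record of the process and user that made the change.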
 
Key Benefits

 

  • Enforce server protection strategies without requiring foreknowledge of complex server applications.
  • Stop zero-day exploits and targeted attacks on servers with targeted prevention policies.
  • Secure legacy systems and mitigate patching requirements by hardening the OS and sandboxing applications.
  • Make security responsive to new software defined data center architectures — controls and policies follow servers across the virtual infrastructure.
  • Provide real-time visibility and control into compliance, in a single real-time monitoring and prevention solution.
  • Achieve complete protection for vSphere leveraging out-of-the-box policies based on the latest vSphere hardening guidelines.
 
Symantec Endpoint Protection 12.1

 

Symantec Endpoint Protection Enterprise Edition 12.1 is a client-server solution that protects laptops, desktops, Mac computers, and servers in your network against malware such as viruses, worms, Trojan horses, spyware, and adware.

It also protects against more sophisticated attacks that evade traditional security measures, such as rootkits and zero-day attacks.

The suite comprises Antivirus / Antimalware protection, Firewall, IPS, and Application and Device Control.

SEP 12.1 is built on multiple additional layers of protection, including Symantec Insight and SONAR, both of which protect against new and unknown threats. The most recent Symantec Endpoint Protection version is 12.1 RU6.

Support for Linux Client Management

The Symantec Endpoint Protection Manager now supports Linux clients, allowing administrators to configure antivirus policies the same way they would for Windows and Macs.

Power Eraser integration

Power Eraser has been fully integrated into Symantec Endpoint Protection, allowing administrators to remotely scan an infected endpoint and remediate the infection remotely from the management console.

Remote deployment for Macs

Administrators can remotely install Mac clients from the Symantec Endpoint Protection Manager.

Competitive uninstaller

Removes over 300 products from more than 60 vendors, ensuring endpoint safety during any update.

The layers of protection that are integrated into Symantec Endpoint Protection

Layer 1: Network-based protection
  Description: The firewall and the intrusion prevention system block over 60% of malware as it travels over the network, before it arrives at the computer. This primary defense protects against drive-by downloads, social engineering, fake antivirus programs, individual system vulnerabilities, rootkits, botnets, and more. Stopping malware before it reaches the computer is preferable to identifying a vulnerability that has already been exploited.
  SEP technology: Network Threat Protection (Firewall; Protocol-aware IPS) and Virus and Spyware Protection (Browser protection)

Layer 2: File-based protection
  Description: Traditional signature-based antivirus protection that looks for and eradicates malware that has already taken up residence on a system. Virus and Spyware Protection blocks and removes malware that arrives on the computer by using scans. Unfortunately, many companies leave themselves exposed through the belief that antivirus alone keeps their systems protected.
  SEP technology: Virus and Spyware Protection (Antivirus engine; Auto-Protect; Bloodhound)

Layer 3: Reputation-based protection
  Description: Insight collects reputation information about entities such as websites, files, and IP addresses so that it can be used in security decisions. Download Insight determines the safety of files and websites by using the wisdom of the community. Sophisticated threats require leveraging the collective wisdom of over 200 million systems to identify new and mutating malware. Symantec's Insight gives companies access to the largest global intelligence network available, allowing them to filter every file on the internet based on reputation.
  SEP technology: Virus and Spyware Protection (Domain reputation score; File reputation (Insight))

Layer 4: Behavioral-based protection
  Description: SONAR watches processes as they execute and uses malicious behaviors to indicate the presence of malware. It blocks suspicious behaviors, catching targeted and unknown threats by aggressively monitoring file processes as they execute and identifying malicious behavior. SONAR uses artificial intelligence, behavior signatures, and policy lockdown to monitor nearly 1,400 file behaviors as they execute in real time. Combined with Insight, it can aggressively stop zero-day threats without increasing false positives.
  SEP technology: Proactive Threat Protection (Virus and Spyware Protection policy): SONAR

Layer 5: Repair and remediation tools
  Description: When malware does get through, Power Eraser scrubs hard-to-remove infections with aggressive remediation and gets the system back online as quickly as possible.
  SEP technology: Power Eraser (Boot to clean operating system; aggressive heuristics; threat-specific tools)

Layer 6: System Lockdown
  Description: System Lockdown lets you limit the applications that can run. It operates in either a whitelisting or a blacklisting mode. In either mode, System Lockdown uses checksum and file location parameters to verify whether an application is approved or unapproved.
  SEP technology: System Lockdown

Layer 7: Application control
  Description: Application control monitors and controls an application's behavior. It protects against unauthorized access and attack by controlling what applications can run: it blocks or terminates processes, limits file and folder access, protects the Windows registry, and controls module and DLL loading.
  SEP technology: Application control

Layer 8: Device control
  Description: Device control restricts and enables access to the hardware that can be used on the client computer. You can block and control the devices that are connected to your systems, such as USB devices, FireWire, serial, and parallel ports. Device control can prevent all access to a port or allow access only from certain devices with a specific vendor ID.
  SEP technology: Device control
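The following Python script is an added example (not SEP or DCS:SA code) of the checksum-plus-location approval logic that System Lockdown, and the application whitelisting described earlier for DCS:SA, rely on. It fingerprints two executables, then evaluates an unchanged binary, a tampered one, a copy of an approved binary in a new location, and an unknown file, in both whitelisting and blacklisting mode. File names, paths and contents are constructed for the demo.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable, Tuple


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _norm(path: str) -> str:
    # Normalise so that "..\bin\App.EXE" and "bin/app.exe" compare equal on Windows;
    # on POSIX normcase is a no-op and the comparison stays case-sensitive.
    return os.path.normcase(os.path.normpath(os.path.abspath(path)))


class LockdownPolicy:
    """Approve or block an executable by (location, checksum) in whitelist or blacklist mode."""

    def __init__(self, mode: str, fingerprints: Iterable[Tuple[str, str]]):
        if mode not in ("whitelist", "blacklist"):
            raise ValueError("mode must be 'whitelist' or 'blacklist'")
        self.mode = mode
        # expected location -> expected sha256 (the fingerprint list of the policy)
        self.by_path: Dict[str, str] = {_norm(p): h for p, h in fingerprints}
        self.hashes = set(self.by_path.values())

    def decide(self, path: str) -> Tuple[str, str]:
        """Return (verdict, reason); verdict is 'allow' or 'deny'."""
        p, h = _norm(path), sha256_file(path)
        exact = self.by_path.get(p) == h
        if self.mode == "whitelist":
            if exact:
                return "allow", "path and checksum match an approved entry"
            if p in self.by_path:
                return "deny", "approved path but checksum mismatch (modified or replaced binary)"
            if h in self.hashes:
                return "deny", "approved checksum but unapproved location (copied or moved binary)"
            return "deny", "not in whitelist"
        # Blacklist mode: only an exact (path, checksum) hit is blocked.
        if exact:
            return "deny", "matches a blacklisted entry"
        return "allow", "no exact blacklist match"


def demo() -> Dict[str, Dict[str, str]]:
    """Constructed scratch tree: fingerprint two binaries, then evaluate four
    candidates in both modes. Returns {mode: {relative path: verdict}}."""
    results: Dict[str, Dict[str, str]] = {}
    with tempfile.TemporaryDirectory() as root:
        def write(rel: str, data: bytes) -> str:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
            return full

        # Constructed placeholder "executables"; the policy only hashes bytes.
        app = write("bin/app.exe", b"MZ app v1")
        tool = write("bin/tool.exe", b"MZ tool v1")
        fingerprints = [(app, sha256_file(app)), (tool, sha256_file(tool))]

        # Changes made after the fingerprints were taken.
        write("bin/tool.exe", b"MZ tool v1 + one patched byte")  # tampered in place
        write("tmp/app.exe", b"MZ app v1")                         # same bytes, new location
        write("tmp/unknown.exe", b"MZ dropper")                    # never fingerprinted

        candidates = ("bin/app.exe", "bin/tool.exe", "tmp/app.exe", "tmp/unknown.exe")
        for mode in ("whitelist", "blacklist"):
            policy = LockdownPolicy(mode, fingerprints)
            results[mode] = {rel: policy.decide(os.path.join(root, rel))[0]
                             for rel in candidates}
    return results


if __name__ == "__main__":
    for mode, verdicts in demo().items():
        print(mode, verdicts)
```

The blacklist column of the demo shows why the default-deny (whitelist) strategy is the one that holds up: a single patched byte or a copy to another path is enough to slip past an exact-match blacklist, whereas the whitelist denies both and reports why.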

Difference between Symantec Data Center Security: Server Advanced and Symantec Endpoint Protection (Antivirus)

1. Features
   DCS:SA:
     • IPS/IDS
     • SVA (agentless anti-malware)
     • System hardening
     • Logon/logoff monitoring
     • Configuration monitoring
     • Least privilege access control
   SEP:
     • Firewall, protocol-aware IPS, browser protection
     • File-based protection (AV, Auto-Protect)
     • Reputation-based protection (Insight, file reputation)
     • Behavioral-based protection (SONAR)
     • System Lockdown
     • Application and Device Control
     • SVA

2. AV protection
   DCS:SA: Agentless anti-malware protection for Windows virtual machines only. DCS agentless AV does not currently support Linux VMs; Symantec is working with VMware on this, but it is not a GA feature.
   SEP: Anti-malware / anti-virus for all physical and virtual machines (Windows / Linux / Mac).

3. IPS policies
   DCS:SA: Comprehensive host intrusion prevention policies.
   SEP: Focused HIPS policies.

4. VMware support
   DCS:SA: The Security Virtual Appliance (SVA) protects guest virtual machines against malware. It provides agentless anti-malware security for VMware guest VMs through deep integration with the VMware NSX platform.
   SEP: The Security Virtual Appliance integrates with VMware vShield Endpoint. The Shared Insight Cache runs in the appliance and lets Windows-based guest virtual machines (GVMs) that have the SEP client installed share scan results.

5. Updates and signatures
   DCS:SA: Does not use signatures or require continual content updates.
   SEP: Traditional signature-based protection that depends on definition updates: Virus and Spyware Protection looks for and eradicates malware that has already taken up residence on a system, blocking and removing it by using scans.

6. File-based protection
   DCS:SA: Process / rule based.
   SEP: Traditional signature-based Virus and Spyware Protection:
     • Antivirus engine
     • Auto-Protect
     • Bloodhound

7. Firewall
   DCS:SA: Integrated firewall that blocks inbound and outbound TCP/UDP traffic; the administrator can block traffic per port, per protocol, and per IP address or range.
   SEP: Network Threat Protection (firewall; protocol-aware IPS) and Virus and Spyware Protection (browser protection).

8. Integrity
   DCS:SA: Real-time File Integrity Monitoring on AIX, Windows, and Linux.
   SEP: The Host Integrity policy checks that endpoints are protected and compliant (for example that antivirus, firewall and patches are in the required state); it is a compliance check, not file integrity monitoring.

9. System Lockdown
   DCS:SA: Hardened systems: lock down OS, applications, and databases; prevent unauthorized executables from being introduced or run.
   SEP: System Lockdown limits the applications that can run, in either whitelisting or blacklisting mode. In either mode it uses checksum and file location parameters to verify whether an application is approved or unapproved.

10. Application control
   DCS:SA: Finer-grained control over applications.
   SEP: Application control is limited by comparison.

11. Device control
   DCS:SA: More granular device control: devices can be blocked per application, user, or group.
   SEP: A device can only be blocked or unblocked.

12. Priority / precedence
   DCS:SA: Rules specific to an application take priority over general rules.
   SEP: Precedence is based on the order of rules in the policy.

13. Focus
   DCS:SA: Zero-day exploits and in-depth application control.
   SEP: USB control and blocking an application.

14. Day-zero protection
   DCS:SA: Stops malicious exploitation of systems and applications; prevents the introduction and spread of malicious code.
   SEP: Protection against even the most sophisticated attacks that evade traditional security measures, such as rootkits, zero-day attacks, and spyware that mutates.

15. Platform support
   DCS:SA:
     • Microsoft Windows
     • Sun Solaris
     • Red Hat Enterprise Linux
     • CentOS Linux
     • Oracle Linux
     • SUSE Enterprise Linux
     • IBM AIX
     • Hewlett-Packard HP-UX
   SEP:
     • Microsoft Windows
     • Red Hat Enterprise Linux
     • Ubuntu
     • Oracle Linux
     • SUSE Enterprise Linux
     • Novell Open Enterprise Server
     • CentOS Linux
     • Debian 6.0.5 Squeeze; 32-bit and 64-bit
     • Fedora
     • Windows Embedded
     • Mac OS X

16. Integration with SIEM
   DCS:SA: Yes
   SEP: Yes
Conclusion:

• If no prevention policy, or a 'disabled' prevention policy, is in use, full 'real-time' anti-virus is still definitely recommended.

• With the 'core' prevention policy in full prevention mode, 'real-time' anti-virus becomes less important, but is still a good idea. The 'core' policy locks down the main attack points that viruses and hacking attacks use, but any application that is not specifically called out by the policy operates as a 'safe' application, i.e. it can still modify executables and infect a system.

• With a 'strict' or 'limited execution' policy, the system is significantly protected against threats, so 'real-time' AV protection is needed less. No application can be changed or modified without either user intervention or modification by a privileged application (e.g. a software distribution tool). Turning off SEP Auto-Protect ('real-time' protection) would improve file access performance and reduce memory impact.

• For 'core', 'strict' and 'limited execution', I would still recommend AV with at least regular file scans (scheduled or manual), to make sure no infected files linger on a system. Otherwise infected files could be dropped on the system in less protected locations (assuming they are not executable files) and end up being 'distributed' to other users who download them; this is particularly likely on SharePoint, file servers and web servers. Office files are good examples of files that could be infected but would not be controlled or blocked by SDCS, yet would be caught by AV.

PLEASE NOTE: Symantec Data Center Security provides anti-malware / antivirus policies only for virtual environments and does not provide anti-virus protection on physical machines.

In other words, Symantec Endpoint Protection (Antivirus) is required for all physical machines.

Also consider the following benefits that SEP provides when installed on the same system as SDCS:

1. Cleans systems regardless of how they have been infected, once the signatures are up to date.

2. Protects against the types of attacks that are “normal behaviors” in SDCS’s various Behavior Controls. One example is a Word macro virus that just wants to be malicious and delete all of the files on your system.