The information that appears on the Executive Report is dependent on many factors, such as how you configured Symantec Advanced Threat Protection (ATP), your organization's remediation policies, and the types of threats that target your users. As such, the best way to use this report is to validate whether its information adheres to your organization's processes for identifying and remediating threats, assess your current threat level, and then adjust your strategy to mitigate future attacks. Often, this is a collaborative effort that involves multiple parties and may take several iterations of month-over-month analysis.
In the short term, though, the Executive Report is designed to create a dialog between controllers and the executive team regarding your current threat level. As a controller, you may be required to provide answers to the questions that are posed by the executive team based on the report's information. The following are examples of such questions:
Recently Infected Endpoints
Why are there endpoints that are not protected by SEP?
Are they new endpoints or rogue endpoints?
Are the same endpoints being detected month-over-month?
If so, who do these endpoints belong to?
Are certain types of endpoints being detected; for example, a database server?
Is the number of unprotected endpoints trending upwards or downwards month-over-month?
Domains Showing Threat Behavior
What types of domains are targeting our endpoints the most?
If phishing, how can we increase detection on our endpoints at the network level?
If botnet, has malware taken control of one or more of our endpoints?
Do we tend to see spikes in attacks based on certain times of the week, month, or year?
Is the number of attacks for any given domains trending upwards or downwards month-over-month?
High and Medium Open Incidents
Why is it taking so long to resolve high incidents?
Isn't our policy to resolve them in 3 days?
What types of threats are associated with these incidents?
What is our plan to protect ourselves against these types of threats in the future?
How do we plan on responding to the endpoints for which these incidents are open?
Has other malware been detected on these endpoints?
Is the number of open incidents trending upwards or downwards month-over-month?
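Several of the questions above reduce to the same three checks: is a count trending up or down month-over-month, are the same endpoints reappearing, and which open incidents have outlived the resolution policy. The following is an added example (not Symantec's code and not an ATP API) that runs those checks over constructed sample figures of the kind the Executive Report summarizes; the endpoint names, domain categories, incident identifiers and the 3-day SLA value are assumptions for illustration only.

```python
"""Month-over-month checks over Executive Report figures (constructed sample data)."""
from datetime import date, timedelta
from pprint import pprint

# Constructed sample: endpoints reported as not protected by SEP, per report month.
UNPROTECTED_ENDPOINTS = {
    "2024-01": ["db-srv-01", "lab-pc-07", "lab-pc-09"],
    "2024-02": ["db-srv-01", "lab-pc-07", "hr-laptop-22", "lab-pc-14"],
}

# Constructed sample: detections by domain category, per report month.
DOMAIN_DETECTIONS = {
    "2024-01": {"phishing": 40, "botnet": 5},
    "2024-02": {"phishing": 55, "botnet": 12},
}

# Constructed sample: incidents still open on the report date (hypothetical ids).
OPEN_INCIDENTS = [
    {"id": "INC-1001", "priority": "high", "opened": date(2024, 2, 20)},
    {"id": "INC-1002", "priority": "high", "opened": date(2024, 2, 27)},
    {"id": "INC-1003", "priority": "medium", "opened": date(2024, 2, 10)},
]


def trend(previous, current):
    """Direction of a month-over-month count: 'up', 'down' or 'flat'."""
    if current > previous:
        return "up"
    if current < previous:
        return "down"
    return "flat"


def repeat_endpoints(prev_month, curr_month, table=UNPROTECTED_ENDPOINTS):
    """Endpoints flagged as unprotected in both months (the 'same endpoints' question)."""
    return sorted(set(table[prev_month]) & set(table[curr_month]))


def overdue_incidents(incidents, as_of, sla_days=3, priorities=("high",)):
    """Ids of open incidents in the given priorities whose age exceeds the SLA."""
    cutoff = as_of - timedelta(days=sla_days)
    return [
        inc["id"]
        for inc in incidents
        if inc["priority"] in priorities and inc["opened"] < cutoff
    ]


def summarize(prev_month, curr_month, as_of, sla_days=3):
    """Answer the trend, repeat-endpoint and SLA questions for one report period."""
    unprotected_prev = len(UNPROTECTED_ENDPOINTS[prev_month])
    unprotected_curr = len(UNPROTECTED_ENDPOINTS[curr_month])
    domain_trends = {
        category: trend(DOMAIN_DETECTIONS[prev_month].get(category, 0),
                        DOMAIN_DETECTIONS[curr_month].get(category, 0))
        for category in DOMAIN_DETECTIONS[curr_month]
    }
    return {
        "unprotected_trend": trend(unprotected_prev, unprotected_curr),
        "repeat_unprotected": repeat_endpoints(prev_month, curr_month),
        "domain_trends": domain_trends,
        "overdue_high": overdue_incidents(OPEN_INCIDENTS, as_of, sla_days),
    }


if __name__ == "__main__":
    pprint(summarize("2024-01", "2024-02", date(2024, 2, 29)))
```

The output of `summarize` is the material for the executive conversation: a repeated unprotected endpoint (here a database server) points to an ownership or onboarding problem rather than a one-off detection, and an incident listed in `overdue_high` is the direct answer to "isn't our policy to resolve them in 3 days?" rather than an aggregate count that hides which case is late.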