Symantec Advanced Threat Protection (ATP) performs the critical security tasks that detect, protect, and respond to threats to your network. ATP: Platform comprises the following control points:
Processes the network stream in real time across all Internet ports and protocols and passes it through various filters and detection engines. ATP can detect events on unmonitored endpoints as their traffic passes through the scanner. Because ATP does not have the Symantec Endpoint Protection agent's information for such endpoints, it cannot provide every detail about them, such as the user name, last check-in, or Symantec Endpoint Protection Manager group.
Gathers the information by proxying communications between Symantec Endpoint Protection clients and Symantec and by leveraging Symantec Endpoint Protection's Endpoint Detection and Response (EDR) functionality.
Integrates with Symantec Email Security.cloud to uncover the attacks that enter your organization through email.
Collects the events from Symantec ATP: Roaming and correlates them with events from your other integrated control points.
ATP uses Synapse™ to correlate network event data with email event data, web event data, and endpoint event data. The Synapse correlation engine automatically matches events from Symantec Endpoint Protection, Email Security.cloud, Web Security.cloud, and ATP to reduce the volume of security alerts. As incidents are detected, they are correlated with other incidents discovered on your network to show overall attack patterns and to prioritize the most significant threats.
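The following is an added, illustrative model of what cross-control-point correlation does; it is not Synapse's implementation or any Symantec code. It assumes a simplified event schema (source control point, host, file hash, severity) and a constructed priority rule that rewards a file being seen independently by several control points. All events and hashes in it are constructed placeholders.

```python
# Added, illustrative model of cross-control-point correlation; not Synapse's
# implementation. All events and hashes below are constructed sample data.
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Event:
    """One detection from a single control point (constructed schema)."""
    source: str    # "network", "endpoint", "email" or "roaming"
    host: str      # endpoint that the event concerns
    sha256: str    # hash of the file involved (placeholder values below)
    severity: int  # 1 (low) .. 5 (high), as reported by the control point
    detail: str


@dataclass
class Incident:
    """Events that share a correlation key, rolled up into one alert."""
    key: str
    events: List[Event] = field(default_factory=list)

    @property
    def sources(self) -> List[str]:
        return sorted({e.source for e in self.events})

    @property
    def hosts(self) -> List[str]:
        return sorted({e.host for e in self.events})

    @property
    def priority(self) -> int:
        # Highest single severity, plus 2 for every additional control point
        # that independently saw the same file: multi-source sightings are
        # more likely to be a real attack than a lone low-confidence event.
        return max(e.severity for e in self.events) + 2 * (len(self.sources) - 1)


# Constructed sample events; hashes are placeholders, not real indicators.
SAMPLE_EVENTS = [
    Event("email", "ws-01", "sha256:CONSTRUCTED-A", 2, "attachment flagged by email scanning"),
    Event("network", "ws-01", "sha256:CONSTRUCTED-A", 3, "same file downloaded through the network scanner"),
    Event("endpoint", "ws-01", "sha256:CONSTRUCTED-A", 4, "SONAR behavioural detection on the running process"),
    Event("network", "ws-02", "sha256:CONSTRUCTED-B", 2, "unknown file downloaded"),
    Event("endpoint", "ws-03", "sha256:CONSTRUCTED-C", 1, "Insight: low-prevalence file observed"),
]


def correlate(events: List[Event],
              key: Callable[[Event], str] = lambda e: e.sha256) -> List[Incident]:
    """Group events that share a key (file hash by default) into incidents."""
    groups: Dict[str, List[Event]] = defaultdict(list)
    for event in events:
        groups[key(event)].append(event)
    return [Incident(k, v) for k, v in groups.items()]


def prioritize(incidents: List[Incident]) -> List[Incident]:
    """Order incidents so the most significant threat is reviewed first."""
    return sorted(incidents, key=lambda i: i.priority, reverse=True)


def summarize(events: List[Event]) -> dict:
    """Raw event count versus correlated incident count, plus the top incident."""
    ranked = prioritize(correlate(events))
    top = ranked[0]
    return {
        "raw_events": len(events),
        "incidents": len(ranked),
        "top_key": top.key,
        "top_priority": top.priority,
        "top_sources": top.sources,
    }


if __name__ == "__main__":
    for inc in prioritize(correlate(SAMPLE_EVENTS)):
        print(f"{inc.key} priority={inc.priority} sources={inc.sources} hosts={inc.hosts}")
        for e in inc.events:
            print(f"    [{e.source}] {e.host}: {e.detail}")
```

With the constructed data, five raw events collapse into three incidents, and the file that email, network and endpoint detection all saw on the same host rises to the top of the queue. Passing a different `key` function (for example `lambda e: e.host`) correlates by endpoint instead of by file, which is the other view an analyst typically wants.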
ATP employs the following detection technologies:
Vantage is a signature-based detection engine that finds threats in the network stream.
Insight is a Symantec-owned reputation request service that accesses the world's largest reputation database, with reputation intelligence on over 8 billion files. It gathers information about the Windows executable files that are observed on endpoints.
Mobile Insight performs the same kind of analysis for Android applications that Insight performs for Windows executable files. In addition to malware detection, Mobile Insight also detects privacy and performance issues in mobile apps.
The Antivirus engine is a signature-based technology that detects malware.
Symantec's sandboxing technologies detonate files in a virtual sandbox environment, analyze the results, and report each step of the observed behavior. Sandboxes use machine-learning technology to compare the results to known bad attributes. They then correlate your data with real-world data provided by the Symantec Global Intelligence Network to determine whether the files are malicious.
Blacklists and Whitelists
Symantec global blacklist and whitelist feeds, which are updated on ATP appliances regularly, accelerate detection and optimize performance. You can also create custom blacklists and whitelists that you maintain through ATP.
Symantec Endpoint Protection includes Symantec Online Network for Advanced Response (SONAR) technology for process behavior detection and remediation. However, Symantec Endpoint Protection on its own provides no visibility into the details of those detections. When you integrate ATP and Symantec Endpoint Protection, ATP can provide insight into SONAR detections: the system changes that have occurred on your managed endpoints, the order in which they occurred, and related file attributes. This information gives you greater visibility into the activity that occurs in your environment.
SONAR uses a heuristics system that combines Symantec's online intelligence network with proactive local monitoring on Symantec Endpoint Protection endpoints to detect emerging threats. SONAR also detects changes or behavior on the endpoints that you should monitor. SONAR does not base detections on application type but on how a process behaves.
Suspicious file classifier
ATP uses a file classifier to analyze files with unknown dispositions. The file classifier breaks files down by their attributes to determine whether a file is good or malicious, using decision trees trained on millions of files.
This technology uses machine learning instead of signatures or sandbox detonation.