Symantec Endpoint Protection (SEP) is an endpoint security platform that can use an agent on physical devices or can run in a hybrid agentless/agent-based mode for VDI environments. SEP is centrally managed by an on-premises server. SEP Cloud also is offered as an option for a pure cloud-based deployment. The product actually is a tightly integrated suite of powerful engines, each with its own particular task. It provides cross-platform support (Windows, Mac and Linux). SEP can export in Syslog format for input to SIEMs or other tools that consume Syslogs.
These engines are network firewall and intrusion prevention, application and device control, memory exploit mitigation, reputation, file attributes (advanced machine learning), emulation, real-time file scanning and behavior analysis. A couple of these merit special discussion. First, the firewall really looks both ways so it not only provides intrusion prevention, it also acts as a DLP device. The emulator is a sandbox for detecting malware with encryption. The behavior analysis engine is called SONAR and it watches for suspicious activity.
The intrusion prevention can be customized to prevent specific IPs from interacting with the protected enterprise. For example, you could set it up to prevent communication with the TOR network. We dropped into the landing page as we usually do and were presented with plenty of opportunities for drill-down, and were presented with a limited number of the graphs that we usually expect to see. This dashboard is no-nonsense and everything you need to know at first glance is readily at hand, including a summary from Symantec Security Response (Symantec's threat center feed). When a threat occurs, Exploit Mitigation is triggered.
We selected the monitors from the sidebar menu. This is where we found the graphs we expected on the landing page. We liked that. It keeps the landing page from becoming cluttered without sacrificing completeness. Drilling down further we found detailed information about an event we were analyzing.
Like most products of its type, SEP is policy-driven. Building, deploying and managing policies is straightforward with its own comprehensive set of menus. There are some very noteworthy features in the policy management system. Policies can be granular to the point where you can lock critical parts of a policy - making it inaccessible to users. This keeps a user - or malware - from editing the policy in ways that make it less secure.
Whenever a new file is downloaded into the enterprise it is checked for reputation - both at the file level and at the origin level. As one would expect, SEP is quite strong on anti-malware protection. The anti-malware policies are somewhat more granular that most of the others and allow the sensitivity to malicious files to be controlled on a scale of one to nine. We have seen cases where over-aggressive anti-malware can detect and delete files that are not really malware. This weighting factor allows you to match the sensitivity of your malware detection to the security policies within your organization.
There are several features that we don't often see on most products of this type. For example, SEP has multi-level administration, allowing you to have a master admin and specialized administrators for particular tasks. Anti-tamper protection keeps malicious activity from altering the anti-malware functionality. Additionally, system lockdown lets you decide how you want a particular computer to be used while locking out everything else. So, for example, a point-of-sale terminal should only be running those applications and performing only those functions required for it to do its duties. In that case, such things as internet browsing or installing software by anyone except the administrator can be locked out.
Support is provided at no cost for the "Essential" level and there are additional plans with fees attached. Updates are provided at no additional cost over the first year. The website is, as one would expect, extensive.