Tales from the Cyber, Episode 1 - The New Kid
You're the new guy and you've walked in to find that the organisation that hired you has ... nothing. The board has agreed that you can buy just one "thing". What will that be?
Have you ever played that as a Desktop Scenario Game? Ever considered that if you could only introduce one security tool into an unsecured and unmaintained environment, what that tool would be, and why you would go in that direction?
While you're contemplating that idea, think about your current environment. What would you do differently if that were your ONLY tool?
I'm going to put Symantec Endpoint Protection down as my choice of tool. Actually, I'm going to go and talk to my Symantec Sales Weasel about Symantec Endpoint Security Complete as a package deal to cover a whole load of bases. Symantec Endpoint Protection is always my Number 1 as far as the Desktop Scenario Game goes, and I'm going to sell my strategy to the board based on what I can save the business in costs.
Let's focus on Symantec Endpoint Protection and the why of my strategy, then we can look at Symantec Endpoint Security Complete, and finally the Rands and Cents of my plan.
You can be pretty certain that our imaginary organisation is having serious issues with Malware, Ransomware, and all kinds of where's. There's a cost involved in cleaning systems, there are work and business interruptions, and there's no "insight" into what's in the network or on the machines. We need to try and quantify that cost, as well as the risks to the business ... and you can't take the easy route of "What's the cost of Ransomware locking down everything", but you can point out that if we're calculating Risk, Probability and Timeframes, Ransomware just keeps moving up over time. I might even suggest that Ransomware is the new "Breached" and it's not IF that we're looking at, but rather WHEN.
OK, so we have a cost, and a load of work and effort going into putting out fires. The main reason I've chosen Symantec Endpoint Protection is not just that it is going to keep a load of malware out, but that having an agent on every single Windows Machine is going to give me insight into what is happening in the environment.
My quick win is that we now have an idea of what is happening in our environment, and we've stopped a lot of fires from burning. Realistically, we are probably only going to be able to show savings in labour and time for our Help Desk and Desktop / Server support staff. Your challenge is going to be how to link an improvement in overall productivity to a more stable environment.
I have personally seen a SEP deployment remove so many worms from a retail environment that they could put a full Cisco WAN upgrade on ice. Needless to say, Symantec Endpoint Protection was a Silver Bullet for a while.
If you're looking at Symantec Endpoint Protection and thinking Anti-Virus and definition-based protection, then you're about 10 years behind the times, and in Threat Landscape protection terms you're close to a century out of touch. A decent Endpoint Protection agent should also be able to take advantage of Data Science, Machine Learning and Artificial Intelligence, and still have loads of bells and whistles to help secure your infrastructure. Symantec Endpoint Protection just happens to do all of that, and Symantec Endpoint Security Complete comes with even more bells and whistles.
Symantec Endpoint Protection also comes with Application and Device Control (ADC). Device Control is a nice to have, and you can do some interesting things with it, but Application Control is where you really get to win. You can get really creative with Application lockdown and use it both pro-actively to prevent and re-actively to clean, and as a side project you can use it to get an idea of what software is running on your endpoints. To make it even easier you can download some really useful Application Control policies to get you up and running. I highly recommend starting with this document and implementing as many components of the attached policy as you can, on as many systems as you can: TECH132337, Hardening Endpoint Protection with an Application and Device Control Policy to increase security. One caveat: run each new rule set in Test (log only) mode against a pilot group before switching it to Production. A hardening policy that blocks script hosts or writes to system directories will break legitimate admin tooling if it goes straight to every endpoint.
So now we have SEP Auto-Protect keeping the noise down and Application Control making it difficult for malware to launch or run. Let's see what else we can get out of our Endpoint Protection.
One of the features that feeds SEP ADC, Learned Applications, allows us to gather information on all the applications that run on a machine. We use this information to Allow or Block the application. You don't have to limit yourself to just that: you can use it to manage the type of software that you run, as well as keep track of the number of licences in use.
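As an added example (not from the original post, and not Symantec's own tooling), the script below shows the reconciliation the paragraph above describes: it takes an application inventory and turns it into a list of Allow/Block candidates plus a licence seat count. It assumes the inventory has been exported as CSV with Host, Application, Version and Publisher columns; those column names, the sample rows, the allow list and the seat counts are all constructed for illustration.

```powershell
# Added example: reconcile an endpoint application inventory against an allow list
# and purchased licence seats. The CSV layout and every row below are constructed
# for illustration; point $inventory at your real export instead.

$inventoryCsv = @"
Host,Application,Version,Publisher
PC001,Microsoft Office,16.0,Microsoft Corporation
PC001,Google Chrome,120.0,Google LLC
PC001,uTorrent,3.6,BitTorrent Inc
PC002,Microsoft Office,16.0,Microsoft Corporation
PC002,Adobe Acrobat,23.0,Adobe Inc
PC003,Microsoft Office,16.0,Microsoft Corporation
PC003,Adobe Acrobat,23.0,Adobe Inc
PC003,FreeCoolGame,1.0,
PC004,Adobe Acrobat,23.0,Adobe Inc
"@
$inventory = $inventoryCsv | ConvertFrom-Csv

# Applications the business has approved for general use (assumed list).
$allowed = @('Microsoft Office', 'Google Chrome', 'Adobe Acrobat')

# Seats purchased for metered products (assumed numbers).
$seats = @{ 'Microsoft Office' = 5; 'Adobe Acrobat' = 2 }

# 1. Block candidates: anything seen on an endpoint that is not on the allow list.
#    Grouping by application shows how widely each unapproved package has spread.
$blockCandidates = $inventory |
    Where-Object { $allowed -notcontains $_.Application } |
    Group-Object Application |
    ForEach-Object {
        [pscustomobject]@{
            Application = $_.Name
            Hosts       = ($_.Group.Host | Sort-Object -Unique) -join ','
            Publisher   = ($_.Group.Publisher | Select-Object -First 1)
        }
    }

# 2. Licence usage: distinct hosts with each licensed product vs. seats owned.
$licenceUsage = foreach ($product in $seats.Keys) {
    $installed = @(
        $inventory |
            Where-Object Application -eq $product |
            Select-Object -ExpandProperty Host -Unique
    ).Count
    [pscustomobject]@{
        Application = $product
        Installed   = $installed
        Seats       = $seats[$product]
        OverLicence = $installed -gt $seats[$product]
    }
}

Write-Host 'Block candidates (not on the allow list):'
$blockCandidates | Format-Table -AutoSize
Write-Host 'Licence usage:'
$licenceUsage | Format-Table -AutoSize
```

With the constructed rows, uTorrent and FreeCoolGame come out as block candidates (each on a single host), and Adobe Acrobat shows three installs against two purchased seats, which is the kind of finding that either justifies buying another seat or removing the extra copy before the vendor's audit does it for you.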
Along with SEP, Symantec also throws in some "free" stuff, like IT Analytics and ICDx (Integrated Cyber Defense Exchange), both of which want some effort and investment from you, but will give you even more back in returns.
IT Analytics is essentially Reporting on Steroids. To be honest, the default reporting within SEP is adequate for an administrator or an overview, but you really want to be looking at trends and cubes that can be pivoted and massaged to glean deeper insights.
ICDx is another nice "free" that Symantec hands out. It collects events from Symantec products, normalises them into a common format and forwards them on, so the insight you get from the SEP agents can land in a SIEM or whatever other tooling you add later.
If the only tool you have is a hammer, and every problem looks like a nail, then SEP is the hammer you want to be holding ... and fart Unicorn flavoured rainbows.
And don't forget that all your pretty tools and software are worth nothing if you don't have training included in the bigger picture of total cost of ownership.
