We’ve lately seen a significant rise in “living off the land” (LOTL) techniques, in which threat actors carry out sophisticated attacks using legitimate operating system features or tools. Nearly half of recent ransomware attacks involved LOTL techniques. In fact, of the 10 tools most commonly used in ransomware attacks, six were legitimate software.
Many of those targeted tools exist on assets within organizations’ own data centers or self-managed private cloud environments. Those tools (and those environments) need a strong defense, but most security software vendors tend to focus on cloud-delivered solutions. That’s because 60% of the world’s most sensitive corporate data is stored in the cloud.
That appears to be changing. Analysts are finding that organizations are repatriating their data from cloud to on-premise environments. An IDC survey found that 80% of organizations were migrating workflows off cloud platforms and back to on-premise data centers and their own private clouds. The reasons for keeping data close to home include:
It doesn’t help that cloud platforms are increasingly subject to attacks from sophisticated APTs and nation-state sponsored threat groups. In some cases, repatriating data is perceived as a safe haven compared to public cloud platforms.
These organizations need cyber defenses that evolve with the rapidly advancing threats targeting them. Fortunately, a uniquely effective protection is now available for on-premise environments.
One way to stop LOTL attacks and other threats is to proactively block unauthorized and anomalous use of system functions and tools, that is, use that falls outside the standard ways an organization uses those tools. Adaptive Protection, previously available only for Symantec Endpoint Security, is now available for Symantec Endpoint Protection Manager, a management platform that gives security teams a way to administer endpoint security for on-premise desktop and mobile operating systems and clients, while ensuring proper setup and security policy management.
By adding Adaptive Protection to Symantec Endpoint Protection Manager, administrators can build a highly customized policy that allows behaviors commonly seen within their organization while blocking all others, effectively stopping unsanctioned use of legitimate software and, in turn, stopping LOTL attacks. By introducing this powerful and effective protection to on-premise environments, Symantec is extending protections against LOTL attacks to every corner of the IT stack.
Adaptive Protection begins by observing how an organization or workgroup normally uses tools. That monitoring period can last 90, 180 or 365 days, after which an administrator reviews those actions and determines which should be allowed and which should be blocked. Actions that have never been observed within normal use can safely be blocked without impacting productivity. Security teams can block more than 450 individual actions, thus creating an environment where unusual use of otherwise legitimate software, the essence of LOTL attacks, is automatically blocked. The set of allowed behaviors constitutes a policy customized to that organization. Any action that falls outside those allowed behaviors is simply not allowed to execute.
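To make the observe-then-enforce model concrete, here is an added Python sketch (not Symantec's code) that builds an allow-list of (parent process, tool, action) behaviors from a learning window and then blocks any behavior never seen in it; the log format, field names and sample events are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Behavior:
    parent: str   # process that launched the tool
    tool: str     # the legitimate OS tool being invoked
    action: str   # what the tool was asked to do


# Constructed sample telemetry (not real product data): "timestamp|parent|tool|action"
LEARNING_LOG = """\
2024-01-03T09:12:00|explorer.exe|powershell.exe|run_script
2024-01-05T14:30:00|explorer.exe|powershell.exe|run_script
2024-02-10T11:02:00|sccm_agent.exe|wmic.exe|query_os
2024-03-01T08:45:00|services.exe|certutil.exe|verify_cert
2024-05-20T16:00:00|explorer.exe|certutil.exe|decode_file
"""


def parse(line):
    ts, parent, tool, action = line.strip().split("|")
    return datetime.fromisoformat(ts), Behavior(parent, tool, action)


def build_baseline(log, start_iso, days):
    """Learning phase: keep every distinct behavior seen inside the window."""
    start = datetime.fromisoformat(start_iso)
    end = start + timedelta(days=days)
    return {b for ts, b in map(parse, log.splitlines()) if start <= ts < end}


def build_policy(baseline, denied=frozenset()):
    """Review phase: observed behaviors are allowed unless an admin denies them."""
    return frozenset(baseline) - frozenset(denied)


def decide(policy, event):
    """Enforcement: default-deny, so any behavior never observed is blocked."""
    _, behavior = parse(event)
    return "allow" if behavior in policy else "block"


if __name__ == "__main__":
    # A 90-day window starting 2024-01-01 excludes the May event, so it is blocked later.
    policy = build_policy(build_baseline(LEARNING_LOG, "2024-01-01T00:00:00", 90))
    for ev in ("2024-04-02T10:00:00|explorer.exe|powershell.exe|run_script",
               "2024-04-02T10:01:00|winword.exe|powershell.exe|run_script",
               "2024-05-20T16:00:00|explorer.exe|certutil.exe|decode_file"):
        print(decide(policy, ev), ev)
```

Lengthening the window to 365 days would admit the May behavior into the baseline, which is the trade-off an administrator weighs when choosing the monitoring period.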
By identifying and blocking anomalous (and potentially malicious) behaviors, Adaptive Protection shrinks the attack surface of the organization it’s protecting.
Best of all, it works. A recent battery of independent, real-world tests showed that Adaptive Protection blocks LOTL attacks faster than traditional security tools do.
With Symantec Endpoint Protection Manager, administrators can efficiently orchestrate security protections for on-premise environments. And now with the addition of Adaptive Protection, this powerful management platform delivers an even more robust defense against an increasingly popular and potentially devastating attack technique.