What is our primary use case?
In one of our client's environments, they need securing of their Active Directory. The solution is the only product with a separate feature to secure Active Directory as part of Symantec Endpoint Security Complete. The client was also looking for an automated endpoint detection solution. That's why we went ahead with it.
How has it helped my organization?
The very comprehensive machine learning platform has been very helpful and we have been able to prevent most attacks and detect and respond to those threats within minutes.
The reaction time for any incident has been reduced drastically. When there is an incident, the EDR engine is based on AI/ML behavioral analytics. It takes direct action and remediates the infected file, isolating the endpoint, and establishing communication between the endpoint and Symantec's threat-hunting SOC. It submits the file automatically, meaning that no manual intervention is required. If there is an attack on a weekend, we can completely rely on Symantec, rather than needing someone to manually upload these things.
Most of our incidents, no matter what has occurred, are automatically addressed. This has reduced our efforts and the time we spend on incidents. That has a direct impact on our business operations. It has improved the efficiency of our operations.
The major benefit of having Symantec's API is that you get access to all the methodologies and mechanisms, and it's accessed in a single dashboard. That makes it a one-stop solution, where you can have everything integrated. It also helps us in orchestrating and correlating our security incidents.
An added benefit is that if you have it integrated with your ticketing system, tickets will also be triggered. You get an SMS alert or an email notification, but that's a secondary thing.
The solution has helped organizations enhance their security posture considerably. We haven't faced any breaches so far, meaning we have been protected adequately. We actively perform quality assessments, penetration testing, and we do forensic analysis. In addition, we have third-party SIEM software monitoring all our assets on a day-to-day basis and they haven't identified any anomalies. That means that Symantec is protecting us well, and we have implemented it and been running it for the last three-plus years for multiple clients.
What is most valuable?
The most valuable features include the
- Active Directory security
- application controls
- endpoint detection and response.
Whenever there is an issue with respect to Active Directory, Symantec identifies the issues and tries to create a signature to mimic the Active Directory-related attacks in their backend labs. They obfuscate the request going to Active Directory. Even though there may be an issue with patches still not being updated by Microsoft, we have compensating control to prevent those kinds of attacks from happening. Once Microsoft releases patches, we immediately implement them. But until then, Symantec will prevent Active Directory compromises.
And, in some cases, the architecture itself is an important feature because Symantec is one of the very few endpoint services that provides an on-premises management system. Currently, most antivirus and protection providers operate entirely from the cloud. That's a differentiating factor with Symantec. This is very critical in an instance where you should not have access to the internet, or you wanted to have it on-premises. In those situations, Symantec is the go-to product.
In addition, for threat hunting, the API is integrated so that we get real-time updates. The threat-hunting is excellent. They're one of the largest civilian cyber intelligence networks. Symantec was an early starter with respect to threat hunting. They have a global SIEM and a global threat-hunting team. They have custom, built-in tools, and their own threat-hunting intelligence mechanism. We completely depend on Symantec's threat-hunting methodology. We have no complaints so far, and it has been an excellent experience working with their threat-hunting team.
Most incidents come through machine learning. In one or two cases we might need the experts, but most of our issues are known. They have a very good AI/ML engine. Based on the signature or the anomaly, when something is detected, the object that is compromised is isolated and we get an immediate response. A link is then initiated between the infected device and Symantec's threat-hunting team.
Symantec is one of a very limited number of products that supports the entire gamut of devices. It is not only Windows devices that it covers but also mobile devices, Mac, Android, iOS, et cetera.
What needs improvement?
In a few cases, when we enable the IPS/IDS feature, there are performance-related issues on the end devices. If we run quite a few features of Symantec, especially the IPS/IDF, it consumes a lot of processing and memory capacity. We would like to enable all the features, but doing so should not have a direct impact on the performance of the system. If they can come up with an agent that consumes less memory, that would be a great enhancement.
Also, Symantec is not being promoted from a marketing standpoint. I don't see any promotions for it. There are no road shows, marketing efforts, training, or anything organized by Symantec these days, at least in my region. The product is good, but if you're not marketing it people think "Okay, we haven't gotten any updates about the product." We need to have more road shows and promotions, and we need to have people trained in the technical aspects to gain market share.
For how long have I used the solution?
I have been using Symantec Endpoint Security for about four years.
What do I think about the stability of the solution?
We don't have any issues with respect to its performance, in general. I rate the stability at nine out of 10.
What do I think about the scalability of the solution?
It is on the cloud so scaling up is not that difficult. I would rate it a 10 out of 10. It's been helping us for the last three years. We have definitely been growing and Symantec has grown along with us.
How are customer service and support?
Because the threat hunting is done by AI/ML, we have only had to reach out to support when there is an issue. If we write them an email, we get responses promptly.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
We are actively using other solutions aside from Symantec because we cater to different clients. We have used CrowdStrike, Sophos, and Palo Alto XDR to name a few.
How was the initial setup?
We have multiple architectures in place. A few of our clients use it on the cloud and a few have a hybrid with on-prem. The cloud-based setup is very straightforward. Once we create the account, it doesn't take more than 30 to 45 minutes for us to get the setup done.
The steps involved for a cloud instance are that an account is created, the agent is downloaded, and you probably have to push the agent to different systems. That can be done via different means and depends on the number of client machines. We can push it via SCCM or other modules or can push it manually from the central drive by having end-users download it. The process is seamless and we have been able to install Symantec on at least 150 machines within three hours. We had three resources deploying the agents on those machines in parallel.
We do regular preventive maintenance as part of our managed services, but with the cloud instance, we have never had any issues. It is on autopilot. What we do is that we regularly check for threats and whether the threats have been quarantined. We download the daily and weekly reports. The maintenance is done by one person.
What was our ROI?
We have definitely seen a return on investment. In our clients' environments, we haven't faced any downtime because of ransomware or malware attacks. That itself is a good 30 percent return on investment.
And when it comes to employees' time for detecting and responding to threats it has saved them about 50 percent. They never spend days off or weekends working. There is no need to have anyone attend to this set of problems. If the system is up and we have EDR running, it takes care of everything, from isolating the devices to quarantining the file and uploading the file back to the Symantec backend SOC. Everything is automated and it's seamless.
What's my experience with pricing, setup cost, and licensing?
The pricing is pretty much at the market standard. I don't see any issues with it. It depends on case to case. Symantec is not that cheap and it's not that expensive compared to CrowdStrike. I would put them in the "middle block."
Which other solutions did I evaluate?
When compared to other solutions, I would give Symantec Endpoint Protection 4.5 out of five. It has interesting features, starting with Active Directory Security. There is no other endpoint solution that will help you in preventing lateral-movement attacks on Active Directory. And Active Directory is one of the more critical assets within an organization. Nine out of 10 organizations use Active Directory, and it is so often a targeted asset. Symantec is the only product that has Active Directory security.
Also, it enables us to have a hybrid architecture in which we can have Symantec Endpoint Security on-prem and integrated with the cloud. We can also have the API integrated into our SIEM and SOAR.
We have been using other endpoint security products as well. The advantage of Symantec is that you don't need a separate product to protect your assets such as Linux or Android. It's equivalent to Intune where we can have a single dashboard and have all devices onboarded.
On top of that, with Symantec, we have application control and DLP to a certain extent. It means we don't have to have multiple products running in the ecosystem. It acts as a consolidated solution with multiple features and functionalities. This reduces the costs and resources that you would need to manage different products. When you have different products, it leads to cumbersome processes and it is very complex to manage infrastructure. Having Symantec on the cloud makes endpoint protection seamless. We can download the agent, run it, and we are up and running within 30 minutes.
What other advice do I have?
I would recommend it, but you should do a PoC. Every use case is different, so I would definitely recommend seeing whether it blocks legitimate traffic or a legitimate application or process.
There is a famous saying that only 40 percent of organizations know they are being hacked. The other 60 percent are not aware that they are being compromised. A product like Symantec would certainly enhance the security posture of an organization. It gives senior management pretty decent confidence they have a robust and scalable product with a purpose. We are approaching mitigating 99 to 99.5 percent of attacks from happening. Having said that, other threat-hunting and endpoint detection and response platforms will enhance the overall security posture and drastically bring down the risk level of the ecosystem.
Disclosure: My company has a business relationship with this vendor other than being a customer: Implementer