DATA SHEET
Symantec Endpoint Detection
and Response
Rapid threat discovery and remediation
At-a-glance
Detect and Expose – Reduce time to breach discovery and quickly expose scope
• Apply Machine Learning and Behavioral Analytics to expose suspicious activity, detect and prioritize incidents
• Automatically identify and create incidents for suspicious scripts and memory exploits
• Expose memory-based attacks with analysis of process memory

Investigate and Contain – Increase incident responder productivity and ensure threat containment
• Ensure complete incident playback with continuous recording of endpoint activity, view specific endpoint processes
• Hunt for threats by searching for indicators of compromise across all endpoints in real-time
• Contain potentially compromised endpoints during investigation with endpoint quarantine

Resolve – Rapidly fix endpoints and ensure the threat does not return
• Delete malicious files and associated artifacts on all impacted endpoints
• Blacklist and whitelist files at the endpoint
• Enhanced reporting allows any table to be exported for incident resolution reports

Integrate and Automate – Unify investigator views, orchestrate data and workflows
• Easily integrate incident data and actions into existing SOC infrastructure including Splunk and ServiceNow
• Replicate the best practices and analysis of skilled investigators with automated incident playbook rules
• Gain in-depth visibility into endpoint activity with automated artifact collection
Enterprises are increasingly under threat from sophisticated attacks. In fact, research has found that threats dwell in a customer’s environment an average of 190 days.[1] These Advanced Persistent Threats use stealthy techniques to evade detection and bypass traditional security defenses. Once an advanced attack gains access to a customer environment, the attacker has many tools to evade detection and begin to exploit valuable resources and data. Security teams face multiple challenges when attempting to detect and fully expose the extent of an advanced attack, including manual searches through large and disparate data sources, lack of visibility into critical control points, alert fatigue from false positives, and difficulty identifying and fixing impacted endpoints.

[1] “Cost of a Data Breach Report, Ponemon 2018” https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=55017055USEN&

Symantec EDR Solution
Symantec EDR exposes advanced attacks with precision machine learning and global threat intelligence, minimizing false positives and helping ensure high levels of productivity for security teams. Symantec EDR capabilities allow incident responders to quickly search, identify and contain all impacted endpoints while investigating threats using a choice of on-premises and cloud-based sandboxing. Symantec EDR also enhances investigator productivity with automated investigation playbooks and user behavior analytics that bring the skills and best practices of the most experienced security analysts to any organization, resulting in significantly lower costs.
In addition, continuous and on-demand recording of system activity supports full endpoint visibility. Symantec EDR utilizes advanced attack detections at the endpoint and cloud-based analytics to detect targeted attacks such as breach detection, command and control beaconing, lateral movement and suspicious PowerShell executions.

Increase Visibility and Productivity
Symantec EDR increases investigator productivity by prioritizing incidents by risk. Symantec EDR also automatically generates incidents for targeted attacks identified through Symantec’s Targeted Attack Analytics and Dynamic Adversary Intelligence. Investigators can take advantage of Endpoint Activity Recording to hunt for Indicators of Attack and perform endpoint analysis. Symantec EDR supports continuous and on-demand retrieval for a wide range of events including session, process, module load point modifications, file and folder operations and registry changes. In addition, critical network events are recorded for multiple protocols (customers can configure which supported protocols they prefer to record). Network events recorded include session start and end time, first URL associated with the session, IP protocol, source and destination IP port and more.

According to the Symantec Internet Safety and Threat Report (ISTR), more than 20% of malware is VM-aware, which means it evades detection in a traditional sandbox. Symantec EDR includes sandboxing that can detect such VM-aware threats by employing advanced techniques that include mimicking human behavior and, if necessary, using physical servers for detonation. Symantec EDR supports the automatic submission of suspicious files to the sandbox for analysis.

Figure: Searchable event data, risk-scored streaming data and on-demand data retrieval, with example detections (process injections; processes spawned in a system folder from a non-system ID; load point modifications). Caption: Symantec EDR provides smart incident alerts to enhance investigator productivity.

Cloud-based Attack Analytics and Endpoint Advanced Attack Detections
Symantec EDR includes Targeted Attack Analytics (TAA). TAA parses global activity, the good and the bad, across all enterprises that comprise our telemetry set. Our cloud-based artificial intelligence algorithms and advanced machine learning adapt to new attack techniques automatically. TAA creates a real-time incident—with a detailed analysis of the attacker, techniques, impacted machines, and remediation guidance—and streams it to the EDR console. This approach streamlines the efforts of incident responders and enhances productivity for the entire security team (TAA is provided at no additional cost to Symantec customers using Advanced Threat Protection 3.1 or higher).

Symantec EDR also leverages endpoint behavioral policies, continually updated by Symantec researchers, to detect advanced attack techniques (AAT) instantly at the endpoint (over 350 currently available). These detections detail activity that may indicate attacks in progress, including file and registry changes, suspicious network and process activity, and use of specific Windows APIs that can be used to start a malicious thread within an existing process. Specific incidents from AAT detections can be whitelisted if they are determined to be normal for your organization.

Hunt for Anomalies Across Endpoints
Symantec EDR simplifies the hunt for attackers within the environment by providing an across-the-board view of software, memory, user, and network baseline activity. When attackers operate in the environment, their malware and user activity stand out as anomalies or outliers. Symantec EDR exposes outliers across the environment including:
• Software outliers – Expose endpoints that have uncommon software, build discrepancies, unpatched or old operating system (OS) releases
• Memory outliers – Detect memory-resident outliers using forensic examination of process memory, file and OS objects, and system settings
• User outliers – User behavior analytics detect attackers acting as legitimate users performing unusual activity
• Network outliers – Leverage statistical analysis to identify anomalous IP addresses; reputation lookups identify IP addresses and domains associated with data exfiltration
These outlier detections are provided via a cloud-based service and are available using built-in and custom playbooks that produce specific reports on a wide variety of anomalous activity.

MITRE ATT&CK Event Enrichment and Cyber Analytics
Symantec EDR provides tools to detect and visualize the attack lifecycle based on the MITRE ATT&CK framework. The EDR tool describes attack methods based on the standard tactics and techniques in the ATT&CK matrix. In addition, quick filters make it easy for investigators to narrow results to one or more phases of the MITRE ATT&CK lifecycle, including initial access, persistence, lateral movement and command and control. Critically, Symantec EDR supports MITRE Cyber Analytics through automated investigation playbooks. MITRE recommends organizations implement a zero-trust approach to forensic collection and investigation by interrogating autorun differences, suspicious run locations, potential DLL injections and SMB event monitoring. Symantec EDR makes it easy to run scheduled sweeps across endpoints to determine if any attacks can be detected using common knowledge of the MITRE community of adversary models.

Complete and Rapid Endpoint Repair
Symantec EDR supports rapid remediation of impacted endpoints including file deletion, blacklisting and endpoint quarantine. Using powerful eraser capabilities built into the Symantec Agent, responders can take action from the EDR console and with one click apply a fix across multiple endpoints.

Figure: Remediation actions from the EDR on-premises appliance to the Symantec Agent with EDR: blacklist a malicious file, delete malicious files and artifacts, quarantine an endpoint. Caption: Symantec EDR ensures endpoints are returned to a pre-infection state.

Automate Skilled Investigator Practices
Symantec EDR supports playbooks that automate the complex, multi-step investigation workflows of security analysts. Built-in playbooks quickly expose suspicious behaviors, unknown threats, lateral movement and policy violations. Symantec EDR includes an extensive set of playbooks to identify “Living off the Land” (LOTL) tactics, including the use of legitimate tools to hide attacks in normal activity. Symantec EDR now supports over 50 of these LOTL playbooks. Selected playbooks can be scheduled to run on a specific date, time or interval.

The security team can view the playbooks to learn expert hunting and investigation techniques. In addition, investigators can create their own playbooks to automate best practices and document specific threat hunting scenarios.

Figure: Playbook editor showing a chain of nodes (On Execute, Query, Query Retrieved Nodes, Limit, Merge Results, Create Result, Name Result, Save Non-Empty, Graph Result) with Base Result, Merged Result and Result Saved outputs. Caption: Symantec EDR has powerful, automated playbooks for artifact collection, investigation and response.
Flexible Deployment Options
Symantec EDR is a flexible solution that can be deployed on-premises or in the cloud. Symantec Endpoint customers can leverage integrated EDR capabilities in the Symantec Single Agent architecture. Using the EDR appliance, organizations can quickly deploy EDR into existing Symantec Endpoint on-premises environments. In addition, customers can add modules that provide visibility and correlation of network and email events (the Email module requires Symantec Email Security.cloud).

Endpoints with or without the Symantec Agent installed can leverage the EDR cloud-based portal for cyber data analytics, forensic analysis and investigation automation using a dissolvable agent and an on-premises collection server (or the optional collection services agent). Symantec’s cloud-based EDR capabilities deploy in minutes and quickly collect data from endpoints with no impact on end-user experience.

Extend Your Security Operations Team
The Symantec Managed Endpoint Detection and Response service ensures enterprises of all sizes can extend the capabilities of existing SOC teams or leverage Symantec’s world-class SOC Analysts to fully leverage Symantec for incident triage, threat hunting, forensic analysis and endpoint containment. Symantec’s Managed EDR delivers unmatched expertise and global scale that fortifies security teams with:
• 24 x 7 dedicated team of analysts assigned based on the customer’s geographic and industry focus
• Proactive threat hunting that applies to minimize the business impact of possible incursions
• Seamless transition from the Managed EDR service to an Incident Response engagement if required

In combination with Symantec EDR tools, Managed EDR adds additional expertise and global coverage many Security Operations teams require.

Enhance Security Investments
Symantec’s Integrated Cyber Defense approach enhances your organization’s existing investment in security infrastructure. Symantec EDR solutions integrate with security operations tools, via Symantec Integrated Cyber Defense Exchange (ICDx) Collectors or APIs, for event and incident management, ticketing, automation and orchestration including:
• Pre-built apps for Splunk, IBM QRadar and ServiceNow
• Integrated automation and orchestration using Phantom, Demisto and CyberSponse
• Public APIs covering detection, investigation and response capabilities

Requirements and Certifications
For complete requirements of Symantec EDR visit our system requirements pages: https://www.symantec.com/products/endpoint-detection-and-response#requirements

Symantec EDR is ISO 27001 Certified.

To learn more about Symantec EDR, ICDx and Symantec Managed EDR visit our product pages:
https://go.symantec.com/edr
https://go.symantec.com/managed-edr
https://www.symantec.com/theme/integrated-cyber-defense-exchange
About Symantec
Symantec Corporation (NASDAQ: SYMC), the world’s leading cyber security company, helps organizations, governments and people secure their most important data
wherever it lives. Organizations across the world look to Symantec for strategic, integrated solutions to defend against sophisticated attacks across endpoints, cloud and
infrastructure. Likewise, a global community of more than 50 million people and families rely on Symantec’s Norton and LifeLock product suites to protect their digital
lives at home and across their devices. Symantec operates one of the world’s largest civilian cyber intelligence networks, allowing it to see and protect against the most
advanced threats. For additional information, please visit www.symantec.com, subscribe to our blogs, or connect with us on Facebook, Twitter, and LinkedIn.
350 Ellis St., Mountain View, CA 94043 USA | +1 (650) 527 8000 | 1 (800) 721 3934 | www.symantec.com
Copyright © 2019 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered
trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 20B283601_DS_EDR_EN