What is our primary use case?
Symantec Endpoint Protection has an antivirus with anti-malware and application control capabilities that we use to protect assets like servers, workstations, and ATMs. There's a central management server we use to manage all the endpoints, regardless of the categories, and we install an agent on all the endpoints that reports to the management server.
If I want to check the status of any asset, I need to get the details like the IP address and the hostname of the system. The management server will give me the current status. I have three different kinds of agents on the endpoint that I can use to control access.
The agents for the ATMs and servers aren't as heavy as the ones for workstations. It's a stripped-down version that removes some of the components and add-ons that are not part of the endpoint protection engines, so the agent is lighter and can be deployed faster. The activities on servers and ATMs are dynamic, so the antivirus must also be very light. To centrally manage the antivirus, I have to set up distribution points because I have more than 14,000 endpoints altogether distributed across more than 250 branches in Nigeria.
I set up distribution points on systems and ATMs. The ATMs are always on the network because they're connected with other points at every branch and location. I need them to be distribution points. When I need to send a file to update all the other systems, I send it to these distribution points. These distribution points in Symantec record the data needed to update all the other systems.
Let's say I have two different locations. I will have the updated data at location one, and I have other data at location two. These different locations have their own IP subnets, so I will configure the update data so that the IPs within that subnet can talk to it and no IP outside the subnet can. This ensures my assets, ATMs, workstations, and servers can update as soon as possible.
I'm always compliant. The servers in the data center don't need to talk to any distribution points. They talk directly to the management server to get the updates regularly because the servers are always on the network at the data center, unlike the workstations that people shut down at the end of the day. Any time people connect to the network, the system will update automatically. That is the normal architecture for Symantec.
How has it helped my organization?
Symantec centralized our intrusion detection system while creating additional layers of security at the endpoint level. We're not relying on the central intrusion detection system. It gave us more value than expected.
The solution also helped give us visibility into compliance within our whole system and ensure everything is updated. I can tell you the number of outdated systems from the same management server. In the same console, I can remotely trigger an update on any system. Symantec offers more flexible administration than other solutions. Most other antivirus products get updates directly from their portal, install them on the management server, and all the endpoints pull the update from it. Sometimes, an endpoint may not update. The update might be on the endpoint, but the system will still not pick it up.
Most other antivirus solutions can't do a workaround like Symantec, where you can download the JDB file from the portal and copy the file to a specific path on the problem system. You don't even need to install it. Once you drop the script into the system, it will run automatically. After 20 to 40 seconds, the system will be updated, and the status will turn green.
Using distribution points is also a game changer because it has saved it. Symantec considers that you may have bandwidth issues in this part of the world. You can leverage the update and push the file through locations with inadequate bandwidth. When you push the file through, the update can pull the data file and distribute it across the other endpoints.
Having this flexibility makes the solution easy to use. You can also segment the systems according to assets. It lets you classify servers, ATMs, and workstations separately. You can have different versions because of the flexibility. You can remove some components before generating the agent you are installing on the endpoint.
I get around 95 percent compliance, meaning that 95 percent of the systems are up to date at any time. I also want to take it a step further to achieve around 98 percent because I have discovered some systems are not updating.
Then there is another file called the JDB in Symantec that I download regularly and distribute across all the ATMs, which I use as my distribution points. I will run a script to pick this JDB file and copy it to a specific path on all the outdated MAA workstations to update them automatically.
Overnight, I usually copy the script to all 256 distribution points across the nation. The next day, I will run another script that goes to the specific distribution point, acquires the JDB file, distributes it to the list of data systems I have prepared by location, and copies the file to those computers. They will be updated automatically.
That has been fully automated. I download the file every day at the close of business. It is shared through a script that is already automated across the distribution points the following day at 9:00 am because it's expected that people will resume work by 8:00 am. By 9:00 am, I expect every system to be on. The outdated systems will be targeted with the JDB and updated.
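Added example, not the reviewer's own script and not Symantec tooling: a Python sketch of the two-stage job described above (stage the .jdb on each branch distribution point overnight, then copy it from the subnet-local distribution point into the inbox folder of each outdated host), with a subnet lookup that mirrors the per-subnet restriction on distribution points and a hash check on every copy so a half-written or corrupted file is never reported as an update. The hostnames, IP ranges, file name, share layout and inbox directory are all placeholders; the real inbox path comes from Symantec's documentation, and in production `dp_share` and `inbox` would return UNC paths rather than the local temporary folders the demo builds.

```python
"""Added example (not from the review): push a .jdb definition file to outdated
endpoints via the distribution point in each endpoint's subnet, verifying copies."""
import hashlib
import ipaddress
import shutil
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Optional, Tuple


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large definition files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def pick_distribution_point(ip: str, dps: Dict[str, str]) -> Optional[str]:
    """Return the distribution point whose subnet contains ip, else None.
    dps maps a CIDR subnet to the host (ATM or PC) acting as that branch's DP."""
    addr = ipaddress.ip_address(ip)
    for cidr, dp in dps.items():
        if addr in ipaddress.ip_network(cidr, strict=False):
            return dp
    return None


def plan_copies(endpoints: Dict[str, str], dps: Dict[str, str]) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Pair each outdated endpoint (host -> ip) with its branch DP. Hosts with no
    matching subnet are reported instead of being pulled over a slow WAN link."""
    plan, unmatched = [], []
    for host, ip in endpoints.items():
        dp = pick_distribution_point(ip, dps)
        if dp:
            plan.append((host, dp))
        else:
            unmatched.append(host)
    return plan, unmatched


def stage_file(src: Path, dst_dir: Path, expected_sha256: str) -> bool:
    """Copy src into dst_dir under a temporary name, verify the hash, then rename,
    so the agent never picks up a partial file; a mismatch deletes the copy."""
    dst_dir.mkdir(parents=True, exist_ok=True)
    tmp = dst_dir / (src.name + ".part")
    shutil.copyfile(src, tmp)
    if sha256_of(tmp) != expected_sha256:
        tmp.unlink()
        return False
    tmp.replace(dst_dir / src.name)
    return True


def distribute(jdb: Path, endpoints: Dict[str, str], dps: Dict[str, str],
               dp_share: Callable[[str], Path], inbox: Callable[[str], Path]) -> Dict[str, List[str]]:
    """Morning job: copy the .jdb already staged on each branch DP into the inbox
    folder of every outdated host in that DP's subnet, checking against the hash
    of the master file downloaded from the portal."""
    good = sha256_of(jdb)
    plan, unmatched = plan_copies(endpoints, dps)
    result: Dict[str, List[str]] = {"updated": [], "failed": [], "skipped": unmatched}
    for host, dp in plan:
        ok = stage_file(dp_share(dp), inbox(host), good)
        result["updated" if ok else "failed"].append(host)
    return result


def demo(corrupt_dp: Optional[str] = None) -> Dict[str, List[str]]:
    """Run both stages on constructed data in a temp directory (placeholders only).
    corrupt_dp optionally damages one DP's staged copy to show the hash check."""
    root = Path(tempfile.mkdtemp())
    jdb = root / "master.jdb"                       # constructed sample, not a real .jdb
    jdb.write_bytes(b"constructed definition payload")
    dps = {"10.1.0.0/24": "atm-branch01", "10.2.0.0/24": "atm-branch02"}   # assumed subnets
    endpoints = {"ws-0101": "10.1.0.25", "ws-0202": "10.2.0.40", "ws-unknown": "10.9.0.7"}
    for dp in dps.values():                         # night job: stage on every DP
        stage_file(jdb, root / dp, sha256_of(jdb))
    if corrupt_dp:
        (root / corrupt_dp / jdb.name).write_bytes(b"truncated or tampered copy")
    result = distribute(jdb, endpoints, dps,
                        dp_share=lambda dp: root / dp / jdb.name,
                        inbox=lambda host: root / host / "inbox")
    shutil.rmtree(root, ignore_errors=True)
    return result


if __name__ == "__main__":
    print(demo())
    print(demo(corrupt_dp="atm-branch02"))
```

The unmatched list is deliberate: an endpoint whose IP falls outside every distribution point subnet is the case where bandwidth problems appear, so it is surfaced for a manual decision rather than copied from whichever DP happens to be listed first.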
What is most valuable?
What I like most about Symantec is the intrusion detection module. If you are scanning the environment, it will flag a possible intruder and tell you the IP and where the attack is coming from. Traditional antivirus solutions will never flag that. If you have a traditional SIEM, you might be able to pick that up. Symantec is a holistic endpoint security solution, so when you scan an endpoint, Symantec will let you know that something is happening to it.
Once, there was an unauthorized scan of the environment, and I immediately discovered multiple systems were accessing it. A message will pop up saying that an intrusion was detected scanning from a particular path. We need to check directly because there are multiple similar IP addresses we have to block on our firewall, so the IP cannot access our system again. We've been able to contain attacks using Symantec in the past. It's highly effective.
Another valuable add-on is application control, which I use to prevent some applications from entering my environment. You can block any program installed with the same fingerprint. If the software isn't aligned with the environment, Symantec will stop it automatically. You don't need to buy a different solution, like an app blocker, and deploy it in the background.
What needs improvement?
Symantec's application security module needs some improvement. You need to create a lot of fingerprints for application security. For instance, let's say I have different brands of ATMs in my environment, like Wincor and NCR. I use GRG to deploy an application control to whitelist some applications. I have to get the exact image of the different models of ATMs. When I tested in the past, some machines would not connect to the server without that.
Only the approved software on the ATM should run. Anything outside that should not even come up at all. We did this so that an outside person doesn't introduce malicious software to the ATM. That's the essence of locking down with application control. Using Symantec for application control has been hectic, so I use Carbon Black to do the lockdown.
I checked that data security would work fine with Carbon Black, and it did. Setting up approval in Carbon Black works differently than Symantec. In Symantec, we first need the fingerprints of the applications running underneath. Before setting up Carbon Black, you first install the agent, allowing it to learn the environment. It will analyze all the software's behavior and provide recommendations for what should be allowed. It's more straightforward, whereas configuring application control in Symantec is a bit cumbersome.
For how long have I used the solution?
I've been using this solution since 2014. Before joining this bank, I used Symantec at another financial institution, so I'm well acquainted with the solution. It's taken care of many aspects, especially the endpoint, regarding the environment's security.
What do I think about the stability of the solution?
Endpoint Security is stable.
What do I think about the scalability of the solution?
When you put it on servers and there are performance issues, you can always check the endpoint that's using the most resources and allow that part to not be scanned.
Symantec has the scalability and flexibility to work in line with what the customer really wants. Some parts of a server are not meant to be scanned. You can still monitor it and get reports. From there, you can decide if it should be excluded. That is one thing I like about Symantec.
How are customer service and support?
I rate Symantec support an eight out of ten. They are pretty solid in terms of technical know-how and support. My only complaint is the process of handing off between two support engineers. Whoever takes over will ask you to start from the beginning. There isn't proper documentation of the call and communication between engineers.
Let's say you have made 60% progress toward resolving your issue. Whoever takes over from that engineer should be able to pick it from 60% and drive it to 100%. In most cases, the new engineer may even take you back down to 20%. It wastes a lot of time.
Which solution did I use previously and why did I switch?
I use Symantec alongside other security solutions. For example, I don't use Symantec's Global Intelligence Network. I use a different threat intelligence platform called Mandiant in my environment. I also leverage Microsoft for threat hunting. I don't use Symantec for threat hunting.
In the past, I tried Data Center Security on our servers, but since the normal ICP works for us, we decided not to use it. I tested the features because I was looking for a solution that can lock down some of my legacy systems. During the POC, I compared it with Carbon Black, the solution I have. Carbon Black does a better job and it's cheaper.
I have a separate solution that I use to manage mobile devices. I'm not using Symantec. There's a solution called Sandblast Harmony that is an add-on for Check Point, which I use as a perimeter firewall. This is a solution that was deployed with it, and I have Sandblast on all my mobile devices.
Before you can install anything like office mail on your mobile devices, you need to be onboarded on that platform before you can set it up. If your device does not have Sandblast installed on it, you won't be able to proceed with the setup. So I don't really even use Symantec to protect my mobile devices.
How was the initial setup?
Setting up Endpoint Security isn't complicated. You need to set up a management server to install the agents, then provide the permissions to the appropriate IPs to acquire the update from Symantec. After that, you set up distribution points for the updated data. It's not something that can be completed in a day. For instance, if you have 200 locations, you can set up three or four daily. It depends on the criticality. That's why you deploy distribution points.
If you are operating a centralized approach, all the workstations, irrespective of the location, can pull the updates from the management server and be managed centrally. However, because of bandwidth challenges, some cannot go to the server and pull the updates.
You have the flexibility to determine the components you want to generate. For instance, you can have different agents for workstations, ATMs, and servers by selecting the specific components you want to include. Everything is coming from the same management server. When it's time to update, you can do a workaround by leveraging the JDB from the Symantec portal. You must push that JDB file to a specific path on those affected systems. It will execute and update automatically.
What was our ROI?
There's a return on investment.
What's my experience with pricing, setup cost, and licensing?
Symantec is one of the major players in that space, so the licensing isn't as cheap as some other antivirus products like Trend Micro. It's reasonable but not the cheapest. Any entry-level Symantec user is coughing up a lot of money compared to the other antivirus software.
Windows Defender is practically free for customers. When you have the option of using Microsoft Defender, and you look at the price of Symantec, the gap is wide. Trend Micro is a bit closer, so competitive pricing is something Symantec may also need to consider.
What other advice do I have?
I rate Symantec Endpoint Security a nine out of ten. I use Symantec for multiple endpoints like ATMs, servers, and workstations, but I think Symantec has evolved. They have some specific solutions for ATMs and servers. Generally, I would recommend only using Symantec Endpoint Protection for workstations. For your server, you should deploy different solutions.
When deploying the solution, you should consider each location's bandwidth limitations. You will also need to implement quality of service on the network so bandwidth utilization is prioritized. For example, you might need to schedule workstation updates during off-peak hours.
If it is not managed correctly, all the computers might update simultaneously during the peak period, affecting the whole environment and causing service issues. The proper time for updates should be appropriately identified. In my case, we update around 3:30 pm because we close at 4:00 pm. My peak period is between noon and 1:00 pm, so none of my workstations will update at that time.
Disclosure: I am a real user, and this review is based on my own experience and opinions.