Enabling Adaptive Protection in Symantec Endpoint Protection

What is Adaptive Protection?

Adaptive Protection protects enterprise environments against the shift in the threat landscape toward sophisticated, targeted attacks. Rather than relying only on general-purpose attack tools, attackers increasingly build their attacks from tools that already exist in the enterprise environment. These Living off the Land (LOTL) techniques help attackers move laterally across an environment and evade security products, because the binaries involved are legitimate and often signed. To protect an enterprise against targeted attacks, Adaptive Protection uses a rich behavioral analysis engine together with Symantec's global threat telemetry and expertise to:
  • Identify the behaviors of trusted applications that have been used as part of an attack chain.
  • Profile the normal behavior of trusted applications and processes in the enterprise environment.
  • Analyze prevalence to get visibility into the potential impact of eliminating specific behaviors in the environment.
You can use the prevalence analysis, coupled with the correlated MITRE ATT&CK techniques, to decide which application behaviors to block. Behaviors that are unused or seldom used in your environment can be blocked with little risk of disrupting users. Based on the latest attack trends, Symantec continuously adds behaviors that you can manage with Adaptive Protection.
For more information about Adaptive Protection, see:
You can view the prevalence data and the current action for each application behavior in the on-premises Symantec Endpoint Protection Manager (SEPM). To fine-tune the protection, you manage Adaptive Protection from the Symantec Integrated Cyber Defense Manager (ICDm) cloud console.

How do I get Adaptive Protection in Symantec Endpoint Protection Manager?

To view Adaptive Protection, you must have a Symantec Endpoint Security Complete subscription, a 14.3 RU3 management server, and Windows clients. Support for 14.3 RU1 and RU2 is planned for a future release.
  • LiveUpdate downloads the Adaptive Protection content to the Symantec Endpoint Protection Manager one time. The Advanced Security page then replaces the Cloud page. If you have a Symantec Endpoint Security Enterprise subscription, you continue to see the Cloud page.
  • The Adaptive Protection page shows an empty heat map for the first 3 to 4 days, until SEPM has communicated with the cloud console and Symantec has observed enough behavior in your environment.
  • For SEPM to activate with the cloud, telemetry must be enabled. In SEPM, make sure that the Send anonymous data to Symantec to receive enhanced threat protection intelligence option is enabled. For information on how to enable this setting, see:

Viewing the Adaptive Protection heat map

The Adaptive Protection page shows a heat map widget that uses color coding to show the prevalence of trusted application behaviors in your environment. Heat map data is collected from all devices that use a particular Adaptive Protection policy, including devices that have not exhibited a given behavior, and is based on telemetry collected from those devices over the past 90 days.
The heat map shows one of the following prevalence levels for each application behavior pair.
  • Zero prevalence
    This application behavior is not prevalent. No devices would be affected by a change in the policy action.
  • Low prevalence
    This application behavior is not prevalent. Few of your devices would be affected by a change in the policy action.
  • Medium prevalence
    This application behavior is somewhat prevalent. Some of your devices would be affected by a change in the policy action.
  • High prevalence
    This application behavior is very prevalent. If you change the policy action for this application behavior, you affect up to 80 percent of your devices.
  • Learning
    Adaptive Protection is still learning about this application behavior and does not have enough current data to assign a prevalence value. This may also occur if up to 5% of your devices are new. For example, your organization may replace laptops with new images frequently. Adaptive Protection assigns a prevalence after it observes the application behavior for 90 days.
Initially, all application behaviors are set to Learning with an action of Monitor.
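The prevalence logic described above, written out as an added example to make the heat map's meaning concrete. This is illustrative code, not Symantec's implementation, and it does not use the product's real telemetry format. The bucket cutoffs, the device and behavior names, and the telemetry records are all constructed assumptions; the only figures taken from the page are the 90-day window and the rule that a behavior stays in Learning until it has been observed for 90 days.

```python
from collections import defaultdict
from datetime import date, timedelta

WINDOW_DAYS = 90            # the heat map reflects telemetry from the past 90 days
TODAY = date(2024, 6, 30)   # fixed "now" so the example is deterministic (constructed)

# Assumed bucket cutoffs, expressed as the fraction of a policy's devices that
# exhibited the behavior inside the window. The page names the buckets but gives
# no exact cutoffs, so these values are illustrative only.
BUCKETS = [(0.0, "Zero"), (0.05, "Low"), (0.25, "Medium"), (1.0, "High")]


def bucket(fraction):
    """Map a device fraction to a prevalence level using the assumed cutoffs."""
    for cutoff, name in BUCKETS:
        if fraction <= cutoff:
            return name
    return "High"


def obs(device, app, behavior, days_ago, policy="P1"):
    """Build one constructed telemetry record: (device, policy, app, behavior, day)."""
    return (device, policy, app, behavior, TODAY - timedelta(days=days_ago))


# Constructed sample telemetry (not real SEP data). Behavior names are made up.
TELEMETRY = [
    obs("WS-001", "powershell.exe", "Launches rundll32.exe", 120),
    obs("WS-001", "powershell.exe", "Launches rundll32.exe", 3),
    obs("WS-002", "powershell.exe", "Launches rundll32.exe", 40),
    obs("WS-005", "mshta.exe", "Launches PowerShell", 200),       # only seen before the window
    obs("WS-003", "wmic.exe", "Creates a process", 20),           # first seen recently
    obs("WS-010", "winword.exe", "Writes an executable file", 95),
    obs("WS-010", "winword.exe", "Writes an executable file", 60),
    obs("WS-001", "excel.exe", "Launches cmd.exe", 150),
] + [obs(f"WS-{n:03d}", "excel.exe", "Launches cmd.exe", 10) for n in range(1, 13)]

# Every device assigned the policy counts in the denominator, even ones that
# never produced a record: prevalence is "share of the fleet", not "share of reporters".
DEVICES_IN_POLICY = {"P1": {f"WS-{n:03d}" for n in range(1, 21)}}


def build_heat_map(telemetry, devices_in_policy, today=TODAY):
    """Return {(policy, app, behavior): {"level", "affected", "fleet", "action"}}."""
    window_start = today - timedelta(days=WINDOW_DAYS)
    seen_in_window = defaultdict(set)   # key -> devices that showed the behavior in the window
    first_seen = {}                     # key -> earliest observation of the behavior at all
    for device, policy, app, behavior, day in telemetry:
        key = (policy, app, behavior)
        first_seen[key] = min(day, first_seen.get(key, day))
        if day >= window_start:
            seen_in_window[key].add(device)

    heat_map = {}
    for key, first in first_seen.items():
        fleet = devices_in_policy[key[0]]
        affected = seen_in_window.get(key, set()) & fleet
        if first > window_start:
            level = "Learning"          # not yet observed for a full 90 days
        else:
            level = bucket(len(affected) / len(fleet))
        heat_map[key] = {"level": level, "affected": sorted(affected),
                         "fleet": len(fleet), "action": "Monitor"}
    return heat_map


def change_impact(heat_map, key):
    """Devices that would notice if this behavior's action changed from Monitor to Deny."""
    return heat_map[key]["affected"]


def block_candidates(heat_map):
    """Behaviors the page calls safe to block: Zero or Low prevalence, still on Monitor."""
    return [key for key, entry in heat_map.items()
            if entry["level"] in ("Zero", "Low") and entry["action"] == "Monitor"]


if __name__ == "__main__":
    hm = build_heat_map(TELEMETRY, DEVICES_IN_POLICY)
    for key, entry in sorted(hm.items()):
        print(f"{key[1]:16} {key[2]:28} {entry['level']:9} "
              f"{len(entry['affected'])}/{entry['fleet']} devices")
    print("block candidates:", block_candidates(hm))
```

Two points the code makes visible that the prose only implies: a behavior that was seen long ago but not within the window drops to Zero prevalence rather than staying in Learning, and a behavior that first appeared inside the window is reported as Learning even if many devices already show it, so a freshly rolled-out tool should not be judged from its first weeks of data.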

Managing the Adaptive Protection policy in the cloud

If you want to adjust Adaptive Protection for your environment, you must switch from on-premises-only management to hybrid management. Hybrid management lets you manage your clients from either the on-premises Symantec Endpoint Protection Manager or the ICDm cloud console. However, you manage Adaptive Protection policies from the cloud console, not from Symantec Endpoint Protection Manager. For hybrid management, enroll the Symantec Endpoint Protection Manager domain in the cloud console.
Step 1: Enroll the Symantec Endpoint Protection Manager domain in the cloud console.
Step 2: In the cloud console, create an Adaptive Protection policy.
    In the Integrated Cyber Defense Manager cloud console, create an Adaptive Protection policy and apply the policy to the Symantec Endpoint Protection Manager-managed devices.
For more information on how to use the Adaptive Protection feature in the cloud console, see: Using Adaptive Protection
If you manage Adaptive Protection from the cloud console and do not want to refresh the application behavior heat map in Symantec Endpoint Protection Manager, go to Settings and turn off Adaptive Protection.