Enabling Adaptive Protection in Symantec Endpoint Protection
What is Adaptive Protection?
Adaptive Protection protects enterprise environments from the shift in the threat landscape toward sophisticated and targeted attacks. Attackers no longer use general-purpose attack tools. Attackers customize attacks based on tools that exist in the enterprise environment itself. These Living off the Land (LOTL) techniques help attackers move across an environment and evade security providers. To protect an enterprise against targeted attacks, Adaptive Protection uses a rich behavioral analysis engine as well as the global threat telemetry and expertise to:
- Identify the behaviors of trusted applications that have been used as part of an attack chain.
- Profile the normal behavior of trusted applications and processes in the enterprise environment.
- Analyze prevalence to get visibility into the potential impact of eliminating specific behaviors in the environment.
For more information about Adaptive Protection, see:
You can view this custom protection balance using the on-premises Symantec Endpoint Protection Manager (SEPM), or you can fine-tune the protection by managing Adaptive Protection from the Symantec Integrated Cyber Defense Manager (ICDm) cloud console.
How do I get Adaptive Protection in Symantec Endpoint Protection Manager?
To view Adaptive Protection, you must have a Symantec Endpoint Security Complete subscription, a 14.3 RU3 management server, and 14.3 RU3 Windows clients. Support for 14.3 RU1 and RU2 will be available in the future.
- LiveUpdate downloads the Adaptive Protection content to the Symantec Endpoint Protection Manager one time. The Advanced Security page replaces the Cloud page. If you have a Symantec Endpoint Security Enterprise subscription, you continue to see the Cloud page.
- The Adaptive Protection page shows an empty heat map for up to 3 or 4 days until Symantec learns enough about the behaviors in your environment, and SEPM communicates with the cloud console.
- For SEPM to activate with the cloud, you must have telemetry enabled. In the SEPM, make sure that the Send anonymous data to Symantec to receive enhanced threat protection intelligence option is enabled. For information on how to enable this setting, see:
Viewing the Adaptive Protection heat map
The Adaptive Protection page shows a heat map widget that uses color coding to show the prevalence of trusted application behaviors in your environment. Heat map data is collected from all devices that use a particular Adaptive Protection policy. The data in the heat map is based on telemetry that is collected from those devices over the past 90 days.
The following icons in the heat map show the prevalence of the application behavior pairs.
- Zero prevalence: This application behavior is not prevalent. No devices would be affected by a change in the policy action.
- Low prevalence: This application behavior is not prevalent. Few of your devices would be affected by a change in the policy action.
- Medium prevalence: This application behavior is somewhat prevalent. Some of your devices would be affected by a change in the policy action.
- High prevalence: This application behavior is very prevalent. If you change the policy action for this application behavior, you affect up to 80 percent of your devices.
- Learning: Adaptive Protection is still learning about this application behavior and does not have enough current data to assign a prevalence value. This may also occur if up to 5% of your devices are new. For example, your organization may replace laptops with new images frequently. Adaptive Protection assigns a prevalence after it observes the application behavior for 90 days.
Initially, all application behaviors are set to Learning with an action of Monitor.
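As an added example that is not Symantec's code and does not describe how Adaptive Protection computes its heat map internally, the following Python models the prevalence legend above from constructed per-device telemetry. For each application-behavior pair a policy covers, it counts the share of devices that showed the behavior inside the 90-day window, keeps a pair in Learning until it has been observed for a full window or while more than 5% of the fleet has reported for less than a window (an assumed reading of the 5% note), and lists the devices that a change of the policy action away from Monitor would reach. The Low and Medium cut-offs, the device names, dates and behavior labels are all assumptions made for the example.

```python
"""Prevalence bucketing of application-behavior pairs from endpoint telemetry.

Added example, not Symantec's code: it models how a heat map like the one on
the Adaptive Protection page can be derived from per-device observations, so an
admin can see how many devices a policy action change would touch before making it.
"""
from collections import defaultdict
from datetime import date, timedelta

WINDOW_DAYS = 90                   # page: the heat map uses telemetry from the past 90 days
NEW_DEVICE_RATIO = 0.05            # page: learning can persist while about 5% of devices are new
LOW_MAX, MEDIUM_MAX = 0.10, 0.50   # assumed cut-offs; the page gives no exact numbers for Low/Medium


def bucket_for(fraction):
    """Map the share of devices showing a behavior to the heat-map legend."""
    if fraction == 0:
        return "Zero"
    if fraction <= LOW_MAX:
        return "Low"
    if fraction <= MEDIUM_MAX:
        return "Medium"
    return "High"


def prevalence_map(policy_pairs, records, first_report, today):
    """Return {(application, behavior): (label, fraction, affected_devices)}.

    policy_pairs : pairs the policy covers (so never-seen pairs still show as Zero)
    records      : (device, observed_date, application, behavior) tuples
    first_report : device -> date of its first telemetry (drives the 'new device' check)
    A pair stays 'Learning' until it has been observed for a full window, or while
    more than NEW_DEVICE_RATIO of the fleet has reported for less than a window
    (an assumed reading of the page's 'up to 5% of your devices are new' note).
    """
    cutoff = today - timedelta(days=WINDOW_DAYS)
    fleet = set(first_report)
    new_devices = [d for d, seen in first_report.items() if (today - seen).days < WINDOW_DAYS]
    fleet_is_new = len(new_devices) / len(fleet) > NEW_DEVICE_RATIO

    seen_on = defaultdict(set)   # pair -> devices that showed it inside the window
    first_seen = {}              # pair -> earliest observation, including out-of-window ones
    for device, when, app, behavior in records:
        if device not in fleet:
            continue             # telemetry from a device not under this policy
        key = (app, behavior)
        first_seen[key] = min(first_seen.get(key, when), when)
        if when >= cutoff:
            seen_on[key].add(device)

    result = {}
    for key in policy_pairs:
        devices = sorted(seen_on[key])
        fraction = len(devices) / len(fleet)
        observed_days = (today - first_seen[key]).days if key in first_seen else WINDOW_DAYS
        label = "Learning" if (fleet_is_new or observed_days < WINDOW_DAYS) else bucket_for(fraction)
        result[key] = (label, fraction, devices)
    return result


# --- constructed sample fleet and telemetry (not real SEPM data) ---
TODAY = date(2024, 6, 30)
FLEET = {f"ws-{i:02d}": date(2024, 1, 1) for i in range(1, 21)}
FLEET["ws-20"] = date(2024, 6, 15)          # one freshly imaged laptop: exactly 5% of 20 devices

WORD_SCRIPT = ("winword.exe", "launches a script host")
PS_DOWNLOAD = ("powershell.exe", "downloads a file")
RUNDLL_USER = ("rundll32.exe", "loads a DLL from a user directory")
CERT_DECODE = ("certutil.exe", "decodes a file")
POLICY_PAIRS = [WORD_SCRIPT, PS_DOWNLOAD, RUNDLL_USER, CERT_DECODE]

RECORDS = [
    ("ws-02", date(2024, 2, 1)) + WORD_SCRIPT,      # old sighting, outside the 90-day window
    ("ws-01", date(2024, 5, 10)) + WORD_SCRIPT,     # the only in-window sighting: 1 of 20 devices
    ("ws-03", date(2024, 1, 15)) + PS_DOWNLOAD,     # first seen long ago, so the pair is past learning
    *[(f"ws-{i:02d}", date(2024, 5, i)) + PS_DOWNLOAD for i in range(1, 16)],  # 15 of 20 devices
    ("ws-20", date(2024, 6, 20)) + RUNDLL_USER,     # first seen 10 days ago: still learning
    ("lab-99", date(2024, 6, 1)) + CERT_DECODE,     # device outside the policy: ignored
]


def heat_map():
    """The prevalence table for the constructed fleet above."""
    return prevalence_map(POLICY_PAIRS, RECORDS, FLEET, TODAY)


if __name__ == "__main__":
    for (app, behavior), (label, fraction, devices) in heat_map().items():
        print(f"{app:16} {behavior:36} {label:9} {fraction:5.0%}  would affect {len(devices)} device(s)")
```

Run it directly to print the table; the last column is the practical question the heat map answers before you move a behavior from Monitor to a blocking action. Adding one more freshly imaged device to the sample fleet pushes the new-device share past 5% and drops every pair back to Learning, which is the effect the page describes for organisations that re-image laptops frequently.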
Managing the Adaptive Protection policy in the cloud
If you want to adjust Adaptive Protection for your environment, you must switch from on-premises-only management to hybrid management. Hybrid management lets you manage your clients from either the on-premises Symantec Endpoint Protection Manager or the ICDm cloud console. However, you manage Adaptive Protection policies from the cloud console, not from the Symantec Endpoint Protection Manager. For hybrid management, enroll the Symantec Endpoint Protection Manager domain in the cloud console.
Step 1: Enroll the Symantec Endpoint Protection Manager domain in the cloud console.
Step 2: In the cloud console, create an Adaptive Protection policy.
In the Integrated Cyber Defense Manager cloud console, create an Adaptive Protection policy and apply the policy to the Symantec Endpoint Protection Manager-managed devices.
For more information on how to use the Adaptive Protection feature in the cloud console, see: Using Adaptive Protection
If you manage Adaptive Protection from the cloud console and do not want to refresh the application behavior heat map in Symantec Endpoint Protection Manager, go to Settings and turn off