Endpoint Protection

  • 1.  Reports to Baseline "normal" behavior of SEP clients in your environment

    Posted May 08, 2013 01:11 PM

     Hello,

    We are trying to determine how to stop a virus outbreak before it happens. In our environment, we get maybe one or two each year, and they are easily contained.

    I am trying to determine the types of reports I should create to baseline the normal behavior of SEP clients. "Normal" meaning that there are no virus outbreaks, and anything that looks different is a sign that there may be an outbreak on the horizon.

    There are seven report types available:

    1. Application and Device Control

    2. Audit

    3. Computer Status

    4. Network Threat Protection

    5. Risk

    6. Scan

    7. System


    So far, I have narrowed it down to three reports we may want to look at:


    1. Network Threat Protection

    2. Risk

    3. Scan


    But I am stumped on how to break it down further. For instance, Network Threat Protection: Traffic has many options (see attached).

    Are there recommended metrics to use? Perhaps Symantec wrote about this, or there may be case studies on other organizations that have baselined their environment to detect when they are a few steps away from a virus outbreak.

    Any guidance is greatly appreciated.



  • 2.  RE: Reports to Baseline "normal" behavior of SEP clients in your environment
    Best Answer

    Posted May 08, 2013 01:25 PM

    I'm not sure of any recent metrics, but here are a few that, although older, still apply:

    Metrics using data from SEPM

    https://www-secure.symantec.com/connect/articles/metrics-using-data-sepm

    Metrics using data from SEPM (Part2)

    https://www-secure.symantec.com/connect/articles/metrics-using-data-sepm-part2

    Metrics using data from SEPM (part three)

    https://www-secure.symantec.com/connect/articles/metrics-using-data-sepm-part-three


    Looking at the firewall log can be a tedious process. I like to look at outbound traffic to see what is going on and whether my clients may be infected. If you can get it into a SIM, it can help greatly. It really just comes down to you knowing what should and shouldn't be on your network in regards to traffic.

    For risks, I usually look for patterns with users and who are repeat offenders. They then get put into quarantine where they can't do much.

    I don't use the scan log that much other than to find machines which either cancelled their scan, didn't run one, or were interrupted.



  • 3.  RE: Reports to Baseline "normal" behavior of SEP clients in your environment

    Posted May 09, 2013 07:18 AM

    Hi


    Check out IT Analytics and its KPI feature. I would also recommend using the IT Analytics pivot function to mine the data rather than exporting to .csv.

    https://www-secure.symantec.com/connect/articles/configure-key-performance-indicator-it-analytics-symantec-endpoint-protection-content-pack

    http://www.symantec.com/connect/articles/working-pivot-tables-and-charts-it-analytics-symantec-endpoint-protection-pack

    Torb




  • 4.  RE: Reports to Baseline "normal" behavior of SEP clients in your environment

    Posted May 10, 2013 09:53 AM

    Thank you Brian, I'll start on this.