Sales Play: At-A-Glance
Symantec Endpoint Detection and Response
How to Sell At-A-Glance

Product Overview
Symantec EDR exposes advanced attacks with precision machine learning and global threat intelligence, minimizing false positives and helping ensure high levels of productivity for security teams. Symantec EDR capabilities allow incident responders to quickly search, identify and contain all impacted endpoints while investigating threats using a choice of on-premises and cloud-based sandboxing. Symantec EDR also enhances investigator productivity with automated incident playbook rules and user behavior analytics that bring the skills and best practices of the most experienced security analysts to any organization, resulting in significantly lower costs.

In addition, continuous and on-demand recording of system activity supports full endpoint visibility. Symantec EDR uses behavioral analytics at the endpoint and in the cloud to detect stealthy attack activity such as breaches, command and control beaconing, lateral movement and suspicious PowerShell executions.

Customer Challenges
Enterprises are increasingly under threat from sophisticated attacks. These Advanced Persistent Threats use stealthy techniques to evade detection and bypass traditional security defenses. Security teams face the following challenges when attempting to detect and fully expose the extent of an advanced attack:
   •   Large amounts of data from disparate sources require manual searching and human correlation of incidents
   •   Security teams don’t have visibility into critical control points where indicators of compromise can be found
   •   Large numbers of alerts and false positives make investigation time-consuming and staff intensive
   •   Once an attack is confirmed, security teams find it difficult to identify all the impacted endpoints, delete malware and associated artifacts, and update policies to block the threat from entering the organization again

Detect
   •   Record critical system activity including file operations, registry key changes, process activity, load point changes and user login and logoff (continuous or on-demand)
   •   View PowerShell processes; rules-based detection identifies suspicious scripts and creates incidents for them
   •   Memory exploits detected by SEP automatically generate incidents for investigators to analyze for associated artifacts

Investigate
   •   Search the EDR database and endpoints directly
   •   Quickly filter for specific attributes, identify uncommon values and pivot to the relevant entity page
   •   Detonate suspicious files using cloud-based or on-premises sandboxing
   •   Cloud sandbox supports physical and virtual suspicious file awareness
   •   Leverage file reputation, network traffic analysis and global telemetry (GIN)
   •   Quarantine endpoints

Remediate
   •   Blacklist files and URLs, delete files
   •   Easily clean up every attack artifact across all endpoints and return endpoints to a pre-infection state

Automate
   •   Replicate the best practices and analysis of skilled investigators with automated incident playbook rules
   •   Gain in-depth visibility into endpoint activity with automated artifact collection
   •   Initiate cyber security functions and learn expert investigation methods with built-in playbooks

Highlight: Targeted Attack Analytics
Targeted Attack Analytics (TAA) leverages Symantec’s massive telemetry dataset, top security data scientists and the Attack Investigator Team to create artificial intelligence (AI) and machine learning (ML) algorithms that expose attack patterns actually occurring in the customer environment.

Highlight: Advanced Attack Detections
Symantec EDR also leverages endpoint behavioral policies, continually updated by Symantec researchers, to detect advanced attack methods instantly at the endpoint. These detections detail activity that may indicate attacks in progress, including file and registry changes, suspicious network and process activity, and use of specific Windows APIs that can be used to start a malicious thread within an existing process.

Highlight: MITRE ATT&CK and CAR Support
Symantec EDR provides tools to detect and visualize the attack lifecycle based on the MITRE ATT&CK framework. The EDR tool describes attack methods based on the standard tactics and techniques in the ATT&CK matrix. In addition, quick filters make it easy for investigators to narrow results to one or more phases of the MITRE ATT&CK lifecycle, including initial access, persistence, lateral movement and command and control.

Critically, Symantec EDR supports MITRE Cyber Analytics through automated investigation playbooks. MITRE recommends organizations implement a zero-trust approach to forensic collection and investigation by interrogating autorun differences, suspicious run locations, potential DLL injections and SMB event monitoring.

Why We Win
1.   Single Agent Stack – With highest efficacy anti-malware, advanced protection, app isolation, app control, deception, and EDR
2.   Superior Detection Analytics – Local and global telemetry applied to AI-driven analytics and backed by world class attack researchers (TAA), Advanced Attack Technique detection, MITRE CAR Analytics
3.   Unequaled Threat Intelligence – Global Intelligence Network, the largest civilian threat collection network, tracks over 700,000 global adversaries
4.   Extensive IR Automation – Built-in automated investigation playbooks enable a quick start for threat hunting
5.   Integrated Cyber Defense – Orchestrate security across cloud and on-premises, Symantec and third-party products

Discovery Questions
   •   How many security events do you face daily?
   •   What security controls have you deployed?
   •   Do you have a SOC team or IR team?
   •   How do you determine which security events are the most critical?
   •   How do you tie external threat intelligence back into what’s happening in your environment?
   •   What’s your goal time for incident response?
   •   How important is it to you to have visibility into incursions or possible suspicious activity?
   •   How long does it take for you to identify compromised endpoints?
   •   How long does it take for you to remediate threats?
   •   How do you correlate information across your organization?
   •   How many people are required for this correlation and how much time does it take?

Overcoming Objections
Objection: I already have advanced protection with Endpoint Protection. Why do I need EDR?
Response: Endpoint Protection focuses on prevention. Symantec EDR goes beyond prevention to focus on detection and response to catch today’s most elusive and destructive breaches.

Objection: Other EDR vendors can do endpoint analysis today, but Symantec can’t.
Response: Symantec now has full Endpoint Activity Recording and real-time queries.

Objection: Your EDR solution is new to the market and is still maturing. I need a mature EDR solution.
Response: Symantec EDR is:
   •   Leader in the Gartner EPP MQ
   •   Leader in the Radicati APT Report
   •   Built on top of existing technologies
   •   500+ customers, including renewals

Objection: I don’t have Symantec on my endpoints. I have (McAfee, Sophos, or Kaspersky).
Response: Symantec EDR can be deployed to non-SEP endpoints without deploying additional agents.

Target Market and Buyers
Firms with 1000 endpoints or more and Security Operations Centers.
   •   Customers looking for Endpoint Detection and Response (EDR) capabilities to search and remediate their environment.
   •   Customers who have dedicated security analysts focused on investigation and remediation.

Following are the key buyers and influencers within an organization.
   •   CISO / Director of IT Security
   •   Head of Security Operations / SOC Manager
   •   Threat Hunters
   •   Incident Investigators and Responders
   •   Triage Analysts

Additional Resources
For more information and sales resources, visit Sales Central (https://syminfo.symantec.com/content/salescentral/SalesCentralHome/products-services/endpoint-data-center-security/edr.html) where you will find:
   •   Customer Presentation
   •   Datasheets
   •   Licensing Guides
   •   Competitor Battle cards, and more

Licensing Information
EDR, Network Sensor, Email Threat Detection and Response
   Product                                                                                        Licensing
   Symantec Endpoint Detection and Response                                                       Per User
   Endpoint Detection and Response with Network Sensor                                            Per User
   Endpoint Detection and Response with Email Threat Detection and Response                       Per User
   Endpoint Detection and Response with Network Sensor and Email Threat Detection and Response    Per User

Bundle
   Product                                                                                        Licensing
   Symantec Endpoint Protection with Endpoint Detection and Response                              Per User

In addition, quote Managed EDR and the EDR Pro-Launch package (fixed price consulting services). Add these to your EDR quote:
   Product                                                                                        Licensing
   Managed Endpoint Detection and Response                                                        Per User
   Consulting, Packaged Offering, Fixed Price                                                     Per Engagement

See the Consulting Services for EDR data sheet for details on the fixed price offering for EDR deployment: https://symantecb2b--symantecdsa.na32.visual.force.com/apex/DSA_Main#/content/06938000002texlAAA
Use Cases
   •   Detect Anomalies, Investigate Suspicious Events and Fix Impacted Endpoints - Although SEP is blocking the vast majority of threats, attackers can still find their way in. Customers need to shorten the window of exposure when a threat slips through, contain the incident and quickly fix any compromised endpoints. Symantec multilayer protection ensures that Incident Responders are only alerted to stealthy threats and targeted attack patterns.
   •   Conduct Endpoint Investigations with Continuous and On-Demand Recording - In the event of a compromise, customers need to know every system and process change made to endpoints. Customers need to quickly investigate an attack and understand every change and action performed in historical sequence.
   •   Detect, Investigate, Remediate and Automate IR Tasks across Windows, macOS and Linux - Customers need visibility and forensic analysis for endpoints where an agent is not deployed, and need to conduct investigations on non-SEP, roaming endpoints, macOS and Linux devices. Use ML-driven playbooks to leverage the best practices of skilled investigators.
Competition

Carbon Black
   What the competition says: Symantec EDR lacks endpoint recording. Not “next-gen”.
   How to block the competition: Symantec EDR now has continuous and on-demand recording. Carbon Black requires multiple agents (SEP + EDR = single agent). Carbon Black is twice the TCO of Symantec. Carbon Black has limited threat intelligence and nothing that matches TAA.

CrowdStrike
   What the competition says: Not “next-gen”. No cloud offering.
   How to block the competition: Symantec EDR has cloud-based capabilities that include tools for threat hunting, forensics and IR automation. CrowdStrike only detects active endpoint threats. SEP 14 + EDR offers protection, detection and response. CrowdStrike has limited threat intelligence and nothing that matches TAA. Customers have reported issues with too many false positives when using CrowdStrike.

Microsoft
   What the competition says: Part of Windows licensing options.
   How to block the competition: Defender ATP is Windows centric. Symantec EDR can secure all environments. Defender ATP does not have a network sensor. Symantec EDR correlates threats across endpoint, network and email. CrowdStrike has limited threat intelligence and nothing that matches TAA.
About Symantec
Symantec Corporation (NASDAQ: SYMC), the world’s leading cyber security company, helps organizations, governments and people secure their most important data wherever it lives. Organizations across the world look to Symantec for strategic, integrated solutions to defend against sophisticated attacks across endpoints, cloud and infrastructure. Likewise, a global community of more than 50 million people and families rely on Symantec’s Norton and LifeLock product suites to protect their digital lives at home and across their devices. Symantec operates one of the world’s largest civilian cyber intelligence networks, allowing it to see and protect against the most advanced threats. For additional information, please visit www.symantec.com or connect with us on Facebook, Twitter, and LinkedIn.
350 Ellis St., Mountain View, CA 94043 USA | +1 (650) 527 8000 | 1 (800) 721 3934 | www.symantec.com
Copyright © 2018 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.