Symantec's new Advanced Threat Prevention (ATP) offering aims to reposition the company as a leader in security, providing a comprehensive platform that integrates its existing network, endpoint, and email security products. The ATP platform allows clients to detect, analyze, and remediate threats across multiple data points while addressing market competition from newer startups. Despite its historical strengths, Symantec faces challenges in innovation perception and must effectively communicate product advancements to regain market momentum.

1. 4/29/2016 Can Symantec reboot its own blockbuster success?
https://451research.com/report­short?entityId=88860&type=mis&alertid=41&contactid=0036000001UtPzxAAF&utm_medium=email&utm_campaign=Market­In… 1/7
IMPACT R PORT
Can mantec re oot it own lock u ter ucce ?
APRIL 28 2016
Y ADRIAN ANA RIA, PATRICK DALY (/ IOGRAPHY? ID=912)
Symantec released its Advanced Threat Prevention (ATP) offering last fall. The product builds on its existing network,
endpoint and email offerings, and aims to offer a holistic view of the threats a company faces across those three control
points by analyzing data fed to the appliance from ATP's component parts. Threats are then viewable, and may be
remediated by the customer through ATP's user interface. The offering consists of three modules, which clients can
purchase separately or as a platform and can all leverage Symantec's new Cynic cloud malware analysis sandbox:
Symantec ATP: Endpoint (enhanced SEP functionality)
Symantec ATP: Email (enhancements to Email Security.cloud)
Symantec ATP: Network (new product – an on­premises network sensor)
The 451 Take
Once a titan in the eyes of the industry, Symantec is seen by many as a cautionary tale of what could happen in this
industry, where constant innovation is essential to survival. Following a mostly amicable divorce with Veritas –
also a titan in the adjacent storage industry – Symantec is using its newfound independence and momentum to
breathe new life into an aging product portfolio, and realign with the rest of the industry. Even though there is
catching up to do, the company brings considerable gravitas with it. In fact, Symantec's former glory enables it to
be in the strange position of attempting to regain dominance in a market that technically, it hasn't actually lost
yet. The design and architecture of its ATP offerings show a shrewd approach calculated to introduce new product
(and revenue) with minimal friction. Wisely, ATP makes it easy for existing Symantec Endpoint Protection (SEP)
customers (especially those with a large number of endpoints) to stick with Symantec, and think twice before
leaving. Overall, the intended effect appears to be the ability to forklift existing offerings into parity with the
perceived 'next generation' anti­malware competition, with minimal friction and retooling.

2. 4/29/2016 Can Symantec reboot its own blockbuster success?
https://451research.com/report­short?entityId=88860&type=mis&alertid=41&contactid=0036000001UtPzxAAF&utm_medium=email&utm_campaign=Market­In… 2/7
Context
Even before its $8bn sale of Veritas, Symantec had been planning to overhaul its product portfolio in an effort to
streamline offerings, improve product integration and reestablish its image as a leader in the security space. Although
many have wondered whether the company waited too long to make sorely needed changes, the real question is whether
Symantec can solve the innovation dilemma. Can it keep up with the steady stream of security startups, eager to chisel
away at the incumbent's still sizable revenue stream?
Symantec made a large investment in ATP, dedicated a significant number of employees to its development, and
assigned several product managers exclusively to ATP. The offering was built partly by enhancing existing products,
such as SEP and Email Security.cloud. It is noteworthy that SEP's existing console was designed primarily as a
management console for IT operations, whereas ATP is designed and sold with a company's security operations team
in mind.
While several of the components necessary to make ATP work are already in broad use by Symantec customers, the
Cynic Cloud Sandbox was developed entirely for use in ATP, along with the actual ATP appliance and console that
enables customers to block or delete malicious files and hunt for known threats. Since ATP's launch in December
2015, Symantec has initiated a marketing campaign, new branding and a look that sends a clear message that it intends
to compete head­to­head with newcomers in these markets. Look for more indicators in the near future that indicate
Symantec is aiming to operate more like an agile startup – and shed the clinging 'large ship' image of being slow to
make course corrections.
SEP is the ancestor of the company's oldest and most well­known products. The current name and iteration of the
product was established during the first great endpoint security consolidation – a period of endpoint­security­specific
M&A activity that occurred between 2001 and 2009. However, this well­known lineage has led to the common
assumption that SEP has changed little in the past decade. Several other factors have fueled the perception that
Symantec has been inactive and failed to innovate:
Although Symantec steadily integrates new features and more advanced anti­malware technology to SEP, many
customers aren't aware of these additions and leave them disabled.
With the exception of Cylance and SentinelOne, most endpoint security startups and products labeled as
advanced or next­gen are not capable of replacing existing antivirus products. This contributes to the perception
of 'old' versus 'new,' when the truth is that there is a high amount of overlap across the endpoint­security
ecosystem today.
Most of the newer endpoint­security products on the market are designed to be complementary to AV products
– not replacements. This results in the products missing from the results published by AV­testing
organizations, either because direct comparisons don't make sense, or because samples of the products aren't
made available.

3. 4/29/2016 Can Symantec reboot its own blockbuster success?
https://451research.com/report­short?entityId=88860&type=mis&alertid=41&contactid=0036000001UtPzxAAF&utm_medium=email&utm_campaign=Market­In… 3/7
Product
Symantec ATP is sold as an appliance that sits on­premises. ATP gathers and analyzes data from network, endpoint
and email control points. While the ATP appliance is the core, or the 'brains,' of the platform, it also encompasses a
collection of products that feed it data. It should be noted that the offering doesn't require all components to be in place,
although missing pieces will create blind spots. In the primary and most compelling use case, ATP acts as the brains
directing SEP's functions on the endpoint.
Symantec ATP: Endpoint
ATP starts with the existing SEP endpoint­security product, and enhances it with additional capabilities. The most
notable of these are threat hunting and remediation. The ATP appliance is capable of conducting threat hunting and
remediation through direct integration with SEP agents. Critically, this use case is supported without the need to deploy
new agents for existing SEP customers – a point sure to give any large enterprise pause before considering 'ripping
and replacing' SEP for a competing product. SEP is capable of isolating malicious systems from the rest of the network,
which it does through software since it operates at the kernel level, and it leverages ATP to investigate threats remotely
before deciding on what remediation action to take. SEP agents can send executable files to the cloud­based Cynic
sandbox for analysis.
Leveraging the ATP appliance, security analysts can use the 'organism view' on ATP's dashboard to see malicious files
on an individual host, along with the URLs and IP addresses that those files are associated with. The customer then has
the option to add those files and hashes to a blacklist, blocking them from its network and endpoints. ATP can go even
further by leveraging SEP to isolate infected hosts and keep the attack from spreading. SEP can be instructed to delete
malware, along with removing related artifacts and reversing any changes it made (registry keys, configuration
changes, processes, etc.).
The interface includes an investigator tool, and natural­language free text search to help customers with threat hunting.
The tool allows for two types of search – database and endpoint. The database search looks through all of the threats
that ATP's various components have detected and collected. In contrast, the endpoint search interrogates endpoints in
real time, searching for threats that haven't yet been detected, and therefore won't be in ATP's database.
A single ATP appliance is capable of managing and searching up to 100,000 endpoints, although the speed of the
search is limited by the frequency of SEP's 'heartbeat' setting. The default setting is one hour, which means that it could
be as long as one hour before ATP even receives the search command, but companies have the ability to shorten the
heartbeat frequency. The ATP appliance does not replace the SEP console, which is still used to manage and deploy SEP
agents. It is in the SEP console that this heartbeat setting is managed.
Symantec ATP: Network

4. 4/29/2016 Can Symantec reboot its own blockbuster success?
https://451research.com/report­short?entityId=88860&type=mis&alertid=41&contactid=0036000001UtPzxAAF&utm_medium=email&utm_campaign=Market­In… 4/7
ATP: Network is a network sensor that attempts to detect an analyze threats on­premises. It leveraging machine
learning generated models identify suspicious files, which then go through static threat analysis. Designed to listen on
a network tap, it can be deployed on bare metal or as a virtual machine with the capability to detect both file­ and non­
file­based attacks. It can be thought of as equivalent to a FireEye NX appliance without MVS or similar network sensors
from Lastline or Cyphort that also segregate the detection and dynamic malware­analysis components.
When detection occurs, ATP: Network can determine whether it's necessary to send malware to Cynic, which performs
dynamic analysis, running and analyzing malware in virtualized and emulated environments designed to simulate the
malware authors' targets. The goal is to minimize the load imposed on Cynic by making the static analysis capabilities
of ATP: Network as effective as possible.
There are clear advantages to this model, because sandbox analysis tends to be computationally expensive, limiting
architectural options in deploying the product. This 'monolithic' model has been a common issue for vendors that don't
split out these functions. The typical scenario is that a buyer needs to deploy an appliance to a large number of physical
or network locations, but only has the budget for one or two appliances. Addressing this issue from the start is a wise
move for Symantec, and shows the company is aware of trends and issues in these markets.
Symantec ATP: Email
The third ATP module, ATP: Email, is an add­on for Symantec's existing Email Security.cloud product. It enables email
attachments to be sent to the Cynic sandbox and adds a Targeted Attack Identification service. It should be noted that
ATP customers can correlate email threats in the ATP platform without buying this module – the add­on primarily
enables the addition of the two aforementioned advanced detection options.
Putting it all together: the ATP appliance, Synapse, Cynic and DeepSight
The ATP platform leverages two services that are fully maintained and hosted by Symantec: Cynic and DeepSight.
Cynic, Symantec's new cloud sandbox, is a key asset in the ATP portfolio. While cases can be made for detonating
malware on­premises, Palo Alto Networks and Lastline have achieved significant success with their cloud­based
sandbox approaches. The advantage to being late to a market is reduced risk. Symantec appears to be using the
opportunity to see what the market favors, and to benefit from mistakes made early on.
The data collected by ATP is enriched through integration with DeepSight, Symantec's global intelligence feed.
DeepSight is fed by thousands of honeypots and sensors around the world. This intelligence is correlated with data
already pulled and analyzed from SEP, Criterion, Cynic and Email Security.cloud – applying context from external
threats to internal data.
The actual ATP appliance plays a number of critical roles for the ATP platform. It functions as the central control point
– the analyst's 'console' or UI – and is where the collection and correlation of all the data occurs. This is where the
customer gains visibility into a range of threats to their network and devices, as well as options for remediation.

5. 4/29/2016 Can Symantec reboot its own blockbuster success?
https://451research.com/report­short?entityId=88860&type=mis&alertid=41&contactid=0036000001UtPzxAAF&utm_medium=email&utm_campaign=Market­In… 5/7
Synapse is the name given to the engine responsible for correlating this data on the ATP appliance. Did the malware
detected on a user's laptop originate from an email? In the past, this was a highly manual process performed by the
incident responder. With an integrated platform like ATP and Synapse to do the correlation, the whole process can be
automated, including defining automated responses to threats.
Competition
Because Symantec ATP is composed of a variety of security products, it operates in multiple markets, and will come up
against vendors offering single solutions similar to its components. SEP competitors include essentially any legacy or
'next gen' enterprise antivirus vendor, including Dell, Fidelis, Guidance Software, McAfee, RSA, Tanium, Tenable and
Tripwire.
ATP's endpoint search functionality is especially similar to Tanium's. Although it is slower than Tanium's, ATP scales
more easily, Symantec claims, given that one Tanium appliance manages a maximum of 10,000 endpoints, compared
to ATP's stated limit of 10 times that number per appliance. On the cloud sandbox side, Palo Alto's Wildfire product
will compete with ATP's Cynic, along with FireEye, Lastline and ThreatGRID. Vendors providing competing email­
security products include Proofpoint, FireEye, Websense, Blue Coat and Mimecast.
Although ATP will come into contact with vendors competing with ATP's component products, it will compete most
directly with larger vendors offering similar integrated platforms. Companies like Palo Alto, Blue Coat, FireEye,
McAfee, Fidelis CyberSecurity, Trend Micro, Fortinet and ThreatTrack fall into this category. The market for integrated
security products is highly competitive, and while Symantec already has a strong customer base in endpoint and email
security to sell into, it will need to work to sway customers from their existing products.
WOT Anal i
trength
Symantec has introduced features and use cases that align with younger and seemingly more spry
competitors; but in a way, that avoids the disruption and friction of having to touch every single customer
endpoint.
Weakne e
The largest challenge here could be market perception. Symantec claims many customers aren't aware of
innovations it has made, and often do not enable them – an issue that adds to the notion that Symantec hasn't
been responding to customer needs. Ultimately, it is up to Symantec to educate its customers and raise
awareness of improvements to its products. Some of Symantec's competitors have taken a hard stance on this,
enabling similar advanced features by default, effectively taking the choice away from the customer.
Opportunitie

6. 4/29/2016 Can Symantec reboot its own blockbuster success?
https://451research.com/report­short?entityId=88860&type=mis&alertid=41&contactid=0036000001UtPzxAAF&utm_medium=email&utm_campaign=Market­In… 6/7
Opportunitie
Symantec should emphasize the advantage it has with a platform approach over competitors offering
network, email or endpoint products alone. The value of platforms like ATP is to provide a vantage point from
which the broad context and big picture, in relation to threats, can be made clear in a way that was never
possible with point products in isolation.
Threat
We could state that the numbers show startups are collectively chipping away little of Symantec's foundation,
but what really matters is that the company appears to have lost momentum on the endpoint – a key market
it had a large hand in establishing. Symantec needs to shed its 'big ship' constraints, and become agile enough
to keep up as startups grow and become more serious threats.
Adrian ana ria (/ iograph ?eid=734)
Senior Security Analyst
Patrick Dal (/ iograph ?eid=912)
Research Associate
M&A ACTIVITY Y CTOR
M&A ACTIVITY Y ACQUIR R
ecurit / Premi e network ecurit / Network ehavior anomal detection (N AD) (12)
(http ://mak .the451group.com/re ult ? a ic_ elected_ ector =388)
ecurit / Anti-Malware / General (45) (http ://mak .the451group.com/re ult ? a ic_ elected_ ector =402)
ecurit / General (23) (http ://mak .the451group.com/re ult ? a ic_ elected_ ector =136)
lue Coat tem Inc. [Thoma ravo LLC/Ontario Teacher Pen ion Plan] (8) (http ://mak .the451group.com/re ult ?
a ic_acquirer = lue+Coat tem Inc. [Thoma ravo LLC/Ontario Teacher Pen ion Plan])
Dell Inc. (35) (http ://mak .the451group.com/re ult ? a ic_acquirer =Dell+Inc.)
Fire e, Inc. (2) (http ://mak .the451group.com/re ult ? a ic_acquirer =Fire e,+Inc.)
Fortinet Inc. (10) (http ://mak .the451group.com/re ult ? a ic_acquirer =Fortinet+Inc.)
Guidance oftware, Inc. (2) (http ://mak .the451group.com/re ult ? a ic_acquirer =Guidance+ oftware, Inc.)
McAfee Inc [fka Network A ociate ] (22) (http ://mak .the451group.com/re ult ? a ic_acquirer =McAfee+Inc [fka

7. 4/29/2016 Can Symantec reboot its own blockbuster success?
https://451research.com/report­short?entityId=88860&type=mis&alertid=41&contactid=0036000001UtPzxAAF&utm_medium=email&utm_campaign=Market­In… 7/7
Figure hown indicate num er of tran action
Network A ociate ])
Proofpoint, Inc. (5) (http ://mak .the451group.com/re ult ? a ic_acquirer =Proofpoint,+Inc.)
R A ecurit Inc. [ MC] (8) (http ://mak .the451group.com/re ult ? a ic_acquirer =R A+ ecurit Inc. [ MC])
mantec Corporation (43) (http ://mak .the451group.com/re ult ? a ic_acquirer = mantec+Corporation)
Trend Micro Incorporated (11) (http ://mak .the451group.com/re ult ? a ic_acquirer =Trend+Micro Incorporated)
Tripwire Inc. (1) (http ://mak .the451group.com/re ult ? a ic_acquirer =Tripwire+Inc.)
Verita oftware Corporation (8) (http ://mak .the451group.com/re ult ? a ic_acquirer =Verita + oftware Corporation)
COMPANY M NTION (PRIMARY)
mantec (/ earch?compan = mantec)
COMPANY M NTION (OTH R)
lue Coat , C lance , C phort , Dell , Fideli C er ecurit , Fire e , Fortinet , Guidance oftware , La tline , Intel ecurit ,
Mimeca t , Palo Alto Network , Proofpoint , R A ecurit , entinelOne , Tanium , Tena le Network ecurit , ThreatGRID ,
ThreatTrack ecurit , Trend Micro , Tripwire , Verita oftware (/ earch?compan =Verita + oftware)
CHANN L
Information ecurit , Networking (/da h oard?view=channel&channel=4)
CTOR
All / ecurit / Premi e network ecurit / Network ehavior anomal detection (N AD) (/ earch? ector=388)
All / ecurit / Anti-Malware / General (/ earch? ector=402)
All / ecurit / General (/ earch? ector=136)