Symantec expands early warning system

In a sign that it is continuing to digest the technology it took on with three high-profile purchases last July, Symantec Corp. announced an upgrade to the DeepSight Threat Management System, which it acquired along with SecurityFocus Inc. in one of those deals.

DeepSight Threat Management System is an early warning system that uses a worldwide network of firewall and intrusion detection systems maintained by more than 19,000 data partners to aggregate and correlate attack data.

The system provides security administrators with analysis of emerging threats, tailoring alerts to a customer's network configuration. It is designed to prevent or mitigate the effect of attacks by giving advance warning and targeted countermeasures, according to Symantec.

Version 4 of the DeepSight Threat Management System, announced on Wednesday, includes a number of new features, according to Symantec. Those features include:

– The addition of firewall data to the threat information tracked by the system, allowing Symantec’s DeepSight security analysts to detect impending attacks from anomalous traffic and port activity.

– Customization features that allow security administrators to filter DeepSight notifications by severity, impact, or affected software version. Administrators can also choose the channel over which notifications are sent, such as e-mail, fax, telephone or short message service (SMS).

– Expanded reporting tools and statistics. Security administrators can break out threat activity based on specific IP addresses, events and ports to better understand emerging Internet attacks. In addition, a new reporting wizard will help security administrators set up their own customized reports.

The release of DeepSight Threat Management System version 4 follows the November release of version 4 of the related DeepSight Alert Services, which notifies customers about emerging threats.

Symantec is marketing the DeepSight technology as a hedge against fast-spreading threats such as the recent W32.Slammer worm.

DeepSight began tracking the Slammer worm hours before it began propagating and issued alerts and procedures to administrators to prevent infection, according to Symantec.

Symantec did not provide specific examples of DeepSight preventing infection by the Slammer worm in its announcement, however.

An industry analyst expressed skepticism that subscribing to DeepSight in order to get early word of widely publicized outbreaks such as Slammer would be a worthwhile investment.

“It doesn’t really help if at midnight you’re notified (by DeepSight) that there’s a huge attack taking place because these days, you’re probably hearing about it from your local news,” said John Pescatore, an Internet security researcher at Gartner Inc.

The flood of early warnings about Slammer that became available for free within hours of the outbreak undermines the value of a DeepSight subscription for such widespread outbreaks, Pescatore said.

The service is more valuable for low profile and targeted attacks, according to Pescatore.

“Symantec can say ‘We’ve got 19,000 companies, and we’re seeing attacks targeting financial services companies or energy companies or banks,'” Pescatore said.

Companies can also determine whether an attack they are experiencing is part of a larger Internet attack, or whether it is targeted specifically at their network, according to Pescatore.
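The "is this just us, or is everyone seeing it?" question Pescatore describes is a correlation problem: compare the ports and sources your own firewall is denying against how many other sites report the same port activity in the same window. The following is an added illustration written for this article, not Symantec's or DeepSight's code, and its firewall log lines, partner feed format, thresholds and the `classify_local_activity` function are all constructed assumptions; only the 19,000-partner figure comes from the text.

```python
import re
from collections import defaultdict

# Constructed sample firewall deny log for one site (not real traffic):
#  - 30 denied UDP/1434 packets from 30 different sources (worm-like scanning)
#  - 25 denied TCP/8080 probes from a single source (looks aimed at this host)
#  - 3 SSH attempts, too few to be worth a notification
LOCAL_FIREWALL_LOG = (
    [f"2003-01-25T05:3{i % 10}:00 DENY udp 198.51.100.{i + 1} -> 203.0.113.10:1434"
     for i in range(30)]
    + [f"2003-01-25T05:4{i % 10}:00 DENY tcp 192.0.2.77 -> 203.0.113.20:8080"
       for i in range(25)]
    + [f"2003-01-25T05:5{i}:00 DENY tcp 192.0.2.{i + 1} -> 203.0.113.20:22"
       for i in range(3)]
)

# Constructed stand-in for an aggregated partner feed: for each destination
# port, how many partner sensors reported denies on it in the same window.
# The shape of this feed is an assumption, not DeepSight's actual format.
GLOBAL_PORT_FEED = {1434: 15200, 22: 300, 8080: 12}
TOTAL_PARTNERS = 19000  # number of data partners cited in the article

DENY_RE = re.compile(r"DENY (?P<proto>\w+) (?P<src>[\d.]+) -> [\d.]+:(?P<dport>\d+)$")


def parse_denies(lines):
    """Group denied connections by destination port, keeping the source IPs."""
    by_port = defaultdict(list)
    for line in lines:
        m = DENY_RE.search(line)
        if m is None:
            continue  # not a deny record; ignore
        by_port[int(m.group("dport"))].append(m.group("src"))
    return by_port


def classify_local_activity(lines, global_feed, total_partners,
                            local_threshold=20, global_fraction=0.05):
    """Label each busy local port as 'internet-wide' or 'targeted'.

    A port counts as busy once it has at least local_threshold denies. It is
    labelled internet-wide when at least global_fraction of all partners
    report the same port in the feed, and targeted otherwise. The number of
    distinct sources is returned as supporting evidence: one source hammering
    one port is a different picture from thousands of sources.
    """
    report = {}
    for port, sources in parse_denies(lines).items():
        if len(sources) < local_threshold:
            continue
        fraction = global_feed.get(port, 0) / total_partners
        label = "internet-wide" if fraction >= global_fraction else "targeted"
        report[port] = {
            "label": label,
            "local_hits": len(sources),
            "distinct_sources": len(set(sources)),
            "partner_fraction": round(fraction, 4),
        }
    return report


if __name__ == "__main__":
    result = classify_local_activity(LOCAL_FIREWALL_LOG, GLOBAL_PORT_FEED, TOTAL_PARTNERS)
    for port, info in sorted(result.items()):
        print(f"port {port}: {info}")
```

On the constructed data, UDP/1434 is flagged as internet-wide (80% of partners see it, which is the Slammer-style case where the local news already has the story), while the TCP/8080 probing from a single host is flagged as targeted, which is the low-profile case where a cross-partner view actually adds information. The thresholds are arbitrary; the point is that the decision needs both the local log and the aggregate view.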

Symantec’s DeepSight service competes against similar services from other security vendors such as Trend Micro Inc., Vigilinx Inc. and iDefense Inc.

For example, Trend Micro recently announced enhancements to its enterprise Outbreak Prevention Services, broadening those services to encompass file, Web and messaging servers running on the Solaris, Linux, and Windows operating systems as well as users connected via broadband connections from remote offices.

Like Symantec’s DeepSight service, Trend Micro’s Outbreak Prevention Services uses a network of security analysts to distribute information on developing virus outbreaks to Trend Micro customers before a virus pattern file is released. Customers can use that information to modify network configurations and prevent or lessen the impact of infection.

While Wednesday’s announcement shows that Symantec is continuing to invest in the SecurityFocus technology, the company will need to navigate tricky waters with its SecurityFocus products and services in the months ahead, according to Pescatore.

In addition to competing against free services that offer many of the same features as DeepSight, Symantec needs to retain the thousands of volunteer data partners that make up the DeepSight network.

Those organizations agreed to be part of DeepSight when it was part of SecurityFocus, but may not have the same level of commitment to a huge security vendor, according to Pescatore.

In addition, Symantec will need to convince skeptics that it is managing assets such as the popular Bugtraq vulnerability discussion list impartially.

“The real critical test comes when somebody finds a vulnerability in a Symantec product. Does that get disclosed as quickly as with a similar vulnerability in a product from Cisco (Systems Inc.) or McAfee?” Pescatore said.