Symantec looks to banish false alarms

For network managers, it can be like finding the proverbial needle in the haystack: sifting through multitudes of security alerts trying to find the one that is truly a threat to the enterprise. Failing to recognize one in time can have dire consequences, including network downtime, loss of intellectual property and even the loss of a job.

To help remedy the situation, Symantec Corp. last month released two new security management applications: the Symantec Event Manager for Intrusion Detection and the Symantec Incident Manager. The offerings were created to help enterprises identify and resolve security breaches.

With the Event Manager, network managers can view security events in one spot: it collects security data, or events, from different security software components and puts them into a single database, where they can be examined by the Incident Manager. There are three versions of Event Manager, one each for intrusion detection, firewalls and antivirus.

Avnet Inc., a shipper of electronics and computer equipment, has been beta testing Event Manager for Intrusion Detection and Incident Manager.

“Your initial payback is just the fact you have one console in front of you and you can gain some efficiencies, and instead of having personnel look at a single console and logging in through four or five GUIs and 20 different systems to get the information, you can get it presented in front of you,” said Steve Jeffers, manager of enterprise security systems for Avnet Inc., based in Phoenix.

The Incident Manager employs a correlation engine that helps determine whether any events constitute a security threat, also known as an incident, and is geared toward eliminating false positives. Whereas an event is simply a message from a security sensor somewhere within the enterprise, an incident is usually one or more related events. It can be anything from a malformed network packet, potentially indicating a buffer-overflow attack, to a failed login on a computer, which could indicate a hacker but could also be something as simple as a typo.

Some of the correlation criteria are preset, but users can also tailor the product to suit their needs, such as by specifying which systems are most sensitive to security breaches and which are most critical to operations.
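The event-to-incident correlation the article describes, as an added illustration in Python rather than anything from Symantec's products: events are grouped by source and target, a lone failed login (the typo case) stays an event, a burst of failures or a malformed packet becomes an incident, and the operator's criticality weighting sets its priority. All host names, thresholds and sample events are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, shaped as a sensor might report them:
# (timestamp, sensor, source address, target host, event type).
EVENTS = [
    ("2002-11-05 09:00:01", "host-ids", "10.0.0.7", "ws-42", "failed_login"),  # a typo
    ("2002-11-05 09:00:06", "host-ids", "10.0.0.7", "ws-42", "login_ok"),
    ("2002-11-05 09:10:00", "net-ids", "192.0.2.9", "erp-db", "failed_login"),
    ("2002-11-05 09:10:02", "net-ids", "192.0.2.9", "erp-db", "failed_login"),
    ("2002-11-05 09:10:04", "net-ids", "192.0.2.9", "erp-db", "failed_login"),
    ("2002-11-05 09:10:07", "net-ids", "192.0.2.9", "erp-db", "failed_login"),
    ("2002-11-05 09:10:09", "net-ids", "192.0.2.9", "erp-db", "failed_login"),
    ("2002-11-05 09:12:30", "net-ids", "192.0.2.9", "erp-db", "malformed_packet"),
    ("2002-11-05 09:30:00", "net-ids", "198.51.100.4", "ws-42", "malformed_packet"),
]

# Operator-supplied weighting: which systems are most critical to operations.
CRITICALITY = {"erp-db": 3, "ws-42": 1}

def correlate(events, criticality, threshold=5, window=timedelta(minutes=5)):
    """Group raw events by (source, target) and promote a group to an incident
    only when related events cross a threshold; a lone failed login is not one."""
    groups = defaultdict(list)
    for ts, sensor, src, dst, kind in events:
        groups[(src, dst)].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), sensor, kind))
    incidents = []
    for (src, dst), evs in groups.items():
        evs.sort()
        fails = [t for t, _, k in evs if k == "failed_login"]
        # Largest number of failed logins that fall inside one sliding window.
        burst = max((sum(1 for t in fails[i:] if t - start <= window)
                     for i, start in enumerate(fails)), default=0)
        reasons = []
        if burst >= threshold:
            reasons.append(f"{burst} failed logins within {window}")
        if any(k == "malformed_packet" for _, _, k in evs):
            reasons.append("malformed packet (possible buffer-overflow attempt)")
        if reasons:
            incidents.append({
                "source": src, "target": dst, "events": len(evs), "reasons": reasons,
                "sensors": sorted({s for _, s, _ in evs}), "status": "open",
                # Priority rises with the target's criticality and the evidence found.
                "priority": criticality.get(dst, 1) * len(reasons),
            })
    return sorted(incidents, key=lambda inc: -inc["priority"])  # highest priority first

if __name__ == "__main__":
    for inc in correlate(EVENTS, CRITICALITY):
        print(inc["priority"], inc["target"], "<-", inc["source"], "; ".join(inc["reasons"]))
```

With the sample data, the single failed login against ws-42 never becomes an incident, while the burst against the critical erp-db host lands at the top of the queue.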

Despite these features, Jeffers said that correlation logic still needs to be improved further, not only by Symantec, but by the industry in general.

“Symantec has been very interested in our feedback into that process [of developing effective correlation logic] because I think ultimately all of the vendors talk about correlation, but the real solution has to be business-centric,” Jeffers said.

He added that he is encouraged by what he’s seen from Symantec in this area. “I don’t think there are any vendors that are 100 per cent there yet. I wouldn’t say that’s a knock to Symantec or any of its competitors, but I think Symantec is well on its way of getting us there,” he said.

After the needles in the haystack, or incidents, have been identified, Incident Manager will also track the incident throughout its life cycle until its closure, and help the user prioritize which incidents constitute the biggest threat. Those are dealt with first. And, as the incidents move through their life cycles, they shift on the priority list.

Throughout this process, Incident Manager provides guidance to the user on how to tackle the security threats.

“It’s kind of the where to go, the who to call, the what to do for each phase of the incident,” said John Heath, senior product manager for Symantec. “And that guidance changes dynamically based on the feedback the analyst gives the system, so for each step towards remediation the analyst reports back to the system.”

In addition, Symantec is working with other software developers to build third-party relays, so that network managers can integrate the Event and Incident Managers directly into their network management software. In December, the first of these relays will be ready for IBM Corp.’s Tivoli Risk Manager, including the Tivoli Enterprise Console.

Dan McLean, director of enterprise network services at IDC Canada Inc. in Toronto, said that based on the support Symantec is getting for its security products from other vendors, the company seems to be on the right track. He added that enterprises need tools that give them a centralized view of security events.

Symantec Incident Manager is shipping at the end of the month, as are the Event Managers for Intrusion Detection and Anti-Virus. The Event Manager for Firewall will be ready by the end of 2002. For more information see Symantec at