
Symantec™ DeepSight™ Threat Management System

Helping to protect networks from active threats with an industry-leading early warning security system

TECHNOLOGY BRIEF

Symantec Enterprise Security

INSIDE

∆ The growing business risk

∆ Symantec DeepSight Threat Management System: a global early warning system

∆ Benefits of proactive security

Symantec DEEPSIGHT™ THREAT MANAGEMENT SYSTEM

Contents

Executive summary
The growing business risks
Proactive security: information, expertise, and configuration
Symantec DeepSight Threat Management System: a global early warning system
How Symantec DeepSight Threat Management System works
Symantec DeepSight Threat Management System in action
Benefits of proactive security
Conclusion
Glossary


√ Executive summary

Symantec DeepSight Threat Management System is a comprehensive and customizable early warning system providing notification of global attacks and best-practices countermeasures to help prevent attacks before they affect the enterprise.

The last few years have seen an extraordinary increase in intrusions, denial of service attacks, worms, blended threats and other attacks on computer systems. In response, companies have been forced to take a more strategic approach to network security that relies on systematically gathering, analyzing, and acting upon detailed risk and vulnerability information. Intrusion Detection Systems (IDS) are an important weapon in the war against network attacks, but until now their use has been largely reactive. Network security professionals are so busy trying to keep up—analyzing prior attacks and putting out fires—that they rarely have the time or resources to anticipate the next attack.

Firewalls provide another layer of protection against attacks. But firewalls are much more effective when they are properly configured to stop malicious traffic. The challenge for administrators is knowing what the new threats are, so that they can take the necessary steps to secure their systems, while not inhibiting their ability to conduct business.

This paper describes how Symantec DeepSight Threat Management System delivers actionable, customized, proactive intelligence from Symantec security experts who track attacks on businesses around the world every day. With Symantec DeepSight Threat Management System, companies can fine-tune security strategies, reduce the time spent researching and tracking security events, analyze relevant metrics and attack statistics, and free up security staff to take decisive action before attacks occur.

√ The growing business risks

The Internet’s phenomenal expansion has come with a corresponding explosion in the number of security threats. As Figure 1 illustrates, CERT/CC (the Computer Emergency Response Team Coordination Center)—a major reporting center that tracks Internet security problems—has seen rapid growth across every incident category, including:

• Attempts to gain unauthorized access to a system or its data

• Unwanted disruption or denial of service

• Unauthorized use of a system for the processing or storage of data

• Changes to system hardware, firmware, or software characteristics without the owner’s knowledge, instruction, or consent [1]

The problem is more than just one of numbers. As companies worldwide in every industry rely increasingly on the Internet to manage and grow their business, the potential disruptive effects and economic impact of each attack skyrockets. In 2002, the average loss per system penetration by an outsider incident was a staggering $226,000. [2]

Figure 1. The rapid increase in network security incidents has paralleled the phenomenal expansion of the Internet (source: CERT/CC). [Chart: network intrusions per year, 1988 through 2002; vertical axis from 0 to 90,000 incidents.]

[1] Source: CERT Coordination Center Incident Reporting Guidelines. Copyright © 1998, 1999, 2000, 2001, 2002 Carnegie Mellon University.

[2] Source: Computer Security Institute/Federal Bureau of Investigation 2002 Computer Crime and Security Survey.


With the occurrence and potential cost of network attacks so high—and continuing to rise—businesses understand that they must marshal all their resources to defend against intruders. For many companies, the first line of defense is to build stronger and thicker walls around their computer assets by installing a broad range of logical and physical security mechanisms. As the tools and techniques of would-be intruders increase in sophistication, so too must the security products.

Businesses now realize that to truly optimize the strength of their security posture, an early warning system that allows for the proactive management of threats and vulnerabilities is an important piece of the security puzzle. Effective enterprise information security teams require timely, configuration-specific, accurate, comprehensive, and actionable knowledge about the risks, vulnerabilities, and pathology of attacks. A threat management system is vital for IT managers to make quick, accurate, and informed decisions to protect their systems.

√ Proactive security: information, expertise, and configuration

Developing an effective threat management strategy requires security professionals to gather and analyze a broad range of general security information from many different sources, including vulnerability and virus alerts, mailing lists, news articles, and managed security service providers. Many different systems and services have emerged to help IT experts find, manage, and act upon this information. Among the weapons in the security arsenal are Intrusion Detection Systems (IDS), products that continuously monitor networks and keep detailed logs of any intrusions or attacks. Similarly, firewalls enable users to filter network activity and keep detailed logs of this activity.

By themselves, Intrusion Detection Systems are limited. They enable IT managers to track and react to what happens within their own discrete networks. The same applies to the analysis of an individual organization’s firewall logs. These systems provide an excellent view of current threats to the enterprise, but may create a highly subjective view of risks and vulnerabilities. Without understanding the larger context, security professionals may make decisions and formulate responses that do not maximize their security posture. For example:

• IDS and Firewall logs alone cannot reveal whether activity is specifically targeted at a single company, or if it is part of a larger attack on multiple organizations.

• IDS products do a good job of identifying current attacks, but do little to help businesses evaluate and reduce the risk of future attacks, resulting in a reactive security model.

• Firewall systems are only as good as their configuration. It’s only when administrators know about global threats that they are able to optimize their firewall to protect their assets.

Organizations need a way to leverage the collective experience and expertise of network security experts around the world, so they can anticipate and thwart attacks before they happen. However, most attempts at taking a more proactive approach to threat management have been hampered by factors such as:

• The lack of a global system of sensors to monitor attack activity

• The sheer volume of data required to create a statistically sound sample set

• The lack of technology to analyze this data


Furthermore, the growing number, complexity, and success rate of attacks make it extremely difficult for security professionals to assess their vulnerability solely by analyzing intrusions occurring within their perimeter. To help them see patterns and trends, they need access to detailed information about attacks that are occurring across the industry, across the nation, and across the dateline. Unfortunately, most businesses have no way of obtaining this kind of information because intrusion data is highly sensitive. Even if this data were available, making sense of it all would be a tremendous challenge for two reasons:

1. Each IDS and Firewall product reports incidents using its own unique terminology, thus complicating any effort to get an aggregate picture of attacks against multiple systems and organizations.

2. There is no way for security professionals to share data from their IDS and Firewall systems in real time.

Symantec recognizes these challenges, as well as the urgent need for a more proactive approach to threat management. Symantec DeepSight Threat Management System enables enterprises to better anticipate and prevent network attacks. Symantec DeepSight Threat Management System bridges the gap between awareness and action—enabling security professionals to deploy necessary countermeasures before an intruder targets their systems or harms their operations.

√ Symantec DeepSight Threat Management System: a global early warning system

Symantec DeepSight Threat Management System is a comprehensive and customizable threat management solution that provides early warning of attacks and best-practices countermeasures to prevent attacks before they affect the enterprise. Symantec DeepSight Threat Management System delivers a meaningful understanding of an organization’s potential exposure by evaluating IDS and Firewall events from organizations worldwide to identify trends, anomalies and attack patterns. This enables administrators to answer important questions such as:

• Are businesses with particular characteristics (such as industry, company size, or location) being targeted for attacks?

• Which IT products and platforms are being targeted, or are particularly vulnerable?

• Which vulnerabilities are most at risk?

• Which systems should be patched and in what order?

• Are attacks originating from specific IP addresses or countries?

• What kinds of attacks are increasing in frequency?

• Does the risk of attack increase during certain days of the week or times of day?

• What verified solutions, patches, or additional references are available to stop specific threats?

Like a long-range weather forecasting system, Symantec DeepSight Threat Management System enables businesses to take preventive action before disaster strikes. At the heart of the service is a data-gathering network that includes more than 19,000 registered data partners in over 180 countries. Expert threat analysts at Symantec continuously monitor this data—analyzing global activity, investigating suspicious traffic, and identifying attacks in their infancy.


Symantec DeepSight Threat Management System tracks attacks by type, source, time, location, and victim profile, and then enables IT personnel to use this data to evaluate risks and vulnerabilities with a revolutionary correlation engine and powerful analytical tools. This system delivers a snapshot of current Internet activity, along with a timely, customized threat analysis for each customer. Personalized threat alerts, malicious code alerts, and incident activity threshold alerts are delivered via a secure Web-based console, or email, fax, phone, or SMS text message. In addition, customers receive daily, weekly, and monthly summary reports. Symantec DeepSight Threat Management System also allows users to mine the Symantec Event Database through a custom reporting tool.

Table 1 lists the specific reports the Symantec DeepSight Threat Management System provides that help turn raw global IDS and Firewall log data into action for improved proactive threat mitigation.

Table 1. Reports provided by Symantec DeepSight Threat Management System (title: description)

Event Summary: Summary of event activity observed by DeepSight sensors. It is helpful in determining which events are the most prominent, and determining the history of these events.

Port Summary: Summary of port activity observed by DeepSight sensors. It is helpful in determining which ports are being targeted, and determining the trend of this activity.

Category Summary: Summary of event activity by the category or class of events that are being observed by DeepSight sensors.

Target Product Summary: Summary of the products and applications that are being targeted globally.

Origin Summary: Summary of where global events are originating. It is helpful in determining who is targeting DeepSight sensors, and determining the trend of attack activity from each source.

Destination Summary: Summary of the demographics being affected by events reported to the DeepSight Threat Management System.

IP Analysis: Provides insight into the activity of a single IP address that is observed by DeepSight sensors. This report consists of a number of components that reflect the activity, habits, and applications that the IP address is targeting. In correlating a number of these data points, this report presents the origin of the attacker, and the vulnerabilities and services targeted by the attacker.

Event Analysis: Provides a detailed analysis of activity surrounding a specific event. The report provides a history of event activity. It outlines who is originating the activity, and who is targeted.

Port Analysis: Provides a detailed analysis of activity surrounding a specific port. The report provides a history of activity targeting the chosen port. It outlines who is originating the activity, and who is targeted.

Originating ISP: Displays the top ten offending ISPs from which the greatest number of attacks originate, as well as the attack frequency values for each ISP.

Source IP Infection Rate: Provides a breakdown of the number of originating source IP addresses for a chosen criteria. This serves as an indicator of the rate of spread of a particular threat. In the case of a specific event related to a worm, it can also serve as an indicator of the number of infected systems.

Originating IPs: Provides a summary of the top originating IP addresses responsible for the chosen network activity. It contains a historical trend graph depicting the activity seen from the top addresses.

Associated Ports: Displays the most common associated source ports being used in an attack for a user-supplied destination port. The bar graph represents the top ten most widespread source ports being used in conjunction with a destination port supplied by the user, as well as the corresponding attack frequency values for each source port. This report indicates any Trojan or exploit patterns in the wild.

Originating Countries: Displays the top ten offending countries from which the greatest number of attacks originate.

Event Time: Provides a breakdown of the timeframe when network security events most commonly occur on your network. Knowledge of when these events occur allows for the tracking of historical activity and the allocation of resources for future planning.

Target Countries: Displays the top ten victim countries for which the greatest number of attacks are destined.

Target Industries: Displays the frequency of attacks targeted against specific industry types.

Attacks by Company Size: Displays the frequency of attacks targeted against companies of a particular employee size range.

Attacks by Company Revenue: Displays the frequency of attacks targeted against companies of a particular annual revenue range.

Attack Age: Provides an overview of events based around the age of the vulnerabilities associated with them, and the age of the events themselves.


√ How Symantec DeepSight Threat Management System works

With Symantec DeepSight Threat Management System, companies can focus their security resources on deploying critical countermeasures to proactively mitigate the impact of attacks, rather than searching dozens of Web sites or hundreds of emails trying to gather information on an attack and how to respond to it. Symantec gathers data from its partners, continuously correlating and analyzing the data to identify potential attacks and give customers timely, actionable, and specific threat and patch information to facilitate protection. In addition, an expert team of Symantec threat analysts examines the global data, identifying potential attacks and providing detailed alerts and analyses. Delivering specific, comprehensive, and actionable information into the hands of the security professionals immediately enables more efficient prioritization of security spending and resources, thereby increasing return on investment.

Figure 2 shows the key components of the Symantec DeepSight Threat Management System architecture.

• SYMANTEC DEEPSIGHT EXTRACTOR is a program that normalizes and transmits events from IDS and Firewall logs to the Symantec Event Database. A company can automatically upload its event data to the Symantec Event Database for interpretation and analysis. Symantec DeepSight Extractor ensures client confidentiality through industry standard secure networking protocols and optional IP address suppression.

• SYMANTEC DEEPSIGHT ANALYZER gives IT professionals the ability to track and manage incidents and attacks on their own networks. It automatically correlates attacks from disparate IDS and Firewall products, giving IT professionals a comprehensive view of their environments. Symantec DeepSight Analyzer compares incidents against the world’s largest vulnerability database (maintained by Symantec), tracks attacks and provides details on how to defend against them, generates statistical incident reports, and manages threats. Symantec DeepSight Analyzer users anonymously submit suspicious network traffic and intrusion attempts to the Symantec Event Database via Symantec DeepSight Extractor. Symantec uses this information to identify patterns in attacks that help serve as a threat-gauging system for the Symantec DeepSight Threat Management System. In return, participants receive access to a secure, personalized, Web-based incident console. The system consists of several timesaving utilities that provide local incident tracking, personalized incident reports, and the ability to generate attacker notification messages. NOTE: Submitting data to the global Symantec Event Database is optional for Symantec DeepSight Threat Management System users.

• SYMANTEC DEEPSIGHT THREAT MANAGEMENT SYSTEM automatically analyzes the incoming IDS and Firewall logs for patterns indicative of an attack. When identified, alerts can be automatically sent to users according to the criteria that they define. In addition, the team of Symantec Threat Analysts provides another level of review and analysis. This team of analysts provides a detailed analysis of the threat and actions that the users can implement to secure their environments.


Figure 2. Key components of the Symantec DeepSight Threat Management System architecture. [Diagram labels: attack data from IDS and Firewall systems; Symantec DeepSight Analyzer (local incident management); Symantec DeepSight Threat Management System (global threat management) with its attack correlation engine, vulnerability and event databases, and threat analysts; output of alerts, reports, and analysis.]

√ Symantec DeepSight Threat Management System in action

SQLEXP WORM (SLAMMER WORM)

On January 25, 2003, the DeepSight Threat Management System registered a sudden and extremely large increase in UDP traffic targeted at port 1434; this port is commonly associated with the Microsoft SQL Server Monitor process. This significant rise in attack activity was later confirmed to be the result of a memory-resident worm named W32.SQLExp.Worm.

W32.SQLExp.Worm exploits a stack overflow vulnerability in the Microsoft SQL Server Monitor process in order to distribute itself. As a result of SQLExp’s propagation process and generation of copious amounts of network traffic, degradation of network performance was observed throughout the Internet during the outbreak.


The worm did not carry a malicious payload, its primary goal being to propagate as quickly as possible. This worm could have been significantly more malicious, and could have contained code to damage infected systems. The primary impact of this worm was a consumption of network bandwidth, in some cases causing 100% packet loss on networks. This trait also initially led it to be mistaken as a denial of service attack.

Figure 3. SQLExp – Ports on the Rise reported by Symantec DeepSight Threat Management System

Symantec DeepSight Threat Management System automatically sent out a Port Alert at 06:00 GMT on January 25, when increased activity targeting port 1434 was observed by the analysis engine. Although the Port Alert was not able to determine the cause of the increased traffic, the information provided in this alert gave users an early warning that a global incident was occurring, so that customers could immediately block traffic on Port 1434, thereby avoiding infection and reducing the impact of this threat. Two hours later, Symantec DeepSight Threat Management System issued an Incident Alert that identified this threat as a worm. As more information became available, the Incident Alert was updated with more details about the worm itself, the vulnerability being targeted by the worm and direct links to the patches required to eliminate the vulnerability.

Symantec DeepSight Threat Management System customers received early warning about the SQLExp worm along with a detailed analysis of the threat, enabling administrators to respond quickly and effectively to protect their assets.
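A toy version of the pipeline described in the "How it works" section and exercised in the SQLExp case above, added here as an example that is not Symantec's code: it normalizes two constructed vendor log formats into one event schema (the Extractor step), applies optional source-address suppression, and raises a Port Alert when an hour's UDP/1434 count jumps well above the preceding hours' baseline, returning the number of distinct unsuppressed sources as a rough infection-rate indicator. All log lines, formats, thresholds, network ranges and function names are constructed assumptions.

```python
"""Constructed example of the pipeline the brief describes (not Symantec code):
normalize two hypothetical log formats into one event schema, optionally
suppress the submitting organization's own addresses, then raise a Port Alert
when an hour's activity on a port jumps well above the preceding baseline."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    hour: int    # UTC hour bucket the event falls in
    proto: str   # "udp" or "tcp"
    src: str     # originating address, or "suppressed"
    dport: int   # destination port


# Two hypothetical vendor log formats, constructed for this example.
# Vendor A: "2003-01-25 05:12:03 DROP UDP 198.51.100.7:1101 -> 192.0.2.9:1434"
VENDOR_A = re.compile(
    r"^\d{4}-\d\d-\d\d (\d\d):\d\d:\d\d \w+ (\w+) ([\d.]+):\d+ -> [\d.]+:(\d+)$")
# Vendor B: "Jan 25 06:07:44 ids1 alert: proto=udp src=198.51.100.7 dst=192.0.2.9 dpt=1434"
VENDOR_B = re.compile(
    r"^\w{3} \d\d (\d\d):\d\d:\d\d \S+ \w+: proto=(\w+) src=([\d.]+) dst=[\d.]+ dpt=(\d+)$")


def normalize(line: str) -> Optional[Event]:
    """Extractor step: map either vendor format onto the common schema."""
    for pattern in (VENDOR_A, VENDOR_B):
        m = pattern.match(line.strip())
        if m:
            hour, proto, src, dport = m.groups()
            return Event(int(hour), proto.lower(), src, int(dport))
    return None  # unknown format: dropped rather than guessed at


def suppress(ev: Event, own_nets: list) -> Event:
    """Optional IP suppression: hide sources inside the submitter's own ranges."""
    addr = ipaddress.ip_address(ev.src)
    if any(addr in ipaddress.ip_network(n) for n in own_nets):
        return Event(ev.hour, ev.proto, "suppressed", ev.dport)
    return ev


def port_alert(events, proto, dport, factor=5.0, min_events=10):
    """Port Alert check: flag the first hour whose hit count on proto/dport exceeds
    factor x the mean of the earlier hours (and at least min_events hits).
    Returns (alert_hour, distinct_unsuppressed_sources), or (None, 0) if quiet."""
    hits = defaultdict(list)
    for ev in events:
        if ev.proto == proto and ev.dport == dport:
            hits[ev.hour].append(ev.src)
    seen = []
    for hour in sorted(hits):
        n = len(hits[hour])
        baseline = sum(seen) / len(seen) if seen else 0.0
        if seen and n >= min_events and n > factor * baseline:
            # distinct external sources: a rough infection-rate indicator
            return hour, len({s for s in hits[hour] if s != "suppressed"})
        seen.append(n)
    return None, 0


def sample_log() -> list:
    """Constructed log: quiet hours 03-05 UTC, then a burst at 06 UTC."""
    lines = []
    for h in (3, 4, 5):
        lines.append(f"2003-01-25 {h:02d}:10:00 DROP UDP 203.0.113.{h}:1101 -> 192.0.2.9:1434")
        lines.append(f"Jan 25 {h:02d}:40:00 ids1 alert: proto=udp src=203.0.113.{h + 10} "
                     f"dst=192.0.2.9 dpt=1434")
    for i in range(12):  # burst: 12 hits, 2 from internal and 10 from external sources
        src = f"10.0.0.{i}" if i < 2 else f"198.51.100.{i}"
        lines.append(f"Jan 25 06:{i:02d}:00 ids1 alert: proto=udp src={src} dst=192.0.2.9 dpt=1434")
    lines.append("2003-01-25 06:30:00 DROP TCP 203.0.113.99:2222 -> 192.0.2.9:80")  # unrelated
    lines.append("unparseable vendor line")
    return lines


def run(own_nets=("10.0.0.0/8",)):
    """Full pipeline over the constructed log; returns (alert_hour, sources)."""
    events = [normalize(line) for line in sample_log()]
    events = [suppress(e, list(own_nets)) for e in events if e is not None]
    return port_alert(events, "udp", 1434)
```

On the constructed log, `run()` returns `(6, 10)`: the burst is flagged in the 06:00 UTC hour with ten distinct external sources, while the two internal addresses stay suppressed and the unrelated TCP/80 line and the unparseable line are ignored.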


√ Benefits of proactive security

By helping companies anticipate and prevent attacks before they happen, Symantec DeepSight Threat Management System enables enterprise IT staff to take a proactive approach to threat management with:

• EARLY WARNING OF ATTACKS. Incident and malicious code alerts pinpoint the sources, causes, and vulnerabilities of attacks—often within minutes of their propagation. This enables security staff to immediately take preventive action.

• CONFIGURATION-SPECIFIC ALERTS. Alerts can be customized and based on specific network infrastructure—no more reading through alerts about irrelevant technologies.

• ALLOCATING SECURITY RESOURCES MORE EFFECTIVELY. Symantec DeepSight Threat Management System helps security staff tailor their security strategy toward the specific incidents most likely to occur and the attacks with the greatest potential to harm their unique IT configuration. As a result, they can use their existing security infrastructure more strategically by identifying the most critical changes to implement and any additional investments that need to be made.

• REPLACING GUESSWORK WITH HARD DATA AND EXPERT ADVICE. Symantec DeepSight Threat Management System provides the objective facts and powerful analysis capabilities necessary to evaluate risks and make tough decisions such as when to isolate network operations or block groups of users. Because the data is immediately available from a Web-based console or via e-mail, fax, phone or SMS alerts, Symantec DeepSight Threat Management System dramatically reduces the time and effort required for security staff to research and track security events. They have constant access to alerts and analysis from anywhere in the world.

• PROVIDING A GLOBAL VIEW OF EMERGING SECURITY TRENDS. By comparing company log data with information from the global Symantec Event Database, Symantec DeepSight Threat Management System puts IDS and Firewall data into the proper context and perspective. The Symantec Event Database translates the unique incident reports and descriptions from every leading IDS and Firewall product into a consistent format, so administrators get the most accurate and comprehensive look at critical security trends worldwide.

√ Conclusion

Advances in security technology are often surpassed by new tools and techniques for would-be intruders. As additional physical and logical security mechanisms start to reach the point of diminishing returns, many businesses are learning that the most important and effective piece of the security puzzle is a proactive early warning solution.

With Symantec DeepSight Threat Management System, businesses can leverage the collective experience and expertise of network security experts around the world to better anticipate and help prevent attacks. By evaluating a company’s network profile and IDS and Firewall log data against similar information from thousands of other organizations, Symantec DeepSight Threat Management System delivers timely, specific, comprehensive, and actionable information into the hands of security professionals, resulting in a more efficient prioritization of security spending and resources.


WORLD HEADQUARTERS
20330 Stevens Creek Blvd., Cupertino, CA 95014 U.S.A.
408.517.8000 / 800.721.3934
www.symantec.com

For product information, in the U.S. call toll-free 800.756.7260.

Symantec has worldwide operations in 38 countries. For specific country offices and contact numbers please visit our Web site.

√ Glossary

If you are unfamiliar with any term this report uses, you can find more information and a glossary at http://securityresponse.symantec.com.

SYMANTEC, THE WORLD LEADER IN INTERNET SECURITY TECHNOLOGY AND SERVICES, PROVIDES A BROAD RANGE OF CONTENT AND NETWORK SECURITY SOFTWARE AND APPLIANCE SOLUTIONS TO ENTERPRISES, INDIVIDUALS, AND SERVICE PROVIDERS. THE COMPANY IS A LEADING PROVIDER OF CLIENT, GATEWAY, AND SERVER SECURITY SOLUTIONS FOR VIRUS PROTECTION, FIREWALL AND VIRTUAL PRIVATE NETWORK, VULNERABILITY MANAGEMENT, INTRUSION DETECTION, INTERNET CONTENT AND E-MAIL FILTERING AND REMOTE MANAGEMENT TECHNOLOGIES, AS WELL AS SECURITY SERVICES TO ENTERPRISES AND SERVICE PROVIDERS AROUND THE WORLD. SYMANTEC'S NORTON BRAND OF CONSUMER SECURITY PRODUCTS IS A LEADER IN WORLDWIDE RETAIL SALES AND INDUSTRY AWARDS. HEADQUARTERED IN CUPERTINO, CALIF., SYMANTEC HAS WORLDWIDE OPERATIONS IN 38 COUNTRIES. FOR MORE INFORMATION, PLEASE VISIT WWW.SYMANTEC.COM


Symantec, the Symantec logo, and DeepSight are US registered trademarks of Symantec Corporation or its subsidiaries. DeepSight Analyzer, DeepSight Extractor, and Bugtraq are trademarks of Symantec Corporation or its subsidiaries. Other brands and products are trademarks of their respective holders. Copyright © 2003 Symantec Corporation. All rights reserved. Printed in the U.S.A. 04/03. All product information is subject to change. 10040177