Symantec™ DeepSight™ Threat Management System
Helping to protect networks from active threats with an industry-leading early warning security system
TECHNOLOGY BRIEF
Symantec Enterprise Security
INSIDE
∆ The growing business risk
∆ Symantec Deepsight Threat Management System: a global early warning system
∆ Benefits of proactive security
Symantec DEEPSIGHT™ THREAT MANAGEMENT SYSTEM
Contents
Executive summary ..... 3
The growing business risks ..... 3
Proactive security: information, expertise, and configuration ..... 4
Symantec DeepSight Threat Management System: a global early warning system ..... 5
How Symantec DeepSight Threat Management System works ..... 8
Symantec DeepSight Threat Management System in action ..... 9
Benefits of proactive security ..... 11
Conclusion ..... 11
Glossary ..... 12
√ Executive summary
Symantec DeepSight Threat Management System is a comprehensive and customizable early
warning system providing notification of global attacks and best-practices countermeasures to help
prevent attacks before they affect the enterprise.
The last few years have seen an extraordinary increase in intrusions, denial of service attacks,
worms, blended threats and other attacks on computer systems. In response, companies have been
forced to take a more strategic approach to network security that relies on systematically gathering,
analyzing, and acting upon detailed risk and vulnerability information. Intrusion Detection Systems
(IDS) are an important weapon in the war against network attacks, but until now their use has been
largely reactive. Network security professionals are so busy trying to keep up—analyzing prior
attacks and putting out fires—that they rarely have the time or resources to anticipate the next attack.
Firewalls provide another layer of protection against attacks. But firewalls are much more effective
when they are properly configured to stop malicious traffic. The challenge for administrators is
knowing what the new threats are, so that they can take the necessary steps to secure their systems,
while not inhibiting their ability to conduct business.
This paper describes how Symantec DeepSight Threat Management System delivers actionable,
customized, proactive intelligence from Symantec security experts who track attacks on businesses
around the world every day. With Symantec DeepSight Threat Management System, companies can fine
tune security strategies, reduce the time spent researching and tracking security events, analyze relevant
metrics and attack statistics, and free up security staff to take decisive action before attacks occur.
√ The growing business risks
The Internet’s phenomenal expansion has come with a corresponding explosion in the number of
security threats. As Figure 1 illustrates, CERT (Computer Emergency Response Team)/CC—a major
reporting center that tracks Internet security problems—has seen rapid growth across every incident
category, including:
• Attempts to gain unauthorized access to a system or its data
• Unwanted disruption or denial of service
• Unauthorized use of a system for the processing or storage of data
• Changes to system hardware, firmware, or software characteristics without the owner’s
knowledge, instruction, or consent [1]
The problem is more than just one of
numbers. As companies worldwide in every
industry rely increasingly on the Internet to
manage and grow their business, the potential
disruptive effects and economic impact of
each attack skyrockets. In 2002, the average
loss per system penetration by an outsider
incident was a staggering $226,000. [2]
Figure 1. The rapid increase in network security incidents has paralleled the phenomenal expansion of the Internet (source: CERT/CC). [Bar chart: y-axis "Network intrusions", 0 to 90,000; x-axis years 1988 to 2002.]
[1] Source: CERT Coordination Center Incident Reporting Guidelines. Copyright © 1998, 1999, 2000, 2001, 2002 Carnegie Mellon University.
[2] Source: Computer Security Institute/Federal Bureau of Investigation 2002 Computer Crime and Security Survey.
With the occurrence and potential cost of network attacks so high—and continuing to rise—
businesses understand that they must marshal all their resources to defend against intruders. For
many companies, the first line of defense is to build stronger and thicker walls around their computer
assets by installing a broad range of logical and physical security mechanisms. As the tools and
techniques of would-be intruders increase in sophistication, so too must the security products.
Businesses now realize that to truly optimize the strength of their security posture, an early warning
system that allows for the proactive management of threats and vulnerabilities is an important piece
of the security puzzle. Effective enterprise information security teams require timely, configuration-
specific, accurate, comprehensive, and actionable knowledge about the risks, vulnerabilities, and
pathology of attacks. A threat management system is vital for IT managers to make quick, accurate,
and informed decisions to protect their systems.
√ Proactive security: information, expertise, and configuration
Developing an effective threat management strategy requires security professionals to gather and
analyze a broad range of general security information from many different sources, including
vulnerability and virus alerts, mailing lists, news articles, and managed security service providers.
Many different systems and services have emerged to help IT experts find, manage, and act upon
this information. Among the weapons in the security arsenal are Intrusion Detection Systems (IDS),
products that continuously monitor networks and keep detailed logs of any intrusions or attacks.
Similarly, Firewalls enable users to filter network activity and keep detailed logs of this activity.
By themselves, Intrusion Detection Systems are limited. They enable IT managers to track and react
to what happens within their own discrete networks. The same applies to the analysis of an individual
organization’s firewall logs. These systems provide an excellent view of current threats to the
enterprise, but may create a highly subjective view of risks and vulnerabilities. Without
understanding the larger context, security professionals may make decisions and formulate
responses that do not maximize their security posture. For example:
• IDS and Firewall logs alone cannot reveal whether activity is specifically targeted at a single
company, or if it is part of a larger attack on multiple organizations.
• IDS products do a good job of identifying current attacks, but do little to help businesses
evaluate and reduce the risk of future attacks, resulting in a reactive security model.
• Firewall systems are only as good as their configuration. Only when administrators know
about global threats are they able to optimize their firewalls to protect their assets.
Organizations need a way to leverage the collective experience and expertise of network security
experts around the world, so they can anticipate and thwart attacks before they happen. However,
most attempts at taking a more proactive approach to threat management have been hampered by
factors such as:
• The lack of a global system of sensors to monitor attack activity
• The sheer volume of data required to create a statistically sound sample set
• The lack of technology to analyze this data
Furthermore, the growing number, complexity, and success rate of attacks make it extremely difficult
for security professionals to assess their vulnerability solely by analyzing intrusions occurring within
their perimeter. To help them see patterns and trends, they need access to detailed information
about attacks that are occurring across the industry, across the nation, and across the dateline.
Unfortunately, most businesses have no way of obtaining this kind of information because intrusion
data is highly sensitive. Even if this data were available, making sense of it all would be a tremendous
challenge for two reasons:
1. Each IDS and Firewall product reports incidents using its own unique terminology, thus complicating
any effort to get an aggregate picture of attacks against multiple systems and organizations.
2. There is no way for security professionals to share data from their IDS and Firewall systems in
real time.
Symantec recognizes these challenges, as well as the urgent need for a more proactive approach to
threat management. Symantec DeepSight Threat Management System enables enterprises to better
anticipate and prevent network attacks. Symantec DeepSight Threat Management System bridges
the gap between awareness and action—enabling security professionals to deploy necessary
countermeasures before an intruder targets their systems or harms their operations.
√ Symantec DeepSight Threat Management System: a global early warning system
Symantec DeepSight Threat Management System is a comprehensive and customizable threat
management solution that provides early warning of attacks and best-practices countermeasures to
prevent attacks before they affect the enterprise. Symantec DeepSight Threat Management System
delivers a meaningful understanding of an organization’s potential exposure by evaluating IDS and
Firewall events from organizations worldwide to identify trends, anomalies and attack patterns. This
enables administrators to answer important questions such as:
• Are businesses with particular characteristics (such as industry, company size, or location)
being targeted for attacks?
• Which IT products and platforms are being targeted, or are particularly vulnerable?
• Which vulnerabilities are most at risk?
• Which systems should be patched and in what order?
• Are attacks originating from specific IP addresses or countries?
• What kinds of attacks are increasing in frequency?
• Does the risk of attack increase during certain days of the week or times of day?
• What verified solutions, patches, or additional references are available to stop specific threats?
Like a long-range weather forecasting system, Symantec DeepSight Threat Management System
enables businesses to take preventive action before disaster strikes. At the heart of the service is a
data-gathering network that includes more than 19,000 registered data partners in over 180
countries. Expert threat analysts at Symantec continuously monitor this data—analyzing global
activity, investigating suspicious traffic, and identifying attacks in their infancy.
Symantec DeepSight Threat Management System tracks attacks by type, source, time, location, and
victim profile, and then enables IT personnel to use this data to evaluate risks and vulnerabilities with
a revolutionary correlation engine and powerful analytical tools. This system delivers a snapshot of
current Internet activity, along with a timely, customized, threat analysis for each customer.
Personalized threat alerts, malicious code alerts, and incident activity threshold alerts are delivered
via a secure Web-based console, or email, fax, phone, or SMS text message. In addition, customers
receive daily, weekly, and monthly summary reports. Symantec DeepSight Threat Management
System also allows users to mine the Symantec Event Database through a custom reporting tool.
Table 1 lists the specific reports the Symantec DeepSight Threat Management System provides that
help turn raw global IDS and Firewall log data into action for improved proactive threat mitigation.
Table 1. Reports provided by Symantec DeepSight Threat Management System
Title Description
Event Summary Summary of event activity observed by DeepSight sensors. It is helpful
in determining which events are the most prominent, and determining
the history of these events.
Port Summary Summary of port activity observed by DeepSight sensors. It is helpful
in determining which ports are being targeted, and determining the
trend of this activity.
Category Summary Summary of event activity by the category or class of events that are
being observed by DeepSight sensors.
Target Product Summary Summary of the products and applications that are being
targeted globally.
Origin Summary Summary of where global events are originating. It is helpful in
determining who is targeting DeepSight sensors, and determining the
trend of attack activity from each source.
Destination Summary Summary of the demographics being affected by events reported to
the DeepSight Threat Management System.
IP Analysis Provides insight into the activity of a single IP address that is observed
by DeepSight sensors. This report consists of a number of
components that reflect the activity, habits, and applications that the
IP address is targeting. In correlating a number of these data points,
this report presents the origin of the attacker, and the vulnerabilities
and services targeted by the attacker.
Event Analysis Provides a detailed analysis of activity surrounding a specific event.
The report provides a history of event activity. It outlines who is
originating the activity, and who is targeted.
Port Analysis Provides a detailed analysis of activity surrounding a specific port.
The report provides a history of activity targeting the chosen port. It
outlines who is originating the activity, and who is targeted.
Originating ISP Displays the top ten offending ISPs from which the greatest number of
attacks originate, as well as the attack frequency values for each ISP.
Source IP Infection Rate Provides a breakdown of the number of originating source IP addresses
for a chosen criteria. This serves as an indicator of the rate of spread
of a particular threat. In the case of a specific event related to a worm,
it can also serve as an indicator of the number of infected systems.
Originating IPs Provides a summary of the top originating IP addresses responsible
for the chosen network activity. It contains a historical trend graph
depicting the activity seen from the top addresses.
Associated Ports Displays the most common associated source ports being used in an
attack for a user-supplied destination port. The bar graph represents
the top ten most widespread source ports being used in conjunction
with a destination port supplied by the user, as well as the
corresponding attack frequency values for each source port. This report
indicates any Trojan or exploit patterns in the wild.
Originating Countries Displays the top ten offending countries from which the greatest
number of attacks originate.
Event Time Provides a breakdown of the timeframe when network security events
most commonly occur on your network. Knowledge of when these
events occur allows for the tracking of historical activity and the
allocation of resources for future planning.
Target Countries Displays the top ten victim countries for which the greatest number of
attacks are destined.
Target Industries Displays the frequency of attacks targeted against specific
industry types.
Attacks by Company Size Displays the frequency of attacks targeted against companies of a
particular employee size range.
Attacks by Company Revenue Displays the frequency of attacks targeted against companies of a
particular annual revenue range.
Attack Age Provides an overview of events based around the age of the
vulnerabilities associated with them, and the age of the events
themselves.
√ How Symantec DeepSight Threat Management System works
With Symantec DeepSight Threat Management System, companies can focus their security
resources on deploying critical countermeasures to proactively mitigate the impact of attacks, rather
than searching dozens of Web sites or hundreds of emails trying to gather information on an attack
and how to respond to it. Symantec gathers data from its partners, continuously correlating and
analyzing the data to identify potential attacks and give customers timely, actionable, and specific
threat and patch information to facilitate protection. In addition, an expert team of Symantec threat
analysts examines the global data, identifying potential attacks and providing detailed alerts and
analyses. Delivering specific, comprehensive, and actionable information into the hands of the
security professionals immediately enables more efficient prioritization of security spending and
resources, thereby increasing return on investment.
Figure 2 shows the key components of the Symantec DeepSight Threat Management System
architecture.
• SYMANTEC DEEPSIGHT EXTRACTOR is a program that normalizes and transmits events from IDS
and Firewall logs to the Symantec Event Database. A company can automatically upload its
event data to the Symantec Event Database for interpretation and analysis. Symantec
DeepSight Extractor ensures client confidentiality through industry standard secure networking
protocols and optional IP address suppression.
• SYMANTEC DEEPSIGHT ANALYZER gives IT professionals the ability to track and manage
incidents and attacks on their own networks. It automatically correlates attacks from disparate
IDS and Firewall products, giving IT professionals a comprehensive view of their environments.
Symantec DeepSight Analyzer compares incidents against the world’s largest vulnerability
database (maintained by Symantec), tracks attacks and provides details on how to defend
against them, generates statistical incident reports, and manages threats. Symantec DeepSight
Analyzer users anonymously submit suspicious network traffic and intrusion attempts to the
Symantec Event Database via Symantec DeepSight Extractor. Symantec uses this information to
identify patterns in attacks that help serve as a threat-gauging system for the Symantec DeepSight
Threat Management System. In return, participants receive access to a secure, personalized,
Web-based incident console. The system consists of several timesaving utilities that provide
local incident tracking, personalized incident reports, and the ability to generate attacker
notification messages. NOTE: Submitting data to the global Symantec Event database is optional
for Symantec DeepSight Threat Management System users.
• SYMANTEC DEEPSIGHT THREAT MANAGEMENT SYSTEM automatically analyzes the incoming IDS
and Firewall logs for patterns indicative of an attack. When identified, alerts can be
automatically sent to users according to the criteria that they define. In addition, the team of
Symantec Threat Analysts provides another level of review and analysis. This team of analysts
provides a detailed analysis of the threat and actions that the users can implement to secure
their environments.
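The Extractor component above does two things that are easy to describe and worth seeing concretely: it maps each vendor's own log vocabulary onto one common event schema, and it optionally hides the submitting site's addresses before anything leaves the network. The following is an added illustration written for this page, not Symantec's code. The two log line formats (an iptables-style firewall drop and a Snort-style IDS alert), the NormalizedEvent fields, and the decision to pseudonymize only the site's own destination addresses (leaving the external source address intact so it can still be correlated globally) are all assumptions made for the example.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample lines in two made-up vendor formats. Addresses are from
# documentation ranges; these are not real DeepSight Extractor inputs.
SAMPLE_LINES = [
    "Jan 25 05:31:02 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=UDP SPT=1031 DPT=1434",
    "Jan 25 05:31:03 fw1 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.21 PROTO=TCP SPT=40211 DPT=445",
    "01/25-05:31:05.120000 [**] [1:2003:1] MS-SQL Worm propagation attempt [**] {UDP} 203.0.113.7:1031 -> 198.51.100.20:1434",
    "this line is not in any known format",
]


@dataclass(frozen=True)
class NormalizedEvent:
    """Common schema every vendor line is mapped to before submission (assumed fields)."""
    timestamp: str
    sensor_type: str          # "firewall" or "ids"
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    signature: Optional[str]  # IDS signature name; None for a plain firewall drop


# Parsers for the two hypothetical formats. A real normalizer would carry one
# such parser per supported product.
FIREWALL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ kernel: \w+ .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)
IDS_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[[^\]]+\] (?P<sig>.+?) \[\*\*\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<spt>\d+) -> (?P<dst>[\d.]+):(?P<dpt>\d+)"
)


def suppress_ip(ip: str, salt: bytes) -> str:
    """Replace an address with a keyed pseudonym. The same address always maps to
    the same token, so the receiving side can still group events per host without
    learning the real address. The salt stays with the submitting site."""
    digest = hashlib.sha256(salt + ip.encode("ascii")).hexdigest()[:12]
    return "anon-" + digest


def normalize_line(line: str, salt: Optional[bytes] = None) -> Optional[NormalizedEvent]:
    """Map one raw line onto the common schema, or return None if no parser matches."""
    m = FIREWALL_RE.match(line)
    if m:
        sensor, sig = "firewall", None
    else:
        m = IDS_RE.match(line)
        if not m:
            return None
        sensor, sig = "ids", m.group("sig")
    dst = m.group("dst")
    if salt is not None:
        # Assumption: only the site's own (destination) addresses are suppressed.
        dst = suppress_ip(dst, salt)
    return NormalizedEvent(
        timestamp=m.group("ts"),
        sensor_type=sensor,
        src_ip=m.group("src"),
        dst_ip=dst,
        proto=m.group("proto").upper(),
        src_port=int(m.group("spt")),
        dst_port=int(m.group("dpt")),
        signature=sig,
    )


def normalize(lines: Iterable[str], salt: Optional[bytes] = None) -> List[NormalizedEvent]:
    """Normalize a batch, skipping lines no parser understands (a production
    extractor would count and report those rather than drop them silently)."""
    events = []
    for line in lines:
        ev = normalize_line(line, salt)
        if ev is not None:
            events.append(ev)
    return events


if __name__ == "__main__":
    for ev in normalize(SAMPLE_LINES, salt=b"example-site-secret"):
        print(ev)
```

Keyed hashing rather than plain hashing matters here: with an unkeyed SHA-256, anyone holding the submitted data could recover the address space by hashing every candidate IP, which defeats the point of suppression.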
Figure 2. Key components of the Symantec DeepSight Threat Management System architecture
√ Symantec DeepSight Threat Management System in action
SQLEXP WORM (SLAMMER WORM)
On January 25, 2003, the DeepSight Threat Management System registered a sudden and
extremely large increase in UDP traffic targeted at port 1434; this port is commonly associated with
the Microsoft SQL Server Monitor process. This significant rise in attack activity was later confirmed
to be the result of a memory-resident worm named W32.SQLExp.Worm.
W32.SQLExp.Worm exploits a stack overflow vulnerability in the Microsoft SQL Server Monitor
process in order to distribute itself. As a result of SQLExp’s propagation process and generation of
copious amounts of network traffic, degradation of network performance was observed throughout
the Internet during the outbreak.
[Figure 2 diagram labels: Attack data; IDS and Firewall Systems; Symantec DeepSight Analyzer; Symantec DeepSight Threat Management System; Alerts, Reports, and Analysis; Threat Analysts; Vulnerability and Event Databases; Global Threat Management; Local Incident Management; Attack Correlation Engine.]
The worm did not carry a malicious payload, its primary goal being to propagate as quickly as
possible. This worm could have been significantly more malicious, and could have contained code to
damage infected systems. The primary impact of this worm was a consumption of network
bandwidth, in some cases, causing 100% packet loss on networks. This trait also initially led it to be
mistaken as a denial of service attack.
Figure 3. SQLExp – Ports on the Rise reported by Symantec DeepSight Threat Management System
Symantec DeepSight Threat Management System automatically sent out a Port Alert at 06:00 GMT
on January 25, when increased activity targeting port 1434 was observed by the analysis engine.
Although the Port Alert was not able to determine the cause of the increased traffic, the information
provided in this alert gave users an early warning that a global incident was occurring, so that
customers could immediately block traffic on Port 1434, thereby avoiding infection and reducing the
impact of this threat. Two hours later, Symantec DeepSight Threat Management System issued an
Incident Alert that identified this threat as a worm. As more information became available, the
Incident Alert was updated with more details about the worm itself, the vulnerability being targeted
by the worm and direct links to the patches required to eliminate the vulnerability.
Symantec DeepSight Threat Management System customers received early warning about the
SQLExp worm along with a detailed analysis of the threat, enabling administrators to respond quickly
and effectively to protect their assets.
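The Port Alert described above fired on a volume anomaly alone, before anyone knew the cause. As an added example of that kind of threshold logic (illustrative code written for this page, not DeepSight's analysis engine), the block below aggregates constructed firewall-drop records into hourly buckets per protocol and destination port, compares each hour against the preceding window, and raises an alert when the count exceeds both a floor and a multiple of the baseline. It also reports the number of distinct source addresses in the spike, which is the same signal the Source IP Infection Rate report uses to gauge spread. The sample data, the hour buckets, the window length and the thresholds are all assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Event record: (hour bucket, protocol, destination port, source IP).
Event = Tuple[int, str, int, str]
PortKey = Tuple[str, int]


def build_sample_events() -> List[Event]:
    """Constructed data loosely shaped like the outbreak above: six quiet hours,
    then a burst on UDP/1434 from many distinct sources, while TCP/445 stays flat."""
    events: List[Event] = []
    for hour in range(6):
        events.append((hour, "UDP", 1434, "203.0.113.5"))
        for i in range(10):
            events.append((hour, "TCP", 445, f"203.0.113.{10 + i % 3}"))
    for i in range(60):
        events.append((6, "UDP", 1434, f"198.51.100.{1 + i % 40}"))
    for i in range(10):
        events.append((6, "TCP", 445, f"203.0.113.{10 + i % 3}"))
    return events


@dataclass(frozen=True)
class PortAlert:
    hour: int
    proto: str
    dst_port: int
    count: int              # events in the alerting hour
    baseline: float         # mean events per hour over the preceding window
    distinct_sources: int   # how many different sources drove the spike


def aggregate(events: List[Event]):
    """Per (proto, port): events per hour and the set of sources seen per hour."""
    counts: Dict[PortKey, Counter] = defaultdict(Counter)
    sources: Dict[PortKey, Dict[int, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for hour, proto, dport, src in events:
        counts[(proto, dport)][hour] += 1
        sources[(proto, dport)][hour].add(src)
    return counts, sources


def detect_port_spikes(events: List[Event], window: int = 6,
                       factor: float = 5.0, min_events: int = 20) -> List[PortAlert]:
    """Raise an alert for any hour whose count is at least min_events and more than
    factor times the mean of the preceding `window` hours. The floor keeps a port
    that goes from one drop to three from alerting; the multiple keeps a busy port
    that grows a little from alerting. Both thresholds are assumed values."""
    counts, sources = aggregate(events)
    alerts: List[PortAlert] = []
    for key, per_hour in counts.items():
        for hour in sorted(per_hour):
            if hour - window < 0:
                continue  # not enough history for a baseline yet
            prior = [per_hour.get(h, 0) for h in range(hour - window, hour)]
            baseline = sum(prior) / window
            count = per_hour[hour]
            if count >= min_events and count > factor * baseline:
                alerts.append(PortAlert(hour, key[0], key[1], count, baseline,
                                        len(sources[key][hour])))
    return sorted(alerts, key=lambda a: (a.hour, -a.count))


if __name__ == "__main__":
    for alert in detect_port_spikes(build_sample_events()):
        print(f"hour {alert.hour}: {alert.proto}/{alert.dst_port} {alert.count} events "
              f"(baseline {alert.baseline:.1f}/h) from {alert.distinct_sources} sources")
```

A real engine would compute the baseline per sensor and per time-of-day rather than a flat trailing mean (the Event Time report exists for exactly that reason), but the shape of the decision is the same: an alert on volume and source diversity can go out hours before the cause is identified.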
√ Benefits of proactive security
By helping companies anticipate and prevent attacks before they happen, Symantec DeepSight
Threat Management System enables enterprise IT staff to take a proactive approach to threat
management with:
• EARLY WARNING OF ATTACKS. Incident and malicious code alerts pinpoint the sources, causes,
and vulnerabilities of attacks—often within minutes of their propagation. This enables security
staff to immediately take preventive action.
• CONFIGURATION-SPECIFIC ALERTS. Alerts can be customized and based on specific network
infrastructure—no more reading through alerts about irrelevant technologies.
• ALLOCATING SECURITY RESOURCES MORE EFFECTIVELY. Symantec DeepSight Threat
Management System helps security staff tailor their security strategy toward the specific incidents most
likely to occur and the attacks with the greatest potential to harm their unique IT configuration.
As a result, they can use their existing security infrastructure more strategically by identifying
the most critical changes to implement and any additional investments that need to be made.
• REPLACING GUESSWORK WITH HARD DATA AND EXPERT ADVICE. Symantec DeepSight Threat
Management System provides the objective facts and powerful analysis capabilities necessary
to evaluate risks and make tough decisions such as when to isolate network operations or block
groups of users. Because the data is immediately available from a Web-based console or via
email, fax, phone or SMS alerts, Symantec DeepSight Threat Management System dramatically
reduces the time and effort required for security staff to research and track security events.
They have constant access to alerts and analysis from anywhere in the world.
• PROVIDING A GLOBAL VIEW OF EMERGING SECURITY TRENDS. By comparing company log data
with information from the global Symantec Event Database, Symantec DeepSight Threat
Management System puts IDS and Firewall data into the proper context and perspective. The
Symantec Event Database translates the unique incident reports and descriptions from every
leading IDS and Firewall product into a consistent format, so administrators get the most
accurate and comprehensive look at critical security trends worldwide.
√ Conclusion
Advances in security technology are often surpassed by new tools and techniques for would-be
intruders. As additional physical and logical security mechanisms start to reach the point of
diminishing returns, many businesses are learning that the most important and effective piece of the
security puzzle is a proactive early warning solution.
With Symantec DeepSight Threat Management System, businesses can leverage the collective
experience and expertise of network security experts around the world to better anticipate and help
prevent attacks. By evaluating a company’s network profile and IDS and Firewall log data against
similar information from thousands of other organizations, Symantec DeepSight Threat Management
System delivers timely, specific, comprehensive, and actionable information into the hands of
security professionals, resulting in a more efficient prioritization of security spending and resources.
WORLD HEADQUARTERS
20330 Stevens Creek Blvd.
Cupertino, CA 95014 U.S.A.
408.517.8000
800.721.3934
www.symantec.com
For Product information
In the U.S. call toll-free
800.756.7260
Symantec has worldwide
operations in 38 countries.
For specific country offices
and contact numbers please
visit our Web site.
√ Glossary
If you are unfamiliar with any term this report uses, you can find more information and a glossary at
http://securityresponse.symantec.com.
SYMANTEC, THE WORLD LEADER IN INTERNET SECURITY TECHNOLOGY AND SERVICES, PROVIDES A BROAD RANGE OF CONTENT
AND NETWORK SECURITY SOFTWARE AND APPLIANCE SOLUTIONS TO ENTERPRISES, INDIVIDUALS, AND SERVICE PROVIDERS.
THE COMPANY IS A LEADING PROVIDER OF CLIENT, GATEWAY, AND SERVER SECURITY SOLUTIONS FOR VIRUS PROTECTION,
FIREWALL AND VIRTUAL PRIVATE NETWORK, VULNERABILITY MANAGEMENT, INTRUSION DETECTION, INTERNET CONTENT AND E-
MAIL FILTERING AND REMOTE MANAGEMENT TECHNOLOGIES, AS WELL AS SECURITY SERVICES TO ENTERPRISES AND SERVICE
PROVIDERS AROUND THE WORLD. SYMANTEC'S NORTON BRAND OF CONSUMER SECURITY PRODUCTS IS A LEADER IN
WORLDWIDE RETAIL SALES AND INDUSTRY AWARDS. HEADQUARTERED IN CUPERTINO, CALIF., SYMANTEC HAS WORLDWIDE
OPERATIONS IN 38 COUNTRIES. FOR MORE INFORMATION, PLEASE VISIT WWW.SYMANTEC.COM
Symantec, the Symantec logo, and DeepSight are US registered trademarks of Symantec Corporation or its subsidiaries. DeepSight Analyzer, DeepSight Extractor, and Bugtraq are trademarks of Symantec Corporation or its subsidiaries. Other brands and products are trademarks of their respective holders. Copyright © 2003 Symantec Corporation. All rights reserved. Printed in the U.S.A. 04/03. All product information is subject to change. 10040177