
Symantec Offers Early Warning of Net Threats

Security company is using a worldwide network of firewall and intrusion-detection systems to prevent cyberattacks.

Paul Roberts, IDG News Service


In a sign that it is continuing to digest the technology it swallowed with three high-profile purchases last July, Symantec announced an upgrade to the DeepSight Threat Management System, which came with its acquisition of SecurityFocus.

DeepSight Threat Management System is an early-warning system that uses a worldwide network of firewall and intrusion-detection systems maintained by more than 19,000 data partners to aggregate and correlate attack data.

The system provides security administrators with analyses of emerging threats, tailoring those alerts to a customer's network configuration. It is designed to combine advance warning with targeted countermeasures to prevent or mitigate the effect of attacks, according to Symantec.

New Features

Version 4 of the DeepSight Threat Management System, announced on Wednesday, includes a number of new features, according to Symantec:

  • The addition of firewall data to the threat information tracked by the system, allowing Symantec's DeepSight security analysts to detect impending attacks from anomalous traffic and port activity.

  • Customization features that allow security administrators to filter DeepSight notifications by severity, impact, or affected software version. Administrators can also choose the format in which notifications are sent, such as e-mail, fax, telephone, or short message service.

  • Expanded reporting tools and statistics. Security administrators can break out threat activity related to specific IP addresses, events, or ports to better understand emerging Internet attacks. A new reporting wizard will help security administrators set up their own customized reports.

The release of DeepSight Threat Management version 4 follows the November release of version 4 of the related DeepSight Alert Services, which notifies customers about emerging threats.

Stopping Slammer

Symantec is marketing the DeepSight technology as a hedge against fast-spreading threats such as the recent W32.Slammer worm.

DeepSight began tracking the Slammer worm hours before it began propagating, and issued alerts and procedures to administrators to prevent infection, according to Symantec.

An industry analyst expressed skepticism that subscribing to DeepSight in order to get early word of widely publicized outbreaks such as Slammer would be a worthwhile investment.

"It doesn't really help if at midnight you're notified (by DeepSight) that there's a huge attack taking place because these days, you're probably hearing about it from your local news," said John Pescatore, an Internet security researcher at Gartner.

The flood of early warnings about Slammer that were available within hours of the outbreak, for free, undermines the value of the DeepSight subscription for widespread outbreaks, Pescatore said.

The service is more valuable for low-profile and targeted attacks, according to Pescatore.

"Symantec can say 'We've got 19,000 companies, and we're seeing attacks targeting financial services companies or energy companies or banks,'" Pescatore said.

Companies can also determine whether an attack they are experiencing is part of a larger Internet attack, or whether it is targeted specifically at their network, according to Pescatore.
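Pescatore's point, and the firewall and per-port statistics listed among the new features above, amount to one analysis: compare the port mix a single site's firewall is dropping with the mix reported across a wide sensor network. The following is an added example of that comparison, not code from Symantec or DeepSight; the iptables-style drop lines, the partner-wide baseline shares and the 20 percent thresholds are all constructed for illustration (udp/1434 is used because Slammer spread over that port).

```python
"""
Separate a broad Internet-wide outbreak from activity aimed at one network by
comparing a site's own firewall drops with a wide-area baseline.
Added example; every input below is constructed, not captured data.
"""
import re
from collections import Counter, defaultdict

# Constructed iptables-style DROP lines from one site's firewall (the local view).
# Six udp/1434 hits from six sources, five tcp/1521 hits from one source, two tcp/80.
LOCAL_FIREWALL_LOG = """\
Jan 25 05:31:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=UDP SPT=1434 DPT=1434
Jan 25 05:31:02 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.10 PROTO=UDP SPT=1434 DPT=1434
Jan 25 05:31:03 fw kernel: DROP IN=eth0 SRC=203.0.113.21 DST=198.51.100.10 PROTO=UDP SPT=1434 DPT=1434
Jan 25 05:31:03 fw kernel: DROP IN=eth0 SRC=203.0.113.88 DST=198.51.100.11 PROTO=UDP SPT=1434 DPT=1434
Jan 25 05:31:04 fw kernel: DROP IN=eth0 SRC=203.0.113.130 DST=198.51.100.11 PROTO=UDP SPT=1434 DPT=1434
Jan 25 05:31:04 fw kernel: DROP IN=eth0 SRC=203.0.113.201 DST=198.51.100.12 PROTO=UDP SPT=1434 DPT=1434
Jan 25 05:32:10 fw kernel: DROP IN=eth0 SRC=192.0.2.44 DST=198.51.100.20 PROTO=TCP SPT=51001 DPT=1521
Jan 25 05:32:11 fw kernel: DROP IN=eth0 SRC=192.0.2.44 DST=198.51.100.21 PROTO=TCP SPT=51002 DPT=1521
Jan 25 05:32:12 fw kernel: DROP IN=eth0 SRC=192.0.2.44 DST=198.51.100.22 PROTO=TCP SPT=51003 DPT=1521
Jan 25 05:32:13 fw kernel: DROP IN=eth0 SRC=192.0.2.44 DST=198.51.100.23 PROTO=TCP SPT=51004 DPT=1521
Jan 25 05:32:14 fw kernel: DROP IN=eth0 SRC=192.0.2.44 DST=198.51.100.24 PROTO=TCP SPT=51005 DPT=1521
Jan 25 05:33:00 fw kernel: DROP IN=eth0 SRC=198.18.0.5 DST=198.51.100.10 PROTO=TCP SPT=40000 DPT=80
Jan 25 05:33:30 fw kernel: DROP IN=eth0 SRC=198.18.0.6 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=80
"""

# Constructed stand-in for the partner-wide view: share of all drops reported
# across the sensor network, keyed by proto/port. A real feed would supply this.
GLOBAL_SHARE = {"udp/1434": 0.55, "tcp/445": 0.12, "tcp/80": 0.06, "tcp/1521": 0.01}

# In iptables LOG output SRC= precedes PROTO=, which precedes DPT=.
FIELD_RE = re.compile(r"SRC=(?P<src>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)")


def parse_drops(log_text):
    """Yield (proto/port, source address) for each line carrying SRC, PROTO and DPT."""
    for line in log_text.splitlines():
        m = FIELD_RE.search(line)
        if m:
            yield f"{m['proto'].lower()}/{m['dpt']}", m["src"]


def local_profile(log_text):
    """Return (event count per service, distinct source count per service)."""
    events = Counter()
    sources = defaultdict(set)
    for service, src in parse_drops(log_text):
        events[service] += 1
        sources[service].add(src)
    return events, {k: len(v) for k, v in sources.items()}


def classify(events, global_share, local_threshold=0.20, global_threshold=0.20):
    """Label each service by comparing its local share of drops with the global share.

    widespread: busy here and busy everywhere (part of a larger Internet attack)
    targeted:   busy here but quiet everywhere else (specific to this network)
    background: below the local threshold either way
    """
    total = sum(events.values())
    verdicts = {}
    for service, n in events.items():
        local = n / total
        glob = global_share.get(service, 0.0)
        if local >= local_threshold and glob >= global_threshold:
            verdicts[service] = "widespread"
        elif local >= local_threshold:
            verdicts[service] = "targeted"
        else:
            verdicts[service] = "background"
    return verdicts


def report(log_text, global_share):
    """Combine counts, distinct sources and verdicts into one table keyed by service."""
    events, sources = local_profile(log_text)
    verdicts = classify(events, global_share)
    return {s: (events[s], sources[s], verdicts[s]) for s in events}


if __name__ == "__main__":
    for service, (n, nsrc, verdict) in sorted(report(LOCAL_FIREWALL_LOG, GLOBAL_SHARE).items()):
        print(f"{service:10} events={n:3} sources={nsrc:3} {verdict}")
```

The distinct-source count is carried alongside the verdict because it is the cheapest second opinion: a worm shows many sources on one port, while the single-source tcp/1521 sweep above is what a targeted probe looks like even before the baseline is consulted. The thresholds are arbitrary here; in practice they would be set from the baseline's own history rather than fixed constants.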

In its announcement, however, Symantec did not provide specific examples in which DeepSight prevented infection by the Slammer worm.

Competing Services

Symantec's DeepSight service competes against similar services from other antivirus and security vendors.

For example, Trend Micro recently announced enhancements to its enterprise Outbreak Prevention Services, broadening those services to encompass file, Web, and messaging servers running on the Solaris, Linux, and Windows operating systems, as well as users connected via broadband connections from remote offices.

Like Symantec's DeepSight service, Trend Micro's Outbreak Prevention Services relies on a network of security analysts to distribute information about developing virus outbreaks to Trend Micro customers prior to the release of a virus pattern file. That information can be used to modify network configurations and prevent or lessen the impact of infection.

While Wednesday's announcement shows that Symantec is continuing to invest in the SecurityFocus technology, the company will need to navigate tricky waters with its SecurityFocus products and services in the months ahead, according to Pescatore.

In addition to competing against free services such as DShield.org that offer many of the same features as DeepSight, Symantec needs to retain the thousands of volunteer data partners that make up the DeepSight network.

Those organizations agreed to be part of DeepSight when it was part of SecurityFocus, but may not have the same level of commitment to a huge security vendor, according to Pescatore.

In addition, Symantec will need to convince skeptics that it is managing assets such as the popular Bugtraq vulnerability discussion list impartially.

"The real critical test comes when somebody finds a vulnerability in a Symantec product. Does that get disclosed as quickly as with a similar vulnerability in a product from Cisco [Systems] or McAfee?" Pescatore said.
