If you manage security on an enterprise network, Symantec’s new DeepSight suite of products may be an appealing option for attack detection. But starting at $25,000 per year, this service is definitely not intended for small to midsize networks. It’s also probably not worth considering unless your organization has 24/7 IT support (or at least someone on call at all times), since it would be a waste to get early warnings if no one is on hand to take immediate action to protect the network.

Slammer is the biggest recent network disruption, so it’s instructive to consider how this alert service would have enhanced your ability to respond. And in fact, Symantec has made some wild claims about how DeepSight handled Slammer, so we’ll look at just how well it performed during the Slammer attack.

Symantec DeepSight
The DeepSight suite of products should not be confused with a local intrusion-detection system. DeepSight integrates data automatically gathered from nearly 20,000 of Symantec’s partners’ firewall and IDS programs with the aim of spotting emerging attacks and alerting administrators of a current real-world threat, often before their particular system comes under full attack. Notification is based on the hardware and software in use by a particular subscriber, and the value lies in the fact that these aren’t just general threat warnings.

DeepSight is intended as an early warning system that transmits alerts via e-mail, fax, and other methods, informing administrators of new threats specific to their environment if they run any of 3,400 products (14,000 different versions). The alerts, which are based on Symantec’s monitoring of network threats across the globe, are sent to only those subscribers who may actually be affected by each new attack. The report includes recommendations on how to mitigate the threat, such as installing a specific patch or using a firewall to block a port.

For large networks, especially enterprise installations with a large number of different platforms and versions, the alerts can save a lot of time and effort watching for attacks and researching each threat and each fix, as well as helping to improve general security and attack readiness.

The Slammer attack
There have been loud complaints that Symantec, as part of its DeepSight service, knew about the recent Slammer attack early (which it subsequently bragged about in a press release) but failed to notify anyone other than its clients. Wired, in particular, has claimed that Symantec’s failure to spread the word about Slammer was irresponsible, “possibly harming millions of Internet users.”

I think this misses the point, in part because Symantec owes its subscribers special service for the hefty price they pay for DeepSight, but mainly because the biggest benefit of using DeepSight is the help provided in pinpointing more targeted or low-profile attacks. Slammer was a major threat and was widely publicized by free alert services. In fact, anyone interested in monitoring such major Internet threats so they can tweak their firewalls or take other preventive steps can see this information by following the top 10 port scans at Incidents.org. Port 1434, the port attacked by Slammer, is one of the ports regularly monitored by the Internet Storm Center.

In the relevant press release, Symantec claims, “The DeepSight Threat Management System discovered the Slammer worm hours before it began rapidly propagating. Symantec’s DeepSight Threat Management System then delivered timely alerts and procedures, enabling administrators to protect against the attack before their environment was compromised.”

Such a claim would be better if there were some offer of proof, especially in light of the forensic analysis of the Slammer attack conducted by the University of California-Berkeley’s Cooperative Association for Internet Data Analysis. UC-Berkeley’s Slammer report determined that Slammer spread at a rate 250 times faster than Code Red, doubling the number of infected machines every 8.5 seconds. The bulk of the Slammer attack was over in a very short time.

When I pointed this out to the company, a Symantec spokesperson responded, “Even though there is active discussion on the initial infection rate of this work (10 to 60 minutes) to reach critical mass, the peak period of recorded scans was over a three-hour period and continued at a reduce rate throughout [the next day].”

Apparently, at the same time I was told this, Symantec was releasing a Slammer timeline, as quoted in The Register:

“2200 (approx) PST, Friday, January 24: Firewall sensors detect numerous connection attempts on port 1434, Symantec’s DeepSight Threat Management System generates automated alert to customers.

“2300 (approx) PST, Friday, January 24: First third-party posts on the phenomenon [appear on] BugTraq.

“0000 PST, Saturday, January 25: Intrusion Detection System (IDS) sensors light up (worm is spreading prolifically). Details become more concrete and Symantec moves its alert status from medium to high-risk range.

“0200 PST, Saturday, January 25: First public Web alerts [arrive] providing detailed information on Slammer, IDS signature updates and suggestions on mitigation strategies.”

This assessment doesn’t exactly match the hype in Symantec’s initial press release and makes it clear that DeepSight didn’t actually warn about Slammer but rather sent out a general warning of increasing port 1434 scans.

A better example of DeepSight’s capabilities
Vincent Weafer, Sr., Director, Symantec Security, told me that the usefulness of the DeepSight service was better illustrated by the May 2002 Spida worm attack on Microsoft SQL. This attack took much longer to propagate than Slammer and, as he pointed out, “The threat management system saw this attack 24 hours before we obtained our first virus submissions from our customers.”

Weafer cited another value of DeepSight. “We can analyze attack trends and help give a stronger risk assessment message to customers to help them in prioritizing their security patches on their systems. For example, many worms leverage a small number of vulnerabilities [in order] to propagate (e.g., the malformed mime vulnerability that allows autoexecution of unsafe code on unpatched versions of Outlook and Outlook Express clients).”

DeepSight 4, which was introduced on Feb. 12, 2003, includes firewall and IDS data from 180 countries, expands the number of reporting tools, and allows administrators to customize the way vulnerabilities are sorted, such as by the threat level or the software version(s) affected. See Symantec’s two-page fact sheet for more information on the DeepSight Alert Services.

Bottom line
Symantec left itself wide open to a storm of criticism over the apparent slowness in warning the public about Slammer, all because of what appears to have been nothing more than an overzealous PR department. If we ignore the hype over early Slammer notification and whether it actually occurred before Slammer peaked, and we focus instead on what DeepSight actually did, we can see that the service was very fast in informing clients about an emerging threat. Even if the notice didn’t offer anything more than advice to block port 1434 at the firewall, it would have provided a worthwhile service to subscribers.

We can only hope that Slammer isn’t an indication of how quickly new attacks will spread. If it is, even an automated notification service such as DeepSight won’t be of much use, although that type of service may still be mandatory for large companies simply because it may help.

In any case, I think DeepSight provides a useful management tool for enterprise administrators. Certainly, some automated threat alert of this sort will soon form the baseline for good security management on mission-critical systems, if only to reduce the number of information sources that the already-harried enterprise managers need to monitor on a continuous basis. The ability to focus on the most critical patches based not on vendor notices but on real-world exploits can be valuable. DeepSight appears to be a sophisticated warning service and almost certainly generates alerts earlier than free reports that appear on the Web.

But two important questions remain:

  • Are the alerts sufficiently earlier than those provided by free online services to be worth the cost?
  • Even with early notification of a virus or exploit, will IT departments have enough time to deploy patches that can secure their systems?

Each organization that evaluates whether Symantec DeepSight can provide value will need to make careful study of these questions based on their infrastructure and the resources available in their IT department.