Symantec introduces centralised, open information security management

The Symantec Security Management System provides a comprehensive view of security, enabling proactive defense and real-time enterprise-wide response
Johannesburg, 03 Oct 2002

Symantec, the world leader in Internet security, today announced the Symantec Security Management System, a comprehensive set of management applications that improves the effectiveness of the information security environment by delivering proactive control of the security infrastructure and correlated information for better decision-making.

"The primary challenges our customers face are managing their complex security infrastructure and the overwhelming data flow created by all the security devices they've deployed," said Patrick Evans, regional manager for Africa at Symantec. "Symantec's approach is to provide open policy and incident management capabilities that allow users to proactively secure their network against known threats and to respond in real-time against new attacks."

The need for a comprehensive view of security posture

Managing enterprise security today is a difficult process, delivered through a combination of disparate commercial products from different vendors lacking integration and interoperability. The result is a high degree of complexity and increased operational costs, and reliance on isolated security data to make critical security decisions. For a majority of enterprises, the outcome is a weak security risk profile - an insecure business infrastructure, incomplete regulation compliance, security audit failures and soaring security management costs - that is not in line with business requirements.

Making it more difficult, protection products throughout the enterprise scan systems and network traffic and send messages on every suspicious activity. Each message is termed a security event, and nearly 10 million occur each month in organisations of even moderate size. An event may be anything from a malformed or over-length network packet, potentially indicating a buffer-overflow attack, to a failed login on a computer that may be critical or relatively insignificant. Taken individually, it is difficult to determine if a given event indicates trouble or not.

An incident is an event or condition that requires a response and closure. Active attacks or virus outbreaks are incidents that usually consist of one or more events. Known system vulnerabilities or discovered policy violations should also be treated as incidents that require a response. The challenge, however, is sorting through the millions of events to find the incidents in time to take action.

"The biggest challenge we face on a day-to-day basis is the volume of events on our network," said Phil Tyler, operational security consultant, Avnet. "The components of the Symantec Security Management System that we've deployed position us for a complete view of our security posture in real time, in one console, so that we can react quickly and effectively to actual security alerts."

Today's CIOs and CISOs are also under intense pressure when it comes to security. In addition to higher expectations from customers, investors and the general public with regard to regulatory requirements, legal liability and fiduciary responsibility, the increased complexity and number of attacks are causing greater damage. These pressures drive the need for a comprehensive approach to security management.

The Symantec Security Management System

The Symantec Security Management System helps CIOs and CISOs answer questions such as "How secure am I?", "Where should I focus my resources?" and "Am I doing everything I can to protect my enterprise?"

The Symantec Security Management System is comprised of multiple components for customers to select and deploy the right set of security management applications unique to their individual business objectives.

The three key components of the Symantec Security Management System are Symantec Event Managers, Symantec Incident Manager and Symantec ESM for policy compliance.

Symantec Event Managers

For enterprise customers who want a complete view of security events for just a specific area of protection, Symantec introduces Symantec Event Manager for Anti-Virus and Symantec Event Manager for Firewall. These Event Managers consolidate data from Symantec's and other vendors' protection solutions to provide the customer with a complete view of virus and firewall events. Customers can collect data from third-party security products, including Network Associates anti-virus data and Check Point firewalls. Additional event collectors are expected to be available in the December quarter.

Symantec is working with third-party vendors to create collectors through a partner program, to be formally announced in the first quarter of 2003. Early adopters of this program currently include TippingPoint, which develops active network-defense systems, and Entercept, which develops intrusion prevention software. TippingPoint and Entercept are scheduled to make event collectors for their products available in the December 2002 quarter.

Symantec Incident Manager

For enterprise customers with large networks yielding massive amounts of security events on a daily basis, there is a greater need for a real-time aggregated and correlated view of security data across network tiers and security technologies. Symantec Incident Manager provides open, real-time incident management that helps enterprises maximise the value of their security technologies, and identify and respond rapidly to security breaches.

Symantec Incident Manager identifies, consolidates and correlates security events from multiple point products and security technologies from a variety of vendors. Symantec Incident Manager analyses and correlates events to identify incidents, then tracks the resolution of each one to closure. It also allows for the customised setting of incident priorities based on the severity of the impact to business and dynamically adjusts those priorities through each incident's lifecycle.

Once an incident is identified, Symantec Incident Manager provides expert guidance tailored to the specific incident characteristics. Guidance is based on the SANS/CERT incident response framework, an acknowledged best-practices framework. Guidance works in tandem with customer-specific policy controls to help security personnel resolve incidents quickly and effectively. The guidance provided by the system also helps security personnel give clear and complete instructions to the broader IT staff as they direct their activities to resolve each incident. Symantec Incident Manager also employs a powerful risk analysis engine that determines the impact of each incident based on the relative confidentiality, integrity and availability rating of each asset in the system. The risk analysis engine takes into account what actions have been taken to resolve an incident and dynamically balances the priority of each incident compared to all open incidents. This allows staff to focus resources on resolving the most critical incidents first.
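The correlation and risk-ranking model described above (events grouped into incidents, impact derived from each asset's confidentiality, integrity and availability rating, priorities re-balanced as resolution progresses) can be illustrated with a small script. This is an added example written for this page, not Symantec's code; the asset ratings, event stream, threshold and scoring formula are all constructed assumptions.

```python
from collections import defaultdict

# Constructed asset inventory (assumption): CIA ratings on a 1-3 scale
ASSETS = {
    "db01": {"c": 3, "i": 3, "a": 3},     # customer database server
    "kiosk07": {"c": 1, "i": 1, "a": 2},  # lobby kiosk
}

# Constructed raw security events (assumption): (asset, event type, weight)
EVENTS = [
    ("db01", "failed_login", 1),
    ("db01", "failed_login", 1),
    ("db01", "failed_login", 1),
    ("db01", "failed_login", 1),
    ("db01", "failed_login", 1),
    ("kiosk07", "malformed_packet", 3),
    ("kiosk07", "malformed_packet", 3),
    ("db01", "malformed_packet", 3),      # isolated event, stays below threshold
]

def correlate(events, threshold=5):
    """Group events by (asset, type); a group becomes an incident once its
    summed weight reaches the threshold, so isolated noise never escalates."""
    groups = defaultdict(list)
    for asset, kind, weight in events:
        groups[(asset, kind)].append(weight)
    return [{"asset": a, "kind": k, "severity": sum(w), "progress": 0.0}
            for (a, k), w in groups.items() if sum(w) >= threshold]

def impact(incident, assets):
    """Business impact = event severity x the asset's highest CIA rating,
    scaled down by how far containment has progressed (0.0 to 1.0)."""
    rating = max(assets[incident["asset"]].values())
    return incident["severity"] * rating * (1.0 - incident["progress"])

def prioritize(incidents, assets):
    """Re-rank all open incidents, highest impact first; call again
    whenever an incident's progress changes."""
    return sorted(incidents, key=lambda i: impact(i, assets), reverse=True)

def record_progress(incident, fraction):
    """Record resolution progress as a clamped fraction and return the incident."""
    incident["progress"] = min(1.0, max(0.0, fraction))
    return incident
```

Running `prioritize(correlate(EVENTS), ASSETS)` ranks the database brute-force attempts above the kiosk traffic; once half of that incident's containment is recorded, the kiosk incident moves to the top of the queue.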

Symantec Incident Manager issues alerts and notifications throughout the lifecycle of an incident. It notifies security personnel when an incident is first detected and constantly monitors the progress being made to resolve each incident. It issues alerts in advance of security level agreement (SLA) deadlines, implemented by many organisations, which require a response for each of these phases within a specified time.

In addition, Symantec Incident Manager records every action taken to identify and resolve an incident, and generates reports that not only illustrate the type and severity of threats, but also measure the effectiveness of the organisation's response. This is an invaluable resource for both meeting audit requirements and improving response procedures.

Further, Symantec Incident Manager is backed by Symantec Security Response, which describes known vulnerabilities and serves as a reference to guide staff as they identify and resolve incidents. This valuable intellectual property includes a comprehensive database of new signatures, vulnerabilities, safeguards and response guidance, and is regularly updated from the largest and most comprehensive collection of security intelligence available.

Symantec is also creating third-party relays so that information can flow easily from the Symantec Security Management System to other network and system management products. A relay component for IBM Tivoli Risk Manager, including the Tivoli Enterprise Console, will be available in the December quarter.

"IBM and Symantec share a common mission to manage security across our customers' complex, multi-vendor environments," said Arvind Krishna, vice-president of security products, Tivoli Software, IBM. "Through integration between Tivoli and Symantec software products, IBM can continue to provide the automated, self-protecting security management infrastructure our joint customers expect."

Symantec ESM

For enterprise customers who are looking for a more comprehensive approach to security management, Symantec ESM, an industry-leading security policy compliance and vulnerability management solution, can be integrated with Symantec Incident Manager to track the resolution of identified policy non-compliance incidents to closure. As a stand-alone security application, Symantec ESM enables enterprises to create customised security policies and manage policy compliance in mission critical business applications and servers across a heterogeneous enterprise from a single location. Together, Symantec Incident Manager and Symantec ESM provide a coordinated, comprehensive approach to managing the security posture across the enterprise.

When integrated with Symantec Incident Manager, Symantec ESM adds important capabilities to identify and resolve policy non-compliance issues and eliminate vulnerabilities. As discussed above, any identified vulnerability or non-compliance condition can be treated as an incident within the context of Symantec Incident Manager.

Symantec Enterprise Security Architecture

The Symantec Security Management System components are built in compliance with Symantec Enterprise Security Architecture, which provides a standards-based interoperability framework for Symantec and third-party solutions to work together to provide secure, manageable, and scalable enterprise security. Customer environments are heterogeneous and often contain security products from many vendors. Therefore, an interoperable architecture is a critical enabler to enterprises that need strong security and centralised management.

Symantec

Symantec, the world leader in Internet security technology, provides a broad range of content and network security software and appliance solutions to individuals, enterprises and service providers. The company is a leading provider of client, gateway and server security solutions for firewall and virtual private network, vulnerability management, intrusion detection, Internet content and e-mail filtering, virus protection, remote management technologies and security services to enterprises and service providers around the world. Symantec's Norton brand of consumer security products is a leader in worldwide retail sales and industry awards. Headquartered in Cupertino, California, Symantec has worldwide operations in 38 countries. For more information, please visit www.symantec.com.