Could Symantec have saved you from Slammer?
John McCormick
Published: 03 Mar 2003 12:03 GMT
In the relevant press release, Symantec claims, "The DeepSight Threat Management System discovered the Slammer worm hours before it began rapidly propagating. Symantec's DeepSight Threat Management System then delivered timely alerts and procedures, enabling administrators to protect against the attack before their environment was compromised."
Such a claim would be better if there were some offer of proof, especially in light of the forensic analysis of the Slammer attack conducted by the University of California-Berkeley's Cooperative Association for Internet Data Analysis. UC-Berkeley's Slammer report determined that Slammer spread at a rate 250 times faster than Code Red, doubling the number of infected machines every 8.5 seconds. The bulk of the Slammer attack was over in a very short time.
When I pointed this out to the company, a Symantec spokesperson responded, "Even though there is active discussion on the initial infection rate of this work (10 to 60 minutes) to reach critical mass, the peak period of recorded scans was over a three-hour period and continued at a reduced rate throughout [the next day]."
Apparently, at the same time I was told this, Symantec was releasing a Slammer timeline, as quoted in The Register:
- 2200 (approx) PST, Friday, January 24: Firewall sensors detect numerous connection attempts on port 1434, Symantec's DeepSight Threat Management System generates automated alert to customers.
- 2300 (approx) PST, Friday, January 24: First third-party posts on the phenomenon [appear on] BugTraq.
- 0000 PST, Saturday, January 25: Intrusion Detection System (IDS) sensors light up (worm is spreading prolifically). Details become more concrete and Symantec moves its alert status from medium to high-risk range.
- 0200 PST, Saturday, January 25: First public Web alerts [arrive] providing detailed information on Slammer, IDS signature updates and suggestions on mitigation strategies.
This assessment doesn't exactly match the hype in Symantec's initial press release and makes it clear that DeepSight didn't actually warn about Slammer but rather sent out a general warning of increasing port 1434 scans.
A better example of DeepSight's capabilities
Vincent Weafer, a director of Symantec Security, told me that the usefulness of the DeepSight service was better illustrated by the May 2002 Spida worm attack on Microsoft SQL Server. This attack took much longer to propagate than Slammer and, as he pointed out, "The threat management system saw this attack 24 hours before we obtained our first virus submissions from our customers."
Weafer cited another value of DeepSight. "We can analyse attack trends and help give a stronger risk assessment message to customers to help them in prioritising the security patches on their systems. For example, many worms leverage a small number of vulnerabilities [in order] to propagate (e.g., the malformed MIME vulnerability that allows autoexecution of unsafe code on unpatched versions of Outlook and Outlook Express clients)."
DeepSight 4, which was introduced on Feb. 12, 2003, includes firewall and IDS data from 180 countries, expands the number of reporting tools, and allows administrators to customise the way vulnerabilities are sorted, such as by the threat level or the software version(s) affected. See Symantec's two-page fact sheet for more information on the DeepSight Alert Services.
Bottom line
Symantec left itself wide open to a storm of criticism over the apparent slowness in warning the public about Slammer, all because of what appears to have been nothing more than an overzealous PR department. If we ignore the hype over early Slammer notification and whether it actually occurred before Slammer peaked, and we focus instead on what DeepSight actually did, we can see that the service was very fast in informing clients about an emerging threat. Even if the notice didn't offer anything more than advice to block port 1434 at the firewall, it would have provided a worthwhile service to subscribers.
We can only hope that Slammer isn't an indication of how quickly new attacks will spread. If it is, even an automated notification service such as DeepSight won't be of much use, although that type of service may still be mandatory for large companies simply because it may help.
In any case, I think DeepSight provides a useful management tool for enterprise administrators. Certainly, some automated threat alert of this sort will soon form the baseline for good security management on mission-critical systems, if only to reduce the number of information sources that the already-harried enterprise managers need to monitor on a continuous basis. The ability to focus on the most critical patches based not on vendor notices but on real-world exploits can be valuable. DeepSight appears to be a sophisticated warning service and almost certainly generates alerts earlier than free reports that appear on the Web.
But two important questions remain:
- Are the alerts sufficiently earlier than those provided by free online services to be worth the cost?
- Even with early notification of a virus or exploit, will IT departments have enough time to deploy patches that can secure their systems?
Each organisation that evaluates whether Symantec DeepSight can provide value will need to make careful study of these questions based on their infrastructure and the resources available in their IT department.
For a weekly round-up of the enterprise IT news, sign up for the Enterpise newsletter.
Tell us what you think in the Enterprise Mailroom.
Previous
Did you find this article useful?
85 out of 197 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
Full Talkback thread
1 comment
