Critical System Protection


TechTip: Critical System Protection combines detection and prevention 

Apr 14, 2009 02:40 PM

What allows you to better control your company’s security: intrusion prevention or intrusion detection?


The answer is: both. Symantec Critical System Protection offers both intrusion detection and proactive, behavior-based host intrusion prevention for your critical systems, and together these features let you monitor your systems' security exactly the way you want to. Here are three examples of how:

1. Monitor without blocking. The detection feature FileWatch has traditionally been used to monitor files. One typical use is to alert IT automatically whenever an executable file changes. Detecting that change, however, means rescanning every executable on the system at regular intervals, which costs CPU time. To limit that load, most IT departments set FileWatch to monitor only the specific applications that are critical to the company's business.

With Critical System Protection's advanced prevention features, you can mark files read-only and also name files to be monitored. Put the prevention policy into monitor-only mode and the agent records every change to those files, including which application wrote to the file and which user account initiated the change. Because prevention intercepts the write as it happens rather than rescanning the disk, you can include every executable file on the system in this monitor-only list without overburdening the processor. Users can write to files without interruption, and you get a full record of exactly what changed and who changed it.

2. Track odd behavior, not just bad signatures. Signature-based network intrusion prevention identifies malicious code by matching known signatures or known vulnerabilities. That requires the vulnerability or the attack to be known beforehand, which makes it difficult to block zero-day attacks that arrive as soon as (or sometimes before) a vulnerability is disclosed. Behavior-based prevention, by contrast, can catch zero-day attacks by focusing on actions that legitimate applications do not take but malware does, such as writing directly to the disk, modifying the registry, or writing to system files and folders.

Behavior-based prevention can also stop an intruder who holds valid credentials. Suppose a DBA fails to change the default password on an Oracle installation. An attacker who knows the default logs in with it, and at the login itself the system has no way of telling the attacker from the DBA. But as soon as that attacker starts moving files around, writing executable files, or trying to FTP data to or from the server, Critical System Protection recognizes this as abnormal behavior and blocks it.
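The following is an added illustration of the two ideas in points 1 and 2 above, monitor-only recording and judging a session by what it does rather than by whose credentials it holds. It is not Critical System Protection code: the event fields, the protected paths, the trusted-writer list, the rule names and the sample events are all assumptions made up for the example.

```python
"""Toy behavior-based host policy for the scenario above.

Illustration only, not Critical System Protection code: the event fields,
the protected paths, the trusted-writer list and the sample events are assumptions.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional

# Locations that only a few trusted programs should ever write to (assumed).
PROTECTED_PATHS = ("/usr/bin/*", "/usr/sbin/*", "/etc/*")
# Programs allowed to write there, e.g. the package manager (assumed).
TRUSTED_WRITERS = {"/usr/bin/dpkg", "/usr/bin/apt-get"}


@dataclass(frozen=True)
class Event:
    process: str              # path of the program that performed the action
    user: str                 # account the process runs as
    action: str               # "write", "rawdisk" or "connect"
    target: str               # file path, block device, or "host:port"
    executable: bool = False  # for writes: was the written file marked executable?


@dataclass(frozen=True)
class Finding:
    verdict: str              # "blocked" in prevent mode, "logged" in monitor-only mode
    rule: str
    event: Event


def in_protected_path(path: str) -> bool:
    return any(fnmatch(path, pattern) for pattern in PROTECTED_PATHS)


def classify(ev: Event) -> Optional[str]:
    """Name the behavioral rule the event violates, or None if the action looks normal.

    The rules never look at who is logged in: an attacker holding the DBA's valid
    password is judged by what the session does, not by its credentials.
    """
    if ev.action == "rawdisk":
        return "raw-disk-write"
    if ev.action == "write" and ev.process not in TRUSTED_WRITERS:
        if in_protected_path(ev.target):
            return "system-file-write"
        if ev.executable:
            return "executable-write"
    if ev.action == "connect" and ev.target.endswith(":21"):
        return "ftp-transfer"
    return None


def evaluate(events: List[Event], mode: str = "prevent") -> List[Finding]:
    """Apply the policy. In "monitor" mode nothing is blocked, but every hit is
    recorded together with the process and the user, which is what monitor-only
    mode buys you."""
    findings = []
    for ev in events:
        rule = classify(ev)
        if rule is not None:
            verdict = "blocked" if mode == "prevent" else "logged"
            findings.append(Finding(verdict, rule, ev))
    return findings


# Constructed events: the DBA's legitimate work, a trusted package update, then
# what an intruder using the same oracle account might do. Addresses are from
# documentation ranges.
SAMPLE_EVENTS = [
    Event("/u01/app/oracle/bin/oracle", "oracle", "write", "/u01/oradata/system01.dbf"),
    Event("/usr/bin/dpkg", "root", "write", "/usr/bin/curl", executable=True),
    Event("/bin/bash", "oracle", "write", "/usr/bin/sshd", executable=True),
    Event("/tmp/.x/ftp", "oracle", "connect", "203.0.113.9:21"),
    Event("/tmp/.x/dd", "oracle", "rawdisk", "/dev/sda"),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS, mode="monitor"):
        print(f"{f.verdict}: {f.rule} by {f.event.process} as {f.event.user} -> {f.event.target}")
```

Run in monitor mode the policy flags the three intruder actions and records the process and account behind each without stopping them; switch `mode` to `"prevent"` and the same three are blocked. The `executable-write` rule is deliberately broad: on a build server you would add the compiler to the trusted-writer set rather than weaken the rule.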

3. Set sophisticated rules. With all these prevention features, why do you still need detection? For one thing, detection rules can express more complex conditions, letting you fine-tune exactly when an alert fires. Let's say you have remote users who are all thumbs; half the time they type their passwords wrong. That will drive you nuts if the system is set to alert you on every login failure. Intrusion detection can instead be set to send an alert only when there are three consecutive password failures within 60 seconds. That tells you when a password-guessing attack is under way, without alerting you to every typo.
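Here is that threshold rule worked through as an added example, not taken from the product. It parses constructed sshd-style log lines and fires only when three consecutive failures for the same account and source address fall inside a 60-second window; the log lines, the hostname, the addresses and the assumed year are all made up for the example.

```python
"""Threshold rule for failed logins: illustration only, not product code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sshd-style syslog lines. Syslog timestamps carry no year; 2009 is assumed below.
SAMPLE_LOG = """\
Apr 14 09:00:01 db01 sshd[4121]: Failed password for bob from 10.0.0.5 port 50112 ssh2
Apr 14 09:00:09 db01 sshd[4121]: Failed password for bob from 10.0.0.5 port 50112 ssh2
Apr 14 09:00:15 db01 sshd[4121]: Accepted password for bob from 10.0.0.5 port 50112 ssh2
Apr 14 09:10:00 db01 sshd[4200]: Failed password for bob from 10.0.0.5 port 50300 ssh2
Apr 14 09:12:00 db01 sshd[4201]: Failed password for bob from 10.0.0.5 port 50301 ssh2
Apr 14 09:14:00 db01 sshd[4202]: Failed password for bob from 10.0.0.5 port 50302 ssh2
Apr 14 11:30:00 db01 sshd[5001]: Failed password for oracle from 198.51.100.7 port 40001 ssh2
Apr 14 11:30:04 db01 sshd[5002]: Failed password for oracle from 198.51.100.7 port 40002 ssh2
Apr 14 11:30:07 db01 sshd[5003]: Failed password for oracle from 198.51.100.7 port 40003 ssh2
Apr 14 11:30:11 db01 sshd[5004]: Failed password for oracle from 198.51.100.7 port 40004 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse(line: str) -> Optional[Tuple[datetime, bool, str, str]]:
    """Return (timestamp, failed?, user, source ip), or None for lines the rule ignores."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("2009 " + m["ts"], "%Y %b %d %H:%M:%S")  # assumed year
    return ts, m["result"] == "Failed", m["user"], m["ip"]


def find_bursts(lines: List[str], threshold: int = 3,
                window: timedelta = timedelta(seconds=60)) -> List[Tuple[str, str, datetime]]:
    """Return (user, ip, time) for each run of `threshold` consecutive failures
    that all fall within `window`. A successful login ends the run, so a user who
    mistypes twice and then gets it right never trips the rule."""
    failures = defaultdict(list)  # (user, ip) -> failure times since the last success
    alerts = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, failed, user, ip = parsed
        key = (user, ip)
        if not failed:
            failures[key].clear()
            continue
        recent = [t for t in failures[key] if ts - t <= window] + [ts]
        if len(recent) >= threshold:
            alerts.append((user, ip, ts))
            recent = []  # start a fresh count instead of alerting on every further failure
        failures[key] = recent
    return alerts


if __name__ == "__main__":
    for user, ip, when in find_bursts(SAMPLE_LOG.splitlines()):
        print(f"ALERT {when:%H:%M:%S}: {threshold_msg}" if False else
              f"ALERT {when:%H:%M:%S}: repeated password failures for {user} from {ip}")
```

On the sample log only the `oracle` burst at 11:30 raises an alert: bob's two typos are wiped out by his successful login, and his three later failures are two minutes apart, so they never share a window. The rule is keyed on account and source address, so a guessing attack that sprays many accounts from one address needs a second rule keyed on the address alone.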

The combination of intrusion detection and intrusion prevention gives you more options for setting the specific security rules and alerts you want, without overburdening processors. Behavior-based prevention helps you block zero-day attacks. And Critical System Protection works across heterogeneous platforms. The result is the control you need to protect your organization's critical systems without inconveniencing users.
