Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Community Blog

New Policies in Critical System Protection Help Organizations Move from Host IDS to IPS with Confidence

Created: 16 Dec 2011 • Updated: 16 Dec 2011
Stuart_Hawkins's picture
+4 4 Votes
Login to vote

Many organizations are using Critical System Protection to monitor system activity and alert if and when a host has been compromised. As the attacks to servers become more sophisticated, it’s becoming more important for organizations to block malicious activity automatically - whether the attack originates from internal or external parties - to prevent further incursion of their environment.

What has prevented a number of customers from moving to host IPS is the fear of false positives, and what impact the prevention may have on the applications or server workloads being supported.

With the most recent release of Critical System Protection customers are now able to selectively enable prevention policies without the fear of stopping critical business processes.

Targeted Prevention Policy (available in the 5.2.8 MP2 release, GA 12.14.11) allows you to set a baseline policy that targets those security controls most important to your organization.  For example, an administrator can easily apply buffer overflow detection to an entire system but allow all other activities.  By default, the Targeted Prevention Policy is open, allowing access and modification to all resources.  From this state, you can begin to quickly customize the policy to block access or modifications to your critical resources.

Targeted Prevention takes an inverse approach to policy creation, as the existing out of the box Critical System Protection IPS policies focus on stringent system hardening:

  • Core, Strict, Limited Execution Approach: block all, allow specific actions
  • Targeted Prevention Approach: allow all, block specific actions

Customers moving from host IDS to host IPS can use the Targeted Prevention policies to test drive prevention before moving to a “learning” or log only mode.

4 Phased Approach to Full System Hardening

Example targeted prevention use cases:

  • Restrict access to specific files
  • Prevent configuration changes by administrators
  • Restrict network access
  • Buffer overflow protection
  • Secure and harden Critical System Protection agent

As with all host IPS policies, we would recommend deploying the IPS polices in a test environment before moving to full production. We are excited about this new approach to policy creation and hope that you too will find that it simplifies your path to system hardening, and helps reduce the amount of time it takes to configure prevention policies.

Learn more about the 5.2.8 MP2 release in the Critical System Protection Support Knowledge Base. Thanks!