Critical System Protection

  • 1.  CSP HIPS policy improvements?

    Posted Jun 10, 2011 12:55 PM

    Greetings..

    Will the shortcomings of CSP IPS policies ever be addressed?  The HIPS policies should be as simple to create and customize as the HIDS policies.

    Clearly, CSP has not gotten the development resources, or adequate documentation - that it should.

    Any roadmap info? 



  • 2.  RE: CSP HIPS policy improvements?

    Posted Jun 28, 2011 10:57 AM

    This is such a HUGE topic...I don't think I could contain all my thoughts/opinions into a single post.


    My first question would be to understand your use case(s)...because the current policies are written to solve specific issues, and I don't technically see a way to simplify IPS to an 'IDS-like' simplicity and meet the same objectives.


    If you'd be willing to take this discussion off-line and into the real world, I would love to chat with you about what your use cases are and how you envision meeting the requirements with IPS.  I'm doing the same exercise with several others right now and would welcome additional input.

    Feel free to PM me.



  • 3.  RE: CSP HIPS policy improvements?

    Posted Sep 01, 2011 06:11 PM

    If you look at Solidcore, or the older ISS product agents, the profiling tools they supply make this chore feasible: "snapshotting" system EXEs, DLLs, etc.

    Symantec recommends manual scrutiny of running processes, files, etc. Is this practical?



  • 4.  RE: CSP HIPS policy improvements?

    Posted Sep 02, 2011 07:56 AM

    CSP obviously doesn't have the best documentation but more and more customers are turning to CSP and in turn Symantec is putting more resources behind it.

    CSP IPS policies have something called Profile Lists for "snapshotting" system processes. See page 37 of the ips_ref.pdf included with the product documentation. I included it below. Something it does not mention is that you have to adjust your configs to pass Profile events from the agent to the server.

    Additionally, it is recommended that you first apply an IPS policy in Log Only mode and tune events appropriately. Only then should you turn on enforcement. You can do this by enabling/disabling the "Disable Prevention" option in the Global Policy Options.

    Profile lists
    This option profiles processes. Profiling records all actions taken by a process.
    You can use profile data to create policy controls for a process.

    Note: Profiled processes are given full privileges. The prevention policies
    provide no protection for processes that are being profiled.

    The profile options are as follows:
    Profile specific processes:

    Enable this option to profile a process. In the list of processes,
    specify the full path to the process executable.
    You can use the asterisk (*) as a wildcard character. You can
    specify optional process attributes along with the full path.


    The profile lists option includes process logging options. You use process
    logging options to configure process logging for processes that are being
    profiled.
    See “Process logging options” on page 43.
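    As an added example (not from the thread, from CSP, or from its documentation), the following Python sketch shows how a defender might work with the profile-list concept quoted above: match process paths against profile-list entries using the asterisk wildcard, collapse profile events recorded while in Log Only mode into a draft per-process control list to tune before enforcement, and flag profile entries broad enough to strip protection from many processes, since profiled processes are given full privileges. The event tuple layout, the profile-list entries and all paths are constructed assumptions; the real agent's event format is not shown on this page.

```python
import fnmatch
from collections import defaultdict

# Constructed profile list: full path to each process executable, with '*' as the
# wildcard character as the ips_ref excerpt describes. Assumed values, not CSP defaults.
PROFILE_LIST = [
    r"C:\Program Files\MyApp\*.exe",
    "/usr/sbin/nginx",
]

# Constructed profile events as (process, action, resource). The real agent's event
# format is not documented on this page; this layout is an assumption for the example.
PROFILE_EVENTS = [
    (r"C:\Program Files\MyApp\svc.exe", "file_write", r"C:\ProgramData\MyApp\log.txt"),
    (r"C:\Program Files\MyApp\svc.exe", "file_write", r"C:\ProgramData\MyApp\cache.db"),
    (r"C:\Program Files\MyApp\svc.exe", "net_connect", "tcp:443"),
    (r"C:\Windows\System32\cmd.exe", "file_write", r"C:\Users\Public\run.bat"),
    ("/usr/sbin/nginx", "file_read", "/etc/nginx/nginx.conf"),
    ("/usr/sbin/nginx", "net_listen", "tcp:80"),
]


def is_profiled(process, profile_list=PROFILE_LIST):
    """True if the process path matches a profile-list entry ('*' is a wildcard).
    Both sides are lower-cased so Windows paths compare case-insensitively."""
    return any(fnmatch.fnmatchcase(process.lower(), p.lower()) for p in profile_list)


def draft_controls(events, profile_list=PROFILE_LIST):
    """Collapse profile events into {process: {action: [resources]}} for profiled
    processes only, giving a starting point for per-process policy controls."""
    draft = defaultdict(lambda: defaultdict(set))
    for process, action, resource in events:
        if is_profiled(process, profile_list):
            draft[process][action].add(resource)
    return {p: {a: sorted(r) for a, r in acts.items()} for p, acts in draft.items()}


def broad_entries(profile_list=PROFILE_LIST):
    """Return entries that profile every executable in a directory (or everything).
    Because profiled processes get full privileges, such entries remove prevention
    from anything that lands in that location, so they deserve a second look."""
    return [p for p in profile_list if p == "*" or p.endswith(("\\*", "/*"))]


if __name__ == "__main__":
    for proc, actions in draft_controls(PROFILE_EVENTS).items():
        print(proc, actions)
    print("broad entries:", broad_entries([r"C:\*", "*"] + PROFILE_LIST))
```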