Novice Question
Created: 29 Jan 2013 | 7 comments
Hello - I am new to this forum as well as SCSP. Can anyone tell me if applying the 'out-of-box' Detection policies such as sym_win_protection_core_sbp, sym_win_protection_strict_sbp, sym_win_protection_ltd_exec_sbp, etc., without any editing of those policies, does much good in terms of protection? I really need to get a base layer of protection in place very quickly and have not had enough time to create any type of customized policies. Any basic advice on getting started with SCSP would be really helpful as a new user to this product. Thanks in advance!
The policies are explained here:
Symantec Critical System Protection 5.2.9 Detection Policy Reference Guide
http://www.symantec.com/docs/DOC5946
Symantec Critical System Protection 5.2.9 MP1 Prevention Policy Reference Guide
http://www.symantec.com/docs/DOC6275
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
Thank you Pete. Those docs both look promising.
Sean,
My company works extensively with CSP. One piece of advice I could give you would be to not deploy a policy in "prevention enabled" mode... ever. While Symantec has done a good job in tuning the template policies for general use, they have no way of knowing what third-party apps or scripted administrative functions you may be running in your environment.
If you would like to have a more detailed conversation, please feel free to contact me (see below for contact info). CSP is a very powerful and highly customizable solution and proceeding forward without any form of assistance can lead to less than ideal outcomes.
Chris Tyrrell
Compliance Practice Lead
Conventus Corp.
ctyrrell@conventus-sei.com
Chris -Thanks so much for your help! I really could use some advice especially with the Prevention policies.
I'm in the beginning stages of rolling out SCSP to our DEV environment and have disabled the few Prevention policies that I've applied.
Thanks for your offer... I will absolutely be in touch!
Sean
Just keep things in logging-only mode, if this is your own environment, for about a week, maybe two, and analyse the logs. Most of the work with CSP on the prevention side of things is going through the logs with a fine-tooth comb to see what WOULD have happened if the prevention policy were doing the prevention.
With detection you have far fewer issues with messing up systems, because detection policies don't affect the actual workings of the machine.
Also top tip: Back up the standard Symantec policies before you mess around with them!
http://www.cstl.com
Thanks Alex! Much appreciated, especially the tip about backing up the standard policies...
Sean
Short answer:
Core Policy: limits/prevents damage caused by exploits that leverage vulnerabilities and/or functionality in core OS code. Allows 'other' software to run with little to no restrictions, therefore ensure you have other traditional endpoint security controls in place (primarily AV).
Strict: Same protection provided by the Core policy around core OS code. 'Other' software has restrictions around its ability to create/modify executables and use the network.
The key to either is successfully tuning the policy to ensure that when you enable prevention, normal activity keeps chugging along. And Chris has my vote... you're in good hands with him.
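The tuning step both Alex and the last reply describe, running the prevention policy in logging-only mode and combing the logs for what would have been denied, is the part most people do by hand in a spreadsheet. The script below is an added example, not code from the original thread or from Symantec: it takes an exported event list and aggregates would-be denials by policy, rule and process so the candidates for an exception are obvious. The column names, the "Log"/"Allow" disposition values and the sample rows are all constructed for this example; substitute the field names of your own CSP console export.

```python
import csv
import io
from collections import Counter

# Constructed sample export from a logging-only prevention policy.
# The column names and disposition values are an assumption for this
# example, not the product's real export schema.
SAMPLE_EXPORT = r"""event_time,agent,policy,rule,disposition,process,target
2013-01-29T10:01:02,WEB01,sym_win_protection_strict_sbp,Write to executable files,Log,C:\Program Files\Backup\bkagent.exe,C:\Windows\Temp\agent.dll
2013-01-29T10:01:05,WEB01,sym_win_protection_strict_sbp,Write to executable files,Log,C:\Program Files\Backup\bkagent.exe,C:\Windows\Temp\agent2.dll
2013-01-29T10:03:40,WEB01,sym_win_protection_strict_sbp,Outbound network connection,Log,C:\Scripts\deploy.ps1,10.0.0.5:445
2013-01-29T10:07:11,WEB02,sym_win_protection_core_sbp,Modify core OS binaries,Log,C:\Windows\System32\cmd.exe,C:\Windows\System32\drivers\etc\hosts
2013-01-29T10:09:00,WEB02,sym_win_protection_strict_sbp,Write to executable files,Log,C:\Program Files\Backup\bkagent.exe,C:\Windows\Temp\agent3.dll
2013-01-29T10:12:30,WEB02,sym_win_protection_strict_sbp,Outbound network connection,Allow,C:\Windows\System32\svchost.exe,10.0.0.9:80
"""


def parse_export(text):
    """Parse a CSV export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def would_have_blocked(events, disposition="Log"):
    """Keep only events the policy merely logged: in logging-only mode these
    are exactly the actions prevention would have denied."""
    return [e for e in events if e["disposition"] == disposition]


def summarize(events):
    """Count would-be denials per (policy, rule, process)."""
    return Counter((e["policy"], e["rule"], e["process"]) for e in events)


def exception_candidates(events, min_hosts=1):
    """Rank (policy, rule, process) combinations by how often they fired and
    on how many agents. Something that fires repeatedly across many hosts is
    usually a legitimate tool that needs an exception; a one-off on a single
    host deserves a look before anything is whitelisted."""
    counts = Counter()
    hosts = {}
    for e in events:
        key = (e["policy"], e["rule"], e["process"])
        counts[key] += 1
        hosts.setdefault(key, set()).add(e["agent"])
    rows = [
        (policy, rule, process, counts[key], sorted(hosts[key]))
        for key in counts
        for (policy, rule, process) in [key]
        if len(hosts[key]) >= min_hosts
    ]
    # Most frequent first; tie-break on process path for stable output.
    rows.sort(key=lambda r: (-r[3], r[2]))
    return rows


if __name__ == "__main__":
    blocked = would_have_blocked(parse_export(SAMPLE_EXPORT))
    for policy, rule, process, count, agents in exception_candidates(blocked):
        print(f"{count:3d}  {policy:32s} {rule:28s} {process}  on {', '.join(agents)}")
```

The ranking is only a triage aid. In the constructed data the backup agent writing DLLs under the temp directory fires on every host and is the obvious exception to add, while cmd.exe editing the hosts file fires once on one machine and is the kind of event you want prevention to keep blocking, so it should stay on the list rather than be tuned away. Raising `min_hosts` filters the report down to fleet-wide behaviour when the log volume gets large.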