
Novice Question

Created: 29 Jan 2013 | 7 comments

Hello - I am new to this forum as well as SCSP. Can anyone tell me if applying the 'out-of-box' Detection policies such as sym_win_protection_core_sbp, sym_win_protection_strict_sbp, sym_win_protection_ltd_exec_sbp, etc., without any editing of those policies, does much good in terms of protection? I really need to get a base layer of protection in place very quickly and have not had enough time to create any type of customized policies. Any basic advice on getting started with SCSP would be really helpful as a new user to this product. Thanks in advance!


pete_4u2002:

The policies are explained here:

Symantec Critical System Protection 5.2.9 Detection Policy Reference Guide
http://www.symantec.com/docs/DOC5946

Symantec Critical System Protection 5.2.9 MP1 Prevention Policy Reference Guide
http://www.symantec.com/docs/DOC6275

SeanSmith:

Thank you Pete. Those docs both look promising.

Conventus Tyrrell:

Sean,

My company works extensively with CSP. One piece of advice I could give you would be to not deploy a policy in "prevention enabled" mode... ever. While Symantec has done a good job in tuning the template policies for general use, they have no way of knowing what 3rd party apps or scripted administrative functions you may be running in your environment.

If you would like to have a more detailed conversation, please feel free to contact me (see below for contact info). CSP is a very powerful and highly customizable solution and proceeding forward without any form of assistance can lead to less than ideal outcomes.

Chris Tyrrell
Compliance Practice Lead
Conventus Corp.
ctyrrell@conventus-sei.com

SeanSmith:

Chris - Thanks so much for your help! I really could use some advice, especially with the Prevention policies.

I'm in the beginning stages of rolling out SCSP to our DEV environment and have disabled the few Prevention policies that I've applied.

Thanks for your offer... I will absolutely be in touch!

Sean

Alex_CST:

Just keep things in logging-only mode, if this is your own environment, for about a week, maybe two, and analyse the logs. Most of the work with CSP on the prevention side of things is going through the logs with a fine-tooth comb to see what WOULD have happened if the prevention policy had been doing the prevention.

With detection you have far fewer issues with messing up systems, because detection policies don't affect the actual workings of the machine.

Also, top tip: back up the standard Symantec policies before you mess around with them!

Please mark posts as solutions if they solve your problem!

http://www.cstl.com
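The log review Alex describes above is the tuning step that decides whether prevention can be switched on safely. The script below is an added example, not from this thread and not Symantec's tooling: it takes an export of events recorded while a policy ran with prevention disabled, keeps only the ones the policy would have denied, groups them by process, action and rule so recurring multi-host activity stands out, and sets aside anything touching core OS paths for investigation rather than exemption. The CSV column layout and the sample rows are constructed for the example and are an assumption, not SCSP's real export schema.

```python
"""
Triage of a logging-only policy run: collect the events a prevention policy
would have denied, group them so recurring, multi-host activity stands out,
and separate out anything touching core OS locations that should be
investigated rather than exempted.

The CSV layout below is an assumption made for this example; it is not
SCSP's real event export schema.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export (not real SCSP data). One row per event seen
# while the policy ran with prevention disabled; 'disposition' records what
# the policy would have done had prevention been enabled.
SAMPLE_LOG = r"""timestamp,host,process,action,target,rule,disposition
2013-01-28T02:00:01,dev-web01,C:\Scripts\deploy.ps1,file_write,C:\inetpub\app\bin\app.dll,strict_exec_modify,would_deny
2013-01-28T02:00:03,dev-web02,C:\Scripts\deploy.ps1,file_write,C:\inetpub\app\bin\app.dll,strict_exec_modify,would_deny
2013-01-28T02:00:05,dev-web01,C:\Scripts\deploy.ps1,network_connect,10.0.5.20:445,strict_network,would_deny
2013-01-28T03:15:44,dev-web01,C:\Windows\System32\svchost.exe,file_write,C:\Windows\System32\drivers\etc\hosts,core_os_protect,would_deny
2013-01-28T04:00:00,dev-web02,C:\Program Files\Backup\backup.exe,network_connect,10.0.9.5:443,strict_network,would_deny
2013-01-28T04:00:02,dev-web01,C:\Windows\System32\inetsrv\w3wp.exe,file_read,C:\inetpub\app\data\site.json,none,allowed
"""

# Locations where a would-deny event is more likely a finding than a tuning
# problem; an exception here would punch a hole in the core OS protection.
# The prefix list is an assumption for the example.
CORE_OS_PREFIXES = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")


def parse_events(text):
    """Parse the CSV export into a list of dicts, one per event."""
    return list(csv.DictReader(io.StringIO(text)))


def would_deny(events):
    """Only the events prevention would have blocked matter for tuning."""
    return [e for e in events if e["disposition"] == "would_deny"]


def summarize(events):
    """Group would-deny events by (process, action, rule).

    Returns rows sorted by event count (ties keep log order), each with the
    number of distinct hosts and the distinct targets, which is what you
    need to decide whether an exception is warranted and how narrow it can be.
    """
    counts = Counter()
    hosts = defaultdict(set)
    targets = defaultdict(set)
    for e in would_deny(events):
        key = (e["process"], e["action"], e["rule"])
        counts[key] += 1
        hosts[key].add(e["host"])
        targets[key].add(e["target"])
    return [
        {
            "process": proc,
            "action": action,
            "rule": rule,
            "count": n,
            "hosts": len(hosts[(proc, action, rule)]),
            "targets": sorted(targets[(proc, action, rule)]),
        }
        for (proc, action, rule), n in counts.most_common()
    ]


def touches_core_os(row):
    """True if any target of this group sits under a protected OS path."""
    return any(t.startswith(CORE_OS_PREFIXES) for t in row["targets"])


def triage(events):
    """Split the summary into exception candidates and items to investigate.

    Anything writing under core OS paths is set aside for investigation;
    everything else is listed, noisiest first, for human review as a
    possible policy exception scoped to the exact process, action and targets.
    """
    candidates, investigate = [], []
    for row in summarize(events):
        (investigate if touches_core_os(row) else candidates).append(row)
    return candidates, investigate


if __name__ == "__main__":
    cands, inv = triage(parse_events(SAMPLE_LOG))
    print("Review as exception candidates (noisiest first):")
    for r in cands:
        print(f"  {r['count']:3d}x {r['hosts']} host(s)  {r['process']}  "
              f"{r['action']}  rule={r['rule']}  targets={r['targets']}")
    print("Investigate before exempting:")
    for r in inv:
        print(f"  {r['count']:3d}x {r['process']}  {r['action']}  targets={r['targets']}")
```

The point of the split is that a high event count is not by itself a reason to add an exception: the deploy script writing DLLs on every web host is exactly the kind of legitimate administrative activity a template policy cannot know about, while a single svchost.exe write to the hosts file is something to look at before the policy is loosened. Exceptions should be cut to the specific process, action and target set the summary shows, not to the whole rule.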

SeanSmith:

Thanks Alex! Much appreciated, especially the tip about backing up standard policies.

Sean

AMoss:

Short answer:

Core policy: limits/prevents damage caused by exploits that leverage vulnerabilities and/or functionality in core OS code. Allows 'other' software to run with little to no restrictions... therefore ensure you have other traditional endpoint security controls in place (primarily AV).

Strict: same protection as the Core policy around core OS code. 'Other' software has restrictions around its ability to create/modify executables and to use the network.

The key to either is successfully tuning the policy to ensure that when you enable prevention, normal activity keeps chugging along. And Chris has my vote... you're in good hands with him.

Looking for real-time reporting and data visualization for your Symantec Security solutions?  http://www.trysolve.com