Symantec's DeepSight Warns Of Targeted Attacks


Symantec Monday updated its DeepSight Threat Management System to provide customers with warnings of attacks specifically targeting their Internet domains.

The long-running vulnerability and exploit warning service will move up to version 7.0 later this month to account for the increasing number of narrow-cast attacks, said Dee Liebenstein, group program manager for DeepSight.

"The threat landscape is changing," Liebenstein said. "We haven't seen the kind of [massive] outbreaks as in past years, but we have seen an increase in the total number of attacks. The increase is coming from targeted attacks done for financial gain."

Most security vendors have noted similar findings: the drop in large-scale events in the league of, say, MSBlast or Zotob is due to attackers conducting more one-off attacks against specific companies or Web sites.

Lots of current DeepSight users, said Liebenstein, are using its research database to find those threats targeting their domains, so this move is not so much leading as following customers. "They're querying the database looking for those types of worms and backdoors, but with the volumes of malicious code, that's difficult. So we're now going to proactively alert them."

The new feature doesn't examine Net traffic patterns to determine targets, but instead looks inside malware to find the Internet domains embedded in the code. It may not be a perfect solution, Liebenstein said, but it's a start.
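The idea of finding domains embedded in a sample and matching them against an organization's own domains can be sketched as follows. This is an added example, not Symantec's code or DeepSight's actual method; the function names, the watchlist and the sample bytes are constructed for illustration.

```python
import re

# Hostname-like tokens: dot-separated labels ending in an alphabetic TLD.
# This also catches file names such as "kernel32.dll"; the watchlist match filters those out.
DOMAIN_RE = re.compile(rb"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,24}", re.I)

def extract_strings(blob, min_len=6):
    """Yield printable runs stored as ASCII or as UTF-16LE (common in Windows binaries)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.group()
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob):
        yield m.group()[::2]  # drop the interleaved NUL bytes

def embedded_domains(blob):
    """Return every hostname-like string found in the sample, lowercased."""
    found = set()
    for s in extract_strings(blob):
        for m in DOMAIN_RE.finditer(s):
            found.add(m.group().decode("ascii").lower())
    return found

def targeted_domains(blob, watchlist):
    """Map each watched domain to embedded hostnames that equal it or are subdomains of it."""
    hits = {}
    for host in embedded_domains(blob):
        for watched in watchlist:
            w = watched.lower().rstrip(".")
            # Match on a label boundary so "notexamplebank.test" does not
            # count as a hit for "examplebank.test".
            if host == w or host.endswith("." + w):
                hits.setdefault(w, set()).add(host)
    return hits

# Constructed sample bytes (not real malware): one ASCII URL, one UTF-16LE
# hostname, a look-alike domain and an imported DLL name.
SAMPLE = (b"MZ\x90\x00\x03"
          + b"POST http://login.examplebank.test/session HTTP/1.1\x00"
          + b"\xff\xfe\x01" + "mail.corp.example".encode("utf-16-le") + b"\x00\x00"
          + b"notexamplebank.test\x00kernel32.dll\x00")

# Hypothetical customer watchlist using reserved test domains.
WATCHLIST = ["examplebank.test", "corp.example"]

if __name__ == "__main__":
    for domain, hosts in sorted(targeted_domains(SAMPLE, WATCHLIST).items()):
        print(domain, "->", sorted(hosts))
```

Plain string extraction only sees domains stored in the clear; samples that pack or encrypt their strings need unpacking or dynamic analysis first, which is one reason the article calls the approach a start rather than a complete solution.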

"If we can identify the 10 to 20 threats that represent a higher risk to that company, we're identifying those things they should be focusing on," she said.

DeepSight 7.0 will also include analysis of adware and spyware for the first time, added Liebenstein, and boasts other new features that will make it easier for customers to dig up data on emerging threats.

A quick port lookup tool, for instance, lets users search for threats by TCP port numbers. They'll be able to access not only the existing threats identified with a specific port, but also see the last 48 hours of activity on that port across the DeepSight global network, which boasts more than 20,000 intrusion detection and firewall sensors.

The update will also offer more information on anti-virus threats, more direct access to key global threat statistics, and simpler setup of alerts.

"This type of deeper personalization will become more and more important as threats continue to mutate," said Liebenstein.