Symantec is attempting to capture some of the interest in detecting advanced threats by partnering with networking security vendors that have established technologies designed to identify suspicious activity that could signal a targeted attack.
The Mountain View Calif.-based security vendor unveiled Symantec Managed Security Services for advanced threat protection that focuses on correlating alerts from security appliances and providing more comprehensive attack prevention capabilities to its user base. At Symantec's 2014 Vision user conference, executives said they would be partnering more with networking gear makers to reduce the white noise caused by false alerts.
The company said its Advanced Threat Protection Alliance includes Check Point Software Technologies, Palo Alto Networks and Cisco-Sourcefire to construct a bridge between network traffic and endpoint activity monitoring software. The goal is to uncover the meaningful alerts and speed incident investigations, the company said.
The new services are intended to provide actionable data for containment of a security threat and remediation of a system infected by a zero-day exploit. It uses Symantec data and combines it with triggered alerts generated by the networking gear.
The focus on advanced threat detection capabilities has been fueled in part by interest in network security firm FireEye and its file behavioral analysis capabilities. The three companies in Symantec's new alliance have similar capabilities. Check Point sells a dedicated threat prevention appliance that connects to a cloud-based emulator to detonate and inspect suspicious files. Palo Alto Networks sells a WildFire subscription-based emulation service for file inspection. Meanwhile, Sourcefire, recently acquired by Cisco Systems, sells a cloud-based sandbox to inspect file behavior.
Businesses tend to ration security, sprinkling it around the edges without due diligence about what data is being safeguarded and where it resides, said Neil MacDonald, vice president and fellow at research firm Gartner, speaking to Symantec customers at the Vision conference. Visibility into identifying threats needs to increase, response capabilities need to be bolstered, but the activity needs to be combined with threat blocking and prevention measures, MacDonald said.
"These things work together as a system and at the heart of this is going to be lots and lots of data," MacDonald said. ”Once these advanced attacks get inside, they move throughout the network and there’s no ability to impede them."
Symantec, McAfee, Trend Micro and Sophos and other endpoint security firms can be combined with traffic packet inspection and user activity monitoring to create the visibility, but analytics need to be applied to discern meaningful anomalies from the noise, MacDonald said.
System complexity often opens up weaknesses that can be exploited by attackers, said Justin Flynn, a consultant and network security specialist with Chicago-based solution provider Burwood Group, a Palo Alto Networks partner. System monitoring is also not as easy as it sounds, Flynn said.
"The process often begins well but isn’t undertaken efficiently, causing bottlenecks and other issues that can be costly," Flynn told CRN in a recent interview.
Incident response is also often poorly coordinated at organizations, said Greg Williams, a security compliance consultant at MMIC Group, a medical liability insurer in the Midwest that operates a security services and risk consulting arm that works with security channel providers. Williams told CRN that monitoring is sometimes established by organizations to meet compliance mandates, but even if the monitoring is outsourced to a service provider, how alerts are addressed is ineffective.
"It's a tedious and boring task," Williams said. "You assess the value of what you are monitoring and if that value is significant enough, you build redundancies into your monitoring solutions."
Symantec said it is getting its incident response and managed services in place over the next six months. It also plans to roll out the integrated advanced threat protection platform with its own cloud-based sandbox for file analysis and a communication bridge called Synapse, which connects the components to provide protection.
This article originally ran an as an exclusive on the CRN Tech News App for tablet.