Symantec Unveils IPS Defense, Models Worm Behaviors

The Cupertino, Calif.-based security vendor also unveiled a simulation tool that models how past major worms spread, and said it plans to expand the tool so that enterprises can simulate how a specific, and current, attack propagates through their own networks.

The intrusion prevention system, dubbed Symantec Critical System Protection 4.5, will defend against day-zero attacks -- exploits for which no patch exists -- and proactively protects applications and OSes on both clients and servers by enforcing behavior-based security policies.

"We're extending the endpoint security infrastructure by adding a layer of robust protection against new malicious threats," said Chirantan Desai, director of product management Symantec's client and host security group, in a statement.

Critical System Protection uses behavior-based techniques to watch for as-yet-unknown threats, includes a high-performance firewall, and also protects against buffer overflow and memory-based exploits, said Symantec.

Sponsored post

A central console monitors covered clients and servers, and lets administrators manage the configurable security policies for apps and operating systems. Those policies, said Symantec, automatically and dynamically adapt to the OSes and applications installed on the machines so that IT doesn't have to configure new policies to cover different types of systems.

Critical System Protection 4.5 will be available late June through Symantec's resellers, distributors, and systems integrators.

Also on Monday, Symantec touted a new worm attack modeling tool, dubbed Worm Simulator, that graphically shows how several notable malicious attacks spread in the past, both on a macro and on a micro scale.

The simulator, which can be downloaded free of charge from Symantec's Web site, shows how six of the biggest worms of the last two-and-a-half years -- MSBlast, MyDoom, Netsky, Sasser, Slammer, and SoBig -- spread throughout the Internet in general, and in several "typical" network configurations specifically.

Although Symantec officials said that the simulator will be used by its sales staff to demonstrate large-scale attacks, they also said it's a worthwhile tool for end users now, and would get better down the road.

"We want common users to use this to get an idea of how threats develop and spread," said Carey Nachenberg, the chief architect of Symantec Research -- the company's R&D effort -- and the holder of several security patents. "And while we now have models of typical networks [in the simulator], in the long run we'll give tools to enterprises so they can map their own networks to see how attacks affect them."

As new worms appear in the wild, Nachenberg said, Symantec plans to release simulation files that can be run using this modeling tool. Symantec is already using the tool internally for a better understanding on how major worms spread, and has tweaked the simulator sufficiently for Nachenberg to be confident of its accuracy.

"In our initial modeling of the Slammer worm, for instance, we had it flooding the world's systems in a third of the time it took in the real attack. The real thing took longer because it clogged up routers and slowed because of the reduced bandwidth."

Although he wouldn't promise that new worm simulator "definitions" would be released in enough time for companies to run a simulation before the attack hit them, he claimed that "once we understand how a worm works, it's pretty trial, a half hour's job or so, to create a simulation for it."

In the future, Nachenberg said, Symantec has plans to not only provide manual tools for companies to accurately model the specifics of their own networks -- to see how a particular worm spreads, to gauge how effective patching certain systems will be to defend the network as a whole -- but he hopes to give administrators the ability to automatically sniff out the construction of their networks.

"That's the plan in the long run," said Nachenberg.