Hands-On Review: Symantec's DeepSight Threat Management System & Alert Service

Company name: Symantec

Review: DeepSight Threat Management System and Alert Services

Price: TMS: $15,000 and up; Alert Services: $5,000 and up, depending on number of users

URL: http://tms.symantec.com, alerts.Symantec.com

Type: Sponsored post

Platforms supported: Browser-based service, runs on version 5 or later browsers (PGP, an e-mail account and Acrobat Reader are required to take full advantage of various features)

Key features: Provides the ability to monitor worldwide threats and attacks in near-real time, as well as be informed about the state of vulnerabilities in your technology portfolio, all via a simple Web browser and e-mail alerts of your choosing.

Pros: Customization of features to match your choices of technology vendors. Alerts can be sent to e-mail, phones and fax.

Cons: Reports are somewhat cumbersome to set up, spanning several screens and numerous options. The top navigation bar is missing from the TMS home page, and navigation could be better organized on the Alerts Services pages, too.

Description: Ever wish your clients had the bucks to assemble one of those cool network "command centers" with the dozens of big displays to monitor what is going on with your networks and the Internet at large across the globe? But who has the time to sit and watch all that stuff, and who has the money these days to put it together and staff it 24x7? Well, Symantec does and is willing to share its center and expertise with you. The idea is a good one for VARs interested in expanding their security practice areas.

Now you can be there virtually, courtesy of two services from Symantec's DeepSight division. The two services complement each other and, though you can purchase either independently, they work best if used in tandem. They are a heck of a lot cheaper than building your own command center, yet let you take advantage of all the expertise that the company has assembled to analyze and fight cyberthreats around the world.

The Alert Services package looks inward. It is geared toward keeping up with the portfolio of products you have to maintain as part of your client's overall IT infrastructure, and new security vulnerabilities that can keep you after hours patching code and updating products.

First, you specify the device on which you wish to receive alerts. This can be e-mail, a fax machine, or either text or voice messages to a phone number. Second, you specify the technologies about which you wish to receive alerts. This can be as specific as a particular version of Windows or as broad as all technologies from a particular vendor. Third, you set up the notification monitoring service: you choose either a vulnerability or (new to this version) a malicious-code situation, the thresholds at which alerts are sent, the technology list you created in the second step, and the device to which the alerts go. There is also a database of vulnerabilities and malicious code that is searchable by vendor or product name.
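To make the three-step setup concrete, here is an added example (not Symantec's code and not how DeepSight is implemented) that models a portfolio-based alert monitor: a technology watchlist keyed by vendor, optional product and optional version, a severity threshold, and a delivery device per monitor. The advisory feed, vendor names, severity scale and device addresses are all constructed for the demonstration.

```python
"""Added example: watchlist-based vulnerability/malicious-code alert routing.
Everything below (feed entries, vendors, severities, devices) is constructed
sample data, not output from any real alert service."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed severity scale used for the threshold comparison.
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Advisory:
    adv_id: str
    kind: str            # "vulnerability" or "malicious-code"
    vendor: str
    product: str
    versions: Tuple[str, ...]
    severity: str


@dataclass(frozen=True)
class WatchItem:
    """One entry of the technology list: vendor-wide, product-wide, or one version."""
    vendor: str
    product: Optional[str] = None    # None means every product from the vendor
    version: Optional[str] = None    # None means every version of the product

    def matches(self, adv: Advisory) -> bool:
        if adv.vendor.lower() != self.vendor.lower():
            return False
        if self.product and adv.product.lower() != self.product.lower():
            return False
        if self.version and self.version not in adv.versions:
            return False
        return True


@dataclass
class Monitor:
    """Step three of the setup: kind, threshold, technology list and device."""
    name: str
    kind: str
    min_severity: str
    watchlist: List[WatchItem]
    device: str          # constructed, e.g. "email:soc@example.com", "sms:+15555550100"

    def evaluate(self, adv: Advisory) -> bool:
        if adv.kind != self.kind:
            return False
        if SEVERITY[adv.severity] < SEVERITY[self.min_severity]:
            return False
        return any(item.matches(adv) for item in self.watchlist)


def route_alerts(monitors: List[Monitor], advisories: List[Advisory]):
    """Return (device, monitor name, advisory id) for every advisory/monitor match."""
    routed = []
    for adv in advisories:
        for mon in monitors:
            if mon.evaluate(adv):
                routed.append((mon.device, mon.name, adv.adv_id))
    return routed


# Constructed advisory feed (ids, products and severities are made up).
FEED = [
    Advisory("ADV-1", "vulnerability", "Microsoft", "Windows", ("2000", "XP"), "high"),
    Advisory("ADV-2", "vulnerability", "Microsoft", "Windows", ("NT 4.0",), "critical"),
    Advisory("ADV-3", "malicious-code", "Microsoft", "Outlook", ("2002",), "medium"),
    Advisory("ADV-4", "vulnerability", "Cisco", "IOS", ("12.2",), "low"),
    Advisory("ADV-5", "vulnerability", "Cisco", "PIX", ("6.3",), "high"),
]

# Constructed monitors: one version-specific, one vendor-wide, one malicious-code.
MONITORS = [
    Monitor("windows-xp-vulns", "vulnerability", "high",
            [WatchItem("Microsoft", "Windows", "XP")], "email:soc@example.com"),
    Monitor("cisco-all", "vulnerability", "medium",
            [WatchItem("Cisco")], "sms:+15555550100"),
    Monitor("malware-ms", "malicious-code", "low",
            [WatchItem("Microsoft")], "fax:+15555550199"),
]


def demo():
    return route_alerts(MONITORS, FEED)


if __name__ == "__main__":
    for device, monitor, adv_id in demo():
        print(f"{adv_id} -> {monitor} -> {device}")
```

Note that ADV-2 is dropped even though it is critical, because the version-specific watch item only covers Windows XP, and ADV-4 is dropped because it falls below the monitor's threshold; that is exactly the trade-off a narrow technology list buys you.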

The TMS looks outward. It monitors what is happening to the world's computers and networks through the sensors Symantec has deployed over the past several years at ISPs, on corporate networks and with individual users. In near real time, you can keep current with the latest attacks and view statistics on what new exploits have occurred on the Internet in the past days or weeks.

TMS is divided into several sections: statistics on the various threats and activities that Symantec has observed across its network of sensors; analysis, collecting prewritten reports and research papers that analyze attacks and hacks along with daily and weekly attack summaries; reports that can be customized for particular needs (more on these in a moment); notifications of particular attacks in progress; and account information, where you can change your e-mail address and password.

The key to TMS, and new in version 5.0, is the custom reports. They are sent to you as PGP-encrypted messages and can specify what kinds of attacks have been observed on particular IP address ranges, over particular port numbers, or for particular types of exploits. The reports have so many custom options that getting them right the first couple of times will take some skill and perhaps help from Symantec engineers.
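The custom report filters described above (IP address range, port number, exploit type, time window) are easy to picture as a query over sensor events. The following is an added example that is not Symantec's code and says nothing about how TMS builds its reports; the sensor log lines, addresses, ports and signature names are constructed for the demonstration.

```python
"""Added example: filtering and summarizing constructed sensor events by
destination CIDR, port, signature and time window, the way a custom attack
report would slice them. The log format and every value are made up."""
import ipaddress
from collections import Counter
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample sensor log; "key=value" fields, one event per line.
SAMPLE_LOG = """\
2003-05-01T10:00:00 src=203.0.113.5 dst=192.0.2.10 dport=80 sig=web-probe
2003-05-01T10:05:00 src=203.0.113.5 dst=192.0.2.11 dport=80 sig=web-probe
2003-05-01T11:00:00 src=198.51.100.7 dst=192.0.2.20 dport=445 sig=smb-probe
2003-05-01T12:00:00 src=198.51.100.9 dst=192.0.2.20 dport=1434 sig=sql-worm
2003-05-01T12:30:00 src=203.0.113.5 dst=198.18.0.4 dport=80 sig=web-probe
2003-04-20T09:00:00 src=203.0.113.8 dst=192.0.2.10 dport=80 sig=web-probe
"""


def parse_events(text: str) -> List[Dict]:
    """Parse the constructed log format into event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        try:
            fields = dict(p.split("=", 1) for p in parts[1:])
            events.append({
                "ts": datetime.fromisoformat(parts[0]),
                "src": ipaddress.ip_address(fields["src"]),
                "dst": ipaddress.ip_address(fields["dst"]),
                "dport": int(fields["dport"]),
                "sig": fields["sig"],
            })
        except (KeyError, ValueError):
            continue   # a bad line should not sink the whole report
    return events


def report(events: Iterable[Dict], dst_cidr: str,
           ports: Optional[Set[int]] = None,
           signatures: Optional[Set[str]] = None,
           since: Optional[datetime] = None) -> Dict:
    """Summarize events hitting dst_cidr, optionally narrowed by port, signature and time."""
    net = ipaddress.ip_network(dst_cidr, strict=False)
    selected = [
        e for e in events
        if e["dst"] in net
        and (ports is None or e["dport"] in ports)
        and (signatures is None or e["sig"] in signatures)
        and (since is None or e["ts"] >= since)
    ]
    return {
        "count": len(selected),
        "by_port": dict(Counter(e["dport"] for e in selected)),
        "by_signature": dict(Counter(e["sig"] for e in selected)),
        "top_sources": [(str(ip), n) for ip, n in
                        Counter(e["src"] for e in selected).most_common(3)],
    }


EVENTS = parse_events(SAMPLE_LOG)


def web_report_for_may():
    """Web-port activity against the 192.0.2.0/24 range since 1 May."""
    return report(EVENTS, "192.0.2.0/24", ports={80}, since=datetime(2003, 5, 1))


def all_report_for_may():
    """All activity against the 192.0.2.0/24 range since 1 May."""
    return report(EVENTS, "192.0.2.0/24", since=datetime(2003, 5, 1))


if __name__ == "__main__":
    print(web_report_for_may())
    print(all_report_for_may())
```

Two of the six constructed events are excluded from the May reports on purpose: one targets an address outside the range, and one falls before the time window. Checking which filter dropped an event is the first thing to do when a multi-screen report comes back emptier than expected.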

I liked both services and think they should be in any VAR's bag of tricks. I wish the navigational elements had received a little more work from the company, including placing the Alert Services items in the order that I described them above and a better home page nav bar for TMS. But these are minor complaints.

With both services, the idea is to be better informed and able to take action before the bad guys take over your clients' networks and your weekends and before your machines are hijacked into causing grief. While the multiple-thousand-dollar price tag isn't cheap, given the time spent tracking down attacks and fixing things in their aftermath, it could be money well spent.