B-whitepaper Keep Your Exposed Servers Protected 11-2007 13540288.en-us


  • 8/13/2019 B-whitepaper Keep Your Exposed Servers Protected 11-2007 13540288.en-us

    1/12

Endpoint Security

    Abstract

In today's landscape of emerging threats, effective security solutions as well as regulatory compliance are essential. Symantec Critical System Protection ensures server integrity and compliance across heterogeneous platforms. It effectively protects critical assets, and helps lower the cost of administering asset protection through simple, centralized policy management.

This paper shows how Symantec Critical System Protection, an easy-to-install solution, provides effective countermeasures to protect your servers in five crucial ways:

1. Compliance monitoring offers a long list of predefined and custom compliance monitoring rules (e.g., Audit Tampering Detection) for both system and application compliance, each designed to meet the requirements of a growing body of laws and regulations.

2. Exploit prevention recognizes operating system functions that are well-defined and regularly repeated, allowing Symantec Critical System Protection to automatically block unexpected actions designed to hijack a service or function.

3. System configuration protection allows you to literally lock down servers to prevent unauthorized changes to Web pages, Web applications, and more. Further, policies you set will be enforced globally across all your server groups.

4. Security event monitoring provides a large library of common security events that need to be monitored, with detection rules for continuous server monitoring that allow security administrators to spend their time on more important tasks.

5. Real-time alerting and log file consolidation reports to administrators any important events or attacks in time to determine which are critical and require immediate attention, and which are low priority.


Every company exposes a set of servers to the public internet. These are used for delivery of web content, interactive portals, e-business commerce sites, online banking, and corporate email, and are exposed daily to a variety of threats. Successful attacks against these servers can put company branding, customer confidence, and business reputation at risk.

Typically, these servers are somewhat hardened and protected by firewall and network intrusion prevention technologies. Unfortunately, many attacks on these exposed servers are carried in otherwise legitimate traffic, taking advantage of weaknesses in operating systems or applications. Attacks range from web defacements to more elaborate tampering involving capture and distribution of user credentials or transaction information.

One example of the threat to exposed servers is the increasing number of web defacements around the world. According to CERT-In, the Indian Computer Emergency Response Team, from January to April of 2007 over 2200 websites with India-specific domains were defaced. This number shows significant growth over the same period of the previous year. The risk of web defacement is real and has significant consequences.

Why are these attacks successful? It may be as simple as a technical support service allowing customers to upload a log file to a server. This decision can put the entire demilitarized zone (DMZ) at risk. Well-documented cases of exploits leveraged against an operating system can easily be found on the Internet. For example, in one case, the attacker uploaded a file to the server and then leveraged an exploit in the FTP client, which allowed them to take over administrative control of the server. At this point, all servers in the DMZ were exposed because firewall rules and intrusion detection system (IDS) signatures did not protect server-to-server communications in the DMZ. The attacker then explored the vulnerabilities of the other servers until they gained access to the target system. The end result of this attack, defacement of the company website, was a rather public and embarrassing exposure.


Many companies believe that if they update their network intrusion prevention signatures and maintain updated patches, they are safe from attack. But as zero-day threats continue to surface, proactive protection of public-facing servers becomes an even higher priority. In the case of zero-day exploits, the attacker leverages a weakness in a silent but effective way. They no longer care about infecting thousands of machines, only the few that will result in a payday. By the nature of these attacks, it could be a long time before the weakness is recognized and patched by the vendor. While the attacker has access to the system, they can create backdoors or other avenues to regain access even after the patch is applied.

At Symantec, we believe that one of the most effective countermeasures to protect your servers is Symantec Critical System Protection. This solution has been specifically designed to protect and monitor server operating systems and applications. Symantec Critical System Protection combines key technologies to protect and monitor the server environment. The solution includes the following five major areas of protection:

- Compliance monitoring
- Exploit prevention
- System configuration protection
- Security event monitoring
- Real-time alerting and log file consolidation

Compliance monitoring

An increasing number of organizations today face challenges complying with standards, laws, and governmental regulations relating to security and administration. Good governance of your IT infrastructure requires that you monitor your critical systems for adherence to your security policies. Symantec Critical System Protection solves this difficult issue by enabling real-time compliance through its broad detection and intrusion prevention feature set. As a result, it addresses many compliance standards such as PCI, Sarbanes-Oxley, and Enterprise Security Policy Compliance.


Symantec Critical System Protection's compliance monitoring allows you to provide your auditors the evidence needed to prove that you are enforcing your policies and are reacting to situations as they arise. The intrusion detection library contains compliance-monitoring policies such as ones that monitor successful and unsuccessful logins. In addition, you have the ability to use the workbench to create any rule that is important for your environment, and to use the file watch services that monitor changes or abnormal activity for sensitive files.

Examples of pre-defined compliance monitoring rules include:

- Audit tampering detection
- Syslog tampering detection
- Failed access monitoring
- Logon success monitoring
- Remote logoff detection
- User configuration change detection
- Group management change detection

The latest release, Symantec Critical System Protection 5.2, also extends compliance monitoring beyond system compliance and supports application compliance as well. The Virtual Agent capability allows administrators to monitor files and events on unsupported systems, yet show the resulting events in the console as if they came from the original unsupported system. The Virtual Agent monitors the remote system's events and files either via file shares or by copying the relevant files to a system where a Symantec Critical System Protection agent is installed. As a result, Symantec Critical System Protection can monitor for PCI compliance, such as user logons on remote systems that do not have agents. Symantec Critical System Protection's Virtual Agent capability enables detection monitoring of older or less common systems that are not currently supported. Other solutions only provide monitoring of the systems they currently support.


Symantec Critical System Protection's intrusion prevention features also manage user privilege and application control. As a result, the ability to restrict access to files on a per-application, per-user or per-group basis, block hacker and virus activities, control applications' network activities, and control USB device usage are all available through the Symantec solution, which can be used as a tool to ensure an organization's compliance. Whether it is limiting access to specific files and programs, addressing Sarbanes-Oxley, or locking down applications as you would potentially need for Health Insurance Portability and Accountability Act (HIPAA) compliance, Symantec Critical System Protection can address compliance monitoring with its intrusion prevention features as well.

Exploit prevention

The exploit prevention solution is a rather simple concept, yet an extremely powerful implementation. Every service or function of the operating system is well defined: services do the same job day in and day out with no change. Therefore, the known good behavior of those services and functions can be defined and pre-packaged in the Symantec Critical System Protection default policies. Since these protection policies know the good behavior for each element of the system, all other behavior can be automatically blocked without fear of false positives. This is a very powerful concept in protecting the operating system and applications. It is also a different approach from other intrusion prevention technologies that rely on baselines or application learning to create their protection profile. Symantec's security team has encapsulated many years of knowledge into the default policies so that your staff doesn't need to become expert in operating systems.

The end result of this approach is zero-day exploit prevention without the need for signatures or updates. Exploits rely on the fact that they can hijack a service or function running with administrative privileges. The exploit then uses that privilege to download files, make changes to the security configuration, add user accounts, and the like. Symantec Critical System Protection prevents this from happening by automatically blocking the malicious request. Once Symantec Critical System Protection is installed, the exploits just don't work.


Let us look briefly inside the Symantec solution. Symantec Critical System Protection inserts itself into the operating system using well-defined, documented procedures that are supported by the operating system vendors. Through its placement in the system, every system call can be intercepted before it is executed. Symantec Critical System Protection evaluates the system call and ensures its validity prior to passing it along to the execution engine of the operating system. Some may be concerned about the performance degradation that this may have on the system. While it is true that this zero-day exploit prevention is not resource free, Symantec Critical System Protection was designed specifically to reduce the amount of time it takes to intercept and evaluate these calls. Through a patent-pending modular approach to validation of the system calls, the resource expenditure is roughly three to six percent, depending on the variables of the server and workload. Other similar solutions can take 20 percent or more of the system processing power, especially when under duress. Symantec's unique approach makes Symantec Critical System Protection the best fit for a high-transaction production environment.

System configuration protection

System configuration settings, file systems, and access to services can be restricted by Symantec Critical System Protection. This ability allows companies to literally lock down servers and ensure that proper change control is executed on public-facing and mission-critical servers. In the case of public-facing servers, this feature enables the company to prevent unauthorized changes to web pages, web applications, and the like. It helps ensure protection against the public embarrassment of web defacements or web application tampering.

Here is how it works: the security administrator or your consulting partner can define files, file systems, and settings that may not be changed. Even if the machine is compromised and the attacker gains administrative rights, the software will protect the settings, files, and directories.

One of the benefits of this approach is that by centralizing your configuration protection, you reduce the amount of time needed to continually review and harden servers. The policy you create will be applied universally across your server groups. You can apply a rule such as "no FTP allowed" in the policy, and Symantec Critical System Protection will enforce it globally. With Symantec Critical System Protection there is no need to visit all your servers and remove the ftp.exe program files.
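The two sections above, exploit prevention and system configuration protection, describe the same enforcement idea from two sides: a service's known-good behavior is written down in advance and every intercepted call outside it is denied, while certain files stay locked even for a caller with administrative rights. The following is an added illustration of that evaluation order in Python; it is not Symantec's code and does not use the product's policy format. The service names, paths, the "httpd" policy and every event are constructed for the example, and the interception point itself is simulated by feeding events to a function.

```python
"""Added illustration, not Symantec's code: a toy default-deny behaviour
policy of the kind the paper describes. Each service carries a list of the
operations it is known to perform and everything else is denied, with no
signatures involved. A list of protected paths is enforced even when the
caller already holds administrative rights, and a global rule bans a named
program (ftp.exe) on every host. All service names, paths and events here
are constructed for the example."""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, List, Tuple


@dataclass
class SyscallEvent:
    host: str
    process: str      # service issuing the call, e.g. "httpd"
    operation: str    # "read", "write", "delete", "exec" or "connect"
    target: str       # file path, program path or host:port
    is_admin: bool    # whether the caller holds administrative rights


@dataclass
class Policy:
    # known-good behaviour per service: operation -> allowed target patterns
    allowed: Dict[str, Dict[str, List[str]]]
    # paths nobody may modify, administrators included (configuration lockdown)
    protected_paths: List[str]
    # programs no service may start on any host (the paper's "no FTP allowed" rule)
    banned_programs: List[str]


def _matches(target: str, patterns: List[str]) -> bool:
    return any(fnmatch(target, p) for p in patterns)


def evaluate(policy: Policy, ev: SyscallEvent) -> Tuple[str, str]:
    """Return (verdict, reason) for one intercepted call.

    Global bans and protected paths are checked before the per-service
    allow list and ignore ev.is_admin, so a hijacked service that has
    gained administrative rights still cannot touch locked-down files."""
    if ev.operation == "exec" and _matches(ev.target, policy.banned_programs):
        return "deny", "banned program"
    if ev.operation in ("write", "delete") and _matches(ev.target, policy.protected_paths):
        return "deny", "protected path"
    service = policy.allowed.get(ev.process)
    if service is None:
        return "deny", "unknown service"
    if _matches(ev.target, service.get(ev.operation, [])):
        return "allow", "known-good behaviour"
    return "deny", "outside known-good behaviour"


# Constructed policy for a web server: it reads its content tree, appends to
# its own logs and talks to one database; nothing else is expected of it.
DEMO_POLICY = Policy(
    allowed={
        "httpd": {
            "read": ["/var/www/*", "/etc/httpd/*"],
            "write": ["/var/log/httpd/*"],
            "connect": ["10.0.0.5:3306"],
        },
    },
    protected_paths=["/var/www/*", "/etc/*"],
    banned_programs=["*ftp.exe", "*/ftp"],
)

# Constructed events: routine work first, then the kinds of actions the
# paper attributes to an exploit that has hijacked the service.
DEMO_EVENTS = [
    SyscallEvent("web1", "httpd", "read", "/var/www/html/index.html", False),
    SyscallEvent("web1", "httpd", "write", "/var/log/httpd/access.log", False),
    SyscallEvent("web1", "httpd", "connect", "10.0.0.5:3306", False),
    SyscallEvent("web1", "httpd", "exec", "/bin/sh", False),                          # service spawning a shell
    SyscallEvent("web1", "httpd", "write", "/var/www/html/index.html", True),         # page change despite admin rights
    SyscallEvent("web1", "httpd", "connect", "203.0.113.9:4444", False),              # unexpected outbound connection
    SyscallEvent("web2", "updater", "exec", "C:\\Windows\\System32\\ftp.exe", True),  # banned program, any host
    SyscallEvent("web2", "mystery", "read", "/var/www/html/index.html", False),       # service not in the policy
]


def run_demo(policy: Policy = DEMO_POLICY, events: List[SyscallEvent] = DEMO_EVENTS) -> List[Tuple[str, str]]:
    """Evaluate every event and return the verdicts in order."""
    results = []
    for ev in events:
        verdict, reason = evaluate(policy, ev)
        results.append((verdict, reason))
        print(f"{ev.host:5} {ev.process:8} {ev.operation:8} {ev.target:35} -> {verdict} ({reason})")
    return results


if __name__ == "__main__":
    run_demo()
```

The order of checks is the point: the ban and the protected-path rules run before the per-service allow list and never consult `is_admin`, which is what makes the lockdown hold after a privilege escalation. The paper's "without fear of false positives" claim rests on the allow list actually covering everything the service legitimately does (log rotation, configuration reloads, a new backend address); the check a practitioner wants before enforcing such a policy is a run in monitor-only mode over real traffic so that every "outside known-good behaviour" denial can be reviewed first.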


Symantec Critical System Protection also provides flexibility: if you don't want to entirely lock down your system, the Symantec solution can monitor key applications instead of enforcing a complete configuration lockdown. Simply put, Symantec Critical System Protection can take a forensics approach and be set up to work with approved enterprise management tools (such as Altiris). In this configuration, the Symantec solution allows updates to be pushed out, yet still protects from unauthorized behavior.

Security event monitoring

Security events occur every day, and it can be an overwhelming task to continually monitor and keep ahead of the threats. Symantec Critical System Protection contains a large library of the most common security events that should be monitored. Symantec has used a decade of experience in intrusion detection to provide a collection of best-practice monitoring rules in the library. By selecting a group of detection rules from the library and applying them to a set of servers, the continuous monitoring system reduces the burden on your security administrators, enabling them to focus on higher-value efforts.

In addition to the pre-defined rules, a workbench allows the administrator to define rules to monitor log files for just about anything. Not only does the rule set allow you to monitor, it also allows you to react instantly on the target server. For example, you may be monitoring the web server for failed login attempts. After a threshold has been met, you may disable the user account, alert the administrator, and increase security logging. All of this is done automatically based upon the trigger.
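The failed-login example above is a threshold rule with an automatic response, which is the general shape of a log-monitoring rule: parse each line, keep a per-subject count inside a time window, and fire the configured actions once when the count is reached. The following is an added illustration in Python, not the product's workbench rule language and not Symantec's code. The log format, the user names, the addresses and the 5-in-60-seconds threshold are all constructed for the example, and the responses are recorded rather than executed.

```python
"""Added illustration, not the product's own rule language: a threshold
rule of the kind described above, run over constructed log lines. When one
user accumulates `threshold` failed logins inside a sliding time window,
the rule fires once and records the responses the paper lists: disable the
account, alert the administrator, raise the logging level. The log format,
user names and addresses are all constructed for the example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# Constructed web server authentication log, "timestamp level message" layout.
# alice: five failures inside one minute. carol: five failures spread over
# seven minutes, which a 60-second window should not treat as one burst.
SAMPLE_LOG = """\
2007-11-05T10:00:01 WARN login failed user=alice src=203.0.113.7
2007-11-05T10:00:04 WARN login failed user=alice src=203.0.113.7
2007-11-05T10:00:05 INFO login ok user=bob src=198.51.100.2
2007-11-05T10:00:09 WARN login failed user=alice src=203.0.113.7
2007-11-05T10:00:12 WARN login failed user=alice src=203.0.113.7
2007-11-05T10:00:15 WARN login failed user=alice src=203.0.113.7
2007-11-05T10:00:16 WARN login failed user=alice src=203.0.113.7
2007-11-05T10:01:00 WARN login failed user=carol src=203.0.113.9
2007-11-05T10:02:30 WARN login failed user=carol src=203.0.113.9
2007-11-05T10:04:00 WARN login failed user=carol src=203.0.113.9
2007-11-05T10:05:30 WARN login failed user=carol src=203.0.113.9
2007-11-05T10:07:00 WARN login failed user=carol src=203.0.113.9
garbage line the parser should ignore
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<level>\w+) login (?P<result>failed|ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


class FailedLoginRule:
    """Sliding-window count of failed logins per user with automatic response."""

    def __init__(self, threshold: int = 5, window: timedelta = timedelta(seconds=60)):
        self.threshold = threshold
        self.window = window
        self._failures: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.disabled_accounts: set = set()
        self.actions: List[str] = []

    def feed(self, line: str) -> None:
        m = LINE_RE.match(line)
        if not m or m["result"] != "failed":
            return  # unparseable lines and successful logins are not counted
        ts = datetime.fromisoformat(m["ts"])
        user = m["user"]
        q = self._failures[user]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop failures that left the window
            q.popleft()
        if len(q) >= self.threshold and user not in self.disabled_accounts:
            self._respond(user, m["src"], ts)

    def _respond(self, user: str, src: str, ts: datetime) -> None:
        # The three responses the paper names, recorded instead of executed.
        self.disabled_accounts.add(user)
        self.actions.append(f"disable account {user}")
        self.actions.append(
            f"alert admin: {self.threshold} failed logins for {user} from {src} "
            f"within {int(self.window.total_seconds())}s, last at {ts.isoformat()}"
        )
        self.actions.append("raise security logging level")


def run_rule(log_text: str = SAMPLE_LOG, threshold: int = 5, window_seconds: int = 60) -> List[str]:
    """Feed every line of the log to one rule instance and return the actions it took."""
    rule = FailedLoginRule(threshold, timedelta(seconds=window_seconds))
    for line in log_text.splitlines():
        rule.feed(line)
    return rule.actions


if __name__ == "__main__":
    for action in run_rule():
        print(action)
```

Two details matter in practice. The rule fires once per account rather than on every subsequent failure, otherwise a continuing brute-force attempt would flood the administrator with duplicate alerts. And the window is what separates a burst from background noise: with the 60-second window only alice trips the rule, while widening it to ten minutes also catches carol's slow attempts, so the window and threshold are tuning choices for the environment, not constants.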

Here are some examples of the pre-defined security event monitoring rules:

- Domain configuration changes
- File tampering
- Scanner probes
- Malware detection
- IIS security configuration changes
- Network communication configuration
- SANS Top-20 vulnerabilities detection
- Audit tampering detection
- IIS or Apache vulnerable scripts detection
- Sendmail exploit detection
- UNIX stack execution denied detection
- Syslog tampering detection
- System hardening detection
- System share configuration changes
- Startup option change detection
- System security configuration detection
- USB device activity detection

Real-time alerting and log file consolidation

Important events, issues and attacks need to be reported in real time to security administrators. Symantec Critical System Protection has a sophisticated alerting system that allows the security team to determine which alerts are critical and should be recognized immediately. Real-time feeds from Symantec Critical System Protection can be sent to Symantec Security Information Manager. This solution correlates data from the protected servers to identify attacks that may involve multiple devices around the company.

For low-priority security events and compliance log files, the information is stored locally and then compressed and transmitted to the centralized management server. The information can be stored off-line in Symantec Enterprise Vault or imported into the security event database. This separation of alerts from log file consolidation greatly reduces the daily network traffic and streamlines the process of managing the volumes of information needed in today's corporate environment.


About Symantec

Symantec is a global leader in infrastructure software, enabling businesses and consumers to have confidence in a connected world. The company helps customers protect their infrastructure, information, and interactions by delivering software and ser-

Copyright 2007 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, Symantec Critical System Protection, Symantec Security Information Manager, Symantec Enterprise Vault are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

11/07 13540288

For specific country offices and contact numbers, please visit our Web site. For product information in the U.S., call toll-free 1 (800) 745 6054.

Symantec Corporation
World Headquarters
20330 Stevens Creek Boulevard
Cupertino, CA 95014 USA
+1 (408) 517 8000
1 (800) 721 3934
www.symantec.com