8/13/2019 B-whitepaper Keep Your Exposed Servers Protected 11-2007 13540288.en-us
Endpoint Security
Abstract
In today's landscape of emerging threats, effective security solutions as well as regulatory
compliance are essential. Symantec Critical System Protection ensures server integrity and
compliance across heterogeneous platforms. It effectively protects critical assets, and helps lower
costs of administering asset protection through simple, centralized policy management.
This paper shows how Symantec Critical System Protection, an easy-to-install solution,
provides effective countermeasures to protect your servers in five crucial ways:
1. Compliance monitoring offers a long list of predefined and custom compliance monitoring rules
(e.g., Audit Tampering Detection) for both system and application compliance, each designed
to meet the requirements of a growing body of laws and regulations.
2. Exploit prevention recognizes operating system functions that are well-defined and regularly
repeated, allowing Symantec Critical System Protection to automatically block unexpected
actions designed to hijack a service or function.
3. System configuration protection allows you to literally lock down servers to prevent
unauthorized changes to Web pages, Web applications, and more. Further, policies you set will
be enforced globally across all your server groups.
4. Security event monitoring provides a large library of common security events that need to
be monitored, with detection rules for continuous server monitoring that let security
administrators spend their time on more important tasks.
5. Real-time alerting and log file consolidation reports to administrators any important events or
attacks in time to determine which are critical and require immediate attention, and which are
low priority.
Every company exposes a set of servers to the public internet. These are used for delivery of web
content, interactive portals, e-business commerce sites, online banking, and corporate email,
and are exposed daily to a variety of threats. Successful attacks against these servers can put
company branding, customer confidence, and business reputation at risk.
Typically, these servers are somewhat hardened and protected by firewall and network
intrusion prevention technologies. Unfortunately, many attacks on these exposed servers arrive
as well-formed, permitted traffic and exploit weaknesses in operating systems or applications
rather than anything a firewall can block. Attacks range from web defacements to more elaborate
tampering involving capture and distribution of user credentials or transaction information.
One example of the threat to the exposed servers is the increasing number of web
defacements around the world. According to CERT-IN, the Indian Computer Emergency Response
Team, from January to April of 2007, over 2200 websites with India-specific domains were
defaced. This number shows significant growth over the same time period during the previous
year. The risk of web defacements is real and has significant consequences.
Why are these attacks successful? It may be as simple as a technical support service allowing
customers to upload a log file to a server. This decision can put the entire demilitarized zone
(DMZ) at risk. Well-documented cases of exploits leveraged against an operating system can easily
be found on the Internet. For example, in one case, the attacker uploaded a file to the server and then leveraged an
exploit in the FTP client, which gave them administrative control of the server.
At this point, all servers in the DMZ were exposed because firewall rules and intrusion detection
system (IDS) signatures did not cover server-to-server communications within the DMZ. The
attacker then explored the vulnerabilities of the other servers until they gained access to the
target system. The end result of this attack, defacement of the company website, was a
rather public and embarrassing exposure.
Many companies believe that if they update their network intrusion prevention signatures
and maintain current patches, they are safe from attack. But as zero-day threats continue to
surface, proactive protection of public-facing servers becomes an even higher priority. In the
case of a zero-day exploit, the attacker leverages a weakness silently but effectively. Attackers
no longer care about infecting thousands of machines, only the few that will result in a payday. By
the nature of these attacks, it can be a long time before the weakness is recognized and patched
by the vendor, and while the attacker has access to the system, they can create backdoors or other
avenues of access that survive the patch.
At Symantec, we believe that one of the most effective countermeasures to protect your
servers is Symantec Critical System Protection. This solution has been specifically designed
to protect and monitor server operating systems and applications. Symantec Critical System
Protection combines key technologies to protect and monitor the server environment.
The solution includes the following five major areas of protection:
Compliance monitoring
Exploit prevention
System configuration protection
Security event monitoring
Real-time alerting and log file consolidation
Compliance monitoring
An increasing number of organizations today face challenges complying with standards, laws,
and governmental regulations relating to security and administration. Good governance of your
IT infrastructure requires that you monitor your critical systems for adherence to your security
policies. Symantec Critical System Protection addresses this difficult issue by enabling real-time
compliance monitoring through its broad detection and intrusion prevention feature set. As a result, it addresses many
compliance standards such as PCI, Sarbanes-Oxley, and enterprise security policy compliance.
Symantec Critical System Protection's compliance monitoring allows you to provide your
auditors the evidence needed to prove that you are enforcing your policies and reacting to
situations as they arise. The intrusion detection library contains compliance-monitoring policies
such as ones that monitor successful and unsuccessful logins. In addition, you can use the
workbench to create any rule that is important for your environment, and use the file
watch services that monitor changes or abnormal activity on sensitive files.
Examples of pre-defined compliance monitoring rules include:
Audit tampering detection
Syslog tampering detection
Failed access monitoring
Logon success monitoring
Remote logoff detection
User configuration change detection
Group management change detection
The latest release, Symantec Critical System Protection 5.2, also extends compliance
monitoring beyond system compliance to application compliance. The Virtual
Agent capability allows administrators to monitor files and events on unsupported systems, yet
show the resulting events in the console as if they came from the original unsupported system. The
Virtual Agent monitors the remote system's events and files either via file shares or by
copying the relevant files to a system where a Symantec Critical System Protection agent is installed.
As a result, Symantec Critical System Protection can monitor for PCI compliance items,
such as user logons, on remote systems that do not have agents. The Virtual Agent capability
enables detection monitoring of older or less common systems that are not currently supported,
whereas other solutions only monitor the systems they currently support.
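As an added example, not Symantec code, of the file-watch idea described above (and of reporting events under the name of the host the files belong to, as the Virtual Agent does when files are copied or shared to an agent host), here is a small integrity monitor in Python. It takes a baseline of hashes and permissions for the watched files, compares a later baseline against it, and tags each event with an origin host. The directory layout, file names, watched suffixes and the host name `legacy-web01` are constructed for the example; the product's own policy format and agent protocol are not shown here.

```python
"""File-watch (integrity) monitoring for sensitive files (added example,
not product code).  A baseline of hashes and permissions is taken, a later
baseline is diffed against it, and each event carries the name of the host
the files belong to.  Paths, contents and host names are constructed."""
import hashlib
import stat
import tempfile
from pathlib import Path


def _fingerprint(path):
    """(sha256, permission bits, size) for one file."""
    st = path.lstat()
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    return (digest, stat.S_IMODE(st.st_mode), st.st_size)


def baseline(root, suffixes=(".html", ".php", ".conf")):
    """Map each watched file (relative to root) to its fingerprint.
    Only the listed suffixes are watched, mirroring a policy that names
    the sensitive files rather than hashing the whole disk."""
    return {
        str(p.relative_to(root)): _fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix in suffixes
    }


def compare(before, after, origin):
    """Diff two baselines into (origin, kind, relative_path) events.
    `origin` is the monitored host, which need not be the host running
    this code."""
    events = []
    for rel in sorted(set(before) | set(after)):
        if rel not in after:
            events.append((origin, "removed", rel))
        elif rel not in before:
            events.append((origin, "added", rel))
        elif before[rel][0] != after[rel][0]:
            events.append((origin, "modified", rel))
        elif before[rel][1] != after[rel][1]:
            events.append((origin, "mode_changed", rel))
    return events


def demo():
    """Build a constructed web root, baseline it, then simulate a
    defacement, a dropped script, a deleted config and a permission
    change; return the resulting events."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "htdocs").mkdir()
        (root / "htdocs" / "index.html").write_text("<h1>Welcome</h1>")
        (root / "htdocs" / "login.php").write_text("<?php // login ?>")
        (root / "httpd.conf").write_text("Listen 80\n")
        (root / "notes.txt").write_text("not watched")
        before = baseline(root)

        # Constructed tampering.  The unwatched notes.txt changes too, and
        # must not produce an event.
        (root / "htdocs" / "index.html").write_text("<h1>Hacked</h1>")
        (root / "htdocs" / "shell.php").write_text("<?php system($_GET['c']); ?>")
        (root / "httpd.conf").unlink()
        (root / "htdocs" / "login.php").chmod(0o777)  # exec bits never default on
        (root / "notes.txt").write_text("changed but unwatched")
        after = baseline(root)
        return compare(before, after, origin="legacy-web01")


if __name__ == "__main__":
    for host, kind, rel in demo():
        print(f"{host}: {kind} {rel}")
```

The digest is checked before the permission bits, so a file that was both rewritten and re-permissioned reports once as modified; a production rule would also record who changed it, which needs the audit trail the event monitoring section covers.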
Symantec Critical System Protection's intrusion prevention features also manage user
privileges and application control. As a result, the ability to restrict access to files on a
per-application, per-user, or per-group basis, block hacker and virus activity, control applications' network
activity, and control USB device usage are all available through the Symantec solution, which
can be used as a tool to ensure an organization's compliance. Whether it is limiting access to
specific files and programs, addressing Sarbanes-Oxley, or locking down applications as you would
potentially need for Health Insurance Portability and Accountability Act (HIPAA) compliance,
Symantec Critical System Protection can address compliance monitoring with its intrusion
prevention features as well.
Exploit prevention
The exploit prevention solution is a rather simple concept, yet an extremely powerful
implementation. Every service or function of the operating system is well defined:
services do the same job day in and day out with no change. Therefore, the known good behavior
of those services and functions can be defined and pre-packaged in the Symantec Critical
System Protection default policies. Because these protection policies describe the good behavior of
each element of the system, all other behavior can be automatically blocked; false positives
arise only where a policy does not fully describe a service's legitimate behavior, which is
why the policies can be adjusted for a given environment. This is a very powerful concept in protecting the operating system and
applications. It is also a different approach from other intrusion prevention technologies that rely
on baselines or application learning to create their protection profile. Symantec's security team
has encapsulated many years of knowledge into the default policies so that your staff doesn't
need to become expert in operating systems.
The end result of this approach is zero-day exploit prevention without the need for signatures
or updates. Exploits rely on the fact that they can hijack a service or function running with
administrative privileges. The exploit then uses that privilege to download files, make changes
to the security configuration, add user accounts, and the like. Symantec Critical System Protection
prevents this by automatically blocking the malicious request: the exploit may still reach the
vulnerable code, but the actions its payload depends on are denied, so once Symantec
Critical System Protection is installed the exploits just don't work.
Let us look briefly inside of the Symantec solution. Symantec Critical System Protection
inserts itself into the operating system using well-defined documented procedures that are
supported by the operating system vendors. Through its placement in the system, every system
call can be intercepted before it is executed. Symantec Critical System Protection evaluates
the system call and ensures its validity prior to passing it along to the execution engine of the
operating system. Some may be concerned about the performance degradation that this may
have on the system. While it is true that this zero-day exploit prevention is not resource free,
Symantec Critical System Protection was designed specially to reduce the amount of time it takes
to intercept and evaluate these calls. Through a patent-pending modular approach to validation
of the system calls, the resource expenditure is roughly three to six percent, depending on the
variables of the server and workload. Other similar solutions can take 20 percent or more of
the system's processing power, especially when under duress. Symantec's approach makes
Symantec Critical System Protection the best fit for a high-transaction production environment.
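To make the allow-list model of the two sections above concrete, the following Python sketch is an added example (not Symantec's policy language or its kernel interception code) of the decision an interception layer makes on each call: each program's known-good operations are listed, and any operation not listed is denied. The programs, paths, port patterns and the trace of post-exploitation actions are constructed for the example; `evaluate` stands in for the check that runs before a system call is passed on to the operating system.

```python
"""Default-deny behaviour policy for service processes (added example, not
Symantec's policy syntax).  Each service's legitimate operations are listed;
anything not listed is blocked.  Programs, paths and events are constructed."""
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class Event:
    """One intercepted operation, as a system-call hook would see it."""
    program: str    # image name of the calling process, e.g. "httpd"
    operation: str  # "read", "write", "exec" or "listen"
    target: str     # file path, program path, or "addr:port"


# Constructed known-good behaviour for two services.  Globs describe what
# each operation may touch; an operation with no entry is denied outright.
POLICY = {
    "httpd": {
        "read": ["/var/www/*", "/etc/httpd/*", "/usr/lib/*"],
        "write": ["/var/log/httpd/*", "/var/run/httpd.pid"],
        "exec": ["/usr/bin/php-cgi"],
        "listen": ["*:80", "*:443"],
    },
    "sshd": {
        "read": ["/etc/ssh/*", "/etc/passwd", "/etc/shadow"],
        "write": ["/var/log/secure", "/var/run/sshd.pid"],
        "exec": ["/bin/bash", "/bin/sh"],
        "listen": ["*:22"],
    },
}


def evaluate(event, policy=POLICY):
    """Return ("allow" | "deny", reason).  Unknown programs and unlisted
    operations fall through to deny: the policy is an allow-list, not a
    signature list, so a never-seen payload action needs no update."""
    rules = policy.get(event.program)
    if rules is None:
        return "deny", f"no policy for program {event.program!r}"
    for pattern in rules.get(event.operation, []):
        if fnmatch(event.target, pattern):
            return "allow", f"matched {pattern!r}"
    return "deny", f"{event.operation} of {event.target!r} is not known-good behaviour"


def enforce(events, policy=POLICY):
    """Apply the policy to a trace; return the blocked events with reasons,
    which is what an enforcement hook would log."""
    blocked = []
    for event in events:
        verdict, reason = evaluate(event, policy)
        if verdict == "deny":
            blocked.append((event, reason))
    return blocked


# Constructed trace: normal httpd work, then the post-exploitation steps the
# paper lists (fetch a file, weaken security config, add an account, deface).
TRACE = [
    Event("httpd", "read", "/var/www/html/index.html"),
    Event("httpd", "write", "/var/log/httpd/access_log"),
    Event("httpd", "exec", "/usr/bin/php-cgi"),
    Event("httpd", "exec", "/usr/bin/wget"),
    Event("httpd", "write", "/etc/ssh/sshd_config"),
    Event("httpd", "exec", "/usr/sbin/useradd"),
    Event("httpd", "write", "/var/www/html/index.html"),
]

if __name__ == "__main__":
    for event, reason in enforce(TRACE):
        print(f"BLOCK {event.program} {event.operation} {event.target}: {reason}")
```

The web root is readable but not writable by `httpd`, so the defacement write is denied along with the download and the account creation, while the normal serving of pages is untouched. A content deployment tool would need its own allow entry, which is the trade-off the System configuration protection section addresses.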
System configuration protection
System configuration settings, file systems, and access to services can be restricted by Symantec
Critical System Protection. This ability allows companies to literally lock down servers and ensure
that proper change control is executed on public-facing and mission-critical servers. In the case of
public-facing servers, this feature enables the company to prevent unauthorized changes to web
pages, web applications, and the like. It helps ensure protection against the public embarrassment
of web defacements or web application tampering.
Here is how it works: the security administrator or your consulting partner can define files,
file systems, and settings that may not be changed. Even if the machine is compromised and the
attacker gains administrative rights, the software will protect the settings, files, and directories.
One of the benefits of this approach is that by centralizing your configuration protection, you
reduce the amount of time needed to continually review and harden servers. The policy you
create will be applied universally across your server groups. You can apply a rule such as no
FTP allowed in the policy, and Symantec Critical System Protection will enforce it globally. With
Symantec Critical System Protection there is no need to visit all your servers and remove the
ftp.exe program files.
Symantec Critical System Protection also provides flexibility: if you don't want to entirely
lock down your system, the Symantec solution can monitor key applications instead of enforcing a complete
configuration lockdown. Simply put, Symantec Critical System Protection can take a monitoring (forensics)
approach and be set up to work with approved enterprise management tools (such as Altiris). In
this configuration, the Symantec solution allows updates to be pushed out, yet still protects against
unauthorized behavior.
Security event monitoring
Security events occur every day, and it can be an overwhelming task to continually monitor
and keep ahead of the threats. Symantec Critical System Protection contains a large library of
the most common security events that should be monitored. Symantec has used a decade of
experience in intrusion detection to provide a collection of best-practice monitoring rules in the
library. By selecting a group of detection rules from the library and applying them to a set of
servers, the continuous monitoring system reduces the burden on your security administrators,
enabling them to focus on higher-value efforts.
In addition to pre-defined rules, a workbench allows the administrator to define rules to
monitor log files for just about anything. Not only does the rule set allow you to monitor, it also
allows you to react instantly on the target server. For example, you may be monitoring the web
server for failed login attempts. After a threshold has been met, you may disable the user account,
alert the administrator, and increase security logging. All of this is done automatically based upon
the trigger.
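The failed-login threshold rule described above, worked through as an added example in Python (not a product rule; the log line format, timestamps, user names, addresses and the three response actions are constructed for the example). It parses the sample log, keeps a sliding window of failures per user, and emits the responses once the threshold is reached:

```python
"""Threshold detection with automated response over login log lines
(added example; the log format, timestamps and response actions are
constructed for the example and are not a product rule)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_OK|LOGIN_FAILED) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: jsmith is brute-forced from one address; admin
# fails once and then logs in normally.
SAMPLE_LOG = """\
2007-11-05T10:15:02 LOGIN_FAILED user=jsmith src=203.0.113.5
2007-11-05T10:15:04 LOGIN_FAILED user=jsmith src=203.0.113.5
2007-11-05T10:15:05 LOGIN_FAILED user=admin src=198.51.100.7
2007-11-05T10:15:06 LOGIN_FAILED user=jsmith src=203.0.113.5
2007-11-05T10:15:09 LOGIN_OK user=admin src=198.51.100.7
2007-11-05T10:15:10 LOGIN_FAILED user=jsmith src=203.0.113.5
2007-11-05T10:15:11 LOGIN_FAILED user=jsmith src=203.0.113.5
2007-11-05T10:15:12 LOGIN_FAILED user=jsmith src=203.0.113.5
2007-11-05T10:25:30 LOGIN_FAILED user=jsmith src=203.0.113.5
"""


def parse(line):
    """Return (timestamp, event, user, src), or None for lines that do not
    match; a monitoring rule must skip noise rather than stop on it."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return datetime.fromisoformat(m["ts"]), m["event"], m["user"], m["src"]


def detect(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return the response actions triggered, in order.

    A user whose failed logins reach `threshold` within `window` triggers
    the three responses the paper lists.  The rule fires once per user:
    the account stays disabled until an administrator re-enables it, so a
    sustained attack does not produce a flood of duplicate actions.
    """
    recent = defaultdict(deque)  # user -> timestamps of recent failures
    disabled = set()
    actions = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, event, user, src = rec
        if event == "LOGIN_OK":
            recent[user].clear()  # a successful login ends the streak
            continue
        failures = recent[user]
        failures.append(ts)
        while failures and ts - failures[0] > window:
            failures.popleft()  # drop failures outside the sliding window
        if len(failures) >= threshold and user not in disabled:
            disabled.add(user)
            actions.append(("disable_account", user))
            actions.append(("alert",
                            f"{len(failures)} failed logins for {user} "
                            f"from {src} within {window}"))
            actions.append(("raise_log_level", "auth", "debug"))
    return actions


if __name__ == "__main__":
    for action in detect(SAMPLE_LOG):
        print(action)
```

Disabling the account is the response the paper names; note that it also lets an attacker lock out a legitimate user by guessing wrong on purpose, so in practice the threshold and the choice of response (lock the account, or block the source address) are set per environment.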
Here are some examples of the pre-defined security event monitoring rules:
Domain configuration changes
File tampering
Scanner probes
Malware detection
IIS security configuration changes
Network communication configuration
SANS Top-20 vulnerabilities detection
Audit tampering detection
IIS or Apache vulnerable scripts detection
Sendmail exploit detection
UNIX stack execution denied detection
Syslog tampering detection
System hardening detection
System share configuration changes
Startup option change detection
System security configuration detection
USB device activity detection
Real-time alerting and log file consolidation
Important events, issues and attacks need to be reported in real time to security administrators.
Symantec Critical System Protection has a sophisticated alerting system that allows the security
team to determine which alerts are critical and should be recognized immediately. Real-time
feeds from Symantec Critical System Protection can be sent to Symantec Security Information
Manager. This solution correlates data from the protected servers to identify attacks that may
include multiple devices around the company.
For low-priority security events and compliance log files, the information is stored locally
and then compressed and transmitted to the centralized management server. The information
can be stored off-line, in Symantec Enterprise Vault, or imported to the security event database.
This separation of alerts from log file consolidation greatly reduces the daily network traffic and
streamlines the process of managing the volumes of information needed in today's corporate
environment.
About Symantec
Symantec is a global leader in
infrastructure software, enabling
businesses and consumers to have
confidence in a connected world.
The company helps customers
protect their infrastructure,
information, and interactions
by delivering software and ser-
Copyright 2007 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, Symantec
Critical System Protection, Symantec Security
Information Manager, Symantec Enterprise Vault
are trademarks or registered trademarks of Symantec
Corporation or its affiliates in the U.S. and other coun-
tries. Other names may be trademarks of their respec-
tive owners. The product described in this document is
distributed under licenses restricting its use, copying,
distribution, and decompilation/reverse engineering. No
part of this document may be reproduced in any form
by any means without prior written authorization of
Symantec Corporation and its licensors, if any.
11/07 13540288
For specific country offices and
contact numbers, please visit
our Web site. For product
information in the U.S., call
toll-free 1 (800) 745 6054.
Symantec Corporation
World Headquarters
20330 Stevens Creek Boulevard
Cupertino, CA 95014 USA
+1 (408) 517 8000
1 (800) 721 3934
www.symantec.com