In a move that could improve Symantec Corp.'s standing in the hotly contested market for enterprise security management products, the company Monday announced a new vulnerability assessment tool and an updated version of its Incident Manager software.
Symantec Vulnerability Assessment 1.0 is a host-based vulnerability assessment tool that can identify vulnerable systems and applications on a network using information in Symantec's vulnerability database. The product is built on Symantec's Enterprise Security Architecture (SESA), an open, standards-based architecture for managing security devices across a network.
A software agent installed on host machines performs the vulnerability assessments, checking for vulnerable software versions and configurations that might act as avenues of attack for malicious hackers, worms and viruses. That information is relayed to a common SQL data store that is part of SESA along with security information collected from other Symantec Enterprise Security products, according to Ronald van Geijn, director of product management at Symantec.
Through the Vulnerability Assessment product's Web-based user interface, administrators can select a known vulnerability, such as the recent Microsoft WebDAV vulnerability, and see which systems on their network are affected.
Through the user interface, systems can be selected and scanned. The vulnerabilities detected on those systems can then be sorted in a variety of ways such as by the affected platform or by urgency, which is a measure of the vulnerability's impact on the affected system's integrity, Symantec said.
The ranking assigned to individual vulnerabilities helps administrators decide which problems need to be addressed immediately, which can wait and which don't need to be addressed at all, van Geijn said.
Vulnerability Assessment 1.0 also makes use of Symantec's DeepSight alert network and its database of product vulnerabilities and attacks, which spot and track Internet threats.
As information changes in real time, the status of a given vulnerability can also change, he said. For example, a software vulnerability for which no patch has been issued might receive an urgency rating of "critical." Once a patch has been issued, however, the urgency rating of that issue might decrease, van Geijn said.
The company's Security Response organization, including the Bugtraq mailing list that Symantec acquired with its purchase of SecurityFocus in August 2002, provides vulnerability signatures as well as procedures for patching vulnerable systems, including links to patches and online knowledge bases.
Symantec's LiveUpdate technology delivers updated security information automatically to the SESA common data store on the customer network, which is then used by the Vulnerability Assessment product, the company said.
Along with the new software product, Symantec announced a new version of Symantec Incident Manager, which enables security administrators to identify, correlate and prioritize security issues.
Symantec Incident Manager 2.0 has improved correlation features that allow it to perform automated, real-time correlation of events.
The company also added attack tracing features that can help administrators identify redundant incident reports by examining new events in the context of known incidents, Symantec said.
For security incidents that are identified, a risk analysis engine enables administrators to apply risk profiles to different parts of their business and then use that information to determine the severity of the individual events and assign each event a "Business Impact Rating."
Once events are identified, workflow features aid administrators in tracking them through to resolution, providing a checklist for each phase of the incident and logging each completed action.
When combined with the new Vulnerability Assessment product, Incident Manager can correlate attacks to vulnerabilities, making it easier for administrators to focus on just the systems affected by an ongoing attack, Symantec said.
"We're moving customers from a chaotic and reactive paradigm to one focused on prioritization, identification and action," said John Heath, senior product manager of Incident Manager.
As with other products based on the SESA architecture, Symantec Vulnerability Assessment and Incident Manager can be managed from a common, Web-based interface, van Geijn said.
That kind of close integration and ease of use will be attractive to companies looking to simplify their security management operations, said Charles Kolodgy, an analyst at IDC.
"Going forward, I think it's going to be less about the capabilities of individual products than their integration -- the integration of multiple capabilities inside a single management framework," he said.
With senior IT staff scarce and expensive, companies are demanding products that are powerful, but simple enough for junior staff to manage and use, Kolodgy said.
"Customers are demanding some reduction in terms of administrative overhead for these products. There's a movement away from products that require extremely senior security gurus to run (them)," he said.
Symantec Vulnerability Assessment costs US$795 per server, a price that includes one year of maintenance, upgrade insurance and support. Workstation licenses cost $150. The price of Symantec Incident Manager starts at $75,000 and varies depending on the number of systems to be monitored and customer needs, a Symantec spokeswoman said.