ZDNet UK / News and Analysis / Infrastructure / Servers

Could Symantec have saved you from Slammer?

By John McCormick, TechRepublic, 3 March, 2003 12:03

Daily Newsletters

Sign up to ZDNet UK's daily newsletter.

Topics

Symantec, Monitoring, Slammer

In the relevant press release, Symantec claims, "The DeepSight Threat Management System discovered the Slammer worm hours before it began rapidly propagating. Symantec's DeepSight Threat Management System then delivered timely alerts and procedures, enabling administrators to protect against the attack before their environment was compromised." Such a claim would be better if there were some offer of proof, especially in light of the forensic analysis of the Slammer attack conducted by the University of California-Berkeley's Cooperative Association for Internet Data Analysis. UC-Berkeley's Slammer report determined that Slammer spread at a rate 250 times faster than Code Red, doubling the number of infected machines every 8.5 seconds. The bulk of the Slammer attack was over in a very short time. When I pointed this out to the company, a Symantec spokesperson responded, "Even though there is active discussion on the initial infection rate of this work (10 to 60 minutes) to reach critical mass, the peak period of recorded scans was over a three-hour period and continued at a reduced rate throughout [the next day]." Apparently, at the same time I was told this, Symantec was releasing a Slammer timeline, as quoted in The Register:
  • 2200 (approx) PST, Friday, January 24: Firewall sensors detect numerous connection attempts on port 1434, Symantec's DeepSight Threat Management System generates automated alert to customers.
  • 2300 (approx) PST, Friday, January 24: First third-party posts on the phenomenon [appear on] BugTraq.
  • 0000 PST, Saturday, January 25: Intrusion Detection System (IDS) sensors light up (worm is spreading prolifically). Details become more concrete and Symantec moves its alert status from medium to high-risk range.
  • 0200 PST, Saturday, January 25: First public Web alerts [arrive] providing detailed information on Slammer, IDS signature updates and suggestions on mitigation strategies.
This assessment doesn't exactly match the hype in Symantec's initial press release and makes it clear that DeepSight didn't actually warn about Slammer but rather sent out a general warning of increasing port 1434 scans. A better example of DeepSight's capabilities Vincent Weafer, a director of Symantec Security, told me that the usefulness of the DeepSight service was better illustrated by the May 2002 Spida worm attack on Microsoft SQL Server. This attack took much longer to propagate than Slammer and, as he pointed out, "The threat management system saw this attack 24 hours before we obtained our first virus submissions from our customers." Weafer cited another value of DeepSight. "We can analyse attack trends and help give a stronger risk assessment message to customers to help them in prioritising the security patches on their systems. For example, many worms leverage a small number of vulnerabilities [in order] to propagate (e.g., the malformed MIME vulnerability that allows autoexecution of unsafe code on unpatched versions of Outlook and Outlook Express clients)." DeepSight 4, which was introduced on Feb. 12, 2003, includes firewall and IDS data from 180 countries, expands the number of reporting tools, and allows administrators to customise the way vulnerabilities are sorted, such as by the threat level or the software version(s) affected. See Symantec's two-page fact sheet for more information on the DeepSight Alert Services. Bottom line Symantec left itself wide open to a storm of criticism over the apparent slowness in warning the public about Slammer, all because of what appears to have been nothing more than an overzealous PR department. If we ignore the hype over early Slammer notification and whether it actually occurred before Slammer peaked, and we focus instead on what DeepSight actually did, we can see that the service was very fast in informing clients about an emerging threat. Even if the notice didn't offer anything more than advice to block port 1434 at the firewall, it would have provided a worthwhile service to subscribers. We can only hope that Slammer isn't an indication of how quickly new attacks will spread. If it is, even an automated notification service such as DeepSight won't be of much use, although that type of service may still be mandatory for large companies simply because it may help. In any case, I think DeepSight provides a useful management tool for enterprise administrators. Certainly, some automated threat alert of this sort will soon form the baseline for good security management on mission-critical systems, if only to reduce the number of information sources that the already-harried enterprise managers need to monitor on a continuous basis. The ability to focus on the most critical patches based not on vendor notices but on real-world exploits can be valuable. DeepSight appears to be a sophisticated warning service and almost certainly generates alerts earlier than free reports that appear on the Web. But two important questions remain:
  • Are the alerts sufficiently earlier than those provided by free online services to be worth the cost?
  • Even with early notification of a virus or exploit, will IT departments have enough time to deploy patches that can secure their systems?
Each organisation that evaluates whether Symantec DeepSight can provide value will need to make careful study of these questions based on their infrastructure and the resources available in their IT department.
For a weekly round-up of the enterprise IT news, sign up for the Enterpise newsletter. Tell us what you think in the Enterprise Mailroom.

Related stories

Dell plugs enterprise tools into entry-level PowerEdges

Fujitsu: Cheap servers can't fit all cloud roles

IBM rolls out PowerLinux systems for Red Hat and SUSE

Talkback

Symantec is only interested in Symantec and in defrauding its customers! There is no easy way of contacting Symantec and this leads one th think that they do not want customer contact. Their, supposed, customer service is out sourced to India and is no help.

I can only see one way to deal with this dishonest company and that is for EVERYONE TO STOP PURCHASING ANY OF THEIR PRODUCTS!

via Facebook 3 October, 2004 21:09
Reply

Post your comment

In order to post a comment you need to be registered and logged in.

You can also log in with Facebook. Log in or create your ZDNet UK account below

  • Login

Will not be displayed with your comment

By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy. Questions about membership? Find the answers in the Community FAQ

Get ZDNet UK's daily newsletter

Enter your email address to sign up

ZDNet UK Live

Thomas Gellhaus

I also installed the KDE version; I also will probably try out razorqt since I really haven't had a chance to before. I'm looking forward to the...

3 hours ago by Thomas Gellhaus via Facebook on Mageia 2 Released
francisabigail

Acquiring when reinvention/cannibalization is too challenging for a large organization can be an excellent strategy- still, so many mergers stumble...

6 hours ago by francisabigail on Ariba buy parks SAP on Oracle's cloud turf
apexwm

All of the feedback regarding using a touch monitor for a desktop PC is right on. Several months ago, we installed a "demo" multitouch all-in-one...

11 hours ago by apexwm on Windows 8 could speed multi-monitor uptake
191706

anyone wanting to triple boot *their* own Mac

12 hours ago by 191706 on xTreme Triple Booting: Linux, Mac & Windows
SoapyTablet

Cont.. Biggest Bugbear: Win7's stop-animate-go approach to work, you develop a staggered (not in the above alchohol sense of the word) approach to...

12 hours ago by SoapyTablet on Windows 8 could speed multi-monitor uptake
SoapyTablet

Ah the joys of Windows 8 Consumer Preview... If Windows 7 was 'Vista with Lipstick', whats Windows 8? Vista with Lipstick, the morning after?...

12 hours ago by SoapyTablet on Windows 8 could speed multi-monitor uptake
daveveej

Though the metro look is quite cool on the windows mobile platform I think that think that microsoft ARE MESSING THINGS UP because what has they...

13 hours ago by daveveej on Windows 8 could speed multi-monitor uptake
Custonian

I agree, we have a few touch screen monitors in work but as Windows7 and the applications we use are not touch screen friendly (the size of the...

13 hours ago by Custonian on Windows 8 could speed multi-monitor uptake
archerthom

I find it amusing that Microsoft added the mouse, which was deemed awkward, but people were forced to use it so it stuck, and now they're saying,...

15 hours ago by archerthom on Windows 8 could speed multi-monitor uptake
BrownieBoy

Agree with other comments. Nobody's going to start reaching out to start tapping their desktop monitors with their fingers. Their arms would tire...

24 hours ago by BrownieBoy on Windows 8 could speed multi-monitor uptake
Random_Error

The only way a touch monitor would be any good is if it were horizontal on the desk, with a virtual keyboard so you could do away with that as well...

1 day ago by Random_Error on Windows 8 could speed multi-monitor uptake
JBDragon

This is just dumb! Forget that I think Windows 8 will bomb, but really, people are going to go out and buy touch Monitors now??? Just pretend...

1 day ago by JBDragon on Windows 8 could speed multi-monitor uptake
Jake Rayson

@Andy Bolstridge > Unfortunately, we need the majority to work 9-5 And therein lies the lie. I work very hard indeed for my idleness, early starts...

1 day ago by Jake Rayson on The Idle Self-employed
Burn-IT

What happens when one hosting platform "acquires data" from another? If I forced the first one to remove it, who is responsible for chasing the...

2 days ago by Burn-IT on Google picks holes in EU's 'right to be forgotten'
JohnTalich

iSpring Pro is a nice tool, that allows PowerPoint to SCORM conversion. They also have free tool, that also generates SCORM compliant courses.

2 days ago by JohnTalich on How To Convert PowerPoint To SCORM Compliant Course
aaron.sloman

I think the answer to the question requires a deeper analysis of where the income can come from who else is now competing for it, who else will be...

2 days ago by aaron.sloman on The three big questions about Facebook's IPO
Brent Pieczynski

Your correctness about Government websites not being compliant with their own websites is correct. Most criticism of other people takes so many...

2 days ago by Brent Pieczynski on Privacy watchdog to chase big companies over cookie law
Kelvyn Taylor

802.11ac does promise some tricks to improve range & reliability, but not sure how these will work in practice until I get real products to play...

2 days ago by Kelvyn Taylor via Facebook on Next-generation 802.11ac routers
mrudang009

My wife and I love our new Kindle Fire. It's lightweight, easy to use and has a great interface. The first thing I recommend anyone with a new...

2 days ago by mrudang009 on Waterstones to sell Kindles with in-store offers
mrudang009

It basically unlocks all the Android marketplace apps and unlocks the device. I am one very happy Kindle owner!

2 days ago by mrudang009 on Waterstones to sell Kindles with in-store offers

Latest in Servers

Dell plugs enterprise tools into entry-level PowerEdges

Fujitsu: Cheap servers can't fit all cloud roles

IBM rolls out PowerLinux systems for Red Hat and SUSE

Featured white papers

Great British computers: A ZDNet UK retrospective

ZDNet UK

Great British computers: A ZDNet UK retrospective

Would you believe the first ever business computer totted up the price of cakes, bread and pies? You would if you knew it was operated by a British tea-shop company. Take a trip down computing memory lane with this guide to great British... Read more

Report: Mixed workload performance in VMware environments

IBM

Report: Mixed workload performance in VMware environments

This ESG Lab report indicates that IT managers looking to reap the benefits of server and storage consolidation are concerned about... Read more

Product analysis: Hitachi Unified Storage 100 series

Hitachi

Product analysis: Hitachi Unified Storage 100 series

This report from Josh Krischer and Associates looks at storage requirements and challenges in a weakened economy, with a focus on Hitachi's mid-range storage platform HUS 100... Read more

Inside ZDNet UK

Google digs in heels over EU antitrust ultimatum

Google digs in heels over EU antitrust ultimatum

Firefox rapid release improves Fedora Linux

Firefox rapid release improves Fedora Linux

Asus Transformer Pad TF300T

Asus Transformer Pad TF300T

How to gain total message system visibility

How to gain total message system visibility

HTC One V: First take

HTC One V: First take

SharePoint deployment: The final chapter

SharePoint deployment: The final chapter

Ten IT jobs to save up for those rare lulls

Ten IT jobs to save up for those rare lulls