Symantec’s early warning system shines

DeepSight Threat Management service sounds an early alert when Internet evil is afoot

It has always been hard for a single business to gather the intelligence necessary to prepare for the depredations of hackers, virus creators, and worm writers. Suddenly, you’re faced with having to update your systems with too little time to plan, no time to test, and the knowledge that you may have already been invaded through vulnerabilities you couldn’t fix in time.

Symantec’s DeepSight Threat Management System 5.0 service can get you the information you crave. It relies on both expert analysis and data gathered from around the globe to provide intelligence and early warnings about attacks, vulnerabilities, and even tentative probings. DeepSight alerts you immediately if a threat reaches a set threshold, and provides the details needed to respond quickly.

Using DeepSight is straightforward: You get log-in information from Symantec and enter either of its two DeepSight Web sites. The Alert Services site is designed to warn you when there is activity that could threaten any part of your enterprise. The Threat Management System goes deeper, providing detailed information about the nature of an impending threat, the likelihood of it becoming a threat to your enterprise, and how it may affect you.

To maintain its timeliness, Symantec gathers data from instrumented firewalls, servers, intrusion detection systems, and other network devices worldwide. The data is analyzed as it’s aggregated; when a trend appears, the site sends out early alerts.

DeepSight’s difference is customization. You select the level of threat severity for alerts and notifications by product. Plus, you can vary that level by device, choosing the exact versions of OSes, hardware (such as print servers and routers), or apps on your network.

DeepSight’s alerts are also customized — you can have an e-mail sent when a potential threat reaches one level of severity, but have an alert sent to your cell phone or pager if the threat rises.

This level of customization is unique, and better than anything I’ve seen in other solutions. But you must tell DeepSight exactly what you want to get the most appropriate reports.

DeepSight’s other advantage is its storehouse of security knowledge. You’ll find all there is to know about any impending threat against the products you use in your enterprise on the DeepSight Web sites. On the Alert Service site, for example, you can see a complete list of all reported recent issues; clicking on each one provides a detailed description.

The Threat Management System is equally clear. The opening screen gives you a graphical indication of the threat level and line graphs of important metrics, such as a particular threat’s trend line. A click on the day’s report gives you a detailed description of activities.

Much of the material on the sites is only distantly related to an actual threat. Fortunately, DeepSight makes it very clear how serious and immediate its analysis rates the threat, so you can plan an appropriate course of action.

DeepSight is easy to set up and use, but I never managed to get SMS messaging to work despite trying multiple phone types and multiple carriers. On the other hand, the e-mail alerts worked perfectly.

For what DeepSight is designed to do (provide timely threat information and alerts), it’s very complete. The biggest question is cost: The full package will set you back $20,000 a year, though you can subscribe to DeepSight’s parts separately. Then again, even one exploited vulnerability will cost you a lot more than DeepSight’s subscription fee, so consider your options carefully.

InfoWorld Scorecard: DeepSight Threat Management System 5.0
Interoperability (20.0%): 10.0
Ease of use (15.0%): 8.0
Value (10.0%): 8.0
Timeliness (20.0%): 10.0
Setup (15.0%): 8.0
Completeness (20.0%): 9.0
Overall Score (100%): 9.0