Symantec on site experts help clients combat cyber threats

Relying on the latest and best information security products and resources is fine.

But with an onsite expert to guide you, these tools could provide tremendously more value, says Cupertino, Calif.-based Symantec Corp.

CTAP-ping the right resources

So, earlier this week, the security firm formally announced its Cyber Threat Analysis Program (CTAP), offering clients just that — the services of a “cyber threat analyst”, resident at the customer site, along with access to a range of Symantec’s proprietary data resources.

Read related stories

Malware threats have more than quadrupled

Symantec: C-level execs still don’t get the message

Symantec: When you should dip into honeypots

While the program is only being publicized now, executives from the security firm say its been running for slightly over a year, and the response has been heartening.

Also see our slideshow

Inside Symantec’s Security Operations Center

“So far we have around 30 cyber threat analysts out in the field,” said Ted Donat, director, product management at Symantec’s Global Consulting Services organization. “Typically they would reside at the customer site for one to five years – depending on the need.”

Speaking to, Donat said CTAP responds to customers’ needs for a more proactive way of dealing with cyber security threats that are growing more numerous and serious by the day.

In its latest Internet Security Threat Report, published in April, Symantec says it created more than 1.6 million new malicious code signatures in 2008.

On average, it blocked more than 245 million attempted malicious code attacks worldwide during each month of 2008. Ninety per cent of all detected threats attempted to steal confidential information, the report said.

Donat noted that the Internet Security Threat Report draws on Symantec’s Global Intelligence Network, which the security firm calls “one of the largest commercial repositories of cyber security-focused vulnerability data.”

The network includes more than 120 million desktop, server, and gateway antivirus installations that allow spyware and adware to be captured and transmitted back to Symantec Security Response Centres (SRCs) for analysis.

Donat said customers greatly value this information, but want more.

“They said they needed to understand what’s happening in their environment in the context of these global threats, to appropriately respond to current threats and prevent future ones.”

CTAP, he said, is tailored to meet those needs. “It’s a very specialized service that we’ve never offered before.”

At least one Canadian analyst acknowledges that the offering is “pretty unique.”

“I don’t know of any other vendors in Symantec’s category or space offering this kind of service,” said James Quin, senior research analyst, at Info-Tech Research Group in London, Ont.  

“On the whole I think it’s a definitive indication of Symantec’s strong push into services, and in particular managed services as a way of expanding their lines of business and revenues.”

Fusion cuisine

The threat analysts placed at customer sites have worked in secure environments and within Symantec’s own response organization, Donat said.

“They know what’s going on in the global landscape, and in the customer’s network, have the expertise to fuse those pieces of the puzzle, and provide intelligence and actionable information on how to remedy any problems.”

CTAP analysts will focus on four areas: cyber intelligence, network operations analysis, malicious code analysis and forensics.

Apart from the security benefits, timely intervention by an onsite specialist can generate huge cost savings for clients, according to Tim Gallo, technical product manager at Symantec.

He recalled the case of a customer, who after detecting some activity through their intrusion detection systems (IDS), responded inappropriately to the incident.

“The IDS information was also provided to our onsite analyst,” Gallo noted. “He looked at that and the firewall data, as well as at our Global Intelligence Network resources, including the vulnerability catalogue, malicious code catalogue, attack catalogue, data leakage and spyware catalogue.”

By blending this global and customer-specific information, said Gallo, the specialist was able to conclusively determine that the so-called attack wasn’t an attack at all. “It was a false positive.”

So he advised the client to call a halt to the incident-response process initiated earlier. 

The benefits of doing this were immediately apparent, he said, as the cost of responding to such false positives can be very high – and includes lost work hours, wasted manpower and resources.

Pricey program?

Donat said CTAP pricing varies and hinges on various factors: client requirements, access to Symantec’s data resources, and for how long the security expert will be resident at the customer site. “The minimum time length is one year.”  

He said annual cost to the customer starts from “the low to middle $300,000s” and goes up depending on the number and type of resources required.

Services and actionable information provided by the expert could be reactive (information/advice on responding to a current threat) or proactive — combing data to identify and forestall a potential threat “that may at the customer’s doorstep.”

While, right now its larger firms that are opting for the program, he said “the size of the enterprise isn’t so much the issue as need.”  

Gallo noted that CTAP comes under the purview of Symantec’s Security Intelligence Services.

This umbrella offering includes other services such as Deep Sight Threat Management System – that provides customers intelligence covering the complete threat lifecycle, from initial vulnerability to active attack.

He said Symantec’s goal is to offer security services to meet the requirements of every kind of customer.

These could range from the small outfit that only wants alert e-mails, to one that needs the kind of “proactive remediation” that a cyber threat specialist can provide.

The big question is whether an on-site security specialist really provides significant value to justify the cost of CTAP program.

Info-Tech’s Quin acknowledges that specialists always make a difference, as does enhanced knowledge and information.

Still he believes many organizations will find it “far more cost effective to employ one or more dedicated security specialists of their own and rely on more commonly available information than to opt for such a service.”

Symantec’s Donat said CTAP clients include national governments, and critical infrastructure organizations in the finance, power, energy, transportation and manufacturing sectors.

Given the sensitive nature of the data these organizations handle, he said, having that information travel off site could be risky. And that, he suggested, is another reason why having a Symantec specialist on site makes sense.

Quin, however, isn’t convinced.

“It’s certainly an argument for having dedicated resources [but] I’m not sure it’s an argument for using an expensive (or potentially very expensive) third party service.”

“Most threats are pretty basic”

Symantec’s messaging for CTAP focuses a great deal on the role its proprietary data sources – which collectively comprise its Global Intelligence Network – play in the success of the program.

The media release announcing the program notes that:

By leveraging Symantec’s global repositories, the analysts give customers access to a depth and breadth of information and tools that are only attainable through this program (italics mine) including:

  • Attack, vulnerability and malicious code intelligence
  • Phishing, spam, data leakage, spyware, adware and virus intelligence
  • Underground cyber economies and honeypot network intelligence
  • Symantec’s Cyber Threat Analysis Program analyst community

According to Quin, however, the actual value to users of these proprietary resources isn’t likely to greatly exceed what’s found in the public domain.

“Top 25 lists, threat advisories and vulnerability information are pretty widely available from a multitude of sources these days,” he notes.

“Even assuming Symantec has ‘better’ data, the vast majority of businesses continue to be susceptible to pretty basic threats – unsecured wireless access points, unencrypted laptops and back-up tapes, unpatched systems and so on.”

He said when dealing with such issues, resources of the Global Intelligence Network either aren’t going to be very handy or won’t be the only sources of information that can be used to overcome those problems.

“The most common vulnerabilities affect the greatest number of organizations,” he said. “Defending against those goes a long way to improving organizational security without the need for specialized knowledge.”

Share on LinkedIn Share with Google+