Windows Vista includes several barriers designed to prevent malicious code from gaining access to the operating system core, or kernel. Among them is the “Patch Guard” feature, which checks the integrity of key parts of the kernel code; according to a report released by Symantec last week, that check can be disabled. Microsoft, however, said in a recent News.com story that these issues have been addressed in the Vista builds that followed the one Symantec used for its report.
“Microsoft wants everybody out of the kernel,” said Vincent Weafer, senior director of Symantec security response, expressing his concern about Microsoft’s decision. “This is the core of our technology to protect our users.”
Despite not having access to the operating system core, Weafer said Symantec is working around it in the development of its future products.
“We have some APIs that we have access to,” he said. “We augment that by looking at heuristics.”
The kernel protection is an extra layer of security to make sure that what’s being installed onto the machine is legitimate software, said Derek Wong, senior product manager, security/management, Microsoft Canada Co.
“We want to be able to ensure the user understands what’s been loaded onto the machine,” said Wong. “That’s the key thing about the malware and spyware issue where they’ve actually inserted code in there that’s not supposed to be there. People just unknowingly upload code without knowing this stuff is on there.”
Wong added that security in Vista goes beyond locking down the operating system core.
“We look at a concept called defence in depth where you need different defense points to enter your network,” said Wong. “It’s like an onion: you peel one layer, there’s another layer. You’re still going to require your traditional network procedures in addition to protecting the operating system. By locking down the operating system we’re securing one of those layers.”
Symantec’s Weafer spoke to a group of Canadian journalists who were visiting one of Symantec’s five security operations centres (SOCs), in Alexandria. The others are in Tokyo, Sydney, Twyford, England and Munich, Germany. These centres are part of Symantec Managed Security Services, which serves 500 customers worldwide with 24/7 operations support from 200-plus security professionals. Symantec serves over 84 of the global Fortune 500 companies, the majority of which are financial services companies, followed by power and energy companies and health care. Another set of customers comprises those that measure losses closely, such as manufacturing and consumer packaged goods companies and technology firms.
“These centres help us get an understanding of who’s attacking and what we need to do to prevent possible harm,” said Jonah Paransky, director of product management for Symantec Managed Security Services.
Security analysts work three eight-hour shifts to keep the centre running 24 hours a day, seven days a week. In the event of an attack, a senior analyst will contact the customer, no matter what time of day it is, to start work on the problem or to take proactive measures to prevent an attack from happening.
The centre, which is located on the lower level of Symantec’s offices in Alexandria, Va., requires two-factor authentication to gain access. Once inside, the centre features three large LCD screens that show the number of threats worldwide and the phone queue for customer calls. The large screens are surrounded by several smaller ones that are tuned into various TV all-news stations such as CNN and CNBC to keep analysts on top of what’s going on in the world that might be affecting the information they’re getting.
The SOC in Virginia handles over 1.2 billion log entries per day and sees over 3,000 security incidents against customers per day. Of those, more than 100 a day call for action to prevent damage to customers’ systems.