Symantec Critical System Protection is host-based intrusion detection and prevention software that protects against zero-day attacks, hardens systems, and helps maintain compliance by enforcing behaviour-based security policies on clients and servers. A centralised management console lets administrators configure, deploy and maintain security policies, manage users and roles, view alerts, and run reports across heterogeneous operating systems.
As the name suggests, Symantec Critical System Protection is designed to protect and control the actions that can be performed on your critical systems. These range from preventing the modification or deletion of critical files to controlling access to, for instance, a Microsoft Management Console, even when the user is a local administrator.
An ounce of prevention is worth a pound of cure: this old proverb still rings true for today's information and systems security best practices. A proactive rather than reactive security posture is the best strategy for reducing costs. With Symantec Critical System Protection, for example, you can deny an executable the ability to launch, along with a huge array of other preventive controls; the benefits are numerous and typically include:
Denying a virus, spyware, trojan or other malicious application any opportunity to propagate or deliver its payload. You may be the unlucky individual who first receives new malware that antivirus vendors have not yet seen or worked into their signature libraries. In that case traditional AV scanning will miss the threat (a zero-day threat); allowing only known and trusted applications to launch blocks everything else, including such a threat, without needing a signature for it.
Configuration control is the term for the formal handling of system changes: the long-proven idea that any change to a production system should be reviewed, tested and at all times known to the people who have to support that system. Application control can help enforce such policies, keep the standardised build sacrosanct, and contribute:
Reduced support costs from firefighting problems caused by unfamiliar applications.
Control of software licensing and usage rights.
Enforcement of acceptable-use and staff productivity policies.
Segregation of duties and a reduced scope for administrator privilege abuse.
Protecting VMware® environments without impacting performance:
Analyse virtual system configurations to identify vulnerabilities
Detect changes to files on virtualised, compliance-controlled assets
Identify malicious attacks on Windows and non-Windows guests, ESX/ESXi hypervisors and vCenter without using signatures
Limit the behaviour of VM workloads and the use of removable media
Harden virtualised systems against zero-day, known and unknown threats
Protect against web-based threats by restricting port access and network communications
Restrict the behaviour of supported guest operating systems
Reduce the spread of malware by hardening VMware vCenter
Protect all four layers: the hosts (VM guests), the base platform (hypervisor), the manager (vCenter) and the hardware (attached media).
Out of the box, CSP automatically applies 13 of VMware's own security hardening recommendations, which would otherwise each have to be worked through separately and require ongoing maintenance to preserve.
The enhanced Process Access Control feature stops code-injection exploits across all of the virtualised layers, including any cross-contamination between layers.
Controls virtualised admin privilege abuse; for example, the administrator of the vSphere server is separated from the administrator of the vSphere application.
Monitors the VMware host configuration, which comprises some 22 files associated with the vCLI, thus preventing attacks on or abuse of this crucial and often overlooked virtualisation component.
Provides FIM (file integrity monitoring) for both host and hypervisor: a) meets the relevant PCI DSS requirement for virtualised payment card systems; b) ensures best-practice security doctrines for change control and configuration-drift detection are met.
We recommend Critical System Protection (CSP) because it provides a strong, robust and fully flexible security layer for any high-risk or high-value system. CSP hardens the platform so that the threat is prevented from executing at all; prevention rather than detection is the better strategy for key systems that require complete defence with the lowest performance footprint. SCSP can be deployed just as easily to control admin privileges on a system as to provide powerful malware protection. It is worth noting that it supports a wide range of platforms, including legacy systems on which virus scanning is not supported. SCSP can mitigate just about every type of host security threat and is incredibly powerful: it provides and extends a level of security that Windows, Linux and the like can only hope to attain on their own. The examples on this page should help you understand its power.
Features & Benefits
Host intrusion prevention system that shields operating systems, applications, and services by defining acceptable behaviour and safe actions for each function.
Offers protection from misuse by unauthorised users and applications through system and device controls that lock down configuration settings, file systems, and the use of removable media.
Provides monitoring, notification, and auditing features that help ensure host integrity and system and regulatory compliance.
Enables cross-platform server auditing and compliance enforcement with a graphical reporting engine featuring multiple queries and graphic formats to visually highlight data.
Secure virtual servers and demonstrate compliance
Stop internal and external attacks
Gain real-time visibility of your current risk profile
Provide patch mitigation on new and legacy operating systems
Some Examples of usage
SCSP is a very powerful host security solution that we recommend for any high value or high risk system. Below are just a few usage scenarios where we have seen SCSP successfully deployed:
Web page defacement: SCSP is configured to continually monitor web site pages and compare them against approved copies to detect defacement. This has been used by high-profile companies that wish to protect their brand and online e-commerce platforms.
PCI compliance: deployed by organisations that want to address the FIM (file integrity monitoring) requirements of the PCI DSS (Payment Card Industry Data Security Standard).
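The defacement and PCI scenarios above both rest on the same mechanism: a baseline of approved file content, and a comparison of the live files against it. The following Python script is an added illustration of that baseline-and-compare logic; it is not SCSP code or policy, and the web root, file names and "defacement" it works on are constructed inside the script for the demonstration. It also shows a caveat a practitioner would want: a timestamp-only change (same content, new modification time) does not alter the hash and so is not reported, which is why hashing content rather than trusting timestamps is the right basis for FIM.

```python
"""Illustrative baseline-and-compare file integrity monitor (not SCSP code)."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map every file under root (path relative to root) to its content hash."""
    baseline: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def compare(approved: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify differences between the approved baseline and the current state."""
    return {
        "modified": sorted(p for p in approved if p in current and approved[p] != current[p]),
        "added": sorted(p for p in current if p not in approved),
        "deleted": sorted(p for p in approved if p not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Build a small constructed web root, 'deface' it, and report what changed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "css").mkdir()
        (root / "index.html").write_text("<h1>Welcome</h1>\n")
        (root / "css" / "site.css").write_text("body { margin: 0; }\n")
        (root / "robots.txt").write_text("User-agent: *\nDisallow: /admin/\n")
        approved = build_baseline(root)  # the approved copy of the site

        # Constructed defacement: page rewritten, web shell dropped, a file removed.
        (root / "index.html").write_text("<h1>Defaced</h1>\n")
        (root / "shell.php").write_text("<?php system($_GET['cmd']); ?>\n")
        (root / "robots.txt").unlink()
        # Timestamp-only change: content identical, so it must NOT be reported.
        os.utime(root / "css" / "site.css", (0, 0))

        return compare(approved, build_baseline(root))


if __name__ == "__main__":
    for change, paths in demo().items():
        print(f"{change}: {paths}")
```

Two design points carry over to a real deployment: the baseline itself must be stored where the monitored host cannot rewrite it (otherwise an attacker who defaces the page can re-baseline it), and detection of this kind is the fallback; SCSP's prevention policies stop the write to the web root in the first place, which is the stronger control.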
Staff information abuse: by creating so-called 'bait' folders (HR, key customer, R&D plans or whatever is relevant to your organisation) and configuring SCSP to watch those folders and locations, you get real-time alerting and log event collection whenever staff misuse their rights to access them.
Admin account control: where it is desirable to separate administrator privileges from data access, we recommend SCSP to define separate roles; for instance the sysadmin continues with their tasks of maintaining and configuring the system as normal, but their rights to access files and folders on the system are removed and enforced with SCSP. This is very relevant to organisations that use contractors or third parties to maintain their systems but do not want them to have access to the data.
Hack detection: similar to the staff information abuse scenario above, except that here the real 'Administrator' account is renamed to something less obvious and a new decoy account with no rights and no usable credentials is created in its place. SCSP is configured to watch the decoy account and alert whenever access to it is attempted. Only those who are unaware of the change, and hence not authorised, will try to log on to it, so every alert is a genuine signal: with SCSP alerting in real time and recording the events, you have a host intrusion detection trigger with no legitimate cause and therefore no false positives. Although any account can be used as a decoy in this way, the Administrator account is the one typically targeted by attackers and hence gives the earliest sign of an attack.
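The bait-folder and decoy-account scenarios above share one detection rule: a resource that no authorised person should ever touch, so any access is an alert. The Python below is an added illustration of that rule run over audit events; it is not SCSP code, and its watched folders, decoy account name, exempt backup account and sample log lines are all constructed here for the demonstration. It covers the two edge cases a practitioner would want handled: a legitimate service account (the backup agent) that must be allowed to read the bait share without alerting, and the renamed real admin account, whose logons are normal and must not alert, while any logon attempt against the decoy, successful or failed and in any letter case, does.

```python
"""Illustrative alerting over audit events for bait folders and a decoy admin account (not SCSP code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed policy for this illustration; these names are not SCSP defaults.
BAIT_FOLDERS = ("/srv/share/hr/", "/srv/share/rnd-plans/")  # compared case-insensitively
DECOY_ACCOUNTS = {"administrator"}  # the decoy left in place of the renamed real admin
EXEMPT_USERS = {"svc_backup"}       # the backup agent legitimately reads every share

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Alert:
    timestamp: str
    kind: str
    user: str
    detail: str


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'timestamp key=value ...' audit line; values may be double-quoted."""
    timestamp, _, rest = line.strip().partition(" ")
    event = {key: value.strip('"') for key, value in FIELD.findall(rest)}
    event["timestamp"] = timestamp
    return event


def evaluate(event: Dict[str, str]) -> Optional[Alert]:
    """Return an Alert if the event touches a bait folder or the decoy account."""
    user = event.get("user", "").lower()
    if event.get("event") == "file_open":
        path = event.get("path", "")
        if path.lower().startswith(BAIT_FOLDERS) and user not in EXEMPT_USERS:
            return Alert(event["timestamp"], "bait_folder_access", user, path)
    elif event.get("event") == "logon":
        # Nobody is authorised to use the decoy, so success and failure alike are alerts.
        if user in DECOY_ACCOUNTS:
            detail = f"src={event.get('src', '?')} result={event.get('result', '?')}"
            return Alert(event["timestamp"], "decoy_account_logon", user, detail)
    return None


def scan(lines: List[str]) -> List[Alert]:
    """Run every non-empty line through the rules and collect the alerts in order."""
    alerts: List[Alert] = []
    for line in lines:
        if not line.strip():
            continue
        alert = evaluate(parse_event(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample audit lines for the demonstration.
SAMPLE_LOG = [
    '2024-05-01T09:12:03Z host=fs01 event=file_open user=jsmith path="/srv/share/Projects/q3 plan.docx" result=success',
    '2024-05-01T09:13:10Z host=fs01 event=file_open user=svc_backup path=/srv/share/HR/payroll.xlsx result=success',
    '2024-05-01T09:15:44Z host=fs01 event=file_open user=tjones path=/srv/share/HR/payroll.xlsx result=success',
    '2024-05-01T09:20:01Z host=fs01 event=logon user=ops-breakglass src=10.0.0.12 result=success',
    '2024-05-01T22:41:09Z host=fs01 event=logon user=Administrator src=10.0.0.55 result=failure',
    '2024-05-01T22:41:15Z host=fs01 event=logon user=ADMINISTRATOR src=10.0.0.55 result=success',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

On a Windows host the equivalent raw telemetry is the Security log (event 4624 for a successful logon, 4625 for a failed one, with the target account name in the event), and on Linux the auditd or PAM logs; the value of a product such as SCSP is that the watch on the folder or account is expressed once in policy and the agent does this matching on the host in real time.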