Symantec's Web Security Monitoring service, the newest addition to its managed security services portfolio, aggregates and analyzes corporate Web traffic data to detect and report on threats across the enterprise, from application attacks aimed at stealing sensitive data to malware downloads that recruit corporate PCs into botnets. The service aggregates and correlates log data from enterprise Web devices--proxies, Web security gateways (and/or a hosted Web security service) and Web application firewalls--in a SIM-like approach and notifies security personnel as soon as information about policy violations or compromises is available. The service monitors both inbound and outbound Web traffic.
"You have all that information [from Web devices], but these products and services are addressing very specific types of threats," says Khalid Kark, principal analyst at Forrester Research. "Nothing is correlating that information and checking it against a database to see how this all comes together."
The new service can augment an enterprise's existing Web security layer, and aid in early detection for companies that lack a Web security infrastructure. Grant Geyer, vice president of Symantec's Global Managed Security Services, says many enterprises lack Web security gateways and/or don't have access to a list of malicious or compromised Web sites. The service compares every browser request against Symantec's extensive database of known, bad URLs. This can help administrators stop employees from reaching dangerous sites and spot bot-infected computers as they attempt to phone home.
Symantec says the early detection--when the user first hits a bad site--will help defeat detection-evasion methods, such as fast-flux, in which the user could be directed to one of thousands of payload or command-and-control IP addresses. "By detecting earlier the in breach cycle when the initial attempt is occurring, we can help enterprises find gaps in their controls--if the browser is vulnerable, the vulnerable aspects of their security architecture--as well as infected systems," says Geyer.
The service supports third-party Web proxies and security gateways in addition to Symantec's Web Gateway, as well as its Hosted Web Security service. The hosted service is primarily designed for smaller companies, but enterprises often deploy Web security gateways at large, central offices and use the service for remote employees who can be protected even when not connected to the corporate network, as well as for branch locations, rather than back-hauling traffic to headquarters. Web Security Monitoring is subscription-based, with per-device pricing that varies based on traffic throughput. There is no additional charge for processing information collected by the Hosted Web Security service.