Bulletproofing Applications with Symantec DCS Policies

The Challenge

Many insecure or difficult to secure systems may contain and utilize highly-sensitive and/or valuable applications, processes and data. This information is hosted on platforms which are otherwise disposable or cost-inefficient for applying comprehensive security measures. A need exists in these cases to bring focused, targeted, high-grade security controls to the sensitive areas of interest while minimizing overall overhead and system-wide impact.

 

The Solution

Symantec DCS Targeted Prevention Policies are one of the most under-used and under-represented strategies that Symantec Data Center Security administrators have at their disposal. These policies offer the ability to selectively define and protect individual elements of an environment without applying security controls to the whole system.  These policies offer some unique and potentially valuable and low cost solutions to some of the security and compliance issues that administrators face today and can often be employed very rapidly with a minimal potential for disruption.

A DCS targeted policy works by defining a set of resources to be protected and by applying a protection strategy to only those defined.  These resources are, at minimum, the running processes which make up the application space to be protected. However, these resources may also include log, data and configuration files and registry keys associated with the application as well.

Once the protected application has been defined, the policy will apply the protections specified to that application and to the resource spaces identified and associated with it. This will ensures that those resources are sandboxed away from the remainder of the operating system environment and are fully protected against unwanted or unauthorized modifications while still leaving the broader environment essentially “out of bounds” for the security restrictions being applied.

This has the effect of creating a well-defined and highly secure “safe space” within the environment which can be deployed with much less effort than is normally associated with a system-wide baseline prevention policy.  The net result is that it enables the administrator to define a highly secure zone within a less-secure platform, potentially allowing much easier and more flexible support of sensitive or regulated activities where they are taking place without the additional burden required to deploy a more demanding policy in response.

NorthStar can offer valuable guidance on determining when and how to employ this capability as part of a strategy that best suits the needs of your organization.

Symantec DCS Targeted Policies

 

The Impact

Leveraging either DCS:SA or SES:CSP requires installation of the Agent on your protected asset with the availability of a management server and database for initial agent configuration file and policy baselining for unmanaged agents.  When utilizing fully managed agents, the option of enhanced reporting services (such as NorthStar’s SOLVE solution) may and often are also implanted to enable more tailored visibility onto the environment.

In each case, the Agent is a small footprint of 100MB free space and 256MB of RAM to install and run. DCS:SA is available for current releases of AIX, Red Hat, Ubuntu, SUSE, Debian, Oracle Linux, and Windows releases from NT 4.0sp6a through to current releases of Windows 10 and Windows Server 2016. Additionally, Windows embedded platforms ranging from XP Embedded through to Windows 10 IOT are also supported with the latest releases of SES:CSP.  The unified management server ideally will support a minimum of 8GB of RAM, 4 CPU threads and 60GB of free disk space, and will have access to a Microsoft SQL database instance to host the management and reporting database.

Once installed and profiled, the agent will be protected by the configured security policy, and will typically require minimal (if any) adjustments to the finalized policy as long as the underlying system software configuration or behavior does not change.  Once the policy is configured to work with your systems, the security delivered by that policy will remain consistent for the remainder of the life of the protected asset, barring introduction of new functions, applications or configurations.

 

For questions about how NorthStar can help with your Symantec DCS environment, please review the Symantec DCS Experts link, or contact us via your favorite form of communication:

Email: connect@northstar.io  |   Phone: 312-421-3270