Symantec Corp.'s DeepSight Threat Management System has added anti-virus data to its mix, bringing the product up to par with competitors. IT managers at large corporations that traditionally mine application and operating system vendor sites for known vulnerabilities should consider adding DTMS 5.0 to their security assessment tools.

DTMS 5.0, which is an early-warning vulnerability and malicious code monitoring system, is based on data gathered from more than 20,000 sensors scattered throughout the world. The product was released in September at a base price of $15,000. Costs rise depending on the number of users, and Symantec has also released an optional $9,995 custom reports module that let us ably slice and dice vulnerability data in tests.

The biggest weakness we saw in the product is that it required us to manually select the technologies in our network. We want to see DTMS integrate with any number of inventory systems currently on the market to automate configuration. DTMS should also be integrated with any number of vulnerability assessment tools.

To be clear, though, DTMS is an early-warning system, and, as such, it attempts to recognize potential threats for which no attack signature or published exploit yet exists. Because vulnerability scanners rely on known signatures and configuration profiles, DTMS is a nice complement to vulnerability assessment tools that may be in use.

For comparison, we recommend IT managers look at Internet Security Systems Inc.'s X-Force Threat Analysis Service. Although we think the X-Force service's forecasting features aren't very useful, the service has had anti-virus information for some time. In addition, ISS is a stickler for detail, and the expert analysis it provides is top-notch.

Sign In, Please

In some respects, it couldn't be easier to set up DTMS. All we had to do was point our browser at the product URL and sign in with account credentials. However, large organizations should factor in plenty of time to set up the system to monitor for vulnerabilities and malicious code because each operating system and application must be hand-entered into what DTMS calls a technology list.

The list is is populated with pick lists, which made it relatively easy for us to define the product and version that we wanted the system to track.

After setting up our technology lists and our urgency (as ranked by Symantec) and reliability (ranging from conflicting reports to confirmed by vendor), operating the product was easy. However, keeping the system up-to-date as applications and operating systems change is likely to be difficult.

DTMS 5.0 augments threat and vulnerability assessment rankings by adding anti-virus information, so IT managers should be able to spot threats more accurately than when using the previous version of the service. A statistical engine works over the data using information from field sensors. DTMS issues an alert if more than one sensor starts to read more than three times the standard deviation of its base line.