Posted: 6 Min ReadProduct Insights

It’s Now Easier to Acquire and Deploy Symantec’s Security Analytics

Having full visibility is essential for threat hunters and incident responders

In my role at Symantec, a division of Broadcom (NASDAQ: AVGO), I have the privilege of working across the broad Symantec product portfolio. But I can honestly say that one of my favourites is Security Analytics.

One of the lessons I’ve learned after many years in this industry is with enough time and desire, it’s inevitable that cyber-attackers will find a way around all defences. When novel attacks against organizations with high-value digital assets are successful, it’s essential that those organizations be able to understand the scope of the attack, what specific information (if any) was lost, and how the attack took place—so future attacks can be prevented. A forensic record of network activities and tools for analyzing that vast quantity of data are necessary tools to accomplish that mission.

When novel attacks against organizations with high-value digital assets are successful, it’s essential that those organizations be able to understand the scope of the attack, what specific information (if any) was lost, and how the attack took place—so future attacks can be prevented.

As my friend Bryan Cardoza told us earlier this year, Symantec Security Analytics is a leading solution for assessing the impact of cyber attacks. Security Analytics can capture, analyze, and selectively retain all of the network traffic entering or leaving your network—both on-premise networks and cloud-hosted workloads. But it also provides the analytics and data analysis tools that SoC staff, threat hunters and incident responders need to identify and respond to novel attacks. I recommend reading Bryan’s blog post for a few product highlights.

I recently had a chance to chat with Bryan, who leads R&D and product management for Security Analytics, about the recently-delivered improvements to Security Analytics hardware and licensing.

* * *

Symantec™ Security Analytics

Karl Vogel: Recently, Symantec introduced a new hardware platform for our industry-leading Secure Web Gateway solution. I understand Security Analytics also introduced new hardware. Is it using the same platform?

Bryan Cardoza: The Secure Web Gateway’s new S410 platform is really exciting and we looked at it very closely for Security Analytics. It had the exact capabilities we were looking for. In the end, however, Security Analytics users have slightly different requirements, and that led us in a different direction.

KV: What sort of requirements?

BC: The short answer is lights-out management. Most Security Analytics systems have a lot of spinning disks in or attached to them in order to maintain a forensic record of network traffic. And one of the realities of a lot of spinning disks is that over time, some of them will fail. We do have several layers of resilience built into Security Analytics systems, but keeping those systems running with a full safety net in place means that system operators need to be able to get in and perform maintenance. Often, those systems are at remote locations, and the on-site staff don’t have the necessary clearance or expertise to do much more than physical drive swaps. That’s why remote, lights-out management capabilities are so important. The new Security Analytics hardware will give system operators the ability to have a remote virtual console, remote media mounting, and hardware telemetry to keep the systems running their best.

KV: Brilliant. Is there more we can expect beyond lights-out management?

BC: I think the first thing people will notice is the increased density compared to our current offering. Given the same capture rate, analysis, and retention requirements, deployments based on physical appliances will typically take about one half the rack units. But the other thing customers will notice is a lower initial price point; our new enterprise licensing for Security Analytics will lower the first-year cost by about 40%—and the longer the retention period, the better the first-year savings.

KV: Up-front costs are important to my customers, so I’m glad to hear that. I’ve got some questions about enterprise licensing, but first tell me how you’re delivering the higher density.

BC: As we put together our new hardware offering, we wanted to address lights-out management, take advantage of the latest chipsets, and simplify deployment. A key part of simplifying deployment was to address how we connect storage to our physical appliances. In the past, we either had JBOD storage attached to RAID cards with battery backup modules, or we had storage arrays with on-board RAID functionality attached via Fibre Channel, which often required a switch. We picked the best parts of each storage solution, and are moving to RAID storage arrays connected via SAS3. This gives us better performance in a smaller package with much simpler cabling. That, coupled with higher drive densities, yields the higher density. We have two storage modules for Security Analytics - a 2U model with 144TB of raw storage and a 5U model with 840TB of raw storage. Customers can expect roughly 700TB of usable capture storage from this higher model. More than twice the storage in half the size.

KV: Simpler deployment; I like that. Now, [back to] enterprise licensing. That’s another new offering with the secure web gateway. Will Security Analytics be the same?

BC: The metrics used for Security Analytics are a little different, but it’s a similar concept. With Security Analytics, our subscriptions will be based on the average amount of network traffic analysed per day, measured in 10 terabyte increments, and averaged over a ten day period. We’re focusing on the actual workload over time, not peak capacities.

As we put together our new hardware offering, we wanted to address lights-out management, take advantage of the latest chipsets, and simplify deployment. 

KV: What about storage? It seems like in the past, Security Analytics licensing was very focused on storage.

BC: That’s true. The prior Security Analytics appliances included a per-instance license as well as bundled storage expansion licenses. Those server instance and storage licenses could also be purchased separately for virtual deployments on premises or in the cloud. That could be very costly for customers with longer data retention requirements, and it’s not representative of the value of Security Analytics. The value of Security Analytics is manifest in the amount of data analysed, so we made the licensing model match that.

KV: Aside from a potential cost savings, are there other benefits to enterprise licensing?

BC: There are quite a few additional benefits. It might be easier for me to list them out:

  1. Customers have deployment flexibility. The new licensing allows you to transition from Security Analytics deployed on hardware to your virtual infrastructure or in your own public cloud if you use Oracle, AWS, Azure or Google Cloud - all with the same license
  2. The new solution delivers Improved scalability. You can easily spread the solution throughout your organization within the same license – resize, aggregate or split instances.
  3. Intelligence Services subscription is now included with the license. The Enterprise License now includes access to Symantec’s Intelligence Services for real time threat intelligence – previously, this was a separate purchase.
  4. The separation of hardware and software provide better support for disaster recovery and high-availability plans. The Enterprise License is based on usage. There is no need to pay for licenses that just stay idle or purchase unused capacity in advance.
  5. Finally, customers may also achieve additional cost savings. The model separates CapEx (capital expense) and OpEx (operational expense). This may provide tax benefits as the hardware can be reported as a capital expense, and the software component (subscription) can be reported as an operational expense.

KV: Overall, it sounds like the new enterprise licensing makes it a lot easier to get into Security Analytics. Do you expect this will translate into broader adoption?

BC: Perhaps in some cases, but it’s important to remember that Security Analytics is designed specifically for those customers who have full-time advanced cyber security investigation teams. That said, the new licensing model does fit very well with outsourced security operations, so broader adoption via service providers is a distinct possibility.

KV: Any other parting thoughts for customers looking to tune up their Security Analytics deployments?

BC: Now is a great time to upgrade your Security Analytics hardware. We’ve got a lot of exciting developments in Security Analytics software coming over the next year or so, and some of those capabilities are designed with the new hardware in mind. With more and more threats making use of encrypted channels, having full visibility is essential for threat hunters and incident responders. Consider investigating our SSL Visibility Appliance as a strong solution to provide decryption of traffic, using policies to ensure you’re still protecting your user’s privacy, and not violating compliance regulations.

Symantec Enterprise Blogs

Symantec Security Analytics: Full Network Visibility for Swift Incident Response

Learn about the new developments in Symantec Security Analytics that deliver comprehensive Network Traffic Analysis and Forensics for swift incident response with Bryan Cardoza and Alan Hall.

Register Now for Webinar

About the Author

Karl Vogel

Worldwide Solutions Architect, Symantec

Karl is Symantec’s World Wide Security Specialist for Network Forensics and Sandboxing. He shares best practices and knowledge, derived from his 20+ years of technical, consulting and leadership roles focused on securing some of the largest organizations.

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.