Before an attack. An early warning service delivers notification of vulnerabilities and exploits as they are identified, providing information to help users mitigate a vulnerability before it is exploited. The system's analysts monitor potential threats across thousands of products and draw upon information from a plethora of authoritative sources. Analysts provide information not only about the vulnerability, but also about best-practices countermeasures to keep systems protected. A detailed analysis should be provided in each alert and update, describing its severity and potential impact, technical makeup, the systems that might be affected, available patches or workarounds, and comprehensive mitigation strategies.

During an attack. An early warning system also provides warning of attacks that are under way. With personalized notification triggers and expert analysis, the system enables enterprises to prioritise IT resources in order to better protect critical information assets against attack. Using statistically reliable attack information, an early warning system must deliver automated, prioritised notifications. Patches, countermeasures, workarounds, and additional references are also provided.

The bottom line: an early warning system is vital in light of today's increasingly sophisticated threats, which demand superior response capabilities.

Getting the word out on Blaster and Slammer


Recent events underscore the value of early warning systems' response to cyber attacks. For example, it was an early warning system that alerted customers in July to the RPC DCOM Windows vulnerability and the patch from Microsoft. By continuing to monitor global attack activity, early warning systems were able to issue additional alerts as activity levels rose. (For example, an intrusion-detection signature that protected against this kind of attack was released.) The vulnerability eventually resulted in the Blaster worm, which began spreading in earnest on August 11. In between the vulnerability announcement and the worm, the threat increased daily as the new tools to exploit the vulnerability were publicly disclosed, as we saw above.

In January, it was an early warning system that first picked up the fast-moving Slammer worm, which doubled its infection rate every 8.5 seconds in its early stages and wreaked an estimated $1 billion in lost productivity. Automatic analysis of sensor-generated data identified Slammer as a global threat. Customers were notified of the threat and were advised to block traffic on the targeted port. Additional alerts were issued when further analysis pinpointed the threat as a worm, when the vulnerability that Slammer targeted was identified, and when patches that eliminated the vulnerability were available.

A federal case