
Symantec Opens Its Security Center

See how the antivirus company wards off viruses, worms, and cyberattacks.

Emily Kumler, Medill News Service

Some say that protecting companies and governments from unanticipated cyberattacks is similar to finding a needle in a haystack. But at Symantec's Security Operating Center in Alexandria, Virginia, protecting clients from worms, viruses, and other computer-related threats is more like plucking a specific needle from a mound of needles in a haystack.

"We find an average of 16,000 potential security incidents in any 24-hour period," says Tony Vincent, a lead global security architect for Symantec. "We narrow those down to 3500 that we think are [of concern] to our customer. We find about 30 to 300, depending upon the day, that are very urgent, severe attacks."

The Security Operating Center, or SOC, is the largest of five such facilities operated by Symantec worldwide.

Control Center

From the visitor lounge, a dramatic black curtain sweeps aside to reveal the control room. The SOC's hub, resembling something out of a James Bond film, is a windowless bunker. Large screens monitor incoming phone calls and news of worldwide cyberattacks; a few displays are dedicated solely to CNN. Looking like they might be poised to send a shuttle into space, employees sit in curved rows of workstations, facing their computers and the spacious displays overhead.

Other employees sit in pods reminiscent of Star Trek, round vessels with leather dentist-style chairs and two large computer screens mounted in front of them. Equipped with motors, the pods have the ability to rotate away from sun glare on the monitors--which they would do if there were any windows in the facility. The pods also allow the employees to control the climate with fans and heating options.

The SOC receives 500 million logs and alerts from its customers daily. The data includes anything from the traffic to and from a company's firewall to the number of computers on its network. The information is analyzed for patterns or unusual activity, compared with known threats lurking in the cyberworld, and examined with a specific client's concerns in mind.

"We create a separate database for each customer," Vincent says, adding that the company has more than 70 terabytes of data on its clients.
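The article describes the SOC's work as a funnel: hundreds of millions of logs are parsed, a small fraction become potential incidents, fewer are judged to matter to a given customer, and a handful are escalated as urgent, with each customer's own concerns applied at the middle tier. The following is an added example of that three-tier triage over constructed firewall-style log lines; it is not Symantec's code, and the log format, the `KNOWN_BAD_HOSTS` indicator list and the `CUSTOMER_PROFILES` table are all assumptions made for illustration.

```python
"""Three-tier alert triage (potential -> of concern -> urgent), modelled on the
funnel the article describes. Added example, not Symantec's code; every input
below is constructed."""
import re

# Constructed log lines. Assumed format: timestamp customer action src dst dst_port
SAMPLE_LOGS = """\
2004-06-01T10:00:01 acme ALLOW 10.1.1.5 203.0.113.9 80
2004-06-01T10:00:02 acme DENY 198.51.100.7 10.1.1.5 22
2004-06-01T10:00:03 acme DENY 198.51.100.7 10.1.1.6 22
2004-06-01T10:00:04 acme DENY 198.51.100.7 10.1.1.7 22
2004-06-01T10:00:05 acme ALLOW 10.1.1.9 192.0.2.44 6667
2004-06-01T10:00:06 globex ALLOW 10.2.0.3 192.0.2.44 6667
2004-06-01T10:00:07 globex ALLOW 10.2.0.3 203.0.113.9 443
2004-06-01T10:00:08 acme DENY 198.51.100.20 10.1.1.5 23
"""

# Constructed stand-in for the SOC's "known threats" intelligence.
KNOWN_BAD_HOSTS = {"192.0.2.44"}

# Per-customer concerns (the "separate database for each customer" idea):
# which destination ports each client treats as sensitive.
CUSTOMER_PROFILES = {
    "acme": {"sensitive_ports": {22}},
    "globex": {"sensitive_ports": {443, 6667}},
}

LINE_RE = re.compile(r"^(\S+) (\S+) (ALLOW|DENY) (\S+) (\S+) (\d+)$")


def parse(log_text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, cust, action, src, dst, port = m.groups()
            events.append({"ts": ts, "customer": cust, "action": action,
                           "src": src, "dst": dst, "port": int(port)})
    return events


def triage(events, profiles=CUSTOMER_PROFILES, bad_hosts=KNOWN_BAD_HOSTS,
           scan_threshold=3):
    """Return {customer: {"potential": [...], "concern": [...], "urgent": [...]}}."""
    by_customer = {}
    for e in events:
        by_customer.setdefault(e["customer"], []).append(e)

    report = {}
    for cust, evs in by_customer.items():
        sensitive = profiles.get(cust, {}).get("sensitive_ports", set())
        # Tier 1: anything blocked, or anything touching a known-bad host.
        potential = [e for e in evs
                     if e["action"] == "DENY" or e["dst"] in bad_hosts]
        # Tier 2: narrow tier 1 using this customer's own concerns.
        concern = [e for e in potential
                   if e["port"] in sensitive or e["dst"] in bad_hosts]
        # Tier 3: findings, not raw events.
        urgent = []
        # An internal host successfully reaching a known-bad destination.
        for e in concern:
            if e["action"] == "ALLOW" and e["dst"] in bad_hosts:
                urgent.append({"kind": "beacon", "src": e["src"], "dst": e["dst"]})
        # One source probing a sensitive port on many distinct internal hosts.
        targets = {}
        for e in concern:
            if e["action"] == "DENY" and e["port"] in sensitive:
                targets.setdefault((e["src"], e["port"]), set()).add(e["dst"])
        for (src, port), dsts in targets.items():
            if len(dsts) >= scan_threshold:
                urgent.append({"kind": "scan", "src": src, "port": port,
                               "targets": len(dsts)})
        report[cust] = {"potential": potential, "concern": concern, "urgent": urgent}
    return report


def funnel_counts(report):
    """(potential, concern, urgent) per customer, the numbers an analyst would quote."""
    return {c: (len(r["potential"]), len(r["concern"]), len(r["urgent"]))
            for c, r in report.items()}


if __name__ == "__main__":
    print(funnel_counts(triage(parse(SAMPLE_LOGS))))
```

Run as written, the same probe against port 23 that is merely "potential" for acme would have been "of concern" for a customer whose profile listed port 23; that is the effect of applying per-customer context at the middle tier rather than using one global rule set.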

Vincent tells the story of a high-profile media client who came to Symantec after trying three other security companies. "Three days after we were brought on board, we found that a human hacker had broken in and was using their network to launch attacks on other customers on the Internet," Vincent says. "We saw it within three days, but it had been broken into 18 months earlier."

Vincent emphasizes that such a lurking threat could have led to a lawsuit against the media company or attacks on that company's system.

Only about once a year does a warning escalate to a point that law enforcement is required, Symantec estimates. In those instances, the customer decides how far to take the case.

"Most people don't choose to pursue it legally," Vincent says. "They don't want to look bad in public. We do maintain a chain of evidence, so if they choose to notify law enforcement we can produce court-relevant data," he says.
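Vincent's point about keeping a chain of evidence is, in practice, a matter of recording who handled an artifact, when, and proving afterwards that neither the artifact nor the record was altered. The following is an added illustration of one common way to do that, a hash-chained, append-only custody log; it is not Symantec's code, and the `EvidenceLog` class, its record fields and the `CAPTURED_LOG` artifact are constructed for the example.

```python
"""Tamper-evident evidence custody log. Added example, not Symantec's code;
the record layout and the sample artifact are constructed."""
import hashlib
import json

# Constructed artifact standing in for an exported log excerpt.
CAPTURED_LOG = b"2004-06-01T10:00:05 acme ALLOW 10.1.1.9 192.0.2.44 6667\n"

GENESIS = "0" * 64  # "previous hash" of the very first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(body: dict) -> str:
    # Canonical JSON (sorted keys) so the same record always hashes the same way.
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


class EvidenceLog:
    """Append-only log in which every entry commits to the entry before it."""

    def __init__(self):
        self.entries = []

    def record(self, artifact: bytes, handler: str, note: str, when: str) -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "artifact_sha256": sha256_hex(artifact),
                "handler": handler, "note": note, "when": when, "prev": prev}
        body["entry_hash"] = entry_digest(body)
        self.entries.append(body)
        return body["entry_hash"]

    def verify(self) -> bool:
        """True only if every entry's hash and back-link are intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or body["prev"] != prev:
                return False
            if entry_digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def artifact_matches(log: EvidenceLog, seq: int, artifact: bytes) -> bool:
    """Does the artifact presented now match what was recorded at step seq?"""
    return log.entries[seq]["artifact_sha256"] == sha256_hex(artifact)


def build_demo_log() -> EvidenceLog:
    """Two constructed custody steps for the sample artifact."""
    log = EvidenceLog()
    log.record(CAPTURED_LOG, "analyst-1", "exported firewall log excerpt",
               "2004-06-01T11:00:00Z")
    log.record(CAPTURED_LOG, "analyst-2", "copied to evidence share",
               "2004-06-01T12:30:00Z")
    return log


if __name__ == "__main__":
    demo = build_demo_log()
    print("chain intact:", demo.verify())
    print("head hash:", demo.entries[-1]["entry_hash"])
```

Editing any field of an earlier entry breaks its digest and every later back-link. What the chain alone cannot detect is truncation, dropping the newest entries, so the head hash is normally also recorded somewhere the log's custodian cannot rewrite (a signed ticket, a separate system) and compared against the log when it is produced.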

Worldwide Reach

With five similar operating centers around the world, Symantec's teams work together, sharing information or advice.

Timothy Hillyard, a manager of analysis at the SOC, says he often posts notes to other operating centers with either a heads-up on something he's found or questions he has.

"Our communication is truly global," Hillyard says. "We found and exported a tool made by a German hacker, and an analyst in Germany translated it and sent it back."

Swift response time is crucial to the success of the SOC. Symantec at large develops security software for millions of users. When those users run into a problem, they are asked whether they want to notify the company, as part of a normal security update. That information is quickly sent to the SOC, where the analysts can examine the problem and determine whether it really represents a new cybersecurity threat.

The analysts have the luxury of 28 software developers located in the same facility. Any time the analysts run into a problem, they can contact the developers and work on a solution together.

All the computers in the SOC are identical. Since the machines are exact images of each other, the core infrastructure can be rebuilt in a matter of minutes.

Vincent says that if a machine is acting unusually in any way, the staff simply take it down and rebuild it from the image. The precise duplication of machines also keeps SOC employees from wasting time: if one machine is down, a person can simply move to an identical computer elsewhere in the SOC.

In an increasingly vulnerable cyberworld, the SOC claims to have had zero security infractions.
