'Doomsday nerds' defend cyberspace

Going underground: a visit to Symantec's operation centre

All across the world

The facility - one of four run by Symantec around the world (the others are in Australia, Japan and Alexandria near Washington DC, USA) that provide a 24x7 service to clients - is at the front line of an ongoing war in cyberspace.

The main room in the bunker is the workplace at any one time of six security analysts (or Watchers as Symantec calls them), each of whom works a 12-hour shift, each in front of two screens, who sit in rows akin to scientists watching a space mission launch.

On a facing wall are three large screen monitors: one features a giant map of the world, which lights up intermittently and displays information on net attacks; another features a chart of security reports and the third supplies a news feed from the BBC. A smaller screen shows a CCTV image of the bunker's car park.

The analysts are experts in making sense of data from intrusion detection sensors and firewall logs to detect the tell-tale patterns that accompany internet attacks, either from malicious code or a directed attack. The idea is that firms can use the service to monitor its most sensitive IT assets and get early warning of possible problems before things get out of hand. Symantec's staff also look out for internal attacks or misuse of company systems to download illicit material.

The facility is staffed around the clock by three shifts. As well as the analysts there are security engineers, security device specialists, and support staff bringing a shift complement up to between 12 and 16. Contrary to the conspiracy theories there was no room harbouring virus writers. We checked just to make sure.

Economies of scale

Symantec's experts can either offer advice (for monitoring service clients) or take remedial actions themselves if client elects to outsource more security and network management functions. Firms trying to do this all by themselves would have problems interpreting a deluge of security alert data generated by networked devices. Managed-security firms such as Symantec also have the advantage of a global view that lets them detect patterns and correlate attacks to avoid false positives.

Symantec's software collates data from multiple sources - the European centre looks after 5,000 monitoring devices from an unspecified number of clients - and presents it to analysts. Matching assaults against prior attacks help to pick out suspicious traffic and alert patterns most worthy of closer examination, perhaps 300 events a day on a typical day. This work is separate from the job of virus analysis and dismantling hostile code that takes place, for example, in Symantec's Dublin anti-virus research centre.

Two years ago computer worms such as Nimda and Blaster were the number one security menace but "worms have dropped off the radar" to be replaced by more targeted attacks, driven by some profit motive, Symantec's Beighton says. Cyberspace can be a dangerous place, whichever way you slice it. The global arms race between crackers, fraudsters, spammers and virus writers on network defenders shows no sign of cooling off. So it looks like Symantec's staffers have the closest thing to a job for life that the IT industry provides. ®

Related stories

VeriSign focuses on managed security services
Corporates tackle security in-house
IT security to go offshore. Maybe
Britain tops zombie PC charts
In the event of nuclear attack, your data is safe

Other stories you might like

Biting the hand that feeds IT © 1998–2022