SOCing it to malicious hackers

Brian Dunphy probably hasn’t seen every computer security mistake under the sun, but those he remembers are doozies.

Dunphy is senior manager of analysis operations at Symantec Corp.’s Managed Security Services (MSS) group, which monitors firewalls and intrusion detection systems (IDS) for enterprise clients.

Dunphy’s role affords insight into security snafus, like the client that insisted its outbound credit card data traffic to a partner was encrypted, secure and locked down. It wasn’t. The company was duly surprised to learn about the vulnerability, which MSS discovered during routine protection checks.

Or the Fortune 500 client that was incredulous when MSS said one of the company’s computers was infected with a worm. The client didn’t believe it, arguing that the IP address supposedly attached to the device had nothing to do with them.

But MSS knew full well the address belonged to this firm. “You could tell they just discovered a new part of their network,” Dunphy said.

These are the sorts of anecdotes heard at Symantec’s Alexandria, Va. security operations center (SOC), where MSS works. Symantec invited IT World Canada to tour the SOC and learn a thing or two about security, information that could help the enterprise stay safe when computer intruders come calling.

Among the things he’s learned here, Dunphy noted a trend: chief information officers and chief security officers view patch management differently. Whereas CSOs see patching as integral to network security, CIOs see it as a network breaker: as untested software destined to test the infrastructure.

“Being able to effectively prioritize is critical” to getting head-butting execs to see eye to eye, Dunphy said. He advocated a ranking system. The enterprise should create a policy dictating what kinds of attacks are most important and, most critical, which systems need patching immediately.

Stick to the policy, Dunphy said. “Too many times I’ve seen policy set and not followed through.” Maintaining audits might help, he suggested, as well as implementing strict security configuration rules for desktop PCs and laptops.

It’s also important to know where systems reside, unlike the unbelieving customer described above. “We have seen clients get it right,” Dunphy said, pointing out that the unfortunate Fortune 500 firm is an anomaly.

What of the SOC? It’s in a secure building. Hand scanners verify access rights to the analysts’ area, where security experts monitor client networks. Like NASA launch control, this space sets up workstations in curved rows facing one large wall of video displays showing “situational” data, such as the number of queries coming in from MSS customers, and the speed at which firewall and IDS logs are picked up from client-side devices.

One screen displays a spinning globe. Above certain countries, numbers represent rankings in the hacker hierarchy. For instance, today Canada is in second place with 4,570 IP addresses that seem to be on the attack.

From their workstations, some of which look like futuristic dentist’s chairs, analysts monitor network activity. They have dual-screen Dell workstations and Cisco IP phones, although the phones aren’t permanent. Dunphy said the SOC is phasing them out, not because they don’t work well, but because Symantec uses another phone system and has telephony experts trained therein. The Ciscos were included when Symantec bought the building.

“There was some resistance” to the move away from the modern Cisco devices, Dunphy said, pointing to a yellowed plastic brick that is the replacement. “I’m not convinced the Ciscos couldn’t do it. I’m less convinced we could do it on the Cisco phones.”

Tim Hillyard, one of the analysts, explained how he can see where attacks are coming from and which clients are affected. He has a hot list of IP addresses, a rundown of Internet co-ordinates associated with attacks. He can extrapolate likely outcomes. “A really good attacker would probably scan on Monday, and then we’d see buffer overflow a week later,” he said.
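The scan-then-exploit pattern Hillyard describes is the kind of thing a SOC can turn into a correlation rule: flag a source that probed a client’s network and later fires an exploit signature against the same client within a set window, and feed the source into the hot list. The block below is an added illustration, not code from the article or from Symantec’s MSS; the pipe-separated alert format, the client and signature names, the IP addresses and the seven-day window are all constructed assumptions.

```python
"""Correlate reconnaissance alerts with later exploit attempts (added example).

Assumptions (not from the article): alerts arrive as
"timestamp|client|src_ip|dst_ip|signature" lines, PORTSCAN marks recon,
BUFFER_OVERFLOW_ATTEMPT marks an exploit attempt, and the window is 7 days.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts: one source scans client "acme" and comes back
# a week later with an overflow attempt; another scans "globex" and only
# returns six weeks later; a third attempts an exploit with no prior scan.
SAMPLE_ALERTS = """\
2003-06-02T09:14:03|acme|203.0.113.7|198.51.100.21|PORTSCAN
2003-06-02T09:15:40|acme|203.0.113.7|198.51.100.22|PORTSCAN
2003-06-04T11:02:11|globex|192.0.2.44|198.51.100.80|PORTSCAN
2003-06-09T02:41:55|acme|203.0.113.7|198.51.100.21|BUFFER_OVERFLOW_ATTEMPT
2003-06-10T13:00:00|globex|198.51.100.5|198.51.100.80|BUFFER_OVERFLOW_ATTEMPT
2003-07-20T08:00:00|globex|192.0.2.44|198.51.100.80|BUFFER_OVERFLOW_ATTEMPT
"""

RECON_SIGS = {"PORTSCAN"}                    # assumed signature names
EXPLOIT_SIGS = {"BUFFER_OVERFLOW_ATTEMPT"}


def parse_alerts(text):
    """Parse the assumed pipe-separated format into a list of dicts."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, client, src, dst, sig = line.split("|")
        alerts.append({"ts": datetime.fromisoformat(ts), "client": client,
                       "src": src, "dst": dst, "sig": sig})
    return alerts


def correlate(alerts, window=timedelta(days=7)):
    """Return (hot_list, incidents).

    An incident is an exploit-signature alert whose source already produced a
    recon alert against the same client inside the preceding window. The hot
    list is the sorted set of source IPs involved in at least one incident.
    """
    recon = defaultdict(list)  # (client, src_ip) -> recon timestamps
    for a in alerts:
        if a["sig"] in RECON_SIGS:
            recon[(a["client"], a["src"])].append(a["ts"])

    incidents = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        if a["sig"] not in EXPLOIT_SIGS:
            continue
        prior = [t for t in recon.get((a["client"], a["src"]), [])
                 if a["ts"] - window <= t < a["ts"]]
        if prior:
            incidents.append({"client": a["client"], "src": a["src"],
                              "dst": a["dst"], "recon_at": min(prior),
                              "exploit_at": a["ts"]})

    hot_list = sorted({i["src"] for i in incidents})
    return hot_list, incidents


if __name__ == "__main__":
    hot, found = correlate(parse_alerts(SAMPLE_ALERTS))
    for i in found:
        print(f"{i['client']}: {i['src']} scanned at {i['recon_at']} "
              f"then hit {i['dst']} at {i['exploit_at']}")
    print("hot list:", hot)
```

Only the acme source lands on the hot list: its scan and exploit attempt are six and a half days apart, while the globex scanner comes back too late for the window and the third source never scanned at all. In practice an analyst would tune the window per client and keep lone scanners on a watch list rather than discard them, since the follow-up may simply not have arrived yet.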

Hillyard is no low-level helpdesk employee. Analysts are paid well (Dunphy wouldn’t specify a salary) and they’re expected to live up to certain criteria: they must know networking; they need at least four years of experience; no prima donnas; no former hackers, no matter what colour of hat they wore. “We absolutely cannot tolerate such a risk,” Dunphy said.

Clients pay for MSS, of course, although Dunphy wouldn’t talk numbers. “I haven’t given out pricing before.” However, he did say it depends on the number of devices the enterprise wants monitored, length of contract, as well as whether the client wants the premium or the standard service. The former offers longer log-keeping and greater access to analysts.

MSS works alongside Symantec’s security response team, of which Dee Liebenstein is the product manager. This group takes global data and crunches it to provide research, alerts, advisories, security updates, white papers, newsletters and guidelines for clients.

Liebenstein said her crew is focused on speed-of-delivery, getting info and virus definitions out fast. It’s important as Internet threats propagate. In 2001, the average week saw 30 software vulnerability announcements from vendors. In 2003 that average has jumped to 60 per week.

To help the enterprise keep up, Symantec created “DeepSight” early-warning solutions, which provide alerts and threat management services. In a February press release, the firm boasted that DeepSight discovered the SQL-seeking Slammer worm “hours before it began rapidly propagating.”

The magazine Wired, however, blasted Symantec for withholding the info from the Internet community, “possibly harming millions of Internet users,” reads a Feb. 14 article.

Liebenstein saw that story and disagrees. “As soon as we have an indication of what the threat does, we go public with it,” she said, adding that Symantec knew something was happening on port 1434, Slammer’s door, but didn’t have enough info to call it an attack. When the firm confirmed the worm’s arrival, Symantec shared the data, she said.

Liebenstein painted a disturbing picture of Internet health. In 2003, 80 per cent of threats have been remote executable, meaning that the attacker need not be nearby to set it off. Windows-targeted attacks increased 123 per cent between 2002 and 2003; peer-to-peer and instant messaging threats increased 400 per cent during the first half of 2003.

All the more reason for Symantec’s SOC, where Hillyard and the other watchers probably won’t get bored. “It’s never the same old thing day to day,” Dunphy said.
