From the outside, the building along Eisenhower Avenue in Alexandria, Va. seems like nothing out of the ordinary.
Apart from the company logo at the entrance, there’s little indication that this low-rise structure is a key facility in the global battleground of cyber warfare.
Symantec Canada recently hosted several Canadian journalists on a tour of its Security Operations Centre (SOC) some 20 minutes outside of Washington, D.C. The Virginia facility is one of five Symantec SOCs across the globe; others are located in Tokyo, Munich, Sydney in Australia and Twyford in England.
These SOCs comprise Symantec’s Global Intelligence Network which provides, among other things, an insight into IT security vulnerabilities and attacks around the world.
The SOCs monitor security threats through 40,000 sensors installed in 180 countries and 150 million client, server and gateway anti-virus systems, according to Vincent Weafer, senior director for Symantec Security Response.
The Global Intelligence Network also draws reports from two million decoy e-mail accounts that generate between 30 and 40 million spam and virus-related e-mail messages per day, Weafer added. These reports become the basis for creating rules and definitions for viruses and spam.
The SOC room in Symantec’s Alexandria office is located at ground level. Entry into the SOC is secured by two-factor authentication technology, consisting of an authorized employee badge and a biometric reader for fingerprint scanning.
The first entry point leads to what is called the “fishbowl,” a lounge-like room enclosed by a wide glass window providing a view of the SOC on the other side of the room.
Entry to the actual SOC, which serves as the war room for Symantec’s security analysts and engineers, is also secured by two-factor authentication.
In the centre of the room are three large LCD screens. The middle screen is the Deep Sight Threat Monitor showing a map of the world and the number of security threats in different parts of the globe, giving analysts a real time view of the threats and attacks that are happening on a global basis, explained Jonah Paransky, director of product management with Symantec Managed Security Services.
The second monitor shows operations queued for analysts to look into and the status of those operations. These are specific incidents detected from customers’ monitored network devices that require further investigation.
The third displays a phone queuing system that monitors and reports details of various phone calls with customers related to security incidents, explained Paransky.
There are also smaller television sets around the centre of the room that are tuned in to different news channels, providing up-to-date news on global developments as they relate to IT and network security.
A large part of the SOC’s function is monitoring various network security devices for Symantec’s Managed Security Services enterprise customers. Analysts research and capture security threats and vulnerabilities for customers and provide comments and recommendations for remediation in case of an attack.
Analysts monitor network activities for customers, watching for unusual traffic such as known signatures for worms and viruses, external IP addresses attempting to access specific network ports, firewall or intrusion detection systems, as well as internal traffic for unusual activities within the network, explained Tracy Williams, a senior analyst at the SOC.
Each analyst’s workstation consists of two LCD computer monitors that show log entries pertaining to a customer’s network traffic. The logs are sorted by different categories, including timestamp, source IP address and company ID. The logs are also colour-coded, indicating to the analyst what type of attack or event is occurring, Williams explained.
Analysts primarily look for signatures for different types of traffic, including known vulnerabilities.
“There are certain signatures that are known as just normal traffic through firewalls, where you’re going to see a lot of internal-to-internal traffic. But if I see external IP addresses that do not belong to the customer and then I see signatures firing that should only be firing for internal-to-internal, that raises a flag for me,” explained the SOC analyst.
Another cause for concern, added Williams, would be aggressive outbound scanning by an external source IP address, particularly involving ports that are designed only for internal traffic.
The SOC is in operation 24 hours a day, seven days a week. Analysts work on three rotating eight-hour shifts daily. An analyst on duty also has a backup person who steps in to staff the queuing monitors if the primary analyst on duty needs to go on break.
This practice is to ensure that monitoring continues consistently and security incidents are dealt with in real-time as they happen, said Williams.
There are four different levels of severity for any security event, according to Williams: informational, warning, critical and emergency.
For informational and warning level, an e-mail is generated for the customer containing details of the specific incident, as well as comments and recommendations from the analyst in charge of the account.
In critical- and emergency-tagged situations, an e-mail is still generated, but there is an added step of opening up a ticket for logging resolution and status of the incident.
If the situation is deemed extremely urgent, the analyst would then call the customer and initiate ways to either stop the attack from happening or prevent the attack from spreading across the corporate network, Williams explained.
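The flagging heuristics Williams describes (internal-only signatures firing from an external source, and scanning of internal-only ports) together with the four severity levels and their responses, written out as an added example; this is not Symantec’s code or anything from the article. The internal address ranges, signature names, log line format, scan threshold and the mapping of "emergency" to a phone call are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed customer internal ranges and signatures/ports that should only be
# seen on internal-to-internal traffic (constructed for this example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
INTERNAL_ONLY_SIGS = {"SMB-NULL-SESSION", "NETBIOS-NAME-QUERY"}
INTERNAL_ONLY_PORTS = {135, 139, 445}
SCAN_THRESHOLD = 3  # distinct internal-only ports hit from one external source

# Constructed log lines: timestamp, company ID, src IP, dst IP, dst port, signature
LOG_LINES = [
    "2007-03-01T10:00:01 ACME 10.1.2.3 10.1.2.4 445 SMB-NULL-SESSION",
    "2007-03-01T10:00:05 ACME 203.0.113.7 10.1.2.4 445 SMB-NULL-SESSION",
    "2007-03-01T10:00:09 ACME 203.0.113.7 10.1.2.4 139 NETBIOS-NAME-QUERY",
    "2007-03-01T10:00:12 ACME 203.0.113.7 10.1.2.5 135 RPC-ENDPOINT-MAP",
    "2007-03-01T10:00:20 ACME 10.1.2.9 198.51.100.1 80 HTTP-GET",
]

# Assumed response per severity level: informational/warning get an e-mail,
# critical adds a ticket, emergency is treated as extremely urgent and adds a call.
ACTIONS = {
    "informational": ["email"],
    "warning": ["email"],
    "critical": ["email", "ticket"],
    "emergency": ["email", "ticket", "call"],
}

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def parse(line):
    ts, company, src, dst, port, sig = line.split()
    return {"ts": ts, "company": company, "src": src, "dst": dst, "port": int(port), "sig": sig}

def analyse(lines):
    """Return (severity, reason, source IP) findings for traffic from external sources."""
    findings = []
    ports_by_ext_src = defaultdict(set)
    for rec in map(parse, lines):
        if is_internal(rec["src"]):
            continue  # internal-to-internal traffic is expected through the firewall
        if rec["sig"] in INTERNAL_ONLY_SIGS:
            findings.append(("critical", f"{rec['sig']} fired from external source", rec["src"]))
        if rec["port"] in INTERNAL_ONLY_PORTS:
            ports_by_ext_src[rec["src"]].add(rec["port"])
    for src, ports in ports_by_ext_src.items():
        if len(ports) >= SCAN_THRESHOLD:
            findings.append(("emergency", f"scan of internal-only ports {sorted(ports)}", src))
    return findings

def response_actions(severity):
    return ACTIONS[severity]
```

Running `analyse(LOG_LINES)` on the constructed lines yields two critical findings and one emergency finding, all attributed to the external address 203.0.113.7.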
Every source IP address that goes through the customers’ security devices that the SOC manages or monitors is stored in a database. This allows analysts to track and get details on certain IP addresses that are of interest to them.
In addition to supporting the monitoring and management of customer environments, the huge amounts of data that the SOC generates, including 200,000 malware submissions per month, are used by Symantec’s engineering team for future technology development, said Symantec’s Weafer.