In association with heise online

Analysis

The system organises the anomalies detected by Caltarian into four categories, and customers must be notified of level 3 (Critical) and 4 (Emergency) alerts no later than ten minutes after detection. "Critical" is the level used for potentially dangerous events, while "Emergency" identifies attacks where data is already leaking. Every day, Caltarian distils around 200 level 3 and 4 events from up to two billion log entries.

Caught in the net: The sudden surge of SMTP traffic is caused by a spamming trojan which has infected the email server.
Another suspicious activity the SOC will immediately report to its customer is a workstation trying to establish an IRC (Internet Relay Chat) connection via the internet. In a recent case, Caltarian matched the data traffic against the typical traffic of a known botnet and raised the alarm. The local anti-virus system had failed to detect the client's earlier malware infection, and a later infection of an email server on a different network had likewise gone unnoticed. It was only the data traffic this email server subsequently generated that the automated log file analysis classified as suspicious.

Dipper explained that the SOC can only ever be as successful as the quality and number of the log files provided by the customer. In the General Manager's experience, only a third of all attacks can be detected using the logs generated by IPS/IDS components. He said that combining those entries with the corresponding firewall logs raises the detection rate to just over 80 per cent. Only merging this data with the data produced by the virus scanners and other monitoring systems installed on the PCs and servers themselves allows the experts to recognise almost all attacks, said Dipper.
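As an added illustration (not Symantec's code and not anything the article describes in detail), here is a small correlator in the spirit of the two cases above: it runs over constructed firewall log lines, flags a client opening an outbound IRC session, escalates that to Emergency when the same client is also moving bulk data out, flags an SMTP surge from a host that is not the mail relay, and stamps each alert with the ten-minute notification deadline. The log format, the IRC ports, the relay address and the thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Alert levels as the article describes them; only levels 3 and 4 are named there.
LEVEL_NAMES = {3: "Critical", 4: "Emergency"}
NOTIFY_WITHIN = timedelta(minutes=10)
# Assumed for this example, not taken from the article: IRC ports, the single
# legitimate mail relay, and the thresholds for an SMTP surge and bulk outbound data.
IRC_PORTS = {6667, 6697}
MAIL_SERVERS = {"10.0.0.25"}
SMTP_SURGE = 20
EXFIL_BYTES = 50_000_000

def parse_line(line):  # constructed format: '<iso-time> <src> <dst> <dport> <bytes_out>'
    ts, src, dst, dport, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)}

def make_alert(level, host, detected_at, reason):  # attach category name and customer deadline
    return {"level": level, "name": LEVEL_NAMES[level], "host": host,
            "reason": reason, "notify_by": detected_at + NOTIFY_WITHIN}

def correlate(lines):  # returns the level 3/4 alerts the SOC would have to pass on
    events = [parse_line(l) for l in lines if l.strip()]
    alerts = []
    # Rule 1: a client opening an outbound IRC session looks like botnet C2 (Critical).
    irc_hosts = {}
    for e in events:
        if e["dport"] in IRC_PORTS:
            irc_hosts.setdefault(e["src"], e)   # first sighting is the detection time
    # Rule 2: the same client also pushing bulk data out is treated as a leak (Emergency).
    out_bytes = {src: sum(e["bytes"] for e in events if e["src"] == src) for src in irc_hosts}
    for src, e in irc_hosts.items():
        level = 4 if out_bytes[src] >= EXFIL_BYTES else 3
        alerts.append(make_alert(level, src, e["ts"], f"outbound IRC to {e['dst']}"))
    # Rule 3: a host that is not a mail relay suddenly sending lots of SMTP (the spam trojan).
    smtp = defaultdict(list)
    for e in events:
        if e["dport"] == 25 and e["src"] not in MAIL_SERVERS:
            smtp[e["src"]].append(e["ts"])
    for src, stamps in smtp.items():
        if len(stamps) >= SMTP_SURGE:
            alerts.append(make_alert(3, src, min(stamps), f"SMTP surge: {len(stamps)} connections"))
    return alerts

# Constructed sample: one workstation talks IRC and then moves bulk data, another blasts SMTP,
# and the legitimate relay sends one normal message.
SAMPLE_LOG = [
    "2010-07-01T10:00:00 10.0.1.7 203.0.113.9 6667 1200",
    "2010-07-01T10:00:05 10.0.1.7 203.0.113.9 443 60000000",
    "2010-07-01T10:02:00 10.0.0.25 198.51.100.3 25 4000",
] + [f"2010-07-01T10:03:{i:02d} 10.0.1.9 198.51.100.{i + 1} 25 3000" for i in range(25)]
```

Running `correlate(SAMPLE_LOG)` yields two alerts: an Emergency for the IRC client and a Critical for the SMTP surge, each with its notification deadline.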

Suspicious: A client attempting to contact a Serbian IP address via IRC puts the Symantec monitoring system on alert. A manual screening of the suspicious PC produces a botnet trojan.
However, the SOC executive admits that even Symantec's systems have no chance when a customer falls victim to a targeted attack. It's not only because the spyware used for targeted attacks can't be detected by anti-virus programs. It's also that the data traffic it generates will most probably not match any of the more than 74,000 patterns collected by Caltarian over the years and used by the system to categorise threats. In addition, botnet operators increasingly try to camouflage the communication between their bots and the control server to avoid attracting the attention of the monitoring team.

Incidentally, Dipper explained the comparatively unspectacular appearance of his SOC by pointing out that the SOC only moved into a regular office building two years ago. Prior to that, the experts sat in a decommissioned army bunker deep below the surface of the earth. While this added to the staff's James Bond image, working in the absence of daylight apparently did nothing for their motivation.

Permalink: http://h-online.com/-850643