Inside the Security Operations Center
Level two alert
by Uli Ries
Every day, the experts at Symantec's Security Operations Center discover around 200 serious attacks on the networks of the center's large corporate customers and notify the affected customers within ten minutes. That does not make these networks immune, however.
Those who expect a NORAD-style command centre or virtual hacker chases like those in the film "Sneakers" will probably be disappointed when they enter Symantec's European Security Operations Center (SOC). There is an atmosphere of calm at the SOC, with not a trace of hectic, let alone alarmed, activity. A handful of well-presented employees – all dressed in modern casuals and a world away from freaks in slogan t-shirts and other hacker stereotypes – sit in front of two or three LCD displays each, occasionally glancing at eight wall-mounted flat-screen monitors that display information about the current global cyber threat situation. The SOC employees even have time for a relaxed chat between jobs. What they talk about remains a secret: visitors only observe their activities through a glass screen in the adjacent conference room. Incidentally, the SOC specialists' workstations still all run Windows XP.
It is difficult to reconcile the relaxed atmosphere within the small team with the centre's purpose. After all, the SOC protects the networks of large corporate customers and public authorities, among them 92 of the top 500 companies worldwide, around the clock, 365 days a year. When asked, Symantec says it will not disclose client names; the only thing we are told is that a third of those protected are banks and insurance companies. We do know, however, that Symantec's Managed Security Service (MSS) customers include the logistics service provider DHL and eBay. MSS offers various services such as penetration testing and security monitoring; the SOC is responsible for the latter. With companies such as Atos Origin, BT, IBM, RSA and Verisign offering similar services, there is evidently a large demand in the corporate world for external security services.
A separate screen shows BBC World News. Martin Dipper, General Manager of the London SOC, emphasised that this is not there to entertain the staff. He soberly explained that the centre needs early warning of events that may influence IT security. This includes events such as the death of a celebrity: following Michael Jackson's death, for example, waves of spam and malware with related content appeared very quickly. Political summits also regularly trigger cyber attacks which, according to Symantec, even put the energy providers of the respective venue on alert.