In association with heise online

Alarm system

Apart from the European SOC, there are three other SOCs; one in the US, one in India and one in Australia. According to Dipper, each of them is online for 19 hours at a time, ensuring that there are always two centres available simultaneously. All the centres have identical set-ups and access the same customer data and log files. In the four SOCs, Symantec employs a total of around 200 staff whose professional and personal CVs were thoroughly screened before they were hired. Dipper said he does not consider newly graduated applicants because the demands involved are too varied, and the tasks too sensitive.


Well informed: Among other things, the wall-mounted flat screen monitors display the relevant cyber attacks in progress somewhere in the world.

To limit the potential misuse of information despite the careful selection of their staff members, the centres are structured in a strictly regimented way: only one or two system developers – the usually precise SOC executive didn't want to specify exact numbers – have access to all of the system's analytical functions when required. Otherwise, employees have access only to the data that is relevant to their specific tasks, for example firewall logs, messages from intrusion detection systems, or customers' contact details.

The SOC's technologies are designed to track down suspicious network activities in the log files generated by customers' systems. More than two billion log entries are generated every day; sensors such as firewalls, IDS and IPS components and other network devices send their log files to Symantec every three minutes. The system can handle log files generated by any product of any hardware or software vendor. Symantec initially stores all the information in a database before sending it for analysis to the actual SOC core component, Caltarian. This is Symantec's name for the system that first normalises the various log files into a uniform format and then screens the data for suspicious network activities. The collected data is later also anonymised and combined into the Security Threat Report that Symantec publishes twice a year.

The detection system not only considers known patterns of cyber and malware attacks, but also the previous behaviour of individual customer systems. For example, Caltarian detects when one of a customer's email servers suddenly starts producing high data volumes compared with previous months.


Groupings: Depending on their task, for example when analysing firewall logs, the SOC employees group together in pairs.

It was through such an anomaly that the fully automated system recently discovered that one of the email servers monitored by the SOC had been infected by a spamming trojan: when SMTP data volumes increased more than tenfold within a single day, Caltarian raised the alarm because a threshold previously set for this very server had been exceeded. Such alerts require Symantec to act very quickly: the security firm guarantees that its customers will be informed about critical security issues no later than ten minutes after the SOC's warning. In such alert situations, employees need to be able to rely on their experience and professional qualifications; without these it would be impossible, in such a short time, to accurately conclude whether an issue is a genuine security problem or a false alarm. Dipper said the SOC's job is done once the alert has been issued; the customer's IT experts are then responsible for tracking down and fixing the cause of the problem.
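The per-server threshold described above can be modelled in a few lines. The following is an added illustration, not Symantec's or Caltarian's code: each server gets its own baseline from its recent history (here the median of the previous days' outbound SMTP volume), and an alert is raised only when today's volume exceeds a multiple of that baseline. The server names, volumes and the 10x factor are constructed for the example.

```python
from statistics import median

# Constructed sample: daily outbound SMTP volume in MB per monitored server,
# oldest first; the last value is "today". These numbers are invented.
SMTP_VOLUME_MB = {
    "mail-01": [120, 135, 110, 128, 140, 125, 131, 118, 1450],  # sudden >10x jump
    "mail-02": [300, 310, 295, 305, 320, 298, 301, 315, 330],   # normal drift
}


def baseline(history):
    """Per-server baseline: the median of past days, so one earlier spike
    does not inflate the threshold the way a mean would."""
    if not history:
        raise ValueError("need at least one day of history")
    return median(history)


def check_server(name, series, factor=10.0, min_history=7):
    """Return an alert dict when today's volume exceeds factor x this server's
    own baseline, or None. Servers with too little history never alert, so a
    freshly onboarded host cannot trip the rule on guesswork."""
    history, today = series[:-1], series[-1]
    if len(history) < min_history:
        return None
    base = baseline(history)
    threshold = factor * base
    if today > threshold:
        return {"server": name, "today_mb": today,
                "threshold_mb": threshold, "ratio": round(today / base, 1)}
    return None


def run_checks(volumes, factor=10.0):
    """Evaluate every monitored server and return the list of alerts."""
    alerts = []
    for name, series in volumes.items():
        alert = check_server(name, series, factor)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_checks(SMTP_VOLUME_MB):
        print(f"ALERT {a['server']}: {a['today_mb']} MB today, "
              f"threshold {a['threshold_mb']} MB ({a['ratio']}x baseline)")
```

Because the threshold is relative to each server's own history, the rule fires for mail-01 (about 11.5x its baseline) while mail-02's busy but ordinary day stays silent; the SOC analyst then still has to decide, within the ten-minute window, whether the jump is an infection or a legitimate mail-out.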

According to the executive, one reason why the SOC is not directly involved in solving the problem is that it has no knowledge of a system's purpose. He said only the customer's own IT experts on site know whether an affected server or an infected workstation can, for example, be rebooted for decontamination. In addition, the executive says Symantec naturally also wants to avoid potential liabilities in case something goes wrong in the problem-solving process.


Permalink: http://h-online.com/-850643