Inside Symantec's nuclear bunker
Published: 25 Nov 2005 13:10 GMT
...of malicious code. Symantec uses basic agent technology to collect the information, or customers can choose to send in the information manually. "We deploy a small agent onto the customer collection point — the firewall, or the syslog server. The agent is a small piece of software that collects, compresses, signs and encrypts the data before forwarding it to us," says Ogden.
The data process
Once the data has been collected, it is sent to Symantec where it is analysed and, if there is any danger of attack, a report is speedily sent to the client. "If the situation is critical or an emergency, we pick the phone up to the customer and say 'You could be under attack'," says Ogden.
All customer information is stored centrally and run through two filters — a "progressive threat model" that decides whether the code is a threat, and an "expert query engine". The expert query engine decides what the threat is targeting, where it's coming from and what the threat is. This code is then analysed by a Symantec engineer and the incident classified according to its threat level:
Informational — the client has been scanned by hackers but no more action is required
Warning — the client has been scanned and a vulnerability has been detected by hackers
Critical — the client has been scanned and vulnerable machines are being targeted
Emergency — there is a possibility of code being deposited on vulnerable machines
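As an added illustration, not Symantec's code and not part of the article, the following Python snippet applies the four-level ladder above to a handful of constructed event lines and flags which incidents would warrant the phone call Ogden describes. The line format, the event names and the customer identifiers are all assumptions.

```python
import re
from collections import defaultdict

# Severity ladder from the article, ordered lowest to highest.
LEVELS = ["Informational", "Warning", "Critical", "Emergency"]

# Hypothetical event types mapped onto the ladder: a scan alone is
# Informational; a scan that found a vulnerable service is Warning;
# exploit traffic at that service is Critical; a dropped payload is Emergency.
EVENT_LEVEL = {
    "scan": "Informational",
    "vuln_hit": "Warning",
    "exploit_attempt": "Critical",
    "payload_drop": "Emergency",
}

# Constructed line format (assumed, not Symantec's): "<ts> cust=<id> src=<ip> event=<type>"
LINE_RE = re.compile(r"^(?P<ts>\S+) cust=(?P<cust>\S+) src=(?P<src>\S+) event=(?P<event>\S+)$")

def parse(lines):
    """Yield (customer, source, event) tuples, skipping malformed or unknown events."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m["event"] in EVENT_LEVEL:
            yield m["cust"], m["src"], m["event"]

def classify(lines):
    """Return {customer: (highest level reached, sorted list of attacking sources)}."""
    worst = {}
    sources = defaultdict(set)
    for cust, src, event in parse(lines):
        level = EVENT_LEVEL[event]
        sources[cust].add(src)
        if cust not in worst or LEVELS.index(level) > LEVELS.index(worst[cust]):
            worst[cust] = level
    return {c: (worst[c], sorted(sources[c])) for c in worst}

def needs_phone_call(level):
    """Critical and Emergency incidents are escalated by phone, per the article."""
    return LEVELS.index(level) >= LEVELS.index("Critical")

# Constructed sample events (RFC 5737 documentation addresses, invented customers).
SAMPLE = [
    "2005-11-25T10:00:01Z cust=acme src=203.0.113.7 event=scan",
    "2005-11-25T10:00:09Z cust=acme src=203.0.113.7 event=vuln_hit",
    "2005-11-25T10:02:30Z cust=acme src=203.0.113.7 event=exploit_attempt",
    "2005-11-25T10:05:00Z cust=globex src=198.51.100.4 event=scan",
    "2005-11-25T10:06:12Z cust=initech src=192.0.2.50 event=payload_drop",
    "this line is malformed and is ignored",
]

if __name__ == "__main__":
    for cust, (level, srcs) in classify(SAMPLE).items():
        print(cust, level, srcs, "PHONE" if needs_phone_call(level) else "report")
```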
During ZDNet UK's visit to the facility, an attempted distributed denial of service attack, launched using a botnet in Romania, was detected. "We profile the threat by finding out where it's being launched from, who it's being aimed at and what it's trying to achieve," says Ogden.
On a wider network
The Security Operations Centre (SOC) in Winchester is part of Symantec's global network of information monitoring stations. Customer data is monitored in five SOCs located in Sydney, Munich, the UK and two in the US — in Alexandria and San Antonio.
The SOCs work closely with Symantec's seven security response centres (SRCs). Where the primary role of the SOC is to identify attacks against customers, the SRCs work on a higher level and collate information from a wider variety of sources.
The seven SRCs are located around the globe, in locations including the US, Canada, Ireland, Japan and Australia.
As well as monitoring viruses directly detected by customers, Symantec also scans 25 percent of global email traffic for malicious code — Symantec has a number of "honeypot email boxes", which are accounts provided by ISPs. They are not used, so anything that ends up there is usually spam, trojans, viruses or other forms of malware. An attack quarantine system linked to the honeypot network captures malicious code such as worms and trojans. "It is a virtual network that simulates servers, and so looks like a real network," says Art Wong, vice-president of security response and managed security services for Symantec.
Symantec maintains a list of all the vulnerabilities found across its network called Bugtraq. According to Wong, it's both a clearing house and a database of vulnerabilities. This list is shared...