SAN ANTONIO, TEXAS - Symantec's security operations center in San Antonio marches to a decidedly military beat.
First off, the specialists hired to remotely watch customer networks day and night for signs of attack are, for the most part, hired directly from the U.S. Army or Air Force.
"That's because these people are used to shift work and are diligent at staring at a screen when a new threat is evolving," explains Charlie Johnson, vice president of Symantec's security services. Johnson, who heads up Symantec's security operations centers in the U.S., Europe and Asia, has had a long career battling Internet cyberassault. Until a few years ago he was operations superintendent at the Information Warfare Center at Kelly Air Force Base, where the U.S. plots its cyberdefense strategies, before retiring as a 20-year Air Force veteran.
Johnson's mission now is to expand the operations of Symantec's managed security services, which he's undertaken with Craig Robinson, vice president of Symantec's managed security services.
Robinson is former CIO and president of Trident Data Systems, which for a decade provided information security services to the Department of Defense and intelligence agencies. Trident was acquired four years ago by Veridian, the San Antonio security firm that went public recently with an IPO valued at more than $200 million.
After the stint at Trident, Johnson and Robinson went into business by co-founding Secure Network Consulting (SNC) with two other colleagues. In a year of fast-paced acquisitions, SNC was snapped up by Axent Technologies, and Axent by Symantec two years ago.
At that point, Symantec, which sought to reach beyond its antivirus software focus to provide a wider array of security equipment and services, tapped Johnson to help Symantec expand into what was a new line of business: managed security services.
"Axent, before Symantec bought it, had a foothold here monitoring firewalls and Web servers for customers," Johnson says about the Austin, Texas-based operation, which occupies a floor in a high-rise office building on the outskirts of San Antonio. "The European division of Xerox was one of the early customers."
While Symantec's managed security services division is still fairly small - with about 300 people - it's growing steadily. Later this month, Symantec will open a new security operations center (SOC) in England. It's an underground bunker that was used by the British from World War II until the mid-1980s. It has high-speed telecommunications and microwave links connecting it to the outside world. Baltimore Technologies used it for secure digital certificate management before abandoning it.
"It's completely underground with grass growing over the top of it," Robinson says. "All you can see is an open meadow and cows." Symantec chose the bunker network center because "a lot of European clients were saying we need the assets to be survivable," Robinson says.
Symantec found the primary reason for building SOCs in foreign countries is because of language and business management concerns, not technology reasons.
"German companies want the SOC in Germany," Johnson says. Redundancy and backup are central concerns for all.
To communicate effectively with customers, Symantec asks all customers to make use of videoconferencing systems so the customer's staff and Symantec staff can interact effectively for morning meetings.
"If you have an incident and need to walk them through it, you want to bring up the video and see how panicked they are," Johnson says. If a hacker can be pinpointed and prosecution is warranted, Symantec works in partnership with PricewaterhouseCoopers to capture forensics evidence and pursue a chain of evidence that can be used in court.
Correlating events
Pinging, probing and denial of service (DoS) are the kinds of attacks that Symantec security specialists observe hour after hour as they peer into their screens behind a glass-enclosed wall at the Symantec SOC in San Antonio.
The computer worms that ravaged the Internet and forced many corporations to shut down for a day or longer last summer are still thriving. "We're still seeing a lot of Code Red and Nimda," says security analyst Andrew Garthe, who got his first introduction to computer security response while at Fort Gordon before joining Symantec about one-and-a-half years ago. "About once a month, there's a serious event of some kind for each customer. We're seeing massive [DoS] attacks these days."
Garthe and other analysts can obtain multiple views of the customer network they monitor on their computers and via a large projection screen on the wall that highlights quiet areas in green and danger zones in red. Symantec also correlates what it sees across multiple customer networks to determine if an ongoing pattern indicates a wider threat.
Symantec has developed its own enterprise management software for collecting output from different vendors' firewalls, and server- and host-based intrusion-detection system (IDS) equipment via a device it installs on each corporate network. The management software, which might eventually be marketed via Symantec's security products division, correlates threat data so it can be presented as an overview to the observer.
Staff at the San Antonio SOC also can call on the experience of Symantec's antivirus division and the rapid response team that seeks to identify new viruses and worms and provide protection against them.
Symantec's customers tend to be large organizations that want complete monitoring of internal servers, IDS, antivirus and perimeter defenses, such as firewalls. Most agree to three- to five-year contracts that can cost upwards of $1 million. While Symantec's staff didn't disclose exactly whose network was on display on the large projection screen, one customer offered to explain his rationale for outsourcing security monitoring to Symantec.
"We've had an initiative to focus on intrusion detection and management, and we wanted detectors on critical servers inside the organization," says Richard Diamond, CIO at The Doctors Company, a physician-owned medical malpractice insurance firm in Napa, Calif. The company has 12 regional offices and 400 employees. While The Doctors Company has 45 professionals in its IT department, it would be a strain to train and deploy them for round-the-clock monitoring. "We just don't have that level of resources," Diamond says.