How to SOC it to the bad guys

A security operations center is becoming an enterprise must-have.
By Joanne Cummings, Network World, 03/21/2005

Eamus Halpin's wake-up call was the Slammer worm. Until it hit, he had relied solely on port blocking to protect his enterprise network from hacks and intrusions. After he saw the network carnage Slammer wreaked around the globe, Halpin knew he had to revamp his company's approach to network security.

"I happened to be with Microsoft at the time at an NDA event in Seattle, and somebody scared me about what could happen to a port blocking-based network hit by Slammer," recalls Halpin, who is chief technical architect at iRevolution, a managed services provider in London. Although iRevolution's network was spared a direct hit by the worm, Halpin knew that had just been luck. "I spent three hours researching the implications of the worm, and my hair went white. We were as open as Swiss cheese," he says.

Although iRevolution had the basics in place - firewalls, anti-virus software, intrusion-detection systems (IDS) - it had no way to combine alerts from these various security tools to build a logical picture of the security health of the network.

"Everything was separately maintained and managed. They didn't speak to each other and didn't give us a business temperature for the enterprise as a whole," Halpin says. "So we could see occasionally that we were being attacked by a particular type of virus through e-mail, but we couldn't really determine how big an issue that was in the great scheme of things."

Halpin decided then and there to do a complete security overhaul. His goal was to build and maintain a world-class security operations center (SOC) for iRevolution's internal network, as well as to help support customers.

Just as network operations centers (NOCs) continuously monitor networks to mitigate faults and ensure optimal performance, SOCs continuously monitor and manage a range of security devices and events to maintain overall network security. Experts say SOCs are becoming more common among companies for a variety of reasons, most notably because security has evolved from a discipline based on point solutions to something far more pervasive and critical to overall network health.

"It used to make sense to have security specialists managing the various firewalls, IDS and so on because security was at a very specific location on your network and had a very specific function," explains Andreas Antonopoulos, senior vice president and founding partner at Nemertes Research. "But security no longer works that way. The perimeter is porous, and instead, security needs to be applied at the application level, at the network level and at the storage level. It's become a feature of your end-to-end application delivery, much like network performance."

Regulatory pressure brought on by the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act also drives enterprise SOC development.
