In one of the rolling hills above Winchester, England, is a decommissioned nuclear bunker that houses Symantec's U.K. Security Operations Center.
The facility, built at enormous cost to British taxpayers at the end of the Cold War in the early 1990s, is now owned by the security company. The popular image of a bunker is a dank, rat-infested hole in the ground, but luckily for Symantec's team, the interior looks surprisingly like any other office.
The facility is home to Symantec's U.K. Managed Security Services team, whose main task is to filter and monitor data fed back from customers' intrusion prevention systems, firewalls and intrusion detection systems.
The Winchester team analyzes some 1.5 billion lines of code per day, said Jeff Ogden, Symantec's director of managed security services for Europe, the Middle East and Africa. "We spend our lives gathering and analyzing information and intelligence," he said. "This is an enormous amount of information, and we're trying to pull it into a coherent state."
The managed security services team is located in a room glassed off from the main bunker, which has 15 workstations ranged in three rows of five. Four large flat-screen monitors, mounted on the wall, face the workstations. Sky News plays constantly in the background to help the team monitor the geopolitical situations that may affect the info-threat landscape.
Tight security
Access to the bunker is closed--even other Symantec personnel cannot enter the building without prior clearance. Any visits must be announced at least 24 hours in advance. Symantec customers must sign nondisclosure agreements before visiting.
Once inside, all employees must log in at a special workstation and must log out when leaving. Three external cameras have a 360-degree view of the building. A digital recorder keeps 30 days of backup. The bunker runs round the clock, staffed by a minimum of four and a maximum of 15 analysts.
Even the atmosphere inside is highly managed. It is pressurized to 1.5 pounds per square inch greater than outside air pressure, so air is constantly being forced out--handy if someone decides to drop an atomic bomb in the vicinity. In the event of a nuclear attack, the air can be filtered through charcoal, and there are still safeguards in place against a gas attack.
The bunker has features like a security alarm--two strips of black plastic with glowing red insides--that's activated if any unauthorized visitor steps inside the glassed-off internal perimeter, where the analysts work away. Get too close to the alarm and it bleeps and registers an intruder.
If anyone gets past that, there's one last line of defense to deal with. "That's when I appear with a baseball bat," said Gordon May, Symantec's facilities manager.
Globally, there are 120 million desktops and servers using Symantec's products, which all feed back samples of malicious code. The company uses basic agent technology to collect the information, or customers can choose to send in the information manually.
"We deploy a small agent onto the customer collection point--the firewall, or the syslog server. The agent is a small piece of software that collects, compresses, signs and encrypts the data before forwarding it to us," Ogden said.
The data process
Once the data has been collected, it is sent to Symantec where it is analyzed and, if there is any danger of attack, a report is speedily sent to the client. "If the situation is critical or an emergency, we pick the phone up and say to the customer 'You could be under attack,'" Ogden said.
All customer information is stored centrally and run through two filters: a "progressive threat model," which decides whether the code is a threat, and an "expert query engine," which decides what the threat is, what it is targeting and where it is coming from. The code is then analyzed by a Symantec engineer and the incident classified according to its threat level:
Informational: The client has been scanned by hackers, but no more action is required
Warning: The client has been scanned and a vulnerability has been detected by hackers
Critical: The client has been scanned, and vulnerable machines are being targeted
Emergency: There is a possibility of code being deposited on vulnerable machines
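The collection agent described above (collect, compress, sign, forward) and the SOC-side filter-and-classify pipeline can be sketched end to end. The block below is an added example written for this page, not Symantec's agent or query engine: the key=value log format, the signature names (PORTSCAN, VULN_PROBE, EXPLOIT_ATTEMPT, PAYLOAD_DOWNLOAD), the asset inventory, the shared HMAC key and the rules mapping events onto the four levels are all constructed assumptions. The agent's encryption step is not shown; the example assumes the envelope travels over an encrypted transport such as TLS, and only demonstrates the compress-then-sign half and the receiver's integrity check before anything is parsed.

```python
import base64
import gzip
import hashlib
import hmac

# Constructed shared secret (placeholder); a real deployment provisions a key per agent.
AGENT_KEY = b"placeholder-per-agent-secret"

# Constructed sample lines in a simple key=value syslog style, as a customer's
# firewall (fw1) and IDS (ids1) might emit them. Addresses are documentation ranges.
SAMPLE_LOGS = [
    "2005-11-14T10:00:01 fw1 sig=ALLOW src=10.0.0.8 dst=10.0.0.5",
    "2005-11-14T10:00:02 fw1 sig=PORTSCAN src=203.0.113.9 dst=10.0.0.5",
    "2005-11-14T10:00:03 ids1 sig=PORTSCAN src=198.51.100.7 dst=10.0.0.5",
    "2005-11-14T10:00:04 ids1 sig=VULN_PROBE src=198.51.100.7 dst=10.0.0.5",
    "2005-11-14T10:00:05 ids1 sig=EXPLOIT_ATTEMPT src=198.51.100.7 dst=10.0.0.5",
    "2005-11-14T10:00:06 ids1 sig=PORTSCAN src=192.0.2.44 dst=10.0.0.9",
    "2005-11-14T10:00:07 ids1 sig=VULN_PROBE src=192.0.2.44 dst=10.0.0.9",
    "2005-11-14T10:00:08 ids1 sig=EXPLOIT_ATTEMPT src=192.0.2.44 dst=10.0.0.6",
    "2005-11-14T10:00:09 ids1 sig=PAYLOAD_DOWNLOAD src=192.0.2.44 dst=10.0.0.6",
]

# Constructed asset inventory: customer hosts known to carry an unpatched vulnerability.
VULNERABLE_HOSTS = {"10.0.0.5", "10.0.0.6"}

# The four incident levels from the article, ordered from least to most severe.
LEVELS = ["Informational", "Warning", "Critical", "Emergency"]


# ---- agent side (customer collection point): collect, compress, sign ----------

def package(lines, key):
    """Compress a batch of log lines and attach an HMAC-SHA256 tag over the compressed bytes."""
    payload = gzip.compress("\n".join(lines).encode("utf-8"))
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": base64.b64encode(payload).decode("ascii"), "tag": tag}


# ---- SOC side: verify, decompress, filter, classify --------------------------

def verify(envelope, key):
    """Recompute the tag; compare_digest avoids leaking the mismatch position via timing."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])


def unpack(envelope, key):
    """Reject a tampered or mis-keyed batch before any of its contents are parsed."""
    if not verify(envelope, key):
        raise ValueError("envelope failed integrity check; batch discarded")
    raw = gzip.decompress(base64.b64decode(envelope["payload"]))
    return raw.decode("utf-8").splitlines()


def parse_line(line):
    """Turn '<ts> <sensor> k=v k=v ...' into a dict (constructed format)."""
    ts, sensor, *fields = line.split()
    event = {"ts": ts, "sensor": sensor}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def threat_level(event, vulnerable):
    """Constructed rules standing in for the threat model and expert query engine.

    Returns an index into LEVELS, or None when the event is benign and dropped.
    """
    sig = event.get("sig")
    hits_vulnerable = event.get("dst") in vulnerable
    if sig == "PAYLOAD_DOWNLOAD":
        return 3  # code may be landing on the victim: Emergency
    if sig == "EXPLOIT_ATTEMPT" and hits_vulnerable:
        return 2  # vulnerable machine actively targeted: Critical
    if sig == "VULN_PROBE" and hits_vulnerable:
        return 1  # the scan found a real vulnerability: Warning
    if sig in {"PORTSCAN", "VULN_PROBE", "EXPLOIT_ATTEMPT"}:
        return 0  # scanned, nothing exposed: Informational
    return None   # ALLOW and other benign traffic is filtered out


def triage(lines, vulnerable):
    """Aggregate per source address and keep the worst level seen for each."""
    worst = {}
    for line in lines:
        event = parse_line(line)
        level = threat_level(event, vulnerable)
        if level is None:
            continue
        src = event["src"]
        worst[src] = max(worst.get(src, 0), level)
    return {src: LEVELS[level] for src, level in worst.items()}


def run_pipeline(lines, key, vulnerable):
    """Agent packages the batch; the SOC verifies it and classifies what it contains."""
    envelope = package(lines, key)
    return triage(unpack(envelope, key), vulnerable)


if __name__ == "__main__":
    for src, level in run_pipeline(SAMPLE_LOGS, AGENT_KEY, VULNERABLE_HOSTS).items():
        print(f"{level:13s} {src}")
```

Two design points carry over to any real collector: the receiver verifies the tag over the compressed bytes before decompressing or parsing anything, so a forged or corrupted batch never reaches the parser, and the classification is driven by the customer's asset inventory, which is why the same probe lands at Informational against a patched host and at Warning against a vulnerable one.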
During ZDNet UK's visit to the facility, an attempted distributed denial-of-service attack, launched using a botnet in Romania, was detected.
My guess is that they got a good deal for the facility from the British government. Governments often sell land, equipment or even decommissioned bunkers at below market values to reduce inventories they are not using.
this bunker story and think they are doing a great job. Personally, in the past I've found their software to be a pretty interface but largely ineffective. Perhaps they need a bunker so newbies will think they have it together, kind of like feeling safer with AOL :-)
And they still could not detect the Sony Rootkit ...
That paranoia level seems designed to floor executives without real knowledge about computer security and it certainly works for that use.
One thing I'm still wondering is, how come Symantec (and all others) could not detect the Sony Rootkit while it was reportedly infecting around 500000 machines and had done so for months.
The article defines emergency as "Emergency: There is a possibility of code being deposited on vulnerable machines". So did Symantec do as they say "If the situation is critical or an emergency, we pick the phone up and say to the customer 'You could be under attack,'" or did they rather phone Sony/BMG to work out an arrangement?
Who else has such deals with Symantec? Who else is authorised to exploit vulns and get away with it?
Maybe it takes more than a cold war bunker to hide their dirty secrets ...
For what it's worth, the most recent version of both SAV (Symantec AV) and NAV (Norton AV) detected the Sony rootkit. If you go back to some of the first articles on the topic, one of the ways this particular rootkit was "discovered" was via Symantec Response, who then issued an advisory.
To quote the article: "If anyone gets past that, there's one last line of defense to deal with. 'That's when I appear with a baseball bat,' said Gordon May, Symantec's facilities manager."
Anyone who knows anything about British culture will find this comment hilarious.
1. Banks of monitors for news TV channels worldwide.
2. Security news wire on Google Groups for e-mail based news.
3. Political radio phone-in discussion listened to at times of breaking news.
4. Two computers: one for visiting sites, the other for software development and web development, with a server facing the internet for honey potting.
5. Key word user name accounts on corporate I.M to honey the latest I.M phishing and virii threat.
6. Key word user name accounts on corporate E-mail to honey the latest Mail phishing and virii threat.
7. Connections to IRC, internet forums, mailing lists and interpersonal friending of suspected malicious users.
8. Connections to individual employees connected with big corporate web sites to feed back infos between each other.
9. A general internet presence under the "n3td3v" alias to let the internet and security community know of current feeling on news sites.
10. Propaganda mailings sent to corporations with recommendations of vulnerabilities and exploit and incident found to be current on the vendor's network and/or software.
Is this really practical or just for show?
So your point is . . . ? ? ?
(hint...it's about FIREARMS!!!)
I think I giggled for 10 minutes.