Inside Symantec's security bunker

In one of the rolling hills above Winchester, England, is a decommissioned nuclear bunker that houses Symantec's U.K. Security Operations Center.

The facility, built at enormous cost to British taxpayers at the end of the Cold War in the early 1990s, is now owned by the security company. The popular image of a bunker is a dank, rat-infested hole in the ground, but luckily for Symantec's team, the interior looks surprisingly like any other office.

The facility is home to Symantec's U.K. Managed Security Services team, whose main task is to filter and monitor data fed back from customers' intrusion prevention systems, firewalls and intrusion detection systems.

The Winchester team analyzes some 1.5 billion lines of code per day, said Jeff Ogden, Symantec's director of managed security services for Europe, the Middle East and Africa. "We spend our lives gathering and analyzing information and intelligence," he said. "This is an enormous amount of information, and we're trying to pull it into a coherent state."

The managed security services team is located in a room glassed off from the main bunker, which has 15 workstations ranged in three rows of five. Four large flat-screen monitors, mounted on the wall, face the workstations. Sky News plays constantly in the background to help the team monitor the geopolitical situations that may affect the info-threat landscape.

Tight security
Access to the bunker is closed--even other Symantec personnel cannot enter the building without prior clearance. Any visits must be announced at least 24 hours in advance. Symantec customers must sign nondisclosure agreements before visiting.

Once inside, all employees must log in at a special workstation and must log out when leaving. Three external cameras have a 360-degree view of the building. A digital recorder keeps 30 days of backup. The bunker runs round the clock, staffed by a minimum of four and a maximum of 15 analysts.

Even the atmosphere inside is highly managed. It is pressurized to 1.5 pounds per square inch greater than outside air pressure, so air is constantly being forced out--handy if someone decides to drop an atomic bomb in the vicinity. In the event of a nuclear attack, the air can be filtered through charcoal, and there are still safeguards in place against a gas attack.

The bunker has features like a security alarm--two strips of black plastic with glowing red insides--that's activated if any unauthorized visitor steps inside the glassed-off internal perimeter, where the analysts work away. Get too close to the alarm and it bleeps and registers an intruder.

If anyone gets past that, there's one last line of defense to deal with. "That's when I appear with a baseball bat," said Gordon May, Symantec's facilities manager.

Globally, there are 120 million desktops and servers using Symantec's products, which all feed back samples of malicious code. The company uses basic agent technology to collect the information, or customers can choose to send in the information manually.

"We deploy a small agent onto the customer collection point--the firewall, or the syslog server. The agent is a small piece of software that collects, compresses, signs and encrypts the data before forwarding it to us," Ogden said.

The data process
Once the data has been collected, it is sent to Symantec where it is analyzed and, if there is any danger of attack, a report is speedily sent to the client. "If the situation is critical or an emergency, we pick the phone up and say to the customer 'You could be under attack,'" Ogden said.

All customer information is stored centrally and run through two filters: a "progressive threat model," which decides whether the code is a threat, and an "expert query engine." The expert query engine decides what the threat is targeting, where it's coming from and what the threat is. This code is then analyzed by a Symantec engineer and the incident classified according to its threat level:

• Informational: The client has been scanned by hackers, but no more action is required

• Warning: The client has been scanned and a vulnerability has been detected by hackers

• Critical: The client has been scanned, and vulnerable machines are being targeted

• Emergency: There is a possibility of code being deposited on vulnerable machines

During ZDNet UK's visit to the facility, an attempted distributed denial-of-service attack, launched using a botnet in Romania, was detected.

[BlueLaser]

So why the nuke bunker?

I understand that digital security is a very serious issue and that some security threats can affect lives...but a nuclear bunker?

Is this really practical or just for show?

My Guess...

My guess is that they got a good deal for the facility from the British government. Governments often sell land, equipment or even decomissioned bunkers at below market values to reduce inventories they are not using.

[GrandpaN1947]

Newbies will see

this bunker story and think they are doing a great job. Personally, in the past I've found their software to be a pretty interface but largely ineffective. Perhaps they need a bunker so newbies will think they have it together, kind of like feeling safer with AOL :-)

[My-Self]

And they still could not detect the Sony Rootkit ...

That paranoia level seems designed to floor executives without real knowledge about computer security and it certainly works for that use.

One thing I'm still wondering is, how comes Symantec (and all others) could not detect the Sony Rootkit while it was reportedly infecting around 500000 machines and had done so for months.

The article defines emergency as "Emergency: There is a possibility of code being deposited on vulnerable machines". So did Symantec do as they say "If the situation is critical or an emergency, we pick the phone up and say to the customer 'You could be under attack,'" or did they rather phone Sony/BMG to work out an arrangement ?

Who else have such deals with Symantec ? Who else is authorised to exploit vulns and get away with it ?

Maybe it takes more than a cold war bunker to hide their dirty secrets ...

[The Harper]

But, they did detect it!

For what it's worth, the most recent version of both SAV (Symantec AV) and NAV (Norton AV) detected the Sony rootkit. If you go back to some of the first articles on the topic, one of the ways this particular rootkit was "discovered" was via Symantec Response, who then issued an advisory.

So your point is . . . ? ? ?

[Yog Sothoth]

Funny British quirk escapes in this article

to quote the article:
"If anyone gets past that, there's one last line of defense to deal with. "That's when I appear with a baseball bat," said Gordon May, Symantec's facilities manager."

Anyone who knows anything about British culture will find this comment hilarious.

(hint...it's about FIREARMS!!!)

I think I giggled for 10 minutes.

[n3td3v]

What I have

1. Banks of monitors for news tv channels world wide
2. Security news wire on Google Groups for e-mail based news.
3. Political radio phone-in discussion listened to at times of breaking news.
4. Two computers. one for visiting sites , other for software development and web development, with server facing the internet for honey potting.
5. Key word user name accounts on corporate I.M to honey the latest I.M phishing and virii threat.
6. Key word user name accounts on corporate E-mail to honey the latest Mail phishing and virii threat.
7. Connections to IRC, internet forums, mailing lists and interpersonal friending of suspected malicious users.
8. Connections to indivudal employees connected with big corporate web sites to feed back infos between each other.
9. A general internet presence under the "n3td3v" alias to let the internet and security community know of current feeling on news sites.
10. Propaganda mailings sent to corporations with recommendations of vulnerabilities and exploit and incident found to be current on the vendor's network and/ or software.