Inside Symantec's security bunker

By Tom Espiner, ZDNet UK
29 November 2005 09:23 AM
In one of the rolling hills above Winchester, England, is a decommissioned nuclear bunker that houses Symantec's U.K. Security Operations Center.

The facility, built at enormous cost to British taxpayers at the end of the Cold War in the early 1990s, is now owned by the security company. The popular image of a bunker is a dank, rat-infested hole in the ground, but luckily for Symantec's team, the interior looks surprisingly like any other office.

The facility is home to Symantec's U.K. Managed Security Services team, whose main task is to filter and monitor data fed back from customers' intrusion prevention systems, firewalls and intrusion detection systems.

The Winchester team analyses some 1.5 billion lines of code per day, said Jeff Ogden, Symantec's director of managed security services for Europe, the Middle East and Africa. "We spend our lives gathering and analysing information and intelligence," he said. "This is an enormous amount of information, and we're trying to pull it into a coherent state."

The managed security services team is located in a room glassed off from the main bunker, which has 15 workstations ranged in three rows of five. Four large flat-screen monitors, mounted on the wall, face the workstations. Sky News plays constantly in the background to help the team monitor the geopolitical situations that may affect the info-threat landscape.

Tight security
Access to the bunker is closed--even other Symantec personnel cannot enter the building without prior clearance. Any visits must be announced at least 24 hours in advance. Symantec customers must sign nondisclosure agreements before visiting.

Once inside, all employees must log in at a special workstation and must log out when leaving. Three external cameras have a 360-degree view of the building, and a digital recorder retains 30 days of footage. The bunker runs round the clock, staffed by a minimum of four and a maximum of 15 analysts.

Even the atmosphere inside is highly managed. It is pressurised to 1.5 pounds per square inch greater than outside air pressure, so air is constantly being forced out--handy if someone decides to drop an atomic bomb in the vicinity. In the event of a nuclear attack, the air can be filtered through charcoal, and there are still safeguards in place against a gas attack.

The bunker has features like a security alarm--two strips of black plastic with glowing red insides--that's activated if any unauthorised visitor steps inside the glassed-off internal perimeter, where the analysts work away. Get too close to the alarm and it bleeps and registers an intruder.

If anyone gets past that, there's one last line of defence to deal with. "That's when I appear with a baseball bat," said Gordon May, Symantec's facilities manager.

Globally, there are 120 million desktops and servers using Symantec's products, which all feed back samples of malicious code. The company uses basic agent technology to collect the information, or customers can choose to send in the information manually.

"We deploy a small agent onto the customer collection point--the firewall, or the syslog server. The agent is a small piece of software that collects, compresses, signs and encrypts the data before forwarding it to us," Ogden said.
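The four steps Ogden lists, collect, compress, sign and encrypt, plus the reverse path the SOC has to run, are shown below as an added example. This is not Symantec's agent code: the wire format (nonce, then AES-256-GCM over an Ed25519 signature and the gzipped batch), the key types and the two firewall syslog lines are assumptions constructed for the illustration.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample: two firewall syslog lines as a collection point would hand
// them to the agent (documentation-range addresses, not real customer data).
var SampleSyslog = []byte("<134>Nov 29 09:23:01 fw01 kernel: DROP IN=eth0 SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP DPT=445\n" +
	"<134>Nov 29 09:23:02 fw01 kernel: DROP IN=eth0 SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP DPT=139\n")

// Hypothetical wire format: nonce || AES-256-GCM(ed25519sig || gzip(logdata)).
// The signature covers the compressed batch and rides inside the ciphertext, so an
// eavesdropper learns neither the logs nor which agent sent them, while the SOC can
// attribute the batch to one agent key rather than to anyone holding the shared AES key.

func newGCM(aesKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(aesKey) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Pack is the agent side: compress, sign, encrypt, in the order Ogden lists.
func Pack(logdata []byte, signKey ed25519.PrivateKey, aesKey []byte) ([]byte, error) {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	if _, err := zw.Write(logdata); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	compressed := buf.Bytes()
	sig := ed25519.Sign(signKey, compressed)
	aead, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh nonce per batch; GCM nonce reuse is fatal
		return nil, err
	}
	plaintext := append(append([]byte{}, sig...), compressed...)
	return append(nonce, aead.Seal(nil, nonce, plaintext, nil)...), nil
}

// Unpack is the SOC side: decrypt (GCM also authenticates the ciphertext), verify
// the agent's signature, then decompress. Tampering or a wrong key yields an error.
func Unpack(payload []byte, verifyKey ed25519.PublicKey, aesKey []byte) ([]byte, error) {
	aead, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(payload) < ns+aead.Overhead()+ed25519.SignatureSize {
		return nil, errors.New("payload too short")
	}
	plaintext, err := aead.Open(nil, payload[:ns], payload[ns:], nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt: %w", err)
	}
	sig, compressed := plaintext[:ed25519.SignatureSize], plaintext[ed25519.SignatureSize:]
	if !ed25519.Verify(verifyKey, compressed, sig) {
		return nil, errors.New("agent signature does not verify")
	}
	zr, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	return io.ReadAll(zr)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	aesKey := make([]byte, 32)
	rand.Read(aesKey)
	payload, err := Pack(SampleSyslog, priv, aesKey)
	if err != nil {
		panic(err)
	}
	got, err := Unpack(payload, pub, aesKey)
	fmt.Printf("forwarded %d bytes, SOC recovered %d bytes, err=%v\n", len(payload), len(got), err)
	payload[len(payload)-1] ^= 0x01 // a single flipped ciphertext bit must be rejected
	_, err = Unpack(payload, pub, aesKey)
	fmt.Println("tampered payload:", err)
}
```

The point of keeping a per-agent signing key separate from the encryption key is attribution: if every customer collection point shared only a symmetric key, the SOC could confirm that a batch came from someone holding that key, but not from which firewall, and a compromised collection point could forge batches for any other. Signing the compressed bytes rather than the raw logs means the receiver verifies before it decompresses, so a forged or corrupted batch never reaches the decompressor.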

The data process
Once the data has been collected, it is sent to Symantec where it is analysed and, if there is any danger of attack, a report is speedily sent to the client. "If the situation is critical or an emergency, we pick the phone up and say to the customer 'You could be under attack,'" Ogden said.

All customer information is stored centrally and run through two filters: a "progressive threat model," which decides whether the code is a threat, and an "expert query engine." The expert query engine decides what the threat is targeting, where it's coming from and what the threat is. This code is then analysed by a Symantec engineer and the incident classified according to its threat level:

  • Informational: The client has been scanned by hackers, but no more action is required
  • Warning: The client has been scanned and a vulnerability has been detected by hackers
  • Critical: The client has been scanned, and vulnerable machines are being targeted
  • Emergency: There is a possibility of code being deposited on vulnerable machines

During ZDNet UK's visit to the facility, an attempted distributed denial-of-service attack, launched using a botnet in Romania, was detected.

"We profile the threat by finding out where it's being launched from, who it's being aimed at and what it's trying to achieve," Ogden said.

On a wider network
The Security Operations Center's Winchester facility is part of Symantec's global network of information monitoring stations. Customer data is monitored in five centres. The other four are located in Sydney, Australia; Munich, Germany; Alexandria, Va.; and San Antonio.

The security operations centres work closely with Symantec's seven security response centres, located around the globe in the U.S., Canada, Ireland, Japan and Australia, among other places. Where the primary role of an operations centre is to identify attacks against customers, the response centres work at a higher level and collate information from a wider variety of sources.

Along with monitoring viruses directly detected by customers, Symantec scans 25 percent of global e-mail traffic for malicious code. It has a number of "honeypot" e-mail boxes, which are accounts provided by ISPs. They are not used, so anything that ends up there is usually spam, Trojan horses, viruses or other forms of malicious software.

An attack quarantine system linked to the honeypot network captures such malicious code. "It is a virtual network that simulates servers, and so looks like a real network," said Art Wong, vice president of security response and managed security services at Symantec.

Symantec maintains a list of all the vulnerabilities found across its network, called Bugtraq. Wong said that it's both a clearing house and a database of vulnerabilities. This list is shared with other security vendors to speed up the process of issuing patches.

The threat of botnets
As a leading security vendor, Symantec is well-positioned to identify future threats. Some of the biggest offenders on the radar at the moment are botnets, which are extensive networks of compromised computers controlled by hackers. These botnets are usually used to launch distributed denial-of-service attacks, which effectively flood Web servers or e-mail boxes with traffic.
