'Doomsday nerds' defend cyberspace
Going underground: a visit to Symantec's operation centre
From the outside it looks like a home for a Hobbit or two, but inside security analysts are monitoring banks of screens feeding alerts from hundreds of corporate networks. Welcome to Symantec's European centre of operations, housed in a former nuclear shelter in rural Hampshire.
The site - near Winchester, Hampshire on land formerly used as a reservoir by Southern Water - was chosen for its inherent physical security. Built as a nuclear shelter in the Cold War, the bunker was designed to supply 30 local utilities workers with food, clean air and water for up to 60 days. This group of pre-selected workers were hand-picked to reconnect vital water, gas and electricity supplies across the south of post-apocalypse England.
The sole entrance to the building is via an eight-inch thick steel frame and concrete infill door in the side of a hill. Large blast valves designed to allow a nuclear blast wave to pass through the building can still be seen alongside the entrance. The walls are around 50cm thick and made from reinforced concrete. The concrete on the roof is 2.5 metres thick, reinforced with steel.
The Cold War ended, and the site was taken off the Government's nuclear facility register in 1991. After a spell as a remote alarm monitoring facility (with customers include the Ministry of Defence, gold centres and the Royal family) it became a managed PKI (Public Key Infrastructure) centre, before Symantec took over the bunker in March 2002 and used it to deliver managed security services.
How I learned to stop worrying and love botnets
What is it with anti-virus companies and former nuclear facilities? Kasperky's Moscow HQ is in a building where scientists used to design nuclear weapon's guidance systems. Symantec has gone one step further is hosting a facility in a former nuclear bunker. Is there some kind of "Doomsday nerd" or Dr Strangelove complex going on? We should be told!
Nigel Beighton, Symantec's director of enterprise strategy, EMEA, took our demand in good spirit. Although Symantec wouldn't have built the facility itself it amply suited its purposes, helping it meet stringent security features and standards such as BS7799 that its clients expect, he said. These include redundant, independently routed 54Mbps data pipes, redundant mains power plus a back-up generator as well as an array of physical security features.
Three remote cameras scan the external perimeter. A fourth is trained on the entrance to scan everyone entering and leaving the facility. An access control system guards all areas and rooms in the facility. Its building manager is an affable former submariner who spent 25 years in the Royal Navy and obviously enjoys life under the surface.
The bunker can only be reached up a narrow, single-track lane which sometimes becomes snowed up in the winter. Most of the locals are unaware of its true purpose. Its location on the side of a hill and vents make it look like the home of the Tellytubbies to a casual observer. Symantec staffers tell us that young couples sometimes park in its car park on summer's night unaware that they can be observed from underground from the facility's hidden cameras.
All across the world
The facility - one of four run by Symantec around the world (the others are in Australia, Japan and Alexandria near Washington DC, USA) that provide a 24x7 service to clients - is at the front line of an ongoing war in cyberspace.
The main room in the bunker is the workplace at any one time of six security analysts (or Watchers as Symantec calls them), each of whom works a 12-hour shift, each in front of two screens, who sit in rows akin to scientists watching a space mission launch.
On a facing wall are three large screen monitors: one features a giant map of the world, which lights up intermittently and displays information on net attacks; another features a chart of security reports and the third supplies a news feed from the BBC. A smaller screen shows a CCTV image of the bunker's car park.
The analysts are experts in making sense of data from intrusion detection sensors and firewall logs to detect the tell-tale patterns that accompany internet attacks, either from malicious code or a directed attack. The idea is that firms can use the service to monitor its most sensitive IT assets and get early warning of possible problems before things get out of hand. Symantec's staff also look out for internal attacks or misuse of company systems to download illicit material.
The facility is staffed around the clock by three shifts. As well as the analysts there are security engineers, security device specialists, and support staff bringing a shift complement up to between 12 and 16. Contrary to the conspiracy theories there was no room harbouring virus writers. We checked just to make sure.
Economies of scale
Symantec's experts can either offer advice (for monitoring service clients) or take remedial actions themselves if client elects to outsource more security and network management functions. Firms trying to do this all by themselves would have problems interpreting a deluge of security alert data generated by networked devices. Managed-security firms such as Symantec also have the advantage of a global view that lets them detect patterns and correlate attacks to avoid false positives.
Symantec's software collates data from multiple sources - the European centre looks after 5,000 monitoring devices from an unspecified number of clients - and presents it to analysts. Matching assaults against prior attacks help to pick out suspicious traffic and alert patterns most worthy of closer examination, perhaps 300 events a day on a typical day. This work is separate from the job of virus analysis and dismantling hostile code that takes place, for example, in Symantec's Dublin anti-virus research centre.
Two years ago computer worms such as Nimda and Blaster were the number one security menace but "worms have dropped off the radar" to be replaced by more targeted attacks, driven by some profit motive, Symantec's Beighton says. Cyberspace can be a dangerous place, whichever way you slice it. The global arms race between crackers, fraudsters, spammers and virus writers on network defenders shows no sign of cooling off. So it looks like Symantec's staffers have the closest thing to a job for life that the IT industry provides. ®