Home » Data Protection » Network Security

Case Study

Inside Symantec's Security Operations Center

For Symantec clients, the Symantec Security Operations Center is the front line in the fight against network attacks. CSO toured the facility for an overview of how the services work, and for a look at some of the latest threats on the internet today

By Joan Goodchild, Senior Editor

October 14, 2008 — CSO —

The inside of the Symantec Security Operations Center looks like a scene out of the movie "War Games," and in many ways, the connection is fitting. The SOC, as it is known by Symantec employees, is in the business of detecting and analyzing network threats. And as malicious activity online gets increasingly more sophisticated, the war against cybercrime is definitely on.

The Alexandria, Virginia-based site is one of four SOCs in the Symantec managed security services (MSS) system. Others are in Reading, England; Sydney, Australia; and Chennai, India. All perform identical tasks for clients who pay Symantec for 24-7 monitoring, analysis and response to potential threats to their systems, according to Grant Geyer, vice president of Symantec MSS.

"Our clients are generally large-business customers that need bullet proof security," said Geyer. "A lot of these clients are responsible for huge energy systems, or they are large financial institutions that have a lot of assets at risk. They need real time access to incidents, as well as to analysts, they can work with on threats."

For the price they pay, these clients get immediate attention. The average hold time for a client calling an analyst at the SOC is 8.5 seconds, according to Geyer. And clients also get familiarity. Analysts are separated into teams and are assigned customers so clients know they will speak to the same group of people whenever they call.

Just getting into the room is a process. The SOC is secured by three different zones. Of Symantec's 17,000 employees worldwide, only 200 have access privileges to enter the SOC.

The first zone one must pass through is an average looking security point at a door with a badge reader and a biometrics scanner. But through that door is an area known as the "man trap," a large, circular waiting area with high walls that conjures up images of Dorothy and her crew waiting to be seen by the Wizard of Oz.

"I am the great and powerful Oz! Who are you?!" I expect the Wizard to boom from a place unseen. But quickly I am taken past security zone two and into a glassed in area with an impressive view of the SOC known as the "fishbowl" where we learn more about the SOC and how it works.

"We have experts looking at customer incidents and responding to them, in real time, to notify them about incidents they need to take care of at that moment," explains Geyer. "We receive over 2 billion security incidents on a daily basis."