Inside Symantec’s Fishbowl

From the outside, it’s a bland brick building in a bland brick industrial park, one of hundreds that blossomed during Northern Virginia’s continuing technology boom. A small sign admits to its occupation by Symantec, but gives no indication of the digital drama that lies within. None, that is, until you enter the Fishbowl.

The Fishbowl is a glass-enclosed room inside Symantec’s SOC (Security Operations Center). When the curtains are open, you see a room reminiscent of NASA’s mission control center or perhaps the main control room at the North American Air Defense Command. Of course, if you’ve been to either of those places, this room isn’t on the same scale, but it’s impressive nonetheless.

On the wall opposite the Fishbowl is a collection of screens. The largest shows an image of a globe, with each nation flagged to indicate the number of security attacks originating there. As the globe turns (backward, for some reason) it’s sobering to see just how much attack activity there is. For example, why so many attacks from Sweden? Is it because it’s winter there, and there’s nothing else to do?

As impressive as the mission control atmosphere of the 10,000-square-foot SOC may be, the critical work is really going on at the dozens of analyst workstations in the room. These workstations are where the real security management of Symantec’s customer networks happens. The analysts are highly trained in the characteristics of each item being monitored, ranging from anti-virus software to firewalls and intrusion detection systems. Whereas most security companies have people monitoring these items instead of outsourcing this function, Symantec takes it to a whole new level by collecting and centralizing the experiences of multiple sites.

For example, several weeks ago the security analysts were monitoring a customer’s network and noticed a series of intrusion attempts from a single IP address. They flagged this address as a “hot address” and let the customer know it was being attacked. So far, so good.

But a few days later, analysts noticed a single FTP session from a different customer to this same hot IP address. Because that IP address was flagged in the company databases as suspicious, it was immediately clear that the second customer’s security had been penetrated.

That ability to link multiple attacks is something that no individual company could ever do on its own. The single FTP session would have gone unnoticed, while the intruder was quietly insinuating himself or herself into a new enterprise. Instead, the Symantec analysts were able to alert the second customer and help it take corrective action.

Does this mean that you need to hire Symantec and use its managed security services? No. Does it demonstrate that you can outsource security management successfully? Yes, clearly. On the surface, Symantec’s system appears to work very well; how well it works in real life is harder to say. But I plan to find out with a test in the near future. In the meantime, I was indeed impressed with my first look.