TORONTO (01/29/2004) - Brian Dunphy probably hasn't seen every computer security mistake there is to be made under the sun, but those he remembers are doozies.
Dunphy is senior manager of analysis operations at Symantec Corp.'s Managed Security Services (MSS) group, which monitors firewalls and intrusion detection systems (IDS) for enterprise clients.
Dunphy's role affords insight into security snafus. Like the client that insisted its outbound data traffic to a partner -- credit card info -- was encrypted, secure and locked down. It wasn't. The company was duly surprised to learn about the vulnerability, which MSS discovered during routine protection checks.
Or the Fortune 500 client that was incredulous when MSS said one of the company's computers was infected with a worm. The client didn't believe it, arguing that the IP address supposedly attached to the device had nothing to do with them.
But MSS knew full well the address belonged to this firm. "You could tell they just discovered a new part of their network," Dunphy said.
These are the sorts of anecdotes that emit from Symantec's Alexandria, Va. security operations center (SOC), where MSS works. Among the things he's learned here, Dunphy notes a trend: chief information officers and chief security officers view patch management differently. Whereas CSOs see patching as integral to network security, CIOs see it as a network breaker -- untested software destined to test the infrastructure.
"Being able to effectively prioritize is critical" to getting head-butting execs to see eye to eye, Dunphy said. He advocated a ranking system. The enterprise should create a policy dictating what kinds of attacks are most important and which systems are most critical -- which systems need patching immediately.
Stick to the policy, Dunphy said. "Too many times I've seen policy set and not followed through." Maintaining audits might help, he suggested, as well as implementing strict security configuration rules for desktop PCs and laptops.
It's also important to know where systems reside, unlike the unbelieving customer described above. "We have seen clients get it right," Dunphy said, pointing out that the unfortunate Fortune 500 firm is an anomaly.
What of the SOC? It's in a secure building. Hand scanners verify access rights to the analysts' area, where security experts monitor client networks. Like NASA launch control, this space sets up workstations in curved rows around one, large-screened wall, where big video displays show "situational" data, such as the number of queries coming in from MSS customers, and the speed at which firewall and IDS logs are picked up from client-side devices.
One screen displays a spinning globe. Above certain countries, numbers represent rankings in the hacker hierarchy. For instance, today Canada is in second place with 4,570 IP addresses that seem to be on the attack.
From their workstations -- some of which look like futuristic dentists' chairs -- analysts monitor network activity. They have dual-screen Dell Inc. workstations and Cisco Systems Inc. IP phones, although the phones aren't permanent. Dunphy said the SOC is phasing them out, not because they don't work well, but because Symantec uses another phone system and has telephony experts trained therein. The Cisco phones were here when Symantec bought the building.
"There was some resistance" to the move away from the modern Cisco devices, Dunphy said, pointing to a yellowed plastic brick that is the replacement. "I'm not convinced the Ciscos couldn't do it. I'm less convinced we could do it on the Cisco phones."
Tim Hillyard, one of the analysts, explained how he can see where attacks are coming from and which clients are affected. He has a hot list of IP addresses, a rundown of Internet coordinates associated with attacks. He can extrapolate likely outcomes. "A really good attacker would probably scan on Monday...and then we'd see buffer overflow a week later," he said.
Hillyard is no low-level help desk employee. Analysts are paid well (Dunphy wouldn't specify a salary) and they're expected to live up to certain criteria: they must know networking; they need at least four years of experience; no prima donnas; no former hackers, no matter what color of hat they wore. "We absolutely cannot tolerate such a risk," Dunphy said.
Clients pay for MSS, of course, although Dunphy wouldn't talk numbers. "I haven't given out pricing before." However, he did say it depends on the number of devices the enterprise wants monitored, length of contract, as well as whether the client wants the premium or the standard service. The former offers longer log-keeping and greater access to analysts.
MSS works alongside Symantec's security response team, of which Dee Liebenstein is the product manager. This group takes global data and crunches it to provide research, alerts, advisories, security updates, white papers, newsletters and guidelines for clients.
Liebenstein said her crew is focused on speed-of-delivery, getting info and virus definitions out fast. It's important as Internet threats propagate. In 2001, the average week saw 30 software vulnerability announcements from vendors. In 2003, that average had jumped to 60 per week.
To help the enterprise keep up, Symantec created "DeepSight" early-warning solutions, which provide alerts and threat management services. In a February press release, the firm boasted that DeepSight discovered the SQL-seeking Slammer worm "hours before it began rapidly propagating."
The magazine Wired, however, blasted Symantec for withholding the info from the Internet community, "possibly harming millions of Internet users," reads a Feb. 14 article.
Liebenstein saw that story and disagrees. "As soon as we have an indication of what the threat does, we go public with it," she said, adding that Symantec knew something was happening on port 1434, Slammer's door, but didn't have enough info to call it an attack. When the firm confirmed the worm's arrival, Symantec shared the data, she said.
Liebenstein painted a disturbing picture of Internet health. In 2003, 80 per cent of threats have been remote executable -- the attacker need not be nearby to set it off. Windows-targeted attacks increased 123 per cent between 2002 and 2003; peer-to-peer and instant messaging threats increased 400 per cent during the first half of 2003.
All the more reason for Symantec's SOC, where Hillyard and the other watchers probably won't get bored. "It's never the same old thing day to day," Dunphy said.