Photos: Waging war on the web's bad guys

Inside Symantec's security operations centre
By Nick Heath, Contributor

Symantec's security operations centre analyses more than one billion logs per day, as part of a global network monitoring attacks on computer networks for 650 customers.

And the centre faces a growing threat, with a 140 per cent increase in the amount of malware being deployed online over the past six months.

Today the 24/7 centre deals with more than 3,200 security incidents and sees 10 security incidents escalated every day.

Alan Osborne, senior manager of global technical operations for Symantec managed security services, said: "We are seeing more escalated security events now. There are a reasonable number of severe security incidents.

"If it's a critical security event then we will ring the client whatever time it is day or night, we will get them out of bed if necessary."

Photo credit: Nick Heath

Symantec has four security operations centres worldwide in India, the UK and the US. The UK headquarters, seen here, is based in Reading.

The security operations centre is part of the Symantec Global Intelligence Network.

The centres protect and monitor more than 7,000 devices for 650 customers against everything from viruses to data theft.

Data for the intelligence network floods in from more than 40,000 registered sensors and two million probes in more than 180 countries.

Symantec also has about two million active email accounts that it uses to collect and analyse spam, and a "honey pot network" of vulnerable websites to entice hacking and examine techniques.

Photo credit: Nick Heath

The centre immediately flags up attacks on its customers' systems, alerting the company to methods such as port scanning, or attempts to get through the firewall and intrusion detection system.

Software filters out false positives from the one billion-plus logs that generate the huge amount of data seen on the screen here, leaving Symantec's 30-strong team of security experts at the Reading centre to deal with the most serious attacks.

Attacks are escalated when they reach a certain threshold or dangerous signatures are detected.

The centre also has a regularly updated list of the IP addresses of the servers that command botnets, allowing it to spot attempts to connect to systems by botnet command servers.

Photo credit: Nick Heath

Commenting on the level of security in different industry sectors, Jim Hart, manager with Symantec managed security services, said security is usually tightest within the financial sector, due mainly to the amount of regulation the sector faces. Businesses in retail and other sectors, however, tend to have more holes in their systems.

Hart said a growing challenge was the rise of "polymorphic viruses" that can dynamically change their signatures to avoid detection by security packages.

He said this was why Symantec was focusing on developing "heuristic" systems that detect viruses through their behaviour on the machine rather than their signatures.

Photo credit: Nick Heath
