[ISN] The View From Symantec's Security Central

From: InfoSec News (isnat_private)
Date: Thu Jan 09 2003 - 22:45:50 PST


    By Leslie Walker
    Thursday, January 9, 2003
    An ordinary office building on Route 1 in Alexandria offers a rare
    window into the Internet hacker wars and a few clues to why Uncle Sam
    wants more monitoring capabilities in cyberspace.

    Inside a cavernous room on the first floor there, security analysts
    for Symantec sit in long, curved rows 24 hours a day, working on
    computers and facing a wall of theater-size screens. Information
    displayed on the screens helps them keep tabs on whether any attacks
    are underway at any of the company's more than 600 corporate clients.

    Every five minutes or so, a giant, illuminated globe appears on the
    central screen and starts to rotate, displaying the locations
    worldwide where hackers are launching the most attacks. Symantec uses
    special technology to monitor a huge chunk of the public Internet
    along with the internal nooks and crannies of its clients' private
    networks, looking for telltale signs of computer break-ins.

    Its software constantly compares current hacker activity with a
    database of prior attacks, then displays in red the names of countries
    where an unusual amount of malicious Internet activity is originating
    that day. The rotating globe also displays the number of attempted
    break-ins against Symantec clients over the past 24 hours in the 10
    most active countries.
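    As an added illustration (not Symantec's or Riptech's code), here is a
    small Python sketch of the baseline comparison the article describes:
    today's per-country counts are compared with a constructed history, a
    country goes "red" when it sits far above its own norm, and the top-10
    list for the globe is produced. All counts, thresholds and country codes
    below are constructed for the example.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed history: attempted break-ins per day for the prior week, keyed by
# source country. This stands in for the "database of prior attacks".
BASELINE = {
    "US": [15800, 16200, 15500, 16900, 16100, 15700, 16400],
    "BR": [700, 740, 690, 760, 710, 730, 720],
    "KR": [600, 640, 610, 590, 620, 630, 615],
    "BG": [12, 9, 15, 11, 8, 13, 10],
}

# Constructed events for "today", compressed to (source country, count) pairs.
# "NL" has no history at all, to exercise the never-seen-before case.
TODAY = [("US", 16000), ("BR", 722), ("KR", 620), ("BG", 480), ("NL", 300)]


def daily_counts(events):
    """Aggregate today's events into a per-country Counter."""
    counts = Counter()
    for country, n in events:
        counts[country] += n
    return counts


def flag_anomalous(today, baseline, k=3.0, sigma_floor=5.0):
    """Return {country: z-score} for countries that are unusually active today.

    A country goes red when today's count exceeds its historical mean by more
    than k standard deviations. The floor on sigma stops a country whose
    history is a handful of events (like the constructed BG series) from
    flagging on trivial noise. A country with no history is flagged outright,
    since any activity from it is by definition unusual."""
    red = {}
    for country, count in today.items():
        history = baseline.get(country)
        if not history:
            red[country] = float("inf")
            continue
        mu, sigma = mean(history), max(pstdev(history), sigma_floor)
        z = (count - mu) / sigma
        if z > k:
            red[country] = round(z, 1)
    return red


def top_n(today, n=10):
    """The globe's top-N list: most active source countries first."""
    return today.most_common(n)
```

    With the constructed data, BG and NL come out red while the large,
    steady sources (US, BR, KR) do not, which matches the article's point
    that the interesting signal is deviation from a country's own norm, not
    raw volume.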
    On a recent Friday, the globe showed more than 16,000 attempted
    break-ins originating from the United States, which often ranks as the
    world's top launching pad for computer hackers. Brazil ranked No. 4
    with 722 attacks. South Korea, Japan, Germany and Taiwan also
    frequently appear on Symantec's top 10 list for malicious computer

    Big numbers are par for the course at the Alexandria center, where
    analysts detect more than 15,000 discrete "security events" against
    Symantec's clients every day. About 4,000 are deemed real hacker
    attacks after further analysis, company officials said.

    "You can tell from these statistics that it's the Wild West out there
    on the Internet," said Grant Geyer, who supervises the
    12,000-square-foot facility. "Companies need to do whatever they can
    to protect themselves."

    The four-year-old operation, which includes special monitoring and
    "data mining" technology, was created by a local start-up called
    Riptech. Last year, California-based Symantec paid about $350 million
    to buy Riptech and three other electronic-security firms (Recourse
    Technologies, SecurityFocus and Mountain Wave) that had developed
    proprietary anti-hacker technology. Symantec merged Riptech's
    operations with its own and now has four similar centers -- in
    Britain, Japan, Germany and San Antonio.

    Symantec is known as the maker of the Norton anti-virus software that
    runs on many home computers. But like competitor Network Associates,
    it has been diversifying its security arsenal in an attempt to be at
    the forefront of an emerging industry -- managing cybersecurity on
    behalf of companies and governments. Mid-size companies typically pay
    Symantec $1,000 to $2,000 a month to monitor their networks. The firm
    has big clients, too -- including 55 of the Fortune 500 companies --
    and does work for several federal agencies.

    The managed-security industry is complex and growing fast, especially
    as companies awake to the difficulties of interpreting the deluge of
    data on their computer networks. Not only is it hard to make sense of
    who's doing what on a firm's network, Web sites and wireless devices,
    but almost no company can see what is happening on other computer
    networks. One advantage managed-security firms have is a global view
    that lets them detect patterns.

    The Alexandria facility is a private, miniature version of the kind of
    public Internet-monitoring capability the Bush administration wants
    the federal government to develop to protect the nation's electronic
    infrastructure. The administration is readying for release in a few
    weeks a final draft of its national strategy for bolstering

    Hacking -- unauthorized break-ins on private computers and networks --
    is increasing dramatically as more computers connect to the Internet.
    So, too, is the distribution of computer "viruses" and "worms" that
    travel the globe via images, documents and plain-text e-mail messages.

    Riptech, one of the few companies that monitored global hacking,
    detected a rise in malicious computer traffic during the first half of
    last year amounting to an annual rate of 65 percent.

    One reason for the jump was the explosive growth in the distribution
    of point-and-click hacking tools online. At the same time, more
    critical commercial and government operations are moving online,
    presenting a greater number of tempting targets to cyber-crooks. The
    United States and other countries have passed laws criminalizing
    certain forms of electronic break-ins, but detection and prosecution
    remain a challenge because it's so easy to hide tracks in cyberspace.

    Even in Alexandria, Symantec's job isn't to catch the bad guys, nor to
    report them to law enforcement -- it's to thwart attacks and notify
    companies of problems.

    Natalie Smishko, 25, is typical of the analysts. Sitting in a raised,
    rotating cubicle with built-in computer monitors and its own heat and
    light controls, Smishko pores over logs in an attempt to separate real
    attacks from false positives. Symantec's software automatically
    collates data from multiple sources -- all the software programs and
    hardware devices that companies use to monitor their networks -- and
    presents it in a unified format.

    "In this case, an attack was launched against one of our clients and
    you can see where they scanned our protected network," said Smishko,
    pointing to a list of network locations that allowed her to click on
    any single address to get more details.

    Another view showed her all the computer ports the interloper had
    scanned to see if they were open. Drilling deeper, she could see
    where, if at all, the interloper entered the client's network. If data
    is transmitted, she can see that, too -- and not only when it is moved
    by outsiders. Symantec has caught insiders improperly sending
    pre-merger details and pre-earnings data and has reported those
    findings to the employees' bosses.

    In addition, Smishko can probe Symantec's database history to see if a
    hacker's style of attack -- the reconnaissance probes he runs,
    software he uses, ports he tries to enter and originating Internet
    addresses -- matches prior attacks. Spotting repeat offenders helps
    Symantec anticipate what might come next, as with attacks that
    happened on the financial sector last summer.

    During that time, analysts in Alexandria saw Bulgaria's name suddenly
    go red on their giant globe as the hacking activity originating there
    increased over a three-week period. The analysts determined that
    unidentified cyber-baddies were launching what appeared to be
    coordinated attacks against many of the largest financial institutions
    in the United States, several of which are monitored by Symantec.

    "We immediately gave a whole block of IP addresses [numerical
    addresses of specific machines hooked up to the Internet] to our
    clients and told them to block all traffic originating from those
    addresses," Geyer recalled.

    That doesn't mean the perpetrators were actually in Bulgaria. Serious
    attacks often are launched through "bot-nets," slang for networks of
    robots, typically compromised machines in the homes of unsuspecting PC
    users. Hackers take these computers over from afar and turn them into
    "zombies" that they control remotely and use to launch coordinated

    "It's not unusual for us to see a single home computer launch attacks
    against 200 of our clients on the same day," Geyer said.

    It's anybody's guess, of course, who will win this escalating global
    arms race between hackers and anti-hackers. But it's a sure bet that
    2003 will see plenty of new resources pour into the coffers of
    cybersecurity firms, bulking up the fledgling anti-hacking industry.
    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Fri Jan 10 2003 - 00:49:08 PST