One-Stop Cop

So it's little wonder why managed-hosting services are ready to take off, and providers, including Cupertino, Calif.-based Symantec, have begun to broaden their offerings and make it easier for VARs to resell their services. I recently visited one of Symantec's six security operations centers, in a bunker not far from downtown Washington, D.C. No, Dick Cheney was nowhere to be found, but the place looked like a cross between the war-room sets of Men In Black and Wag the Dog.

Fancy digs aside, managed hosting makes sense, especially in these days of IT staff cutbacks and reduced overall in-house skillsets. Script kiddies and open-source toolkits have made it easier to launch an attack over the Internet. All you need is a lot of time and not much in the way of skill. The outsourced hosting vendor maintains the critical infrastructure of a corporate network, including firewalls, routers, and key application servers and services, and monitors its health 24/7.

Symantec says that managed-hosting services is its fastest-growing sector, responsible for 10 percent of its overall revenue last year. It has more than 2,000 devices under management with more than 500 clients, generating millions of daily alerts and terabytes of data that its analysts and automated routines process. On average, one of its customers gets 30 attacks a week. Most of these, according to the company, represent reconnaissance activities, such as probing the network for specific vulnerabilities in network services, rather than actual break-ins.

Symantec's center is filled with consoles and large projection screens, including a spinning globe that shows the number of attacks by country in the past 24 hours. On the day I was there, South Korea had the most attacks per capita of computer users. Beside the screens were pod-like workstations for a series of serious-looking analysts, each with a built-in swivel, dentist-type chair and dual phones and displays. From these, the analysts examine individual threats and communicate with their customers about attacks in progress and what they observe on their customers' networks. These analysts are key to the entire managed-hosting operation; you are basically buying their skillsets and abilities to track hackers and attempted break-ins.

Observing patterns of attack can also help to spot trends and formulate defensive plans. "Within 10 minutes that the SQL Slammer [virus] was launched, we had identified over 9,000 events relating to it," says Grant Geyer, senior director of Symantec's Managed Security Services, and my tour guide at the center. "This enables us to do all sorts of visualization of the attacks and predict where it is going and how we can protect our clients." The company has developed "peak activity" charts that show when hackers are most active by their country of origin. Contrary to popular opinion, most attacks occur during the business day.

Predicting hacker behavior is more art than science, but Symantec makes use of free and inexpensive tools such as Sam Spade, along with its own custom-built routines that the company got when it acquired Riptech Technologies last year.

"You would be surprised at how many hackers launch their attacks time and again from the same IP address," Geyer says. "We can flag that IP address in our database and track its history to better serve our customers."