Everything done from his view is source-IP correlated. In other words, he is reviewing which websites are talking to his clients systems and determining if there is malicious activity. Customers register all of their net blocks, so analysts have a sense where traffic is going to or coming from.
Williams points to one incident he is keeping an eye on.
"This is part of our bot-net command and control detection," he explained. "We only see one signature trigger, and only 13 logs. But there is one distinct destination IP address and it's only going across one device. There isn't a lot of data. But based on our work with our Deep Site partners, we know this is an IP address that is doing something malicious. They provide us with a list of suspicious IP addresses."
Whether the incident is a worm infection or other problem still needs to be determined. But Williams said it is ranked as critical level, and the client will be called immediately.
"The idea is if it is malicious, we want to get it to them in real time so they can start remediation immediately. We will wake you up in middle of night and say: "You might want to take a look at this now."
All of this information is stored in the third security zone, the locked server room. The data from the SOCs, as well as the Deep Site network and the security response labs is used to compile a bi-annual report on the internet threat landscape, which is evolving daily, said Geyer.
"If you looked back five years ago, you see on average about 6,000 to 9,000 new variants of malware in each report. But in the past 18 months, the increase is just staggering. It really just shows us how easy it is to write it, and also that there is true financial gain to it. Malware is proving to be good business model for people in the underground economy."
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.