Symantec's Sydney SOC surge sounds suspiciously so-so

But security vendors need to generate buzz somehow, and that's the problem.

Symantec's so-what launch of a minor facilities upgrade in Sydney illustrates a key problem facing all information security vendors. How do you convince the pointy-haired bosses to go for your company's tender when it's almost impossible to reveal any meaningful comparisons with the competitors?

Symantec were so eager for media coverage of their expanded Managed Security Services (MSS) operation in Sydney this week that they offered to pay for interstate-based journalists' flights and cab fares.

"This local investment story is sure to have significant consequences for the Australian market and up into the rest of Asia. It will also give you a unique chance to have a behind the scenes look at Symantec's Security Operations Centre," enthused one PR email.

But as CSO Online reported yesterday, the total investment was $1 million. That doesn't go far when it's being spent on both "infrastructure and resources", the latter presumably being what we used to refer to as "people".

Symantec won't say exactly what that million was spent on, but they're claiming a 40 per cent increase in the SOC's capacity. Measured somehow.

Well, if that million were all spent on "resources", which it wasn't, it would pay for about eight staff.

Symantec's Sydney SOC operates seven days a week during daylight hours as part of the company's follow-the-sun strategy, where two of their SOCs are online at any one time. So we're talking four more bodies per shift, plus a supervisor.

Since the SOC we toured now has eleven desks in it, this all sounds about right.

But let's put this in context.

Symantec's revenue in 2011 was US$6.19 billion. This new expenditure is 0.016 per cent of revenue. That's not even a rounding error, let alone significant.

Eight more bodies in Sydney when Symantec's Australia and New Zealand staffing is around 650? Will anyone even notice?

And consider the changing infosec landscape.

Even if Symantec's customer base stayed exactly the same, they'd still need a significant expansion of their facilities.

More devices per customer employee, because they have a smartphone and a tablet in addition to their computer. More log lines per device, because higher-speed devices and internet links mean more network events to log. And more and more complex malware means more analyst time to understand what's going on.

A 40 per cent increase in SOC and analyst capacity might well be needed to cope with the organic growth in traffic from Symantec's existing customer base, let alone represent "significant consequences for the Australian market and up into the rest of Asia".

Look, it was nice to catch up with everyone at Symantec for a coffee, as well as fellow journalists. We got to see an ops room that looked exactly like every other ops room on the planet: a few rows of desks with big dual monitors, plus a six-pack of big screens on the end wall. Staff wearing Symantec-branded shirts and trying to look busy with their PowerPoint presentations, because you'd be a fool to put real security information on screen while the media was present. And it was good to meet a new Symantec executive.

But this isn't news.

Nor did we get any news when we were, eventually, at the very end of the media tour, given the chance to talk to the real security engineers and analysts staffing the SOC.

Journalists asked questions. Staffers responded with generic, bland statements. And every time they seemed likely to respond with some interesting, concrete information they were shut down by a sales or PR person. "I'll take that question." Yawn.

Symantec couldn't even answer what I thought was a straightforward question from another journalist: What does this newly-expanded SOC allow you to do that you couldn't do before?


I don't want to give Symantec a hard time. Everyone plays this game.

I did slam Symantec last year for their Norton Cybercrime Report. But while this year's report was also criticised, it's a significant improvement. Better methodology all round. Given the dearth of proper research into online crime, Symantec should be praised for lifting their game. Well done, Symantec.

But every infosec vendor has a sophisticated comprehensive resilient end-to-end 360-degree world-class meat-lover's combo deluxe intelligence-based offering to face the challenges of the complex and evolving threat landscape. Why should we pick yours? The logo? The shirts?

Contact Stilgherrian at or follow him on Twitter at @stilgherrian
