The realization that something better could be done for security came to Edward Amoroso while tackling AT&T’s own security issues across its telecommunication network. Amoroso, who acts as AT&T’s chief information security officer, remembers how AT&T was able to detect the Slammer worm and protect its network well before it began to bring down other networks and servers across the Internet.
“We saw several early versions of (Slammer) before it started to hit everyone else,” Amoroso said. “The worm actually hit some three weeks before it made a big impact, but it fizzled.”
From that, Amoroso began to re-think how security has traditionally been done for the last decade. Today, companies take on the burden of trying to protect networks and systems by deploying firewalls, antivirus and other security systems on the outer edges of their networks in order to stop potential threats reaching critical systems. The problem is that this approach has become a hugely expensive operation for many companies, becoming for some the largest single expense in the operating budget.
Amoroso argues that since AT&T already monitors network traffic and has put into place a wide range of security processes and solutions to protect that network, why not extend those services to companies? Instead of making the carriers and telecommunications providers nothing more than dumb pipelines, carriers of data traffic only, why not make the network intelligently tackle security problems before those problems can reach a customer’s system? Simply put, security would become a service that companies would purchase or pay a fee for instead of taking the security costs and management onto themselves.
“Instead of using my intrusion detection systems, my firewalls on the edge to see what is going on, maybe we should recognize network management of the core is a better way of doing things,” Amoroso adds. “One can monitor the network to see any suspicious activity and tackle (that activity) before it reaches other systems, that is, the customer’s networks.” As an example, Amoroso said that on any given day, AT&T gets some 2.8 million messages coming to it, of which some 2.1 million are spam. AT&T deployed a set of network-based antispam and antivirus systems that would take that traffic and “scrub” it to remove the unwanted material.
“If throughout the core I’m routing your e-mail through a system that is plucking off the spam traffic, now that is my problem not yours,” Amoroso said. “I’ll give you the access to all the protection and firewalls and I’ll worry about technology refreshes or who is trying to leapfrog over systems to get to you. I do that anyway.”
Mark Fernandes, senior manager of the security services group with Deloitte in Toronto, said AT&T’s proposed security model will appeal to some companies, especially in this time of cost cutting and tightening budgets. However, he does say that companies need to keep certain things in mind when considering this route.
One is that companies must make sure a security service provider has the same level of threat and reporting compliance as the company. Companies will need to negotiate the compliance levels from the beginning in order to prevent any misalignment. At the same time, companies will have to keep in mind that not all risks are known and not everything can be prepared for beforehand.
“Some risks cannot be realized until they happen and it is hard to address every possible risk as this industry changes every hour,” Fernandes adds.
The biggest hurdle for AT&T may be getting companies to accept this new model of security. For over a decade, the model has been that security is something companies handle, and there is now a $100-million a year security solutions industry supplying solutions to companies whose livelihoods depend on that model. Still, Amoroso said the shift will start to happen.
“What if I told you 10 years from now you’d have on the roof of every building in Canada air warning defense systems, guys with howitzers, military field glasses and night vision goggles protecting you because missiles might be coming,” he continues. “You might ask what happened to the military. Companies like AT&T have been told by the marketplace that people don’t value intelligence in the network and that people can do everything themselves. We say enough is enough.”