AT&T's Chief Security Information Officer Ed Amoroso recently spoke with Network World senior editors Denise Pappalardo and Ellen Messmer about his job heading up security for one of the largest telecom companies in the world, as well as the topics of patch management, intrusion-prevention systems and worm attacks.
What are your job responsibilities?
In just about every Fortune 1000 company there is somebody, somewhere worried about infrastructure security, hackers, or about laptops that aren't patched properly. That's a job function that typically falls to the chief security information officer [CSIO]. I have a fairly sizable team that works on all of the above. There are four divisions, each with about 100 people and a different set of responsibilities.
What are some key issues your team addresses?
Because our business is networking, the infrastructure we protect is pretty large. We have a lot of IP networking, circuit switching, Layer 2 frame relay, managed services and outsourcing that all comprise the infrastructure that we need to protect. When a router vendor puts out a patch some users might say, 'Well, we don't have to worry about that one.' We rarely have that experience. Every problem, every issue, every patch, they all have to be attended to.
Are you also responsible for development of AT&T's security service offerings?
That's the second piece, cybersecurity, and it's embedded in our world. The concept of providing security services and integrating them and bundling them with the telecom, managed and professional services we offer is pretty obvious. It's a very nice sort of integration because in some sense I wear the cap of not just providing the service, but I'm also a pretty typical buyer. I can tell in 3 seconds whether something that we're considering or proposing is worth bothering with because I know darn well if it's going to help reduce the burden on my budget or if it's going to help me sleep better at night. Sometimes I watch service announcements come out and I say, 'Gosh, what must they be thinking?'
Can you give us an example?
They are not always product announcements. One idea that we saw was the idea that when a spam comes out, you spam the spammer. That's a notion that has come out of universities for a long time.
Our feeling is we have to stop spam. We need to clean up the network. That's something we would look at and say, 'Wait a minute, what if my systems are hacked and I'm spamming, are you saying you're going to chuck spam back at me?' That's an example of something any CSIO would look at in 1 second and say, 'Ugh, I hate that.'
Which patch management system do you use?
We use many. We can certainly reduce our expenses by having one tool in our infrastructure. But we tend to like to have a couple or a few in the security business because we have customers using many. When I'm engaging with a customer I prefer having experience with whatever tool they are using than to say I didn't pick that one.
Do you see any alternatives to traditional patch management?
First off, as a software engineer with a PhD in computer science, as a software engineering professor, I have been in and around software my whole life. For the record, software should be correct. Let's not lose sight of the fact that patching means we're fixing somebody's bugs. So we should preface everything by saying that that is an untenable situation... I'm encouraged by Microsoft's Trusted Computing Initiative. They are headed in the right direction.
What's your view on IPSs?
We actually sit with a 24-7 ops team in our Global Network Operations Center where we collect data for our threat management system, Aurora. Aurora is essentially a huge database that collects firewall and IPS logs, net flows from our routers, information from our honeypots and all sorts of different networks in and around AT&T. We sit 24-7 taking actions on alerts coming in, and many of the alerts show a source IP that appears to be scanning. My team gets in touch with that individual, because we have a look-up tool and know exactly what it is. A lot of times it's not something that we want to take off the network.
IPS automates the whole thing and takes you off the network. I'm not willing to go there just yet because I don't trust the accuracy of IPS picking up the condition properly. Maybe some businesses can stand that, but a lot can't. I do know CSIOs are running intrusion prevention in certain cases, but the vast overwhelming majority are testing it or they are running the IPS in passive mode.
Where does the responsibility and liability lie when you have a customer that didn't patch their Web server? Who is responsible?
It all comes down to the contract. We have different categories: low-rent, medium-rent and high-rent districts that range from basic colocation to fully managed Web hosting services. If someone in the cage next door is getting pounded that should not affect you. We go to great lengths to make sure we are carefully monitoring and load balancing so if someone is getting hit pretty good it doesn't take the whole LAN down. And that's easy to do with [virtual] LANs and rate limiting.
Speaking of attacks, we haven't seen much in terms of a big worm attack in a while.
We haven't seen a worm attack in a while, but let me give you advice. Never, ever, ever confuse a quiet period with improved security. The fact we haven't seen one is completely irrelevant. It's not that everyone has gotten better. Worms are very simple to write. It's just no one has written one, that's why we haven't seen it.