Service providers and their customers have new weapons in the escalating cybersecurity battle: software-defined networks (SDN) and machine learning.
They need them. Only 10% of US companies did not suffer at least one malware-related incident in the past 12 months, according to AT&T Cybersecurity Insights: The CEO's Guide to Navigating the Threat Landscape, a newly released report by AT&T. In that timeframe, 63% faced at least one ransomware incident and almost 80% suffered a threat caused by an insider, the report says.
Organizations are, of course, fighting back with more sophisticated tools and methodologies. In addition to firewalls for cloud and on-premise environments, new mobile security solutions and social engineering training, service providers use their knowledge of scalability, reliability and networks to leverage virtualization and SDN to extend enterprise safeguards. SDN empowers CSPs to combat bad actors in real or near real time, says Mo Katibeh, senior vice president of Advanced Solutions at AT&T Inc. (NYSE: T)
Speaking to the New IP Agency from the two-day AT&T Cybersecurity Conference in Manhattan earlier this week, Katibeh discussed the CSP's security offerings, the security benefits of SDN and the expanding impact of machine learning on safeguarding enterprise networks and data. Following are excerpts from the interview, edited for space.
Alison Diana: AT&T has shared a lot of information about cybersecurity over the past two days and in its new reports. What are the main takeaways for enterprises and other CSPs?
Mo Katibeh: I would say there's one key point and three takeaways. The key point of the entire Insights report is that more than 90% of attacks logged by AT&T are known attacks or their variants. So even though zero-day attacks get a lot of coverage and press, at the end of the day the vast majority of attacks against businesses in the United States can be protected against using technologies that are readily available.
Obviously we then need to distill that down into three key takeaways. The first one is every business should engage in risk and vulnerability assessments, right? Know what your assets are, know where your vulnerabilities are, what you need to protect -- they are kind of the table stakes in building a comprehensive cybersecurity plan. Then, since the vast majority of attacks are something that can be protected against, at a minimum stay focused on the basic protect-and-respond defenses required to help protect against those known threats. Trusted partners can help with those tools, whether it's DDoS, whether it's firewalls, whether it's endpoint protection, both mobile and fixed; there are very good tools out there that can help you detect and respond and protect your business. There's a third one there; put it under the umbrella term 'awareness,' because employees are a vital part of any protection schema for a business. You can have really great tools in place, but you absolutely have to educate your employees and make sure they are part of your firewall. Make sure that, as part of your plan, you have a governance structure in place that, on an ongoing basis, has a cadence around updating your policies, upgrading firmware for the things you have deployed, and making sure you have regular scans of all the IP-enabled devices in your ecosystem. People are always deploying new things -- make sure you're aware of them and that they're detected.
AD: How would you describe corporate awareness of the need for security solutions?
MK: There has clearly been a massive increase in awareness at the business and executive level of the risks that cybersecurity brings. Quite frankly, if I were given one simple term, over the last 12 months I'd say we've seen the mainstreaming of cyber threats, where it's become a really key part of every executive's thought process on "How am I going to manage this? How am I going to defend against it?" And the report is full of, frankly, amazing, mind-blowing stats on how that mainstreaming has occurred. So, as an example, 90% of US organizations have reported they had a malware or virus attack in the past 12 months. You can't have that stat without a broad awareness of the challenge facing businesses today. We logged a six-fold spike in ransomware and information-stealing Trojans over literally a two-month period in 2016, and if you look at ransomware, the FBI is estimating this form of extortion is on track to become a $1-billion business, a $1-billion crime, in 2016. This all speaks to how cybersecurity, cybercrime, has become a mainstream part of the business ecosystem, and thus I think there's absolutely an awareness at the executive level, I think at the general level, of the challenges the businesses are facing today.
AD: Do you find security is more embedded from the start today versus being tacked on?
MK: As we get engaged with new business customers, i.e., people who have not used our security services before, we find multiple flavors. You might have a brand new startup, and so they're thinking of security from Day One. They want to bring in a trusted partner to help them design: "What security apparatus should I put in place, whether it's virtual or physical, to help improve my security posture?" By the way, this could be a very small, one- or two-person company, but they're doing something with intellectual property and they want to make sure they put a strong security posture in place that will help them from Day One. You'll have other customers of all sizes that may have been around for years or decades, and they historically built a security practice, but they're looking for someone to come in and help them take over that security practice as a managed service. We're happy to become their managed security partner and help them manage their firewalls, the configurations, the protection and their ecosystem, and help them evolve that to a stronger, more layered approach to security. And the third example we see on a fairly regular basis is companies that may have bought security point solutions -- maybe they bought a mobile solution for their endpoint devices, maybe they bought a firewall for on-premise -- and they started moving workloads into the cloud, and they're thinking about how they can do that in a secure manner, how they can protect that in the cloud, and be aware of what they're putting in the cloud.
AD: How have virtualization and SDN changed security?
MK: The first thing I'll say is, relative to customers and their workloads right now, some recent stats I can tell you are that over 80% of business customers are now using multiple clouds to store data, we're seeing over 50% of customers using a mix of private and public clouds, and a little bit more than a third of enterprise workloads have now moved into the cloud. So when you talk about virtualization and how that impacts external security, if you will, then there is a clear movement of workloads into the cloud that all businesses are embracing, and we don't see that stopping. Quite frankly, that is only going to grow over time. So as those workloads go into the cloud, they need to be protected. If you're going to protect cloud-based workloads, you're going to want to make sure you've got cloud-based security helping to protect those workloads.
AD: How is AT&T addressing this?
MK: We've built some really amazing, cloud-based defenses within AT&T called Astra, and we're going to be using that technology that we've used ourselves to protect our business customers who wish to subscribe to those services, and we use virtual firewalls in the cloud. We also have a product that we call FlexWare -- from a FlexWare perspective, we've already announced a number of different security virtual firewalls that will be part of that FlexWare ecosystem and will reside at the customer premise level. Virtual firewalls are absolutely the future of security, both on the premise level, on the network level, as well as within the cloud. And the benefit that those virtual firewalls bring, above and beyond the fact they're built to protect workloads that are already virtualized and sitting in a cloud environment, is that we can leverage our Threat Intellect platform, which is the brains behind the AT&T security ecosystem (it's the platform we built ourselves). Into that platform we ingest data on the things that are traversing our networks -- so every single day we have over 118 petabytes of things that are traversing our networks -- and we're analyzing that to identify these threat signatures to protect our customers. We're also putting into the platform third-party signatures that come from best-of-breed partners, and we're very fortunate to be one of the few companies that has access to governmental signatures, which we also put into our Threat Intellect platform. Currently we're putting in about 2 million new threat signatures every single month; that's how quickly the threat landscape is evolving. We're able to use that platform, essentially along with advanced analytics -- identifying new threats -- to protect our customers from attacks that are happening on their businesses.
We're evolving that platform using machine learning toward a capability we call Automated Threat Response. And Automated Threat Response is the Holy Grail of the software-defined network when it comes to cybersecurity. Automated Threat Response is when we're going to be able to, using machine learning, identify new signatures alongside the signatures already within the Threat Intellect platform and, as we see attacks on our customers, automatically configure their firewalls and their configurations to protect against those attacks in real time, and then, in near real time, be able to pivot and apply those new learnings and those new identifications of new signatures to update the configurations for all customers and protect them from similar attacks. And that will apply both at the cloud level and at the premise level, wherever virtual firewalls are deployed. It's an amazing capability, and it's how software-defined networking and machine learning over this massive, unparalleled data that we have access to at AT&T will be used to better protect all of our customers.
AD: Where are we with advanced analytics, in terms of implementation?
MK: I would tell you the advanced analytics and machine learning are right now. Threat Intellect is our platform. We have that up and running. It's doing what it needs to do. We're applying advanced analytics on top of that right now. Every single day we're getting stronger and smarter in terms of the machine learning and identifying new threats, and I think as you go into 2017, late '17, you're going to see the beginning of the automated threat-response capability.
AD: In addition to machine learning and analytics, what other areas are AT&T exploring, relative to security?
MK: Anything we're going to invest in going forward will tie in to software-defined networking. We want to make sure everything we do is software-based and software-driven. We know it's scalable, it's easier to deploy, it's easier to update, right? So whether it's internal or what we're doing from a security perspective, that's at the heart of our security investment strategy.
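The two-step loop Katibeh describes for Automated Threat Response (block the attacked customer in real time, then push the learned rule to every customer in near real time) is sketched below as an added illustration; it is not AT&T's code, and the signature names, tenant names, flow-record format and RFC 5737 test addresses are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed signature feed: hypothetical names mapped to a pattern over a flow record.
SIGNATURES = {
    "ransomware-c2": re.compile(r"\bdst=203\.0\.113\.7:443\b"),
    "stealer-beacon": re.compile(r"\bdst=198\.51\.100\.9:8080\b"),
}

# Constructed flow records in a simple key=value form (tenant = customer).
FLOWS = [
    "tenant=acme src=10.0.0.5 dst=203.0.113.7:443 bytes=900",
    "tenant=acme src=10.0.0.8 dst=93.184.216.34:443 bytes=12000",
    "tenant=globex src=10.1.0.2 dst=198.51.100.9:8080 bytes=300",
]


@dataclass
class Tenant:
    """One customer's virtual firewall, reduced to its set of deny rules."""
    name: str
    deny_rules: set = field(default_factory=set)


def detect(flow, signatures=SIGNATURES):
    """Return (signature name, deny rule) for each signature the flow matches."""
    dst = re.search(r"\bdst=(\S+)", flow)
    if dst is None:
        return []  # malformed record: nothing to block
    return [(name, f"deny {dst.group(1)}")
            for name, rx in signatures.items() if rx.search(flow)]


def respond(flows, tenants, signatures=SIGNATURES):
    """Real-time step: add deny rules only to the tenant that was attacked.
    Near-real-time step: propagate every newly learned rule to all tenants.
    Returns the set of rules learned in this pass."""
    learned = set()
    for flow in flows:
        tenant = re.search(r"\btenant=(\S+)", flow)
        if tenant is None or tenant.group(1) not in tenants:
            continue
        for _, rule in detect(flow, signatures):
            tenants[tenant.group(1)].deny_rules.add(rule)  # real time
            learned.add(rule)
    for t in tenants.values():                               # near real time
        t.deny_rules |= learned
    return learned


def run_demo():
    tenants = {n: Tenant(n) for n in ("acme", "globex", "initech")}
    return tenants, respond(FLOWS, tenants)
```

In a real deployment the propagation step would sit behind a confidence threshold and a review queue, since a false-positive signature would otherwise be pushed to every customer at once.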
— Alison Diana, Editor, The New IP Agency. Follow her on Twitter @alisoncdiana or @The_New_IP.