With their visibility into enterprise networks, service providers are natural partners to design, implement and deliver corporate security. That, at least, is the consensus among many operators that are leveraging their investment in virtualization, software-defined networks and automation to offer managed security services to organizations large and small.
Verizon, AT&T, Deutsche Telekom, Colt and other large service providers are taking a holistic view of security, using their many assets and years of experience across multiple verticals to weave security throughout their networks, then pass that expertise to customers. AT&T uses a platform approach, integrating different vendors' products into a combined cloud-based best-of-breed solution that prevents coverage gaps, says Jason Porter, vice president of security solutions at AT&T.
Porter sat down recently with the New IP Agency's Alison Diana to discuss the operator's security platform, approach and the positive impact virtualization is having on CSPs and their customers. Read on for the interview, edited for space.
New IP Agency: How would you describe the security market today?
Protecting the Network
James Porter of AT&T discusses the service provider's security platform.
Jason Porter: A lot of times businesses are moving to an external model and asking others to help them out. As new entrants -- new companies, maybe a corporation in their vertical got breached or maybe they, themselves, got breached or their neighbor, someone on the block got breached and they heard about it -- now there seems to be a lot more collaboration and stories told so they don't have to go through the same learning curve and there's a lot more interest to start with a partner model to allow them to take advantage of the partner model right out of the gate.
New IP Agency: So what is AT&T doing to support that model?
JP: We're doing well, maybe because we've invested a lot over the last couple of years on building platforms. If you go at this alone, the first thing you do is walk around on the RSA Conference floor, the Black Hat floor, and you'll see there are a number of threat companies, there are a number of mobile security companies, there are a number of firewall companies -- there are all these different things, but none of them work together. If you're going, as chief security officer, and think you've got to be more secure, every one of those things represents an area you have to protect.
Let's say you've never gotten any mobile security, but now you realize 30% of attacks originate on endpoints and so you're sitting there thinking, "Oh my gosh, that's a gap in what I'm protecting but if I get that, it's just one more system that I have to look into and my [Security Operations Center] SOC is already looking into four different types of firewalls, two different kinds of threat companies and none of that is interwoven." So what we've done is focus on this platform. We've got one platform and all of our security controls feed into that -- whether it's a firewall, mobile endpoint or data loss protection -- any control we put in place since a couple of years ago, we made an architectural decision as part of our DOMAIN 2.0 to always leverage the central threat platform, so all the data is in one place. That allows us to do advanced data correlation so our data scientists can look at how things are interacting from the endpoint to the network to the firewall and get to a centralized model for correlated threats. We've made it much more efficient. Instead of our SOC having to look at all of that, we have big data analytics and machine learning that are really correlating all that data and helping us get to known, verified threats and then our analysts can either take action or automate action to push the policy change.
New IP Agency: Where does virtualization fit in?
JP: We've also got our virtualization platform that allows us to put security controls anywhere, but most importantly when we identify a threat we create a new policy to protect against that threat. The way we built our platform is once we create that policy it now goes to all the different firewalls, it goes to the mobile threat protection, it goes to all of that, whereas before we had to log on to all those systems independently and deploy -- which took days and weeks depending on the size of the organization -- which meant they were vulnerable for a longer period of time. So now we've automated all of that so we're more efficient so we can take on and help out more customers.
They have a bag of parts but nothing tells them a unified story, and there's no vendor out there -- from a technology perspective -- that can do everything, right? You've got specialists in threats, specialists in mobile endpoints, specialists in IoT, specialists are everywhere. And so that's what I see moving us to and I believe other managed security providers will start moving that way in this platform approach, with high automation and high integration between all of the controls and the threat platform.
New IP Agency: Why are service providers better situated than, say, IT-based solution providers or integrators, to provide security services?
JP: The number one thing is we can see what others can't. Let's take somebody like a systems integrator or somebody like that, they don't own the network. They can't see. They have a big blind spot. They can put a castle wall around a data center, but they can't see the bad guys as they're approaching that castle wall. Their first line of defense is that castle wall. Whereas, by owning the network as well as the castle, we can see end to end, we can see interactions from the devices through the network into the castle, if you will, to see what are they doing? If you equate it to an airport, we can see everything from where they're gathering in their homes and garages and meeting places to their trip to the airport, and then we can also secure the network, whereas the others -- if you get into an SI -- a lot of times they can only see the airport, like the TSA checkpoint at the airport.
Security doesn't work that way. It's not just one spot. It's defense in depth that you need to apply, so more visibility is more opportunity to identify and stop the adversary, and the better positioned you are. That's what's driving, I think, a lot of growth in our space. It resonates with customers. They want that ability to stop. An SI is not going to have a DDoS solution. We have a DDoS solution. We have 130 petabytes of traffic going across our network every day and can pull that information into our threat center for analysis. Most of our enterprise customers want that data. They value that additional data point. Our small business customers get that we can protect them; if their neighbors are getting attacked we can take the learnings from them and apply them to the next customer.
New IP Agency: How does the size of a customer affect its relationship with security?
JP: We have a bunch of different models. Small-business customers in general want something like email security or web security or firewall. They're probably not going to have a whole security tool bag and are not going to have a CISO, so they want something very automated and something that gets them to gain the benefit of the best of support. We see point solutions going in those areas. If you go into the mid-market, we see them largely externalizing what they're doing. They might have limited or no security operations team. They want their teams to focus on operations. They right away move to an external security situation and really ask AT&T to be their SOC, do everything, and they can have very robust and complex security architectures, but for the most part they're asking us to run their operations.
Then we get to very high-end... and you get to areas where the customer is looking for help partnering on very innovative ideas like our mobile threat defense or our IoT solutions, where we've gone out with our foundries, done all our research, identified the best technologies and integrated them into our platform. They want to leverage the learnings and benefits from what we've been able to do. I see a lot of sharing of ideas there, because some of the things they're doing we incorporate and some of the things we're doing, they incorporate. That is a very small group. In that small group there is a lot of collaboration and sharing. We built our threat platform to share data so some of those well-armed customers -- when I built that for those reasons, I was doing it so we could pool data, but I quickly discovered they want to push data. We're better together than doing it separately.
New IP Agency: Where do service level agreements fit in today's security landscape?
JP: SLAs come up often. In the industry at this point, not many people are willing to put SLAs behind attacks themselves. There are SLAs behind time to respond and time to update but there aren't any SLAs behind the ability to prevent you from being attacked. I think there's going to be a push to go that way, but I think the market's going to have to evolve significantly before we can actually get there.
New IP Agency: What is one area of future focus for service providers in security?
JP: It's really to maximize this platform approach and continue to build and establish those platforms. There's going to be constant new technology and new attack types, but if we can leverage these platforms well everything we build just incorporates into that and makes everything very flexible and agile. The industry as a whole is now getting to a point where efficiency is becoming one of the prime drivers. We can't keep throwing technology and people at problems. We have to get good and efficient at new technology we deploy, how we deploy it and how we operate it. So that's really the primary driver for us.
— Alison Diana, Editor, The New IP Agency. Follow her on Twitter @alisoncdiana or @The_New_IP.