AT&T's Jason Porter on Leveraging Big Data Analytics to Bolster Cybersecurity

As hackers and bad actors find new ways to threaten network security, service providers face the constant challenge of developing new security tools that can both anticipate future threats and quickly mitigate existing ones.

Telco Transformation recently spoke with Jason Porter, Security Solutions vice president for AT&T Inc. (NYSE: T), about the changing face of security threats and two tools AT&T is using to protect its customers' sensitive data and networks -- AT&T Cloud Web Security and AT&T Threat Manager Log Analysis.

In part one of a two-part Q&A, Porter explains how AT&T Threat Manager Log Analysis utilizes big data analytics to identify and mitigate new security threats. Stay tuned for part two of this Q&A where Porter addresses AT&T Cloud Web Security, including a use case study on how AT&T Cloud Web Security and Threat Manager Log Analysis were used to protect sensitive data for the non-profit Community Based Care (CBC) of Central Florida.

Telco Transformation: What is the AT&T Threat Manager Log Analysis and what does this program do?

Jason Porter: Basically, what we did internally was realize that we needed to change the game of cybersecurity; we could no longer continue to throw analysts and people at cybersecurity -- we needed to move at machine-speed instead of human-speed in order to keep up with the volume of attacks and the changing behavior of attacks and attack types.

What we did was build a threat platform, so it's a dupe-based big data architecture. Over the last several years, we've been moving all our data to that big data platform. Let me describe that -- if we put a control, like a firewall or cloud-web security, or even our network services like VPNs, agents on cellphones and laptops, any of those control mechanisms -- their logs and their data comes back to this threat platform for analysis where our data scientists write math or algorithms to try and define and pick through all the data and discover anomalies so that we can then react to those threats.

If I try to simplify that, basically what we're looking for in that threat platform is changes in behavior. Let's say we see a bunch of login attempts that are failing and we see that on the firewall logs, but then we see that might be abnormal, but is that enough to really drive your attention and say, "We've got something really bad here!"? Maybe not, so then you add to it a change in net flow data, like a new IP address that is sending all of these failed log attempts, and it's an IP address that you've never seen before and then you get abnormal DNS behavior as well. All of that we can then correlate and then get to a high-confidence threat that we need to take action on.

So that is Threat Manager -- Threat Manager is that core, big data architecture and a portal that allows our customers to see everything that that big data architecture is doing to identify and respond to those threats for them.

We're in an exciting place right now because the Threat Manager has been able to identify a number of threats that have never been seen before, even beating some of the largest, most dependable or most market-leveraged threat data, so like anomalies and threat streams. We found new zero-day attacks 19 days before they publish them -- those kinds of things. So it's really working well and we're very excited about the opportunity of combining local area network with wide area network and a bunch of different log types to find new threats rapidly.

TT: How is big data analytics leveraged in Threat Manager?

JP: It's a lot of what Threat Manager is -- big data analytics. You put all of this data into a big data environment and my viewpoint and our philosophy at AT&T is look at it with as many different lenses as possible.

We want to leverage our data scientists as well as best-in-breed algorithms across the marketplace; that's why we built it on an open stack model so we could pull in other people's math, other data scientists in the industry that are also looking for unique things -- like maybe it's a specific behavioral algorithm or it's tied to a specific attack type like a specific APT [advanced persistent threat] that they're looking for. So you're able to really use this big data to identify trends that didn't exist before because when these were all unique points of data -- like if you were just looking at the firewall -- you wouldn't have put together that this threat originated from a credential theft on a device. So we want to look at it end-to-end and create linkages that make us believe that this is for sure a threat that we need to respond to.

— Kelsey Kusterer Ziser, Senior Editor, Light Reading