Windstream's Pham: Cybersecurity Is About Trade-Offs

Artificial intelligence for cybersecurity is currently not financially viable as it consumes tremendous amounts of storage and computing power, according to Trent Pham, head of security at Windstream.

Cybersecurity defenses involve trade-offs. The more sophisticated methods are expensive for the human and network resources costs. The least expensive way to battle threats is to prevent them at every level with testing, network risk mitigation services and blocking them at the gateways.

In this Q&A, Pham spoke to Telco Transformation about how Windstream's emerging virtualized network is building cybersecurity defenses. (See Windstream's Brown Discusses Virtualization Game Plan.)

Telco Transformation: The virtualization of networks, their increasingly distributed nature, the mass use of open software, and their governance by centralized SDN controls exposes them to large-scale cybersecurity attacks. What kind of new methods are you deploying to keep them in check?

Trent Phan: Regarding security implications of open software, the code is visible publicly, and a much larger contributing community readily scrutinizes it in contrast to what is available at a single enterprise with closed software. As a result, open software is often considered more secure than closed software.

As for SDN, its “attack surface” is small because it centralizes logical control. It is simpler to implement security controls to ensure SDN network integrity. The exposed surface is protected by locking it away with borders that separate its arena from the rest of the traffic.

Much of our SDN, network virtualization and cloud technologies are still in early development, but I can say that there are many new methods we are employing that can help to mitigate security risks. Because of the distributed nature of cloud technologies and microservices, it is necessary for us to create an automated integration and delivery pipeline from the point where we receive the code from developers. This automation includes rigorous testing, and that testing should incorporate the validation of security controls.

TT: New forms of cybersecurity threats have emerged such as zero-day exploits and botnets, the former is very elusive, and the latter operates at massive scales. How have you adapted to these new threats?

TP: Threats today are constantly evolving and as a service provider we offer Internet connectivity that exposes our customers to these threats. We are planning to protect customers from zero-day exploits by taking recourse with sandboxing, in real-time, when a payload is impacted and the activity looks suspicious. Additionally, we enable malware protection and intrusion prevention system on our managed network security service. The technology used regularly updates its signatures based on the vendor lab's discovery of new exploits.

As for botnets, they are a growing concern and are commonly used in spamming or phishing, but within the last seven years have been increasingly used to launch distributed denial of service attacks. Botnets have been commercialized into services whereby you can rent one to perform an attack on your behalf. The ease of launching a DDoS attack has led to the increase in frequency of attacks including size. Windstream just launched a DDoS Mitigation service to protect customers from this type of threat.

TT: How are you upgrading your threat intelligence systems and threat detection methods in the context of increasing sophistication of the methods your adversaries are using? Their methods include AI that they are using to destroy the AI-enabled defense systems. Is there even a method to stop them?

TP: Decision systems were the beginnings of a class of computer systems that took in data, found correlations in it and facilitated decision-making. This model has transitioned over to the security space beginning with intrusion detection systems that parsed log feeds to find a threat. Intrusion detection systems had limited capabilities as they could ingest only log data and they could not monitor more than a single network.

Cyber surveillance evolved with the rise of security incident event managers (SIEM) with recourse to big data. A SIEM can ingest all types of logs, events, proprietary system alerts, etc. As a result, it has become possible to find patterns that uncover security risks. SIEM still needs programming, that instructs the system that if it sees "this" with "that" to perform a specified "action." Programming capabilities constrain SIEMs and can grow within the horizon of the security analyst's research knowledge of how the system should behave.

Artificial Intelligence takes a step further, and the system can learn based on its experience and can perform actions independently over time. The concept of threat intelligence and threat detection is the foundation of this process. Threat Intelligence promises to ingest all traffic data coming from the Internet to create a heat map of the risks that exist. Threat detection is achieved by comparing the customer's network log information with the heat map of risks. It is a powerful concept but takes a tremendous amount of computing power and storage. At this point in time, we do not see it as an economically feasible method to use along with other security software. As the costs decline and more vendors incorporate AI into their cybersecurity solutions, we will take advantage of it.

TT: While virtualized networks have a greater exposure to cyber threats they also have advantages such as the ease of collection of data from sensors or from the flow of packets end-to-end in the network. How do you leverage the tools available to virtualized networks to combat cyber threats?

TP: Our development of cloud-based networks is still early in development, as is our development of stream processing and machine learning, but there is some evidence to support this notion. Sensors, stream ingestion, machine learning, and control that is closer to the edge of the network should allow for early detection of security threats at the perimeter. If this information is then sent to more centralized stream processing and analytics, we should be able to correlate it with other edge network data to develop an end-to-end view of security threats, while still benefitting from separation of concerns at the edge.

TT: How does the hosting of cybersecurity software on your clouds help to deter cybersecurity threats?

TP: Windstream's approach to much of our security involves implementation of security capabilities into the network that includes managed network security and DDOS mitigation services. The advantages of doing so are many and include ease of service activation, no hardware or software is required of the customer and the detection and protection is closest to the threat. Having the security control closest to its entry point into Windstream's network also means the threat is kept furthest away from the customer's network.

— Kishore Jethanandani, Contributing Writer, Telco Transformation