Threat Intellect, which went live a couple of weeks ago and got its formal launch yesterday, is the nerve center behind AT&T’s machine learning-based threat intelligence system. It’s been in use internally at AT&T for a year, but its design goes back to the beginning of the Domain 2.0 strategy.
“This threat platform was really put at the center of that strategy,” says Jason Porter, AT&T’s vice president of security solutions. “Everything we put in the network feeds this platform. Every router, every switch, every firewall, every server. It all feeds to this threat platform.”
At its core, the platform is an analytics and machine learning program. It watches everything happening in the network and decides whether unusual activity is worth flagging. The machine learning part means that Threat Intellect keeps refining its model of what activity is normal, rather than relying on a fixed set of rules.
The result, AT&T says, is pervasive security monitoring and a drastically reduced response time when problems occur. The company claims it can sift through 5 billion events, roughly the number all of its managed security customers generate in a day, combined, in 10 minutes.
Most of that happens behind the scenes; managed-security customers probably won’t even be aware of it. The visible part of Threat Intellect is a browser-based log analysis service, a security dashboard that AT&T hopes will show customers how little visibility they had into their own networks before Threat Intellect came along.
Rise of Machine Learning
Big data analytics and machine learning are becoming familiar themes in network security. Defending the perimeter is necessary, but breaches inevitably happen, so enterprises have to guard the interior of the network as well.
One way to do that is to watch literally everything happening in the network, storing the information in one big repository. Only recently has that approach become practical, thanks partly to the rise of big data technologies that can analyze this mass of data.
Performance monitoring is another area that’s becoming enamored with this idea of watching everything. Startup Jolata is using a big data approach to monitor traffic, and Cisco recently launched Tetration, a rack-sized system for recording everything the network does.
In security, startups such as Vectra tout continuous monitoring of the network (the more common alternative is to sample the traffic intermittently). The difference is that Vectra is offering a product that customers deploy on their own networks, whereas AT&T’s Threat Intellect is a service. All of AT&T’s managed-security customers are being migrated to it, and it’s also possible for customers to use APIs to tap the platform’s data.
Even if other companies use similar approaches, AT&T thinks its size is an advantage.
The problem with watching everything the network does is that you’d get a lot of false positives. A traffic spike might indicate someone’s breached the network and is sucking down data — or, it might be a normal surge that happens on certain Mondays. Learning the difference takes time and experience.
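The Monday-surge false positive described above, as an added example that is not AT&T's code (this page says nothing about how Threat Intellect actually models traffic): a flat volume threshold is compared with a baseline learned per weekday and hour from four weeks of constructed hourly byte counters for one host. The flat threshold flags the weekly batch job every time; the seasonal baseline lets it pass and still flags an unexplained 03:00 transfer. All counter values, timestamps and thresholds are constructed for the example.

```python
"""Seasonal-baseline anomaly detection over constructed traffic counters.

Added example, not AT&T code. A flat threshold on event volume produces the
false positive the text describes (a recurring Monday surge); a baseline keyed
on (weekday, hour) learns that the surge is normal for that slot while a spike
in an otherwise quiet slot is still flagged. Sample data is constructed inline.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed history: units transferred per hour by one host over 4 weeks.
# Roughly 1,000 units/hour, except every Monday at 09:00 a legitimate batch
# job (say, a weekly backup) pushes about 8,000 units.
START = datetime(2016, 6, 6)  # a Monday; assumed start of the sample period


def build_history(weeks=4):
    """Return [(timestamp, volume), ...] for every hour of the period."""
    history = []
    for hour_index in range(weeks * 7 * 24):
        ts = START + timedelta(hours=hour_index)
        volume = 1000 + (hour_index * 37) % 100  # deterministic jitter
        if ts.weekday() == 0 and ts.hour == 9:
            volume = 8000 + (hour_index * 13) % 200  # weekly batch job
        history.append((ts, volume))
    return history


# Constructed observations for the following week: the batch job runs again
# on Monday 09:00, and something unexplained moves bulk data on Wednesday 03:00.
HISTORY = build_history()
NEW_WEEK = [
    (START + timedelta(weeks=4, hours=9), 8100),           # Mon 09:00, expected
    (START + timedelta(weeks=4, days=2, hours=3), 6000),   # Wed 03:00, unexpected
]


def flat_threshold(history, factor=3.0):
    """Naive detector: one global threshold, factor x the mean hourly volume."""
    return factor * mean(v for _, v in history)


def flat_alerts(threshold, observations):
    """Flag every observation above the global threshold."""
    return [ts for ts, v in observations if v > threshold]


def seasonal_baseline(history):
    """Learn (mean, stddev) per (weekday, hour) slot: 'normal' for that slot."""
    slots = defaultdict(list)
    for ts, v in history:
        slots[(ts.weekday(), ts.hour)].append(v)
    return {slot: (mean(vals), pstdev(vals)) for slot, vals in slots.items()}


def seasonal_alerts(baseline, observations, z=4.0, min_sigma=50.0):
    """Flag observations that deviate from their own slot's learned baseline.

    min_sigma keeps a near-constant slot from alerting on trivial jitter, and
    a slot with no history at all is flagged because nothing says it's normal.
    """
    alerts = []
    for ts, v in observations:
        stats = baseline.get((ts.weekday(), ts.hour))
        if stats is None:
            alerts.append(ts)
            continue
        mu, sigma = stats
        if abs(v - mu) > z * max(sigma, min_sigma):
            alerts.append(ts)
    return alerts


def compare_detectors():
    """Run both detectors on the new week; return ISO timestamps they flag."""
    flat = flat_alerts(flat_threshold(HISTORY), NEW_WEEK)
    seasonal = seasonal_alerts(seasonal_baseline(HISTORY), NEW_WEEK)
    return {
        "flat": [ts.isoformat() for ts in flat],
        "seasonal": [ts.isoformat() for ts in seasonal],
    }


if __name__ == "__main__":
    # The flat detector also re-flags all four historical Monday batch runs.
    print("flat alerts in history:", len(flat_alerts(flat_threshold(HISTORY), HISTORY)))
    for name, flagged in compare_detectors().items():
        print(f"{name:8s} -> {flagged}")
```

The seasonal detector is the minimal version of "learning what normal looks like": with only four weeks of history it already separates the scheduled surge from the odd one, and every additional week tightens the per-slot estimate, which is the sense in which more history (and, as AT&T argues next, more network) gives the model more to learn from.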
AT&T’s argument is that having a larger network gives the machine learning algorithms more to learn from. “Part of the power of this is that we see 117 petabytes of traffic every day,” Porter says. (Whether more data visibility truly means better security intelligence is a debate that’s been going on for a while, one enterprise IT executive points out.)
AT&T also thinks it has a leg up because Threat Intellect was developed by a combination of big data and security experts. Other approaches just throw big data tools at the network, Porter says.
“Companies like Splunk try to adapt to security, but it’s a general big data platform, and you have to put these modules in to make it adapt to security,” Porter says. “What we started with, ground-up, is a security-focused threat platform. So the way we store our data allows us to detect threats faster, and the way we analyze the data is with security in mind.”
Strapped for Staffing
Customers for Threat Intellect fit into two broad categories.
First, it’s a tool for small and midsized businesses that have already outsourced their network security to AT&T. These companies have minimal budget for hiring security experts (assuming they can find any) and have been overwhelmed by numbers — too many threats to consider, too many places in the network to protect, and too many products to choose from, Porter says.
But Threat Intellect also serves the huge enterprises — banks, especially. These companies have their own security operations and even their own security platforms, but they can expand their knowledge by tapping into AT&T’s repository.
“They have really talented people, but they have all the data of one bank,” Porter says. “What they want is the data from our network,” assembled from the activity of thousands of banks, he says.
Photo: Porter (left) and Alex Cherones, AT&T’s director of security solutions.