Telcos Dialing into Managed Security

America’s telcos have a long and storied history in cyber security development. Breakthroughs run the gamut from AT&T’s Bill Cheswick’s 1990 ‘Design of a Secure Internet Gateway’ to recent work by Verizon’s Gaston Ormazabal to develop what is said to be the first ever SIP-based denial-of-service detection and mitigation system for VoIP networks.

Self-preservation is of course the main motivation for the telcos to invest hugely in their laboratories and the research into security. Another impetus is emerging, however, which is that the telcos are leveraging some of their technologies to sell profitable managed security services to large enterprise clients.

It’s no secret that landline usage and revenues are dropping ? for instance AT&T’s first quarter landline revenues were down $1.2 billion to $8.7bn from the year ago period. Consequently the telcos are looking for growth elsewhere.

Managed network and IT services is big business and its subset, managed security services, is a relatively small but nevertheless a sweet spot.

Research company IDC believe the managed security service provider (MSSP) market will grow to $2.8b in 2012, at a compounded annual growth rate of 17.2%.

Although revenues from security services are not large, actually being able to provide those services is very important for the credibility of telcos and network providers, according to Amy Larsen DeCarlo, a principal analyst covering managed IT services at Current Analysis.

“Security is becoming a key differentiator for delivering any type of managed service for a provider. Every provider now is offering security as a product. It enhances their credibility and is essential to helping them sell other very profitable services,” she says.

At Verizon Business, CJ Spallitta, executive director of security product management, agrees that its security services offerings help differentiate the company, but they also provide another important role by increasing profit margins.

“We have seen margin pressure in the traditional network business of late, but where we can add on the security value-add, that’s when we can earn some of that margin back,” he says.

Leaders and Followers

In research company Gartner’s recent analysis of MSSP competitors targeting large US enterprises, Verizon Business and archrival AT&T are among the leaders. The research company designates BT Global Services, Orange Business Services, Sprint and Bell as challengers or niche players.

The first (and probably still the best) example of AT&T’s ability to leverage a technology it developed for its telephone business for a different application is its Daytona database management technology.

Daytona was originally developed to analyze every phone call made on the AT&T network, which were captured in the company’s Hawkeye database from about 2001. Its applications were subsequently expanded to manage Aurora, which was a network security database unveiled in 2005 to store internet traffic data.

Being able to leverage the system that had been developed by AT&T Labs was incredibly important for AT&T’s network security team, says Michael Singer, a 19-year veteran who is now executive director, security technology at AT&T. The company claims to have assembled the world’s largest security team of 1400, not counting the scientists working at AT&T Labs.

Having Daytona “made it so much easier for us to monitor billions of events a day. We were really struggling to use commercial off-the-shelf stuff,” he said.

AT&T has invested heavily to give it visibility into the 17 petabytes of traffic that courses through the internet on an average business day. In addition to volumetrics, says Singer, its Labs team has also developed some very specific algorithms to detect security hazards such as worms and botnets.

Analyzing Internet Traffic for Customers

From its expertise in monitoring, AT&T came up with its Internet Protect service, which offers information regarding potential near real-time intrusions and attacks that are occurring. The information provided uses AT&T’s analysis of information from its IP backbone, alongside essential security information such as top ten vulnerabilities, recent patch releases and other ‘need-to-know’ security facts.

The analysis is provided by AT&T’s 24/7 Tier One analyst team, which operates out of New Jersey. AT&T decided to turn the analysis into a business when it realized it was not a good idea to keep the information it was gleaning on security threats from its customers.

Those customers, according to Singer, responded by asking for more detailed analysis which led to the launch of the Private Intranet Service, which is designed to analyze traffic on a customer’s VPN to detect intrusions, cyber attacks, and other anomalies. Not only does Private Intranet Protect offer alerting and notification of outside threats, it also identifies and analyzes threats within the business’s AT&T Enhanced Virtual Private Network or AT&T Virtual Private Network using Managed Router Services.

Singer says it is advantageous in proposals to clients to say that it has technologies that have been built over time and work well. It then becomes possible to say: “We can do it the same way for you…share our learning, share our tools, our algorithms and our 24/7 analysts as well to have them go to work for you.”

Over at Verizon, probably the best example of a transition of a technology from internal use to external sales is its denial of service (DoS) defense detection and mitigation offering.

In the normal course of business, Verizon collected information about the vast amounts of traffic on its network; where that traffic was going, and what protocols were being used.

“We developed ways to detect abnormal traffic, if you will,” said Mark Wittry, director of network security delivery. The group then figured out that “the products that we had in our labs to help protect our infrastructure could be used to protect customers as well. That’s how our DoS detection and mitigation product came about. It’s a classic example.”

Mitigating Denial of Service

DoS mitigation services intercept and redirect malicious traffic to mitigation centers housed within Verizon's IP backbone. Traffic is quickly rerouted before it can compromise a customer's network. Via a Verizon portal, customers can review and analyze statistics and metrics related to a mitigated attack.

In another example, Verizon used its Sheriff anti-fraud system to beef up a security event management solution it was offering to a customer with a third party. Verizon found that a major vendor it was partnering with had what Wittry said was “a great collection engine and a great presentation engine, but processing the amount of data on the scale that we would use as a provider didn’t cut it.”

Verizon brought in Sheriff to better process security events so that the system can keep up. “We took something that we developed internally and brought it to bear to make our security products that much better,” he added.

All players in the MSSP are figuring that the recession will not negatively impact their growth, and may even provide a stimulus for new business. AT&T’s Singer said that there is more interest than ever in the MSSP scenario because there is pressure to reduce costs. Even if companies would like to have their own teams doing these functions, they might decide they can’t afford it.

Verizon and AT&T believe that because they can leverage information from their own networks, added to their research spending, they are uniquely positioned to develop and offer the most comprehensive security product portfolios. Gartner believes both companies are worth looking at for big enterprises.