AT&T developing early warning tool

[InfoSec News <isn () c4i org>]

http://www.nwfusion.com/news/2003/0929att.html

By Carolyn Duffy Marsan
Network World
09/29/03

AT&T Labs is developing a new kind of traffic analysis tool - dubbed
Internet Protect - that is designed to provide corporate customers
with earlier indications of network attacks.

Although Internet Protect is being kept under wraps, AT&T confirmed
that it is conducting an early test of this tool with several large
corporations. With Internet Protect, AT&T has set up a special Web
portal to provide a steady stream of information about anything out of
the ordinary that AT&T's network operators see, particularly on the
Internet.

"Worms don't always fire off and work perfectly. We see all the test
attempts. We see the fizzled versions of stuff in advance,'' says Ed
Amoroso, chief information security officer at AT&T. "We're trying to
change the nature of our relationship with customers so when we see .  
. . indicators of something that fizzled, we tell everybody.''

AT&T officials would not say when Internet Protect will be
commercially available or whether it would be offered under the
Internet Protect brand. But they did say it would be complementary to
intrusion-detection systems.

"We're trying to take this internal technology and extend it to CIOs
in the enterprise . . . . It's a technology that's very promising,"  
Amoroso says.

Internet Protect is part of a larger initiative across AT&T Labs to
improve the security and reliability of AT&T's increasingly IP-based
network infrastructure.

"Network attacks are clearly on the rise,'' says Hossein Eslambolchi,
AT&T CTO, CIO and president of AT&T Labs in a recent conference call
with the media. "We have seen more attacks in the last six months than
we've seen in the last 10 years.''

Eslambolchi says security is one of six strategic areas of research
for AT&T Labs.

"We are looking at innovations'' related to network-based security,
Eslambolchi says. "We need a lot better ways to do forensic analysis
of viruses and worms.''

As an example, Eslambolchi points to the MS-SQL Slammer worm, which
was reported on the Internet in January. AT&T saw anomalies in its
network three to four weeks before that worm hit and was able to take
certain precautions. "When the worm actually happened, AT&T's network
did not take a hit,'' Eslambolchi said.

Amoroso says the rise in network attacks AT&T is seeing can be
attributed to the growing number of vulnerabilities in commercial
operating systems and applications that can be exploited easily by
writing worms.

"Network security has become a process of hunting down the latest and
greatest information on vulnerabilities and trying to patch like crazy
to beat the worms,'' Amoroso says.

With Internet Protect, AT&T will use internally developed traffic
analysis tools to look for anomalies such as traffic spikes, traffic
drop-offs and unusual protocols in use.

"We do [traffic analysis] better than anybody,'' Amoroso says. "By
traffic analysis, I mean pulling information from the network such as
statistics and routing information. . . . It turns out that building
security tools around traffic analysis is as good a theme as any.''

Amoroso uses the analogy of highways and truck bombs to explain
Internet Protect.

"As highway people, we say [focus on] delivering all the traffic. . .  
. But that's a bittersweet victory if what we're delivering is the
equivalent of truck bombs,'' he says. "Maybe there's something we
could do on the highway to filter out the truck bombs."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.