Cyber Defense Solution: - AT&T
CDS White Paper
October 2001

Cyber Security Services

The Internet is becoming the preferred way to do business as it provides a flexible, cost effective way to enable eBusiness transactions. eBusiness is helping Government and industry to work more effectively and efficiently by providing broad access to information based assets. By opening their networks to a variety of remote users—such as mobile and telecommuting employees, business partners, resellers, and suppliers—many organizations risk exposing their proprietary and sensitive information. Therefore, Government and industry are calling for better ways to secure their networks and monitor unauthorized access. One way for organizations to ensure only authorized users have access to their networks is to use the near real time customized network monitoring provided by the AT&T Cyber Security Services.

Service Overview

AT&T’s Cyber Security Services platform provides a comprehensive approach to monitoring an enterprise’s computer assets and communications to provide a means of identifying and responding to unauthorized use. Additionally, AT&T offers a proven methodology for event analysis and incident response. The Service can include the AT&T Professional Security Consulting service. This provides a holistic approach to cyber security, including enterprise Network Security Assessment. Also included is identification of appropriate monitoring points and particularly sensitive infrastructure components; integration of both network and component monitoring devices; and integration of these cyber security components into a comprehensive security management infrastructure.

The AT&T Cyber Security Services offer provides continuous monitoring of these components on a 24 x 7 basis. Our trained Security Analysts respond immediately to all alerts based on your security policy. An escalation process for incidents is in place to provide support from AT&T Laboratories Senior Security Analysts when needed.

Device Support

The Cyber Security Services platform architecture is based on the collection, storage and analysis of event data from multiple types of security devices within a network infrastructure and, therefore, does not tie the customer to a specific IDS, firewall or router vendor.

The principal advantage to centrally collecting and storing event data from various security devices is the ability to correlate events between disparate types of security devices. Correlation of security events across IDSs, firewalls and routers can provide:

• The ability to more accurately detect suspicious or anomalous activity based on corroborating events from multiple sources.
• The ability to detect activity that might be masked from an IDS by a firewall or router blocking traffic.
• The ability to detect “slow rolling” attacks which may first show up in router or firewall security events, and then in IDS security events, which in isolation would not trigger a security alert.
• A “complete picture” view of security events that an experienced security analyst can use to identify suspicious activity for which no signatures currently exist.

Rule-Based Processing and Notification

As event data is collected from security devices, the Cyber Security platform analyzes the event data to identify suspicious or anomalous activity. The Cyber Security platform provides a robust set of configurable rules for analyzing event data and generating “alerts” to notify appropriate personnel of potential probes, attacks or attempts to exploit known vulnerabilities.
The event processing rules can generate alerts based on a combination of the following criteria:

• The source and/or the target of network activity (e.g., source or destination IP address, resource type of the target such as a Web server or DNS server)
• The type of network activity (e.g., a probe, attack or attempt to exploit a known vulnerability)
• Frequency of events or types of events received over a given period of time exceeding a given threshold
• Severity of an event received from a security device

The rules can also configure the severity of each alert generated by a rule. For example, ten events targeting a given server within a two-minute window could be configured at a “moderate” severity, while twenty events over the same period could be configured at a “high” severity. Many intrusion detection capabilities do not provide this feature.

Each time an event or group of events is matched by an event processing rule, the Cyber Security platform generates an alert with the severity specified by the event processing rule.

Event Drill-Down and Queries

The Cyber Security platform’s analytical GUI not only provides notification of alerts but also the tools necessary for our security analysts to further investigate the alert. When security personnel are presented with alerts by the GUI, they can “drill down” into those alerts to view the actual events from the security devices that triggered the alert. This allows the analyst to view the source, target, type and timing of the suspicious activity, and to make more informed decisions about response.

Security monitoring is not simply a passive activity where rules are configured once. The analyst must review network activity on an on-going basis to better understand what is “normal” and what is not, adapting the profile as “normal” traffic changes over time.
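The windowed threshold rule from the example above (ten events in two minutes is “moderate”, twenty is “high”) combined with the cross-device correlation described under Device Support, as an added illustration that is not AT&T's code: a small Python correlator run over constructed IDS, firewall and router events. The event record layout, the `make_events` helper and the sample addresses are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data in a simplified event record; neither is AT&T's format.
T0 = datetime(2001, 10, 1, 9, 0, 0)

def make_events(target, device, n, offset_s, step_s, activity="probe"):
    """Build n events against one target from one device type, step_s seconds apart."""
    return [{"ts": T0 + timedelta(seconds=offset_s + i * step_s),
             "device": device, "target": target, "activity": activity}
            for i in range(n)]

SAMPLE_EVENTS = (
    make_events("10.0.0.5", "firewall", 7, 0, 10)     # blocked at the perimeter
    + make_events("10.0.0.5", "ids", 5, 5, 12)        # same target, seen by the IDS
    + make_events("10.0.0.53", "router", 6, 0, 15)    # stays below every threshold
    + make_events("10.0.0.80", "firewall", 22, 0, 4)  # high volume from one device
)

WINDOW = timedelta(minutes=2)
# Highest tier first: the paper's example of 20 -> "high", 10 -> "moderate".
THRESHOLDS = [(20, "high"), (10, "moderate")]

def severity_for(count, thresholds=THRESHOLDS):
    """Map an in-window event count to the first tier it meets, or None."""
    return next((sev for n, sev in thresholds if count >= n), None)

def correlate(events, window=WINDOW, thresholds=THRESHOLDS):
    """Per target, slide a window over time-sorted events and keep the densest hit."""
    by_target = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_target[ev["target"]].append(ev)
    alerts = {}
    for target, evs in by_target.items():
        best = None
        for i, anchor in enumerate(evs):
            # The window opens at this event; events are sorted, so scan forward only.
            in_win = [e for e in evs[i:] if e["ts"] - anchor["ts"] < window]
            sev = severity_for(len(in_win), thresholds)
            if sev and (best is None or len(in_win) > best["count"]):
                devices = sorted({e["device"] for e in in_win})
                best = {"target": target, "count": len(in_win), "severity": sev,
                        "start": anchor["ts"], "devices": devices,
                        # More than one device type saw the activity: corroborated.
                        "corroborated": len(devices) > 1}
        if best:
            alerts[target] = best
    return alerts
```

Note that 10.0.0.5 alerts at “moderate” only because the firewall and IDS events are counted together; neither device alone reaches ten events, which is the corroboration benefit the Device Support section describes.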
The Cyber Security platform supports the analyst in this ongoing review by providing the ability to run ad hoc queries against event data and review the results of those queries using a spreadsheet-like interface (which supports the exporting of query results to files readable by Microsoft Excel for more extensive data analysis).

Management Reports

In addition to its ad hoc query capability for security analysts, the Cyber Security platform supports the generation of more traditional management reports, which give a broader picture of the activity being tracked by the Cyber Security platform. These reports show activity levels over user-specified periods of time (e.g., past 24 hours, past week, past month), breakdowns of where suspicious activity is originating and is being targeted, and breakdowns of the types of suspicious activity. The reports can either be sent via electronic mail at scheduled intervals, or accessed via a secure Web browser connection. Reports accessed via a Web browser can also include charts and graphs to aid in the visualization process.

Implementation

AT&T’s Cyber Security platform is provided through its Cyber Security Center, providing centralized security management. Each device deployed in an infrastructure forwards alarms, logs and other data to the center for display and further processing. The center performs 24 x 7 monitoring, management, incident response, and reporting.

In addition to the Cyber Security Center implementation of the capabilities, the Cyber Security platform can be deployed in a stand-alone environment to enhance existing security capabilities of an infrastructure. Customization of the platform can be performed to meet specific customer needs, and the system can be delivered and installed to the customer site.

To learn more about our security services, please contact Susanne S. Best at sbest@att.com.
