
Q&A: Marcus Ranum chats with AT&T's CSO Ed Amoroso

There's no shortage of new security technology, but enterprise integration is still a major hang-up, says AT&T's chief of security.

Technology assessments are a key component of effective security programs. The challenge is finding benchmarks for enterprise architectures. As the chief of security for AT&T's global communications network -- the company's backbone carries an estimated 73.4 petabytes of data traffic on most days -- Ed Amoroso knows a thing or two about vetting new security technology.

Amoroso started out at Bell Labs, where he worked on securing Unix systems. He currently serves as AT&T's senior vice president and chief security officer, with primary responsibility for the real-time protection of AT&T's vast enterprise, network and computing infrastructure, including its mobile network and cloud services. Amoroso is also one of 15 AT&T fellows and the creator of the AT&T Security Research Center. Current projects include architecture for virtual private mobile networks and research on the differences between mobile and PC-based botnets.

Amoroso has authored five books including Cyber Attacks: Protecting National Infrastructure. He has a doctorate in computer science from Stevens Institute of Technology. A longtime proponent of the field, Amoroso has introduced thousands of graduate students to the topic of computer security as an adjunct professor at the Institute. Marcus Ranum caught up with him to discuss the growing computer security industry and the security officer's role in securing complex design.

Marcus Ranum: Let's talk about a big industry trend; namely, that we're now a big industry. Since you represent [AT&T] -- a big customer in a big industry -- I wonder how you avoid getting buried in all the new security technology that keeps coming out. How do you assess which products to even look at?

Ed Amoroso: We generally assess new products at various levels. First, as the CSO, it's my responsibility to maintain personal relationships with the principals of new security start-ups. We want to know whether the company is interested in an early exit, a merger, or if it is trying to be the next Twitter. We are such a large company that it really matters what new companies are trying to accomplish.

Ranum: Do you prefer companies that are looking to be acquired?

Amoroso: It depends. When a new offering provides great security capability, but it is run by a firm with eight employees, we would like to see the underlying business base provided by a larger partner or owner. If the small company shows that it is growing and can easily handle our needs, then it's less important.

Ranum: What are some of the other levels for assessment?

Amoroso: The second level of assessment is pure cybersecurity effectiveness. We will look carefully at the technical approach and if it seems to make sense, we'll put the technology or tool through a series of rigorous tests in our lab and infrastructure. Many times this will expose issues of capacity, scale or just plain ineffectiveness. Distributed denial of service is hard to test, obviously, but most other technologies lend [themselves] well to realistic penetration and scale testing.

Ranum: I would think that scaling would be a big issue in any large Internet service provider.

Amoroso: Yes, it is one of our biggest issues. Security solutions in our environment must expand to many tens of millions of customers, so any manual processes or reliance on a single individual for support are simply not feasible.

And this highlights the third level of assessment, and that is support. If a new entrant into the cybersecurity marketplace has great technology from great people, but no clear focus on lifecycle support, then this can be a showstopper. Support includes ongoing technology refresh, tiered customer support and the ability to quickly deal with any problems that might arise.

Ranum: Do you think that mergers and acquisitions help propel the industry forward, or are they a net loss? Not that it's going to stop, either way.

And is the rate of change in your area of responsibility slow enough that you wish products wouldn't [become] obsolete so fast -- or be discontinued? Would you rather see the rate of innovation speed up?

Amoroso: I think the rate of innovation in product development has been fine. And I think mergers and acquisitions are good, to the degree that they produce the '2 + 2 = 5' results that everyone hopes. The place where innovation has been too slow is in the area of enterprise architecture, and integration of new technology and products. We have a lot of great technical innovation, but the industry hasn't figured out how to actually use it.

Ranum: Are you bullish or bearish on the future of cybersecurity?

Amoroso: I think most people recognize that the bad actors are getting much better, so it is tempting to really feel bearish about the future of cybersecurity. But there are so many excellent vendors, technologists and architects working hard to reduce risk and enable new services, that a bullish attitude seems more appropriate.

Ranum: How do you incorporate new things into your plans? I realize that question presupposes that there's a certain amount of new going on, and not reinvention and reshuffling of old things. But let's take cloud computing or bring your own device as an example: How do you enlarge your planning cycle to take new stuff into account?

Amoroso: The planning cycle for new security functions follows two tracks. First, the evolution of infrastructure toward cloud and BYOD needs to be integrated with proper security controls. And this is not always straightforward. BYOD, for example, could benefit from TPM [trusted platform module]-like hardware to improve the resilience of containers. But such hardware support is not always available in the marketplace.

Second, the evolution of security tools for threat management needs to also be tracked, and this is clearly a progression from signature to behavioral controls. Just about every CISO team is now using behavioral analytics.

Ranum: Do you have a process that you use for deciding what you're going to incorporate into your IT landscape? How does one strategize for such a large organization?

Amoroso: There was a wonderful paper written many years ago by the great computer scientist David Parnas [and coauthor Paul Clements] called 'A Rational Design Process: How and Why to Fake it.' I read the paper in graduate school and it stuck with me. The point was that no actual process of complex design is ever perfect while you are doing it. But Parnas argued that you must always fight hard to build rational explanations and documentation around what you are doing.

The best CISOs I've encountered do this all the time -- namely, they will try various approaches to threat mitigation, and the ones that do not work are deemphasized and forgotten. The ones that do work, however, are translated into control matrices and risk management documentation.

Ranum: What's the last new technological thing that took you by surprise?

Amoroso: As you know, techies have been building virtual operating systems on top of other operating systems for many years, but I never expected the concept to progress into the mainstream the way it did. I must say that this has been a pleasant surprise.

Another pleasant surprise is that so many new products have embraced two-factor authentication as a baseline solution. I'm sure you remember all the half-starts in the industry for 2FA. It's good to see this gaining momentum.

Ranum: Any final predictions?

Amoroso: More companies will embrace cloud as a means for providing more resilient computing. This is essential for dealing with destructive malware. As a result, all the conventional security functions like wireless application protocol, data loss prevention and encryption will gravitate to run-time systems in cloud environments.

About the author:
Marcus J. Ranum, chief security officer of Tenable Security Inc., is a world-renowned expert on security system design and implementation. He is the inventor of the first commercial bastion host firewall.

This was last published in March 2015
