AT&T Internet Protect with DDoS Defense Option
Security Services
AT&T Internet Protect – Presentation Overview
- Business Statistics Around Security
- AT&T Internet Protect Service
- DDoS Defense Option
Threats continue and become more frequent
- Cost of computer crime totaled $141,496,560; DDoS attacks are the most expensive computer crime (Sources: 2004 CSI/FBI Computer Crime and Security Survey, CERT)
- Denial of Service is the most common cyber crime complaint of CSOs (Source: CSO Magazine)
- In May 2004, a total of 959 new viruses were released on the Internet, the highest number since December 2001 (Source: Information Week)
- Diagram labels: Remote access to the corporate network; Internet access from the corporate network; Enterprise-to-enterprise networks; E-commerce

Notes: The Internet, or cyber space, is multidimensional and provides access to and from numerous environments through interconnections between various networks around the world. The threats to AT&T's portion of cyber space come in many flavors and sizes, from expert hackers trying to steal credit card information to high school hacker wannabes trying to show that they can get into something perceived as impenetrable. Inappropriate access and theft of information can both have significant economic and political impact on a company or a government. This is the threat from without. Another threat is the threat from within, or the insider threat. This threat comes from an authorized user of the network, or the cyber space, and presents its own set of difficulties. Insider threats range from an administrator or user who hits a wrong key by mistake to industrial spies and disgruntled employees trying to take critical information or destroy key systems before walking out of the door forever. The data is compelling, and we know the data is seriously incomplete, but its completeness is growing every year. REASON: the cost of the threat is starting to equal, or exceed, the cost of the defense.
Moving Security Intelligence into the AT&T Network
- Current State of Industry: "Distributed Enterprise Edge Security" (Firewall, IDS, Anti-Virus etc. at the edge of each Client Enterprise connected to the AT&T IP Network)
- Evolving State of AT&T Network: "Intelligence and Security" (security built into the network, protecting customer network & applications)
- True network intelligence changes the game for customers, moving from intrusion detection to intrusion prevention.
- Major client security investment at the edge (IDS, firewalls, anti-virus, anti-SPAM deployed by customer): inefficient, expensive, non-holistic; repetitive across client base
- Network-based solutions for IDS, firewalls, anti-virus, anti-SPAM: efficient, inexpensive, holistic; non-repetitive across client base; Total Cost of Ownership (TCO) improvement

Notes: Today network security is focused on the edge and what is happening around the edge of the network. If you think about it, this is fundamentally backwards: trying to create security at network edges with the deployment of hardware in an expensive and disjointed approach where false positives generate 95% of alarms and critical systems are left to their own devices. Like the shepherd in the story of "The Boy Who Cried Wolf", with only 5% of alerts being true security risks you start to ignore the alerts until you are affected by a major security breach. At AT&T, we want to help you change your perspective by investing in technology and innovations to have 95% of your alarms be actual security events and not the false cry of WOLF! The way we are doing this is to look at operating principles that focus on prevention at the core of the network rather than relying on detection at the edge. Then we will work with you to design additional security within your network to keep your critical systems operating in a safe and redundant manner. AT&T has the world's largest IP network, with the most IP endpoints connected to that network. This gives us a huge advantage in scale, which is vital to providing network-based security. The security innovations and technologies that we are working on in AT&T Labs, as well as in partnership with others, are being deployed throughout our network and services, to give you the highest level of security with the greatest amount of efficiency and protection.
Cyber Attack Strategy – Perspective of Adversary
- Diagram labels, attack phases: Reconnaissance; Scanning; System Access; Damage; Track Coverage
- Diagram labels, attacker activities: Day Zero; Web-Based Information Collection; Broad Network Mapping; Service Vulnerability Exploitation; DDoS Zombie Code Installation; Use of Stolen Accounts for Attack; Social Engineering; Targeted Scan; Password Guessing; System File Delete; Log File Changes
- Diagram labels, defense: Preventive Phase (Defense); Reactive Phase (Defense); Indications and Warning Threshold (Defense); DDoS Attack Mitigation-I; Advance Attack Visibility; AT&T Internet Protect

Notes: Let's focus on what AT&T is doing to address the challenge of network attack prediction and accuracy. If we look at the stages of an attack there are clear phases, just like in any software engineering project. When attackers are building an attack there are some discrete functions conducted, shown on the left side of the chart. AT&T has focused on early detection of an attack. The objective is to move to a process of intrusion prevention through early detection. Services such as SANS, CERT and other subscription services gather their information on the right side of this graph. AT&T is in a unique position of having the largest IP network in the world to view occurrences on the network and what is happening in the Internet. Other services are gathering information as an attack is being propagated, based on a percentage of already infected users.
Provides an early warning for worm and virus attacks
- Diagram labels: AT&T Security Analysis of Network Flow Data; Existing AT&T Security Information Analysis Program (Domestic View); AT&T Labs – Security Forensics Experts; AT&T Labs – Research Statisticians; AT&T GNOC – Security Technicians; AT&T Analysis System; GNOC Alerts; Private AT&T Transport; Optical Splitters (Gateway Routers)
- Data collected: 4.5 TB/day (08/03); 7.0 TB/day (12/03); 10.0 TB/day (03/04); 25.0 TB/day (07/04)

Notes: To gather data on traffic flows, AT&T placed optical splitters and AT&T-developed Gigaflow sensors at major peering points in our IP network. Using real time smart sampling of AT&T's IP backbone, as a proxy of general Internet traffic, we are able to look at IP traffic at a port and application level. The information collected is fed into AT&T analysis tools, allowing AT&T Security Analysts to review the data and traffic flows, at a port level, in near real time. This means that we are looking at, and analyzing, information from over 65,000 ports in real time 24 hours a day, 7 days a week (note: we look at TCP and UDP traffic; technically we are looking at 130,000 ports). Currently we are collecting over 4.5 terabytes of data daily, and based on expected traffic flows we are putting systems in place to capture and analyze over 7 terabytes of data daily. By analyzing these real time samples and using heuristics and statistical models, AT&T Security Analysts can predict, and pinpoint, potential worms, viruses, and other malicious activity before they affect AT&T's IP networks and AT&T customers' networks.
AT&T Security Analysis of Network Flow Data
- Detect, identify, quantify, and locate potential threats to AT&T's internal systems, services, and/or clients
- Activities: correlate in excess of 25 Terabits of data daily collected from the AT&T IP backbone and peering points; detect and predict threats; forensic analysis in conjunction with the FBI and other law enforcement agencies on behalf of the customer
- Inputs: metadata (flow records, registry data, routing data, network topology data…); selected, AT&T-destined, content data
- Protect customer privacy: operate in accordance with the AT&T Privacy Policy; headers vs. traffic payload

Notes: AT&T uses a proprietary system that processes literally terabytes of network-derived data daily. The data includes flow records, registry data, routing data, and network topology data. Unsampled flow generation, data management, and processing systems have been embedded into AT&T's network to perform analysis that is unique in the industry, both in scale and in breadth. AT&T Labs-developed statistical algorithms and analysis tools, in conjunction with commercially available tools, automatically issue alerts on a variety of anomalies characteristic of worms, DDoS, and other malicious activity. In addition, AT&T can expeditiously implement specific detection algorithms in real time to support security-related events. The systems are monitored for alerts and trends on a 24x7 basis by AT&T's Security Analysts in the Global Network Operations Center. As a result, Internet Protect customers gain the benefits of global visibility, continually evolving analysis techniques, 24x7 evaluation, event interpretation, mitigation recommendations, and timely notification.

In addition to AT&T's proprietary code, algorithms and techniques, the following commercially available enabling technologies are employed within the Internet Protect architecture:
- Juniper Networks
- Narus
- Sun Microsystems
- Hitachi Data Systems
- Dell
- Red Hat Linux
- Daytona (AT&T's proprietary technology for very large databases)
- ArborNetworks
- Cisco Riverhead
What if we notify customers in advance of network security events?
- AT&T Security Analysis of Network Flow Data: SQL Slammer Observation
- Chart: packet counts on UDP port 1434 in the weeks prior to the event, against the normal UDP port 1434 distribution range
- Chart annotations: Day 0 – Suspicious activity; Some speculate recon.; Some speculate recon.; Further speculative recon.; Slammer hits! (01/26/03)
- Alert threshold is 2 orders of magnitude of normal port activity

Notes: On January second an unusual traffic spike is detected on port 1434 and an alert flashes across the screen in your NOC. A quick look at what the AT&T Security Analysts think this means, and you can take the recommended action, whether accelerating your system patching schedule or placing ACLs on key routers and firewalls. January 12th, you notice on your screen another alert with links to recommended actions. Then again on the 14th and the 21st, you can take action or more closely monitor your systems. Then, when you least expect it, January 26th, the SQL Slammer worm hits, doubling its effect every 8.5 seconds. The regular security briefing video feed streamed through your AT&T Internet Protect portal is interrupted by an alert telling you that a major worm has been detected… an AT&T Security Analyst is on camera with some general recommendations. The Analyst is also taking questions from other AT&T Internet Protect customers via e-mail, video feeds and over the phone. Shortly after the target of the worm is identified, a security expert from Microsoft joins the broadcast for a discussion on ways to mitigate the worm's effects. This is only an example and not exactly what would happen, but… with AT&T Internet Protect Security Alert Notification, you are given the information and the resources needed to help keep your systems and network operational even during some of the most disruptive worm and virus attacks… because you are informed in advance of the possible threats, given remediation recommendations, and can take action before a threat becomes an attack.
AT&T Internet Protect Service Overview
What is the Service?
- Critical alerts / security advisories via e-mail/paging
- Security information via AT&T BusinessDirect
- Real-time data on potential intrusions and attacks
- Mitigation recommendations
- AT&T Internet Protect - DDoS Defense: customer-specific event detection and mitigation
How does it address your needs?
- Early warning of possible hacker attacks
- Adds an additional layer of defense
- Immediate confirmation and internal analysis, including security intelligence from other resources
- No additional equipment to install at your locations
- Expert input and advice; customer-specific expert advice available
AT&T Internet Protect: Security Alert Notification
Internet Protect Sasser Timeline / Alerts (chart: 445/tcp flow volume relative to 5-week mean)
- 3/23 Alert: Increased Scanning on TCP/445
- 04/13 Advisory: Microsoft Announces patch MS04-011
- 04/14 Major Alert: Proof of Concept MS Exploit Code Released – PATCH ASAP!
- 04/16 Alert: New Exploit Code Released
- 04/20 Major Alert: MORE New Exploit Code Released – Block port 139 & 445 – PATCH ASAP!
- 04/26 Alert: New Attack Tool Released
- 04/28 Alert: Increased Scanning on TCP/445
- 04/30 Alert: Another New Attack Tool
- 05/01 Major Alert: SASSER Worm Spreading
The Sasser exploit took place on 5/01/04, and AT&T Internet Protect was providing notification of the patch and exploit activity two weeks earlier.

Notes:
- 3/23 AIP alerts increased scanning on port 445/tcp
- 4/13 Microsoft releases patch MS04-011; AT&T Internet Protect (AIP) releases an advisory
- 4/14 AIP pages and alerts that there is exploit code available on hacker sites
- 4/16 AIP alerts the release of exploit code
- 4/20 AIP alerts and pages regarding new exploit code; recommends blocking ports 139 and 445 and updating patches
- 4/26 AIP alerts and pages re: another attack tool available on the Internet; recommends blocking ports 139 and 445 and updating patches
- 4/28 AIP alerts increased scanning on TCP 445
- 4/30 AIP alerts new attack exploit code available on the Internet
- 5/1 AT&T Internet Protect pages and alerts a new worm spreading (Sasser)
AIP issued multiple pages and alerts leading up to the Sasser worm. Implementation of the patch provides protection against the vulnerability. Blocking the recommended ports would provide protection against the spreading of the worm if the patch was not yet installed. AT&T Internet Protect was providing notification of the patch and exploit activity two weeks earlier! Notification of activity more than two weeks early!
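The detection logic behind the Slammer observation (UDP/1434 packet counts, alert threshold at two orders of magnitude above normal) and the Sasser timeline (TCP/445 flow volume relative to a 5-week mean), as an added runnable illustration that is not AT&T's tooling: the flow-record layout, the constructed daily counts and the lower "watch" tier are assumptions made for the example.

```python
"""Port-level flow anomaly detection against a multi-week baseline.

Added example, not AT&T code. The major-alert threshold (100x, i.e. two orders
of magnitude above normal port activity) is the figure the deck gives; the
WATCH tier, the record layout and the sample counts are constructed here.
"""
from collections import defaultdict
from datetime import date, timedelta

MAJOR_RATIO = 100.0   # two orders of magnitude above baseline (from the deck)
WATCH_RATIO = 3.0     # assumed lower tier for "increased scanning" notices
DAY0 = date(2003, 1, 26)   # the Slammer date named on the slide; data is constructed


def constructed_flows():
    """35 days of constructed daily flow records plus a day-0 surge.

    Record layout (assumed): (day, proto, dst_port, packets). Background
    levels follow a 7-day pattern whose mean is exactly 10 packets/day for
    UDP/1434 and 1000 for TCP/445, so the baselines are easy to verify.
    """
    flows = []
    for i in range(1, 36):
        day = DAY0 - timedelta(days=i)
        flows.append((day, "udp", 1434, 7 + i % 7))
        flows.append((day, "tcp", 445, 700 + 100 * (i % 7)))
        flows.append((day, "tcp", 80, 50_000))
    # Day 0: Slammer-like surge on UDP/1434, modest extra scanning on TCP/445.
    flows.append((DAY0, "udp", 1434, 2500))
    flows.append((DAY0, "tcp", 445, 4000))
    flows.append((DAY0, "tcp", 80, 50_000))
    return flows


def daily_port_counts(flows):
    """Aggregate packets per (day, proto, dst_port)."""
    counts = defaultdict(int)
    for day, proto, port, packets in flows:
        counts[(day, proto, port)] += packets
    return counts


def baseline(counts, proto, port, day, weeks=5):
    """Mean daily packets for proto/port over the `weeks` weeks before `day`."""
    ndays = 7 * weeks
    total = sum(counts.get((day - timedelta(days=i), proto, port), 0)
                for i in range(1, ndays + 1))
    return total / ndays


def detect_anomalies(flows, day, weeks=5):
    """Return {(proto, port): (observed, baseline, ratio, level)} for ports
    whose volume on `day` is at least WATCH_RATIO times their baseline.
    A port never seen in the baseline window (baseline 0) is reported MAJOR."""
    counts = daily_port_counts(flows)
    results = {}
    for (d, proto, port), observed in counts.items():
        if d != day:
            continue
        base = baseline(counts, proto, port, day, weeks)
        ratio = observed / base if base > 0 else float("inf")
        if ratio >= MAJOR_RATIO:
            results[(proto, port)] = (observed, base, ratio, "MAJOR")
        elif ratio >= WATCH_RATIO:
            results[(proto, port)] = (observed, base, ratio, "WATCH")
    return results


if __name__ == "__main__":
    found = detect_anomalies(constructed_flows(), DAY0)
    for (proto, port), (obs, base, ratio, level) in sorted(found.items()):
        print(f"{level:5} {proto}/{port}: {obs} pkts vs baseline {base:.0f} ({ratio:.0f}x)")
```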
AT&T Internet Protect Security Alert Notification Service
- Diagram labels: Sources; Destinations; All Source Anomaly Intelligence (Government, etc.); AT&T IP Backbone; AT&T Customer Portals; AT&T Prop Heuristics; GCSC; L1: Broadcast; L2: Notification; L3: Customized; GNOC; Security Alerts via Portal; Security Analysis (profile/anomaly based, using IP header info, not content); AT&T Alerting; L3: Response Support (GCSC) – Proactive Filtering
- GCSC – Customer Facing Team (Raleigh)
- GNOC – AT&T Infrastructure Team (Bedminster)
- Over 900 viruses/worms in May 2004
- Well over 3,000 new viruses/worms/Trojans since Jan 2004
- 3,383,939 virus-infected e-mails were denied entry into the AT&T environment between Jan and June 2004
AT&T Internet Protect: Security Alert Notification BusinessDirect Client Portal

Notes: To access the AT&T Internet Protect Security Alert Notification portal you will first have to log into AT&T BusinessDirect. From there you will be able to link to the AT&T Internet Protect portal where you, as a designated Point of Contact, will be requested to enter your user name, password and SecurID number. Then you will be given access to the AT&T Internet Protect portal. From the portal you will be provided with network security event alert notification and information. Each alert is ranked by urgency and risk… links are provided to give you detailed information on the type of activity being seen and links to the information you need in order to mitigate the threat before it becomes a network-affecting event. The AT&T Internet Protect portal also provides you with information on Network Anomalies, Threat Analysis, Security Alerts, and the Top Threats… all with links to get more information from AT&T and some of the top security information resources in the world. All available on a 24 hour basis, 365 days a year. Alert notification can be delivered through e-mail, text page or text messaging. In the future you may even be able to view network security reports and interact with live video feeds with security analysts during critical security events.
AT&T Internet Protect: Alert Detail Page BusinessDirect Client Portal
AT&T Internet Protect Advantage
- Analyzes complete network flow of data
- Correlates data in real time
- Examines all Internet ports and protocols for anomalies
- Provides device-specific critical alerts
- Analyzes over 25 terabytes of data daily
- Provides a holistic network view of all Internet traffic
Other services may only provide the following…
- Data samples gathered from both trusted and untrusted sources
- Data analysis is not real time
- Data sample from limited number of inputs
- Work off of FW/IDS logs; limited subset of available information
"AT&T's new option for its Internet Protect service offers clients a real time solution, that unlike some competitors' solutions does not require the customer to notify the provider, but instead, AT&T alerts its users in real time of attacks it has detected." - Current Analysis, June 2004
Cost of DDoS Attacks Rising
??/#'s need to be verified
- DoS attacks are characterized by explicit attempts to deny access to mission critical corporate resources
- Incident type causing the largest financial loss
- Only cyber attack to grow in 2003
- Professionally generated attacks – not just SYN floods
- Matches intrusion as the greatest concern of security executives
Problem Scale
- Longest DoS Attack: Unknown
- Most computers impacted: M+
- Largest Bandwidth Attack: Gbps
- Largest Zombie Attack: M+
- The San Diego Supercomputer Center reported 12,805 denial of service (DoS) attacks over a three-week period in February 2001; 50% of the attacks lasted less than ten minutes; unfortunately, 2% of them lasted greater than five hours and 1% lasted more than ten hours.
- Most expensive computer crime was denial of service, with a cost of $26,064,050 (CSI/FBI 2004 Computer Crime & Security Survey)
- "DDoS attacks challenge intrusion as the primary threat facing U.S. businesses…" - CSO Magazine Security Sensor III & IV Research, July 2003
The Solution: DDoS Defense – attack mitigation option
Distributed Denial of Service Attack – Multiple Points of Vulnerability
- Zombies on innocent computers
- Infrastructure-level DDoS attacks
- Server-level DDoS attacks
- Bandwidth-level DDoS attacks
THIS ONE NEEDS NOTES
Denial of Service Attacks
The problem…
- DDoS bandwidth attacks flood the network and often congest last mile access
- Existing defenses are ineffective: "blackholing" discards all traffic to a victim; protection on the customer premises is too late and inefficient
- DDoS attacks create possible legal and/or regulatory exposures
- DDoS attacks disrupt business continuity and may be brand or share price impacting
Customer solution should…
- Detect and mitigate DDoS attacks
- Handle large scale & sophisticated attacks
- Ensure legitimate transactions get through
- Maintain trouble-free operation of business critical applications

Notes: A distributed DoS attack occurs when a hacker hijacks machines across the Internet and uses them to send a flood of requests to a server until it becomes overwhelmed and stops functioning. AT&T DDoS Defense is a D/DoS detection and mitigation option available only to AT&T Internet Protect customers.
AT&T Internet Protect DDoS Defense Option
AT&T DDoS Defense provides an additional layer of security protection:
- Identifies attacks in seconds
- Defends against a broad range of DoS and DDoS attacks
- Mitigates the threat within the AT&T core network before the customer last mile
How it works:
- Uses analysis, filtering, scrubbing and diversion to protect against attacks
- On attack detection, suspicious traffic is immediately diverted for scrubbing to remove attack flows without disrupting legitimate transactions
- Diverted traffic is "cleaned" of malicious components and then redirected to its original target
The result:
- Defense against disabling attacks directed at your infrastructure resources, applications and businesses
- Secures availability
- Ensures business continuity
"We are taking a very positive stance on AT&T's DDoS Defense option for its Internet Protect service…" - Current Analysis, June 2004
AT&T DDoS Defense Diversion Overview
Diagram (AT&T IP Network; Scrubber; Targeted servers; Non-targeted servers):
1. AT&T Internet Protect detects DDoS attack
2. Activates Scrubber (auto/manual)
3. Diverts only the target's traffic to Scrubber (BGP announcement)
4. Scrubber identifies and filters the malicious traffic (targeted traffic redirected)
5. Scrubbed legitimate traffic flows
6. Non-targeted traffic flows freely

Notes: The DDoS Defense solution detects and mitigates DoS attacks by detecting zones under attack and diverting all traffic destined to the targeted zones to Cisco Guards located within the network for 'cleaning'.
- Without DDoS Defense, both normal traffic and attack traffic go through AT&T's IP backbone to a customer.
- With DDoS Defense, the customer access router pushes out NetFlow to a Detector.
- The Detector constantly baselines the customer's traffic pattern, looking for malicious traffic.
- When the Detector senses an anomaly, it redirects traffic to the scrubbing facility.
- Traffic redirected to the scrubbing facility has malicious traffic removed.
- After the facility mitigates the malicious content, that traffic is forwarded back to the customer through an encapsulated tunnel.
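The diversion mechanics of steps 1 through 6 above, as an added illustration (not AT&T's or Cisco's code): a toy longest-prefix-match forwarding table shows why announcing the targeted host as a more-specific /32 toward the Scrubber pulls in only that host's traffic while the rest of the customer zone keeps its normal path, and why cleaned traffic has to return over a tunnel. The addresses, hop names and tunnel name are constructed for the example.

```python
"""Diversion by more-specific prefix, as in the DDoS Defense overview.

Added example, not AT&T's or Cisco's code. The /32 granularity, the hop names
and the address block are assumptions; the deck speaks of "targeted zones".
"""
import ipaddress

CUSTOMER_PREFIX = "203.0.113.0/24"      # constructed (TEST-NET-3): a customer zone
CUSTOMER_EDGE = "customer-access-router"
SCRUBBER = "scrubber"
RETURN_TUNNEL = "tunnel-to-customer"    # assumed encapsulated return path


class ForwardingTable:
    """Minimal longest-prefix-match table: prefix -> next hop."""

    def __init__(self):
        self.routes = {}

    def announce(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def withdraw(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [net for net in self.routes if addr in net]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda n: n.prefixlen)]


def backbone_table():
    """Without DDoS Defense the whole zone is reached via the customer edge."""
    fib = ForwardingTable()
    fib.announce(CUSTOMER_PREFIX, CUSTOMER_EDGE)
    return fib


def activate_scrubber(fib, target_ip):
    """Steps 2-3: on detection, announce the target's /32 with the Scrubber as
    next hop. The /32 is more specific than the customer /24, so only packets
    for the target are pulled toward the Scrubber; the rest of the zone is
    untouched (step 6)."""
    fib.announce(f"{target_ip}/32", SCRUBBER)


def deactivate_scrubber(fib, target_ip):
    """Withdraw the diversion once the attack subsides."""
    fib.withdraw(f"{target_ip}/32")


def path_for(fib, dst):
    """Trace the hops a packet to `dst` takes through the backbone.

    When the backbone hands a packet to the Scrubber, the Scrubber cannot use
    an ordinary lookup to forward the cleaned traffic: the /32 still points
    back at the Scrubber itself, which would loop. Scrubbed traffic is injected
    into an encapsulated tunnel that terminates at the customer edge (step 5).
    """
    next_hop = fib.lookup(dst)
    if next_hop is None:
        return ["backbone", "drop: no route"]
    hops = ["backbone", next_hop]
    if next_hop == SCRUBBER:
        hops += [RETURN_TUNNEL, CUSTOMER_EDGE]
    return hops


if __name__ == "__main__":
    fib = backbone_table()
    activate_scrubber(fib, "203.0.113.10")
    print("targeted    :", " -> ".join(path_for(fib, "203.0.113.10")))
    print("non-targeted:", " -> ".join(path_for(fib, "203.0.113.20")))
```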
AT&T Internet Protect Advantage
DDoS Mitigation
- Stops DDoS attacks BEFORE they reach customer last mile access
- DDoS scrubbing complex highly scalable – off AT&T OC-192 node(s)
- No additional bandwidth charge to handle the burstable rate of the attack
- Customer has full control of bandwidth protection up to the capacity of the AT&T backbone
- Both customer-specific and Internet-wide threat visibility
Do It Yourself – Customer Solutions
- No advance warning system
- Scrubbing occurs on the customer network, requiring significantly increased last mile bandwidth
- DDoS defense replication required at all mission critical server locations
- Sophisticated (and expensive) security skill sets required
AT&T DDoS Mitigation: ensures business continuity at reduced TCO
Dedicated Mitigation: Cloud Based Detection
- Customizable equipment allows for more granular mitigation thresholds
- Allows for greater traffic capacity through the Guard
- Scrubbing hardware always available
- More expensive than the shared option

Notes: For the dedicated configuration, the Scrubber is dedicated to a single customer, which allows for tuning more granular mitigation thresholds.
Shared Mitigation: Cloud Based Detection
- Scrubbing hardware shared among more than one customer; may not be available at all times
- Equipment configured based on generic mitigation profiles
- Traffic through the scrubbing center is limited
- Less expensive than the dedicated option

Notes: For the shared configuration, the Scrubber is shared with more than one customer. Scrubbers are load balanced to provide support to the customer getting attacked.
ROI Advantages of a Network Based Solution
SH to review #s
- 2 hours = Average downtime suffered from a DDoS attack
- 5 days = Average duration of a DDoS attack
- $16,800 = Average e-commerce revenue/minute across all industries
- $10,080,000 = Financial risk from a DDoS attack
Build your own remediation solution?
- $1,067,800 first year expenditure with unproven ability to remediate a DDoS attack, vs. AT&T DDoS Defense
Source: IT Performance Engineering & Management Strategies: Quantifying Performance Loss – Meta Group 2000
Source: Costs include routers, hardware, software, consultants, personnel, and bandwidth
DDoS Defense Option – The Solution… DDoS Defense Benefits
- Option for AT&T Internet Protect customers
- Provides customer-specific Distributed/Denial of Service (D/DoS) detection and mitigation
- Identifies and blocks malicious packets in real time without affecting the flow of legitimate traffic
Benefits
- Proactively protects your network by detecting the presence of a DDoS attack before it causes disruption or downtime
- Blocks malicious packets in real time while allowing the flow of legitimate business traffic
- Reduces business risk and supports business continuity
- Integrates with the predictive and early warning capabilities of AT&T Internet Protect
DDoS Defense: How Can You Afford Not To?
Your average e-commerce revenue/minute _____________ X 10 hours of downtime _____________ = $___________
- Increased accountability
- Customer loyalty and devalued brand image
- Continued operations
The Security Services Family – Security Layering Choices
- Diagram layers: Assess; Protect; Detect; Respond (ALARM)
- Diagram labels: Firewall Service; Layered Security Performance options; AT&T Internet Protect; Intrusion Detection Service; Antivirus Scanning Svcs; Managed Intrusion Detection Svcs; Token Authentication Service (Token & PKI); Managed VPN Svcs; Professional Service – Vulnerability Scanning & Testing, Ethical Hacking
Thank You