CenturyLink banks on machine learning, artificial intelligence for better security

CenturyLink has boosted its Security Log Monitoring platform by blending in machine learning and artificial intelligence.

With today's businesses operating in hybrid environments, and with the increasing number of mobile workers, more robust security measures are needed. CenturyLink has updated its network-based Security Log Monitoring platform with correlated threat intelligence, cloud security monitoring and a new mobile app to detect and respond to security threats.

"Essentially, Security Log Monitoring is a log management and SIEM (security information and event management) tool as a service," said CenturyLink's Chris Richter, vice president of global security services, in an interview with FierceTelecom. "Log management, SIEM services and managed security services have been combined into one service offering."

The service is designed for businesses that want to augment their existing security operation centers (SOC) or SIEM environments, or replace them entirely with CenturyLink's as a service offering. One of the advantages that CenturyLink has over competing security solutions is its large international backbone, which was augmented by its purchase of Level 3 last year. CenturyLink has virtualized log collectors on its backbone, Richter said.

Better security through automation, machine learning and AI

Richter said CenturyLink was constantly working on machine learning and automation for its security platform. Business customers can cut down or eliminate their 24/7 SOC staffs through automation.

"That's probably the biggest part of the roadmap, is taking out some of the functions that SOC staffers have do. They sit in front of consoles and perform very mundane tasks," Richter said. "You still have to notify and alert people to what the system did, but that's the kind of learning and automation that we want to see happen.

"Things that are known bad interactions and functions need to be blocked and shut down, but machine learning and automation and artificial intelligence all go hand in hand."

Richter said CenturyLink was moving towards doing a full integration of the threat intelligence and analysis capability it has on its backbone with security log monitoring in order to correlate active threats with the logs that it sees. That capability is slated to be available in the first quarter of next year.

Log collectors do the heavy lifting

Customers can choose to send their logs to cloud-based log collectors, or have a virtual log collection appliance on their premises that compresses, encrypts, and transmits the logs to CenturyLink's security log monitoring infrastructure.

The service recognizes common source logs types including those from VPNs, firewalls, databases, cloud infrastructures and servers.  While other telcos have managed security services, Richter said most of those monitored customer devices instead of logs.

"Most customers don't even know how many devices they have," he said. "It's much cleaner to look at the logs we ingest. It's a very honest approach because we can meter it, see it and report it back to the customer. Our services are powered by our network, but the customer does not have to purchase our network to get the services. So that's another unique element that might separate us from other technology and telecommunications companies.

"There are other players out there, but they do it differently, and I don't believe that there is another security vendor that has the threat visibility that we have. We have one of the largest IP backbones in the world."

A spokesman for AT&T said it offers services to both managed and non-managed enterprise customers, depending on the customer’s cybersecurity posture, program, infrastructure and needs. AT&T Business provides managed security services for enterprises in two ways. Through its Threat Manager platform, AT&T can manage cyber threat detection and analysis via logs. Separately, it can manage premise hardware and devices for enterprises.

Correlation is king

Richter said the Security Log Monitoring platform had its genesis in CenturyLink's purchase of netAura two years ago. While the service has been in existence for a few years, the correlating threat intelligence is the new and shiny feature.

RELATED: CenturyLink bolsters managed security portfolio with netAura purchase

"The real benefit of this is the correlation piece," Richter said. "That's where the science exists. You see suspicious activity on a database server and then you can correlate that with logs coming in on the web server. Then you correlate that with the application server.

"Then you correlate that with the access and authentication server so you can see where the authentication came from, who granted the authentication for this entity to access the database server and the applications. That's correlated with the firewall logs to understand was it a protocol breach, was a port opened up on the firewall, was a rule set removed that would've blocked the access?"

All of the correlated data then goes through CentjuryLink's reputation databases for analysis. Customers use a web portal to see the data correlated on CenturyLink's backbone to determine where the threat came from.

"The biggest enemy of SIEM tools today is they correlate the wrong things, and they generate a lot of false positives and background noise," Richter said. "That burns up a lot of the security team's time chasing red herrings and focusing on relatively minor threats and maybe missing some of the bigger threats, which could turn out to be needles in haystacks. So a good correlation engine and threat analysis tool is absolutely essential."

The current service works with small, medium and large business, although Richter said medium-sized business are CenturyLink's sweet spot because larger organizations have their own SOC and SIEM teams and tools in place.

CenturyLink's security consulting team talks to customers about their escalation procedures and processes, how to use their single-sign on web portals, and how to set up their workflows.

The service features free log ingestion of up to 10 gigabytes per day, with additional ingestion capabilities available through upgrades with CenturyLink. Richter said security monitoring could also be accessed through a mobile application.

"If you're given the right administrative levels with the mobile application, you can customize how you want to be alerted," he said. "You can also customize and inform the service of the types of alerts that are interesting to you that you want to prioritize. So in a way, we perform machine learning based on customer preferences."