Retired AT&T Chief Security Officer Ed Amoroso is publishing a free three-volume guide to enterprise cybersecurity, hoping to ward off the next big attack.

September 8, 2016

Amoroso Shares His Security Obsession

When Ed Amoroso retired as AT&T's chief security officer last March, he actually became more obsessed with cybersecurity.

In fact, Amoroso spent much of the past six months personally writing a three-volume set of cybersecurity guides aimed at chief information security officers and their teams, laying out what he believes enterprises must do to avoid the next round of attacks -- attacks he believes will be highly destructive hits against critical infrastructure.

Today, Amoroso's new security advisory firm, TAG Cyber LLC, is making those three volumes available for download here at no cost. The 48 security firms with whom the former AT&T exec worked, and which are sponsoring his work, are also releasing the report this morning.

In an exclusive interview with Light Reading, Amoroso says making this information available for free is "an operating principle" for him, in light of his concern that enterprises aren't getting security right today and are vulnerable to future attacks that will go beyond theft of data and intellectual property to become more destructive in nature.

"Any rational, competent observer of cybersecurity would say we are past the point where we have to do something meaningful and significant immediately," Amoroso tells Light Reading. "And that is why I have been working 18-hour days to get this out. I feel like I have something to say and this is the best framework to say it."

He also is conducting an online course -- starting this week with 200 pilot students -- in which he'll go into greater depth on what enterprises need to be doing. Amoroso is hardly new to the teaching aspect of this, having been an Adjunct Professor of Computer Science at the Stevens Institute of Technology, an affiliated instructor at NYU and a senior advisor at Johns Hopkins University, all during his tenure at AT&T.

Explode, offload, reload
At the heart of Amoroso's approach is a three-step strategy he dubs "explode, offload and reload."

"I have been thinking about a methodology that I think is the right one for teams to follow and it underpins all three of the volumes," he says. "First, it means breaking up your infrastructure and distributing it; second, virtualizing the pieces of the infrastructure; and third, upgrading the security around those pieces."

That last piece can be accomplished working with any number of high-quality security vendors on the 50 separate cybersecurity controls that need to be addressed, Amoroso says. These controls include traditional tools such as firewalls and anti-malware tools but also newer things including security analytics, network monitoring and deception.


No more perimeters
The report's approach underscores something Amoroso has been talking about for years now, which is the idea that it's no longer possible to draw a perimeter around the enterprise (or carrier) infrastructure and then set up a perimeter defense. Mobility, the cloud and other technology trends make any kind of solid perimeter impossible to draw. (See AT&T's Amoroso: LTE, Virtualization & Cloud Mean New Security Challenges, AT&T's Amoroso: Perimeter Security No Longer Enough, and AT&T's New Security Strategy.)

He believes most enterprise CISOs (chief information security officers) may agree with his premise intellectually but will be harder pressed to implement a strategy that isn't based on perimeter defense. In his typically entertaining fashion, Amoroso compares the "explode" stage of his strategy to skydiving: It sounds like an exciting entry on the bucket list, but when it comes to actually exiting a functioning airplane, the moment of truth is tougher than most expect.

"It's like taking down the walls of your house -- suddenly, the kitchen, the bedroom and the living room are all exposed," he says.

Figure 1: Three-Step Methodology for Enterprise Security Teams

But it's essential to distribute enterprise functionality into micro-segments that can be offloaded to the cloud and then protected through virtualized security functions.

"Distributing those pieces is the first step and once you do that, you can't protect it with physical perimeter equipment, you have to have virtual," he says. The budget and expertise don't exist to spread hardware throughout the network, protecting each micro-segment, so virtualization is the only approach that makes sense.

"I believe software-defined networking is the glue that holds together modern cybersecurity architectures," Amoroso says. Once functionality is distributed in virtual machines and clouds, SDN is the powerful means of pulling it all together, he says. And, in his approach, implementing explode and offload presents the perfect opportunity to upgrade the security being used, working with vendors that have moved to an SDN-based approach.

Busting talent silos
Amoroso also hopes to address what he believes is another core problem for most enterprise security teams: limited vision among talent silos. While CSOs might be broadly competent, many of the people who report to the CSO have a particular skill or specialty, like behavior analytics, adaptive authentication or cloud security. Outside that one skill set, however, the security expert is not well-versed.

"I always knew that was a problem: It always struck me as a gigantic gaping hole in our profession, as a working professional, how do you fill that in?" he says. "You can't really take a course on it, everybody is so busy."

So one of Amoroso's goals in writing his three-volume security report was to round out the understanding of those who are experts in one area but can use help in others.

He doesn't see what he is offering as a means of solving the industry's crying need for more security personnel. It might help someone with adjacent skills in software development or networking to get a foothold in cybersecurity, however.

Given Amoroso's passion for cybersecurity, it's not surprising that he's not planning to stop with this report. By making his materials free, he's hoping entire cybersecurity departments can download the reports, so information can then be shared and discussed across organizations.

With the "alpha" version of his course that starts today, he's invited 200 people to participate in a 25-week course that he hopes becomes the model for a series of franchised/free classes that are conducted by skilled technologists, all with the goal of helping build up cybersecurity defenses. Around that, Amoroso would like to see an informal community build up similar to what has grown up around "2600: The Hacker Quarterly," a seasonal magazine that engages its readers in contributions and in meetings held around the country to share ideas and solutions.

So it's clear Amoroso isn't really retiring anytime soon, just channeling his cybersecurity passions in new directions.

Want to hear more? You can see Amoroso in person this December at Light Reading's Service Provider and Enterprise Security Strategies event in New York. You can read more about that here.

— Carol Wilson, Editor-at-Large, Light Reading
