DAY BY DAY. BEHIND THE SCENE
Incident investigation
Today on call
Milan Březina (milan.brezina@positive-tech.com)
- Milan has 14 years' experience in the telecommunications industry.
- Joined Positive Technologies in 2019 as a telco security expert.
- Previous roles in messaging security, specializing in short message service (SMS), VAS and anti-spam.
William Tiew (william.tiew@positive-tech.com)
- William has 19+ years' experience in the telecommunications industry.
- Joined Positive Technologies in May 2021, responsible for technical presales for PT products and solutions.
- Previous roles at network equipment vendors, including NFVi and edge computing.
- Introduction
- Delimitation of Cybersecurity in Telco
- Investigation from MNO perspective
- Handover to 3rd line support
- Real examples from the field
- Smart "risk-driven" approach
- Q&A
INTRODUCTION
On your own journey
Stages: Securing legacy network, Early IoT, Core network virtualization, Virtualization beyond core, Full IoT, 5G SA, Industrial 4.0
Technologies along the way: SS7, Diameter, GTP, SIP, 5G SBA, NEF, SEPP, PFCP, Kubernetes, OSS/BSS, MANO, CNF, VNF, MQTT, supply chain, APIs, device security, O-RAN, MEC
Security driven by money
1-10-100 RULE
1 - PREVENTION
10 - REMEDIATION
100 - FAILURE
Remediation costs more than prevention: the cost of fixing bad data is an order of magnitude greater than the cost of stopping it at the source.
Failure costs more than remediation: the costs of remediation are insignificant compared to leaving bad data in place.
Our focus should be on prevention.
Few facts
- Mobile evolution
- Regulators & legislation
- Recommendations
- Definition of KPIs
- Building 360° security
- Introducing Telco SOC
DELIMITATION OF CYBERSECURITY IN TELCO
Common types of cyber attacks
General: malware, phishing, password attack, DoS attack, MITM, SQL injection
Telco-specific: exploitation of flaws in architecture, signalling threat, SIM swap, DoS attack, MITM, malicious code or software, physical attack, ... and a few others
Now what can a hacker do?
Easily, from anywhere, from any mobile operator, no special skills needed.
From GSM to 5G: different protocols, same threats.
- Get access to your email and social media
- Track location of VIPs and public figures
- Perform massive denial of service attacks
- Intercept private data, calls and SMS messages
- Steal money
- Take control of your digital identity
INVESTIGATION FROM MNO PERSPECTIVE
End to End View
MNO point of view
- Trigger point (SIEM, SDR, Monitoring, FW)
- Investigation process: "Respond" defined
- Telco SOC team responsibility:
  - To describe the situation
  - To mitigate the situation (W/A, final solution)
  - To find reproduction (lab, production)
  - To find RCA
HANDOVER TO 3RD LINE SUPPORT
Handover
- Lack of resources/skills/knowledge to continue
- Collect and share existing progress with 3rd line
- Data analysis
- Mitigate the situation (W/A, final solution)
- Provide the reproduction (lab, production)
- Provide RCA
Deliverables
- Progress incident report
- All collected logs
- RCA document
- Repro description of attack
REAL EXAMPLES FROM THE FIELD
Worldwide Telco Security Risks (based on 70+ telecom security audits finished in 2020/21)
- ALL LTE networks are vulnerable to Denial-of-Service attacks
- 4,000+ attacks hit a mobile network operator on average per day
- 75% of mobile networks put subscribers at risk of geo-tracking
- 67% of networks fail to prevent bypass of SS7 protections
- 53% of call tapping attempts on 3G networks succeed
- 9 out of 10 SMS messages can be intercepted
5G NSA networks are at risk of attacks ... because of long-standing vulnerabilities in the Diameter and GTP protocols
Common Signalling Cyberattacks 2G/3G/4G LTE:
- Subscriber Denial of Service (DoS attack)
- SMS Interception
- Call Interception
A) OTP SMS interception
"We have received multiple complaints from our subscribers whose bank accounts were drained due to delivery of an OTP message via our carrier"
Retrospective incident investigation from the last 90 days
Fraudulent event                   | Number of events | Number of affected subscribers
IMSI disclosure                    | 980              | 450
Fake subscriber registration       | 490              | 340
SMS interception with short number | 2770             | 128
How to abuse
International / National SS7 network; nodes: MSC/VLR, HLR, SMS-C, STP, Hacker GT
1. UpdateLocation: IMSI, Hacker GT
2. MO-ForwardSM: A-Num, B-Num, text
3. SRI4SM request: B-Num
4. SRI4SM response: IMSI, Hacker GT
5. MT-ForwardSM: A-Num, IMSI, text
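The flow above is what a retrospective investigation such as the 90-day table in this section has to recover from signalling records: an untrusted GT learning a subscriber's IMSI (SRI4SM), then registering itself as that subscriber's VLR (UpdateLocation). The following is an added example, not the presentation's or Positive Technologies' code. It parses a constructed CSV export of MAP events, labels each event with the fraudulent-event categories used in the table under rules of its own, builds the events / affected-subscribers counts, and correlates the two steps per IMSI. The home GT prefix, the partner GT list, the record format and the sample lines are all constructed for the example.

```python
"""Retrospective investigation over MAP signalling event records.

Added example (not the presentation's own tooling). The record format, the
home-network facts and the classification rules are constructed for this
example; a real SS7 firewall or SIEM export will differ.
"""
import csv
import io
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed home-network facts: GTs of our own nodes and of trusted partners.
HOME_GT_PREFIX = "4201"
ROAMING_PARTNER_GTS = {"33612345678"}

# Constructed event export (one MAP operation per line).
SAMPLE_LOG = """\
ts,opcode,calling_gt,imsi,msisdn,result
2021-06-01T10:00:01,sendRoutingInfoForSM,99912345678,230010000000001,420601000001,ok
2021-06-01T10:00:02,updateLocation,99912345678,230010000000001,,ok
2021-06-01T10:00:05,sendRoutingInfoForSM,33612345678,230010000000002,420601000002,ok
2021-06-01T10:01:00,sendRoutingInfoForSM,99912345678,230010000000001,420601000001,ok
2021-06-01T10:02:00,sendRoutingInfoForSM,99912345678,230010000000003,420601000003,ok
2021-06-01T10:03:00,updateLocation,42015550001,230010000000009,,ok
2021-06-01T10:04:00,sendRoutingInfoForSM,99912345678,,420601000004,error
"""


@dataclass
class MapEvent:
    ts: str
    opcode: str       # MAP operation name
    calling_gt: str   # SCCP calling-party GT, i.e. who sent the request
    imsi: str         # empty when the operation did not carry or return an IMSI
    msisdn: str
    result: str       # "ok" or "error"


def parse_log(text):
    """Parse the CSV export into MapEvent records."""
    return [MapEvent(**row) for row in csv.DictReader(io.StringIO(text))]


def is_untrusted_gt(gt):
    """A GT that is neither ours nor a known roaming partner."""
    return not gt.startswith(HOME_GT_PREFIX) and gt not in ROAMING_PARTNER_GTS


def classify(ev):
    """Label one event with a fraudulent-event category from the incident table,
    or None. The rules are this example's own, taken from the flow above: an
    untrusted GT obtaining an IMSI, or registering as a subscriber's VLR."""
    if not is_untrusted_gt(ev.calling_gt) or ev.result != "ok":
        return None
    if ev.opcode == "sendRoutingInfoForSM" and ev.imsi:
        return "IMSI disclosure"
    if ev.opcode == "updateLocation":
        return "Fake subscriber registration"
    return None


def retrospective(events):
    """Build the (number of events, number of affected subscribers) table;
    affected subscribers are counted as distinct IMSIs per category."""
    counts = Counter()
    subscribers = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label is None:
            continue
        counts[label] += 1
        if ev.imsi:
            subscribers[label].add(ev.imsi)
    return {label: (counts[label], len(subscribers[label])) for label in counts}


def interception_chains(events):
    """IMSIs that the same untrusted GT first disclosed (SRI-for-SM) and then
    registered (UpdateLocation): the two steps of the SMS interception flow."""
    disclosed = defaultdict(set)   # calling GT -> IMSIs it learned via SRI-for-SM
    chained = set()
    for ev in sorted(events, key=lambda e: e.ts):
        label = classify(ev)
        if label == "IMSI disclosure":
            disclosed[ev.calling_gt].add(ev.imsi)
        elif label == "Fake subscriber registration" and ev.imsi in disclosed[ev.calling_gt]:
            chained.add(ev.imsi)
    return chained


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for label, (n, subs) in retrospective(evs).items():
        print(f"{label:30s} events={n:4d} affected subscribers={subs}")
    print("interception chains:", sorted(interception_chains(evs)))
```

On the sample export the table comes out as three IMSI disclosures affecting two subscribers and one fake registration affecting one, and the chain correlation names the single IMSI that went through both steps from the same foreign GT; the partner-GT lookup and the home-GT registration are correctly left out of both.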
B) Voice calls fraud
Retrospective incident investigation, last 120 days
Fraudulent event                            | Number of events | Number of affected subscribers
Termination of SMS with alphanumeric number | 5550             | 160
Termination of SMS with short number        | 790              | 100
Fraudulent voice call redirections          | 1700             | 60
"We can see a very suspicious tendency of MT SMS reminiscent of an SMS fraudster; we also identified a strange change in our CAMEL platform for some cheap trunks"
Investigation
International / National SS7 network; nodes: MSC/VLR, HLR, STP, SCP, RAN, Hacker GT
InsertSubscriberData: IMSI, SCP=Hacker GT
Final attack
CAP InitialDP: A-Num, Cheap number
CAP Connect: Expensive number
C) Double MAP
"We can see messages which are sent directly to the HLR, which seems like a good reason for abusing our Home Routing solution"
Retrospective incident investigation, last 24 days
Double MAP HR bypass MiTM | Number of events | Number of affected subscribers
Site 1                    | 15563            | 265
Site 2                    | 16522            | 200
Site 3                    | 13863            | 370
Double MAP component
- TCAP Message Type: mandatory
- Transaction IDs: mandatory
- Dialogue Portion: optional
- Component Portion: optional (Component 1, Component 2)
The SS7 FW checks a subscriber's ID in the first component, treating the other data as a long payload not meant to be inspected.
Double MAP component attack
Nodes: STP, SS7 FW, SMS Router, HLR
1. TCAP Begin [SendRoutingInfoForSM_REQ, StatusReport_REQ]: the STP sends the message to the SS7 FW for inspection; the FW inspects the first component only and passes the message into the network
2. TCAP Continue [Reject]
3. TCAP Continue [SendRoutingInfoForSM_REQ]
4. TCAP Continue [Reject]
5. TCAP End [SendRoutingInfoForSM_RES, Reject]
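The gap described in the Double MAP slides is an inspector that evaluates only the first component of a TCAP Component Portion. The following is an added example, not the presentation's code nor any vendor's firewall: it encodes a minimal TCAP Begin with two Invoke components (tags per ITU-T Q.773, MAP local opCodes per 3GPP TS 29.002), walks every component, and contrasts a "first component only" check with one that checks all components and fails closed on malformed input. The message, the interconnect blocking policy (SRI-for-SM blocked when it arrives directly, because home routing expects the SMS Router to answer it) and the choice of reportSM-DeliveryStatus as the benign first component are constructed for the example.

```python
"""Inspect every component of a TCAP message, not only the first one.

Added example (not the presentation's own code, nor any vendor's firewall).
Tag values follow ITU-T Q.773 and the MAP local operation codes follow
3GPP TS 29.002; the message, the blocking policy and the "first component
only" inspector are constructed to show the gap described above.
"""

# TCAP / component tags (ITU-T Q.773)
TAG_BEGIN = 0x62
TAG_OTID = 0x48
TAG_COMPONENT_PORTION = 0x6C
TAG_INVOKE = 0xA1
TAG_INTEGER = 0x02          # used for both the invokeID and a local opCode

# MAP local operation codes (3GPP TS 29.002), only the ones used here
OPCODES = {45: "sendRoutingInfoForSM", 47: "reportSM-DeliveryStatus"}

# Example interconnect policy: SRI-for-SM is answered by the SMS Router under
# home routing, so it is blocked when it arrives directly from an interconnect.
BLOCKED_FROM_INTERCONNECT = {45}


def tlv(tag, value):
    """Encode one BER TLV; short-form length only (value shorter than 128 bytes)."""
    if len(value) >= 128:
        raise ValueError("long-form lengths not supported in this example")
    return bytes([tag, len(value)]) + value


def invoke(invoke_id, opcode):
    """A TCAP Invoke component carrying a local MAP opCode and no parameter."""
    return tlv(TAG_INVOKE, tlv(TAG_INTEGER, bytes([invoke_id])) + tlv(TAG_INTEGER, bytes([opcode])))


def tcap_begin(otid, components):
    """A TCAP Begin with an originating transaction ID and a Component Portion."""
    return tlv(TAG_BEGIN, tlv(TAG_OTID, otid) + tlv(TAG_COMPONENT_PORTION, b"".join(components)))


def parse_tlvs(buf):
    """Split a buffer into (tag, value) pairs; raises on a truncated element."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated TLV header")
        tag, length = buf[i], buf[i + 1]
        if length >= 128:
            raise ValueError("long-form length not supported in this example")
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        out.append((tag, value))
        i += 2 + length
    return out


def invoke_opcodes(msg):
    """Return the opCode of every Invoke component in a TCAP Begin, in order."""
    (tag, body), = parse_tlvs(msg)
    if tag != TAG_BEGIN:
        raise ValueError("not a TCAP Begin")
    opcodes = []
    for tag, value in parse_tlvs(body):
        if tag != TAG_COMPONENT_PORTION:
            continue
        for ctag, cvalue in parse_tlvs(value):
            if ctag != TAG_INVOKE:
                continue
            ints = [v for t, v in parse_tlvs(cvalue) if t == TAG_INTEGER]
            if len(ints) < 2:
                raise ValueError("Invoke without opCode")
            opcodes.append(ints[1][0])   # ints[0] is the invokeID
    return opcodes


def inspect_first_component_only(msg, blocked):
    """The behaviour described on the slide: only the first component is checked."""
    opcodes = invoke_opcodes(msg)
    return "reject" if opcodes and opcodes[0] in blocked else "pass"


def inspect_all_components(msg, blocked):
    """Every component is checked, and anything unparseable is rejected (fail closed)."""
    try:
        opcodes = invoke_opcodes(msg)
    except ValueError:
        return "reject"
    return "reject" if any(op in blocked for op in opcodes) else "pass"


# Constructed "double MAP" message: a benign first component followed by the
# operation the policy is meant to block; and a truncated copy of it.
DOUBLE_MAP_MSG = tcap_begin(b"\x00\x00\x00\x01", [invoke(1, 47), invoke(2, 45)])
TRUNCATED_MSG = DOUBLE_MAP_MSG[:-3]

if __name__ == "__main__":
    print([OPCODES[o] for o in invoke_opcodes(DOUBLE_MAP_MSG)])
    print("first-only:", inspect_first_component_only(DOUBLE_MAP_MSG, BLOCKED_FROM_INTERCONNECT))
    print("all       :", inspect_all_components(DOUBLE_MAP_MSG, BLOCKED_FROM_INTERCONNECT))
```

The first-component-only inspector passes the constructed message because component 1 is allowed, while the all-components inspector rejects it on component 2; the same inspector also rejects the truncated copy instead of raising, which is the behaviour an inline filter needs so that a malformed message can never slip through as "not inspected".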
SMART "RISK-DRIVEN" APPROACH
End to End View
Layers: Multi-Access Edge Computing, Access Network, Virtualization, Core network, 5G infrastructure, 4G
Vulnerability testing (across all layers):
- Manual audit
- Fully automated vulnerability identification
- Semi-automated fuzzing
Security Monitoring (across all layers)
Implement appropriate protection (across all layers):
- PATCHING AND VERIFICATION
- HARDENING AND COMPLIANCE
- DESIGN REVIEW AND REQUIREMENTS
- TRAFFIC FILTERING AND CONT FINE-TUNING
Complete Telecom Operator Security
PROFESSIONAL SERVICES | PRODUCTS
NFVi | OSS/BSS
SS7/GTP <> Interconnect
Devices <> IoT
Network monitoring | Signalling NG firewall
To wrap up
Detect: Non-stop real-time threat detection is essential for verifying the effectiveness of network security and supporting rapid detection and mitigation.
Respond: Completely secure your network by addressing both generic vulnerabilities (GSMA) and the threats that actually affect you, as part of an ongoing process.
Audit: Auditing provides essential visibility to fully understand your ever-changing network risks.
Q&A
THANK YOU

 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 

Telecom incidents investigation: daily work behind the scenes

  • 1. DAY BY DAY. BEHIND THE SCENE Incident investigation
  • 2. Today on call - Milan has 14 years’ experience in the Telecommunications Industry. - Joined Positive Technologies in 2019 as a Telco security expert. - Previous roles held in messaging security, specializing in short message service, VAS and AntiSpam. - William has 19+ years’ experience in the Telecommunications Industry. - Joined Positive Technologies in May 2021, responsible for Technical Presales for PT Products and Solutions. - Previous roles held at network equipment vendors include NFVi, Edge Computing. Milan Březina milan.brezina@positive-tech.com William Tiew william.tiew@positive-tech.com
  • 3. - Introduction - Delimitation of Cybersecurity in Telco - Investigation from MNO perspective - Handover to 3rd line support - Real examples from the field - Smart “risk-driven” approach - Q&A
  • 5. On your own journey Securing legacy network Full IoT 5G SA Industrial 4.0 SS7 Diameter GTP SIP 5G SBA NEFF SEPP PFCP Kubernetes OSS/BSS MANO CNF VNF Early IoT MQTT Supply chain API’s Device Security Virtualization beyond core O-RAN MEC Core network virtualization
  • 6. Security driven by money 1-10-100 RULE 1 PREVENTION 10 REMEDIATION 100 FAILURE Remediation costs more than prevention. The cost of fixing bad data is an order of magnitude greater than the cost of stopping at source. Failure costs more than remediation. The costs of remediation are insignificant compared to leaving bad data in place. Our focus should be on prevention.
  • 7. Few facts - Mobile evolution - Regulators & Legislation - Recommendations - Definition of KPIs - Building 360˚ security - Introducing Telco SOC
  • 9. Common types of Cyber attacks MALWARE PHISHING PASSWORD ATTACK DOS ATTACK MITM SQL INJECTION EXPLOITATION OF FLAWS IN ARCHITECTURE SIGNALLING THREAT SIM SWAP DOS ATTACK MITM MALICIOUS CODE OR SOFTWARE PHYSICAL ATTACK ... FEW OTHERS
  • 10. Now what can a Hacker do? Easily From anywhere Any mobile operator No special skills needed Get access to your email and social media Track location of VIPs and public figures Perform massive denial of service attacks From GSM to 5G Different Protocols Same Threats Intercept private data, calls and SMS messages Steal money Take control of your digital identity
  • 12. End to End View
  • 13. End to End View
  • 14. MNO point of view - Trigger point (SIEM, SDR, Monitoring, FW) - Investigation process „Respond“ defined - Telco SOC team responsibility - To describe the situation - To mitigate the situation (W/A, Final Solution) - To find reproduction (Lab, Production) - To find RCA
  • 16. Handover - Lack of resources/skills/knowledge to continue - Collect and share existing progress with 3rd line - Data analysis - Mitigate the situation (W/A, Final Solution) - Provide the reproduction (Lab, Production) - Provide RCA
  • 17. Deliverables - Progress incident report - All collected logs - RCA document - Repro Description of attack
  • 19. Worldwide Telco Security Risks. Based on 70+ telecom security audits finished in 2020/21: ALL LTE networks are vulnerable to Denial-of-Service attacks; 4,000+ attacks hit a mobile network operator on average per day; 75% of mobile networks put subscribers at risk of Geo-tracking; 67% of networks fail to prevent bypass of SS7 protections; 53% of call tapping attempts on 3G networks succeed; 9 out of 10 SMS messages can be intercepted
  • 20. 5G NSA networks are at risk of attacks ... ... because of long-standing vulnerabilities in the Diameter and GTP protocols
  • 21. Common Signalling CyberAttack 2G/3G/4G LTE Subscriber Denial of Service (DoS Attack)
  • 23. Common Signalling CyberAttack 2G/3G/4G LTE Call Interception
  • 24. A) OTP SMS interception. “We have received multiple complaints from our subscribers whose bank account was drained due to delivery of an OTP message via our carrier.” Retrospective incident investigation from the last 90 days:
      Fraudulent event | Number of events | Number of affected subscribers
      IMSI disclosure | 980 | 450
      Fake subscriber registration | 490 | 340
      SMS interception with short number | 2770 | 128
  • 25. How to abuse International / National SS7 network. Nodes: MSC/VLR, HLR, SMS-C, STP, Hacker GT. Message: UpdateLocation: IMSI, Hacker GT
  • 26. How to abuse International / National SS7 network. Nodes: MSC/VLR, HLR, SMS-C, STP, Hacker GT. Messages: UpdateLocation: IMSI, Hacker GT; MO-ForwardSM: A-Num, B-Num, text; SRI4SM request: B-Num; SRI4SM response: IMSI, Hacker GT; MT-ForwardSM: A-Num, IMSI, text
  • 27. B) Voice Calls fraud. Retrospective incident investigation, last 120 days:
      Fraudulent event | Number of events | Number of affected subscribers
      Termination of SMS with alphanumeric number | 5550 | 160
      Termination of SMS with short number | 790 | 100
      Fraudulent voice call redirections | 1700 | 60
    “We can see a very suspicious tendency of MT SMS resembling SMS fraud; we also identified a strange change in our CAMEL platform for some cheap trunks.”
  • 28. Investigation: International / National SS7 network. Nodes: MSC/VLR, HLR, STP, SCP, RAN, Hacker GT. Message: InsertSubscriberData: IMSI, SCP=Hacker GT
  • 29. Final attack: International / National SS7 network. Nodes: MSC/VLR, HLR, STP, SCP, RAN, Hacker GT. Messages: CAP InitialDP: A-Num, Cheap number; CAP Connect: Expensive number
  • 30. C) Double MAP. „We can see messages which are directly sent to the HLR; it seems like a good reason for abusing our Home Routing solution.“ Retrospective incident investigation, last 24 days. Double MAP / HR bypass / MiTM:
      Site 1 | 15563 | 265
      Site 2 | 16522 | 200
      Site 3 | 13863 | 370
  • 31. Double MAP component. TCAP: Message Type (mandatory); Transaction IDs (mandatory); Dialogue Portion (optional); Component Portion (optional): Component 1, Component 2. The SS7 FW checks a subscriber's ID in the first component, considering the other data as a long payload not meant to be inspected.
  • 32. Double MAP component attack STP HLR SS7 FW SMS Router TCAP Begin SendRoutingInfoForSM_REQ StatusReport_REQ Send the message to the SS7 FW for inspection Inspect the first component only and pass the message into the network
  • 33. Double MAP component attack STP HLR SS7 FW SMS Router TCAP Begin SendRoutingInfoForSM_REQ StatusReport_REQ TCAP Continue Reject
  • 34. Double MAP component attack STP HLR SS7 FW SMS Router TCAP Begin SendRoutingInfoForSM_REQ StatusReport_REQ TCAP Continue SendRoutingInfoForSM_REQ TCAP Continue Reject
  • 35. Double MAP component attack STP HLR SS7 FW SMS Router TCAP Begin SendRoutingInfoForSM_REQ StatusReport_REQ TCAP Continue SendRoutingInfoForSM_REQ TCAP Continue Reject TCAP End SendRoutingInfoForSM_RES Reject
  • 37. End to End View
  • 38. Multi-Access Edge Computing Access Network Virtualization Core network 5G infrastructure 4G Vulnerability testing Manual audit Fully automated vulnerability identification Semi-automated fuzzing
  • 40. Multi-Access Edge Computing Access Network Virtualization 5G infrastructure 4G Implement appropriate protection PATCHING AND VERIFICATION HARDENING AND COMPLIANCE DESIGN REVIEW AND REQUIREMENTS TRAFFIC FILTERING AND CONTINUOUS FINE-TUNING Core network
  • 41. Multi-Access Edge Computing Access Network Virtualization Core network 5G infrastructure 4G Complete Telecom Operator Security PROFESSIONAL SERVICES PRODUCTS NFVi OSS/BSS SS7GTP < > Interconnect Devices < > IoT Network monitoring Signalling NG firewall
  • 42. To wrap up. Detect: non-stop real-time threat detection is essential for verifying the effectiveness of network security and supporting rapid detection and mitigation. Respond: completely secure your network by addressing both generic vulnerabilities (GSMA) and the threats that actually affect you, as part of an ongoing process. Audit: auditing provides essential visibility to fully understand your ever-changing network risks.
  • 43. Q&A
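The three recommendations given with the examples above (reject an inbound registration from abroad while the subscriber is attached at home; filter same-network-only operations such as InsertSubscriberData whose source network does not match the addressed subscriber's; inspect every TCAP component of every message type and route SRI4SM through the SMS router regardless of type) can be written down as a small rule set. The following Python is an added example, not code from the deck or from Positive Technologies' products: the GT prefixes, IMSIs, VLR state, operation sets and the hacker GT are all constructed, and the "first component only" policy is kept beside the hardened one only to show how the double MAP sequence slips through it.

```python
# Added example (not from the deck): a toy signaling-firewall policy modelling
# the checks the speakers recommend. Every prefix, IMSI and GT is constructed.
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed topology: PLMN id (IMSI prefix MCC+MNC) -> GT prefix of that network.
NETWORK_GT_PREFIX = {"23001": "42060", "20404": "31020"}
HOME_PLMN = "23001"
HOME_GT_PREFIX = NETWORK_GT_PREFIX[HOME_PLMN]

# Constructed VLR view: IMSI -> GT of the VLR currently serving the subscriber.
SERVING_VLR = {
    "230010000000001": "42060100001",   # attached at home
    "230010000000002": "31020100001",   # roaming in the 20404 network
}

# Operations that must always be routed via the SMS (home) router, and operations
# that may only arrive from the addressed subscriber's own network. Assumption:
# a real deployment takes these sets from the GSMA category lists.
SMS_ROUTER_OPS = {"SRI4SM"}
SAME_NETWORK_OPS = {"InsertSubscriberData"}

HACKER_GT = "99900000001"   # constructed source outside every known prefix


@dataclass
class Component:
    op: str                     # MAP operation name
    imsi: Optional[str] = None


@dataclass
class Tcap:
    msg_type: str               # "Begin", "Continue" or "End"
    calling_gt: str             # SCCP calling party GT (message source)
    components: List[Component] = field(default_factory=list)


def network_of_gt(gt: str) -> Optional[str]:
    """PLMN id whose GT prefix matches, or None for an unknown source."""
    return next((n for n, p in NETWORK_GT_PREFIX.items() if gt.startswith(p)), None)


def check_component(calling_gt: str, c: Component) -> str:
    """Verdict for one component: FORWARD, ROUTE_TO_SMS_ROUTER or BLOCK."""
    if c.op in SMS_ROUTER_OPS:
        return "ROUTE_TO_SMS_ROUTER"
    if c.op == "UpdateLocation":
        # OTP example recommendation: no foreign registration while the
        # subscriber is currently served by a home VLR.
        serving = SERVING_VLR.get(c.imsi or "")
        if (serving and serving.startswith(HOME_GT_PREFIX)
                and not calling_gt.startswith(HOME_GT_PREFIX)):
            return "BLOCK"
    if c.op in SAME_NETWORK_OPS:
        # CAMEL example recommendation: source network and the addressed
        # subscriber's network must be the same, otherwise filter out.
        if c.imsi is None or network_of_gt(calling_gt) != c.imsi[:5]:
            return "BLOCK"
    return "FORWARD"


def weak_decision(msg: Tcap) -> str:
    """The behaviour the deck describes as exploitable: only the first component
    of a TCAP Begin is inspected; Continue/End ride the already open transaction."""
    if msg.msg_type != "Begin" or not msg.components:
        return "FORWARD"
    return check_component(msg.calling_gt, msg.components[0])


def hardened_decision(msg: Tcap) -> str:
    """Double MAP recommendation: inspect every component of every TCAP message
    type, send SMS routing operations to the SMS router regardless of type, and
    drop multi-component transactions that carry an SMS routing operation."""
    ops = {c.op for c in msg.components}
    if len(msg.components) > 1 and ops & SMS_ROUTER_OPS:
        return "BLOCK"
    verdicts = [check_component(msg.calling_gt, c) for c in msg.components]
    if "BLOCK" in verdicts:
        return "BLOCK"
    if "ROUTE_TO_SMS_ROUTER" in verdicts:
        return "ROUTE_TO_SMS_ROUTER"
    return "FORWARD"


def replay_double_map(policy) -> List[str]:
    """Replay the two-step sequence from the double MAP slides, return verdicts."""
    sequence = [
        Tcap("Begin", HACKER_GT, [Component("StatusReport"), Component("SRI4SM")]),
        Tcap("Continue", HACKER_GT, [Component("SRI4SM")]),
    ]
    return [policy(m) for m in sequence]


if __name__ == "__main__":
    print("first component only:", replay_double_map(weak_decision))
    print("every component     :", replay_double_map(hardened_decision))
```

With the first-component-only policy both steps of the sequence are forwarded to the HLR, which is the bypass the speakers describe; with the hardened policy the Begin is dropped for mixing an SMS routing operation into a multi-component transaction and the follow-up Continue is steered to the SMS router. The same `check_component` also handles the UpdateLocation and InsertSubscriberData cases from the earlier two examples, and because `hardened_decision` ignores the TCAP message type, a Continue carrying InsertSubscriberData from an unknown GT is blocked too.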

Editor's Notes

  1. Small talk: Covid, weather. WT: Let's get started. Welcome everyone on this call. I can see XX attendees, which means there is nothing better on TV, so you decided to stay with us for the next 60 minutes and we really appreciate it. MB: We will also do our best to make the following 60 minutes interesting and useful for you. WT: But... before we move on, let us briefly introduce ourselves to that part of the attendees who do not know us yet.
  2. WT: This is the agenda for this call. In its first part we lead you from the introduction through some definitions to the typical investigation process. MB: The second part starts at the time when „us“ or any other vendor providing a so-called „Incident Investigation service“ takes over the activity and continues the investigation. WT: Indeed, we are going to discover a few real examples, fully anonymized, as I can see some representatives on the call have been working with us on these tasks. MB: Anyway, there always must be some message for those who want to adopt some lessons learned... and in the final part of this call, we are going to show you what such a smart approach should look like. WT: So far, so good; at the end we welcome some challenging questions from your side. MB: Alright, going to the Introduction... not yet, just a small comment: in a human's life there are some sad events, and today I am going to the funeral of my best friend's father, so my presence here will be limited to one hour. In advance, sorry for this inconvenience.
  3. MB: And here we are, a brilliant slide with the introduction, can't imagine better. WT: Too fast, „Milan“, it starts afterwards. CLICK
  4. WT: So here we've got a corn seed, saying that every MNO is on its own journey and every step introduces new opportunities for bad actors. MB: I am curious why you have chosen just this corn. WT: That's a long story, „Milan“. MB: Anyway, „William“ tried to say that there aren't two identical MNOs, two identical infrastructures, two identical cybersecurity levels; that's why the approach can't be copy/paste.
  5. WT: After a corn seed we get to the Egyptian pyramid, which in a nutshell says... or better... it is a justification for the initial investment into security, which is very, very challenging for some SOC teams when trying to get some budget for such activities. MB: I would only correct you: this is a quality management concept developed by Mr. Loabovitz and Mr. Chang in the past... WT: Really? Good to know... MB: Not at all, man... but let me finish here: it says that remediation costs more than prevention and failure costs more than remediation. +++++ The 1-10-100 rule is a quality management concept developed by G. Loabovitz and Y. Chang that is used to quantify the hidden costs of poor quality. When relating the concept to data quality it must be recognized that the principle, rather than the exact numbers, will apply. So how does it work? The 1-10-100 rule refers to the hidden costs of waste associated with poor quality. Remediation costs more than prevention. The principle suggests that the cost of fixing bad data is an order of magnitude greater than the cost of stopping it from entering the system. These costs may be obvious: we may set up back office teams that are responsible for validating and correcting errors created in the front office. In effect we are spending money to capture data twice. Failure costs more than remediation. Yet the costs of remediation pale into insignificance when compared to the costs of leaving bad data in place. Poor quality data impacts our ability to operate. If we invoice the incorrect amount then we don’t get paid. If we deliver to the wrong address then we have to pay for another delivery. If we provide the wrong risk assessment then we increase our chance of a bad debt. Our focus should be on prevention. Far too many data quality initiatives are focused on remediation after the fact. What is your company doing to stop bad data from entering your systems?
The rule explains how failure to take notice of one cost escalates the loss in terms of dollars. There are many costs of non-quality, such as: (1) prevention, (2) appraisal, (3) internal failure, and (4) external failure. Of these types of costs, prevention cost should probably take priority because it is much less costly to prevent a defect than to correct one.
  6. WT: Our internal statistics say that despite the fact that we live in the „5G era“ CLICK, which means a pretty mature system with quite a long history, the number of attacks which are doable is still too high. MB: You are right, despite the fact that we face the pressure from CLICK national regulators and new legislation or all kinds of CLICK recommendations from GSMA and a few others. WT: Nice to hear from MNOs that they are defining CLICK their KPI plans or CLICK building their 360 security... MB: ...or in recent years CLICK they introduced brand new Telco SOC teams. WT: To me this should be enough to eliminate the majority of serious issues, which is still not true. MB: How do you explain that, „William“? WT: Maybe our valuable attendees might now use the chat and write down how they see it. MB: I have the only explanation, and sorry to be so direct: „lack of experience“, „thoroughness“ /fforones/ and the all-around-present human factor, which we call „laziness“. WT: No offence, but do you have some evidence? MB: Sure, pardon me as this will be a commercial break; you can use it for your refreshment. Back to your question. I worked many years close to „service support“, and always if we talked about a critical system such as, for example, the SMSC, every new situation had to be reported and immediately fixed as the MNO was losing money. A perception of many people is that security does not work like this. WT: Are you saying that if MNO revenue is not directly impacted, there is no effort to solve it ASAP? MB: You said it correctly. How else do you explain the simple fact that MNOs we worked with started their own investigation a week, a month, sometimes several weeks after someone struck them? WT: Again, we kindly turn to our attendees from the field: if you can use the chat box, Milan will try to answer your questions.
  7. WT: Also, when looking at security, or cybersecurity if you wish, we have two points of view.
  8. WT: From the IT perspective and from the Telco perspective. MB: There are a few representatives from the IT leg CLICK WT: Followed by the Telco leg CLICK; indeed they have some in common, but in general we need to have a look at the Telco world with a different pair of eyes. MB: For today we work on the assumption that we live in the Telco world. Malware – take control over the system. Phishing – sending confidential data to the attacker. Password – brute force. DoS – useless traffic, service. MiTM – interruption, modification, eavesdropping. Signaling threats – location tracking, private data or network data disclosure, taking control of digital identity, stealing money.
  9. WT: I believe many of you have already seen this slide, but the message we want to convey is that still „we“, you on the call, your colleagues, your family members, friends... can be the victim of a cyber attack, regardless of where you stay or what MNO you are attached to. B: Despite all you've seen a few slides ago as „FEW FACTS“, many of us become victims or target victims. Another commercial break. Time by time, or better often... the skill set of the intruder moves ahead of the pace of technologies, from traditional GSM to present 5G. A: I believe most of you regularly receive some text message, or even a recorded voice call, asking you to press button “9” to continue; this is a phishing technique. The intruder can even fake the sender ID, sending email on behalf of the regulator or even your higher management... B: Exactly, many times we see that fake emails from C-level management are ignored but fake emails from your direct reporting person are answered. A: That is the trick, because they know the Covid-19 pandemic has changed the working culture; you are no longer face to face in the office with your superior. This is the chance the intruder uses: they know how important it is for a person to secure a job during the Covid-19 pandemic, and we see cyber attacks significantly increase. B: Nice try, or the second example with which „William“ answers your question why it takes so long. When we do „Secret or Hidden Scanning“, only the C-level is aware of the date/time/scope, and they do nothing but just wait till their Blue team / SOC team identifies this malicious behaviour and, according to the process, triggers some measures. A: Perhaps you're right, „Milan“; we know that the response does not always come shortly, sometimes never. B: And this is too sad. A: Telco SOC skill sets need to move ahead of the pace of the intruder in order to protect their end subscribers; lack of visibility of assets and lack of experts are making the situation worse than ever.
  10. MB: We use this opportunity to show you how we see it from the customer side. WT: Also here you can comment and share your thoughts in the chat box.
  11. WT: Looking at mobile architecture and infrastructure growth, the security view does not ONLY apply to the new upcoming 5G, but also to existing NEs and infrastructure. MNOs cannot stay focused on a certain node; they need to have an end-to-end view, from the end user, to the RAN, to the mobile core, and toward the IPX.
  12. MB: It should be more complex, hence we talk about the End to End view. WT: One view can be focused on a very low level positioning where security is based on the way down to the chipset, for instance, very handy when we employ thousands of IoT devices (for smart home, smart city, industries). MB: Next, the other part is traditionally the interconnect security, regardless of whether we talk about services or products. WT: In the middle we can find consolidating technologies in 5G. We can see from the central office for vEPC, virtualization, NFV, containerized environment, moving down to edge security of MEC, as well as 5G New Radio. MB: If we stick to 5G SA we can name a Service Based Architecture and new protocols coming there, as these protocols are used very, very widely in the IT world, like HTTP/2, where hackers have a lot of experience and can reuse these vulnerabilities. WT: So the tendency is to shine all light into your network, and you can proudly say to everyone: I see my assets with E2E visibility, not only stress certain points.
  13. MB: Let me stress this fact a bit. To start doing any kind of investigation, there must be a trigger for the situation. It might arrive from the SIEM when doing CDR inspection, from monitoring, or from FW logs. CLICK WT: We know the trigger is there, so we have a situation, but what to do now? This has to be described somewhere so that every stakeholder knows what to do. CLICK MB: I assume these days it is mainly the Telco SOC's responsibility. CLICK WT: Yes, it is supposed to be. What is also very important is a full and clear description of the situation, and collecting all the available logs from several systems. CLICK MB: Then do a brainstorming and voilà, give me the final solution or at least a workaround. CLICK WT: Nice to have is a MOP on how to reproduce such a situation, as this might be very useful in the future. CLICK MB: Last but not least, we need to report it to the C-level and we need to create a story about it. CLICK On Demand – this is usually an unplanned activity, which has to be executed without any delays. Best practice approach supported by our huge signaling experience in this field. Reproduction – if the customer agrees, we will provide a reproduction scenario. Swift workaround. Remediation validation. Protection of corporate reputation. Limiting future fines.
  14. WT: From the MNO standpoint, I believe they are experiencing this situation, and a good sign I see at the majority of MNOs I am dealing with: they do not give up... But sometimes they are in a situation where they are totally out of ideas how to proceed further; the incident investigation has reached a dead end. MB: Then the last resort option is to turn to experts in the field and ask for help. Now the beauty of handover support starts. Question to Audience: Did you ever engage with Third Line Support for Incident Investigation? (Y/N)
  15. WT: Handover: what does it mean, what is the typical process, and what is then the customer expectation? MB: Let's call your experts in the field... 3rd line support for a moment... If we omit the legal part, NDA and other agreements... there is always a handover where the 2nd line shares all the existing materials, captured traces, logs and many others with the 3rd party. WT: And these experts do start their own journey; investigation by experts is possible because most MNOs keep the raw signalling traffic for at least 3 months. MB: But the expectation does not differ from the one on the previous slide. There is serious pressure to provide the customer with a workaround, if not today, then already yesterday. WT: Yes, that's true. One highlighted fact, it is not rare, that's why I am telling this: during the reproduction the experts in the field are able to discover related issues/vulnerabilities, get deep into the technique used by the intruder, expose and discover the impacted subscribers, down to a list of IMSIs, so at the end of the day the customer gets much more visibility and lessons learnt together with 3rd Line Support.
  16. MB: As you mentioned what the customer gets, here is just a brief list of deliverables, not always only documents; it is getting common that all the extra logs, traces, TCP dumps are enclosed with the report. CLICK WT: And it sometimes happens that such logs disappear from the customer's storage overnight, for obvious reasons.
  17. WT: As we promised 40 minutes ago, here you are: there are 3 real examples, which all date from 2021.
  18. MB: Actually, before the examples, let us share a few statistics collected during this and last year. WT: As you can see, this is nothing we could call positive; it is worse than I wish. Indeed, these are our numbers from security audits and this might be a misrepresented picture of the situation, as we must admit those MNOs which are well protected don't give us the opportunity to prove it and improve the final picture. Anyway, those who gave us the chance we included in these slides. MB: When talking about attacks... CLICK...
  19. MB: ...we maybe show this one, as this reflects the most serious attacks seen on the Diameter and GTP perimeter.
  20. WT: Nothing to add, just that we can visualize some of them like this. MB: Despite the fact that we could show many more examples, we've decided to cherry-pick another 3 examples and uncover something of the day-by-day duty behind the scenes... 3x CLICK (new slides on each cyberattack)
  21. WT: SMS interception: this causes the OTP/TAC of a credit card to be stolen.
  22. MB: Call interception: eavesdropping is what the intruder did, being a silent listener.
  23. WT: So this is our first example. Everything starts with some description, so this is what we've got from the customer. It is clear that we had to deal with a fraud case. WT: Already now we can show you the results, what the retrospective incident investigation focused on the last 90 days uncovered. MB: To be more concrete... An external intruder registered the victim subscriber on a fake mobile network. After that, the intruder performed an attack on the banking account of the victim subscriber and requested a money transfer to their accounts. The banking 2FA system sent an OTP SMS to the client’s device. Since the client’s device had previously been registered on the fake network, the Customer's network redirected the OTP SMS to the intruder’s equipment. Thus, the intruder was able to confirm the money transfer transaction using data from the OTP SMS.
  24. WT: What has happened? CLICK Sending the UpdateLocation CLICK message using the IMSI of a target subscriber and the Hacker GT as the new MSC and VLR, the hacker is able to disturb voice call and SMS services for the subscriber, intercept incoming SMS messages, and redirect incoming voice calls, if we list the options, all based on a known IMSI. (CLICK)
  25. MB: Correct, CLICK as you can see, it was not a big deal for the intruder to complete the activity. CLICK 4x. From other social engineering steps preceding this redirection he or she got the bank account credentials of our victim, and the one last step needed was to transfer the money and type the confirmation code from the OTP message. WT: Crazy, considering the fact how many people have been affected and how much money was lost. WT: Recommendation: We identified the source address, so the main recommendation is to block all incoming SS7 messages from this source in order to avoid this kind of fraud from these guys in future. Then we saw that some of the subscribers were still affected after the fake registration. So, the recommendation is to make a forced Location Update procedure on the list of these subscribers. Block incoming signaling messages which may lead to IMSI disclosure, as it was the first step of the attack. Block incoming registrations if the requested subscriber is currently located in the home network.
  26. WT: The second story is like this; again we have a message from the MNO followed by real numbers (rounded). MB: As you can see, not only the voice call issue was discovered during the investigation; typically, if anything happens, it is not an isolated activity. WT: The first issue is connected with grey SMS termination on the Customer's network. In the observed period, some short messages were terminated from the intruder’s host; some of them are A2P SMS. MB: The second issue is connected with voice traffic fraud. An intruder changed the CAMEL platform address in the VLR node for one subscriber, having control over the outgoing voice calls of the affected subscriber. The subscriber made voice calls to a cheap trunk and the intruder redirected the calls to a more expensive route.
  27. MB: So, how we investigated. First, the hacker sends the InsertSubscriberData message CLICK to change or insert a serving SCP address in the subscriber's profile. The new SCP address is under the hacker's control. CLICK 2x
  28. MB: When the target subscriber makes a call, the CAP InitialDP message goes to the Hacker’s GT instead of the legal SCP node. Then the hacker can send a CAP Connect signaling message with a number in a much more expensive direction. 5x Click RECOMMENDATION: The recommendation is to block GSMA FASG category 2 signaling messages. That means the border equipment like the STP or signaling firewall should check if the source and the addressed subscriber belong to the same network. If not, the request should be filtered out.
  29. WT: Another very unique and working attack technique; it works for SS7, Diameter, GTP. Let’s see how the intruder can use a double MAP component signaling message to bypass the protection.
  30. MB: Let's start with the fact that a TCAP message can carry multiple components within the same TCAP ID. The hacker worked on this assumption, expecting the signaling firewall wouldn't check, or better would ignore, the second optional component. CLICK WT: In this case each MAP component defines its own operation, and subscriber identifiers in these operations might be different. When the signalling firewall inspects such a double component message, it checks the subscriber’s identity in the first component, considering the other data as a long payload not meant to be inspected.
  31. MB: Now a real example. As you can see in our investigation, we identified a request for a status report followed by an SRI4SM request. Nothing suspicious, isn't it? The STP sends this message to the SS7 firewall, which inspects the first component only, determines that the operation is not suspicious, and forwards the message to the destination node. CLICK 6x
  32. WT: From the HLR's point of view this combination of components is not valid and that's why the HLR returns a REJECT error. If we pay attention to some details in this response, we will find that the message type on the TCAP layer is “Continue”. That means something like this: I don’t understand you, please repeat your request within the same transaction. 3x Click
  33. MB: As you can see, there is an unexpected behaviour, as we see now that the originator used the TCAP Continue to submit a new message where only the SRI4SM remains. 2x Click As we move further in the state machine of the STP and SS7 FW, we can notice that such a message is being accepted and delivered to the HLR. You can see why not, but this is the trick: the STP is not supposed to send SMS-related messages directly to the network elements but via the SMS Router, which was actually bypassed this time. CLICK
  34. WT: This is correct, you could see the „lateral movement“ abusing the „double MAP“ component, which was used to get the real subscriber IMSI. 3x Click Recommendations: Redirect SendRoutingInfoForSM messages to the Home Router regardless of the TCAP message type, and also configure security means to block illegal operations based on multi-component TCAP transactions. Or just block all strange multi-component requests. It is easier and more effective.
  35. WT: We are slowly approaching the finale /finali/ of this call and as always there should be any message to you, some advice, something which might be catchy and your take away from this call, I hope some / majority of you can benefit from this webinar B: And here we are, this is what can be called „risk driven“ approach ... What is it „William“?
  36. WT: Let me go back to the slide which opened this section, maybe one step back. Then we get to the point where we apply our pro-active approach on every red point. This will then result in source of knowledge about your today cybersecurity level. MB: OK, and how to get this source of knowledge? WT: Let me show you. ... CLICK
  37. MB: If we simplify the previous slide we get 4 areas of interest. There we have Access network, Core network, MEC and Virtualization CLICK WT: These tell you to Vulnerability testing for the Access, because there are hundreds or thousands of base station in the wild. - Run it for the Core, because it is 100% exposed to the IPX - Run it for the Virtualization infrastructure, because vendors deliver it as a black box – which is unacceptable from security pint of view. - And run it for the MEC - if you already have one – because no one knows what will be there. MB: correct, we might find issue, probably: - Software vulnerabilities in the Access - Lack of architectural security in MEC - No security policies for NFVi - Misconfigurations in the Core WT: What next? How to address these issues? This is what pops-up mind when looking at this slide....
  38. MB: one of the ways to start is with getting visibility of what is happening in the wild. We already know a lot about our weaknesses, but can we escape from them immediately? .... NO! WT: We know very well how the MNO processes and policies work: WT: Can we patch all unpatched systems? – MB: Not that fast! WT: Can we ask for security hot fixes from vendors? MB: Please have a seat and wait, it is in the roadmap. WT: Can we apply some config changes to make the network more robust? MB: NO, you need to test it first. .... 2 sec silence... WT: We have a lot of constraints for security. MB: But we know how to efficiently work in this tough environment - do start threat detection and plan response, because security monitoring is essential to provide rapid detection and mitigation. WT: Exactly. It makes absolutely no sense to try to create proactive protection via building borders – the network and services are already exposed – more than ever before – and having visibility over it is the only way to enforce control and protection.
  39. MB: You can have an audit report in your hand, you can get the best monitoring solution, but neither one saves you from troubles unless you implement protection. CLICK WT: Of course, but please do not confuse protection with a function. It is a goal, and it can be achieved in many ways – it is our mission to find the most effective, applicable for the customer’s environment and cost-efficient solution. MB: Indeed, it can be Patching and verification, or Hardening and compliance, or Design review and security requirements, or Traffic filtering and continuous fine-tuning. WT: All of this can take place where it is needed and when the timing is suitable.
  40. WT: So we get to the final slide of our presentation. I hope we managed to explain the right approach to telecom security, which helps against unwanted and unexpected situations which directly or indirectly affect your reputation and revenue but also your quality of service. CLICK This approach should be just enough to do the main jobs and help with the most important tasks. It should be cost-efficient, because this is the only way security teams can demonstrate value to the business. Of course, today it is also about creating trust and assurance in technologies. MB: Our message is that no one is perfect, and today we presented that there are companies which can help you anytime you need. WT: There will always be a likelihood that someone can strike you, but with well arranged processes, the subsequent investigation and response will become much more efficient and fast...... MB: Indeed, I wish no more investigation months after the situation.
  41. MB: And here we are, this was our last slide. We really appreciate that you stayed with us until this point, thank you. WT: As we are good on time, we can immediately proceed with your questions .....