Security is very much like insurance: not many people understand it in detail, but everyone gets it when things go wrong. With 5G increasingly turning mobile networks into the backbone of the digital society, telco-specialized security expertise is paramount for preventing incidents, simplifying their handling and accelerating their remediation. As part of our data-driven operations blog series, Annie Turner spoke to Eric Sisi, Service Portfolio Director – Security, Ericsson, about how evolving, multi-strand approaches are securing telcos’ infrastructure in the 5G and cloud era.
Eric Sisi has been in his position for almost four years. Based in Reading, UK, he previously had long stints at the security solutions vendor McAfee and before that, Oracle.
“Security is not just a set of tools used to deliver a certain security outcome. Those tools support the evolution of security frameworks and paradigms that have continued to mature ever since the first crude attacks, such as the viruses we saw on PCs spread using floppy disks,” he says.
He adds that vendors like Ericsson design solutions with the obligation to address fundamental security threats and attack vectors in mind, from their inception. In support of this, Ericsson is fully engaged with the established standards organizations that develop the framework for telecoms, such as GSMA, 3GPP, BIS and others. Now, “As telecoms move into 5G, the environment is becoming more like IT and therefore will be subjected to the same type of attacks we’ve experienced in enterprise,” Sisi says.
Hence efforts are underway to develop a security knowledge base for telecoms that is similar to MITRE ATT&CK (for Adversarial Tactics, Techniques and Common Knowledge) for enterprises. The original was released in 2013 by MITRE, a not-for-profit organization with roots in the military. MITRE ATT&CK came out of research that emulated adversaries’ and defenders’ activities for better detection of post-compromise threats using telemetry sensing and behavioural analysis.
Sisi explains that MITRE ATT&CK “contributes to our efforts put on designing products that are security-aware from their inception and that can be integrated into an environment that works with current and future security monitoring systems, security detection systems and security mitigation mechanisms. This makes networks resilient against cyberattacks and provides the consumers and businesses using those networks with a relatively high level of confidence in using them.”
Tracking traffic patterns
The ability to recognise traffic patterns has long been used by enterprises to protect their networks, especially with the power of analytics and machine learning to look for anomalies, and it is particularly important here. The critical issue is setting the baseline for what normal network behaviour is. Sisi observes, “That’s one big thing that Ericsson can bring to customers, especially from a managed services perspective. We know what a good network looks like.
“Using baselining methodologies, you can deploy novel technologies that examine traffic patterns and the behaviour of certain elements in a network to discover if anything strange is happening, then initiate an incident response to investigate and mitigate a potential bad actor or other issue that may not be related to an attack.”
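The baselining approach described above, as an added example that is not Ericsson's code: a per-element baseline is learned from a training window of constructed traffic counters, new samples are scored against it, and an incident is raised only when the deviation is sustained, so a single noisy interval does not trigger a response. Element names, interval lengths and thresholds are assumptions.

```python
"""Baseline-driven anomaly detection over per-element traffic counters."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed training telemetry: (element_id, interval_index, bytes_per_interval).
# Two elements with mildly periodic but otherwise stable traffic.
TRAINING = [("gnb-01", i, 1000 + (i % 5) * 20) for i in range(48)] + \
           [("gnb-02", i, 5000 + (i % 7) * 50) for i in range(48)]

def build_baseline(samples):
    """Return {element: (mean, stdev)} learned from the training window."""
    per_elem = defaultdict(list)
    for elem, _idx, value in samples:
        per_elem[elem].append(value)
    # A constant series has stdev 0; fall back to 1.0 so scoring stays finite.
    return {e: (mean(v), pstdev(v) or 1.0) for e, v in per_elem.items()}

def score(baseline, elem, value):
    """z-score of a new sample against the element's own baseline."""
    mu, sigma = baseline[elem]
    return (value - mu) / sigma

def detect(baseline, stream, threshold=4.0, min_consecutive=3):
    """Return incident records. A 'sustained deviation' incident is raised on
    the interval where |z| has exceeded threshold min_consecutive times in a
    row; an element with no baseline is itself reported, never silently scored."""
    streak = defaultdict(int)
    incidents = []
    for elem, idx, value in stream:
        if elem not in baseline:
            incidents.append({"element": elem, "interval": idx, "reason": "no baseline"})
            continue
        z = score(baseline, elem, value)
        streak[elem] = streak[elem] + 1 if abs(z) > threshold else 0
        if streak[elem] == min_consecutive:
            incidents.append({"element": elem, "interval": idx, "z": round(z, 1),
                              "reason": "sustained deviation"})
    return incidents

# Constructed live window: gnb-01 stays normal, gnb-02 surges after its first
# interval, and gnb-09 has never been seen before.
LIVE = [("gnb-01", 48 + i, 1040) for i in range(4)] + \
       [("gnb-02", 48 + i, 5200 if i == 0 else 40000) for i in range(5)] + \
       [("gnb-09", 48, 10)]

if __name__ == "__main__":
    for incident in detect(build_baseline(TRAINING), LIVE):
        print(incident)
```

The incident record is the hand-off point to the investigation step Sisi describes; a surge that only lasts one interval never reaches it.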
Those security solutions designed for telecoms operations are evolving. Sisi comments, “The security industry is only now catching up with what’s going on in telecom networks because until very recently carrier networks were closed operations. To do something bad in those networks, to disrupt them, you had, for the most part, to be an insider.”
As network functions move into the cloud, that infrastructure is becoming far more open, so every organization responsible for deploying and operating those networks must be able to monitor their behaviour. Sisi says, “We work with our research organization, developing use cases that use analytics and machine learning to detect specific types of activities in the network. Then we can deploy them across our solutions. We also work with partners in the security industry to build use cases that are telecom-specific using methodologies and tools that until very recently were only focusing on enterprise environments.”
Who are you, really?
Identity management is another established discipline, but it is evolving. Sisi states, “It is getting much better with the introduction of different methodologies to authenticate the identity of an individual or a workload. Verification and authentication are extremely important: they provide the foundation for a secure operating environment.”
Increasingly, machine learning-based identity management systems include usage pattern recognition to strengthen authentication, assessing whether a specific action is typical for that identity on a certain service. For example, if an individual typically spends €100 monthly on Amazon but places a €10,000 order, the order will be flagged as an anomaly. Sisi says, “The service provider has an obligation and responsibility to confirm that the person has been authenticated correctly. It is a partnership.”
He adds, “Increased resiliency depends on the level of standards in the development, construction and implementation of telecom networks”, and the Extensible Authentication Protocol (EAP) is an important part of that standardization; it too is increasingly being used together with other technologies. EAP is a messaging format that can be embedded in the protocols used to authenticate various kinds of connection, and it complements new methods for encrypting communications and authentication.
“We are also moving to transport layer security or TLS – we’re currently on version 1.3 but starting to talk about 1.4 – to make authentication even more secure by sending a standard type of authentication message or content between different points. Such protocols must evolve to secure evolving and new operational environments for telecoms, such as cloud based services,” Sisi states.
AI, analytics and automation
How do the three ‘As’ fit into the evolving security framework? Sisi believes “we are past the hype curve with AI in telecoms. Practitioners understand how to use machine learning, especially for huge datasets that can provide a secure outcome, but you always need the security practitioner to understand what those outcomes are because it’s very hard to train models to be accurate, while constantly watching and verifying its recommendations to make sure no bias has crept in.”
He adds, “The key is to identify the proper datasets and the right data elements within the data sets to produce the desired results from analyses. The technology is getting better and better, and becoming more useful, but there’s still a lot of progress needed. Also, the AI must be complemented by solid security solutions, so that Security Operations (SecOps) for instance, can produce the expected results in the most effective way.”
Next, Sisi says, “As well as maturing methods we’ve developed over the last five years, we are expanding the capabilities of AI/ML models; for instance, to learn more about what the network looks like and find things that we would miss when using a normal surveillance system.
“Today, we are at the machine learning phase. The next step is machine reasoning. Currently, we use basic playbook capabilities, where you can automate activities after a certain type of incident, but you still need a human to write the policy or rule that triggers the action. That’s not reasoning, that’s automation. With machine reasoning, the system will constantly monitor the network, and make decisions about reconfiguring or responding in a certain way to a suspicious incident. That’s going to be really interesting.”
Micro-segmentation is another approach to network resilience: a micro-segment is created in the network around an area where an issue has been detected, until that issue can be identified and remedied. Sisi comments, “That’s a basic type of response, but with more research, it could be expanded to the point that a whole town might suddenly be moved onto a different type of network because of a direct attack on that town’s infrastructure. Solutions like that will be feasible in the next three years or so.” How well operators coped with massive shifts in network traffic patterns and soaring demand during lockdowns shows promise.
Sisi places great emphasis on vendors, enterprises and operators constantly practicing their responses to potential threats: “It amazes me that some customers, especially in the enterprise sector, do not exercise fundamental incident response processes and capabilities to be ready to face cyberattacks.”
He points out, as an ex-military person himself, “In peace time, the military does exercise all the time”. He was involved with responding to some of the most notorious ransomware attacks, including NotPetya and WannaCry, and says, “The fundamental factor is always a lack of basic education about security and no exercising of the response capabilities. I advise customers to exercise, to look at how they’d respond. That’s key.”
He adds, “Despite looking at using the best security systems available, I don’t think we will ever rely on a fully automated response system. There will always be a human element to security, as in many other things. Unless you exercise that human capability constantly, especially in today’s world where talent is so difficult to find and especially in security, you’re open to suffering some kind of disaster.”
“The more operators can demonstrate that their networks are safe and secure, the better it is for their business. Every day, however, bad actors try to disrupt telecoms networks because they are the foundation of a lot of the economic, defence and government activities,” Sisi notes.
Yet many of the worst network outages are caused accidentally by engineers, often during network maintenance and upgrades. He says, “We are addressing this – developing an AI- or machine learning-based solution that can predict the likelihood of commands sent to a particular element being incorrect, based on understanding the behaviour of activities on that network element in the past, thus reducing the risks and making networks more reliable.”
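One simple way to realise the idea in the quote above, as an added example and not Ericsson's model: a frequency model of each element's past commands estimates how routine a newly submitted command is, and rare or never-seen commands are held for a second pair of eyes before execution. The element names, command strings, smoothing weights and thresholds are constructed assumptions.

```python
"""Risk triage of operator commands from a network element's command history."""
from collections import Counter, defaultdict

# Constructed history: (element_id, command). Counts mimic an element that
# is mostly read and committed, with one rarely used reboot on a sibling.
HISTORY = (
    [("core-upf-1", "show interfaces")] * 40
    + [("core-upf-1", "set interface ge-0/0/1 mtu 9000")] * 6
    + [("core-upf-1", "commit")] * 46
    + [("core-upf-2", "show interfaces")] * 30
    + [("core-upf-2", "reboot")] * 1
)

def build_model(history):
    """Per-element command counts plus a fleet-wide count of each command."""
    per_elem = defaultdict(Counter)
    fleet = Counter()
    for elem, cmd in history:
        per_elem[elem][cmd] += 1
        fleet[cmd] += 1
    return per_elem, fleet

def likelihood(model, elem, cmd):
    """Smoothed estimate that `cmd` is routine on `elem`. Laplace smoothing
    gives an unseen command a small non-zero value, nudged up only if the
    rest of the fleet runs that command routinely."""
    per_elem, fleet = model
    counts = per_elem.get(elem, Counter())
    vocab = len(fleet) + 1                       # +1 bucket for unseen commands
    local = (counts[cmd] + 1) / (sum(counts.values()) + vocab)
    fleet_share = fleet[cmd] / max(sum(fleet.values()), 1)
    return 0.8 * local + 0.2 * fleet_share

def triage(model, elem, cmd, auto=0.2, review=0.03):
    """Map the likelihood to an action. An element with no history at all is
    never auto-executed: there is no baseline to judge the command against."""
    if elem not in model[0]:
        return "hold-for-review"
    p = likelihood(model, elem, cmd)
    if p >= auto:
        return "execute"
    if p >= review:
        return "confirm"
    return "hold-for-review"

if __name__ == "__main__":
    model = build_model(HISTORY)
    for elem, cmd in [("core-upf-1", "commit"), ("core-upf-1", "reboot"),
                      ("core-upf-2", "delete routing-instance")]:
        print(elem, repr(cmd), "->", triage(model, elem, cmd))
```

The "confirm" tier is where a command that is common elsewhere in the fleet but new to this element lands, which is exactly the maintenance-window mistake the quote is about.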
Sisi concludes, “With telecoms, everyone is connected to everyone else, but somewhere there is always a weak spot due to poor implementation of security measures that could provide entry into something much bigger.
“That’s why, for instance, radios in our radio access networks can detect attempts to launch a DDoS attack and recover from it by themselves. We know the solutions we sell and deploy will be subjected to constant attacks and that we need to be prepared and to educate our customers on how to protect telecoms networks.”
This article was originally published on the Ericsson website here on the 26th of January 2023.