Taking Communication Network Security to New Heights · 2018-05-19 · Nokia places CSPs on the...
© 2018 Tolaga Research | Newton | Massachusetts | United States | www.tolaga.com
Tolaga Research | Harness the Power of Intelligence
Taking Communication Network Security to New Heights
February 2018
A Case Study of Nokia’s Security Risk Assessment
This Custom Report was Commissioned and Sponsored by Nokia
Author: Dr Phil Marshall
Executive Summary
A Call to Action
It has the makings of a perfect storm. The world is rapidly becoming digitized and communication networks are adopting enterprise IT based technologies. This is being supported by advancements in IP technology and innovations such as cloud and virtualization, digital transactions and big data, broadband mobility and the Internet-of-Things (IoT). The benefits from advancements in communications networks and digitization are tremendous. However, there is a dark side. Technology advancements expose communication networks to new attack vectors and digitization creates vulnerabilities that have not been seen in the past and cannot be addressed with conventional security solutions. Digital transactions, big data and IoT dramatically increase attack surfaces and the potential impact of attacks. Bad actors are motivated to launch malicious attacks because of the increased commercial and political impact of new and emerging attack surfaces. When attacks are successful, the actions of bad actors are reinforced. This has resulted in a dramatic increase in the frequency and ferocity of security attacks.
With dangerous self-reinforcing conditions in play (see Exhibit 1), bad actors have bigger incentives and better tools than ever before to launch sophisticated attacks, often with very little resistance from their victims. Commonly organizations are lulled into a false sense of security with partial solutions that are unable to detect sophisticated attacks, and to respond effectively even when the attacks are identified. High profile breaches are being reported with increased regularity in the media. However, this is merely the ‘tip-of-the-iceberg’, since most security breaches are not publicly reported.
The security challenges for communication service providers (CSPs) are particularly acute, as they navigate the transition to enterprise IT-centric network technologies. This is coupled with heightened customer expectations and stringent compliance and regulatory requirements. Commonly CSPs have siloed security solutions and organizational structures that are woefully inadequate in protecting against the sophisticated security attacks launched daily by bad actors.
Exhibit 1: Dangerous self-reinforcing conditions are propelling security threats
Transformation at the heart of a secure future
Security breaches can be extremely costly, and when reported, can also have a disastrous impact on the brand and credibility of the victim organization. The stakes are high, and organizations must anticipate that they might have already been compromised and don’t know it, or will be soon – irrespective of the security prevention measures they have in place. It is common for breaches to remain active for many months before being detected, and even when detected, they can prove extremely difficult to eliminate. Furthermore, since the sophistication of attacks is increasing at an unprecedented rate, it is not enough to just focus on threat prevention. Prevention must be complemented with technologies, processes and governance regimes to detect, respond and recover from security breaches when they occur, and to continually evolve to the changing threat landscape.
Exhibit 2 illustrates a holistic approach that is needed for modern security solutions. This approach is challenging to implement since it must span organizational and management silos, and requires end-to-end operational integration, and coordination amongst specialized security technology solutions. Assets and data protection, business continuity and effective disaster recovery must be assured, identity and access must be managed, and privacy protected. Organizations need specialized security competencies, extensive governance and policy frameworks and advanced technologies that are not constrained by legacy operational models.
Generally multi-phased security transformation plans are needed, which must be prioritized and executed by skilled practitioners. Organizations often lack the necessary resources and are constrained by internal operations and conflicts of interest, to transform their security operations effectively. In these cases, we believe that it is necessary for organizations to outsource their security transformation efforts to third parties who have the necessary competencies and benefit from being independent.
Exhibit 1 diagram text (nodes: Disruptive Technologies | Increased Attacks | More Bad Actors):
● Disruptive technologies decouple services from infrastructure with convergence to circumvent conventional security solutions
● Bad actors are motivated by commercial and political drivers to increase attacks
● More bad actors emerge as the rate of successful and impactful attacks increase
● Disruptive technologies and services amplify attacks and motivate bad actors
Exhibit 2: A holistic approach needed for effective security, but is challenged by traditional technical and operational silos
● Prevent vulnerabilities from known attacks, with regular security software, patches and system updates
● Detect when systems have been (or appear to be) compromised. Increasingly, detection requires heuristics with AI and machine-learning
● Respond rapidly to minimize the impact and eliminate the cause of an attack or identified vulnerability
● Recover systems efficiently after initial responses have been executed. Effective recovery is needed to minimize service impact.
Diagram labels: Technology | Governance | Operations
Nokia places CSPs on the right security transformation path
Nokia is a recognized industry leader in security, and has products and services with end-to-end capabilities that are particularly well suited for Communication Service Providers (CSP). Its NetGuard security management product portfolio helps secure and protect physical, and virtual communication networks. This is complemented with Security Integration services and other targeted Managed and Professional Services (see Exhibit 3). Within its Managed Services portfolio, Nokia provides a comprehensive Security Risk Assessment (SRA) solution for CSPs. The SRA enables CSPs to assess their security compliance and develop a transformation roadmap to address their shortcomings.
Nokia’s Security Risk Assessment Solution
Nokia’s Security Risk Assessment (SRA) solution enables CSPs to evaluate and benchmark their security operations, identify shortcomings and develop manageable transformation strategies. The SRA solution is designed specifically for communications networks and underpinned by industry standards such as ITU-T X.805 (Security architecture for systems providing end-to-end communications) and ISO/IEC 27001 (Information security management systems). The structure of Nokia’s SRA is shown in Exhibit 3 and includes:
● Inputs and contextual assessments to ascertain the state of technical, commercial and regulatory compliance within the company being assessed.
● Cybersecurity Reference Architectures, Attack Use Case References, and Process and Technology Control References, and;
● Outputs, that include a Security Risk Index, Gap Analysis, Maturity Matrix, and a Prioritized Security Roadmap.
Exhibit 3: Nokia Delivers a Comprehensive Security Risk Assessment Solution
Exhibit 3 diagram labels:
● Security Integration Services | Security Products (e.g. NetGuard) | Professional Services | Managed Security Services
● Security Risk Assessment | Security Infrastructure Management Services | ISMS and Compliance Management | Security Monitoring and Response | Transformation Security
● Inputs and Context: Technical | Commercial | Regulatory and Compliance
● Cyber Security Reference Architectures | Attack Use Case References | Process Control References | Technology Control References
● Outputs and Deliverables: Security Risk Index | Gap Analysis | Maturity Matrix | Prioritized Security Roadmap
Cyber Security Reference Architectures
Nokia’s SRA has Cyber Security Reference Architectures (CSRA) that are tailored for the specific needs of the company being assessed. The CSRAs consist of several components (see Exhibit 4), including:
● A Cyber Security Strategy Framework, which assesses whether the company is aligned with leadership support for a security led strategy. It also assesses the maturity of cyber security in the organization and its governance, risk and compliance management capabilities. These are complemented with threat modeling and resilience assessments.
● Cyber Defense Capabilities, to assess the company's ability to prevent, detect, recover from, and respond to security attacks. This is supported by an extensive Attack Use Case database that Nokia maintains.
● Process, Technology and Operations, which focuses on the security of network and infrastructure, applications, data and identity and access management. In addition, Nokia has a Transformation Security module, which pays specific attention to security disruptions from cloud, big data, mobility, social media, virtualization and IoT.
Exhibit 4: Nokia has a comprehensive Cyber Security Reference Architecture
Exhibit 4 diagram labels:
● Cyber Security Strategy Framework: Business Aligned and Leadership Driven Strategy | Cyber Security Organization Maturity | Governance, Risk and Compliance Management | Threat Modelling and Resilience Assessments
● Cyber Defense Capabilities: Prevent | Detect | Recover | Respond | Attack Use Cases
● Process, Technology and Operations: Network and Infrastructure Security | Application Security | Data Security | Identity and Access Management | Transformation Security (Cloud, Big Data, Mobility, Social Media, Virtualization and IoT)
● Cyber Security and Privacy Awareness
Exhibit 5: Nokia Fortifies its SRA with an Expansive and Growing Attack Use Case Library
Use Case Library with ITU-T 805.X Classification
Expanding Use Case Library
Telecom Centric Attacks: Traffic Interception | Passive Listening | Cloning | RAN Outage | IMSI-catcher/Fake BTS | SS7 Entry Point Abuse | Hostile SS7 Location Request | Femto-Cell Based Signaling Attacks | SS7 MSU Bill Artificial Inflation | VoIP Originated SS7 Injection | Web Attacks | Exploit Injection | Information Disclosure | Mediation and Billing Attacks | Billing System Flooding for Prepaid Abuse | Intelligent Network Attacks | Malware | Privacy | Charge Bypass | SMS/VMS Messaging Attacks | MMS Attack | Lawful Interception System Attacks | Reverse Charge SMS Fraud | Prepaid Abuse | SMSC Scanning Discovery and Abuse | Location Based Service Unauthorized Access | HLR Authentication | Flooding VLR Stuffing | Illegal Call Redirection | SMS to MSC Direct Addressing ....
IT Attacks: Denial of Service | Traffic Interception | Unauthorized subnet access to confidential data | Unauthorized user/device on the network | Log deleted from source | Volumetric DDoS | Unauthorized data capture | Data exfiltration | Unclassified data | Anti-virus failed to clean | Excessive port blocking attempts | Excessive scan time-outs | Malicious websites from multiple internal sources | Multiple infected hosts detected in an subnet | Excessive SMTP traffic outbound | Excessive web or email traffic outbound | C&C communication | Excessive connections to multiple sources | Repeat attack from a single source | Repeat attack from a multiple sources | Scanning or probing by an unauthorized host | Scanning or probing by an unauthorized time window | Anomaly in DoS baselines | Reconnaissance | Malware | Privacy | Device out of compliance | Behavior anomaly | Zero-day | Web Attacks | Exploit Injection | Information Disclosure | Anomaly in user access and authentication | Multiple logins from different locations | Multiple changes from administrative accounts ......
Classification
● Technologies and Solutions (2G, 3G, 4G, 5G, Fixed Network, IoT Analytics etc.)
● Technology Layers (access, transmission, core, IMS/IP, OSS/BSS etc.)
● Telecom Systems and Interfaces (HSS, PCRF, MME, HLR, eNodeB, GGSN, Gi, Gn, S1, S5, GRX, IPX, IN, Routers, Switches, Servers etc.)
● Dimensions: Access Control | Communication Security | Authentication | Integrity | Non-Repudiation | Privacy | Confidentiality | Availability
● Layers: Management | Control | End User
● Planes: Infrastructure | Service | Application
Attack Use Case References
Nokia maintains an extensive Attack Use Case Library that fulfils an important role in ensuring that the company is sufficiently protected against known security threats. The Library is an active database that is continually updated as new security threats are identified. These threats are catalogued according to the ITU-T 805.X (805.X) standard to reflect their impact on end-to-end security. The 805.X standard separates complex end-to-end architectures into logical components, to characterize eight security dimensions, in addition to management, control and end-user layers and infrastructure, service and application planes. Nokia’s reference library also identifies the telecom systems and user interfaces, technology layers, and the specific technologies and solutions involved, see Exhibit 5.
Exhibit 6: Nokia's Unified Compliance Framework
Nokia Unified Compliance Framework
● Test Procedures: Test of Design | Test of Operating Effectiveness | Security Maturity Assessment
● Unique Set of Security Controls: Based on Cyber Security Reference Architecture (CSRA) (see Exhibit 5)
● Foundational Sources and References: CSF | ISO 22301 | CSA/CSM | PCI DSS ENSA | NERC | GAPP | ISO 27001 | COBIT 5 | SOX | ANSI/ISA | ITU-T | 3GPP | DSCI
● Outputs and deliverables: Security Process Compliance Effectiveness | Security Maturity Matrix | Recommendations for Test Procedure Improvements | Recommendations for Security KPIs
Process Control References for Compliance
Nokia's Process Control References evaluate a CSP's compliance with industry standards of practice for security. These Process Control References also incorporate best-practices that Nokia has gleaned from its extensive experience in the field. For this purpose, Nokia has developed its Unified Compliance Framework (UCF), which is illustrated in Exhibit 6.
In total, Nokia has 117 security controls in its UCF. These controls span 13 domains, which are summarized in Exhibit 7 and include security governance and compliance, asset management, network architecture and control, software and application security, data centric security, identity and access management, security monitoring and threat intelligence, security incident and response management, threat and vulnerability management, security aspects in business continuity and disaster response, privacy, third party security and security training and awareness.
Exhibit 7: Nokia's Unified Compliance Framework Controls
Once the UCF domains listed in Exhibit 7 have been identified and assessed, scores for each domain are derived according to the maturity index phases described in Exhibit 8.
The SRA provides practical recommendations, milestones and key performance indicators (KPI) for CSPs to improve their security operations. The recommendations identify, for each control domain, whether the CSP needs to focus on "People", "Process", or "Technology". In addition, the identified security weaknesses are assessed in the context of a CSP's ability to "Prevent", "Detect", "Respond", or "Recover" from security attacks.
Exhibit 8: Security Index Phases of Maturity
● Phase 1 (Initial): There is evidence that the organization recognizes that issues exist and need to be addressed. However, there are no standardized processes; instead, ad hoc approaches are applied on a case-by-case basis. Management and governance is disorganized.
● Phase 2 (Repeatable but Intuitive): Processes are developed to a stage that similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. Since there is a heavy reliance on the knowledge of individuals, errors are likely.
● Phase 3 (Defined): Procedures have been standardized and documented and communicated through training. Processes are mandated; however, it is unlikely that deviations will be detected. The procedures themselves are not sophisticated, but formalize existing practices.
● Phase 4 (Managed and Measurable): Management monitors and measures compliance, and proactively addresses inadequate processes. Processes are constantly improved for good practice. There is limited and fragmented use of automation and other tools.
● Phase 5 (Optimized): Processes have been refined to a level of good practice based on results from continuous improvement and maturity monitoring with other NSPs and enterprises. It is used in an integrated way to automate workflows with tools to improve quality and effectiveness, making the enterprise quick to adapt.
Case Study: Security Risk Assessment for a Tier 1 CSP in Asia Pacific
Nokia has been conducting SRAs for its customers across the globe. One such customer is a Tier 1 CSP that operates networks in Asia Pacific. The CSP wanted to bring closer alignment between its enterprise and network security, and contracted Nokia because of its security portfolio, SRA solution and specific focus towards the CSP market.
Nokia conducted its SRA using a seven-step process, which is summarized in Exhibit 9. An initial environmental assessment was conducted to determine the project scope, with emphasis towards identifying a statement of applicability (SoA). The SoA defined the security controls within Nokia's Unified Compliance Framework that were relevant to the project.
A design assessment of the SoA was conducted relative to processes and practices followed by the client. The operational effectiveness of applicable security controls was investigated. Vulnerability assessments and port scanning were performed to support the analysis of the security controls, and to establish minimum base-line security standards. In addition, threat modeling was conducted based on the eight security dimensions associated with the ITU-T X.805 standards, shown in Exhibit 6.
At the completion of the project, Nokia published a detailed assessment report, which included high level benchmarks, base-line indices, and milestones and recommendations for future improvements. Although there were 83 security controls for which the CSP was non-compliant, the report recommendations provided clear guidelines for achieving basic compliance and moving the CSP’s security to a higher maturity level.
Amongst the Top 10 recommendations from Nokia's SRA, tangible and specific guidelines were provided for the following:
● Security policy alignment with relevant global standards.
● Third party security.
● Security KPIs.
● Governance.
● Network architecture.
● Personnel training and certification.
● Attack detection, and;
● Security incident reporting.
Exhibit 9: Seven-step process for conducting an SRA project
Process steps:
1. Initial Environmental Assessment and Scope Discussions with Client
2. Identification of Project Statement of Applicability (SoA)
3. Design Assessment of SoA
4. Test of Operational Effectiveness
5. Vulnerability Assessment
6. Minimum Baseline Security Standard
7. Threat Modeling
Outputs:
1. Key observations along with the impact of non-compliance, root-cause and detailed recommendations
2. Define maturity rating for each of the 13 domains along with the compliance percentage
3. Define the overall Security Index Score for the assessment
4. Define the prioritized security roadmap
Nokia's SRI revealed that amongst the thirteen security controls, the CSP is at an "Initial" maturity level for twelve, and a "Managed" maturity level for "Security Aspects of BCP/DR". We believe that this is reflective of the maturity level of many CSPs and a compelling driver for CSPs to use Nokia's SRA.
Within the study, operational "Process" was by far the dominant concern, appearing in twelve of the thirteen security controls assessed. The operational activities relating to "People" and "Technology" appeared 5 and 4 times respectively. We believe that the prevalence of “Process” related issues illustrates the difficulties CSPs face with organizational transformation. This strengthens the value proposition for conducting independent assessments, such as Nokia's SRA service.
Conclusion
The frequency, ferocity and sophistication of cyber security attacks will continue to increase for the foreseeable future. Unfortunately, many companies including CSPs have inadequate security, with partial solutions that are unable to reliably detect attacks and respond effectively even once they are detected. Companies must anticipate that they might have already been attacked and don't know it, or will be soon, irrespective of the security prevention measures in place. CSPs are particularly vulnerable as they upgrade their networks with enterprise IT centric technologies, address heightened customer expectations and adhere to strict compliance and regulatory requirements.
With the growing prevalence and sophistication of zero-day attacks, security prevention solutions are no longer adequate and must be complemented with technologies, processes and governance regimes to detect, respond and recover from breaches when they occur, and continually adapt to the threat landscape. This creates complicated operational and organizational transformation demands that are commonly stifled by legacy environments and conflicts of interest. In many cases, these complications can be mitigated through managed services offerings, provided by companies like Nokia.
Nokia is a leading security solution provider for CSPs and recently launched a Security Risk Assessment (SRA) solution within its managed services portfolio. This solution is comprehensive and uniquely positioned to provide tangible insights, indices, guidelines and milestones for CSPs to transform their security operations. A case study analysis for a Tier 1 CSP in Asia Pacific demonstrated that, while the SRA is sophisticated and comprehensive, it also provides pragmatic and achievable milestones for CSPs to migrate towards having optimized security operations. We believe the study results highlight the operational and organizational transformation challenges that CSPs typically face. This strengthens the value proposition of the independent assessment provided by Nokia's SRA. If a similar study had been conducted internally, we believe that some of the key security shortcomings identified in Nokia's SRA would have most likely gone unreported.
About the Author
Dr. Phil Marshall
Phil Marshall is the Chief Research Officer of Tolaga, where he leads its software architecture and development, and directs Tolaga's thought leadership for the Internet-of-Things (IoT) and mobile industry research. Before founding Tolaga, Dr. Marshall was an Executive at Yankee Group for nine years, and most recently led its service provider technology research globally, spanning wireless, wireline, and broadband technologies and telecommunication regulation. He serves on the advisory board of Strategic Venue Partners, is an Industry Advisor for Silverwood Partners – Investment Bank, and was a non-Executive board member of Antone Wireless, which was acquired by Westell in 2012.
Marshall has 20 years of experience in the wireless communications industry. He spent many years working in various engineering operations, software design, research and strategic planning roles in New Zealand, Mexico, Indonesia and Thailand for Verizon International (previously Bell Atlantic International Wireless) and Telecom New Zealand.
In addition, Marshall was an electrical engineer at BHP New Zealand Steel before he attended graduate school. He has a PhD degree in Electrical and Electronic Engineering, is a Senior Member of the IEEE and the Systems Dynamics Society. His technical specialty is in radio engineering and advanced system modeling, and his operational experience is primarily in communications network design, security and optimization.