Service Provider / July 28, 2015

Using subscriber level intelligence to secure the network

The telecommunications market has undergone some huge changes in recent years. Where a decade ago most mobile subscribers used a mobile device for making calls and SMS, today the situation is very different. Users expect to be able to browse the web, use applications (from games to Over-The-Top (OTT) messaging services), check email and carry out many other online activities, all while still using traditional SMS and voice services. What’s more, the number of internet-enabled devices used by consumers has skyrocketed. Research by IAB and PWC earlier in 2015 found that the average UK household now owns 7.4 devices, with each household having an average of 1.7 smartphones and 1.2 tablets[1]. The proliferation of devices shows no sign of slowing either, and research firm Strategy Analytics has forecast that, by the end of 2020, the number of connections per person will increase to 4.3[2].

This presents a challenge in itself, thanks to the sheer amount of data that is now crossing service provider networks and making the environment far more complex. Moreover, in a market that already sees high levels of churn, operators have to keep Quality of Service (QoS) high to hold onto their customers, as well as introduce new services such as VoWiFi and VoLTE to differentiate themselves. In order to do this, as well as deal with continuously increasing traffic, a transformation is required. 100Gb links were introduced to cope with the volume of traffic, but they are hard to monitor because analytic tools cannot connect to them directly at that rate, while VoLTE is a complex and hugely sensitive real-time service that requires a high level of visibility to keep it functioning. On top of that, virtualisation technologies, Software-Defined Networking (SDN) and Network Functions Virtualisation (NFV), are becoming increasingly attractive propositions, thanks to their promise of simplicity and agility. Yet they also add layers of network abstraction, which decreases visibility into traffic crossing the physical layer. Essentially, a telecommunications network is a hugely complex environment, and the challenges don’t stop there.

As with any industry today, security threats are increasing every day, and the tactics used by adversaries are sophisticated and wide-ranging. SMS fraud, malware, DDoS attacks, and data exfiltration are just some of the ways cyber-criminals can compromise a mobile network. A cyber-criminal only needs to find one vulnerability to exploit, while the network operator needs to protect the entire infrastructure, which clearly puts the operator at a disadvantage. At the same time as these threats to carriers are growing, security infrastructure is becoming more complex and costly to manage and operate. As such, real-time visibility into the entire environment is required so that threats can be identified and removed as quickly and as seamlessly as possible.

Visibility and the subscriber

Without the required visibility, packets will be dropped and blind spots will occur, making it easier for nefarious actors to access and remain on the network. By using a Security Delivery Platform to get access to the network at various points, pervasive visibility across the network as a whole is achieved, and detecting fraud, malware, data exfiltration and so on in real time becomes a far more likely prospect. At a time when customer churn on mobile networks is increasing, and operators are looking for ways to keep Average Revenue Per User (ARPU) up, doing everything they can to prevent security breaches is essential.

However, in order to ensure accurate, cost-effective analytics from their tools infrastructure, service providers are dependent on two critical components: the ability to correlate traffic flows to the subscriber(s), and visibility across all segments of their mobile networks. Service providers need to analyse data streams in order to detect and prevent criminal activity as quickly as possible. To do this effectively, real-time analysis of packets is required, yet with the sheer amount of data that they need to sort through, this can be a challenge. As such, these tools need a Security Delivery Platform that will intelligently feed each tool with the specific data packets and streams it needs, and nothing else.

GPRS Tunnelling Protocol (GTP) is often used to carry mobile data across networks, and includes both control plane (GTP-C) and user plane (GTP-U) traffic. Currently, many analytic and security tool vendors have a built-in feature to correlate the GTP user plane with the control plane inside GPRS tunnels. But in the process, each analytic tool keeps its insight to itself, hidden from the other analytic tools, and it is exactly this subscriber and service layer insight that is needed.

As such, the operational efficiency of the service provider decreases: because each analytic tool correlates GTP separately and individually, tool processing throughput is reduced and cost goes up, and the effectiveness of the security tools suffers as well. Visibility into a subscriber’s activity requires the ability to understand the stateful nature of GTP traffic (tunnels are created and torn down by the control plane, and user plane packets carry only a tunnel identifier) and to correlate subscriber-specific sessions to gain an accurate view of the subscriber’s activities. Once this is achieved, the traffic can be intelligently sorted to optimise flows based on what the tools need to see, so that the applications used to secure, monitor, and analyse the infrastructure see only what is relevant to them.

From there, tools designed specifically to identify suspicious activity can do their job, without having to sift through petabytes of irrelevant data, quickly stopping criminals in their tracks. Furthermore, combined with the pre-existing GTP Correlation capability in GigaSECURE, the industry’s first Security Delivery Platform, mobile carriers can also create custom whitelists of specific subscribers using their IMSI (International Mobile Subscriber Identity).

For example, if a service provider needs to identify security threats from an individual subscriber or device, it can focus its tools on the specific subscribers or devices that present a threat to the network, remove their malicious traffic from the network, or deny them access to the network altogether. Since security tools rarely run at line-rate speeds, any capability that reduces the amount of traffic flowing through the tools allows for a smaller and more cost-effective security capability, letting the operator do more with less.

Whitelists can be created to identify security threats to (or from) a specific subscriber. This results in a clear operational advantage, both in network operating cost and in network capacity, while subscriber devices, and their associated malicious traffic, can be blocked from the network altogether.

What’s more, not all devices or app stores have the same built-in security screening capabilities. One vendor and its associated devices and app store may represent a greater security threat than equivalent devices and application stores from other vendors. As such, whitelisting and GTP correlation can be used when it makes sense to treat devices, applications or subscriber groups with a perceived higher security threat profile differently. This way, traffic can be grouped by threat level, with low-threat traffic steered along a lighter path than high-threat traffic. This preserves the processing throughput of security tools, decreasing the cost per unit of processed traffic, which yields a competitive advantage against other competing carriers within a region.
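The correlation and steering logic described above, as an added example that is not Gigamon's code or any part of GigaSECURE. It parses the real GTPv1-U header (flags, message type, length, TEID) from raw bytes, but the control-plane side is simplified: `SessionEvent` is an assumed stand-in for what a GTP-C parser would extract from a Create/Delete Session exchange, and the IMSI values and watchlist are constructed.

```python
import struct
from dataclasses import dataclass

# GTPv1-U mandatory header: flags, message type, length, TEID (big-endian).
GTPU_HDR = struct.Struct("!BBHI")
G_PDU = 0xFF  # message type for a tunnelled user packet


@dataclass
class SessionEvent:
    """Assumed, simplified output of a GTP-C parser: which user-plane
    TEID was assigned to (or released by) which subscriber IMSI."""
    kind: str   # "create" or "delete"
    imsi: str
    teid: int


class GtpCorrelator:
    """Keeps the stateful TEID -> IMSI table and steers user-plane packets."""

    def __init__(self, watchlist):
        self.teid_to_imsi = {}
        self.watchlist = set(watchlist)  # IMSIs the security tools must see

    def observe_control(self, ev):
        # The control plane creates and tears down tunnels; without it the
        # user plane is just anonymous TEIDs, which is the blind spot.
        if ev.kind == "create":
            self.teid_to_imsi[ev.teid] = ev.imsi
        elif ev.kind == "delete":
            self.teid_to_imsi.pop(ev.teid, None)

    def classify_user_plane(self, pkt):
        """Return (destination, imsi) for one raw GTP-U datagram."""
        if len(pkt) < GTPU_HDR.size:
            return ("drop", None)            # truncated, cannot be a GTP header
        flags, msg_type, _length, teid = GTPU_HDR.unpack_from(pkt)
        if (flags >> 5) != 1 or msg_type != G_PDU:
            return ("pass", None)            # not a GTPv1 G-PDU; leave it alone
        imsi = self.teid_to_imsi.get(teid)
        if imsi is None:
            return ("unknown", None)         # tunnel never seen on the control plane
        if imsi in self.watchlist:
            return ("security-tool", imsi)   # full inspection path
        return ("monitor-tool", imsi)        # lighter-weight path


def build_gpdu(teid, payload):
    """Constructed test datagram: GTPv1 G-PDU header (flags 0x30) + payload."""
    return GTPU_HDR.pack(0x30, G_PDU, len(payload), teid) + payload
```

Feed `observe_control()` with session events as the control plane is seen, then call `classify_user_plane()` on each user-plane datagram; an "unknown" result is the blind spot the post warns about, a tunnel for which no control-plane state was ever captured.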

You can’t secure what you can’t see

As service providers are required to undergo rapid transformation, some things are clear: they need to be able to deal with vast, and ever-increasing, amounts of data while also ensuring the security of their network. While advanced security tools are available, they are costly and their effectiveness is severely limited when they have to process huge volumes of data. The only way to ensure security is by putting in place a Security Delivery Platform with a GTP correlation application. With the ability to intelligently filter, replicate, and forward specific subscriber sessions to the specific tools by correlating the subscriber ID, the current tool infrastructure investments are optimised. Not only does this increase visibility into subscriber traffic and potential malicious activity, but it also helps improve QoE and performance.
