Taking Communication Network Security to New Heights · 2018-05-19 · Nokia places CSPs on the...

© 2018 Tolaga Research | Newton | Massachusetts | United States | www.tolaga.com

Tolaga ResearchHarness the Power of Intelligence

Taking Communication Network Security toNew Heights

February 2018

A Case Study of Nokia’s Security Risk Assessment

This Custom Report was Commissioned and Sponsored by Nokia

Author: Dr Phil Marshall

Executive Summary

��

��

��



●

●

A Call to ActionIt has the makings of a perfect storm. The world israpidly becoming digitized and communicationnetworks are adopting enterprise IT basedtechnologies. This is being supported byadvancements in IP technology and innovations suchas cloud and virtualization, digital transactions andbig data, broadband mobility and the Internet-of-Things (IoT). The benefits from advancements incommunications networks and digitization aretremendous. However, there is a dark side.Technology advancements expose communicationnetworks to new attack vectors and digitizationcreates vulnerabilities that have not been seen in thepast and cannot be addressed with conventionalsecurity solutions. Digital transactions, big data andIoT dramatically increase attack surfaces and thepotential impact of attacks. Bad actors are motivatedto launch malicious attacks because of the increasedcommercial and political impact of new and emergingattack surfaces. When attacks are successful, theactions of bad actors are reinforced. This has resultedin a dramatic increase in the frequency and ferocity ofsecurity attacks.

With dangerous self-reinforcing conditions in play(see Exhibit 1), bad actors have bigger incentives andbetter tools than ever before to launch sophisticatedattacks, often with very little resistance from theirvictims. Commonly organizations are lulled into afalse sense of security with partial solutions that areunable to detect sophisticated attacks, and torespond effectively even when the attacks areidentified. High profile breaches are being reportedwith increased regularity in the media. However, thisis merely the ‘tip-of-the-iceberg’, since most securitybreaches are not publicly reported.

The security challenges for communication serviceproviders (CSPs) are particularly acute, as theynavigate the transition to enterprise IT-centricnetwork technologies. This, coupled with heightenedcustomer expectations and stringent compliance andregulatory requirements. Commonly CSPs have siloedsecurity solutions and organizational structures thatare woefully inadequate in protecting against thesophisticated security attacks launched daily by badactors.



Exhibit 1: Dangerous self-reinforcing conditions are propelling security threats

Transformation at the heart ofa secure futureSecurity breaches can be extremely costly, and whenreported, can also have a disastrous impact on thebrand and credibility of the victim organization. Thestakes are high, and organizations must anticipatethat they might have already been compromised anddon’t know it, or will be soon – irrespective of thesecurity prevention measures they have in place. It iscommon for breaches to remain active for manymonths before being detected, and even whendetected, they can prove extremely difficult toeliminate. Furthermore, since the sophistication ofattacks is increasing at an unprecedented rate, it isnot enough to just focus on threat prevention.Prevention must be complemented with technologies,processes and governance regimes to detect, respondand recover from security breaches when they occur,and to continually evolve to the changing threatlandscape.

Exhibit 2 illustrates a holistic approach that is neededfor modern security solutions. This approach is

challenging to implement since it must spanorganizational and management silos, and requiresend-to-end operational integration, and coordinationamongst specialized security technology solutions.Assets and data protection, business continuity andeffective disaster recovery must be assured, identityand access must be managed, and privacy protected.Organizations need specialized securitycompetencies, extensive governance and policyframeworks and advanced technologies that are notconstrained by legacy operational models.

Generally multi-phased security transformation plansare needed, which must be prioritized and executedby skilled practitioners. Organizations often lack thenecessary resources and are constrained by internaloperations and conflicts of interest, to transform theirsecurity operations effectively. In these cases, webelieve that it is necessary for organizations tooutsource their security transformation efforts to thirdparties who have the necessary competencies andbenefit from being independent.

Disruptive Technologiesdecouple services from

infrastructure withconvergence to circumvent

conventional security solutions

Bad actors are motivatedby commercial and politicaldrivers to increase attacks

More bad actors emergeas the rate of successful

and impactfulattacks increase

Disruptive technologiesand services amplify attacks

and motivate bad actors

More BadActors

DisruptiveTechnologies

IncreasedAttacks



Exhibit 2: A holistic approach needed for effective security, but is challenged by traditionaltechnical and operational silos

Preventvulnerabilities from known attacks,

with regular security software,patches and system updates

Detectwhen systems have been (or appearto be) compromised. Increasingly,detection requires heuristics with

AI and machine-learning

Respondrapidly to minimize the impact and

eliminate the cause of an attackor identified vulnerability

Recoversystems efficiently after

initial responses have been executed.Effective recovery is needed to

minimize service impact.

Technology Governance Operations

Nokia places CSPs on the rightsecurity transformation pathNokia is a recognized industry leader in security,and has products and services with end-to-endcapabilities that are particularly well suited forCommunication Service Providers (CSP). ItsNetGuard security management productportfolio helps secure and protect physical, andvirtual communication networks. This is

complemented with Security Integration servicesand other targeted Managed and ProfessionalServices (see Exhibit 3). Within its ManagedServices portfolio, Nokia provides acomprehensive Security Risk Assessment (SRA)solution for CSPs. The SRA enables CSPs to assesstheir security compliance and develop atransformation roadmap to address theirshortcomings.



Nokia’s Security Risk AssessmentSolutionNokia’s Security Risk Assessment (SRA) solutionenables CSPs to evaluate and benchmark theirsecurity operations, identify shortcomings anddevelop manageable transformation strategies.The SRA solution is designed specifically forcommunications networks and underpinned byindustry standards such as ITU-T X.805 (Securityarchitecture for systems providing end-to-endcommunications) and ISO/IEC 27001 (Information

security management systems). The structure ofNokia’s SRA is shown in Exhibit 3 and includes:

● Inputs and contextual assessments to ascertain thestate of technical, commercial and regulatorycompliance within the company being assessed.

● Cybersecurity Reference Architectures, Attack UseCase References, and Process and TechnologyControl References, and;

● Outputs, that include a Security Risk Index, GapAnalysis, Maturity Matrix, and a Prioritized SecurityRoadmap.

Exhibit 3: Nokia Delivers a Comprehensive Security Risk Assessment Solution

SecurityIntegration

Services

SecurityProducts

(e.g. NetGuard)

ProfessionalServices

ManagedSecurityServices

Inputs andContextTechnical

CommercialRegulatory

and Compliance

Outputs andDeliverables

Security Risk IndexGap Analysis

Maturity MatrixPrioritized Security

Roadmap

Cyber SecurityReference

Architectures

Attack UseCase

References

ProcessControl

References

TechnologyControl

References

SecurityRisk

Assessment

SecurityInfrastructureManagement

Services

ISMSand

ComplianceManagement

SecurityMonitoring

andResponse

Transformation Security



Cyber Security ReferenceArchitecturesNokia’s SRA has Cyber Security ReferenceArchitectures (CSRA) that are tailored for thespecific needs of the company being assessed.The CSRAs consist of several components (seeExhibit 4), including:

● A Cyber Security Strategy Framework, whichassesses whether the company is aligned withleadership support for a security led strategy. Italso assesses the maturity of cyber security inthe organization and its governance, risk andcompliance management capabilities. Theseare complemented with threat modeling andresilience assessments.

● Cyber Defense Capabilities, to assess thecompany's ability to prevent, detect, recover from,and respond to security attacks. This is supportedby an extensive Attack Use Case database thatNokia maintains.

● Process, Technology and Operations, whichfocuses on the security of network andinfrastructure, applications, data and identity andaccess management. In addition, Nokia has aTransformation Security module, which paysspecific attention to security disruptions fromcloud, big data, mobility, social media,virtualization and IoT.

Exhibit 4: Nokia has a comprehensive Cyber Security Reference Architecture

Cyber Security StrategyFramework

Business Aligned andLeadership Driven Strategy

Cyber SecurityOrganization Maturity

Governance, Risk andCompliance Management

Threat Modelling andResilience Assessments

Prevent Detect

Recover Respond

Attack Use Cases

Process, Technology andOperations

Network and InfrastructureSecurity

Application SecurityData Security

Identity and AccessManagement

Transformation Security(Cloud, Big Data, Mobility

Social Media, Virtualizationand IoT)

Cyber Defense Capabilities

Cyber Security and Privacy Awareness



Exhibit 5: Nokia Fortifies its SRA with an Expansive and Growing Attack Use Case Library

Use Case Library with ITU-T 805.X Classification

Traffic Interception | Passive Listening | Cloning | RAN Outage |IMSI-catcher/Fake BTS | SS7 Entry Point Abuse | Hostile SS7 Location Request| Femto-Cell Based Signaling Attacks | SS7 MSU Bill Artificial Inflation |VoIP Originated SS7 Injection | Web Attacks | Exploit Injection | InformationDisclosure | Mediation and Billing Attacks | Billing System Flooding forPrepaid Abuse | Intelligent Network Attacks | Malware |Privacy | ChargeBypass | SMS/VMS Messaging Attacks | MMS Attack | Lawful InterceptionSystem Attacks |Reverse Charge SMS Fraud | Prepaid Abuse | SMSC ScanningDiscovery and Abuse | Location Based Service Unauthorized Access |HLR Authentication | Flooding VLR Stuffing | Illegal Call Redirection |SMS to MSC Direct Addressing ....

Telecom Centric Attacks

Denial of Service | Traffic Interception | Unauthorized subnet accessto confidential data |Unauthorized user/device on the network | Log deletedfrom source | Volumetric DDoS | Unauthorized data capture |Data exfiltration | Unclassified data | Anti-virus failed to clean | Excessive portblocking attempts |Excessive scan time-outs | Malicious websites frommultiple internal sources | Multiple infected hosts detected in an subnet |Excessive SMTP traffic outbound | Excessive web or email traffic outbound |C&C communication |Excessive connections to multiple sources | Repeatattack from a single source | Repeat attack from a multiple sources |Scanning or probing by an unauthorized host | Scanning or probing by anunauthorized time window | Anomaly in DoS baselines |Reconnaissance |Malware | Privacy | Device out of compliance | Behavior anomaly | Zero-day |Web Attacks | Exploit Injection | Information Disclosure | Anomaly in useraccess and authentication | Multiple logins from different locations |Multiple changes from administrative accounts ......

IT Attacks

(2G, 3G, 4G, 5G, Fixed Network, IoT Analytics etc.)Technologies and Solutions(access, transmission, core, IMS/IP, OSS/BSS etc.)Technology Layers

(HSS, PCRF, MME, HLR, eNodeB. GGSN,Gi, Gn, S1, S5, GRX,IPX, IN, Routers, Switches, Servers etc.)

Telecom Systems and Interfaces

Acc

ess

Cont

rol

Com

mun

icat

ion

Secu

rity

Aut

hent

icat

ion

Inte

grity

No-

Repu

diat

ion

Priv

acy

Conf

iden

tialit

y

Ava

ilabi

lity

Management | Control | End UserLayers

Infrastructure | Service | ApplicationPlanes

Dimensions

ClassificationExpanding Use Case Library

Attack Use Case ReferencesNokia maintains an extensive Attack Use CaseLibrary that fulfils an important role in ensuringthat the company is sufficiently protected againstknown security threats. The Library is an activedatabase that is continually updated as newsecurity threats are identified. These threats arecatalogued according to the ITU-T 805.X (805.X)standard to reflect their impact on end-to-end

security. The 805.X standard separates complex end-to-end architectures into logical components, tocharacterize eight security dimensions, in addition tomanagement, control and end-user layers andinfrastructure, service and application planes. Nokia’sreference library also identifies the telecom systemsand user interfaces, technology layers, and thespecific technologies and solutions involved, seeExhibit 5.



Exhibit 6: Nokia's Unified Compliance Framework

Nokia Unified Compliance Framework

Test ProceduresTest of Design | Test of Operating Effectiveness |Security Maturity Assessment

Unique Set of Security ControlsBased on Cyber Security Reference Architecture (CSRA)(see Exhibit 5)

Foundational Sources and ReferencesCSF | ISO 22301 | CSA/CSM | PCI DSS ENSA | NERC | GAPP |ISO 27001 | COBIT 5 | SOX | ANSI/ISA | ITU-T | 3GPP |DSCI

Outputs and deliverables

Security ProcessCompliance Effectiveness

Security Maturity Matrix

Recommendations forTest Procedure Improvements

Recommendations forSecurity KPIs

Process Control References forComplianceNokia's Process Control References evaluate aCSPs compliance with industry standards ofpractice for security. These Process ControlReferences also incorporate best-practices thatNokia has gleaned from its extensive experiencein the field. For this purpose, Nokia hasdeveloped its Unified Compliance Framework(UCF), which is illustrated in Exhibit 6.

In total, Nokia has 117 security controls in its UCF.These controls span 13 domains, which aresummarized in Exhibit 7 and include, securitygovernance and compliance, asset management,network architecture and control, software andapplication security, data centric security, identity andaccess management, security monitoring and threatintelligence, security incident and responsemanagement, threat and vulnerability management,security aspects in business continuity and disasterresponse, privacy, third party security and securitytraining and awareness.



Exhibit 7: Nokia's Unified Compliance Framework Controls



Once the UCF domains listed in Exhibit 7 havebeen identified and assessed, scores for eachdomain are derived according to the maturityindex phases described in Exhibit 8.

The SRA provides practical recommendations,milestones and key performance indicators (KPI)for CSPs to improve their security operations. Therecommendations, identify for each control

domain whether the CSP needs to focus on "People","Process", or "Technology". In addition, theidentified security weaknesses are assessed in thecontext of a CSPs ability to "Prevent", "Detect","Respond", or "Recover" from security attacks.

Exhibit 8: Security Index Phases of Maturity

Phase 1Initial

Evidence organization recognizes issues exist and need to be addressed. However, there are no standardizedprocesses; Instead ad hoc approaches are applied on a case-by-case basis. Management and governanceis disorganized.

Phase 3Defined

Procedures have been standardized and documented and communicated throughtraining. Processes are mandated; however, it is unlikely that deviations will be detected.The procedures themselves are not sophisticated, but formalize exisitng practices

Phase 2Repeatablebut Intuitive

Processes are developed to a stage that simlar procedures are followed by different peopleundertaking the same task. There is no formal training or communication of standardprocedures, and responsibility is left to the individual. Since there is a heavy reliance onthe knowledge of individuals, errors are likely.

Phase 5Optimized

Processes have been refined to a level of good practice based onresults from continuous improvement and maturity monitoring withother NSPs and enterprises. It is used in an integrated way to automateworkflows with tools to improve quality and effectiveness, making theenterprise quick to adapt

Phase 4Managedand Measurable

Management monitors and measures compliance, and proactivelyaddresses inadequate processes. Processes are constantly improvedfor good practice. There is limited and fragmented use of automationand other tools.



Case Study:Security Risk Assessment for a Tier 1CSP in Asia PacificNokia has been conducting SRAs for itscustomers across the globe. One such customer isa Tier 1 CSP that operates networks in AsiaPacific. The CSP wanted to bring closer alignmentbetween its enterprise and network security, andcontracted Nokia because of its security portfolio,SRA solution and specific focus towards the CSPmarket.

Nokia conducted its SRA using a seven-stepprocess, which is summarized in Exhibit 9. Aninitial environmental assessment was conductedto determine the project scope, with emphasistowards identifying a statement of applicability(SoA). The SoA defined the security controlswithin Nokia's Unified Compliance Frameworkthat were relevant to the project.

A design assessment of the SoA was conductedrelative to processes and practices followed bythe client. The operational effectiveness of

applicable security controls was investigated.Vulnerability assessments and port scanning wereperformed to support the analysis of the securitycontrols, and to establish minimum base-line securitystandards. In addition, threat modeling wasconducted based on the eight security dimensionsassociated with the ITU-T X.805 standards, shown inExhibit 6.

At the completion of the project, Nokia published adetailed assessment report, which included high levelbenchmarks, base-line indices, and milestones andrecommendations for future improvements. Althoughthere were 83 security controls for which the CSP wasnon-compliant, the report recommendationsprovided clear guidelines for achieving basiccompliance and moving the CSP’s security to a highermaturity level.

Amongst the Top 10 recommendations from theNokia's SRA, tangible and specific guidelines wereprovided for the following:

● Security policy alignment with relevant globalstandards.

Exhibit 9: Seven-step process for conducting a SRA project

1 Key observations along with theimpact of non-compliance, root-cause

and detailed recommendations

Define maturity rating for each of the13 domains along with the

compliance percentage

2

Define the overall Security IndexScore for the assessment

3

Define the prioritizedsecurity roadmap

4

Identification ofProject

Statement ofApplicability (SoA)

Initial EnvironmentalAssessment and

Scope Discussionswith Client

DesignAssessment

of SoA

Test ofOperationalEffectiveness

VulnerabilityAssessment

MinimumBaselineSecurityStandard

ThreatModeling

1 2 3 4 5 6 7



● Third party security.

● Security KPIs.

● Governance.

● Network architecture.

● Personnel training and certification.

● Attack detection, and;

● Security incident reporting.

Nokia's SRI revealed that amongst the thirteensecurity controls, the CSP is at an "Initial"maturity level for twelve, and a "Managed"maturity level for "Security Aspects of BCP/DR".We believe that this is reflective of the maturitylevel of many CSPs and a compelling driver forCSPs to use Nokia's SRA.

Within the study, operational "Process" was byfar the dominant concern, appearing in twelve ofthe thirteen security controls assessed. Theoperational activities relating to "People" and"Technology" appeared 5 and 4 timesrespectively. We believe that the prevalence of“Process” related issues illustrates the difficultiesCSPs face with organizational transformation. Thisstrengthens the value proposition for conductingindependent assessments, such as Nokia's SRAservice.

ConclusionThe frequency, ferocity and sophistication ofcyber security attacks will continue to increase forthe foreseeable future. Unfortunately, manycompanies including CSPs have inadequatesecurity, with partial solutions that are unable toreliably detect attacks and respond effectivelyeven once they are detected. Companies mustanticipate that they might have already been

attacked and don't know it, or will be soon,irrespective of the security prevention measures inplace. CSPs are particularly vulnerable as theyupgrade their networks with enterprise IT centrictechnologies, address heightened customerexpectations and adhere to strict compliance andregulatory requirements.

With the growing prevalence and sophistication ofzero-day attacks, security prevention solutions are nolonger adequate and must be complemented withtechnologies, processes and governance regimes todetect, respond and recover from breaches when theyoccur, and continually adapt to the threat landscape.This creates complicated operational andorganizational transformation demands that arecommonly stifled by legacy environments andconflicts of interest. In many cases, thesecomplications can be mitigated through managedservices offerings, provided by companies like Nokia.

Nokia is a leading security solution provider for CSPsand recently launched a Security Risk Assessment(SRA) solution within its managed services portfolio.This solution is comprehensive and uniquelypositioned to provide tangible insights, indices,guidelines and milestones for CSPs to transform theirsecurity operations. A case study analysis for a Tier 1CSP in Asia Pacific demonstrated that, while the SRAis sophisticated and comprehensive, it also providespragmatic and achievable milestones for CSPs tomigrate towards having optimized securityoperations. We believe the study results highlight theoperational and organizational transformationchallenges that CSPs typically face. This strengthensthe value proposition of the independent assessmentprovided by Nokia's SRA. If a similar study had beenconducted internally, we believe that some of the keysecurity shortcomings identified in Nokia's SRA wouldhave most likely gone unreported.



About the AuthorDr. Phil Marshall

Phil Marshall is the Chief Research Officer of Tolaga, where he leads its software architecture anddevelopment, and directs Tolaga's thought leadership for the Internet-of-Things (IoT) andmobile industry research. Before founding Tolaga, Dr. Marshall was an Executive at YankeeGroup for nine years, and most recently led its service provider technology research globally,

spanning wireless, wireline, and broadband technologies and telecommunication regulation. He serves on theadvisory board of Strategic Venue Partners, is an Industry Advisor for Silverwood Partners – Investment Bank, and wasa non-Executive board member of Antone Wireless, which was acquired by Westell in 2012.

Marshall has 20 years of experience in the wireless communications industry. He spent many years working in variousengineering operations, software design, research and strategic planning roles in New Zealand, Mexico, Indonesiaand Thailand for Verizon International (previously Bell Atlantic International Wireless) and Telecom New Zealand.

In addition, Marshall was an electrical engineer at BHP New Zealand Steel before he attended graduate school. Hehas a PhD degree in Electrical and Electronic Engineering, is a Senior Member of the IEEE and the Systems DynamicsSociety. His technical specialty is in radio engineering and advanced system modeling, and his operational experienceis primarily in communications network design, security and optimization.

Taking Communication Network Security to New Heights · 2018-05-19 · Nokia places CSPs on the...

Documents

Transcript of Taking Communication Network Security to New Heights · 2018-05-19 · Nokia places CSPs on the...