Tolaga Research Nokia SRAEvaluation Feb 2018
Executive Summary
[Figure: Disruptive technologies and services amplify attacks and motivate bad actors]
● Disruptive technologies decouple services from infrastructure with convergence to circumvent conventional security solutions.
● Bad actors are motivated by commercial and political drivers to increase attacks.
● Increased attacks.
Exhibit 2: A holistic approach needed for effective security, but is challenged by traditional technical and operational silos
● Prevent vulnerabilities from known attacks, with regular security software, patches and system updates.
● Detect when systems have been (or appear to be) compromised. Increasingly, detection requires heuristics with AI and machine-learning.
● Respond rapidly to minimize the impact and eliminate the cause of an attack or identified vulnerability.
● Recover systems efficiently after initial responses have been executed. Effective recovery is needed to minimize service impact.
Attack Use Case References

Nokia maintains an extensive Attack Use Case Library that fulfils an important role in ensuring that the company is sufficiently protected against known security threats. The Library is an active database that is continually updated as new security threats are identified. These threats are catalogued according to the ITU-T 805.X (805.X) standard to reflect their impact on end-to-end security. The 805.X standard separates complex end-to-end architectures into logical components, to characterize eight security dimensions, in addition to management, control and end-user layers and infrastructure, service and application planes. Nokia’s reference library also identifies the telecom systems and user interfaces, technology layers, and the specific technologies and solutions involved, see Exhibit 5.
Exhibit 5: Nokia Fortifies its SRA with an Expansive and Growing Attack Use Case Library

Security dimensions: Non-Repudiation | Access Control | Authentication | Confidentiality | Availability | Integrity | Privacy

Layers: Management | Control | End User

Planes: Infrastructure | Service | Application

Telecom Systems and Interfaces (HSS, PCRF, MME, HLR, eNodeB, GGSN, Gi, Gn, S1, S5, GRX, IPX, IN, Routers, Switches, Servers etc.)

Technology Layers (access, transmission, core, IMS/IP, OSS/BSS etc.)

Technologies and Solutions (2G, 3G, 4G, 5G, Fixed Network, IoT Analytics etc.)

Attack use cases: Prepaid Abuse | Intelligent Network Attacks | Malware | Privacy | Charge Bypass | SMS/VMS Messaging Attacks | MMS Attack | Lawful Interception System Attacks | Reverse Charge SMS Fraud | Prepaid Abuse | SMSC Scanning Discovery and Abuse | Location Based Service Unauthorized Access | HLR Authentication | Flooding VLR Stuffing | Illegal Call Redirection | SMS to MSC Direct Addressing ....

IT Attacks: Denial of Service | Traffic Interception | Unauthorized subnet access to confidential data | Unauthorized user/device on the network | Log deleted from source | Volumetric DDoS | Unauthorized data capture | Data exfiltration | Unclassified data | Anti-virus failed to clean | Excessive port blocking attempts | Excessive scan time-outs | Malicious websites from multiple internal sources | Multiple infected hosts detected in a subnet | Excessive SMTP traffic outbound | Excessive web or email traffic outbound | C&C communication | Excessive connections to multiple sources | Repeat attack from a single source | Repeat attack from multiple sources | Scanning or probing by an unauthorized host | Scanning or probing by an unauthorized time window | Anomaly in DoS baselines | Reconnaissance | Malware | Privacy | Device out of compliance | Behavior anomaly | Zero-day | Web Attacks | Exploit Injection | Information Disclosure | Anomaly in user access and authentication | Multiple logins from different locations | Multiple changes from administrative accounts ......
Process Control References for Compliance

Nokia's Process Control References evaluate a CSP's compliance with industry standards of practice for security. These Process Control References also incorporate best practices that Nokia has gleaned from its extensive experience in the field. For this purpose, Nokia has developed its Unified Compliance Framework (UCF), which is illustrated in Exhibit 6.

In total, Nokia has 117 security controls in its UCF. These controls span 13 domains, which are summarized in Exhibit 7 and include security governance and compliance, asset management, network architecture and control, software and application security, data centric security, identity and access management, security monitoring and threat intelligence, security incident and response management, threat and vulnerability management, security aspects in business continuity and disaster response, privacy, third party security and security training and awareness.
Once the UCF domains listed in Exhibit 7 have been identified and assessed, scores for each domain are derived according to the maturity index phases described in Exhibit 8.

The SRA provides practical recommendations, milestones and key performance indicators (KPI) for CSPs to improve their security operations. The recommendations identify for each control domain whether the CSP needs to focus on "People", "Process", or "Technology". In addition, the identified security weaknesses are assessed in the context of a CSP's ability to "Prevent", "Detect", "Respond", or "Recover" from security attacks.
Phase 2, Repeatable but Intuitive: Processes are developed to a stage that similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. Since there is a heavy reliance on the knowledge of individuals, errors are likely.

Phase 1, Initial: There is evidence that the organization recognizes that issues exist and need to be addressed. However, there are no standardized processes; instead, ad hoc approaches are applied on a case-by-case basis. Management and governance is disorganized.
[Figure: seven numbered steps. Step labels: Initial Environmental Assessment and Project Scope Discussions with Client; Identification of Statement of Applicability (SoA); Vulnerability Assessment; Minimum Baseline Security Standard; Threat Modeling; Design Assessment of SoA; Test of Operational Effectiveness]
● Third party security.
● Security KPIs.
● Governance.
● Network architecture.
● Personnel training and certification.
● Attack detection, and;
● Security incident reporting.

Nokia's SRI revealed that amongst the thirteen security controls, the CSP is at an "Initial" maturity level for twelve, and a "Managed" maturity level for "Security Aspects of BCP/DR". We believe that this is reflective of the maturity level of many CSPs and a compelling driver for CSPs to use Nokia's SRA.

Within the study, operational "Process" was by far the dominant concern, appearing in twelve of the thirteen security controls assessed. The operational activities relating to "People" and "Technology" appeared 5 and 4 times respectively. We believe that the prevalence of "Process" related issues illustrates the difficulties CSPs face with organizational transformation. This strengthens the value proposition for conducting independent assessments, such as Nokia's SRA service.

Conclusion

The frequency, ferocity and sophistication of cyber security attacks will continue to increase for the foreseeable future. Unfortunately, many companies including CSPs have inadequate security, with partial solutions that are unable to reliably detect attacks and respond effectively even once they are detected. Companies must anticipate that they might have already been attacked and don't know it, or will be soon, irrespective of the security prevention measures in place. CSPs are particularly vulnerable as they upgrade their networks with enterprise IT centric technologies, address heightened customer expectations and adhere to strict compliance and regulatory requirements.

With the growing prevalence and sophistication of zero-day attacks, security prevention solutions are no longer adequate and must be complemented with technologies, processes and governance regimes to detect, respond and recover from breaches when they occur, and continually adapt to the threat landscape. This creates complicated operational and organizational transformation demands that are commonly stifled by legacy environments and conflicts of interest. In many cases, these complications can be mitigated through managed services offerings, provided by companies like Nokia.

Nokia is a leading security solution provider for CSPs and recently launched a Security Risk Assessment (SRA) solution within its managed services portfolio. This solution is comprehensive and uniquely positioned to provide tangible insights, indices, guidelines and milestones for CSPs to transform their security operations. A case study analysis for a Tier 1 CSP in Asia Pacific demonstrated that, while the SRA is sophisticated and comprehensive, it also provides pragmatic and achievable milestones for CSPs to migrate towards having optimized security operations. We believe the study results highlight the operational and organizational transformation challenges that CSPs typically face. This strengthens the value proposition of the independent assessment provided by Nokia's SRA. If a similar study had been conducted internally, we believe that some of the key security shortcomings identified in Nokia's SRA would have most likely gone unreported.

Phil Marshall is the Chief Research Officer of Tolaga, where he leads its software architecture and
development, and directs Tolaga's thought leadership for the Internet-of-Things (IoT) and
mobile industry research. Before founding Tolaga, Dr. Marshall was an Executive at Yankee
Group for nine years, and most recently led its service provider technology research globally,
spanning wireless, wireline, and broadband technologies and telecommunication regulation. He serves on the
advisory board of Strategic Venue Partners, is an Industry Advisor for Silverwood Partners – Investment Bank, and was
a non-Executive board member of Antone Wireless, which was acquired by Westell in 2012.
Marshall has 20 years of experience in the wireless communications industry. He spent many years working in various
engineering operations, software design, research and strategic planning roles in New Zealand, Mexico, Indonesia
and Thailand for Verizon International (previously Bell Atlantic International Wireless) and Telecom New Zealand.
In addition, Marshall was an electrical engineer at BHP New Zealand Steel before he attended graduate school. He
has a PhD degree in Electrical and Electronic Engineering, is a Senior Member of the IEEE and the Systems Dynamics
Society. His technical specialty is in radio engineering and advanced system modeling, and his operational experience
is primarily in communications network design, security and optimization.