Tolaga Research Nokia SRAEvaluation Feb 2018


Tolaga Research February 2018

Harness the Power of Intelligence

Taking Communication Network Security to New Heights
A Case Study of Nokia’s Security Risk Assessment
Author: Dr Phil Marshall
This Custom Report was Commissioned and Sponsored by Nokia

Executive Summary

© 2018 Tolaga Research | Newton | Massachusetts | United States | www.tolaga.com Page 1



A Call to Action

It has the makings of a perfect storm. The world is rapidly becoming digitized and communication networks are adopting enterprise IT based technologies. This is being supported by advancements in IP technology and innovations such as cloud and virtualization, digital transactions and big data, broadband mobility and the Internet-of-Things (IoT). The benefits from advancements in communications networks and digitization are tremendous. However, there is a dark side. Technology advancements expose communication networks to new attack vectors and digitization creates vulnerabilities that have not been seen in the past and cannot be addressed with conventional security solutions. Digital transactions, big data and IoT dramatically increase attack surfaces and the potential impact of attacks. Bad actors are motivated to launch malicious attacks because of the increased commercial and political impact of new and emerging attack surfaces. When attacks are successful, the actions of bad actors are reinforced. This has resulted in a dramatic increase in the frequency and ferocity of security attacks.

With dangerous self-reinforcing conditions in play (see Exhibit 1), bad actors have bigger incentives and better tools than ever before to launch sophisticated attacks, often with very little resistance from their victims. Commonly, organizations are lulled into a false sense of security with partial solutions that are unable to detect sophisticated attacks, and to respond effectively even when the attacks are identified. High profile breaches are being reported with increased regularity in the media. However, this is merely the ‘tip-of-the-iceberg’, since most security breaches are not publicly reported.

The security challenges for communication service providers (CSPs) are particularly acute, as they navigate the transition to enterprise IT-centric network technologies. This is coupled with heightened customer expectations and stringent compliance and regulatory requirements. Commonly, CSPs have siloed security solutions and organizational structures that are woefully inadequate in protecting against the sophisticated security attacks launched daily by bad actors.


Exhibit 1: Dangerous self-reinforcing conditions are propelling security threats

[Figure: a loop linking Disruptive Technologies, Increased Attacks and More Bad Actors, with the following annotations.]
● Disruptive technologies decouple services from infrastructure with convergence to circumvent conventional security solutions.
● Bad actors are motivated by commercial and political drivers to increase attacks.
● More bad actors emerge as the rate of successful and impactful attacks increase.
● Disruptive technologies and services amplify attacks and motivate bad actors.

Transformation at the heart of a secure future

Security breaches can be extremely costly, and when reported, can also have a disastrous impact on the brand and credibility of the victim organization. The stakes are high, and organizations must anticipate that they might have already been compromised and don’t know it, or will be soon – irrespective of the security prevention measures they have in place. It is common for breaches to remain active for many months before being detected, and even when detected, they can prove extremely difficult to eliminate. Furthermore, since the sophistication of attacks is increasing at an unprecedented rate, it is not enough to just focus on threat prevention. Prevention must be complemented with technologies, processes and governance regimes to detect, respond and recover from security breaches when they occur, and to continually evolve to the changing threat landscape.

Exhibit 2 illustrates a holistic approach that is needed for modern security solutions. This approach is challenging to implement since it must span organizational and management silos, and requires end-to-end operational integration, and coordination amongst specialized security technology solutions. Assets and data protection, business continuity and effective disaster recovery must be assured, identity and access must be managed, and privacy protected. Organizations need specialized security competencies, extensive governance and policy frameworks and advanced technologies that are not constrained by legacy operational models.

Generally multi-phased security transformation plans are needed, which must be prioritized and executed by skilled practitioners. Organizations often lack the necessary resources and are constrained by internal operations and conflicts of interest, to transform their security operations effectively. In these cases, we believe that it is necessary for organizations to outsource their security transformation efforts to third parties who have the necessary competencies and benefit from being independent.


Exhibit 2: A holistic approach needed for effective security, but is challenged by traditional
technical and operational silos

[Figure: four capabilities resting on a base of Technology, Governance and Operations.]
● Prevent vulnerabilities from known attacks, with regular security software, patches and system updates.
● Detect when systems have been (or appear to be) compromised. Increasingly, detection requires heuristics with AI and machine-learning.
● Respond rapidly to minimize the impact and eliminate the cause of an attack or identified vulnerability.
● Recover systems efficiently after initial responses have been executed. Effective recovery is needed to minimize service impact.

Nokia places CSPs on the right security transformation path

Nokia is a recognized industry leader in security, and has products and services with end-to-end capabilities that are particularly well suited for Communication Service Providers (CSP). Its NetGuard security management product portfolio helps secure and protect physical, and virtual communication networks. This is complemented with Security Integration services and other targeted Managed and Professional Services (see Exhibit 3). Within its Managed Services portfolio, Nokia provides a comprehensive Security Risk Assessment (SRA) solution for CSPs. The SRA enables CSPs to assess their security compliance and develop a transformation roadmap to address their shortcomings.


Exhibit 3: Nokia Delivers a Comprehensive Security Risk Assessment Solution

[Figure: Nokia security portfolio and the structure of the SRA.]
● Portfolio: Security Products (e.g. NetGuard) | Security Integration Services | Professional Services | Managed Security Services
● Services: Security Infrastructure Management Services | ISMS and Compliance Management | Security Monitoring and Response | Security Risk Assessment | Transformation Security
● Inputs and Context: Technical | Commercial | Regulatory and Compliance
● References: Cyber Security Reference Architectures | Attack Use Case References | Process Control References | Technology Control References
● Outputs and Deliverables: Security Risk Index | Gap Analysis | Maturity Matrix | Prioritized Security Roadmap

Nokia’s Security Risk Assessment Solution

Nokia’s Security Risk Assessment (SRA) solution enables CSPs to evaluate and benchmark their security operations, identify shortcomings and develop manageable transformation strategies. The SRA solution is designed specifically for communications networks and underpinned by industry standards such as ITU-T X.805 (Security architecture for systems providing end-to-end communications) and ISO/IEC 27001 (Information security management systems). The structure of Nokia’s SRA is shown in Exhibit 3 and includes:

● Inputs and contextual assessments to ascertain the state of technical, commercial and regulatory compliance within the company being assessed.
● Cybersecurity Reference Architectures, Attack Use Case References, and Process and Technology Control References, and;
● Outputs, that include a Security Risk Index, Gap Analysis, Maturity Matrix, and a Prioritized Security Roadmap.


Cyber Security Reference Architectures

Nokia’s SRA has Cyber Security Reference Architectures (CSRA) that are tailored for the specific needs of the company being assessed. The CSRAs consist of several components (see Exhibit 4), including:

● A Cyber Security Strategy Framework, which assesses whether the company is aligned with leadership support for a security led strategy. It also assesses the maturity of cyber security in the organization and its governance, risk and compliance management capabilities. These are complemented with threat modeling and resilience assessments.
● Cyber Defense Capabilities, to assess the company's ability to prevent, detect, recover from, and respond to security attacks. This is supported by an extensive Attack Use Case database that Nokia maintains.
● Process, Technology and Operations, which focuses on the security of network and infrastructure, applications, data and identity and access management. In addition, Nokia has a Transformation Security module, which pays specific attention to security disruptions from cloud, big data, mobility, social media, virtualization and IoT.

Exhibit 4: Nokia has a comprehensive Cyber Security Reference Architecture

[Figure: three pillars resting on a base of Cyber Security and Privacy Awareness.]
● Cyber Security Strategy Framework: Business Aligned and Leadership Driven Strategy | Cyber Security Organization Maturity | Governance, Risk and Compliance Management | Threat Modelling and Resilience Assessments
● Cyber Defense Capabilities: Prevent | Detect | Recover | Respond | Attack Use Cases
● Process, Technology and Operations: Network and Infrastructure Security | Application Security | Data Security | Identity and Access Management | Transformation Security (Cloud, Big Data, Mobility, Social Media, Virtualization and IoT)


Attack Use Case References

Nokia maintains an extensive Attack Use Case Library that fulfils an important role in ensuring that the company is sufficiently protected against known security threats. The Library is an active database that is continually updated as new security threats are identified. These threats are catalogued according to the ITU-T X.805 (X.805) standard to reflect their impact on end-to-end security. The X.805 standard separates complex end-to-end architectures into logical components, to characterize eight security dimensions, in addition to management, control and end-user layers and infrastructure, service and application planes. Nokia’s reference library also identifies the telecom systems and user interfaces, technology layers, and the specific technologies and solutions involved, see Exhibit 5.

Exhibit 5: Nokia Fortifies its SRA with an Expansive and Growing Attack Use Case Library

[Figure: Use Case Library with ITU-T X.805 Classification. The left panel shows the expanding use case library and the right panel shows the classification applied to it.]

Expanding Use Case Library

Telecom Centric Attacks:
Traffic Interception | Passive Listening | Cloning | RAN Outage | IMSI-catcher/Fake BTS | SS7 Entry Point Abuse | Hostile SS7 Location Request | Femto-Cell Based Signaling Attacks | SS7 MSU Bill Artificial Inflation | VoIP Originated SS7 Injection | Web Attacks | Exploit Injection | Information Disclosure | Mediation and Billing Attacks | Billing System Flooding for Prepaid Abuse | Intelligent Network Attacks | Malware | Privacy | Charge Bypass | SMS/VMS Messaging Attacks | MMS Attack | Lawful Interception System Attacks | Reverse Charge SMS Fraud | Prepaid Abuse | SMSC Scanning Discovery and Abuse | Location Based Service Unauthorized Access | HLR Authentication | Flooding VLR Stuffing | Illegal Call Redirection | SMS to MSC Direct Addressing ....

IT Attacks:
Denial of Service | Traffic Interception | Unauthorized subnet access to confidential data | Unauthorized user/device on the network | Log deleted from source | Volumetric DDoS | Unauthorized data capture | Data exfiltration | Unclassified data | Anti-virus failed to clean | Excessive port blocking attempts | Excessive scan time-outs | Malicious websites from multiple internal sources | Multiple infected hosts detected in a subnet | Excessive SMTP traffic outbound | Excessive web or email traffic outbound | C&C communication | Excessive connections to multiple sources | Repeat attack from a single source | Repeat attack from multiple sources | Scanning or probing by an unauthorized host | Scanning or probing by an unauthorized time window | Anomaly in DoS baselines | Reconnaissance | Malware | Privacy | Device out of compliance | Behavior anomaly | Zero-day | Web Attacks | Exploit Injection | Information Disclosure | Anomaly in user access and authentication | Multiple logins from different locations | Multiple changes from administrative accounts ......

Classification

● Dimensions: Communication Security | Non-Repudiation | Access Control | Authentication | Confidentiality | Availability | Integrity | Privacy
● Layers: Management | Control | End User
● Planes: Infrastructure | Service | Application
● Telecom Systems and Interfaces (HSS, PCRF, MME, HLR, eNodeB, GGSN, Gi, Gn, S1, S5, GRX, IPX, IN, Routers, Switches, Servers etc.)
● Technology Layers (access, transmission, core, IMS/IP, OSS/BSS etc.)
● Technologies and Solutions (2G, 3G, 4G, 5G, Fixed Network, IoT Analytics etc.)


Process Control References for Compliance

Nokia's Process Control References evaluate a CSP's compliance with industry standards of practice for security. These Process Control References also incorporate best-practices that Nokia has gleaned from its extensive experience in the field. For this purpose, Nokia has developed its Unified Compliance Framework (UCF), which is illustrated in Exhibit 6.

In total, Nokia has 117 security controls in its UCF. These controls span 13 domains, which are summarized in Exhibit 7 and include security governance and compliance, asset management, network architecture and control, software and application security, data centric security, identity and access management, security monitoring and threat intelligence, security incident and response management, threat and vulnerability management, security aspects in business continuity and disaster response, privacy, third party security and security training and awareness.

Exhibit 6: Nokia's Unified Compliance Framework

[Figure: Nokia Unified Compliance Framework.]
● Test Procedures: Test of Design | Test of Operating Effectiveness | Security Maturity Assessment
● Unique Set of Security Controls: Based on Cyber Security Reference Architecture (CSRA) (see Exhibit 5)
● Foundational Sources and References: CSF | ISO 22301 | CSA/CSM | PCI DSS ENSA | NERC | GAPP | ISO 27001 | COBIT 5 | SOX | ANSI/ISA | ITU-T | 3GPP | DSCI
● Outputs and deliverables: Security Process Compliance Effectiveness | Security Maturity Matrix | Recommendations for Test Procedure Improvements | Recommendations for Security KPIs


Exhibit 7: Nokia's Unified Compliance Framework Controls


Once the UCF domains listed in Exhibit 7 have been identified and assessed, scores for each domain are derived according to the maturity index phases described in Exhibit 8.

The SRA provides practical recommendations, milestones and key performance indicators (KPI) for CSPs to improve their security operations. The recommendations identify, for each control domain, whether the CSP needs to focus on "People", "Process", or "Technology". In addition, the identified security weaknesses are assessed in the context of a CSP's ability to "Prevent", "Detect", "Respond", or "Recover" from security attacks.

Exhibit 8: Security Index Phases of Maturity

● Phase 5, Optimized: Processes have been refined to a level of good practice based on results from continuous improvement and maturity monitoring with other NSPs and enterprises. It is used in an integrated way to automate workflows with tools to improve quality and effectiveness, making the enterprise quick to adapt.
● Phase 4, Managed and Measurable: Management monitors and measures compliance, and proactively addresses inadequate processes. Processes are constantly improved for good practice. There is limited and fragmented use of automation and other tools.
● Phase 3, Defined: Procedures have been standardized and documented and communicated through training. Processes are mandated; however, it is unlikely that deviations will be detected. The procedures themselves are not sophisticated, but formalize existing practices.
● Phase 2, Repeatable but Intuitive: Processes are developed to a stage that similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. Since there is a heavy reliance on the knowledge of individuals, errors are likely.
● Phase 1, Initial: There is evidence that the organization recognizes that issues exist and need to be addressed. However, there are no standardized processes; instead, ad hoc approaches are applied on a case-by-case basis. Management and governance is disorganized.


Case Study: Security Risk Assessment for a Tier 1 CSP in Asia Pacific

Nokia has been conducting SRAs for its customers across the globe. One such customer is a Tier 1 CSP that operates networks in Asia Pacific. The CSP wanted to bring closer alignment between its enterprise and network security, and contracted Nokia because of its security portfolio, SRA solution and specific focus towards the CSP market.

Nokia conducted its SRA using a seven-step process, which is summarized in Exhibit 9. An initial environmental assessment was conducted to determine the project scope, with emphasis towards identifying a statement of applicability (SoA). The SoA defined the security controls within Nokia's Unified Compliance Framework that were relevant to the project.

A design assessment of the SoA was conducted relative to processes and practices followed by the client. The operational effectiveness of applicable security controls was investigated. Vulnerability assessments and port scanning were performed to support the analysis of the security controls, and to establish minimum base-line security standards. In addition, threat modeling was conducted based on the eight security dimensions associated with the ITU-T X.805 standards, shown in Exhibit 6.

At the completion of the project, Nokia published a detailed assessment report, which included high level benchmarks, base-line indices, and milestones and recommendations for future improvements. Although there were 83 security controls for which the CSP was non-compliant, the report recommendations provided clear guidelines for achieving basic compliance and moving the CSP’s security to a higher maturity level.

Amongst the Top 10 recommendations from the Nokia's SRA, tangible and specific guidelines were provided for the following:

● Security policy alignment with relevant global standards.

Exhibit 9: Seven-step process for conducting a SRA project

[Figure: the seven steps of an SRA project, followed by four deliverables.]

Steps:
1. Initial Environmental Assessment and Project Scope Discussions with Client
2. Identification of Statement of Applicability (SoA)
3. Design Assessment of SoA
4. Test of Operational Effectiveness
5. Vulnerability Assessment
6. Minimum Baseline Security Standard
7. Threat Modeling

Deliverables:
1. Key observations along with the impact of non-compliance, root-cause and detailed recommendations
2. Define maturity rating for each of the 13 domains along with the compliance percentage
3. Define the overall Security Index Score for the assessment
4. Define the prioritized security roadmap


● Third party security.
● Security KPIs.
● Governance.
● Network architecture.
● Personnel training and certification.
● Attack detection, and;
● Security incident reporting.

Nokia's SRI revealed that amongst the thirteen security controls, the CSP is at an "Initial" maturity level for twelve, and a "Managed" maturity level for "Security Aspects of BCP/DR". We believe that this is reflective of the maturity level of many CSPs and a compelling driver for CSPs to use Nokia's SRA.

Within the study, operational "Process" was by far the dominant concern, appearing in twelve of the thirteen security controls assessed. The operational activities relating to "People" and "Technology" appeared 5 and 4 times respectively. We believe that the prevalence of “Process” related issues illustrates the difficulties CSPs face with organizational transformation. This strengthens the value proposition for conducting independent assessments, such as Nokia's SRA service.

Conclusion

The frequency, ferocity and sophistication of cyber security attacks will continue to increase for the foreseeable future. Unfortunately, many companies including CSPs have inadequate security, with partial solutions that are unable to reliably detect attacks and respond effectively even once they are detected. Companies must anticipate that they might have already been attacked and don't know it, or will be soon, irrespective of the security prevention measures in place. CSPs are particularly vulnerable as they upgrade their networks with enterprise IT centric technologies, address heightened customer expectations and adhere to strict compliance and regulatory requirements.

With the growing prevalence and sophistication of zero-day attacks, security prevention solutions are no longer adequate and must be complemented with technologies, processes and governance regimes to detect, respond and recover from breaches when they occur, and continually adapt to the threat landscape. This creates complicated operational and organizational transformation demands that are commonly stifled by legacy environments and conflicts of interest. In many cases, these complications can be mitigated through managed services offerings, provided by companies like Nokia.

Nokia is a leading security solution provider for CSPs and recently launched a Security Risk Assessment (SRA) solution within its managed services portfolio. This solution is comprehensive and uniquely positioned to provide tangible insights, indices, guidelines and milestones for CSPs to transform their security operations. A case study analysis for a Tier 1 CSP in Asia Pacific demonstrated that, while the SRA is sophisticated and comprehensive, it also provides pragmatic and achievable milestones for CSPs to migrate towards having optimized security operations. We believe the study results highlight the operational and organizational transformation challenges that CSPs typically face. This strengthens the value proposition of the independent assessment provided by Nokia's SRA. If a similar study had been conducted internally, we believe that some of the key security shortcomings identified in Nokia's SRA would have most likely gone unreported.


About the Author


Dr. Phil Marshall

Phil Marshall is the Chief Research Officer of Tolaga, where he leads its software architecture and
development, and directs Tolaga's thought leadership for the Internet-of-Things (IoT) and
mobile industry research. Before founding Tolaga, Dr. Marshall was an Executive at Yankee
Group for nine years, and most recently led its service provider technology research globally,
spanning wireless, wireline, and broadband technologies and telecommunication regulation. He serves on the
advisory board of Strategic Venue Partners, is an Industry Advisor for Silverwood Partners – Investment Bank, and was
a non-Executive board member of Antone Wireless, which was acquired by Westell in 2012.
Marshall has 20 years of experience in the wireless communications industry. He spent many years working in various
engineering operations, software design, research and strategic planning roles in New Zealand, Mexico, Indonesia
and Thailand for Verizon International (previously Bell Atlantic International Wireless) and Telecom New Zealand.
In addition, Marshall was an electrical engineer at BHP New Zealand Steel before he attended graduate school. He
has a PhD degree in Electrical and Electronic Engineering, is a Senior Member of the IEEE and the Systems Dynamics
Society. His technical specialty is in radio engineering and advanced system modeling, and his operational experience
is primarily in communications network design, security and optimization.
