CABLE MSO AND TELCO USE CASE HANDBOOK

Transcription

1 CALE MSO AND TELCO USE CASE HANDOOK ackground Service providers, including cable multiple-system operators, or MSOs, telecom network operators and other broadband providers, manage and secure multiple networks a customer-facing revenue-producing network, the IT/data center, and the operations and business systems networks. For service providers, all these networks are critical to their business success. Given this criticality, service providers require near-perfect network availability, high performance, scalability and flexibility to a degree not found in other types of enterprise security deployments. More Threats to All Networks Currently, cable and telco network operators are blind to many threats to their complex networks as well as their employees and subscribers. With the scale, complexity and diverse technology they must manage, service providers cannot easily see all areas where threats are entering their multiple networks or from whom. Sophisticated bad actors can inject malware into this ever-growing volume of traffic distribution points, access user devices, then quickly spread and morph to avoid control or detection. With incomplete and uncorrelated threat information often from multiple, separate legacy security systems operators cannot maintain effective security. They must expand and strengthen their security posture and visibility in all these areas. Industry Revenue Growth and Consolidation Subscriber growth has been declining. To sustain profitability, most cable operators have implemented triple-play services fixed television, telephony and broadband internet with many offering other value-added services, such as home security, mobile and others. The next phase of growth opportunity lies in the cost-efficient convergence and integration of these services and the screens from which subscribers access their services. To maintain profitability, cable and telco service providers have also seen significant consolidation of companies, networks and data centers. This has created a multitude of uncorrelated security mechanisms and an unsustainable need to increase manual intervention over time. Palo Alto Networks Security Operating Platform SS Network Workforce management Ordering Customer care illing Performance Status and traffic Utilization Internal systems usiness processes Employee support Employee applications Access and transportation Facilities and operations Transmission Figure 1: Service provider security domains Capacity planning System security Network maintenance Inventory Palo Alto Networks Security Operating Platform provides the highest security efficacy with the broadest range of deployment options and the most comprehensive visibility to help service providers profitably grow and implement strategic initiatives with the strongest security posture. Palo Alto Networks Cable MSO and Telco Use Case Handbook 1

2 Table of Contents ackground 1 Cable MSO Revenue and Customer Support Networks 3 Use Case: Provide Secure Service Delivery Through Protected OSS/SS 3 Use Case: Prevent otnet-ased DDoS Attacks Against s 4 Service Provider s and Data Centers 6 Use Case: Protect Sensitive Data and Critical Internal Operations 6 Palo Alto Networks Cable MSO and Telco Use Case Handbook 2

3 CALE MSO CUSTOMER SUPPORT NETWORKS Use Case: Provide Secure Service Delivery Through Protected OSS/SS The cable industry is undergoing significant transformation to capture new revenue and maintain profitability against new competition and declining subscriber growth. This has included expansion into new services and industry consolidation to provide a seamless experience for integrated voice, data, video, mobile and other services. Challenges Consolidation and growth have resulted in a complex array of multiple diverse, duplicated security systems located across multiple networks, data centers and operations centers. The security of cable MSOs customer-facing support systems, including operations and business support centers, is vital to business success and must support these key business objectives: Reduce Opex and improve service delivery. Simplify customer-facing business processes, such as customer acquisition and service delivery. Increase new revenue opportunity. Leverage all business investments, including security. Maintain customer trust and business integrity. Provide a consistent, secure customer experience. Threats and ulnerabilities MNOs face a multitude of uncorrelated security mechanisms and an unsustainable need to increase manual intervention over time. Specific vulnerabilities include: Security point products don t communicate natively, resulting in silos of security information and making automation difficult to deploy. Machine-based, automated cyberattacks overload security operations centers. Cyber defense that lacks machine-based automation creates more security events than most SOC teams can handle. Scaling with people does not work. Hiring more people in the SOC to ingest more threat intelligence feeds slows down response times for new threats and has become significantly less effective in today s growing threat landscape. Third-party intelligence feeds require manual response. As threats have grown in volume and sophistication, so has reliance on threat insights from a variety of sources. This has been costly both in paid subscriptions and in human capital for threat hunters to handle the review, deduplication, correlation and use of that threat intelligence. usiness Impact Connected devices, many of which will be parts of new service bundles provided by cable operators and delivered through their business and operations systems, are projected to number in the tens of billions by Disruption or compromise of these systems and devices would have a significant negative impact on new revenue. Growth must be managed in a cost-efficient manner with the highest security. Cable service providers need a highly automated, prevention-oriented approach that gets ahead of evolving attacks, provides the strongest security for customer-facing operations and business support systems for new and existing services, and enables them to maximize expansion into profitable, next-generation service delivery. Palo Alto Networks Approach Palo Alto Networks Security Operating Platform provides the highest prevention-oriented security while reducing operational complexity and providing deployment flexibility for rapidly evolving networks. The unique platform architecture reduces administrative overhead and simplifies maintenance of policies and configuration while delivering central management as well as automating threat intelligence collection and distribution. Key enefits SS Network Workforce management Ordering Customer care illing Figure 2: SS and OSS network security domains Capacity planning System security Network maintenance Inventory Using the Security Operating Platform, operators can more cost-efficiently capture revenue growth in new areas while reducing the complexity and cost of service delivery. Palo Alto Networks Cable MSO and Telco Use Case Handbook 3

4 Use Case: Prevent otnet-ased DDoS Attacks Against s otnet attacks constitute a growing concern for cable operators, telcos and other wireline service providers. DDoS-for-hire services have lowered the barriers of entry, in terms of both technical ability and cost, for criminals to carry out botnet attacks. Today, almost anyone can systematically attack and attempt to take down a company for less than US$100. IHS Markit predicts the number of IoT devices will grow from 27 billion in 2017 to more than 125 billion by 2030, making the threat from IoT-based attacks more frequent and impactful. Challenges Cyberthreats have become increasingly sophisticated over time, with attackers perfecting the techniques they use to attract victims and employing multiple application types to maximize their financial gains or inflict damage on network availability. Once malware is installed on millions of smart devices, home routers and other connected things, cybercriminals can leverage the devices both inside and outside the cable operator network to quickly launch attacks against critical, revenue-generating infrastructure. To protect their infrastructure and their own subscribers, MSOs need a preventive approach to on-net distributed attacks as well as protection against infected devices located off-net. Threats and ulnerabilities SS Network Performance Status and traffic Utilization Access and transportation Facilities and operations Transmission Using automated techniques, cybercriminals take advantage of consumer inattention and older, poorly protected infrastructure, such Figure 3: Revenue network security domain as older routers, to inflict damage. For example, In October 2016, a botnet of connected things strung together by the Mirai malware launched a distributed denial-of-service attack against the DNS service provider Dyn, causing internet service outages of many high-profile enterprise accounts. About a month later, the same malware took a different, more evolved tactic and targeted a specific vulnerability in a management interface present in routers used by almost a million customers of a Tier 1 European operator, causing the routers to crash. These two events demonstrate the persistence and rapid adaptability of cybercriminals as well as the possible negative impact of their actions on telco and cable networks. otnet/ddos customers $ $ Attack-as-a-service otnet owner... C&C Mirai botnet infrastructure 3 Notify loader the IPs of vulnerable devices Report Loader ots communicate with C2 servers 2 Report the vulnerable devices to report server 4 Log in to devices by default passwords; download Mirai payload to device C2 Traffic Exploit and malware DDoS victim DDoS attacks... 1 Scan internet for new vulnerable devices 5 Scanning and spreading Infected IoT devices become new bots Figure 4: Mirai botnet infrastructure Palo Alto Networks Cable MSO and Telco Use Case Handbook 4

5 The same techniques can be applied to devices and subscribers within MSO networks. ots are often embedded in devices without subscribers or things even being aware of them. The devices are redirected into malicious websites that load them with malware. Subsequently, a hacker located outside the provider s network typically activates the bots. When analyzing botnets, such as Mirai, there are three opportunities for detection of bots within a network, as illustrated in Figure 4. usiness Impact Attacks against revenue network infrastructure can cause service outages or degradation, impairing service quality as well as impeding operator efforts to improve service and increase revenue opportunities. Although operators have no control over off-net devices initiating attacks against their network infrastructure, early prevention is available for on-net devices through identification and policy enforcement with the Security Operating Platform. Palo Alto Networks Approach Palo Alto Networks enables the detection and prevention of botnets by focusing on the scanning and spreading, command and control, and exploit and malware interactions on the network. Options include: Detection of DNS botnet communication: The Security Operating Platform can be deployed within a strategic part of the network, such as in front of the DNS infrastructure, to ingest DNS requests (in-line or out-of-line) to identify DNS-based command-and-control, or C2, communication for botnet detection. Palo Alto Networks has developed an open source tool Safe Networking that allows the operator to forward the logs to our application, which will provide a threat dashboard that identifies the number of bots, their types and where they are located within the network. Threat detection using WildFire threat intelligence and scanning techniques: The Security Operating Platform includes Wild- Fire cloud-based threat analysis service and IoT honey pot technology to assist with the detection of scanning campaigns within a network. The honey pot sits within the operator s network and draws in botnets as they scan the network. The honey pot information, along with the intelligence gathered from the Palo Alto Networks threat ecosystem, is sent back to WildFire for analysis. The results of analysis are used to improve threat signatures and can provide the MSO with valuable information on how their network is being probed. Detection of exploit and malware activity: The Security Operating Platform can be put in-line in a passive mode for deep packet inspection to detect malicious activity, or in an active mode to block C2 traffic as well as exploit and malware downloads, depending on the amount of bandwidth and the method used to steer traffic to the firewall. enefits to Operators y enabling operators to identify botnets and infected devices prior to their attack, Palo Alto Networks can help the service provider better understand the risks posed, the number of infected devices on the network and where they are located. Armed with this knowledge, service providers, such as MSOs, telcos and other broadband providers, can decide the appropriate protection response. Palo Alto Networks Cable MSO and Telco Use Case Handbook 5

6 Service Provider and Data Centers Use Case: Protect Sensitive Data and Critical Internal Operations Service providers have consolidated companies, networks and data centers to maintain profitability in the face of declining subscriber growth. At the same time, the threat landscape has grown, and internal system breaches that compromise customer and employee data are commonly publicized. Service providers need a more effective, consistent security posture to protect all their critical data, internal operations and data centers before they become victims of attacks. SS Network Challenges The security of service providers operations, support systems and IT infrastructure is vital to their success, and hinges on successful integration with key business initiative to simplify business processes, reduce opex, improve service delivery and maintain customer trust through an impeccable security record. Threats and ulnerabilities Service providers face a multitude of uncorrelated security mechanisms and an unsustainable need to increase manual intervention over time. Specific vulnerabilities include: Security point products don t communicate natively, resulting in silos of security information. Machine-based, automated cyberattacks overload security operations centers. Cyber defense that lacks machine-based automation results in more security events than most SOC teams can keep up with. Scaling with people does not work. Hiring more people in the SOC and ingesting more threat intelligence feeds slows down response times for new threats and has become significantly less effective. Third-party intelligence feeds require manual response. As threats have grown in volume and sophistication, so has reliance on threat insights from a variety of sources. This has been costly both in paid subscriptions and in human capital. usiness Impact Security systems often consist of multiple purpose-built point products for firewalling, URL filtering, IPS and more. This increases operational complexity as well as cost and results in a less effective security posture. Palo Alto Networks Approach Palo Alto Networks Security Operating Platform provides automated and actionable application-layer visibility with consistent prevention and enforcement across all networks, data centers and form factors. The many benefits of the platform include: Increased visibility and intelligence: The platform provides full application-layer visibility across all systems, networks and locations. Comprehensive threat prevention: Our platform ensures threats are stopped, not just detected, whatever their points of origin. More efficient operations, reduced complexity: Palo Alto Networks unique architecture simplifies policy and configuration maintenance, delivering central management, and automating threat intelligence. enefits to Operators Internal systems usiness processes Employee support Employee applications Figure 5: IT network security domain Using the Security Operating Platform, telco and cable operators can ensure confidentiality of customer and employee data while reducing the complexity and cost of service delivery Tannery Way Santa Clara, CA Main: Sales: Support: Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. cable-mso-and-telco-use-case-handbook-uc