Telcos at the security frontline
Over the years, the range of services offered by telcos has grown rapidly, and in particular there has been increasing interest in providing security services. Telstra and Optus have jumped on this opportunity and have begun offering security-as-a-service (SECaaS), with the aim of combating security threats such as viruses and malware, and detecting and blocking attacks at the network layer. With mandatory data retention becoming a reality for many Australian telco providers, properly securing that customer data is fast becoming a hard requirement for all providers.
As security breaches dominate the headlines, it should come as no surprise that security is a tricky and complex business, and delivering security from the outside has its own set of challenges. In a world where people are used to ordering a service through a quick phone call or the click of a button, it is only natural for customers to turn to what is likely their longest-running and most reliable service provider and ask for additional services like security.
However, security isn't a simple plug-and-play offering like a new phone line. As a result, customers have scaled back on managed security services, doubtful that their telco can offer them security in a way they can actually leverage to be better protected. Although challenging, SECaaS can be advantageous as long as we understand the challenges, the opportunities and a few best practices for delivering the service effectively.
Analyst firm Frost & Sullivan reported that the SECaaS market in Australia and New Zealand earned revenues of $591.6 million in 2012 and has forecasted it to reach $1.61 billion by 2019. According to Frost & Sullivan ICT industry manager Cathy Huang, service providers are looking to bundle security services into cloud and mobility service packages to allay security concerns among enterprises regarding the threat exposure posed by the cloud and mobile devices.
The advantages (and disadvantages) of being a provider
Telcos have a distinct advantage as they can see most of the data passing into and out of a customer’s organisation, while also having the opportunity to host customer services and manage their devices. As a result, they have a great opportunity to gain deep insight into a customer's security posture, and to identify and address potential threats quickly.
Many providers offer standard signature-based detection (network scanners, intrusion detection systems, etc.) on the customer's environment to monitor all the network traffic passing into and out of that environment. But this doesn't necessarily mean that providers automatically understand what all that customer data means or how the customer runs their business, which can hamper the effectiveness of this advantage.
The traditional signature-based scanning and detection offerings of today are becoming less and less effective as attackers' toolkits become more sophisticated and as zero-day exploits become more common. This leads to an arms race that we seem to be losing. Even in scenarios where traditional approaches effectively detect the threat, it does not necessarily mean that the threat response can be handled operationally. In many cases detected threats are lost in the noise, or the people responding to the threat don't know how to respond appropriately. Often the weak point is the hand-off between the provider and the customer: the provider can tell the customer they have a problem, but the customer doesn't know how to react to the information they've been given.
Effective approaches
When it comes to detection, there are limitations to the traditional signature-based point solutions. As a result, tools like behavioural analytics (similar to what is found in an advanced security information and event management (SIEM) system) are being leveraged as an approach that is more resistant to zero-day attacks and can also detect insider threats more effectively.
A second area of interest is big data. The general theme here is to collect all sorts of data into one enormous repository, and then run sophisticated pattern analytics across all that data in a highly distributed mode. This approach can yield some surprising insights, but it is hampered by the complexity and fuzziness of working with such raw data sources.
Combining both behavioural and big data analytics into a useful solution requires some careful thought and consideration. To do this well, the provider must develop a long-term relationship with the customer and an understanding of how that customer does business. This includes simple things like which hosts are on the company network and who works there (and whether this is expected to change or to be fairly static), but it must also include company-level behaviour. Each segment of useful data can inform the analytic engines and improve the accuracy with which they detect real threats.
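To make the point concrete, here is an added example (not code from the article or from any telco's product) of the kind of behavioural check a provider can only run once the customer has shared its context. The host inventory, the staff list, the business-hours window and the log lines are all constructed for the illustration; the rules flag hosts or accounts outside the customer-supplied inventory, interactive logins outside the hours the customer says are normal, and an upload far above what that user has done before. None of these would be caught by a signature.

```python
"""Behavioural baselining informed by customer context.

Added example, not from the original article. The inventory, user list,
business hours and log lines below are constructed for demonstration.
"""
from collections import defaultdict
from datetime import datetime

# Customer-supplied knowledge (constructed): which hosts belong on the
# network and which accounts belong to current staff.
KNOWN_HOSTS = {"10.0.1.10", "10.0.1.11", "10.0.1.12"}
KNOWN_USERS = {"alice", "bob", "carol"}

# Company-level behaviour (constructed): interactive logins are expected
# between 08:00 and 18:59 local time.
BUSINESS_HOURS = range(8, 19)

# Constructed sample log: "timestamp user source_ip action bytes_out"
SAMPLE_LOG = """\
2015-06-01T09:12:00 alice 10.0.1.10 login 0
2015-06-01T09:30:00 alice 10.0.1.10 upload 120000
2015-06-01T10:05:00 bob 10.0.1.11 login 0
2015-06-01T10:40:00 bob 10.0.1.11 upload 80000
2015-06-01T11:00:00 carol 10.0.1.12 login 0
2015-06-01T11:20:00 carol 10.0.1.12 upload 95000
2015-06-01T23:45:00 bob 10.0.1.11 login 0
2015-06-02T00:10:00 bob 10.0.1.11 upload 4000000
2015-06-02T09:00:00 mallory 10.0.1.99 login 0
"""


def parse_log(text):
    """Turn the whitespace-separated log format above into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, action, nbytes = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "src": src,
            "action": action,
            "bytes": int(nbytes),
        })
    return events


def analyse(events, known_hosts=KNOWN_HOSTS, known_users=KNOWN_USERS,
            business_hours=BUSINESS_HOURS, volume_factor=10):
    """Return (rule, user, timestamp) findings, evaluated in log order.

    The upload baseline is built incrementally from each user's own earlier
    uploads, so the first upload for a user is never flagged: there is
    nothing yet to compare it against.
    """
    findings = []
    upload_history = defaultdict(list)  # user -> bytes of earlier uploads

    for ev in events:
        stamp = ev["ts"].isoformat()

        # Inventory checks: only possible because the customer told us
        # which hosts and people are expected.
        if ev["src"] not in known_hosts:
            findings.append(("unknown_host", ev["user"], stamp))
        if ev["user"] not in known_users:
            findings.append(("unknown_user", ev["user"], stamp))

        # Company-level behaviour: logins outside the customer's hours.
        if ev["action"] == "login" and ev["ts"].hour not in business_hours:
            findings.append(("off_hours_login", ev["user"], stamp))

        # Per-user volume baseline: flag an upload more than volume_factor
        # times this user's average of earlier uploads.
        if ev["action"] == "upload":
            history = upload_history[ev["user"]]
            if history:
                typical = sum(history) / len(history)
                if ev["bytes"] > volume_factor * typical:
                    findings.append(("volume_anomaly", ev["user"], stamp))
            history.append(ev["bytes"])

    return findings


if __name__ == "__main__":
    for finding in analyse(parse_log(SAMPLE_LOG)):
        print(*finding)
```

Run against the sample log, this reports bob's late-night login, his subsequent upload of roughly fifty times his earlier volume, and a login from an account and a host that are not in the customer's inventory. The thresholds and the hours window are exactly the "segments of useful data" the article describes: without them the same log lines are just traffic.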
Lastly, it is essential for telco providers to engage in the management of customer-owned devices and software. Solid configuration management, monitoring and patching of customer-owned devices are important, but there are clear benefits in understanding the customer's business and designing services that better match the customer's model.
Customers are not looking for a set-and-forget solution; they are looking for long-term partners to hold their hands and advise them on best practices, future planning and the proactive remediation of issues. Not only that, a large proportion of security breaches are detected by employees, which means that helping customers understand security, and empowering them to share that understanding with all their employees, will lead to greater security overall.