A New, Revenue-Generating Cloud Service for Telecoms:

Transcription

1 A New, Revenue-Generating Cloud Service for Telecoms: A Proven, Application-and-Content-Aware Telecom Service for Malware Defense, Parental/Employer Web Control, and DDoS Protection By Dan Baker, Technology-Research (TRI) Sponsored by, Allot Communications 1

2 The Cyber-Security Protection of Enterprises and Consumers via an MSSP 1 Service Sad to say, but today s incredible demand for mobile broadband, on-line video, and other communication services doesn t get CSPs excited anymore. There s a very good reason: high demand and growth is a mixed blessing because traditional revenue streams are under siege and it s hard to make a profit. VoIP is causing regular voice revenue to vanish. Apple s imessage, WhatsApp and Facebook s messenger apps are cutting deep into SMS. And greater Over the Top (OTT) competition is squeezing margins as customers opt for free or low-priced OTT services as opposed to higher cost, but better quality telecom ones. But luckily, not all IT/communications developments are working against CSPs. For instance, the surging demand for cloud services should be a golden opportunity for telecoms to make money. Why? Because, when you cut through the hype, cloud is basically about transforming off-line hardware and software into on-line services in the telecom cloud. And that shift will create a whole new generation of telecom revenue streams. Now consolidating functions in the cloud is not just an efficiency play. In some cases, the real-time and anytime/anywhere capabilities of the telecom cloud can deliver a better solution than is even possible in the off-line world, for example: A network solution cannot be bypassed; Application updates are applied much faster in the network. There are almost no delays; A network application can be policy- or regulation-driven. A telecom service doesn t drain the smartphone battery; and, The service can generate revenue for the operator. So this paper will focus on one particularly promising telecom cloud service: cyber security. In cyber security, telecoms are ideally positioned to deliver a better solution. The opportunity here is for telecoms to step up and become MSSPs or Managed Security Service Providers. Now as you well know, cyber security is a huge, well-established market served by many big firms. In fact, according to Gartner, cyber security market is growing at 8.6% and will exceed $73 billion in However CSPs don t need to chase the broader security market, which includes everything from firewalls and intrusion detection to anti-virus and SIEM solutions. They have a compelling alternative: 1 Managed Security Services Provider 2

3 CSPs can focus on three specific services and provide real-time protection from the heart of the communications network: 1. Providing real-time URL filtering to enable: Parents to block access to inappropriate websites for children or to restrict access at certain times of the day (during class time vs. bus time); and Employers to block access to inappropriate or non-job-related websites for employees. 2. Stopping malware downloads to computers & smartphones; and, 3. Mitigating DDoS (Distributed Denial of Service) attacks to protect enterprises. This paper will walk you through these three services; explain how they work and why the telecom as MSSP service has some natural advantages over competitive approaches. In the DDoS protection area, we ve also included a case study from an Asia-Pacific Service Provider, that testifies to the power of the MSSP approach. We will also show why telecom MSSP services are gaining in popularity, earning revenue, and even getting an assist from regulators in certain countries. Parental and Employer Control of Web Access The first cyber security service that telecoms can deliver as an MSSP is parental control for kids and safe browsing for enterprises. Protecting children and teenagers in cyber space is a growing concern. Parents don t want their kids exposed to websites that have inappropriate content and many governments impose their own restrictions on age inappropriate websites (or categories of web sites). Yet the number of digital platforms that can access the Internet has expanded way beyond PCs today to smartphones, tablets, and gaming consoles. So kids have to be protected on all of the new mobile devices as well. ABI Research estimates the global parental control software market was worth $1,044 million in Now such software was adequate in the past because kids would access a family PC that parents had full control of. But today, each member of the family may have his own device to surf the internet, so control is far more difficult. Employers also need to control web access to guard against employees squandering their work hours by surfing the web. Forbes magazine conducted a 2013 survey and found that 64 percent of employees visit non-work related websites daily. Forbes found the majority of workers waste their time on Tumblr, followed by Facebook, Twitter, Instagram, and Snapchat. These distractions are causing a massive loss in employee productivity, so businesses are eager to gain some measure of control. 3

4 Malware Protection Malware downloaded from the Internet is yet another major security threat. Dell/SonicWALL s 2014 annual report on security documents 78 billion post-infection malware hits in 2013 and claims the Android platform is the mobile focus of cybercriminal attacks. Meanwhile, ABI Research estimates the 2013 Mobile Security Services market stood at $1.88 billion. Once again, telecoms are in a great position to serve with an MSSP service and continual updates to a malware threat database in the cloud. Here, solution vendor access third party databases from the large security vendors who provide information about malware that should be blocked. This effectively allows telecoms to clean the traffic to the endpoint. In fact, the best practice is to embed two or more malware databases in the solution to compare the information in one against the other. Communication Service Providers can clean their pipes of malware and protect their subscribers mobile devices. Architecture of a Malware and Parent/Employer Web Access Control MSSP Source: Allot Communications 4

5 Need for a Simpler and More Effective Method for Web Access Control When it comes to smartphones, the most common way to achieve URL filtering and access control is to download a parental/employer/malware control application to the iphone or Android-based phones. However, maintaining the web access control database in the telecom cloud makes much better sense these days because the handset-resident database is never 100% updated, as the number of new websites, malware, viruses, and phishing threats is constantly expanding hourly and daily. Plus, from an operator s point of view, it s hard to support different applications for ios, Windows and the many Android flavors. It s an invitation for provisioning issues and greater calls to the help desk and subscribers not being happy. Yet another key issue is battery life of the mobile phone. Malware and parental control applications have a tendency to drain the battery at a high rate. The answer is a Managed Security service. A telco or cable operator can provide this service today and it s already being offered for a monthly fee by many operators across Europe and America. And CSP are in a perfect position to manage such a service because they know the exact profile of the subscriber or employee. The administrator of the service accesses a web interface to set preferences and specify the content that children or employees are allowed to access. And in the case of the workplace, the employer s web access administrator could even designate certain times of the day when freer Internet surfing is allowed. Multilayer Analysis Intelligent traffic filtering and multiple detection techniques Source: Allot Communications 5

6 DDoS Protection Let s now turn to the mitigation of DDoS attacks, the second leg of an effective MSSP program. It s in this DDoS area where a telecom MSSP service can dramatically improve on traditional approaches to the problem. The reason is simple: the telecom MSSP is integral to the real-time DPI engine that monitors all IP traffic on the telecom network. Not only does this make threat detection faster, once an attack is discovered, the in-line DPI engine can immediately implement a network policy to neutralize the attack. Fast mitigation is simply not possible using traditional security solutions which sit off-line and merely notify the operator when a threat profile match is found in the incoming traffic. And the power of a telecom MSSP is even more compelling when you consider that an application aware system is behavioral it learns on the fly. So it doesn t rely on searching a huge database of known DDoS attack signatures. The telecom MSSP service, then, is flexible enough to detect zero day or never-beforeseen attacks. The DPI system basically traces normal behavior on the network and notices when there s a deviation. And that abnormal behavior could be many things: high traffic volume coming from or to a single IP; a single IP sending queries all over the network; etc. And once it understands where the bot ghosts (or zombies) are coming from, it declares an attack, then automatically blocks that attack on the same pipe that the traffic is going through. In fact, the attack can be stopped even if it s not exactly clear exactly what s there or what the signature of the attack may be. The traffic is simply blocked or throttled at the service gateway while the operator is notified and asked what additional actions it wishes to take. 6

7 The Problem Enterprises Need to Deal With Source: Allot Communications DDoS and Outgoing SPAM Protection Using a Telecom Cloud MSSP Service Source: Allot Communications 7

8 Case Study: DDoS Protection using Telecom as an MSSP Service An AsiaPac telecom has been using an MSSP solution to successfully detect and mitigate DDoS attacks since late This Telecom wholesaler serves carriers, ISPs, and virtual operators. Its case below shows the power of an MSSP service in DDoS protection. a. Costly DDoS Experience using Traditional Security Solutions Back in 2012 the Telecom got a rude awakening to the threat of DDoS. Its network infrastructure came under a severe DDoS attack for a few days; its traditional security appliances routers, firewalls, load balancers, and Intrusion Prevention Systems were quickly overwhelmed. For 2 to 3 days, major clients experienced constant service disruption, in turn, damaging the years of trust the Telecom had built up with its customers. Following this incident, the operator was committed to enhancing its security with a strong, carrier-grade DDoS detection capability. c. Selection Process for a Carrier-Grade DDoS Solution To select the best solution, they did a thorough proof of concept evaluation of several security vendors, each of whom claimed to have carrier-grade DDoS protection. The Telecom soon discovered that performance was lacking in two of the solutions it tested. One solution, deployed at several carriers and featuring a large backlink capacity, failed the carrier stress test when advanced features were enabled. Likewise, a second solution widely deployed at enterprises the U.S. could not scale to carriergrade performance. A third solution was found to be quite good at DDoS mitigation, but was deficient in two other areas. First, while the solution was effective at sampling traffic 10 Gigs or higher, at traffic volumes below 10 Gig, threats would fly over the solution without detection. The second issue was the long time lag between sampling and detection. Since sampling required 30 minutes to detect a threat, the solution could not stop an attack lasting, say, 20 minutes long. Two other general issues the Telecom faced with the commercial DDoS packages it evaluated were their high cost and the long 12 to 24 hours required to insert them into the network. 8

9 d. Strengths of the Telecom MSSP Solution Selected For its MSSP service the Telecom ended up selecting Allot s MSSP solution, ServiceProtector, and that solution has been in full production for two years now. Here is a rundown of what the operator considers the solution s key strengths: 1. Mitigating Small DDoS Attacks The solution is effective at detecting small DDoS attacks whereas competing solutions tested were not. Others were only suitable for large DDoS attacks. The Allot solution does both. 2. Ultra-Fast Detection/Mitigation On average, the operator found DDoS attack packets are surgically mitigated in one to 1.5 minutes while allowing clean traffic to flow. This high speed of mitigation is made possible by the real-time nature of the solution. No other solution they tested could mitigate faster than 5 or 10 minutes since it takes time to sample data from the servers and routers. But with Allot ServiceProtector, in-the-network-anomaly detection and real-time signature creation and policy execution are self-contained in one system, enabling very high speed attack mitigation. 3. Highly Flexible Signature Capability Studying the pattern of the DDoS attacks the system defeated in the past two years, the operator noticed the clever tactics attackers employ. For instance, in some cases, the attackers launch an attack, then stop and disappear. Then 2 minutes later they come to try something else. Then they go away and come back a third time. The design of the MSSP service is especially useful in containing such sophisticated and unpredictable attacks. Signatures are essentially created on the fly from the first attack attempt to the last. Each time a new attack is launched, a new signature is created, so no matter what the attacker does, their tactics are frustrated. 4. Notification of DDoS Attack & Mitigation -- The discovery of a DDoS attack sets off a methodical process of mitigation and notification. First, an is received saying there's a DDoS on the network. Within 27 seconds another arrives saying: the DDoS is active and a traffic signature has been created for it. Then, usually in less than 1.5 minutes, reports the attack has been mitigated and the size of the attack. 5. Discovery of Bots on Customer Networks While the MSSP service was deployed to protect against external attacks, the operator was pleasantly surprised that it also discovered tens of thousands of bots that were affecting customers and launching attacks on other networks. 9

10 The operator sent the list of affected endpoints to its service provider customers so they could identify which endpoints in their networks were launching bot spamming and DDoS attacks. Of course, these service providers considered this information to be highly valuable and the operator is now considering offering such bot discovery as a chargeable service. 6. Protection of Customer Usage Overcharges Overcharging for DDoS traffic can deliver an unpleasant billing surprise for customers. But the MSSP service has proven effective in preventing this. By deploying the solution at the egress point of the network, the DDoS is mitigated before it actually affects the customers. For example, at one broadband provider, the operator was able to stop 98 Gigabytes of malicious traffic from appearing on their network and being billed to customers. 7. Single Vendor Simplicity Because the operator was already using Allot s DPI appliance in its network, the actual insertion of the MSSP service was a simple matter activating the service and testing it out. Today the solution lives in a single, unified platform from a single vendor. 10

11 MSSP as Revenue-Generator and Brand-Enhancer Telecoms are really in a great spot for offering an MSSP service as a paid service for three important reasons: 1. Several operators around the world have already taken the leap and are offering MSSP as a paid service to their consumer and business customers. In Italy, for example, an operator is charging one Euro per month for parental control and malware protection, and a high percent of subscribers have signed up for the service because it s a great value for peace of mind. 2. The public is demanding the service, particularly industrialized countries where subscribers realize that parental controls and malware protection are musthave services. The public has also become aware that handset-level protection is just not as effective in the smartphone era. 3. A network-wide security service is a competitive differentiator. It increases the value of the carrier s brand because they have cleaner pipes. Many operators are advertising the service. They also hope to be seen as socially responsible companies who care about protecting children, keeping the internet safe, and protecting business websites. To generate revenue, operators are using various marketing strategies: Offering security as a low cost per subscriber to encourage mass market adoption. Offering a security package add-on to all existing pricing packages. Delivering security as part of a premium service Upselling the security add-on when subscriber either calls the service center or is connecting to new data service. Regulators are pushing for MSSP Services While MSSP services are already generating revenue at several operators worldwide, in some nations, the regulators have actually mandated the service. In the UK, for example, the British Parliament recently enacted a law requiring ISPs and carrier to offer a parental control service. Turkey, as well, legally requires telecoms to offer such a system to clean the traffic and have each subscriber buying a phone decide what category of parental control he or she wants. Clearly the best strategy is for operators to get proactive. Better to offer the service to protect children now and start collecting revenue for it. Otherwise there s a good chance lawmakers will legislate over their heads and force operators to offer the MSSP service anyway for free: this is precisely what happened in the U.K. 11

12 P/N D Summary To conclude, then, we ve seen that a telecom MSSP can be an effective cyber security solution in three key areas: anti-malware, parental/employer web access control, and DDoS defense. To summarize our conclusions: For malware and parental/employer web access control, the telecom cloud is more efficient than trying to manage and update mobile handset and desktop applications across many operating systems. From an operator s point of view, an MSSP service is far simpler and more scalable because the solution is self-contained in the network. In fact, the same DPI system that monitors the network at the service gateway can provide the MSSP service without the need for any additional probes or hardware. And finally, the solution is gaining traction at telecoms around the world who recognizing it as a money-making service that is both socially responsible and a competitive differentiator. About Allot Communications Allot Communications Ltd. is a leading global provider of intelligent broadband solutions that put mobile, fixed and enterprise networks at the center of the digital lifestyle and workstyle. Allot s DPI-based solutions identify and leverage the business intelligence in data networks, empowering operators to analyze, protect, improve and enrich the digital lifestyle services they deliver. Allot s unique blend of innovative technology, proven know-how and collaborative approach to industry standards and partnerships enables network operators worldwide to elevate their role in the digital lifestyle ecosystem and to open the door to a wealth of new business opportunities. About Technology Research Institute Dan Baker is Research Director of Technology Research Institute (TRI), an analyst firm that has been following telecom software markets since Baker is editor of TRI s online magazine, Black Swan Telecom Journal. He also writes the Dan Baker Blog for Billing and OSS World and industry reports for Vanilla Plus. For 20 years TRI has authored dozens of syndicated reports, its latest, a 574-page study entitled, The Telecom Analytics & Big Data Solutions Market Technology Research Institute (TRI). This white paper was prepared on behalf of Allot Communications. The views and statements expressed in this document are those of Technology Research Institute and they should not be inferred to reflect the position of Allot Communications. The document can be distributed only in its integral form and acknowledging the source. No section of this material may be copied, photocopied, or duplicated in any form by any means, or redistributed without express written permission from TRI. While the document is based upon information that we consider accurate and reliable, TRI makes no warranty, express or implied as to the accuracy of the information in this document. TRI assumes no liability for any damage or loss arising from reliance on this information. Trademarks mentioned in this document are property of their respective owners. Diagrams created by Allot communications. Cover Page photo by istock.com 12