Threat detection is more than a cat-and-mouse game. The Janus-faced task of evaluating and disarming the attackers’ known and unknown strategies has become a vital element of daily work. Once one attack has been fended off, the next one follows swiftly in a modified or entirely new and unknown form. But instead of falling prey to melancholy, how great would it be if everyone in the MNO community promptly shared the information they have accumulated and gave all participants the edge to take defensive measures against attacks, especially since these will probably reach everyone else a few days later anyway? Reducing the attackers’ return on investment is great fun, and for operators it is vital. The GSMA T-ISAC initiative is already helping the industry a great deal, but the way to a safe future is still long and rocky.
POST Luxembourg, the main telecommunications operator of the Grand Duchy, is more than a customer for RoamsysNext. For many years there has been a long and trusting partnership that led to a variety of innovative products and product features that today support customers world-wide. Alexandre De Oliveira is in charge of telecom security at POST Luxembourg and is part of the POST Cyberforce team which has been set up to anticipate and actively fight fraud and security incidents. He has been in the telecom security business for many years, and it’s always such a rewarding experience to talk to him and gain insight into hot topics, especially with new technologies like 5G emerging.
In part two of our interview Alexandre explains the main pain points in fraud detection and exemplifies how global cooperation of operators and information sharing via the GSMA T-ISAC initiative is vital.
In RoamsysNext Insights our experts share their views on extensive industry topics and possible solutions we can offer.
Alexandre, please tell us about your daily challenges. What are the main pain points when it comes to threat detection?
Threat detection has two faces, the known and the unknown. The known includes all the attacks documented by the GSMA in the different Fraud Security documents. When it comes to the unknown, which still makes up most of our daily work, we need to make sure that we find detection strategies that allow us to detect not only what enters the network but also what leaves it without us even knowing if it is an attack or not.
In the unknown, new attacks always come with new patterns or messages that have not been explored before. But it also includes bypassing the known attacks and methods that try to circumvent existing defenses.
Alexandre De Oliveira (left) and Johannes Kaiser (RoamsysNext) at WAS10, Valencia 2019
What are you doing against it?
We overcome the unknown by analyzing the behavior of nodes, creating profiles, and ensuring that they behave like production nodes as we have seen them behave before in the same operator network. This is ultimately a daily challenge for us; attackers and fraudsters are becoming more and more creative when it comes to accessing operator information or committing fraud.
Nobody wins a battle alone
The second important point after all the research and detection we do at POST is sharing, because we will never be able to fight attackers and fraudsters all on our own. We have to do this as a community together with all the operators who are part of the GSMA initiative. Sharing will give us the edge to take defensive measures against attacks that penetrate fellow operators’ networks and that will reach us several days later. Reducing the attackers’ return on investment is key for operators.
One thing we’ve learned when RoamsysNext established the Connectivity Innovation Forum is that cooperation is crucial, especially in unsteady times like these. Since red-hot data has always been the key element to fraud detection and prevention, how do you think information sharing between operators, vendors and a central organization like the GSMA can be increased?
Global cooperation is vital; it’s simply impossible for operators to fight all these malicious actors all by themselves. The colleagues from CIRCL (Computer Incident Response Center Luxembourg) and POST initiated a push towards the GSMA to adopt MISP (Malware Information Sharing Platform) as their telecom security sharing platform. Through combined efforts with the GSMA we managed to have a GSMA MISP instance which is really active today.
MISP is now part of the global T-ISAC initiative (Telecommunications Information Sharing Analysis Centre) to support operators in this cooperation, but it’s still a fragile ecosystem. There are only a few operators contributing to it, which means only the most mature ones.
The challenge today is to raise awareness and ensure that a larger proportion of operators are able to understand and use this information. This is not an easy task, as most operators do not employ telecom security specialists to this day.
The GSMA will have the truly complex task of gathering everyone together on one platform, regardless of the actual geopolitical situation, and sharing vital information. What a journey!
Since 1995, the GSMA has represented the interests of mobile operators, and it also handles industry working groups dealing with roaming and interconnection, fraud and security, and intellectual property. How do GSMA initiatives help the industry in your field advance?
Personally, I consider the GSMA a mirror of operators’ priorities; all published documents are mainly produced by members (operators and vendors). This also means that documents and guidelines will only be published when some of these actors have reached the proper level of maturity on this subject.
It was exactly the case with 2G, 3G and 4G security, but I think that’s changing now with 5G. Everyone has made a commitment with 3GPP (3rd Generation Partnership Project) to ensure that security is embedded in 5G signaling. This was mainly done to avoid repeating the same mistakes of the past and to make sure that the specification properly enforces the right security measures.
Looking at all the new functionalities 5G is bringing, I’m sure we will have a long way to go with all other operators to ensure the security of our future telecom networks.
Thank you, Alexandre, for these fascinating insights. Keep doing great and take care!
Gabriele Lieser joined RoamsysNext in 2020 as Customer Success Manager to strengthen the bonds with our increasing number of customers and to support the marketing team. Gabriele has a strong background in corporate sales. She studied at the Universities of Trier (Germany) and Manitoba (Canada) and is incorporated in the RoamsysNext Client Service team.
How does the GSMA approach cyber security, fraud detection and prevention? Look at the incredibly useful tools and information they provide with the Fraud and Security Group (FASG) and documents on best practice countermeasures.