Near-perfect network availability is one of the most important strategic objectives for mobile network operators, or MNOs, who have supported it with billions in network investment. Historically, with malicious attacks coming primarily through the internet (Gi/SGi), operators' security strategies have focused on protecting known vulnerabilities of specific network elements, interfaces and protocols, but the environment has significantly changed. MNOs now face new malware-based incidents that threaten network availability and subscriber confidentiality. Cybercriminals have become highly sophisticated and can quickly change their malware tools to avoid detection. Attacks are now as likely to come from infected mobile or IoT devices in the radio access network or roaming partners as from the internet.
In addition, operators have witnessed significant changes in traffic, with exponential growth in roaming and signaling. These are new threat vectors with risk of service disruption from malicious actors as well as unintentional events that can overload signaling infrastructure.
Palo Alto Networks® Security Operating Platform includes a comprehensive set of software features that significantly enhance application-layer protection and visibility across all network peering points – at the internet-facing SGi interface, S1 RAN interface and S5/S8 roaming network interface points of presence.
The overall attack surface on mobile operator networks has expanded with increased IoT device connections; small-cell deployments; converged access (i.e., fixed, mobile, Wi-Fi); public and hybrid cloud; shared mobile infrastructure; and the growth of interconnected networks to support roaming (see Figure 1). The evolution from 4G to 5G and to virtualized networks (NFV/SDN) will continue to shift the distribution of traffic across multiple network environments, creating new threat vectors and new opportunities for hackers to exploit.
Sophisticated bad actors can inject malware at an ever-growing number of traffic distribution points and develop new exploitation techniques there, leveraging data and signaling channels to attack subscribers as well as multiple network elements and networks, before the malware spreads and morphs to avoid control or detection.
Figure 1: Rapidly expanding attack surface requires full visibility across all mobile network peering points
As a result, these expanding threats, previously focused on the SGi interface, can now exploit the application layer at other mobile network interfaces, degrading the customer experience and leading to network performance challenges and revenue impact for MNOs. This requires a more comprehensive and prevention-oriented security posture that leverages application-layer visibility.
Cyberthreats have become increasingly sophisticated over time, with attackers perfecting their techniques to attract victims and using multiple application types to maximize their financial gains or harm network availability. Malware is the preferred tool for cybercriminals and thus, together with credential theft, is part of the event chain in virtually every cybersecurity incident.
Attackers can rapidly infect large numbers of lightly protected smart, mobile and IoT devices to leverage them as elements of a botnet, threatening the mobile infrastructure as well as subscribers. Attackers target devices that are largely unprotected, powerful enough, well-connected and generally ignored. IoT devices and smartphones are perfect candidates.
MNOs have traditionally maintained a security posture focused on protecting network elements and defined network perimeters with Layer 3/Layer 4 network security approaches, putting little or no emphasis on preventing application-layer threats or protecting subscribers' endpoint devices.
The known architectural vulnerabilities of 3G and 4G networks have been identified and analyzed by multiple standards groups and infrastructure vendors:
Palo Alto Networks provides a complete security platform with the deepest prevention for all network interfaces, with consistent management and application visibility across the broadest scalability range in a variety of physical and virtual form factors. The platform also includes protections for both control plane and data plane traffic.
Palo Alto Networks Security Operating Platform includes a comprehensive set of software features that work together to prevent successful security breaches and enhance application-layer visibility in mobile networks. All features are deployable across the entire portfolio, including high-performance physical appliances and VM-Series virtual deployments. This enables a consistent security posture across all network points, for all users, applications and locations.
Figure 2: Palo Alto Networks roaming security in 3G and 4G mixed networks
MNOs can leverage application-layer visibility across data and signaling traffic at all network peering points, including:
Palo Alto Networks provides comprehensive, consistent protection, including GTP and SCTP security functions. The Security Operating Platform provides deep application-layer visibility, consistent policy enforcement and identification of already-infected devices. The platform's multilayered approach allows:
GTP stateful inspection also provides visibility into international mobile subscriber identity and international mobile equipment identity – IMSI and IMEI, respectively – which allows data sessions to be correlated to the device/subscriber. This can enable the MNO to identify infected devices engaging in attacks, notify subscribers of infection, and prevent sessions from being hijacked for malicious purposes.
GTP-U decapsulation and content inspection provides the capability to scan the content of mobile subscriber traffic carried in GTP-U tunnels.
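As an added illustration of the two capabilities just described (not Palo Alto Networks code and not part of the original paper), the following Python parses a GTPv2-C Create Session Request to learn the IMSI, IMEI and the bearer's user-plane TEID, then strips the GTP-U header from a G-PDU (including an extension header) and attributes the inner IP packet to that subscriber. Both sample packets are constructed by hand; header and IE layouts follow 3GPP TS 29.274 and TS 29.281.

```python
# Added example (not Palo Alto Networks code): IMSI/IMEI and bearer TEID from a GTPv2-C
# Create Session Request, then GTP-U decapsulation with TEID-to-subscriber correlation.
import struct
IE_IMSI, IE_MEI, IE_FTEID, IE_BEARER_CTX, G_PDU = 1, 75, 87, 93, 255

def tbcd_decode(data):   # TBCD: two digits per byte, low nibble first, 0xF is filler
    return "".join(str(n) for b in data for n in (b & 0x0F, b >> 4) if n != 0x0F)

def walk_ies(buf, info, in_bearer=False):
    """Walk type/length/instance IEs; recurse into the Bearer Context grouped IE."""
    off = 0
    while off + 4 <= len(buf):
        ie_type, ie_len, inst = struct.unpack("!BHB", buf[off:off + 4])
        val = buf[off + 4:off + 4 + ie_len]
        if ie_type in (IE_IMSI, IE_MEI):
            info["imsi" if ie_type == IE_IMSI else "imei"] = tbcd_decode(val)
        elif ie_type == IE_BEARER_CTX:
            walk_ies(val, info, in_bearer=True)
        elif ie_type == IE_FTEID and in_bearer and (inst & 0x0F) == 0:
            info["teid"] = struct.unpack("!I", val[1:5])[0]   # byte 0 = V4/V6/interface flags
        off += 4 + ie_len
    return info

def parse_gtpc(msg):
    flags, mtype, length = struct.unpack("!BBH", msg[:4])
    assert flags >> 5 == 2, "not GTPv2-C"
    hdr = 12 if flags & 0x08 else 8           # T flag: TEID(4) present, then seq(3)+spare(1)
    return walk_ies(msg[hdr:4 + length], {"msg_type": mtype})

def gtpu_decapsulate(pkt):
    """Return (teid, inner_packet) for a GTPv1-U G-PDU, skipping optional/extension headers."""
    flags, mtype, length, teid = struct.unpack("!BBHI", pkt[:8])
    assert flags >> 5 == 1 and mtype == G_PDU, "not a GTP-U G-PDU"
    off, next_ext = (12, pkt[11]) if flags & 0x07 else (8, 0)   # E/S/PN: seq, N-PDU, next-ext
    while next_ext:                           # extension header length is in 4-octet units
        ext_len = pkt[off] * 4
        off, next_ext = off + ext_len, pkt[off + ext_len - 1]
    return teid, pkt[off:8 + length]

def attribute(ctrl_msg, user_pkt):   # TEID->subscriber from GTP-C, then label a G-PDU's inner IP
    sess = parse_gtpc(ctrl_msg)
    teid, inner = gtpu_decapsulate(user_pkt)
    sub = {sess["teid"]: sess}.get(teid, {})   # real deployments keep a per-tunnel table, aged on delete
    return sub.get("imsi"), sub.get("imei"), ".".join(map(str, inner[12:16]))

# Constructed samples: CSR (IMSI 001010123456789, IMEI 356019000123456, bearer F-TEID 0x1234); G-PDU on 0x1234
SAMPLE_CSR = bytes.fromhex("48200031" "00000000" "00000100"             # v2,T | type 32 | len 49
    "01000800" "00010121436587f9" "4b000800" "53069100103254f6"           # IMSI IE, MEI IE
    "5d000d00" "57000900" "80" "00001234" "c0a8010a")                     # Bearer Ctx{F-TEID v4}
SAMPLE_GPDU = bytes.fromhex("34ff001c" "00001234" "00000085" "01000000"   # v1,PT,E | len 28 | ext hdr
    "4500001400010000401100000a00000a08080808")                           # inner IPv4 10.0.0.10 -> 8.8.8.8
```

Calling `attribute(SAMPLE_CSR, SAMPLE_GPDU)` yields the IMSI, IMEI and inner source address for the tunnel, which is the correlation that lets an operator tie a flow flagged as malicious back to a specific device and subscriber.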
These security measures can mitigate numerous malicious events and prevent attackers from causing network congestion or outages that disrupt data and voice services for subscribers and devices connected to these networks.
MNOs will gain expanded visibility across all potential mobile network attack surfaces that impact their networks and subscribers, enabling them to prevent a greater number of potential attacks and extending their ability to respond immediately and automatically as new threats emerge.
Operators need to shift their security priorities to prevention, rather than mitigation. Successful breaches or attacks and other non-malicious events that would impair network or service availability can be prevented. This requires constant, application-level vigilance across the entire network and automated, near-real-time response to unknown threats.
Malware is part of the event chain in virtually every security incident. By stopping malware installation on mobile devices or disrupting its execution if already installed, MNOs can prevent threats to their subscribers and networks.
We are the global cybersecurity leader, known for always challenging the security status quo. Our mission is to protect our way of life in the digital age by preventing successful cyberattacks. This has given us the privilege of safely enabling tens of thousands of organizations and their customers. Our pioneering Security Operating Platform safeguards your digital transformation with continuous innovation that combines the latest breakthroughs in security, automation, and analytics.
Palo Alto Networks Security Operating Platform is a comprehensive, cost-effective offering that helps mobile network operators get ahead of the tremendous leaps in cybercriminal capability to relieve multiple urgent mobile operator pain points.