Cloud protection on bifurcated network security

The scale, scope and corresponding costs of data breaches, denial-of-service attacks and ransomware have all increased. Many of these crimes succeeded in shutting down entire businesses for days while extorting millions of dollars as affected companies struggled to get their systems back online. In 2021 alone:

  • The HIPAA Journal reported a 331% increase in breaches month-over-month, with more than five million patient records affected.
  • There have been more than 700 incidents with 457 confirmed attacks against the finance and insurance sectors, according to a Verizon Business Report.
  • According to the same report, 270 confirmed data breaches were reported in the manufacturing sector, with 92% of these breaches targeting corporate finances.

Details remain hazy on many of these incidents, as victims fear that disclosing information about their breach could lead to further incidents. However, most cyberattacks occur on the network, where criminals gain access to a supposedly secure data center. How is this possible when most data centers have secured their networks with the latest software, such as firewalls, virtual private networks (VPNs) or monitoring systems? The most technically savvy cybercriminals have added social engineering, spoofing and phone fraud to their arsenal of hacking tools.

The New Era of Fraud—Two Networks

An example of next-generation fraud came from a group of scammers in Tennessee who used social engineering to trick employees of several companies into stealing $500,000 from more than 70 customers. The scammers posed as colleagues using genuine employee IDs and convinced real employees to share vital customer data. With customer data in hand, the scammers gained access to customers’ finances, private information, and retail accounts. This type of scam cannot be blocked by a standard internet firewall, VPN or any other localized monitoring system. Most network security systems have focused on the Internet, where firewalls and VPNs are effective, but very little attention has been paid to securing voice networks.

Invented in 1875, the telephone and telephone networks have evolved into massive wired and wireless networks. A product of the computer age, the Internet emerged in the late 1980s. As computers and the Internet accelerated in the 2000s, voice networks also shifted onto the Internet and became voice over IP (VoIP) networks. Moving voice calls to the Internet made business and economic sense as part of the nascent decade of digital transformation in 2010. However, real Internet traffic is divided into two distinct parts: the original low-level transport of data, and the higher-level voice/session data carried on top of it.

Data traffic on the Internet consists of transactions, such as file transfers, emails, web browsing or messaging. Internet session traffic includes voice, video, streaming and other services that deliver content over time or provide two-way communications. Since the Internet was never secure to begin with, multiple security systems (such as firewalls and VPNs) were created and deployed as a layer of protection. Voice networks, on the other hand, have always been secured from the outset by a trusted operator, positioned in the industry to protect the consumer. The shift of session-based traffic, like voice, onto data-based networks, like the Internet, otherwise known as VoIP, has radically moved businesses into the digital age. But this move to VoIP has also exposed session-based traffic to a whole host of security vulnerabilities and criminal activities such as social engineering, identity theft and telephone fraud.

[Figure: conventional network security breaches compared with voice/session breaches]

Session-based breaches cannot be detected using conventional Internet security tools. Many of the sophisticated abuses mentioned above occur above the transport layer of the network: next-generation criminal behavior manifests itself in sessions, or above the session layer of the Internet. In short, today’s fraudsters have added the deception of voice calls to their repertoire to gain access to corporate systems. While session border controllers (SBCs) can block some session abuse, much of it goes undetected at the edge where SBCs are deployed. And while next-generation firewalls can detect and intercept harmful transactional activity such as denial-of-service (DoS) attacks, larger session-based attacks such as telephony denial of service (TDoS) might go undetected. Other session-based crimes include identity theft, nuisance calls and caller ID spoofing. In these cases, basic network traffic modeling could easily expose persistent or abnormal behavior of a sending or receiving party.

To protect businesses against the unique challenges of session-based cyber threats, a cloud security service can provide an omniscient view of all sessions running on the network over a given time period. Cloud security solutions have the ability to build patterns indicating where and how a session-based attack can occur. When a session attempt does not match the baseline pattern, such as a repeated call from a foreign source or a potential denial-of-service attack from multiple sources, an alert may be triggered or, in some cases, the session may be blocked outright or captured for further investigation. Capturing all session data seems like an impossible task, but voice networks have always captured each call in what is called a “call detail record” (CDR). That data capture capability still exists in the SBCs that handle all session-based traffic.

The final issue is where to store all the data and how to build models that take advantage of the information not just from one network, but continually build and refine the model based on many networks and many sources. This is where the cloud is the perfect architecture for storing data, creating an artificial intelligence (AI) or machine learning model of the network, and providing session blocking or capturing additional session information. Cloud modeling of session-based traffic has a parallel in basic Internet traffic. Cyberattacks that target transactional Internet communications, such as DoS attacks or fraud, are undetectable at a single entry point into the network, but given a holistic view of data traffic they can easily be identified and blocked. This is where a cloud security solution can provide greater visibility and the ability to protect a bifurcated network.

To detect and prevent next-generation security breaches, there must be robust cloud-based security monitoring and service with a holistic view of the network to accurately model traffic and identify abnormal patterns. A cloud-based solution provides:

  • An architecture for collecting and analyzing network intelligence in the cloud.
  • A centralized location from which to broadcast network control to the edge.
  • Secure cloud access. Like phone networks, clouds have built-in security features such as the Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), firewall as a service (FWaaS), SD-WAN and zero-trust network access (ZTNA).

Since cloud intelligence can receive session information from across the network, a cloud-based session security system has the potential to lock down any network against a wide variety of threat types. With edge devices no longer sufficient to block sophisticated threats, it is the cloud that will host growing portfolios of machine learning, artificial intelligence and advanced session analytics for increased monitoring and control.

Costs and risks

Costs and risks will drop significantly when the cloud is used to monitor the network and provide real-time commands to edge devices, and the advantage of software as a service (SaaS) over on-premises systems will become even clearer. Cloud-based security solutions allow organizations to keep pace with malicious actors who keep changing their attacks. In the cloud, the security service and its data can be updated frequently. Additionally, a cloud-based security system can evolve dynamically and become smarter over time while building a larger database of security intelligence. As communication behavior “fingerprints” are created, the cloud protection portfolio will expand and can be shared between enterprises and even with other cloud-based security systems. This is analogous to machine learning and may be referred to as network learning or communications learning, as the security solution becomes smarter based on past traffic patterns.

Had a cloud-based security system been in place to monitor both internet and session traffic, the Tennessee scam incident would have ended differently:

  • Both the employer and the employees would have visibility showing that the calls were in fact coming from outside the organization. Reception employees could have asked for additional proof of ID or escalated the call.
  • The cloud security application could have easily identified the source and relative threat level of the incoming phone number. Although this seems like very private information, there are companies that make it their business.
  • Monitoring and modeling calls to and from a business could easily reveal anomalies in call frequency, duration and timing. Calls could easily be assigned risk or threat ratings that would put the receiving agent on high alert.
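As an added example that is not part of the original article, the following Python sketch shows how the call detail records discussed above could be modelled for the anomalies the article lists: a foreign source calling repeatedly, many sources hitting one number in a short burst (the TDoS pattern), a call arriving over an external trunk while presenting an internal extension (the "colleague" ruse in the Tennessee case), and calls outside business hours. Each call then receives a risk rating of the kind the last bullet describes. The CDR rows, number ranges, thresholds and weights are all constructed for illustration; a production system would derive its baseline from historical traffic across many networks, as the article argues, rather than from fixed constants.

```python
"""Toy CDR anomaly model: flag session-level anomalies and rate each call."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# --- Assumptions for this illustration (not from any real deployment) ---
HOME_COUNTRY = "US"
INTERNAL_PREFIX = "+1555010"      # hypothetical DID block owned by the business
BUSINESS_HOURS = range(8, 18)     # 08:00-17:59 counts as normal calling time
WINDOW = timedelta(minutes=10)    # look-back window for repeat/burst detection
REPEAT_THRESHOLD = 3              # calls from one foreign source inside WINDOW
TDOS_THRESHOLD = 5                # distinct sources hitting one destination inside WINDOW
WEIGHTS = {"foreign_repeat": 40, "tdos_burst": 50, "spoofed_internal_id": 60, "off_hours": 15}

# Constructed sample CDRs (CSV). Fields: timestamp, source, destination, duration (s),
# trunk the call arrived on, and the source's country as reported by the carrier.
SAMPLE_CDRS = """\
timestamp,src,dst,duration,trunk,country
2021-06-01T09:02:11,+15550100001,+15550100200,184,internal,US
2021-06-01T09:05:40,+15550100001,+15550100210,95,internal,US
2021-06-01T10:14:03,+15550100042,+15550100200,230,external,US
2021-06-01T10:16:30,+44200000001,+15550100200,12,external,GB
2021-06-01T10:17:05,+44200000001,+15550100201,8,external,GB
2021-06-01T10:18:49,+44200000001,+15550100202,10,external,GB
2021-06-01T10:19:22,+44200000001,+15550100203,7,external,GB
2021-06-01T22:41:00,+19990000001,+15550100300,3,external,US
2021-06-01T22:41:02,+19990000002,+15550100300,2,external,US
2021-06-01T22:41:03,+19990000003,+15550100300,2,external,US
2021-06-01T22:41:05,+19990000004,+15550100300,4,external,US
2021-06-01T22:41:06,+19990000005,+15550100300,3,external,US
2021-06-01T22:41:08,+19990000006,+15550100300,2,external,US
"""


def parse_cdrs(text):
    """Parse CSV CDR text into dicts with a datetime timestamp, sorted by time."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["timestamp"] = datetime.fromisoformat(r["timestamp"])
        r["duration"] = int(r["duration"])
        rows.append(r)
    rows.sort(key=lambda r: r["timestamp"])
    return rows


def rating(score):
    """Map an additive risk score onto the three-level rating an agent would see."""
    if score >= 60:
        return "high"
    if score >= 30:
        return "medium"
    return "low"


def score_calls(cdrs):
    """Walk CDRs in time order, flag anomalies against the look-back window, rate each call."""
    recent_by_src = defaultdict(list)   # src -> timestamps of its calls inside WINDOW
    recent_by_dst = defaultdict(list)   # dst -> (timestamp, src) of calls it received inside WINDOW
    results = []
    for r in cdrs:
        t, src, dst = r["timestamp"], r["src"], r["dst"]
        # Slide the windows forward: drop anything older than WINDOW, then add this call.
        recent_by_src[src] = [x for x in recent_by_src[src] if t - x <= WINDOW] + [t]
        recent_by_dst[dst] = [(x, s) for x, s in recent_by_dst[dst] if t - x <= WINDOW] + [(t, src)]

        flags = []
        if r["country"] != HOME_COUNTRY and len(recent_by_src[src]) >= REPEAT_THRESHOLD:
            flags.append("foreign_repeat")          # persistent foreign caller
        if len({s for _, s in recent_by_dst[dst]}) >= TDOS_THRESHOLD:
            flags.append("tdos_burst")              # many sources flooding one number
        if r["trunk"] == "external" and src.startswith(INTERNAL_PREFIX):
            flags.append("spoofed_internal_id")     # "colleague" arriving from outside
        if t.hour not in BUSINESS_HOURS:
            flags.append("off_hours")
        score = sum(WEIGHTS[f] for f in flags)
        results.append({**r, "flags": flags, "score": score, "rating": rating(score)})
    return results


def alerts(results):
    """Return only the calls an agent or SOC should look at (rating above low)."""
    return [r for r in results if r["rating"] != "low"]


if __name__ == "__main__":
    for r in alerts(score_calls(parse_cdrs(SAMPLE_CDRS))):
        print(r["timestamp"].isoformat(), r["src"], "->", r["dst"],
              r["rating"].upper(), ",".join(r["flags"]))
```

Two design points carry over to a real system: the windows are kept per source and per destination so that a flood against one number is visible even though every individual call looks harmless, and the internal-prefix check inspects the trunk the call arrived on rather than trusting the presented caller ID, which is exactly the signal the Tennessee employees lacked.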

The new era of fraud demands the next generation of security. Knowing and understanding how a criminal thinks, having access to solutions that leverage AI and ML, and advanced analytics through a cloud security service can help protect both data and session-based network traffic. But the eyes of the cloud must be both on the Internet for basic data flow and on the voice network to successfully combat the next generation of fraud.

Kevin M. Risinger