As RTC and SIP adoption grows, hackers are preying on vulnerabilities. Enterprises need networked security architecture underpinned by machine learning, says Kevin Riley
IT teams have long been focused on securing data in storage and data in motion, and have invested continuously on ensuring their infrastructure, communications networks, applications and access management control policies are hardened and updated as new threats surface and cyberattacks become more sophisticated and frequent.
Too often, however, these same teams, who are now responsible for all applications, including voice, video, messaging and collaboration platforms, are not aware of the vulnerabilities associated with real time communications (the Unified Communications, or UC, suite of applications, including Voice over IP, Video over IP, collaboration and messaging). Cyber criminals are attacking entire enterprise networks by hacking into real time communications systems, finding “unlocked doors and windows” in otherwise ironclad enterprise computing and network environments.
In a “real time world” it is mission critical to protect the network, endpoints, call flows and media (in addition to applications) to ensure uninterrupted quality of service. It is equally important to protect the entire cloud and computing environment, because cloud communications that lack the proper security software can create pathways into the entire enterprise technology environment. Attacks on contact centers are just one example of what can happen when cloud communications are not fully secured.
Moving UC into the cloud moves the perimeter of enterprise networks, making the perimeter more porous – thus increasing attack vectors. Voice and video calls, for example, will still need to pass from the cloud through your network and vice versa. Remote workers won’t be in your network when making a call using the UC service, however, their media and signaling flows will most likely still traverse your network at some point. And even if a Unified Communications as a Service (UCaaS) provider has encrypted all the media and signaling, there may still be issues.
Most enterprise networks traditionally have been designed to secure incoming and outgoing data communications and not real time communications. Real time communications applications, including UCaaS, differ from purely data-based applications because they use the IP-based Session Initiation Protocol (SIP). Despite all of the benefits that SIP offers, including improved interoperability, scalability and flexibility for creating IP sessions in a network, it is not adequately covered by typical IP data security elements such as firewalls. The complexity of the SIP protocol and the real-time allocation of network flows, which cannot be known in advance, render generalized IP-data security counter-measures inadequate.
As RTC and SIP adoption grows, hackers are preying on vulnerabilities created by a lack of understanding of the risks and the subsequent lack of best practices to address these threats and protect the network. Some bad actors will target SIP specifically for toll fraud or Distributed Denial of Service (DDoS) attacks, but more likely this will be their point of entry for other forms of malicious activity such as disrupting operations, identity theft, financial theft, corporate espionage or supporting other nefarious agendas.
This makes SIP more of a means to an end, and it will be futile to build a security plan that only addresses specific motives or types of hackers. Without proper security on real-time communication networks, enterprises will only have reactive, after-the-fact options when more serious threats strike. Not only can hackers cause financial loss by accessing corporate data and accounts through a SIP breach, but some would not hesitate to use the same breach to launch Denial of Service (DoS) attacks. By constantly flooding the network with SIP messages through that breach, they can disrupt or even shut down operations and, much like kidnappers, will only stop once they have extracted blackmail payments from the enterprise. Even this is no guarantee: once that breach is fixed, hackers may well keep probing your network to find new points of entry, because they know SIP can be highly vulnerable if not properly secured.
And while firewalls protect traditional data, stand-alone firewalls aren’t adequate to protect SIP-based applications. In many cases specific firewall functions must be turned off to enable voice and video to work.
Here’s a common example. To transmit a voice or video call through a standard firewall, enterprises turn off the SIP application layer gateway (ALG) functionality to enable UC services to function properly. Doing so creates a security opening through which cybercriminals can steal data or direct DDoS attacks.
If enterprises want to truly secure real time cloud communications, they need to have a clear and deep understanding of the potential associated threats and this includes having a complete view of their network. They should also possess the capabilities to either mitigate or completely eliminate these threats, while also having the ability to quickly and easily aggregate and correlate their network data. But no single network element can do this alone. What is needed is a networked security architecture underpinned by analytics and machine learning that implements advanced UC threat detection and automated mitigation.
Critical Elements of Secure Real Time Functionality
Following are critical architectural elements to consider for securing real time network functionality.
They include the ability to:
1) Identify and pinpoint Real-Time Communications security threats by using advanced algorithms and machine learning techniques to mitigate attacks from large volumes of unwanted calls coming into the network. While these calls may appear valid, they can tie up or crash mission-critical communication applications such as call centers, IVRs or PBX trunks with long call durations.
2) Quickly spread security policies across network “enforcers” to close the security openings exposed by SIP and Unified Communications (UC). Distributed security policies between Session Border Controllers (SBC) and next-generation firewalls help stop bad actors at the edge of the network, while delivering a more effective and holistic security methodology across the converged data and communication network.
3) Have a single enterprise-wide view of the end-to-end network to identify instances such as repetitive calling patterns to and from anomalous places and flag them in real-time. As more fraudulent calls are made they are quickly identified and blocked, thus mitigating expensive toll charges.
4) Leverage tools such as databases to quickly identify the source of robocalls and apply policies to the edge of the network, stopping these calls before they disrupt customers or employees.
5) Leverage analytics tools for network-wide monitoring, reporting and troubleshooting to quickly identify and mitigate any network anomalies.
For example, establishing a behavioral analytics model of voice, video sessions and IP port activity allows an enterprise to quickly identify and mitigate deviations from this baseline, whether Telephony Denial of Service (T-DoS) attacks, quality of experience issues, toll fraud, or potential data exfiltration.
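The behavioral baseline described above, as an added example that is not part of the original article: a small Python detector over constructed call records that learns each caller's normal call rate and destination prefixes, then flags per-minute call bursts (T-DoS) and repetitive long calls to prefixes the caller has never used (the toll-fraud pattern from point 3). All records, field layouts and thresholds are assumptions.

```python
from collections import Counter, defaultdict

# Constructed call records: (timestamp seconds, calling identity, called number, duration seconds).
# BASELINE_CALLS is the learning period; LIVE_CALLS is the period being monitored.
BASELINE_CALLS = [
    (t, "alice@corp.example", "+14155550100", 120) for t in range(0, 3600, 300)
] + [(t, "bob@corp.example", "+14155550199", 60) for t in range(0, 3600, 600)]

LIVE_CALLS = (
    [(3600 + i, "alice@corp.example", f"+1415555{i:04d}", 1) for i in range(40)]   # 40 calls in one minute
    + [(3700 + i * 20, "bob@corp.example", "+2526555123", 900) for i in range(6)]  # six long calls to an unfamiliar prefix
    + [(3900, "bob@corp.example", "+14155550150", 45)]                               # an ordinary call
)

def learn_baseline(records, window=60):
    """Per calling identity: peak calls per window and the set of destination prefixes seen."""
    per_window = defaultdict(Counter)
    prefixes = defaultdict(set)
    for ts, src, dst, _ in records:
        per_window[src][ts // window] += 1
        prefixes[src].add(dst[:4])  # country code plus leading area digits (assumed granularity)
    return {src: (max(c.values()), prefixes[src]) for src, c in per_window.items()}

def detect(records, baseline, window=60, burst_factor=3, floor=5, repeat=5, long_call=600):
    """Return alerts for call-rate bursts and repetitive long calls outside the baseline prefixes."""
    per_window = defaultdict(Counter)
    unfamiliar = defaultdict(Counter)
    alerts = []
    for ts, src, dst, dur in records:
        known = baseline.get(src, (0, set()))[1]
        per_window[src][ts // window] += 1
        if dst[:4] not in known and dur >= long_call:
            unfamiliar[src][dst] += 1
    for src, counts in per_window.items():
        peak = baseline.get(src, (0, set()))[0]
        for bucket, n in counts.items():
            if n > max(peak * burst_factor, floor):       # well above this caller's normal rate
                alerts.append(("tdos_burst", src, bucket * window, n))
    for src, dsts in unfamiliar.items():
        for dst, n in dsts.items():
            if n >= repeat:                                # same unfamiliar destination, again and again
                alerts.append(("toll_fraud_pattern", src, dst, n))
    return alerts

def run():
    return detect(LIVE_CALLS, learn_baseline(BASELINE_CALLS))

if __name__ == "__main__":
    for alert in run():
        print(alert)
```

In a deployment the records would come from SBC or PBX call detail records, and the alerts would feed the policy push to the network "enforcers" described in point 2.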
With compliance issues over data protection and privacy high on the agenda of customer-facing operations, including the General Data Protection Regulation (GDPR) taking effect in Europe in May 2018, more and more attention is being paid to security across the entire cloud compute and communications environment.
The impending enactment of this significant piece of legislation, along with other recent high profile breaches and a fiduciary responsibility for protecting their customers and their reputations, has already caused many smart companies to pause and plan, to limit their exposure to bad actors who are committed to conducting malicious activities like identity theft, DDoS attacks, Telephony DoS and robo-calling. The benefits of a “cloud first” and someday “cloud only” approach to business communications make the ROI of understanding your network and its vulnerabilities, and proactively securing these exposed areas, well worth it. A “Zero Trust” security posture implies that every enterprise application must be fully secured. Enterprises must ensure that their UC infrastructure is locked down via advanced, networked threat detection mechanisms.