The magnitude of scale, scope and the corresponding costs of data breaches, denial-of-service attacks and ransomware have all been on the rise. Many of these crimes have been successful at shutting down entire companies for days while extorting millions of dollars as the affected companies struggled to get their systems back online. In 2021 alone:
- HIPAA Journal reported a 331% month-over-month increase in breaches with over five million patient records affected.
- There were over 700 incidents with 457 confirmed attacks on the financial and insurance industries, according to a Verizon Business Report.
- There were 270 confirmed data breaches in manufacturing reported, with 92% of those breaches targeting the companies’ finances, according to the same Verizon Business Report.
Details remain murky on many of these incidents, as victims fear that divulging information about their breach could lead to further incidents. However, most cyberattacks occur across the network, where criminals gain access to a supposedly secure data center. How is this possible when most data centers have secured their networks with the latest software such as firewalls, virtual private networks (VPNs) and monitoring systems? The most technically savvy cybercriminals have added social engineering, spoofing and telephony fraud to their arsenal of hacking tools.
The New Age of Fraud—Two Networks
An example of next-generation fraud came from a group of scammers in Tennessee who used social engineering to trick employees of several companies into helping them steal $500,000 from more than 70 customers. The scammers posed as fellow employees using authentic employee IDs and convinced the actual employees to share vital customer data. With the customer data in hand, the scammers gained access to the customers’ finances, private information and retail accounts. This type of scam cannot be blocked by a standard internet firewall, VPN or any localized monitoring system. Most network security systems have focused on the internet, where firewalls and VPNs are effective, but very little attention has been given to securing voice networks.
Invented in 1875, the telephone and telephone networks have evolved into massive wireline and wireless networks. Growing out of the computer age, the internet emerged in the late 1980s. As the speed of computers and the internet accelerated into the 2000s, voice networks, too, moved onto the internet and became voice over IP (VoIP) networks. Moving voice calls onto the internet made good business and economic sense as part of the digital transformation decade that began in 2010. However, the traffic on the internet is in fact bifurcated into two distinct parts: the original internet data, carried by low-level data transport, and higher-level voice/session data.
Data traffic on the internet consists of transactions, such as file transfers, emails, web surfing or messaging. Session traffic on the internet includes voice, video, streaming and other services that deliver content over time or provide two-way communications. Since the internet was never secure to begin with, several security systems (such as firewalls and VPNs) were created and deployed as a protection layer. Voice networks, on the other hand, were secured from the start by a trusted carrier whose position in the industry was to protect the consumer. Moving session-based traffic such as voice onto data-based networks such as the internet, otherwise known as VoIP, radically moved companies forward into the digital age. But this move to VoIP also exposed the session-based traffic to a whole host of security vulnerabilities and criminal activity, such as social engineering, spoofing and telephony fraud.
Conventional Network Security Misses Voice/Session Breaches
Session-based breaches cannot be detected using conventional internet security tools. Many of the sophisticated abuses mentioned above occur above the internet's transport layer: next-generation criminal behavior manifests in sessions, at or above the session layer. In short: today’s fraudster has added voice calling deception to their repertoire to gain access to enterprise systems. While session border controllers (SBCs) can be expected to block some session abuses, many will go undetected at the edge where SBCs are deployed. And while next-generation firewalls may detect and catch nefarious transactional activity such as denial-of-service (DoS) attacks, larger session-based hacks such as telephony denial-of-service (TDoS) could go undetected. Other session-based crimes include identity theft, nuisance calling and caller ID spoofing. In these instances, basic modeling of network traffic could readily expose either persistent or abnormal behavior of a sending or receiving party.
To protect companies against the unique challenges of session-based cyberthreats, a cloud security service can provide a complete view of all the sessions running through the network over a period of time. Cloud security solutions have the ability to build models of where and how a session-based attack may occur. When a session is attempted that does not fit the baseline model, such as a repeated call from a foreign source or a potential denial-of-service attack from several sources, an alert may be raised or, in certain cases, the session may be completely blocked or captured for further investigation. Capturing all the session data sounds like an impossible task, but voice networks have a legacy of capturing every piece of data in what is known as a “call detail record” (CDR). That data capture capability still exists in the SBCs that process all session-based traffic.
The final problem is where to store all the data and how to build models that take advantage of information not only about one network, but that are continuously built and groomed from many networks and many sources. This is where the cloud is the ideal architecture to store data, build an artificial intelligence (AI) or machine learning model of the network and provide blocking of sessions or capture of additional session information. The cloud modeling of session-based traffic parallels what is already done for basic internet traffic. Cyberattacks that target transactional internet communications, like DoS attacks or fraud, cannot be detected at a single data entry point in the network, but given a global view of the data traffic they may readily be identified and blocked. This is where a cloud security solution may offer greater visibility and the ability to protect a bifurcated network.
To detect and prevent next-gen security breaches, there must be strong cloud-based security surveillance and service with a holistic view of the network to accurately model traffic and identify anomalous patterns. A cloud-based solution provides:
- An architecture for gathering and analyzing network intelligence in the cloud.
- A centralized location to disseminate control of the network out to the edge.
- Secure access to the clouds. Like the telephony networks, clouds have some built-in security functionality such as the secure web gateway (SWG), cloud access security broker (CASB), firewall-as-a-service (FWaaS), SD-WAN and zero-trust network access (ZTNA).
Since cloud intelligence may receive session information from the complete network, a cloud-based session security system has the potential to lock down any network against a vast number of threat types. With edge devices no longer adequate for blocking sophisticated threats, it will be the cloud that becomes home to growing portfolios of machine learning, artificial intelligence and advanced analytics for greater surveillance and control of sessions.
Costs and Risks
Costs and risks will drop significantly when the cloud is used to monitor the network and provide real-time commands to edge devices, and the advantage of software-as-a-service (SaaS) over on-premises systems will become even clearer. Security solutions based in the cloud afford organizations the ability to keep pace with the speed at which bad actors change their attacks. When operating in the cloud, there can be frequent updates to a security service and to its data. Additionally, a cloud-based security system can dynamically grow and get smarter over time, while building a larger database of security intelligence. As “fingerprints” of communications behavior are created, the cloud portfolio of protection will expand and can be shared across companies and even with other cloud-based security systems. This is analogous to machine learning and may be called network learning or communications learning, because the security solution becomes smarter based on past traffic patterns.
If a cloud-based security system had been in place to monitor both internet traffic and session traffic, the Tennessee scamming incident would have ended differently:
- The employer and the employees would have had visibility showing that the calls were actually coming from outside the organization. The receiving employees could have asked for further proof of identification or escalated the call.
- The cloud security application could have readily identified the source and relative threat level of the incoming phone number. While this seems like very private information, there are companies that make this information their business.
- Monitoring and modeling the calls to and from an enterprise could readily expose anomalies such as frequency, duration and time of calls. Calls could readily be assigned risk or threat assessment scores that would put the receiving agent on alert.
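The baseline-and-anomaly modeling described in this list and in the earlier section on call detail records, as an added example that is not the article's own code or any vendor's product: it learns what normal traffic looks like from constructed CDR lines, then scores each new call on source, time of day, duration, repeat frequency and burst rate, raising an alert or blocking the session above assumed thresholds. HOME_PREFIX, the check weights, the thresholds and all phone numbers are assumptions made for the illustration.

```python
"""Baseline scoring over call detail records (CDRs); an added illustration with
constructed CDR lines of the form caller,callee,UTC start (ISO 8601),seconds."""
from datetime import datetime, timedelta
from statistics import mean
HOME_PREFIX = "+1"         # assumption: the enterprise's home country code
ALERT_AT, BLOCK_AT = 3, 6  # assumed score thresholds for the two responses

BASELINE_CDRS = [  # constructed "normal" days: known callers, business hours
    "+15550101,+15550100,2021-06-07T09:12:00,240",
    "+15550102,+15550100,2021-06-07T10:30:00,180",
    "+15550103,+15550100,2021-06-08T16:45:00,300",
]
NEW_CDRS = [  # constructed: a foreign repeat caller at night, then a burst
    "+442079460000,+15550100,2021-06-09T03:00:00,45",
    "+442079460000,+15550100,2021-06-09T03:04:00,30",
    "+442079460000,+15550100,2021-06-09T03:07:00,12",
    "+15550101,+15550100,2021-06-09T09:15:00,220",
] + [f"+1999000{i},+15550100,2021-06-09T11:00:{10 * i:02d},3" for i in range(5)]

def parse_cdr(line):
    caller, callee, ts, dur = line.split(",")
    return caller, callee, datetime.fromisoformat(ts), int(dur)

def build_baseline(lines):  # what "normal" looks like for this enterprise
    calls = [parse_cdr(l) for l in lines]
    hours = [c[2].hour for c in calls]
    return {"known": {c[0] for c in calls}, "mean_dur": mean(c[3] for c in calls),
            "hours": set(range(min(hours), max(hours) + 1))}

def score_call(base, call, recent):  # `recent`: earlier calls, oldest first
    caller, _, ts, dur = call
    checks = [  # (condition, weight, explanation)
        (caller not in base["known"], 2, "source not seen in baseline"),
        (not caller.startswith(HOME_PREFIX), 2, "foreign source"),
        (ts.hour not in base["hours"], 1, "outside baseline hours"),
        (dur < base["mean_dur"] / 10, 1, "abnormally short call"),
        (sum(c[0] == caller and ts - c[2] <= timedelta(minutes=10) for c in recent) >= 2,
         3, "repeated calls from one source"),
        (sum(ts - c[2] <= timedelta(seconds=60) for c in recent) + 1 >= 5,
         4, "burst from many sources (possible TDoS)"),
    ]
    return sum(w for hit, w, _ in checks if hit), [why for hit, _, why in checks if hit]

def triage(lines, base):  # -> [(caller, start, score, action, reasons), ...]
    out, recent = [], []
    for call in sorted((parse_cdr(l) for l in lines), key=lambda c: c[2]):
        score, reasons = score_call(base, call, recent)
        action = "block" if score >= BLOCK_AT else "alert" if score >= ALERT_AT else "allow"
        out.append((call[0], call[2].isoformat(), score, action, reasons))
        recent.append(call)
    return out
```

Run `triage(NEW_CDRS, build_baseline(BASELINE_CDRS))` to see the third night-time call from the foreign number blocked for repetition and the fifth call of the burst blocked as a possible TDoS, while the known daytime caller is allowed.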
The new age of fraud demands the next generation of security. Knowing and understanding how a criminal thinks, having access to solutions that leverage AI and ML and advanced analytics through a cloud security service can help protect both data and session-based network traffic. But the eyes of the cloud have to be on both the internet for basic data flow and the voice network to successfully combat the next generation of fraud.