1 | © 2017 Palo Alto Networks.

Threat Prevention in a Hyper-­Connected

5G Environment

Galina D. Pildush, PhD, WW Consulting Engineer, SPTerry Young, Sr. Manager, SP Marketing

2 | © 2017 Palo Alto Networks.

Shared

5G

5G “Boundless Connectivity”

Connected Things

Local Networks, Controllers, & Gateways to transport networks

Connected Networks and Clouds

NFV / SDN

Legacy 3G, 4G

Fixed

Mobile

29Billion# of Global

Connected Devicesby 2022

391Million

Infected Devices @ 1.35% infection

Connected Cyber Criminals

Boundless Opportunity

Ericsson Mobility Report, November 2016

3 | © 2017 Palo Alto Networks.

Who is responsible for securing the mobile ecosystem?

Annual Industry Survey 2017Mobile World Live

40%

Security is the biggest challenge facing operators in 2017.

61%Close to two thirds place the responsibility for securing the mobile ecosystem squarely at the door of operators.

“…For the development of the 5G security requirements, the level of

risk and vulnerabilities dictate a more comprehensive review of security

than has occurred for previous generations of mobile networks…”

The Industry has Recognized the Need to Refocus on Security

Boundless Connectivity and Intelligent Automation

4 | © 2017 Palo Alto Networks.

Evolving Cybercriminal – Less Sophisticated, but better equipped!

Costs

$$

Time

Profits

• Unsophisticated attack• Not financially lucrative, but only work part-­‐time• Buy readily available kits and automation tools• Depend on rapid, broad infection with proven

malware

< 6 months time

Source: Poneman Research, “Flipping the Economics of Attacks”, January 2016, sponsored by Palo Alto Networks.

5 | © 2017 Palo Alto Networks.

May 1275 -­ 150 Countries45k – 300k Systems May 14

230,000 in 1 DayWannaCry

“Intelligent Automation” for RansomwareWidespread reach enabled by automated ransomware and outdated computer systems

$4 Billion Business Disruption

www.cyence.net

6 | © 2017 Palo Alto Networks.

Layer 7 Intelligence+

Context-­Awareness+

Zero-­Trust+

Inter-­Slice Security +

Intra-­Slice Security

5G Security

7 | © 2017 Palo Alto Networks.

Layer 7 Intelligence + Context Awareness Prevents Malware Penetration into Providers’ Core

Malware Target Bad Actors

DNS query to C&C site(s)

Return C&C IPs

Instructions delivered infected host

Malware Execution

Malware Domain Lookup

Domain IP AddressVisit Malware Domain

Infect Host Distribution

Malware connects for instructionsC2

vEPCeNodeB

BH

X2

DNS

Connected Things

X

8 | © 2017 Palo Alto Networks.

Layer 7 Intelligence + Context Awareness Prevents Malware Penetration into Providers’ Core (cont’d)

.

.

.

.

eNodeB vMME vHSS

S1-­‐MME S6a

UE Attach Request

DIAMETERSCTPIP

Lower Layers

S1-­‐APSCTPIP

Lower Layers

Update Location Request/Response

UE Attach Request

UE Attach Request

Update Location Request/Response

Update Location Request/Response

X XConnected Things

9 | © 2017 Palo Alto Networks.

Intelligent Diagnostics

Remote Services

Voice Recognition

Connected Updates

Connected Media

Connected Emergency Assistance

Rear Passenger Aid

Voice Recognition

Intelligent Diagnostics

Boundless Connectivity … Connected Car … Imagine Many Been Hacked Into …

10 | © 2017 Palo Alto Networks.

eHealth … Imagine Many Been Hacked into …

11 | © 2017 Palo Alto Networks.

…

12 | © 2017 Palo Alto Networks.

Network Slicing Concept – It is All About Services

Source: Description of Network Slicing Concept, NGMN Alliance, September 2016, Version 1.0.8

• One network slice could have multiple sub-­network instances;;

• A sub-­network instance could be associated with more than one network slice instance.

13 | © 2017 Palo Alto Networks.

RAN

vEPCCritical Slice

Network Slicing, Simplistic Perspective …Based on Service Instance(s)

Massive Slice

Critical Slice

Massive Slice...

14 | © 2017 Palo Alto Networks.

• Context-­aware Security Inter-­Slices• Context-­Aware Security Intra-­Slice

Context-­Aware 5G Requires Context-­Aware Security

15 | © 2017 Palo Alto Networks.

5G Security àLayer 7 Intelligence + Context-­Awareness + Zero-­Trust + Inter-­Slice

Security + Intra-­Slice Security

Connected Things

Local Networks, Local Controllers, & Gateways to

transport networks

Internet

Gi/SGi Security

Unauthorized or Compromised Controllers

DNSSecurity

Ø Gain Instant Visibility into who/ what devices are infected and what they are infected with!Ø Take Preventative Actions, as reaction will be simply too late… Reaction is too late even in 4G!

Roaming Security

IPX/GRX

RAN Security

AutoFocus™

Connected Things

S-­‐GW PDN-­‐GW

H-­‐PCRFHSS

MME

Threat Intelligence

vEPC

16 | © 2017 Palo Alto Networks.

5G Security MNO + Vendor + User

vS-­‐GW

vPDN-­‐GW

vPCRFvHSS

vMME

vEPC

17 | © 2017 Palo Alto Networks.

Questions?

MISSIONTo Protect our way of life in the digital age by

preventing successful cyberattacks.

STRATEGIC DIRECTIONTo be the leading independent security company by building the world’s most

innovative and effective security platform.

Palo Alto Networks Unit 42 Threat ResearchPapers and Blog Posts:

• Threat Research Home

• A New Trend in Android Malware

• Ewind – adware in Applications’ Clothing

• Google Play Apps Infected with Malicious iFrames www.paloaltonetworks.com