Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
1 | © 2017 Palo Alto Networks.
Threat Prevention in a Hyper-Connected
5G Environment
Galina D. Pildush, PhD, WW Consulting Engineer, SPTerry Young, Sr. Manager, SP Marketing
2 | © 2017 Palo Alto Networks.
Shared
5G
5G “Boundless Connectivity”
Connected Things
Local Networks, Controllers, & Gateways to transport networks
Connected Networks and Clouds
NFV / SDN
Legacy 3G, 4G
Fixed
Mobile
29Billion# of Global
Connected Devicesby 2022
391Million
Infected Devices @ 1.35% infection
Connected Cyber Criminals
Boundless Opportunity
Ericsson Mobility Report, November 2016
3 | © 2017 Palo Alto Networks.
Who is responsible for securing the mobile ecosystem?
Annual Industry Survey 2017Mobile World Live
40%
Security is the biggest challenge facing operators in 2017.
61%Close to two thirds place the responsibility for securing the mobile ecosystem squarely at the door of operators.
“…For the development of the 5G security requirements, the level of
risk and vulnerabilities dictate a more comprehensive review of security
than has occurred for previous generations of mobile networks…”
The Industry has Recognized the Need to Refocus on Security
Boundless Connectivity and Intelligent Automation
4 | © 2017 Palo Alto Networks.
Evolving Cybercriminal – Less Sophisticated, but better equipped!
Costs
$$
Time
Profits
• Unsophisticated attack• Not financially lucrative, but only work part-‐time• Buy readily available kits and automation tools• Depend on rapid, broad infection with proven
malware
< 6 months time
Source: Poneman Research, “Flipping the Economics of Attacks”, January 2016, sponsored by Palo Alto Networks.
5 | © 2017 Palo Alto Networks.
May 1275 - 150 Countries45k – 300k Systems May 14
230,000 in 1 DayWannaCry
“Intelligent Automation” for RansomwareWidespread reach enabled by automated ransomware and outdated computer systems
$4 Billion Business Disruption
www.cyence.net
6 | © 2017 Palo Alto Networks.
Layer 7 Intelligence+
Context-Awareness+
Zero-Trust+
Inter-Slice Security +
Intra-Slice Security
5G Security
7 | © 2017 Palo Alto Networks.
Layer 7 Intelligence + Context Awareness Prevents Malware Penetration into Providers’ Core
Malware Target Bad Actors
DNS query to C&C site(s)
Return C&C IPs
Instructions delivered infected host
Malware Execution
Malware Domain Lookup
Domain IP AddressVisit Malware Domain
Infect Host Distribution
Malware connects for instructionsC2
vEPCeNodeB
BH
X2
DNS
Connected Things
X
8 | © 2017 Palo Alto Networks.
Layer 7 Intelligence + Context Awareness Prevents Malware Penetration into Providers’ Core (cont’d)
.
.
.
.
eNodeB vMME vHSS
S1-‐MME S6a
UE Attach Request
DIAMETERSCTPIP
Lower Layers
S1-‐APSCTPIP
Lower Layers
Update Location Request/Response
UE Attach Request
UE Attach Request
Update Location Request/Response
Update Location Request/Response
X XConnected Things
9 | © 2017 Palo Alto Networks.
Intelligent Diagnostics
Remote Services
Voice Recognition
Connected Updates
Connected Media
Connected Emergency Assistance
Rear Passenger Aid
Voice Recognition
Intelligent Diagnostics
Boundless Connectivity … Connected Car … Imagine Many Been Hacked Into …
10 | © 2017 Palo Alto Networks.
eHealth … Imagine Many Been Hacked into …
11 | © 2017 Palo Alto Networks.
…
12 | © 2017 Palo Alto Networks.
Network Slicing Concept – It is All About Services
Source: Description of Network Slicing Concept, NGMN Alliance, September 2016, Version 1.0.8
• One network slice could have multiple sub-network instances;;
• A sub-network instance could be associated with more than one network slice instance.
13 | © 2017 Palo Alto Networks.
RAN
vEPCCritical Slice
Network Slicing, Simplistic Perspective …Based on Service Instance(s)
Massive Slice
Critical Slice
Massive Slice...
14 | © 2017 Palo Alto Networks.
• Context-aware Security Inter-Slices• Context-Aware Security Intra-Slice
Context-Aware 5G Requires Context-Aware Security
15 | © 2017 Palo Alto Networks.
5G Security àLayer 7 Intelligence + Context-Awareness + Zero-Trust + Inter-Slice
Security + Intra-Slice Security
Connected Things
Local Networks, Local Controllers, & Gateways to
transport networks
Internet
Gi/SGi Security
Unauthorized or Compromised Controllers
DNSSecurity
Ø Gain Instant Visibility into who/ what devices are infected and what they are infected with!Ø Take Preventative Actions, as reaction will be simply too late… Reaction is too late even in 4G!
Roaming Security
IPX/GRX
RAN Security
AutoFocus™
Connected Things
S-‐GW PDN-‐GW
H-‐PCRFHSS
MME
Threat Intelligence
vEPC
16 | © 2017 Palo Alto Networks.
5G Security MNO + Vendor + User
vS-‐GW
vPDN-‐GW
vPCRFvHSS
vMME
vEPC
17 | © 2017 Palo Alto Networks.
Questions?
MISSIONTo Protect our way of life in the digital age by
preventing successful cyberattacks.
STRATEGIC DIRECTIONTo be the leading independent security company by building the world’s most
innovative and effective security platform.
Palo Alto Networks Unit 42 Threat ResearchPapers and Blog Posts:
• Threat Research Home
• A New Trend in Android Malware
• Ewind – adware in Applications’ Clothing
• Google Play Apps Infected with Malicious iFrames www.paloaltonetworks.com