Service Provider Security Challenges–and How DNS Can Help

By David Ayers, Senior Product Marketing Manager at Infoblox

Today’s communications service provider (CSP) networks are evolving to telco clouds spanning private, public and hybrid networks–expanding operational domains across the RAN, cable and core networks, private and public clouds, and Multi-access Edge locations.

With compute and storage moving to the edge to enable new types of service processing and delivery at thousands of new sites, the potential for security threats, both from third-party applications and external attackers, increases dramatically. Operators store vast amounts of personal data and are responsible for the stability of their communication services. The widespread deployment of devices outside the traditional data center footprint also exposes an expanding number of access points and creates a massive threat surface that attackers can exploit. A data breach or service failure resulting from a cyberattack can lead to severe financial and reputational damage or impact on customers–a substantial blow for any company to withstand in a highly competitive market.

While endpoint protection with detection and response capabilities is a must-have, already strained security teams must recognize the signs of an attack no matter in an evolving and growing network. But with more resources deployed at the far edge, operator IT and security teams must manage significantly more pods, VMs—sometimes hundreds at a time, and potentially thousands of containers—in physical, virtual and cloud environments. And while CSP networks have evolved significantly over the last decade, many are forced to support older legacy infrastructure for the foreseeable future. This adds a level of technical and security “debt” that they must carry, adding more vulnerabilities in the network that make it increasingly difficult to defend data and systems from attack.

The phrase “digital transformation” is somewhat cliche, but everything is evolving rapidly. The network that SecOps protects. The number of subscriber devices and things. These continue to develop in the face of an enormous evolution to cloud-native networks. This evolution challenges the team’s ability to eliminate blind spots, reduce noise/false alerts, proactively recognize areas of risk, and execute timely investigation and response activities. But beyond those basics, CSPs are experiencing the same issues as enterprises: insufficient staffing, having to secure a more extensive and expanding network, not enough funding, lack of visibility, uncertain attack surface, and legacy infrastructure.

Operators need tools that give them back time–making them more efficient and nimbler. Tools that reduce security overhead. They need mature cybersecurity solutions that expand their visibility to identify modern threats, shorten investigations, and accelerate efficient incident response.

DNS, with DHCP and IP Address Management (DDI), can help by enabling better threat mitigation. Without DDI, there is no Internet communication. But with effective DDI, you can manage and secure your network better. Every Internet communication starts with a DNS request. Like everything else, malware depends on DNS for communications, which provides an opportunity to detect threat activity other solutions miss. At the DNS layer, DNS can even expose evasion techniques like malicious tunnels, lookalike URLs, or Demand Generation Algorithms (DGA). When threat intelligence and analytics are added to a DNS server, it can block resolution or connection to websites known to be hosting malware. It can also stop data exfiltration over DNS at the source.

IP Address Management (IPAM) provides that “single source of truth” for everything with an IP address. When a new device, VM or container comes online and is given an IP address, that information is stored in the IPAM database. IPAM can keep fantastic attributes that provide context to better describe a device and even a user. Was that server installed in the downtown central office? Was it assigned to Susan from finance? What type of device is it? Is it a VM? A container? IoT? What other IP addresses did that device have in the past? In addition, DHCP fingerprint information provides more context, such as device type, OS it is running, and more. This information is a valuable context that helps your SecOps staff quickly identify which part of the network the activity arises from and if it affects a high-value asset. It can alert SecOps if any suspicious activity is detected; again, knowing the context can help security teams focus on the response.

CSPs have a variety of security tools they employ. However, nothing is as cost-effective as DNS simply because of the reduction in SecOps efforts it provides and the amount of threat intelligence a DNS server can hold and act up (millions). It provides another key benefit. It can automatically share event information with contextual data to multiple vendor platforms like next-generation firewalls, vulnerability scanners, help desk platforms like ServiceNow, or even SIEM or SOAR tools for subsequent analysis and response. Combined, DDI enables a broader and more automated cybersecurity ecosystem that can work in unison to detect and remediate threats, letting security admins gain a jump-start on remediation.

Faced with constantly shifting threat landscapes, technology, and business requirements, Infoblox can help you to grow and adapt without sacrificing security. We do this by providing reliable security visibility, control, and automation for every device, wherever they are. And we can deliver this in a way that helps you receive maximum value quickly, with minimal effort, friction, or risk.

Comments (0)
Add Comment