DT's Breitbach Discusses Changing Cyber Strategies

Cyber defense is increasingly extending deeper into the network as adversaries find vulnerabilities to exploit at every level. In order to combat those advanced threats, service providers need to change their strategies and tactics, according to Thomas Breitbach, head of the Cyber Defense Center at Deutsche Telekom.

In this Telco Transformation Q&A, Breitbach -- who has more than 20 years of experience in IT and telecommunications security at Deutsche Telekom AG (NYSE: DT) -- talks about cybersecurity threats across mobile devices and within virtualized networks, among other security topics.

Telco Transformation: Your company recently launched a new security operations center (SOC). How does it upgrade the capabilities you have especially in reference to the growing virtualization of telecom networks?

Thomas Breitbach: We want to react quickly to cybersecurity threats. By bringing people and tools -- such as sandboxing technologies, sinkhole analysis and honeypot monitoring together at one place -- we expect the response time will be significantly lower. We have also invested enormous amounts of money in the tools to detect and deter cybersecurity threats. The SOC provides services not only to our own network but also quickly communicates with our customers to stop the threats from spreading.

TT: Emerging threats like zero-day exploits, especially on end-points like mobile devices, have been top-of-mind for mobile operators. These exploits are hard to detect. What are you doing to improve your capability to quickly find them?

TB: We have expanded our sensor network, which we are using for smartphones, desktops and on the devices of our employees. Our cyber defense software looks for anomalous behavior as a sign of potential malicious activity and we analyze the data to determine the impact it is having on the observed devices.

TT: Zero-point exploits often penetrate the network. Do you have sensors embedded there to find malicious software?

TB: We do have sensors in the network also to track any unusual flow of traffic. However, it is very hard to find malicious activity there with countless devices and large volumes of traffic and only a few packets of zero-day code targeting a single or a few devices. The proper way is to look at targeted mobile devices.

TT: Cyber adversaries have been known to penetrate virtual machines in the network and they can masquerade as the trusted authorities of the network to control the flow of traffic in a malicious manner. How do you manage such risks?

TB: Yes, this is, of course, a critical point. We do intense testing to ensure a separation of the control plane from the transport layer that connects us to our customers. I do not recall any case where malicious software could penetrate the border separating the transport layer and the control plane. Similarly, we want to have a border between the management traffic and customer traffic. In short, we want to have borders between the steering logic and the user traffic as far as possible.

TT: Does this affect the functionality or the services you provide to your customers?

TB: No, this does not affect the customer experience.

TT: AI is widely recommended as a means to cope with the scale and speed of emerging cyberthreats. With the data that your sensors generate, are you also able to automate the process of reacting to cyberthreats by activating actuators with the control plane?

TB: Automation is certainly the key to the process. It is applicable when you are sure you do not have false positives. We do have machine learning and artificial intelligence tools in place and we try to integrate them into our security information and event management system. At this juncture, we are not prepared to automate the process of reacting to cyber adversaries, but we are moving in that direction. Meanwhile, we are perfecting our algorithms to ensure that we don’t encounter false positives.

TT: The Mirai attack that disrupted services for 900,000 Deutsche Telekom customers recently is a new kind of threat that evolves continuously and enlists hundreds of thousands IoT devices to mount attacks. How does it affect the cyber defense methods you use to keep your customers secure?

TB: Our router was in the pathway of the attack, the attack overwhelmed it, but it was not compromised. We see IoT associated botnet threats as the most challenging. Many of the connected devices are not patchable or not maintained, and manufactured by small companies who accord priority to time-to-market and are not accustomed to placing sufficient attention on security. We are mulling our options, but I believe that in the context of software-defined networks we will have to quarantine the infected machines. Recent changes in the German telecom law allow us to quarantine. In the past, it was prohibited because the traffic was expected to be delivered.

TT: If you quarantine connected devices, it defeats the purpose of providing connectivity, which could happen frequently. Right?

TB: Yes, that is true, so we will have to do it intelligently. The plan is to quarantine only parts of the network at any given time -- taking out some of the ports while rerouting the traffic to alternative ports.

TT: What did you learn from the Mirai experience for the future?

TB: Mirai was a wake-up call for us and the industry. We recognized the need for advancing our threat intelligence capabilities. Also, we are now aware of the need for manpower to probe the impact on routers and the network overall. Furthermore, we realized the need for upgrading the processes in the network to speed up the response to such attacks. Finally, we now communicate continuously with our suppliers to quickly patch the flaws in the software.

TT: Virtualized networks are believed to provide new means to trap cybercriminals. One example spinning virtual machines up with fake user information or anything else that cyber criminals find valuable to follow their tracks and detect their presence. How effective are such means for cyber defense?

TB: Yes, that is a good tactic. We have a big honeypot network and we are doing this in the open source community as well. We have one thousand different virtual machines for this purpose. We learn a lot from the data exposed by this network about how vulnerabilities are exploited. It also helps us to warn our customers when they are part of a botnet.

— Kishore Jethanandani, Contributing Writer, Telco Transformation