How to Build an Efficient SOC for a Modern Telecom Network
The Diameter signaling protocol is natively more secure than SS7 proved to be, yet it is still exposed to known industry threats.
Securing signaling protocols, however, is just one aspect of telecom security. According to the European Commission report, over 48% of total user hours lost were due to system failures, and hardware failures in particular. Legacy systems no longer cope with the increased loads in a timely manner, nor are they properly hardened to withstand emerging cyber threats.
The above data strongly indicates that telecoms need to get a better grip on security monitoring, as well as implement more proactive defense measures. That is the task a telecom SOC is well-positioned to accomplish.
The Two Types of SOC Service Models
As a dedicated business unit, a security operations center (SOC) uses a mixture of standard operating procedures (SOPs) and technology solutions to monitor, evaluate, respond to, and prevent cyber threats in telecom.
Such units can be established in-house or commissioned "as a service" from a vendor. Building a SOC in-house requires a higher level of cybersecurity maturity, niche expertise, and a budget to match. For example, enterprises with a total security budget of $31 million allocate a third of it to SOC maintenance.
Opting for SOC managed services, on the other hand, eliminates the OPEX costs of setting up operations in-house. Additionally, such operational partnerships provide immediate access to the required telecom security knowledge, as well as to operational best practices and adoption guidance.
The two most applicable SOC service models for telecom are managed SOC and dedicated SOC.
Also referred to as SOC as a Service, the managed SOC model means fully delegating the security operations center setup, from the initial security assessment to SOC architecture configuration, team onboarding, and ongoing maintenance.
A managed SOC unit operates as an on-demand extension of your security operations, fully covering a spectrum of security needs such as:
- L1/L2/L3 support
- Automated threat detection implementation
- Security analytics implementation and reporting
- Custom SOC use cases implementation, based on SLAs
All of the above are approached with SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation and Response) best practices at the core.
Managed SOC is the best fit for local and regional telecoms, as this service model offers the best price-to-value ratio. An experienced managed SOC provider can assist with both technology adoption and staffing.
What you receive:
- Custom security architecture configuration
- SIEM/SOAR toolkit configuration
- Compliance with applicable regulatory requirements (GDPR, CPNI, etc.)
- Security personnel, shared with the provider's other clients
Case in point: Infopulse recently assisted a telecom provider with the introduction and configuration of a SIEM system (Azure Sentinel). After conducting an in-depth assessment of the customer's security architecture, security needs, and existing technology portfolio, our security specialists helped identify the priority use cases for the SIEM and implement them. This has helped the provider rebalance its technology costs and improve security coverage.
As the name implies, a dedicated SOC unit involves establishing a specialized remote unit that covers all of your security tasks 24/7. Unlike managed SOC services, the staff is not shared with other clients and works exclusively for your organization.
Dedicated SOC services are a good alternative to building SOC teams in-house as this model enables:
- Faster access to required talent
- Proactive support with establishing proper SOC service functions
- Standard operating procedures development
- Security architecture configuration and hardening
- SOC staffing levels definition and schedule development
- Supporting implementation and configuration of a technology solution
The above, however, comes at a higher investment. You not only need to build SOC operations, but also to ensure their continued effectiveness. Accordingly, a higher level of operational maturity is required for both establishment and day-to-day oversight. This makes the dedicated SOC model more applicable to larger telecoms, such as national and global corporations that require broader regional coverage.
A dedicated SOC unit can cover a wider range of custom SOC use cases, ranging from baseline support and network traffic monitoring to AI-powered anomaly detection and predictive threat intelligence.
Sample telecom-specific tasks that a dedicated SOC unit can cover:
- SIP systems security and protection against common attack vectors (server impersonation, tampering with message bodies, etc.).
- SS7 network protocol protection (e.g., against Intra-PLMN messages, traffic redirection/interception, etc.)
- SMS fraud cases (such as GT scanning, SMS spoofing, SMS faking, etc.)
- Voice fraud cases (e.g., International Revenue Share Fraud, False Answer Supervision, roaming fraud, number hijacking, etc.).
- VoIP network hardening and protection (e.g., using secure protocols such as SDES, ZRTP, and DTLS).
The definite advantage of a dedicated SOC team is highly customizable, comprehensive security coverage. Apart from getting assistance with the initial SOC architecture and team setup, you also benefit from ongoing recommendations and continuous improvements to your security and customer service levels.
Case in point: To ensure better regional coverage, Deutsche Telekom recently set up a SOC unit in Singapore — its 17th center of the same type. The company reports facing over 42 million cyberattacks per day, with occasional spikes to 60 million. Having such a wide network of SOC units enables Deutsche Telekom to analyze over 2.5 billion security-related events daily, using a mixture of human and AI-powered security resources. Such a setup allows them to perform near-immediate issue remediation and real-time updates to customers.
How to Build a SOC: Business Case for Adoption in Telecom
Telecom understands the importance of data security and compliance like few other industries. It follows that many operators already recognize the need for and value of establishing a SOC unit. However, it is the operational intricacies that slow down adoption. If that is your case, we suggest the following three-step framework.
1. Assess Your Security Needs and Processes
While a SOC covers some aspects of reactive security, it is primarily a proactive cybersecurity unit, aimed at threat detection and early prevention rather than post-attack remediation.
Accordingly, you need to understand where your company stands security-wise before working out the optimal contingency plan. This entails conducting an in-depth IT architecture assessment and formalizing:
- Which critical IT infrastructure protection scenario should be implemented?
- What baseline event monitoring and logging practices have to be in place?
- How should a reactive cybersecurity response plan be executed?
- What threat detection, prevention, and monitoring capabilities do you require?
Additionally, as per ETSI recommendations, it is worth separately determining:
- Target of Measurement (TOM) — the minimum part of infrastructure that should be continuously monitored to ensure operational security.
- Security Assurance View (SAV) — a detailed representation of the measurement results (i.e., how the information on operational security assurance will be reported).
These two definitions should help you create common ground for confidence among all security teams and standardize reporting and communication on security incidents.
2. Create a List of Requirements for SOC Operations
Having identified the security jobs to be done, you need to translate these into specific functions your SOC team will take on.
Most managed SOC vendors propose tiered service coverage plans. Approaching the selection with your own list of requirements will help you select the optimal service package or negotiate custom use cases to avoid gaps in coverage.
Specifically, a list of requirements for SOC should include:
- Security monitoring (e.g., 24/7, real-time monitoring for a list of network components, OSS/BSS applications, environments, and host operating systems).
- Incident management (e.g., specific SLA metrics for initial response time, mean recovery time, etc.).
- Staffing requirements (e.g., the types of cybersecurity roles you are looking to fill, optimal staffing schedule).
- Threat detection capabilities (e.g., SIEM/SOAR implementation on Azure or VoIP threat detection).
- Network hardening requirements (e.g., if you wish to implement extra protection for IoT networks or adopt Software-Defined Networking (SDN), etc.).
Essentially, you need clear requirements at two levels: technological and operational.
Let us dwell on this a bit further. SOC team composition and overall attributes are crucial factors for success. A subpar schedule will result in incomplete coverage and missing security roles.
A well-performing telecom SOC team has to cover four essential roles:
- Security Analyst
- Security Specialist
- Threat Investigator
- SOC Manager
These specialists should have a clearly bounded set of responsibilities, feasible rotation schedules, and receive ongoing training on new operating procedures.
Learn more about the key characteristics of high-performing SOC teams in telecom.
3. Compare Vendors
Once you know what assets you need to protect and how best to do so, return to the SOC service model selection.
Managed SOC services offer the benefit of faster implementation. This option is also better suited for telecoms with lower overall levels of cybersecurity maturity, as you benefit from the vendor's expertise and guidance when it comes to technology selection and the establishment of operating procedures. Operating costs are highly competitive too, since you are sharing rotated staff with other clients. However, this factor may be a deal-breaker for larger telecoms that require more extensive monitoring and complete data/operations isolation as per compliance requirements.
For such organizations, establishing a dedicated SOC unit makes more sense. Plan for a longer setup timeline, but benefit from the unlimited scope of security tasks and SOC use cases the newly established entity can handle. A dedicated SOC is a strong choice for telecoms that require extra local resources and expertise, as well as access to the latest technology tools, without the expense of opening another office in the region.
State-of-the-art security tools alone cannot cope with the alarming volume of daily threats telecoms face today. Cybersecurity in telecom is a balancing act of talent, technology, and proven procedures for locating potential vulnerabilities and closing those gaps before they turn into disruptive breaches. Essentially, that is what a SOC unit delivers.
Contact Infopulse telecom security specialists to discuss different scenarios for SOC adoption. Receive personalized guidance on rightsizing the SOC service model to your type of operations.