Safeguarding telecoms with next-generation cybersecurity

Guy Daniels, TelecomTV (00:04):
Hello, you are watching TelecomTV, I'm Guy Daniels. And on today's program, we are going to explore the fast-changing cyber threat landscape facing communications service providers and examine how zero trust, security, and vendor approaches are shaping the industry's defenses. Well, joining me to explain more are Bob Titus, who is Chief Technical Officer for Netcracker, and Sam Visner, Security Director at Netcracker. Well, it's good to see both of you. Thanks so much for taking part in our program today. Sam, let me put my first question to you. What new threat vectors have emerged in the past two to three years that are changing the cyber threat landscape in the telecoms industry?

Sam Visner, Netcracker (00:59):
Telecom, thank you, Guy. Thank you for an excellent question. The threat landscape really has changed in the last few years, and it's changed in a couple of ways. The first is that we are seeing what we call the rise of advanced persistent threats. Now, the term advanced persistent threat or APT is not new, but there's an aspect of it that is, I think, somewhat different and far more alarming and dangerous than it was. The advanced part talks about the advanced technology that adversaries are using. Persistence describes really connotes the presence of nation state actors and organized criminals that treat a network, that treat a target as a formal intelligence target. They attack it, they exploit it, they build, they do reconnaissance and build exquisite intelligence about it. They are essentially treating a telecoms carrier, a telecoms provider, a communication services provider as a formal intelligence target.

(02:07):
And in doing so, they're demonstrating that they have the discipline and the resources, the formal tasking, the intelligence requirements of a foreign intelligence service. And that takes us to the second point. As the world has moved into this era of great powers competition, we are seeing a redoubled effort by authoritarian regimes to understand, conduct reconnaissance of, to penetrate and to exploit communication services providers as part of their national security and foreign policy objectives and strategies. So when we look at some of these countries, particularly the more authoritarian ones, we're seeing countries that are treating attacks on the cybersecurity of telecoms companies of telcos as part of their nation state strategy to confront the United States, to confront NATO, to confront our partners and allies with whom we share values and interests in ways that we had not seen since really the end of the Cold War when the telecommunications industry was really quite different than it is.

(03:20):
And therefore, we're seeing efforts to penetrate critical infrastructure like telecommunications, which is considered to be a critical infrastructure sector in Europe, in Japan, in the United States, to penetrate them and preposition malware and exploitative malware within those infrastructures, both as part of competition and potentially as a prelude to conflict. This rise in geopolitical confrontation and competition has witnessed therefore a rise in the sophistication, in the discipline, the persistence and the overall energy that potential adversaries are putting into exploiting communications networks. So while something like Volt Typhoon is used to penetrate and preposition malware in communications networks, Salt Typhoon is being used to target those networks and target high value targets very specifically. And these are phenomena that no telecommunications services provider can afford to ignore. Thank you, Guy.

Guy Daniels, TelecomTV (04:33):
No, thank you, Sam, for clearly defining the seriousness of the threat landscape. And given this, can I also ask you, what are the key limitations of today's legacy perimeter-based security models in addressing these sophisticated new threats?

Sam Visner, Netcracker (04:53):
Thank you. Again, an excellent question. There are several limitations. The first is that our adversaries really do have very sophisticated means ranging from brute force approaches to artificial intelligence, to probe perimeters, find things that are not patched, to find and exploit weaknesses and vulnerabilities. And second, they're working very hard to penetrate with human beings these networks. We've seen reports about North Korea, IT service IT workers who are coming on contracts, some of them in the West, finding ways to become workers within the estates of information technology companies. So the legacy perimeter-based defenses that have been deployed are not necessarily sufficient, both because of the insider threat that has been building as well as through phishing and spear phishing and smishing and other mechanisms to exploit human weaknesses, as well as more sophisticated approaches ranging from brute force attacks to AI-based attacks to probe the perimeters and the defenses.

(06:07):
So the fact that your signatures for your antivirus are up to date doesn't necessarily protect telco from an advanced persistent threat that has a zero day exploit associated with it that hasn't been seen before. Because a zero day is in fact hitting you on zero day. There may not be an existing or known signature. So one has to have a defense in depth approach that doesn't just rely on the perimeter. Things like zero trust, better insider threats, better identity and access management, the use of AI to be probing internally for anomalous behavior. And I think we'll be discussing some of that in subsequent comments in this conversation, Guy.

Guy Daniels, TelecomTV (06:56):
Thanks, Sam. And yes, we will indeed pick up some of these themes later. Bob, turning to you now. Can you explain why BSS/OSS systems are a prime target for hostile nation states and organized crime?

Bob Titus, Netcracker (07:12):
Sure, Guy. Well, as Sam said, nation state actors, bad actors, they want to be able to control and disrupt communications and communication service providers' ability to provide critical infrastructure to their nation. So BSS/OSS systems control those networks and control the communication services. So they are prime targets for that. As Sam said, a prelude to physical conflict going forward. The first attack will be cyber to try and bring down communications infrastructure to try and disrupt it, disrupt the ability to communicate across government agencies. All of that is the target of nation states. The other aspect is really the data. Nation states certainly want to know where politicians are in terms of geolocation. They want to know who they're calling, all those call detail records. And organized crime is very interested in the data as well that's held by these BSS and OSS systems. They want to know people's SIM card, they want to know their telephone number, they want to be able to steal identities if they can duplicate a SIM and steal a SIM for a phone.

(08:31):
Most people's multifactor authentication receives codes on their phones. So if they can steal that, they can steal your multifactor authentication and then access your bank or access your credit cards. It's big business both at the nation state level and at the organized crime level. They're going after data, they're going after control of the networks, they're going after the ability to disrupt. And for service providers, many of them have hundreds and in some cases thousands of BSS and OSS systems. So the threat landscape is very large, and that landscape extends beyond the service provider borders to cloud providers, to vendors, to other partners. So it's a very wide ecosystem that needs to be protected both from hostile nation states as well as from organized crime.

Guy Daniels, TelecomTV (09:29):
And if I can ask a follow-up question here, Bob, you've explained how we already have a very wide threat landscape, but now we also have AI. So how is AI introducing new threats to operators' infrastructure, and what exactly are the threats that are emerging?

Bob Titus, Netcracker (09:50):
Great question, Guy. There are three main areas that AI is sort of making the problem a little bit worse. First of all, AI can react dynamically in terms of an attack. So if a hostile nation state or organized crime is using AI, they can probe a service provider's network or system defenses, look for weaknesses, and then have AI dynamically determine what type of attack vector to take and how to exploit the weaknesses found. So that's the first area. The second thing about that is it allows nation states and organized crime to scale cyber attacks very quickly. So they can have lots of agents, AI agents running and constantly attacking without human intervention. Another area that's very important, Sam mentioned phishing and smishing and those types of attacks. AI can imitate people now. They can imitate their voices, they can imitate their images, their faces, and all of that can be used to make phishing attacks even more targeted, more accurate if they can duplicate a leader's face and voice asking for information requesting that they do something.

(11:17):
This is obviously a threat. People are finding it harder and harder to tell the difference between what's real and what's AI. Last but not least, service providers like every other organization are looking to use AI to increase their internal efficiency and leverage it as a tool within their organization. What that means is data that's in these OSS and BSS systems is really being democratized, right? You have lots of voice and text interfaces to get at that data through AI systems. Those AI systems are communicating to public large language models. So now that threat landscape is even broader. You need to protect that data as it's traversing across different AI systems as it's being sent out to public LLMs. So AI has really created another attack vector for these nation states and organized criminals, and that's an area that we need to focus on to protect as well.

Guy Daniels, TelecomTV (12:20):
Thanks, Bob. Well, a question now to both of you, and let me first address this to Sam. This is picking up on a comment that we heard earlier. How should we approach zero trust security across the full lifecycle and ecosystem?

Sam Visner, Netcracker (12:38):
That's an excellent question, Guy. And the answer that I'm going to provide is it really represents somewhat of a challenge in that we need to have zero trust, I think, within the estate, within the enterprise to be sure that we know who is supposed to have access to what resources and that we do a good job using a good zero trust architecture to mediate access, to mediate access to those resources for specific people within the enterprise. But I would extend this to both an opportunity. Bob talked about the challenge of AI. AI may also be useful, and I wrote a paper on this some time ago. AI may also be useful enabling, empowering a zero trust architecture in speeding the decision about whether or not Guy or Bob or Sam should have access to this specific resource. AI can learn whether or not that access is valid, whether or not that access is being used correctly and can ease the administrative burden on a network that's using AI.

(13:50):
That I think is an opportunity. Now here's a challenge. One of the problems that we have today is the supply chain challenge. Where does our hardware and software come from? A lot of work is being done on this, but one of the questions that has to be asked is what do we know about the security of the development environment of the software that we consume? It's one thing to do a good job of vulnerability testing of the software that we produce for ourselves within a company of the BSS and OSS systems that we produce and we deploy. But you also want to know something about the security of the software, of the development environment of your provider. And this is a problem that we've seen a number of companies have consumed software, software from well-known software providers, companies that are doing everything from network management to office automation, and have found that some of what they have consumed has had vulnerabilities that have been exploited by adversaries.

(14:57):
So one question I would ask is, what do you know about the zero trust architecture that is being employed, not just by yourself, but by the companies that are providing the software that you are consuming and that you are deploying? The last zero trust challenge that I would raise is this. Today we have many environments that are hybrid environments. Think about the coming of smart cities where you have telecommunications and cloud services and transportation and energy systems all co-mingle there. It's going to be important to understand who has access to resources that you may not control yourself for which you may have a shared responsibility. So in those instances, I think that having a zero trust architecture is particularly important because that architecture is going to have to be carrying some of the burden that in the past an internal security management organization would have to carry. Instead, in an environment in which several different actors are going to be responsible for securing thousands of resources and hundreds of thousands, if not millions of endpoints, a zero trust architecture can go a long way towards sharing that approach and giving us some assurance that the right people are touching the right resources for the right reason. But again, I think AI can enable this and make a zero trust architecture far more efficient, and I'm looking in the future to see the kinds of research and development requisite to making that happen. Thank you, Guy.

Guy Daniels, TelecomTV (16:40):
Thank you, Sam. And Bob, what's your advice and recommendations on zero trust security?

Bob Titus, Netcracker (16:49):
Well, there's two things. One is, as Sam outlined for all the right reasons, zero trust is a very important journey that service providers must go on to make sure that the right people are accessing the right things, and you have the right security controls in place across the enterprise. But I would take it a step further and say zero trust is just one piece. It's not the end all be all. We can't rely on technology alone and architectures alone to secure us. So in addition to zero trust, we need to look at where are the weak points? Do you have the right processes? Do you have the right teams in place from a security perspective to secure the enterprise? I think there is a lot of work being done on the AI front. I think there's a lot of work being done on the systems front, but the reality is these service providers have a lot of old systems that haven't been upgraded yet, and that's always going to be true. So there's always going to be weak links in the chain, whether those are supply chain links or links internally within the organization in terms of older legacy systems, older technologies that just aren't as secure. So any service provider, any vendor in this space needs to look at where are the weakest links and how are you mitigating that risk? Zero trust architecture helps with that, AI helps with that, but that analysis is critical to ensure you know where your weak points are and what you're doing to address those.

Guy Daniels, TelecomTV (18:26):
Thank you, Bob. How is Netcracker working with national authorities to mitigate these threats? Sam, can I come to you first and find out what Netcracker is doing in the US market?

Sam Visner, Netcracker (18:41):
Well, thank you, Guy. Thanks for that question. Within the United States, Netcracker has joined the communication sector coordinating council in the US. Each critical infrastructure sector has an industry-led sector coordinating council that works alongside with and in concert with US national authorities, with the Department of Homeland Security and other authorities. We are a member of the communications sector coordinating council, and in fact, I serve on the executive committee of the council. So we have shared with us from the government reports about adversary activity. It's shared with us very quickly. We can share that with each other. We have means to communicate with the government regarding what we're seeing. We receive routine briefings and presentations from various government agencies and authorities about what they see happening and what they think might be happening in future. This allows us to couple the work that we're doing, our framework, our architecture, with a broader understanding of the external threat environment, one that affects the entire industry and one that our national authorities believe is important to protecting critical infrastructure. And this is part of the company's overall commitment to work effectively with national authorities, including those in the Far East and in Europe under NIS2. And Bob can walk you through our understanding of the requirements of NIS2 and the framework that we've developed to respond.

Guy Daniels, TelecomTV (20:10):
Thanks, Sam. So let me ask, Bob, how are you working on a global basis with government agencies and authorities?

Bob Titus, Netcracker (20:22):
Sure. There's two important aspects. One is to understand the legislation happening in those countries. So we have customers all over the world. There's communications infrastructure legislation and regulations being put in place in the UK, in Europe, all over the world. So first of all, we need to understand what those regulations are. And secondly, and equally and importantly, we need to partner with our service provider customers. And we're doing that all over the world, understanding what are the local regulations, what is the government expectation around security? And then how can we help the service provider meet those standards, implement those controls, how can we work with them to make sure that our controls and our operations are supporting their regulatory commitments in giving them the assurance that their end-to-end security is going to meet what's required by the government. In many cases, we meet with governments, we tell them about our security practices.

(21:27):
We provide recommendations both to governments and to our service provider customers to make sure that as we move forward, we are coordinating and addressing these threats across the entire ecosystem because that's really important. It's not just the government, it's not just the service provider. It's not just the vendors in the ecosystem. All of us have to work together to secure the data, to secure the infrastructure and make sure that the regulations are going to meet the needs, but as well make sure that the service providers can actually live up to those regulations in a smart and effective way.

Guy Daniels, TelecomTV (22:09):
Well, we've just got time for one more question. Given the ever-evolving threat landscape, when CSPs are choosing a BSS or OSS vendor, what approach to cybersecurity do they need? Bob, can you tell us why Netcracker's approach to safeguarding communications infrastructure is the most appropriate?

Bob Titus, Netcracker (22:32):
Sure. Service providers depend on Netcracker, not only for software, but in many cases to deliver and configure that software and to operate that software. So they need to understand that they can trust that entire life cycle to secure their data, to secure their infrastructure, to secure their services. So at Netcracker, we've approached it in a holistic way, and I think there are four key things that we've done that really make a difference. The first and as always, is having the right team. So we built a global security organization with skilled resources that are looking at zero trust architectures, that are looking at AI, that are putting security controls in place and operations to make sure that we're secure across the enterprise, and that team interfaces to our service provider customers to make sure that the end-to-end security is well accounted for and continuously improving. The second thing we do is we use the right framework.

(23:35):
So we use NIS2 to make sure that we are taking the right holistic approach across our people, our processes, our technology, everything about our operations from an end-to-end perspective is accounted for from a security perspective. And that goes for data centers, network infrastructure, hiring, all of the aspects associated with a large enterprise. The third thing we've done is we've made the right investments. We've invested in a secure software development lifecycle. We've invested in secure project delivery. We've invested in having the right operations capabilities in terms of incident management, in terms of patching. All of those aspects require investment. The other thing we've done is we've looked at how do we create a secure enclave, and we've created multiple of those to protect our customers' data and the way we interact with our customers. And that's very important because as I said, the nation states, the organized criminals, they're after the data and they're after control of those systems.

(24:46):
So setting up those secure enclaves has been very important. Last but not least, the fourth thing is we have the mindset that security is never complete. It's never done. We have to be able to react in real time. There's always going to be new threats. And I'll give you two very real examples. So there was a ransomware attack that was able to shut down endpoint detect and response agent on a server. That is something that you have security controls in place, but if they bypass those controls, then what do you do? You have to be able to react in real time. You have to be able to avert the threat, shut it down, and make sure you take corrective actions in real time. So that's an area we've invested heavily in. Another even more important example, as Sam pointed out, a lot of these nation states and organized criminals, they're not necessarily hacking in anymore.

(25:49):
They find it much easier to steal credentials, and then they have authenticated access into your network, authenticated access into your systems. So you need to be able to dynamically assess what's happening in your environment. How is the user using the application? How are they trying to access data? Are they trying to increase their permissions? Are they trying to gain root access somewhere? So looking at what's happening in your environment, looking at patterns of usage and identifying things that don't look right is absolutely critical. We had an incident with one of our service provider customers where one of the users of the application was doing strange things, requesting data in different ways, requesting data that isn't normally requested for that type of user. We were able to that in real time, go back to the service provider. And it turns out, yes, that user had their credentials phished, so we had a bad actor inside the system. We never would've known had we not been looking for those patterns. So that ability to assess in real time, that ability to react in real time is more and more critical because you can't assume that the attacks are coming from the outside. They may already be inside having stolen credentials.

Guy Daniels, TelecomTV (27:15):
Well, we must leave it there for now. It's been a fascinating discussion, Bob and Sam, good talking with you both, and thank you for sharing your views and insights with us today.

Sam Visner, Netcracker (27:26):
Guy, it's been a pleasure.

Bob Titus, Netcracker (27:32):
Thank you. Our pleasure.

Please note that video transcripts are provided for reference only – content may vary from the published video or contain inaccuracies.

Bob Titus & Samuel Visner, Netcracker

Cybersecurity has become one of the most critical issues for telecom operators as new AI-driven attack vectors increasingly target core infrastructure, BSS/OSS systems and the wider digital ecosystem. Netcracker identifies the latest threats confronting CSPs, the shortcomings of traditional perimeter-based models and explores why a zero-trust approach is now essential across the full lifecycle of telecom networks.

Featuring:

  • Bob Titus, CTO, Netcracker
  • Samuel Visner, Security Director, Netcracker

Recorded September 2025
