
Sandvine Cyber Threat Analysis & Management

©2021 Sandvine CONFIDENTIAL


Cyber Security Threat surface is expanding

#1: Most targeted vertical is the telecommunication operator
246%: Increase in targeting of satellite operators
7.7M: IoT devices are connected to the internet every day
150%: Increase in targeting of wireless operators
20:1: Estimated ratio of IoT devices behind a firewall versus directly connected to the internet
5 DAYS: From new attack vector discovery to weaponization

Operators are being increasingly attacked



Impact of Cyber Activities

Increasingly sophisticated cyber activities have far-reaching implications on network infrastructure,
services, customer experience, and brand reputation.



Challenges for the Network Operators

As they provide the backbone of content delivery, operators are prime targets for cyber attacks
• Lack of visibility into unknown threats and threats coming from their own subscribers
• Limitations of most firewalls/IDS/IPS, which are not context aware around subscribers, devices and locations
• Ransomware attacks are surging, with the below-the-surface cost far greater than the above-the-surface cost
• IoT devices introduce security challenges, with a low level of protection and infrequent updates

Determining the origins of malicious activities and understanding the pattern of those activities
• Who is attacking the subscribers? What is the IP address? Where are the attacks coming from? Which ISPs
are hosting them? Which subscribers are impacted?

Securing the network perimeter is not enough



Protecting the network starts with subscribers

Most users do not keep apps and OS up to date
• Platforms like iOS and Android are constantly found with new vulnerabilities.

Apps downloaded from insecure stores
• One of the major reasons for getting compromised and weaponized for attacks and spreading viruses and malware to
other users

Malware operating in stealth mode
• Actively protects itself from detection and removal by client-based anti-malware software

Multiplicity of connection types on the devices
• Public Wi-Fi hotspots, USBs, laptops and other devices through Bluetooth, increasing exposure to threats

[Diagram: subscribers becoming an army of infected user devices, used by criminals to conduct malicious activities.
A botnet of thousands of compromised devices is run by a bot-herder/owner and traded on the online black market;
spammers use it for spam runs, phishers for phishing attacks, attackers to spam and host malware to lure more nodes,
and it feeds click fraud and identity theft.]



Attack surfaces in fixed network

[Diagram: fixed-network topology. Subscriber side: infected smartphone, infected laptop, PC, tablet and mobile phone
behind a wireless router and a DSL / fibre optic / cable router; operator side: access router, core network, firewall
and publicly addressed network router facing the internet, where the threat actor sits.
Labels: East-West attack surface is BIG; North-South attack surface is BIG.]

• Sources of attacks are more numerous and more varied
• Number and types of devices are not controlled



Attack surfaces in mobile network – 4G

[Diagram: 4G topology. Radio network: infected smartphone and malicious/compromised device attached to the eNodeB.
Core network (EPC): MME (S1-MME, S11), PCRF (Gx), SPGW/PCEF (S1-u), then FW/CGNAT towards the service side, where
the target and the botnet/malware C&C sit.
Labels: "East-West: firewalls cannot help here", "North-South", "Attack surface is BIG", "Attack surface is SMALL",
"The assumed culprit".]

• Defense is built around the perimeter to stop incoming attacks from the internet
• A malicious or compromised device or an infected smartphone can impact more end-user devices
without going out of the perimeter
• Complete traffic visibility in both directions is critical to cover the complete attack surface



Attack surfaces in mobile network – 5G SA

[Diagram: 5G SA topology. Infected smartphone and malicious/compromised device attached to the NR; P5G SBA core
with AMF, SMF and PCF (N2, N4) and UPF (N3, N6), then FW/CGNAT towards the service side, where the target and the
botnet/malware C&C sit.
Labels: "East-West: firewalls cannot help here", "North-South", "Attack surface is BIG", "Attack surface is SMALL",
"The assumed culprit".]

• Defense is built around the perimeter to stop incoming attacks from the internet
• A malicious or compromised device or an infected smartphone can impact more end-user devices
without going out of the perimeter
• Complete traffic visibility in both directions is critical to cover the complete attack surface



Sandvine Cyber Threat Analysis and Management



Sandvine’s ANI Cyber Threat Analysis and Management

Value Proposition: Sandvine’s Security offers CSPs a network-based solution for real-time threat detection, classification and mitigation that protects
subscribers’ QoE from cyber threats and malicious traffic using full subscriber contextual awareness and rich up-to-date cyber threat information.

Cyber Threat Analysis
Complete threat visibility with full subscriber contextual awareness.
Provides CSPs granular metadata, threat classification and detailed statistics, malware, phishing and malicious
sites using threat intelligence databases.

Cyber Threat Management
Flexible deployment and a variety of actions on known and unknown threats.
Builds on Cyber Threat Analysis capabilities to enable CSPs real-time mitigation policies on identified threats to protect
subscribers from network threats and malicious traffic.

Capabilities
• Subscriber Insights
• Threat Detection
• Threat Classification
• Real Time Threat Visualization
• Filtering Capabilities
• SIEM integration over Kafka
• Traffic Mirroring for Analysis
• GeoLogic Cyber Threat Intelligence Database

Networks: Mobile, Fixed, Cable, Satellite



Crowdstrike and Sandvine

Cyber Threat Intelligence
Built from Crowdstrike visibility on:
• Tens of Millions of Endpoints
• 180+ Countries
• 4+ Trillion Events per week
• 3.4+ Billion Malware Samples
• 1.2+ Million Malware Collected Daily
• Unencrypted Attack Telemetry Data
• Updates Every Hour

Recognized leader and innovator
• At the top of the Gartner quadrant
• High quality, high value IOC data
• Fresh, accurate and up-to-date
• Matching of flows against multiple criteria
• > 40 different threat types detected
• Rich set of Metadata

Combining the best from two market leaders



Security Solution Overview
Cyber Threat Analysis and Management Use Cases

Threat Detection & Classification Capabilities

Real-time matching of flows
• Server Hostname
• IP Addresses
• Ports
• Protocol ID
• Subnets
• URL
• Geo Location

> 40 Threat types detected
• Botnet participation
• Botnet C&C Communication
• Crypto Currency Theft
• Malware Activity
• Attack Activity
• Phishing activity
• Fraud activity
• Ransomware
• Adware
• etc.

Rich metadata classification
• Malware name
• Malware family
• Malicious confidence
• MITRE and Kill Chain
• Target industries
• Threat actors
• Domain type
• IP address type
• Activity cluster

Geo Location
• Geo-IP location properties for each flow
• Identifies server location, including country, region, city and owner of the IP address
• Creates reports for locations where most threats are coming from

Detection of more than 40 threat types with millions of entries in the cyber threat intelligence database
Categorization and grouping capabilities for better visibility into the phases of an adversary attack lifecycle



Offering & Value Proposition
Visibility on the Cyber Attack Life Cycle and opportunity for CSPs

Cyber Attack Life Cycle
• Reconnaissance: information gathering, fingerprinting, finding vulnerabilities
• Weaponized & Delivery: create the attack and deliver the weaponized payload to the victim(s)
• Exploitation: detonation of the attack; the malicious software gets executed by the victims’ systems
• Installation and C&C: code “phones home” to its command & control for further instructions and updates
• Actions on Objectives: execute actions on the victim’s network to achieve the objectives/goals

Sandvine’s Security allows CSPs to
• Identify infections earlier, allowing operators to proactively intervene before major problems appear
• Define the correct mitigation strategy and select the most surgical policies
• Gain visibility on actions preceding the attacks,
• what happened in the network during the attack,
• where the attacks are coming from, and
• how policy changes were able to mitigate the impact on the attack traffic.
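Added example (Python, not Sandvine code): a minimal network-based flow matcher of the kind the Threat Detection & Classification slide describes, enriching each hit with the metadata fields listed there, the attack life cycle phase named on this slide, and the East-West / North-South distinction from the mobile attack-surface slides. The IOC table, the threat-type-to-phase mapping, the subscriber address pool and the sample flows are all constructed assumptions for the example.

```python
import ipaddress

# Constructed IOC table (illustrative values, not real indicators) carrying the
# metadata the deck lists: threat type, malware family, malicious confidence.
IOC_TABLE = [
    {"kind": "hostname", "value": "update-check.invalid",
     "threat": "Botnet C&C Communication", "family": "ExampleBot", "confidence": 90},
    {"kind": "subnet", "value": "203.0.113.0/24",
     "threat": "Phishing activity", "family": "ExamplePhish", "confidence": 70},
    {"kind": "ip_port", "value": "198.51.100.7:4444",
     "threat": "Malware Activity", "family": "ExampleRAT", "confidence": 80},
]
# Assumed mapping from threat type to the attack life cycle phase named in the deck.
KILL_CHAIN = {"Phishing activity": "Weaponized & Delivery",
              "Malware Activity": "Exploitation",
              "Botnet C&C Communication": "Installation and C&C"}
# Assumed subscriber pool (constructed): a flow with both ends inside it is
# East-West and never crosses the perimeter firewall.
SUBSCRIBER_POOL = ipaddress.ip_network("10.0.0.0/8")

def is_subscriber(ip):
    return ipaddress.ip_address(ip) in SUBSCRIBER_POOL

def match_flow(flow):
    # Classify one flow record against IOC_TABLE; return None when clean.
    for ioc in IOC_TABLE:
        if ioc["kind"] == "hostname":
            hit = flow.get("server_hostname") == ioc["value"]
        elif ioc["kind"] == "subnet":
            hit = ipaddress.ip_address(flow["dst_ip"]) in ipaddress.ip_network(ioc["value"])
        else:  # "ip_port": exact destination socket
            hit = f"{flow['dst_ip']}:{flow['dst_port']}" == ioc["value"]
        if hit:
            east_west = is_subscriber(flow["src_ip"]) and is_subscriber(flow["dst_ip"])
            return {"subscriber": flow["src_ip"], "threat": ioc["threat"],
                    "family": ioc["family"], "confidence": ioc["confidence"],
                    "phase": KILL_CHAIN.get(ioc["threat"], "Unknown"),
                    "direction": "East-West" if east_west else "North-South"}
    return None

# Constructed flows from one infected subscriber: a C&C check-in to the internet,
# a subscriber-to-subscriber flow to a peer relaying the C&C hostname, a clean flow.
SAMPLE_FLOWS = [
    {"src_ip": "10.1.2.3", "dst_ip": "198.51.100.7", "dst_port": 4444, "server_hostname": None},
    {"src_ip": "10.1.2.3", "dst_ip": "10.9.9.9", "dst_port": 443, "server_hostname": "update-check.invalid"},
    {"src_ip": "10.1.2.3", "dst_ip": "192.0.2.10", "dst_port": 443, "server_hostname": "example.com"},
]

def classify_all(flows=SAMPLE_FLOWS):
    return [m for m in map(match_flow, flows) if m is not None]
```

The second sample flow is the case the perimeter-only model misses: both endpoints are subscribers, so the flow never reaches the firewall, yet the hostname match still classifies it.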



Security Solution Overview
Use Cases Dashboards

Overview Dashboard
• Shows a worldwide map view of where threats are originating,
including a table sorted by the highest number of threats.
• Allows for the selection of specific threat categories, devices,
and locations using global filters.

Trends Dashboard
• Provides details on threat types and a trend view of the threats
over time.
• Stats on Mitigated Threats [with Cyber Threat Management]

Subscriber Dashboard (24.10)


• Provides detailed threat information on individual subscribers
and views on the trends over time.

Updated every five minutes and shows the last rolling hour
of data. Users may select a different time period.



Benefits of the ANI Portfolio

[Diagram: distributed ANI architecture. Labels: PCRF (Sd / Gx, Gy, Gx), Maestro, Insights, Statistics, RAN, Cable,
WiFi, ActiveLogic, P-GW / Access Router.]

Distributed Architecture Model
• Scale and performance at the data plane layer without a traffic steering (TSE) layer

Simplified Control Plane Layer
• Replaces the SPB and SDE for subscriber mapping with Maestro

Data Layer
• Highly scalable and granular data storage at subscriber and application levels

Visualization Layer
• Powerful and more visual reporting through ANI Portal and Deep Insights



Cyber Threat Analysis and Management
Unique Value Proposition

Sandvine plays its due role in an ecosystem of security solution providers which will work in a
coordinated manner to thwart security threats on network operators’ networks

Contextual Awareness
Complete understanding of subscriber context, device manufacturer, model and OS, location, L7 application context

Rich Databases
Databases that provide up-to-date and actionable intelligence exhibiting malicious activities like malware
distribution and botnet C&C server communication

Multi-Purpose Platform
A single platform with multiple solutions offers a multi-headed value proposition

Network Based Detection
No dependency on client or gateway devices, software or operating systems

Multiple unique features to create a strong cyber threat analysis & management solution



Sandvine Can Help

Sandvine’s Cyber Threat Analysis and Management

• Protects subscribers from a range of network threats and malicious traffic that can
compromise equipment and data
• Minimizes such impact, resulting in CAPEX / OPEX reduction and improved overall customer
experience
• Protects and elevates the value from existing security investment
• Preserves brand reputation



Thank you

Copyright ©2021 Sandvine Corporation. All rights reserved. Any unauthorized reproduction prohibited. All other trademarks are the property of their respective owners.

This documentation, including all documentation incorporated by reference herein such as documentation provided or made available on the Sandvine website, are
provided or made accessible "AS IS" and "AS AVAILABLE" and without condition, endorsement, guarantee, representation, or warranty of any kind by Sandvine
Corporation and its affiliated companies ("Sandvine"), and Sandvine assumes no responsibility for any typographical, technical, or other inaccuracies, errors, or omissions
in this documentation. In order to protect Sandvine CONFIDENTIAL and confidential information and/or trade secrets, this documentation may describe some aspects of
Sandvine technology in generalized terms. Sandvine reserves the right to periodically change information that is contained in this documentation; however, Sandvine
makes no commitment to provide any such changes, updates, enhancements, or other additions to this documentation to you in a timely manner or at all.
