Maintaining peak practice
As shopping activity surges at this time of year, what is the impact on carrier security? Gareth Willmer looks at the issues
It’s that time of year again, when shopping goes into overdrive. The rise of online activity for events such as Black Friday and Cyber Monday, followed by the Christmas period, creates a massive surge in internet traffic in some countries.
The figures suggest that online sales in the US alone topped $5 billion this Black Friday (24 November), and e-commerce giant Alibaba reported sales of $25 billion during China’s Singles’ Day on 11 November.
It may seem that such surges, during which fears of cyber attacks on shoppers and retailers can rise and telecoms infrastructure might already be under stress, would logically pose a heightened threat to the security of carriers and their networks too – especially given the rise in distributed denial-of-service (DDoS) attacks alongside the growth in the internet of things (IoT). But how much of an impact do such days really have on carriers’ security?
Telecoms carriers tend to say their networks are already built to cope with surges in traffic throughout the rest of the year for events such as big sporting occasions and new product launches, meaning they are well-placed to deal with security demands no matter what day it is. And the wide-scale, often global reach of major players aids insight into traffic.
Chris Richter, VP of global security services at CenturyLink, says there is sometimes an uptick in cyber attacks during events such as Black Friday and Cyber Monday – though there is not necessarily a direct, verifiable correlation between increased traffic and attack attempts.
“We do sometimes see a spike in that kind of activity around the holiday season,” says Richter. He explains, for example, that the heaviest recent DDoS activity in the last couple of years has been on 26 December, when many people both shop in online sales and start up their new gaming devices after Christmas.
Richter says CenturyLink’s network is, however, already well-prepared, without having to make special plans for these particular events. This is because it is set up to deal with heightened traffic and large volumes of attacks, mitigating between 100 and 120 DDoS attacks every day. “We’re an organisation that handles more than 1.3 billion security events every single day and we’re also monitoring and reporting on over 3 million computer systems every day across our customer base,” Richter adds. “We have to be at a heightened state 24/7.”
So Richter claims that while such events pose a heightened threat to many retailers, which need to make adjustments to cope with seasonal spikes, CenturyLink itself does not necessarily see any greater threat to its network or services.
In addition, if the US carrier’s threat intelligence platforms detect suspicious activity and predictors of attack that threaten customers, it can help customers prepare in advance for these. The company has, meanwhile, been stepping up the application of machine learning for attack prediction, and has a large network of scrubbing centres and products such as its Adaptive Threat Intelligence service for enterprises and wholesale customers that offers global threat analytics to identify attack patterns.
AT&T reiterates this ethos of vigilance throughout the year in its own practices. The company applies the same rigour with threat detection and pre-emption efforts on these high-volume shopping days as on any other day, says Brian Rexroad, VP of security platforms at AT&T. “There are significantly large numbers of important transactions every day of the year that also deserve a high level of attention.”
Rexroad acknowledges that there is some increase in transactions during events such as Black Friday and Cyber Monday, but says this is not particularly notable given the overall capacity of the network, with an average of 186 petabytes of data crossing AT&T’s network each day.
“There is no increase to security threats during the surges,” he explains. “There is some increased probability that attackers might attempt to disrupt transactions to attract attention, but this scenario is generally rare.”
Nonetheless, he claims AT&T does increase its level of attention to any security events that might impact commerce transactions, and is sensitive to any perceived changes in network traffic during the holiday season.Rexroad says the company’s DDoS mitigation capabilities allow attack traffic to be filtered and scrubbed in an automated fashion, without customers having to deploy or manage any infrastructure.
At BT, meanwhile, Steve Benton, GM of cyber and physical security operations, says the company has well-practised and prepared “playbooks” to deal with any issues with traffic peaks throughout the year – and that peaks during major shopping events are not out of line with those that BT sees across the year.
“We are scaled to be able to cope and flex with that,” he says, with other surges around sporting events and things such as new iPhone launches. And he points out that commercial entities also seem to have started spreading their offers more across the year to help minimise potential issues.
Across security as a whole, BT is seeking to take an ever-more in-depth view. “We are very much shifting towards a big data approach to security, so we are using our cyber security platform, which is a modular big data architecture that draws in lots of information from across our enterprise, enriches it, correlates it, and allows us to find those interesting things that need to be looked at more deeply,” says Benton.
Although major carriers believe they are already well equipped from
their past experience to deal with surges during big shopping events, they also think retailers themselves need to be on the alert for issues.
From its previous research, Verizon says it has not witnessed significant spikes in cyber activity around the retail space during these peak times – “but obviously more shoppers purchasing online or in store increases the number of opportunities that may be presented to cyber criminals”, says Laurance Dine, managing principal for investigative response at Verizon.
The company therefore has recommend-ations for retailers to protect against breaches – although highlighting that these apply at all times rather than just in the holiday season.
These include vigilance about evidence of device tampering, using the latest methods to encrypt data, and ensuring robust policies for processing customers’ payment cards. Verizon helps cust
omers put these into practice through professional services consultants and security teams.
Verizon, meanwhile, plans to continue evolving its security offering in 2018 to make it even more embedded in its platform – offering more end-to-end managed security infrastructure for the network, developers and applications.
“In today’s threat landscape, it’s all about global scale – but openness and informa
tion sharing to combat the bad guy, both online and in the real world, will also become the norm,” adds Dine.
Like other carriers, though, he stresses that “we see the ongoing security of our network as a crucial component every day of the year. Security isn’t a one-off activity; it is an ongoing process.”
A number of industry observers also say that carriers are well accustomed to dealing with surges aside from those on these peak shopping days. “There are many other events that create increased traffic that carriers are used to handling,” says Mike Sapien, VP and chief analyst for enterprise services in the US at Ovum. “There may be some slight increase in threats due to the volume, but I don’t believe it is directly proportional.”
Vitaly Mzokov, solution business lead at cybersecurity company Kaspersky Lab, says, however, that although Kaspersky has no evidence of, for example, more DDoS attacks on these specific days, major surges in traffic can pose a threat to telcos.
He adds that cyber incidents during events like Black Friday have demon-strated “that telecoms providers are still in the process of reviewing their own concepts of providing both reliable and secure infrastructures for enterprise-level customers”.
On the other hand, says Mzokov, Kaspersky’s detection data on financial malware and financial phishing has recently showed no major variation between the number of attacks on Black Friday, Cyber Monday and Singles’ Day compared with the rest of the year.
Meanwhile, Steve Wallage, managing director of BroadGroup Consulting, says that from a data centre perspective, heightened traffic has the potential to cause a headache for data centres, where he says server utilisation is often at a level of about 10% – so there may be some concern if this peaks. However, historically the main concern has been performance and the risk of outages rather than cyberattacks, he says.
Ultimately, one key message seems to be that carriers need to remain proactive to stay ahead of the game. This type of approach can be summed up with the way that AT&T is moving in this area.
“To continue to pre-empt attacks, we are accelerating our own pace of innov-ation, aggressively implementing automation to minimise threat exposure, and advancing managed security service offerings to help customers protect themselves from threats,” says Rexroad.