Defendable Architecture program: Telenor’s Technical Security uplift

In these days of social distancing, access to connectivity provided by telecom operators around the globe, which was already important, has suddenly become a critical part of everyday routines.

Written: Apr 2020

Reading Time: 3 minutes

For many, it is the only way to work or to keep in touch with family and friends, and critical public institutions, such as hospitals and government functions, depend on these services being available 24/7.

But what if the communication infrastructure that we have grown so dependent on were not reliable, not stable, or could not be trusted to be safe to use because of a lack of availability, integrity, or confidentiality? Life would be very different indeed. As the digital world evolves and moves further into cyberspace, there are, as always, individuals and groups that see this as an opportunity for crime or other illicit activities.

This is the first in a series of three articles about defendable architecture, written by Erik Kvarvåg, Chief IT/NFVi Infrastructure & Security Architect at Telenor and colleagues.

According to the IBM X-Force 2020 report, over 8.5 billion records were compromised in 2019, more than double the 2018 figure. Ransomware was up 67% in Q4 of 2019 year on year. This happens across a multitude of industries, ranging from government to healthcare, manufacturing, and telecom.

For Telenor, the threat actor situation is no different from that of the other sectors mentioned in the report. Telenor’s critical infrastructure, for both IT support systems and the mobile network, in business units across Telenor’s nine markets is under constant attack from the same threat actors mentioned in IBM’s report – and the number of attacks is increasing. In 2017, Telenor decided to establish a global program to strengthen the security posture and capabilities of the different business units, so that they are able to detect, resist and, if required, evict threat actors attacking our networks.

The initiative was a targeted approach to achieving this goal, using an established concept called “business driven defendable architecture”. In short, this concept uses a targeted and more focused approach to achieve better results with fewer resources. Trying to close every gap and solve every problem in the security posture would be costly and would have a low probability of solving the actual challenges. The main pillars of a business driven approach to security are as follows:

  • Identify where the main assets (the “crown jewels”) and business opportunities are
  • Build the defense strategy tailored to those particular assets and business opportunities
  • Determine the gaps between the AS-IS security posture and the target, and close those gaps

Defendable Architecture, as first introduced by Scott C. Fitch and Michael Muckin at the Lockheed Martin Corporation, applies threat intelligence during the design, build, run and defend phases of the infrastructure lifecycle and its management. Combining the targeted approach with threat-intelligence-driven design gives security controls and functions specifically tailored to the assets and to the adversaries attacking them.

With the establishment of the program, the different business units identified which assets were critical for their operations and mapped them according to the business impact of a breach. A core team of experts from Telenor’s Global Business Security and IT Architecture team prepared the strategies and implementation plans to be applied to those critical assets and the surrounding infrastructure.

The implementation plan consisted of several delivery packages:

  1. Technical security uplift: Closing the technical security gaps in IT operations by adopting best practices such as NIST and implementing the security controls they describe
  2. Secure infrastructure operations: Actively managing and controlling all hardware and software to prevent unauthorized access to critical systems:
    1. Security monitoring: Ensuring sufficient visibility for both the local and the global SOC/CERT services
    2. Secure infrastructure: Building a secure infrastructure (data center) to support defendable operation of critical systems
  3. Secure IT infrastructure services: Deploying the services needed in the secure infrastructure for full functionality, such as DNS, remote access, etc.
    1. Secure EUC: Building a tiered Active Directory according to industry best practices, with secure clients for access to critical systems
    2. Migration: Secure and controlled migration of critical systems from the current infrastructure into the secure infrastructure, where applicable

After the core team completed the implementation plan, the delivery packages were handed over to the business units. Local operations and security units started planning and execution immediately afterwards.

Starting from 2018, as a result of this work, the security posture improved significantly in several business units, with the number of security vulnerabilities and incidents dropping significantly.

The following articles in this series will go into the depth of the individual pillars of defendable architecture: how to design, build, run and defend an organisation’s infrastructure with the methodology used, the concepts of threat intelligence, threat modelling and risk assessment, and how to apply these to arrive at the “right” level of targeted security controls.

Interested in more? Read the second article in this series about defendable architecture: Security Architecture Design Phase