Including unified communications in your risk considerations before it’s too late

While our children can’t imagine a world without mobile phones and video chats, I bet you remember pushing the buttons on a desk phone. Or maybe even rotary dial phones! Oh how times have changed.

Communication is essential for an organization to thrive. We quickly evolved over the last few decades from stationary phones and devices to the myriad of options we use today collectively dubbed unified communication (UC).

While remarkable for business, the continued and rapid pace of UC advancement also creates opportunities for attackers and challenges for us to secure without slowing down business.

How do we know if we’re doing enough?

To find out, I talked with Kevin Riley (LinkedIn), the Chief Technology Officer and Senior Vice President, Engineering at Sonus.  Kevin drives Sonus’ innovation and development activities, with a particular focus on enabling SDN and NFV Cloud-based architectures of the future. He has more than 20 years of software development and engineering experience and has been instrumental in Sonus’ efforts to drive an industry leading technology roadmap. Prior Sonus, he served as VP of platform engineering and director of Core Software, and has held software development manager positions at Verivue, Sentito Network, Cisco and Telebit.

I loved the candor and direct style of our conversation – and you’ll see it come through in our Q&A below. Kevin has a good grasp of all the challenges we face, and offers some compelling insights on how to think about UC to improve our approaches in the context of everything else we have to focus on, too.

Do the threats to unified communication (UC) signal a problem for security leaders to pay attention to?

Attacks against unified communications (UC) are some of the fastest growing and most misunderstood threats organizations face today. Think about it – more enterprises are adopting IP-based voice, video and instant messaging services. They are coming to the peak of their digital transformation journey. And some of those services, like voice, have never operated over IP before, meaning there is a new IP application that organizations must protect. Beyond that, UC is now a wide-open window in and out of the enterprise supporting voice, video and file transfer. So, it’s not just a matter of protecting what gets onto the network, but what leaves the network as well.

The three main threats against UC security leaders must start paying attention to are denial of service, toll fraud and data exfiltration. Of course, each of these attacks presents its own set of challenges, but a zero-trust security posture dictates that security strategies must address all three. When organizations take control of their security posture and protect UC as vigorously as any other application on their network, they’ll be on the path to a more secure network.  

These threats feel familiar. Are they the same, or has the situation changed a bit?

There are two things that are changing the communications security landscape. The first, as I mentioned, is that more and more organizations are moving to pure IP-based UC. Previously voice communications were transmitted through twisted copper wires, but as soon as you move any application over the internet, your network is now subjected to new threat vectors since attacking over IP is significantly easier than penetrating the legacy copper plant. The second reason is that many organizations don’t want to host their own UC systems anymore. While moving UC to the cloud enables flexibility, convenience and cost savings, it also exposes a new attack surface.

Organizations should also consider the impact of BYOD. We’ve all heard how BYOD has given rise to Shadow IT and other threats, but it also presents a fundamental change to how organizations have historically protected devices. For years, organizations were only concerned with making sure their employees had access to desk landline telephones (i.e. a closed system). Employees never used personal devices for corporate work. Today, the number of devices organizations need to protect are unbounded, expanding across home computers, mobile phones, tablets and more. And from a UC perspective, those applications are being used across all those devices, making the attack surface even larger.

So you’ve explained how UC presents a new and emerging threat to organizations. How are people securing UC today?

For the most part, organizations are using firewalls to protect their network. Now don’t get me wrong, firewalls are great at certain things like deep packet inspection and threat intelligence. But that’s just on the IP data side of things. In UC terms, this equates to payload scanning for signatures.  Unfortunately, firewalls don’t have the awareness or statefullness to protect complex SIP services such as voice and video calls from application layer exploits. In other words, UC applications exceed the IQ of the standard enterprise firewall.

We all know there is no one solution that is going to completely secure the enterprise. But in terms of UC, session border controllers (SBCs) are the firewall for real-time communications. SBCs have inherent security features, such as per-session state awareness, protocol filtering, topology hiding, encryption and service awareness that enables granular enforcement of application usage and dynamic black listing when application abuse is detected. This functionality enables SBCs to protect UC applications from SIP-based attacks in a way that firewalls – and even advanced next-gen firewalls – simply can’t. Beyond that, they also provide intelligent routing, signaling interworking and media services to ensure the quality of UC experiences.

What question do you suggest leaders ask to discover a better way to protect UC?

The most important question that security leaders can ask is, “How would my security posture change if all of my tools and solutions worked together?” When I speak with organizations, I always tell them that their security solutions currently work like a conga line. Each device does exactly what they’re good at, and passes off issues to other devices in the conga line if something arises that they are not equipped to handle. Think about it – once devices start sharing security information with each other, the overall security posture of the entire network strengthens. A simplified way to think about this synergy is through the lens of a neighborhood watch. Once a homeowner informs their neighbor of an attempted break in, the rest of the neighborhood is on higher alert for similar activity from the same burglar. A multi-faceted attack, which is increasingly common, is more effectively mitigated.

The same collaborative approach should be taken when protecting UC. For instance, if an SBC detects potentially anomalous behavior across UC applications it can shut down the questionable session. Once this happens, the information can be shared with other devices, like firewalls, routers or other SBCs, who can be on the lookout for similar anomalous behavior on other applications. By taking a collaborative, east-west communication approach to security – where each device across an enterprise shares information, data and policies – the trust level of communications and the overall security posture of the enterprise is increased. Ultimately, this provides a better way to address today’s increasingly sophisticated and advanced threat landscape.

Are you suggesting security leaders need to start over and try again?

Absolutely not.

New threats – like attacks on UC applications – will continue to emerge and evolve as organizations and networks expand and digitalize. Instead of starting over, security leaders should work to better monetize what is already in their network. By taking stock of solutions that already exist across the network, they can set a plan to better utilize those solutions to ultimately drive more value from what they already have through contextual collaboration.