What do telco security teams need from a SIEM?

More than “just SIEM”


At the beginning of 2023, many of the major telecom companies in the United States were hit with a cyber attack that compromised the personal data of millions of customers. A leading telecom provider[1] in the US cited a 13% jump in ransomware attacks in the past year. And in Europe, the latest cybersecurity report from the European Union Agency for Cybersecurity (ENISA)[2] states that telecommunications were the target for 26% of DDoS attacks, a fourfold increase from 2021 due to remote working.

So what has changed in the past couple of years? For the telecom industry in particular, two things stand out: 5G and cloud adoption. These technologies provide the backbone for various mission critical services in public safety, healthcare, and national security in addition to enabling connectivity for millions around the world. With the backdrop of rising geopolitical tensions[3] and the need to protect these services, there is a need for a completely revamped approach to security. And the journey begins with a “modern” SIEM.

Top 4 security considerations when selecting a SIEM solution

1) Flexible deployment models

5G networks are increasingly becoming software-driven, supporting various deployment scenarios — multi-stack public clouds, 5G private networks, and hybrid clouds. Therefore, the SIEM solution teams select should provide similar deployment flexibility. This means it should be vendor agnostic, supporting a broad range of security controls for any underlying technology in the environment. Such an approach can empower telecom companies with holistic visibility across their expansive attack surface.

[Related blog: Elastic announces Elastic Security for Cloud, delivering new posture management and workload protection capabilities]

2) Cloud-native security and beyond

5G cloud native functions (CNFs) bring scale and flexibility to 5G networks, but they simultaneously increase the attack surface area. There are new vulnerabilities at the container level, in container networks, and from the increasing use of commodity hardware in these networks. These complexities are further compounded in a multi-cloud, hybrid environment. Security teams often struggle with such disparate data sets, which prolong query times significantly — especially when they are analyzing the petabyte-scale data typical of telecom environments. A SIEM that can parse massive volumes of data almost instantaneously and leverage automated workflows can significantly accelerate incident investigations and security threat mitigation plans in security operation centers (SOCs).

From an overall security perspective, a SIEM that can unify all the data in a multi-cloud environment is foundational to embedding DevSecOps practices, which are synonymous with cloud-native environments.

[Related blog: Building secure and resilient telco networks]

3) Automated security

The importance of security automation cannot be overstated, and there are several underlying reasons for it. First, the sheer volume of data alone makes it impossible to manually analyze every byte originating from these networks. Second, legacy network infrastructure will continue to coexist with 5G for the foreseeable future. That means SOCs need to correlate and analyze data from very different network elements to detect and respond rapidly. And lastly, 5G CNFs are extremely complex and ephemeral. So, the SIEM should be well supported by automated analytical models that not only simplify the analyst workflow, but also dramatically reduce the mean time to identify, detect, and respond to security threats in the network.

[Related blog: How top global CISOs protect their organizations amid rising threats]

4) Generative AI

With the sheer volume of data telecommunications companies have to keep secure, having a tool that can use large language models (LLMs) to parse through that data and generate relevant results is hugely beneficial. Elastic Security’s latest addition is powered by generative AI — Elastic AI Assistant allows users to interact with Elastic Security on tasks like alert investigation, incident response, and query generation or conversion using natural language. Prebuilt prompts and context from the LLM allow Elastic AI Assistant to tailor the answer to your specific problem.

Elastic AI Assistant can also help streamline migration from a legacy SIEM by taking a user’s query from one product and converting it into an Elastic® query, saving both time and cost. 

[Related blog: Elastic introduces Elastic AI Assistant]

Let’s secure the connected user experience together

Simply put, traditional SIEMs, with their limited data ingestion capabilities, lack the context and real-time situational awareness to prevent threats at scale. A unified monitoring solution that combines SIEM, EDR, and cloud security data can automate protection, streamline investigations, and accelerate threat response time. 

Analytics capabilities must be transparent (not a “trust-me black box”) and adaptable to each user’s unique telecom environment. Elastic Security’s advanced entity analytics is a native component of the platform, and its behavioral detections apply sophisticated machine learning so practitioners can hone analytics for their environment.

We’ve integrated our entity-centric risk scoring into analyst triage, investigation, and escalation workflows and use generative AI to give analysts context and guidance on their security workflows.

With threats becoming increasingly sophisticated and numerous, companies need a security solution that is built for what’s coming, not just what is happening now. Read the 2023 Elastic Global Threat report for trends in malware, endpoint, and cloud security with recommendations for security teams, analysts, and CISOs.

Originally published October 25, 2022; updated January 24, 2024.

The release and timing of any features or functionality described in this post remain at Elastic's sole discretion. Any features or functionality not currently available may not be delivered on time or at all.

In this blog post, we may have used or referred to third party generative AI tools, which are owned and operated by their respective owners. Elastic does not have any control over the third party tools and we have no responsibility or liability for their content, operation or use, nor for any loss or damage that may arise from your use of such tools. Please exercise caution when using AI tools with personal, sensitive or confidential information. Any data you submit may be used for AI training or other purposes. There is no guarantee that information you provide will be kept secure or confidential. You should familiarize yourself with the privacy practices and terms of use of any generative AI tools prior to use.

Elastic, Elasticsearch, ESRE, Elasticsearch Relevance Engine and associated marks are trademarks, logos or registered trademarks of Elasticsearch N.V. in the United States and other countries. All other company and product names are trademarks, logos or registered trademarks of their respective owners.