Without continual growth and progress, such words as improvement, achievement, and success have no meaning.
As most of my readers know, I began this blog writing about the specifics of the Session Initiation Protocol (SIP). In fact, for the longest time I called this site SIP Adventures and filled these pages with scores of articles about SIP headers, call flows, RFC extensions, and the many protocols that work alongside SIP. While I enjoyed sitting down with Wireshark traces and sharing what I saw, I came to a point where I felt I had said it all and branched off into many of my other interests — Artificial Intelligence, the Internet of Things, Cloud Communications, and most recently, developing microservices on AWS, Azure, and Google platforms.
However, one SIP thing I’ve never tired of writing about is security. Perhaps that’s because security is a constantly evolving subject where the so-called best practices change on a regular basis. It also doesn’t hurt that in my spare time I act as an unpaid technical advisor to Assertion and remain very close to the subject. Assertion is a cyber security company that specializes in securing an enterprise’s communications infrastructure. Specifically, they look at the Session Border Controller (SBC) as the cornerstone of SIP security and have developed tools that scan an SBC’s configuration, setup, and logs to find and report security issues.
For the most part, these SBC scans are concerned with problems that have occurred or are waiting to occur. And while a log can tell you that something is happening right now, the timing of that analysis is crucial. The response time of a human being after seeing a logged security issue will ultimately decide if a hack is thwarted or allowed to continue.
That’s not to say that SBC scans are worthless. Regularly scanning an SBC is essential to preventing and minimizing the damage of a voice attack. Not scanning is akin to turning off the virus checker on your PC and hoping for the best.
The Best Defense Occurs in Real-Time
SBC Guard© builds upon everything Assertion has learned from the tens of thousands of SBC scans they’ve performed over the last several years and turns historical processing into real-time protection. SBC Guard still considers the SBC the center of the SIP universe, but rather than concerning itself with logs and configuration items, it works directly with SIP messages. This allows it to make go/no-go decisions about every SIP session when it matters most – as the session is being established and as it is progressing.
Here is an easy-to-grasp diagram of where SBC Guard fits within an enterprise’s existing voice network. Take note of the Defender module.
By working directly with an SBC, Defender sees every SIP message before the enterprise’s call server does. Using real-time AI along with Assertion’s years of call processing experience, messages are analyzed individually as well as holistically with previous SIP traffic to make Block/Allow decisions. This prevents everything from denial-of-service attacks to voice spam from hitting the Avaya/Cisco/Microsoft/whatever platform.
Additionally, Defender can process these messages at rates exceeding 500 sessions per second with a response time of less than 10ms. This allows SIP traffic to come into the enterprise without any significant delay.
Lastly, Defender is only concerned with SIP signaling and is never in the media path. This eliminates any annoying voice delays or distortion. It’s the SIP interpretation of the Hippocratic Oath — “Do no harm.”
Technology architectures are interesting, but in the end, folks want to know “what does this thing do for me?” Here is a short list of the attacks that SBC Guard protects against.
- Toll Fraud
- Traffic Pumping
- Voice Phishing
- TDoS Attacks
- OFAC Violations
Any one of these attacks can do significant damage (money, business disruption, angry customers, etc.) to an enterprise, but collectively they can bring a voice platform and its users to their knees.
One of the most exciting aspects of SBC Guard is that it learns over time. Not only does it become smarter by protecting a particular enterprise, it also crowdsources from all the enterprises it works with to better understand the current nature of voice attack vectors. Best of all, it does this in real-time. For instance, a robocall attack on one enterprise will immediately be identified on the next enterprise. It’s a little like the United States’ motto, “e pluribus unum.”
If you are like me, you wonder about things. I wondered “how does SBC Guard implement call screening?” In other words, how does it decide if a call is good or a call is bad? Well, it’s a combination of a lot of factors. These include:
- Calling number / number groups
- STIR/SHAKEN header
- Who drops the call
- Time of day / Time of week
- Call duration
- Calling frequency
- Calling multiple numbers of the same enterprise
- Calling multiple enterprises at the same time (this is an example of crowd sourcing)
- Third-party databases of known bad actors
By combining all these techniques in a methodical, holistic manner, SBC Guard can be sure of why one caller must be blocked and another allowed.
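To make the idea of combining factors concrete, here is an added sketch (not Assertion's code or algorithm) that scores an inbound INVITE on three of the factors listed above: the STIR/SHAKEN attestation carried in the Identity header, calling frequency, and calling multiple numbers of the same enterprise. The weights, thresholds, function names, and sample INVITEs are all assumptions made for illustration, and the PASSporT signature is parsed but not verified.

```python
import base64, json, re
from collections import defaultdict, deque

# Thresholds and weights are assumed values for illustration.
WINDOW_S, MAX_CALLS, MAX_CALLEES, BLOCK_AT = 60, 5, 3, 5
WEIGHTS = {"no_identity": 2, "attest_B": 1, "attest_C": 2, "burst": 3, "fanout": 3}

def attestation(invite):
    """SHAKEN attestation (A/B/C) from the Identity PASSporT; signature NOT verified."""
    m = re.search(r"^Identity:\s*[\w-]+\.([\w-]+)\.", invite, re.M | re.I)
    body = m.group(1) if m else ""
    try:
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    except ValueError:  # missing header, bad base64, bad UTF-8 or bad JSON
        return None
    level = claims.get("attest") if isinstance(claims, dict) else None
    return level if level in ("A", "B", "C") else None

def user(invite, header):
    m = re.search(rf"^{header}:.*?sips?:([^@;>]+)@", invite, re.M | re.I)
    return m.group(1) if m else None

class Screener:
    def __init__(self):
        self.history = defaultdict(deque)  # caller -> (timestamp, callee) pairs

    def screen(self, invite, now):
        caller, callee = user(invite, "From"), user(invite, "To")
        calls = self.history[caller]
        calls.append((now, callee))
        while calls[0][0] <= now - WINDOW_S:  # drop calls outside the window
            calls.popleft()
        level = attestation(invite)
        reasons = ["no_identity"] if level is None else [f"attest_{level}"] * (level != "A")
        if len(calls) > MAX_CALLS:
            reasons.append("burst")    # calling frequency
        if len({c for _, c in calls}) > MAX_CALLEES:
            reasons.append("fanout")   # many numbers of the same enterprise
        score = sum(WEIGHTS[r] for r in reasons)
        return ("Block" if score >= BLOCK_AT else "Allow"), reasons

def sample_invite(caller, callee, attest=None):
    """Constructed INVITE for the demo; the PASSporT signature is a dummy."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    msg = [f"INVITE sip:{callee}@pbx.example SIP/2.0",
           f"From: <sip:{caller}@carrier.example>;tag=1", f"To: <sip:{callee}@pbx.example>"]
    if attest:
        jwt = ".".join([enc({"alg": "ES256", "ppt": "shaken"}), enc({"attest": attest}), "c2ln"])
        msg.append(f"Identity: {jwt};info=<https://cert.example/c.pem>;alg=ES256;ppt=shaken")
    return "\r\n".join(msg) + "\r\n\r\n"
```

No single signal blocks a call in this sketch: an unsigned caller is allowed until it also fans out across more than three extensions inside the window, and the returned reasons list records why each decision was made.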
No SBC on earth can do all this. While some may do one of the above (e.g. STIR/SHAKEN), there isn’t a single SBC that will do all call screening methods at once for a comprehensive security assessment. To add salt to the wound, most enterprises haven’t even turned on the SBC screening features that are supported. Thankfully, SBC Guard automatically utilizes every method out-of-the-box.
Outbound is Just as Essential, Too
Protecting a company from malicious inbound calls is important, but so is ensuring that its outbound calls are not blocked or marked as spam. SBC Guard does this by constantly monitoring the reputation of an organization’s call traffic and works with the third-party call blockers to ensure that an enterprise’s numbers don’t wind up in blocked or spam lists. No company wants to call their customers and have those calls show up as “spam risk” on their customers’ telephones. I can assure you that I will not answer anything malicious-looking and expect that others feel the same.
I get bored easily, and for better or worse, I find learning new ways to secure digital communications to be a never-ending thrill. The bad actors are out there, and they aren’t about to stop looking for ways to carry out their nefarious deeds. It’s up to the good actors to stop them before they are able to do any harm. Assertion and SBC Guard are among the latter.
To learn more about Assertion and SBC Guard, check out their website here.