At the end of May 2021 ROCCO Research’s Jason Bryan spoke with CSO of AdaptiveMobile Security Simeon Coney about their recent success in ROCCO’s SMS Firewall vendor benchmarking research, about SMS attacks in 2020 and AdaptiveMobile Security’s plans for 2021.

Jason: Simeon, thank you for joining me, it’s great to meet you. First of all, what’s your role in in AdaptiveMobile Security?

Simeon: I’m the head of our messaging business strategy. I’ve worn many hats, and am now looking after our messaging business & strategy. I’m responsible for evangelising our solution with partners and customers, doing a lot of work with industry groups, sharing our expertise and insights. Always looking for the next new area, what else can we do? How can we be better at what we do?

Jason: Right. Good point! So Simeon, what inspired you to get into the telecom space?

Simeon: It was for entirely selfish reasons. I was coming out of University, having done a degree in Computer Engineering.  I didn’t enjoy programming, and knew I wanted to travel, which I hoped Telecoms would enable. And I’ve got to say, I’ve been pretty successful in that, you can’t be in this job and not travel!

I started back in 1990, just at the start of telecoms deregulation across Europe. So, I really rode that whole wave of building out second, third, fourth operators, right across Europe, ended up building networks spanning the globe. I really haven’t looked back at all. I’ve worked selling equipment and solutions suppliers, as well as on the other side, working within operators creating networks and building operational teams.

In terms of getting into AdaptiveMobile Security, at the time, I was actually doing a security start-up creating the world’s first Unified Threat Management Platform. From that, with some friends from the industry, we were looking at the 3G licence auctions thinking, there’s a lot of investment going into 3G here, yet who’s really thinking about securing all of this. We knew how standards were focussing on connection security, checking network legitimacy for users, and its subscriber legitimacy for networks, yet nobody was really thinking about the transaction itself.

We took this concept of providing a single node that would deliver multiple security functions at scale. We also had a background in enterprise security, and knew a typical enterprise solution could at that time size for a maximum of maybe 20,000 people, yet a typical telco could be 200 million. So in a completely different set of scale challenges, different operational management techniques and new security insights, created an opportunity to be first to market with scalable solutions, all in context of all the different bespoke protocols that Telco’s had across their networks.

From that we founded AdaptiveMobile Security, which was this concept of a network protection platform that could sit in the heart of operators’ networks complementing all the infrastructure spanning across different vendors, different infrastructure types and services, delivering consistent protection. And frankly, that’s been the mantra ever since, it’s stood us in great stead. I do remember early customer meetings, holding up an old Nokia phone and saying at some point we’ll be doing more than voice calls on these. And I think I managed to get that one pretty right!

Jason: The landscape for security has changed vastly of course. I picked up on some figures on Wikipedia recently about cybersecurity and they indicated the companies who had had serious cyber-attacks. A lot of them were telecoms companies, to the effect that potentially, there was even half a billion subscribers who had had some kind of impact from cyber security. It was absolutely astounding for me, that there wasn’t, you know, more attention given to this space. I guess that’s something you guys work with all the time?

Simeon: Yeah, it’s an interesting one. I mean, certainly, my observations are that much of the attention has been focussed on the enterprise security opportunities, given the addressable market size of buyers. So in selling enterprise security, you’ve got  several million businesses you can sell to, you’ve got 10s of 1000s of large enterprises, you got hundreds of 1000s of mid-size ones and millions of  small businesses. There is a whole ecosystem serving this broad enterprise market within the analyst community, who can talk about not just internet firewalls, IDS, IPS, UTM, and the whole spectrum of capabilities, generating a lot of attention. Understandably this is also fuelled by the very large supportive ecosystem of suppliers and distributors. Whereas on the telecom side, there’s always been a relatively limited number of infrastructure suppliers and with roughly 900 carriers out there, a limited number of geographically dispersed buyers – which makes it harder to assess the attacks, have visible discussions and build the attention.

The barrier to entry for new solutions is also a lot higher in Telecoms. For enterprise security solutions it is relatively easy to start off selling to enterprises by starting small; build something, get first customer adoption and then expand. Whereas, selling into telcos, you’re putting something in that is integrating with their critical services. If it goes wrong, it’s going to affect customers, and has an implication to company reputation. So, there is most definitely a higher barrier to entry.

I would say those are the characteristics why the visibility of the markets has not been to that same extent. Another big factor is up until roughly four or five years ago, most people were very unaware of what mobile network attacks really were. Now many people are aware what robo calls are, and might have seen an occasional spam – especially with the increase in Flubot generated messages across Asia, Europe, and moving to the Americas.

That’s partly down to the attacks, and most definitely down to the pervasiveness of mobiles. I mean, you find someone who has got a mobile device, that’s using it not just for communication, but it’s used for some part of their daily life, whether it be their business, whether it be for personal use, all of those services, that creates such a compelling target for attackers. It’s this sort of intrinsic embedded nature of mobile infrastructure in our daily lives, which has most definitely given rise to this wave of focus on cybercrime, and continued innovation of that.

The rise in cybercrime has most definitely created more public visibility. It’s not unusual now on mainstream media to see this as a front-page story.

We’re going to start seeing so many more, with all the new interfaces with 5G, with the trend of moving to more centrally IP orientated infrastructures rather than closed protocols. It’s clearly creating, bigger attack surfaces.

Jason: Yeah, absolutely. It’s very scary, the potential of IoT in terms of those potential openings for cyber-attacks is profound.

Simeon: I would say there’s such a spectrum, some being most definitely deliberate, some being not malicious in intent. Some IoT devices, misconfigured, miswritten apps, miswritten equipment, equipment that just doesn’t have proper interactions, all of those things can create significant security issues, even if that wasn’t the intent, as well as of course, deliberate, targeted cyber-crime.

Jason: So let’s talk about SMS. It’s with great pleasure that we saw AdpativeMobile Security as one of our Tier One Vendors in 2021 for SMS Firewall. What was the reaction in the company when you heard the news?

Simeon: It was amazing because, we’ve been doing this for 17 years and for the longest time many of our customers were reluctant to make public comments regarding mobile security. But now, our customers are now in a position of greater awareness and can share their views on security, explaining what they’ve done to protect their network and sharing their experiences, this helps everyone. From our perspective, it’s fantastic to be able to talk about everything that we’re doing. Today we are protecting a quarter of the world, however it can be difficult to get our story out there and have our customers feel comfortable about vocalising their security challenges. So, we love the concept of the report stemming entirely from customer feedback, the voice of the customer is really powerful. I think the fact that you’ve encouraged and built-up customers to have that trust in the report, to be more open and contribute is a fantastic thing for us. It lifts the whole industry, I mean, brilliant to be recognised as a vendor, but you know, from our perspective, it’s education, education, education, anything that gets more people talking and raising awareness is a good thing.

Jason: So in terms of 2020, obviously, it’s been a pretty unusual year. Have you seen any specific change in the number of SMS attacks last year?

Simeon: Most definitely, yes, every year sees an increase. Sometimes some types of attacks will decrease to be offset against growth in new types of attacks.

Most definitely, though, everyone has had a different life experience in 2020. And what we’ve seen is attackers taking advantage of that. The fact that people are not in social communities in the office. We’ve most definitely seen that isolation of people has been exploited by attackers for social engineering attacks. It’s one thing saying, oh, I got this message, what do you think, when you’ve got that little doubt in your mind. If you’re there with colleagues or with friends, you can test that, which you can’t at home and they are exploiting that. We’ve seen a big increase in that sort of social engineering.

Over the past 18 months so many of us have been using new ways of collaborative remote working, with unfamiliar tools, which again, have created security challenges. With so many new cloud services being introduced, even from the big providers, cybercriminals have been exploiting weaknesses – both technical and social engineering. SMS is commonly the mechanism and the vehicle used, as victims respond to the immediacy of a text message, with the scope of brand association without the full protection an enterprise environment offers.

Another area we’re seeing being exploited are the changes so many businesses have adopted, with remote staff working from home, using personal devices, even personal numbers to contact people, or withholding calling identity. Coupled with the new demands with COVID associated communication, from all sorts of new government and health bodies that people have never spoken to before people are responding more to unknown contacts,  So, I would say those three factors have all given rise to an increase in cybercrime. All messaging related.

Jason: Fascinating. We certainly know from our research that, SMS traffic has really increased in the last year, it’s been a saviour to many brands for marketing and transactional messages in the pandemic.

Simeon: SMS continues to be so successful, due to the mantra of, it just works for everyone. And, unfortunately, that also means the barrier to criminal entry sending attacks using SMS still remains low, it doesn’t take much to buy and set up a sim bank, or to set up an account with any those of the CPaaS API companies that do less due diligence and vetting of new accounts than the majority. Hey, presto, the world’s at their fingertips.  It remains a global accessible system, with all the upsides. Businesses remain in contact or relationships with their customers wherever they are, but it’s just as easy for a cybercriminal anywhere in the world to have that exact same reach and scope.

Jason: Which do you think is the most urgent issue that needs to be addressed with the SMS firewall ecosystem today?

Simeon: It’s impossible to give you the most urgent because there’s just too many important issues. But also, because there’s priorities in four different areas that need to be addressed in parallel.

Firstly for both operators and aggregators who are seeking to safeguard their business, supporting them with regulation that is not overly prescriptive, but empowering, whilst ensuring the privacy requirements are considered. The risk is regulators consider privacy and security as separate and unrelated. Whereas, it is actually a complex line to walk that fine distinction between security and privacy, and often regulation on one side doesn’t fully consider the other. So I would most definitely say the regulatory environment to support protection is one area.

Another key area that needs more focus is the consequences for spammers and attackers. Taking action against those who are perpetrating the attacks.  When it’s seen as a risk free crime, and there are low barriers to entry, attacks are unfortunately going to continue to rise and be successful because the attackers wouldn’t do it if it didn’t work or had an unacceptable level of risk to them personally. Coming back to the first theme we discussed, raising awareness that there are consequences to doing this, as well as sharing knowledge and techniques on how, where and why to implement defences is absolutely critical to improving those defences.

And I think looking inside the ecosystem, improving the cooperation between carriers and aggregators, and CPaaS is a big one.  I do think, in certain regions, the commercialization of A2P, is still lagging, and there is scope to improve access to message delivery, sometimes grey routes are literally a necessity to reach customers. Coupled with understanding the sensitivity and dynamics of pricing, as it is a complex topic.

Lastly, on the topic of firewall defences. Software without service is doomed to fail. A lack of tuning, and active management of the abusers means the defenders will lose the war against those motivated to bypass those defences. Working in close partnership, understanding the pain points, the commercialization pain point, the monetization, new product enablement, new relationships and changes in dynamics. Shining the light on these issues increases understanding.

But overall, it is most definitely improving the ecosystem, as people are getting a better understanding of what their customers are doing and what their customers want. By customers, I mean, both you and I as end users as well as A2P sending businesses, building the relationships with them. We see scope for innovation or facilitation of that relationship, protection of that relationship, and delivery of new tools, new services, and better experiences. There is so much to be done.

Jason: One thing which I’d like to understand and maybe you can give us your view, is the process that happens within the company in order to keep a track of, let’s say, the latest trends that are happening in fraud, and then equip the firewall itself to deal with them. How does that work normally within the company?

Simeon: It is not enough to provide software, I’d say, understanding how that software interacts with the network, how it interacts with the traffic, and most importantly with the business of the operators, aggregators, end users  and sending businesses is critical. So, it’s a continual discovery, continual tuning, it is itself the mechanism for discovering those new trends.

We see some trends that are regional, we see certain social techniques that work in certain regions that then get copied to other regions, as that region themselves becomes more susceptible to that type of attack. For example, sometimes there’s a real mind-set that the threat is solely coming from sim banks. So, people are considering how do I stop some Sim banks inside my network? There are most definitely some banks that exist but that is not the sole problem. It’s about appreciating that there are so many enablers that can create attacks. So, from our perspective, being able to share the knowledge of what we see as trends becomes key. Sharing expertise about insights, education helps. From a practical level, being able to share configurations and techniques in the platform means that people can be proactively protected as those attacks come in.

There is no geographical barrier that the attackers observe – they are sharing knowledge, they themselves have a global organisation. So, as a supplier and a provider of service, it’s absolutely critical that, we work together and consider the impacts on a global basis.

Jason: Last year, 2020, there was a lot of opportunity for people to sit back and to kind of reflect on their businesses again, what they’re doing. And that’s also the case for these kind of attack companies. So what have they invented that we don’t know is coming until next year, or maybe later on in the year? And how do we predict it?

Simeon: Certain attacks are most definitely predictable. I mean, I would say that for the most part, going back to the commen

t of software and service combined, we are typically operating the service on behalf of the customer. By being deployed so widely in networks across the world, with our continual managed services, we’re actually seeing attacks right at the genesis.

We can pre-emptively configure and plan against attacks but occasionally attacks will come out of the blue. This is due to a combination of mechanisms. These days machine learning is quite good at discovering attack types. Normally, machine learning needs enough of a hook to be able to see it, that’s where the human intelligence side comes in. Subscriber feedback, again, is another useful mechanism. There is no one silver bullet, you’ve got to use a range of different techniques to continually analyse the situation. The main thing is a mind-set every day, as a school day, you’ve got to sit down at your desk and say, I am going to learn something today, probably many lessons.

The one absolute consistency is everything is not consistent. Every attack type changes.

Jason: Now, you mentioned grey routes, and obviously the industry has been working towards eliminating grey routes. What action is AdaptiveMobile Security taking on this?

Simeon: AdaptiveMobile Security have been leading the charge against grey routes. We supply not only to the carriers, but we also supply many aggregators, and CPaaS. We appreciate that certain territories are harder to get connectivity in to, but the widespread use of grey routes results in price erosion and commoditisation for the whole market, coupled with significantly increased risks to the carried traffic which is not good for anyone. The increasing focus on grey routes starts to show to the whole ecosystem that there is more to the industry than just price. Because right now, predominantly, everything has been about price, it’s always about who’s got the cheapest price, hence why you end up with a sort of a positive reinforcement on grey routes. Whereas I think, when people start to look more at integrity and quality of service delivery capability, and then trading that off against price, it starts to show an ecosystem where people can differentiate, which is the important thing for a successful market.  Some people will always differentiate based on price, but others will differentiate based on their capability for quality, and other ways of innovating in commercial service. That I think is an exciting future for commercial messaging.

Jason: How would you describe AdaptiveMobile security in 2021?

Simeon: What I’m very proud of is that we have become: a trusted partner to our customers, to help them secure that business. So, no matter what area they’re working on, whether it be SMS, or new services like RCS, 5G, 4G, signalling security, or commercial traffic, and how they manage all those new partnerships that trusted relationship where they talk with us and we all go along on the journey together.

We’ve got great products and an excellent team on execution and we do what we say. I like to feel that we are very collaborative, and that we work with several players in the industry to help deliver better protection, at the end of the day, we need people to be kept safe, the worst possible outcome is that end users feel that a mobile device cannot be trusted, that is a loss for everyone.

Jason: So, what is AdaptiveMobile security working on right now?

Simeon: We’ve got a number of irons in the fire. I just touched upon the commercial messaging side of things. We are really innovating heavily on that. It’s great to see that there are things like regulatory requirements, operator code of conducts, as well as people starting to look more at service differentiation, which really creates a very positive partnership, how can we help everyone in those environments, keep people safe, have a better experience, and help them grow their business. Delivering new signalling capabilities, new signalling protections and all the topics you’ve covered in your report.

5G security is a topic that you’ve probably seen that we’ve done some recent interesting research and publications on, because that’s a whole new area for everyone. And continuing to build on our intelligence. 2021, it’s an exciting year for us.

Jason: It’s been a real pleasure chatting with you Simeon, any closing remarks?

Simeon: I would close with an illustration of successful security. AdaptiveMobile have deployments across the globe, including great coverage across North America, where we protect over 80% of the traffic . The one thing that’s a little frustrating at conferences, is that we often hear people stand up and say “how can we protect voice against robo dialling, the attackers will soon stop doing that and move on to messaging”. Messaging is already protected. We are stopping millions of messaging attacks a day. It’s more that voice hasn’t caught up with messaging security yet. The best security is one where those protected are kept safe, and unaware of the hard work continually being done to keep them safe – it supports, and doesn’t impact, their daily digital lives.