Jason

It’s a real pleasure to be here with Simeon and Stuart from Enea. My first question is around Enea. This is a new name for some people in the industry. Can you elaborate a little bit more on that? And also introduce yourselves and your roles?

Simeon

Thanks Jason – I now have responsibility for business development of the Network Security portfolio within Enea. I’ve been with the business since we founded and we marked our 20th anniversary this year Just over two years ago we were acquired by Enea, a Swedish public company, who have a portfolio of telecom products. It’s a great fit on both sides, we have been able to bring the security capabilities to complement an existing portfolio that covers a range of market leading products including traffic management,  data management, WiFi & IoT.

Stuart

I’m Stuart McBride, Director of Product Management for our messaging portfolio. Like Simeon, I also came from Adaptive Mobile, which has become the Network Security business unit in Enea and have been with the business for seven and a half years.  Originally as Head of Threat Intelligence and now in product management.

Jason

Great excellent, guys. Thank you. So it’s been a couple of years, Simeon since we last spoke. And of course, we know that business is very interesting these days, lots of new developments. How is business in Enea?

Simeon

Growing strong, we continue to have very good adoption and growth in both the operator side of our business, as well as in markets like CPaaS and aggregators. Our security propositions spanning everything from signaling protection, covering additional barriers such as voice, to messaging  are very, very strong. A lot of people tend to think of anti-spam as really being the entry point for messaging protection & control. And for a lot of the market, being able to address that continual evolution of threats with anti-spam protection is absolutely the starting point. But in addition to that, managing commercial A2P messaging has also been a very strong growth driver. The whole industry has seen very solid growth in revenues, but also a corresponding set of challenges. Not only do we have the grey route scenarios,  where players are trying to improve margins by finding alternative routes, but we’re also finding now a whole set of additional drivers for network inspection and control solutions with functions like regulatory compliancy drivers. Increasingly we’re finding countries mandating not only the type of content, ensuring that minors are kept safe and that there’s adherence to local content laws, but also actually really starting to think about how users are impacted by the fact that, we’re always got the mobile about us 24/7. So there’s now consideration that functions like what type of content is appropriate during which times of the day, is really driving the need for protection solutions to deliver far more than that simple security. The industry is now finding there’s so much more complexity around actually analyzing what type of content, making far more automated intelligent decisions about the nature of the content, not just who is sending it.

Jason

It sounds fascinating to me, are you thinking about, or have you developed solutions around Machine Learning or AI? I suspect this is something that you’re looking at.

Simeon

Absolutely, the only way to scale when you’re processing billions of messages every single day in milliseconds, is to use some level of additional automated machine based intelligence. What we continue to determine is, it’s about having a blend of techniques and a blend of capabilities. Taking the 20 years of experience we’ve got, ensuring that these range of techniques and models are appropriately used, as the industry has seen too many sort of flash in the pan approaches of,  a silver bullet model, that frankly has high impact to legitimate traffic. So it’s about using all of these techniques, with that experience to get targeted and accurate decision making in real time. And certainly Stuart can talk more about some of the really exciting things that we’ve been doing.

Stuart

While we’ve applied AI to security for several years, our current focus is on large language models and how well we can apply them to various use cases. We’ve exceeded our own initial expectations with the results we’re achieving so far, particularly that we can train these models to be language agnostic. So instead of requiring local solutions in different regions, it actually applies to language generally. There are many use cases for this. At the moment, we are categorizing messages based on intent. At the same time our research team is evaluating new applications of similar models. For example, identifying brand names, identifying malicious traffic, and so on.

Jason

It certainly does sound like you’re in the front line of tackling these issues as they come along in the market. So it’s very reassuring to hear what you have to say about that. So, we’re here because you were voted as tier one in our SMS Firewall research by Mobile Operators. And, I have to say, there’s a lot of operators out there who really admire the work that you’re doing. And, you know, it’s a tough market, there’s alternatives, of course, and clearly, Enea is a company that is widely respected. How did you feel in the team? How did the team react to this accolade?

Simeon

What we love about this is customer recognition. It’s one thing to say you’ve got great functional capabilities, or you’ve got a great brand name, but at the end of the day, customer’s perception of our business and what we’ve delivered and achieved in partnership with them is what matters. It was great to see that recognition. What we love is the level of detail the report gets to. Being scored second highest on Net Promoter score, that really helps us feel that we’re doing the right things for our customers, that we are really helping them in their business.

Jason

Fantastic. Yeah, it’s something which we run every year and the reason for that is because we recognize that leadership in companies changes. And the perception of customers is always evolving. Now, one of the key things, as we’re talking about the evolution of SMS and firewalls, etc, is AIT, I understand you have a view on six different types of AIT. Is that correct? And can you tell us what they are?

Simeon

AIT as a term has been in circulation for a couple of years now, and what we’ve been finding is that the usage of it and the variety of definitions  starts to become almost contradictory. When we look at some of the various industry groups and their definitions what we are seeing is that, actually, a number of different types of AIT abuse weren’t being captured. So what we decided to do was create a taxonomy of types of AIT. We’re in quite an advantageous position, because, as I mentioned earlier, our customer base spans everything from A2P campaign onboarding at the CpaaS stage, so immediately as a brand, generating it, right the way through interexchange carriers, through aggregators, into the terminating operators. It really enables us to get full visibility of the entire messaging ecosystem chain. For us, AIT attacks harm our customers right the way through that ecosystem. We’ve been putting in place solutions to identify and control artificial traffic, in fact, before the AIT label was even created. When we came to actually defining these, we realized yes, that there are six distinct types. And in fact, what I would say is that the different attacks are being carried out by different organizations, for different purposes, and using different techniques. So folks sitting, for example, on an operator side may not get visibility into some of the other upstream forms of AIT.  Likewise CPaaS themselves, whilst bearing a lot of the pain of it may not see other types of attacks that are occurring downstream. So this is really what drove our initiative for creating this taxonomy of the six different types.

As to what they are  – we’re bringing out a paper that puts these in more detail. To summarize for this interview there is the bot generation. And this is the one that got all their headlines when Elon Musk came out and said  X formerly known as Twitter was being scammed to the tune of 60 million dollars a year for SMS texts by bot trafffic.. So yes, there is absolutely traffic being generated by effectively fake agents that are generating it at the point of origin in that service. From that perspective, from CPaaS down the chain, all see it as regular A2P traffic. But the challenge, of course, is detecting and controlling the abusive AIT traffic as it’s incurring cost back to the brand.

We’re also seeing attacks being injected and generated by other accounts directly into CpaaS, emulating brands and potentially abusing and defrauding the CPaaS themselves. At that second intermediary stage, we’re also seeing forms of traffic inflation occurring at the aggregator level, outside of the control and visibility of the CPaaS and  the inter-exchange carriers, but, at the point where traffic termination charges,which have recently been going through significant increases in the market,  occur.

And there is also  the age-old problem of end user generation, which is, malware or apps on the device generating traffic. Malware like Flubot never really go away, they evolve, and there are always consumer SMS package reselling apps appearing on App Stores . So, yes, six different distinct types of AIT for different purposes, sometimes financial gain, sometimes for reputational damage. It’s important to also note there are legitimate types of artificial traffic. A lot of folks in the ecosystem are using test traffic generation to look at billing accuracy, customer experience, quality of service, things like that. So, not all forms of artificial traffic are bad, but it’s critical to spot what is bad, and what is damaging. Certainly a lot of the analysts numbers are starting to show AIT figures in the region of 20 billion fake AIT SMS a year in 2023. So we really feel that AIT is a significant issue for the entire ecosystem, because if it’s not addressed, it will result in the reduction in traffic overall, brands lose, operators lose, aggregators and CPaaS lose, everyone suffers as a result of this.

Jason

Leading to my next question, which is really… there’s got to be an impact that comes then down the line. Is this going to reduce, I mean, MNO, or Enterprise confidence in SMS as a solution? Because we’ve always seen SMS growth. Now, it seems to be stabilizing a little bit, there’s obviously alternatives. What is your thoughts about that?

Simeon

I would say without a doubt: enterprises have had their confidence in SMS impacted, and that’s across the spectrum of enterprises. Take the big brands, we know and see how much they’re getting impacted. And again, we’ll be publishing some examples of the numbers in our upcoming report. But we see this can also happen with small companies, Anyone who has an interface that is able to programmatically generate messages is at risk. It’s not their core business to understand and control this type of issue, they are trying to innovate and create their own goods, products and services. If they don’t understand expensive international termination rates, or if they’re trying to enter or fulfill a particular market, and with the global connectivity that the A2P ecosystem provides, it means these brands are at risk. It’s good to see that the industry is recognizing this, and some parts of the ecosystem are starting to put in place solutions like ours and others to actually address this issue. But if we don’t keep appropriate eyes and focus on this, yes, brand’s confidence will be shaken. They’ll suffer uncontrolled spend, and that means that they will look for alternative communication channels. And there are alternative approaches out there for some of those use cases.

Jason

Those are very, very interesting points that you’re raising because you said about keeping an eye on this. And it’s really… there is no body, let’s say, or association that’s really, let’s say, focused on preventing this, as I see it. And there is attempts by companies recognizing this is bad, aggregators especially. This is not something we should continue doing or supporting in any sense. But who’s monitoring or, you know, accrediting companies who aren’t doing it? It seems to me that it’s important, like companies like yourself to focus on it. But as a whole industry, how do we clean it up for the future? I mean, it’s a big question for me.

Simeon

Oh, it really is. This is  why we’ve been working on the definition, the taxonomy, because without a detailed definition, there is no way of quantifying it. If you can’t measure, you can’t size and if you can’t size, you can’t work out the impact. So it all stems from being able to say, “Okay, what specifically are the problems that we’re looking at here”. And these top level definitions, that are contradictory, just don’t enable and facilitate that. So yes, absolutely as an industry, we need to find clarity, and perspective in being able to show where these issues are occurring,  so that we can put the appropriate focus in place to help deliver that type of protection to avoid us all ending up suffering.

Jason

So just to conclude on this point, and you said, you’re introducing a white paper on this topic, obviously, we’d be very interested to know more about that. And to, and to see what it says and I’m sure many, many of our followers would also be interested.

Simeon

Yeah, absolutely. We’ll be launching that, in the New Year, and we will keep you posted, Jason, on that. We’re trying to create something here as an industry definition, so we would welcome other industry experts insights and commentary. We really do feel the more people that we can get to focus on this and being able to quantify it, size it and talk about techniques to address it, absolutely the better.

Jason

So we touched before on AI. And actually ROCCO is in the process of running an AI research because we’re trying to identify companies who are doing AI based tools. Obviously it’s the buzzword of the year. What is an AI specifically doing? I asked you a little bit before, but maybe you could elaborate a little bit more on the kind of tools that you’re working on that have AI capabilities, let’s say.

Simeon

The first thing I would say is, we’ve been doing AI for 10 years now. We have machine learning deployments, particularly on lexical analysis going back to 2014. We have been working extensively in this area and understand the pros and the cons of bringing solutions like this to the market.

Jason

Thank you Simeon. Could you answer the question in terms of technology, Stuart?

Stuart

As Simeon said, we’ve been involved with AI for 10 years or more, but it has evolved very substantially with large language models. So what we’re focusing on now is the kind of tasks that we need to be able to perform  at a volume and speed which means there is really no alternative. So one thing is categorizing messages in real time, and categorization covers everything from whether it’s malicious, it’s phishing, it’s from your bank. Initially we’re doing a proof of concept based on the message categories for Android and Apple, at a high level, we are splitting things between Multi Factor Authentication, other notifications, and promotions, or marketing. And there’s many use cases for this, some of them will come from the operators and the service providers themselves. They want to handle this traffic differently. Some of them come from regulators, meaning the operators are obliged to handle them differently or impose various restrictions such as only sending them at certain times. Another factor is attachments; the best way to classify an image is to use AI to do it. There’s certain reasons you don’t want humans doing that job. And it’s something the big Social Networks still have to do with human intervention. But in terms of messaging, we would hope to address this problem almost exclusively with AI. The goal is to allow the AI to make as many decisions as it can, without any supervision, after going through a general training function.

Jason

Wow! So AI is really teaching itself, and evolving. Is that something you imagine? Because, I think at the very beginning of what to expect from AI, you know, when you consider it, it’s just at that point where it’s developing, but it’s at the very beginning, because there’s got to be a lot of development there, that is coming in the future as it grows, and it teaches itself more. I mean, it sounds fascinating what it’s going to be able to do.

Stuart

I think we’re all going to continue to be surprised at what it can do faster,and possibly more accurately than us.

Simeon

Just to give one example. I’ve seen a lot of technology in my lifetime, and aspects like language have always been one of those things that are a challenge. There’s such a variety of different languages that people want and like to communicate in. We have a lot of multi-language disciplines and experience in our business, and a lot of security analysts with a very broad spectrum of language skills, because we protect a quarter of the world, so we have to speak the language that our customers’ customers speak and interact with, and that’s I think one of the powers of AI. It is able to extrapolate beyond that. It really means that no matter what language folks are using to communicate, that we can help deliver that level of protection and security.

Jason

Fantastic. Thanks, guys for helping us to understand how this market can evolve with AI. I think it’s very fascinating. I would look forward to hearing more about it in the future. So what would you say then, reflecting on everything that’s been said in this interview, what is the key differentiator that an AI brings to the market? Would you say?

Simeon

First off, our focus. This is our business. There are many companies out there who provide a bit of security. They are sitting in the right place in various architectures to do security functions such as processing the traffic. But this is our business, we have security teams, we have product teams, we can focus our whole operation on these types of threats to our customers, which enables us to do things that, frankly, any other business just doesn’t have the cadence, or the discipline or the focus, let alone the expertise and experience to apply that.

Jason

It’s a very good point, I think, based on research that we’ve done in the last few years, there’s a definite interesting trend towards specialist companies who are focused on this area. I think it’s really not very easy for any Mobile Network Operator, for instance, to be able to judge what are the trends in the market to have really dedicated resources, who are on top of things, who are looking at things. It’s just the economies of scale, the fact that you have multiple customers being able to notify you of issues or that you’re identifying issues in advance and being able to alert other customers to them. I think it just makes total sense.

Simeon

Exactly that customer base, that knowledge, that insight, it’s that scale function,means we can be proactive and preventative. Techniques are continually evolving, but then they are shared and spread across the world. So the wider the visibility, the more we can provide and ensure proactive protection, because we’ve seen those techniques used elsewhere. And I think, that’s one of the characteristics of the security industry. When we talk about competition, it’s not like, say, automotive.,  This isn’t Jaguar versus Ford versus Mercedes, where they’re competing for the customer’s money. Frankly, the people we’re competing against with here are the attackers, those are the people that are evolving and changing their techniques. We stand shoulder to shoulder with the other security companies who are delivering solutions to address those. So, it means we have to be good, we have to evolve, we have to be fast, we have to be accurate.

Jason

So one final question for you, although I have a sneaky extra question. So what is Enea working on in 2023? I mean, we’re coming to the end of 2023. What have you guys been working on this year?

Stuart

One of the focuses that we’ve had in Product Management is, you may have seen that we had a portfolio relaunch. Much of our technology is the same, but the portfolio is being relaunched as we’re not just selling SMS firewalls to operators. The market has broadened to aggregators and communication providers of all sorts. And we realized the necessity of having more specific offerings for what these players need. We might have a potential customer with a very specific use case whether it be based on message categorization for handsets or some previously unknown threat to the network or users.

As we mentioned already, the biggest part of our 2023 new technology is the application of AI to text and images. And we are also, with the help of AI and other kinds of proprietary automation, working on providing options for operators who want to be more self-sufficient. Our Threat Intelligence Unit has always been a big differentiator and something that is very popular with our customers. But this expertise comes with a cost. And we want to provide a more self-sufficient option, while still offering very powerful protection.

Jason

Excellent. That sounds like a lot. You guys have a lot on. A lot of projects, but it’s really fascinating to hear.

Simeon

To put some of these things in context Apple recently announced, to the surprise of many, they are working on implementing RCS. We’ve been supporting RCS protection for eight years now, and MMS protection for 18 years, which as you have mentioned, it’s not just about text, it’s about the attachments; images,  video etc. We really see having insight and control on that rich media suite is just as important now, as the textual portion. So with those announcements it again places everything more towards where we have been and where we continue to focus on, which is protection for the whole stack.

Jason

That was my sneaky question. It was about Apple. Since that announcement, LinkedIn has been blasted with people communicating it. And then secondly, people communicating “are we going to face the same issues as we’ve had with SMS?” So it’s very reassuring to hear from you guys that that’s something that you are already working on and already solved in a sense.

Simeon

Absolutely, those same issues will be faced.  We’ve been protecting that RCS bearer for many, many years. And, yes, it not only has the same issues as SMS, but a whole range of other ones. It is higher throughput, you’ve got more of a complex protocol stack to manipulate, you can put attachments on it. That just increases the attack surface.

Jason

It sounds fascinating, guys, everything that you’re working on. I really want to thank you for your time to share with us some of these insights on AIT, especially and RCS. very topical. So thanks a lot guys.

Simeon

Really appreciate the opportunity. And we really appreciate the reports that you do. The insights give us direct feedback from our customers and the market. So looking forward to 2024.

Jason

Fantastic, thank you both guys.

If you want to support research that contributes to the transformation of our industry and puts neutrality in the first place, ROCCO is your choice.

If you have any questions, email us at hq@rocco.group.

Check our latest Reports