Multi-layer Cybersecurity: How We Improve Telco Client Security

December 7, 2021

CUJO AI is the largest provider of multi-layer security for large network operators around the world. CUJO AI’s algorithms process data from billions of connections every day to provide a combination of traditional and machine learning-based cybersecurity at the gateway for every device on end-user networks, including computers, mobile and IoT devices.

Our multi-layer security solution Sentry combines highly advanced machine learning (ML) models that are continuously retrained with new data in both supervised and unsupervised environments, with the best traditional security measures and threat intelligence databases to provide a proven and reliable security service for over 1 billion devices in the world. This is the largest multi-layered cybersecurity solution of its type used by network service providers around the world.

This article will run through some essential elements that make up CUJO AI Sentry and how they augment its multi-layered security.

What Makes a Security Service ‘Multi-layered’

Today’s cybersecurity is not a problem that is easily solved by a single solution or approach. As more devices and people use the Internet, they encounter threat vectors and attack surfaces at almost every layer of the connection. Today’s risks range from active, targeted exploits of hardware vulnerabilities to the way a user behaves while browsing the web. For every attack surface, different approaches are needed to provide the most effective security. Multi-layered cybersecurity is an industry term that denotes an approach where these effective approaches are combined or bundled together to provide an overall safer environment.

In the case of CUJO AI, our multi-layered solution combines several traditional approaches such as real-time IP reputation intelligence, threat intelligence sources, as well as proprietary bleeding-edge machine learning (ML) models that can detect, analyze, and prevent new threat vectors, such as novel phishing websites, in real-time. A key layer in our cybersecurity stack is the device intelligence models that identify devices with very high precision and can therefore alert our clients’ end-users whenever their devices are acting suspiciously (e.g. as part of a botnet).

We also use our own network device data to train our ML engines to infer when devices are compromised, making this a unique, proven way to deploy AI in cybersecurity for telco subscribers.

The Browsing Security Layer – Proactive, AI-driven Protection

CUJO AI combines various threat intelligence sources and processes massive amounts of live data about sites and services users access. Our ML-driven website crawler assesses hundreds of millions of websites to examine their reputation.

Combining feeds of known malicious IPs, URLs and domains gives our Safe Browsing model a good foundation for analyzing completely new websites and pages to ensure that users do not unknowingly interact with malware distributors, spam or phishing sites.

Machine learning plays a key role in protecting end-users from potentially malicious websites, as it enhances the browsing security layer with phishing protection. Since phishing sites are usually short-lived and might not get blocklisted by traditional vendors for some time, ML/AI protection steps in at a crucial point to protect the end-users.

Protecting Users and Devices by Combining Threat Intelligence Sources

Our solution uses threat intelligence from multiple sources to get the broadest information about possible risks users might face as soon as they are detected. When combining the information from several sources, there are some challenges about which data to use whenever there are conflicting data points.

An example of these diverging data points is when a website is listed as malicious on some blocklists, while others do not feature it. We use the CUJO AI Engine for these decisions.

To combine these sources through ML, we use both supervised and unsupervised learning models.

Device Behavior Is Key

Every device type has a usual behavior pattern. A smart kitchen appliance will not use the same amounts of bandwidth or servers as a streaming device. Our machine learning models have learned to identify devices with very high precision. To protect user privacy, CUJO AI Explorer uses only connection metadata to detect, identify, and categorize devices.

Explorer’s device intelligence greatly helps our security solution to detect whenever a device acts out of character, as this might be an indication of a compromised machine. Device behavior analysis and device identification helps us prevent botnet activities and does not allow devices to participate in DDoS attacks. We also use traditional means of flagging device behavior, such as limits on sent and received connection requests per time frame.

Enforcing Better Network Management Behavior

Our device intelligence data is also used to alert network owners about new devices connected to their network. This allows them to have an easy way to prevent rogue devices from accessing their network. It also provides them with real-time information about device activity, which improves the way they see their network security.

Preventing Malicious Remote Access Attempts

One of the largest active threats since the start of the pandemic were remote access attempts on consumer devices. CUJO AI provides remote access protection to prevent malicious connections coming in from outside the network. This is especially relevant for IoT devices, which often have poor security, such as open ports and hard-coded admin credentials.

Does Multi-layer Security Slow Down a User’s Connection?

The short answer: No. CUJO AI uses extremely optimized processes that run parallel and do not noticeably interfere with a user’s online experience. While an ML analysis of a rare, brand-new website might last longer, it is processed in the background.

Some other signatures, such as participation in DDoS attacks or botnets are accumulated over a period of time. This means that multiple security layers have different time frames they work in, and do not have to be processed each time and do not impact a user’s connection speed.

The Scale of the Solution

Extensive testing and real-world data show that multi-layer security can be reliably deployed at a massive scale without sacrificing performance. The capacity of a single CUJO AI deployment can handle trillions of records every hour. Machine learning models are key in scaling multi-layered security systems, as they allow us to automate key areas.

Scale is an important factor in today’s cybersecurity, as protection needs to adapt to the changing threat landscape, and while ML/AI models are continuously retrained, new attacks are often larger in scale, but not as innovative. In essence, we see that existing methods are reused and combined to target larger attack surfaces, while true innovation is rare.

Phishing Protection

Another key area machine learning outperforms traditional security solutions is phishing protection. After extensive training and testing, our phishing protection algorithms have the capability to analyze websites in real time and prevent users from accessing phishing websites. This is an important measure as it closes the gap between when these sites go online and when they appear on threat intelligence databases.

Phishing websites are usually short-lived, and using ML models to analyze and block them is the best solution on the cybersecurity market.

The Biggest Challenge in Building CUJO AI’s Multi-layer Security Solution

Our biggest challenge was creating an independent reputation evaluation score for CUJO AI, based on multiple sources of threat intelligence. We often encounter situations when some sources have different information and learning to combine all those insights into a cohesive dataset is a challenge. We use supervised and unsupervised machine learning models to automate and scale our solution, which is not an insignificant challenge too, as the changing threat landscape requires us to retrain our models constantly.

End-user Behavior Is Also Important

We provide our security solution to network service providers and their end-users, and the latter have an important role to play in their cybersecurity. Even the best machine learning algorithms cannot protect them from every impersonator or social engineer. This means that end-users need to stay vigilant about their social interactions online as well as the technical signs of malicious activity. Multi-layer cybersecurity can do a lot, but it can only do so much when it comes to the user’s choices and actions.

CUJO AI Sentry is the multi-layer cybersecurity solution that protects internet users from a myriad of security risks. It is the only solution deployed to protect over 1 billion devices on network service provider networks and is used by industry-leading telecommunications companies to improve their services, product offerings, and protect end-users (subscribers).