How the worldwide telecom operator Orange adopted an innovative way to detect breaches of its infrastructures

  • Industry:
  • Location:
    Worldwide
  • Revenue:
    €41 B

Use Case

Orange is France’s longest running and largest telco operator. It provides mobile and Internet communication services to its clients in more than 30 countries spread across the globe. It is a technical leader in 4G and 5G networks and sits on multiple normalization committees to define the future of telecommunication protocols and architectures. Powered by more than 150,000 employees worldwide, it continuously delivers its services and innovation to 260 million clients worldwide.

Key facts

Benefits
Ability to efficiently detect flaws and attacks
Enrich log collection with contextualized AD alerts
Better return-on-investment compared for the SIEM
KPIs
1 centralized Alsid console for all monitored domains
Multiple domains in multiple forests
More than 270,000 protected users and service accounts analyzed in less than 1:30
Interlocutors at Orange
1 Risk Officer
1 Security Manager
1 Active Directory Architect
1 AD expert from Orange Cyber Defense
Alsid dedicated team
1 Senior AD Security Engineer
1 Technical Account Manager
Integration plan insights
Less than one day to fully monitor the biggest domain of Orange Group
On-premises deployment to keep all data in Orange infrastructure
A dedicated integration partner to provide support and operational help on the platform
Challenges

Telco operators manage large and highly interconnected infrastructures. On top of their own systems, they act as an integrator for corporate clients and provide connectivity services to private individuals worldwide. This results in one of the biggest infrastructures globally, with numerous devices, users, and services. Continuously monitoring this perimeter with traditional approaches such as log analysis is extremely difficult due to the sheer size of the system. Thousands of devices and applications continuously emit logs, and the global volume can be huge. Effectively collecting and correlating them is nearly impossible on infrastructures that large.

As one of the major communication services providers worldwide, Orange faces the most advanced attackers and must be protected against state-of-the-art intrusion attempts. Maintaining resilience against them on such a large scale is a challenge for the security team. Countless parameters, systems, permissions, and user behaviors must be checked to ensure no attacker manages to infiltrate the network. These extremely challenging objectives required Orange to find a yet-to-be-invented solution, one capable of solving the problem efficiently at a global scale. As in many corporations, the whole system is built around a large-scale Active Directory infrastructure, so the Orange architecture team got in touch with the Alsid engineering team to design a robust solution for their needs.

Solutions

Alsid’s analysis does not use logs to detect security deviances and attacks, and so avoids many of the pitfalls of competing solutions. By querying the heart of the infrastructure, the Active Directory itself, Alsid’s solution was able to give a clear view of the security risks and changes without having to ingest gigabytes of logs.

Deployment was done quickly, as no software agents or elevated privileges were required. A simple virtual appliance was installed and configured on one of Orange’s virtualization farms in less than half a day. While the amount of data to process was daunting, Alsid’s development team made some critical adjustments to the algorithms used by the solution. The result was on par with the Orange security team’s expectations: an instant view of the global infrastructure, with clear quick wins and risks identified, as well as dynamic remediation plans ready to be implemented.

After the core network monitoring, Orange progressively extended the monitoring perimeter to its international subsidiaries. Local administration teams often lack the technical resources to identify complex Active Directory security flaws: the Alsid solution empowers them to proactively fix problems, while also giving the global CISO visibility of their security state.

Given the scale of our infrastructure and the challenges we are facing, there are not many technologies able to tackle them efficiently. Alsid solution deployment and performances are key differentiators for us.
Arnaud MARTIN
ORANGE GLOBAL CISO

Results

State-of-the-art detection and remediation

Being safe from the most advanced cyberattacks is a challenge all major telecom operators must face. The Alsid solution is continuously updated with new or refined Indicators-of-Exposure to ensure the latest attack tools and techniques are properly detected. Each Indicator-of-Exposure embeds a clear description of the security flaw, how to fix it, and pointers to relevant online documentation. While Orange can boast a world-class security team, the Alsid solution removed most of the burden of keeping their AD security skills up to date. The time gained can be spent on further analysis or other high-value tasks.

Enriched SIEM data and increased coverage

Detecting advanced attacks by analyzing logs at Orange’s scale is a challenging task. Terabytes of raw logs emitted by servers and endpoints must be loaded into SIEM solutions and analyzed by hand-written rules that are hard to maintain. By querying the AD database and correlating thousands of technical objects and parameters, the Alsid solution sends alerts to the SIEM only when a security incident happens or a new flaw appears. This strategy enriches the raw AD logs collected by the SIEM with preprocessed information and eases correlation. It also increases the attack detection scope, as many advanced AD attacks do not trigger event logs at all, or only trigger subtle changes.

Fit security analysis to business context

Orange’s infrastructure is unique due to its size and scale. After deployment, Alsid’s engineering team noticed that some fine-tuning of the solution configuration would make it better fit Orange’s needs. By working closely with the Orange security team, Alsid security engineers were able to adjust the product’s indicators using the built-in configuration feature. Both parties strongly benefited from this collaboration: Orange’s feedback was invaluable for identifying the right settings.

Contact us

Let’s explore together how Alsid can improve the security of your directory infrastructures.