Allot’s Mobile Security: Network-based Protection that 21 Million Consumers & SMBs Subscribe to — at One Euro a Month

The IT security giants (McAfee, Symantec, and others) are creatures of enterprise networks and don’t have the time, patience, or technical background to address the unique security needs of telecoms.

Network-based cyber protection for mobile and IoT devices requires much more than security.  First of all, you need to get your hands dirty in the plumbing of comms networks.  You also need to analyze massive traffic streams in real-time and know the nuances of mobile and IoT devices, routers, and other customer premise equipment (CPE) in their wide variety — not just PCs and Macs.

And another less understood requirement is the ability to unobtrusively inject technology into a carrier’s network and cloud infrastructure so the carrier essentially has a custom solution it can control.

Helping telecoms manage, secure, and draw useful intelligence from their IP streams has been Allot’s business for 23 years.

Theirs is the business of Deep Packet Inspection (DPI), one of the toughest ones in high-tech because the problems that need to be solved are enormously complex and carriers are enormously finicky about technology that directly touches their networks.

But if a DPI supplier can parlay its deep expertise into a proprietary solution that appeals to the operator community, it just might hit the jackpot.

A few years ago, I wrote a white paper on Allot’s Security-as-a-Service solution that protects mobile users.  That solution, employed with great success by Vodafone and Telefonica, has now considerably evolved into a family of services including Allot NetworkSecure and HomeSecure.

My interview is with Allot’s Director of Product Marketing, Moshe Elias, who explains the fascinating mix of R&D, risks, challenges, and marketing innovations that are driving Allot’s unique and winning security services.

	Dan Baker, Editor, Black Swan Telecom Journal: Moshe, it would be great if you could give us an overview of your consumer and small business security service.  What’s it about?

Moshe Elias: Sure, Dan.  With our NetworkSecure and HomeSecure services we are addressing an under-served market — the consumer and mass market for mobile and computer security.  And we include businesses up to 200 employees in that scope.

These are gadget-friendly residents/homes or small businesses where often no dedicated IT skills exist in-house.

We can bring great value to that market by helping them protect their online experience, helping them protect all the network-connected devices on the premises.

By partnering with a couple of companies to integrate endpoint agents into our network story, we can also address issues such as parental control.  We cover the cyber bullying concerns of parents, too, with a partner of ours — and that service will go live in the beginning of 2020.

So these services deliver true value.  Secondly, we assist service providers to better engage with their customers, provide value — commercial value — to the service provider, and also increase customer loyalty through unique, highly-value services.

Yes, I scanned Allot’s 2017 survey report, Consumer View on Mobile Security, where you surveyed 2,150 mobile users in 80 countries.  One takeaway from the Report: mobile users seem confused about what mobile malware is.  Only 11% say they’ve purchased “on-line threat protection” for their mobile phone, yet a full 76% of mobile users surveyed feel they are “protected”.  That suggests many are not even aware what malware protection really is.  Just because you swipe or enter a password to use your phone doesn’t mean you have on-line cybersecurity protection.

It’s true, Dan.  Knowledge of the malware threat is spotty at best right now.  However, 61% of those we surveyed said they would either “buy” or “likely buy” a blanket “mobile security service” covering all their devices if their communications service provider (CSP) offered it to them.

So the good news is the level of concern is high enough that consumers are willing to pay a little extra for this protection.

We think this survey shows that device security is a great commercial opportunity for ISPs, CSPs, and mobile operators.  These particular companies are the ones who really touch the customer, they know the customer, so that these are natural allies for us as we pursue the heavy-lifting task of penetrating consumer markets.  This also plays to our strength in the telco market, with 20 years of experience of implementing DPI systems in their networks.

	What sort of knowledge is needed at the user side to implement this solution?

No skill set is required: that’s the beauty of it.  There is nothing that the customer — either as a consumer or a small business — needs to download, install, or configure, whether on the router provided by the operator or on their mobile device.

When you go to a mobile operator, after you buy your phone and data package, you’re on your own.  It’s the same principle.  They get our security as part of the package.  It is a pure network service.

We believe the public deserves a clean Internet in the same way they expect their local city or town to ensure you get a clean glass of water from the kitchen faucet.  The same care and service should be available for that other utility, the Internet.

Now, having clean Internet is not as important as having clean water, but it’s high up there.  Internet connectivity is an important staple of day-to-day life.  So, that is what we are trying to achieve.  Hopefully, a win-win situation.

	What commercial success have you had thus far with this network security service?

I can quote a financial report from Vodafone where the CEO said that their Secure Net — which is based on our solution — has already generated a 160 million Euros in revenue — and that was in May, 2018.  So, from a commercial perspective, it’s a great success.

Vodafone provides this product to most of their opcos.  They currently operate it in 10 markets globally and charge around one Euro a month.  The service is bundled into their premium customer package, and they also offer it as a limited-time free service for new customers.

All told, we have 23 million customers protected by our technology today.  These wins are with substantial public companies.  Our customers in Europe are Telefonica, Vodafone, Hutchison, Safaricom, and some of the assets of Telefonica in Latin America.  Also we have Brazil, Argentina, and we recently launched in Peru.

Now Telefonica also uses our technology to address small businesses directly, not as a byproduct.  Most of our operators will also sell to Small Office Home Office (SOHO) and to businesses but with Telefonica it’s all bundled as one service.

Telefonica deliberately split out the Small to Medium Businesses (SMB) service and the consumer service, and we contribute to both the solutions together with other vendors.  With around 100 businesses signing up every day, we estimate SMBs to be 15% of their market.  The consumer side, I think, has crossed half a million also in a very short period since the service went live there.

	Can you explain how this product was developed?  I recall a few years back when you had cloud-based security for mobile users, but this is now a broader-scoped solution.

You probably remember our WebSafe Personal product, which we overhauled into NetworkSecure.  We’ve taken all its central management and multi-tenancy capabilities, then integrated that into two additional layers:

• Allot HomeSecure — CPE or home router-based security; and,
• Allot EndpointSecure — Integration of third-party client based security.

These elements came through our acquisition of Netonomy.  Beginning 2018 it took us about a year of R&D to provide cyber security to the home.  Integration is at the cloud-level.  But when I say cloud, it is not a cloud operated by Allot, it is a cloud we built in the service provider’s data center.

And this allows us to provide a highly personalized service that includes personal reporting and a personalized policy for the family or business being protected.

The Service Provider operates it, not us.  We provide and they manage the updates so that the system is always up-to-date to defend against the newest threats — all network-based.  The integration at the core is challenging, but not impossible.  We mapped the policy of NetworkSecure to HomeSecure (the former Netonomy product) and the endpoint client so that the customer sees one service, one report and one parental control policy for all three layers.

We can also integrate security clients under our management system.  That again we can do through one policy, and have multiple enforcement points so that the customer is covered regardless of how they are connected to the Internet.  This is integrated today with third-party security solutions, namely McAfee and Bitdefender.

For router-based security, we work with the vendors of the CPE, the furthest edge of the service provider’s network.  We integrate a security agent into the CPEs without having to rip out and replace them.  That agent provides local security; it monitors the CPE itself and it provides a cool app for customers to understand what is happening in their network, receive security alerts, and know when a new device is connected to the Wi-Fi network.

It is a zero-touch device in the end because it provides security and it does that by having an onboard agent that delivers the local security — and, of course, the backend cloud-based service does the heavy lifting.

If a new device is connected to the network and is approved by the owner, then we will do the fingerprinting of that device and apply security policies based on what the device is.

For instance, if we found an Alexa device, we would make sure that it is talking to Amazon.  And if we see it is talking to a different website unknown to us or suspicious domain or a known malicious IP address, then we would disconnect the communications between the device and that malicious actor since we know it is an Alexa device and it shouldn’t be talking to the whole world.

	Now I understand you can actually guarantee that a customer will be protected even if the customer goes off-net.  That’s nifty.  How do you do that?

Dan, it’s one of the key features of NetworkSecure.  Let’s say you’ve got a child with his own mobile device who goes to the mall and logs onto a public Wi-Fi or is roaming.  Well, you’d like to be able to apply parental control so the child doesn’t access inappropriate websites when he is off-net.  You also want the security to apply in similar situations.

So what we do is — through the personal notifications   promote a client which is a third pillar of our solution — it’s really the only way you can secure off-net.  The client can direct traffic back to the service provider for security or implement security on the device.  The operator will determine which solution suits him best.  The parents can go to one Web interface or app to configure the policy, they can group the family devices any way they want, per child and setup a policy for each child.  The point is: that policy will follow the child’s devices whether he is on the Wi-Fi at home, the cellular network, or accessing from a public Wi-Fi system.

	That’s quite a commitment to the customer — protecting them whatever network they use.

It is, and to be honest not every carrier is willing to promise that.  Some service providers will say I am only responsible for when the customer is on my network.  But others will say, “No, I need to provide my customer a security experience regardless of where it is connected.” So the approach will differ between service providers but our capabilities provide the full 360-degree security offering that we discussed.

At Telefonica, we integrate with McAfee at the endpoint together with our network-based security so that when mobile customers go off-net — leave the Telefonica network — they are also secure.  With other service providers, the approach will differ based on what they want to achieve, how they want to position themselves.

	I think Allot has chosen a nice niche in mobile security.  Plenty of giant companies dominate the PC security space and have an avenue to IT departments.  But you’re coming in closer to the telecom operator and that’s a winning strategy.

Yes, that’s our edge.  We have built on our strength.  We have been in the networking business for about 20 years.  And so when we come engage an operator, we will sometimes see the more traditional security companies, whose main market is enterprises and it is clear they lack the scale, the multi-tenancy, and integration capabilities into the operator’s systems.

There’s also the issue of how you deliver that security.  We sit in-line with the operator’s network while others implement security over DNS.  Well, guess what?  If I try to hack into the web camera in your home, then I don’t need to use DNS.

And so it’s easier to bypass and if a customer’s kid goes to Google’s DNS or CloudFlare DNS, which could be encrypted or is encrypted today, then he is also bypassing all the parental controls you have put on the DNS systems.

In a way, those DNS-based services are more dangerous than not having security at all because customers think they are secure.  But in fact, those systems are easy to bypass.  Then there are the cheap IoT devices in the home that can also give you a false sense of security.  You put in a unique username and password, but those are stored in a text file, unencrypted that anyone can access.

	Moshe, thanks for this fine briefing.  NetworkSecure and HomeSecure are innovative security services for CSPs.  It gives the operator a money-maker and something of great value to consumers and small business markets.  Good luck as you build on this winner.

Thanks, Dan.  One other point I think is worth noting — we not only supply the technical expertise to deploy and maintain our solution in the operator’s data center, we have also built up our own professional practice to help operators introduce and promote this service.

We moved to a model where we share revenue with the service providers.  So instead of them having to pay upfront for our kit that goes into their network, we bear the initial cost and work on a revenue share model.

We know from experience that a big factor in success of the program is the attention the product receives in the marketplace.  So we have built a team that works with the service providers, helping them to position and market the service.  We help launch campaigns, and even look at the regulatory environment in the country to see how the regulator can help support the consumer protection we offer.

	That’s great.  I’m sure Allot’s willingness to have skin-in-the-game is another key factor in getting CSPs to commit to NetworkSecure.