Recent successful attacks have shown that telco infrastructure and subscriber data are not only vulnerable to cyberattacks but are increasingly prime targets for threat groups with a profound understanding of their inner workings. This article, by GSMA Member Fortinet, explores what is driving this rise and how operators can strengthen their defences.
In 2024, FortiGuard Labs, Fortinet’s threat intelligence and research organization, saw a four-fold increase in the number of security events within Telco networks.
Regulators are demanding that Telcos implement broad cybersecurity measures to maximize availability and speed up recovery from attacks. But as Salt Typhoon demonstrated, relying solely on cybersecurity infrastructure and hygiene is not enough: the required availability of Telco networks and services cannot be sustained without investment in Telco-specific Security Operations (Telco SecOps) tools and capabilities across the operator's infrastructure and domains.
Beyond SecOps, Telco SecOps is required
Most of the SecOps tools and capabilities used in Telco security operation centers (SOCs) are designed for enterprise IT environments: user devices, workplace applications, public cloud, identity/authentication systems, and user-application traffic monitoring.
Telcos, however, are very different: their scale, distribution, architecture, protocol stacks, standards, traffic flows, domains, systems, and use cases result in unique characteristics and requirements. Telcos need to move from a mindset and model of basic security and perimeter controls to a full-blown Security Operations model, sized, designed and built specifically for telecom – a layered, holistic defense strategy:

Security hardening and hygiene: patching, segmentation, strong passwords, and security zones. Many of the recent telco attacks have gained initial access through unpatched systems and weak or stolen credentials.
Network and resources protection: using cybersecurity tools (firewalls, EDR, PAM, ZTNA, MFA, etc.) to provide visibility and telemetry to the SecOps platform, stop attacks, slow their progression, and limit their impact – independently or via SecOps automation.
Telco SecOps: built on a model rooted in deep understanding of Telco technologies, architecture, and use cases, delivering:
- Operational security: Real-time visibility, detection, automation, and reporting of attacks and threats specifically designed for telco use cases. This should include reconnaissance scans, lateral movements, signaling abuse, communications anomalies, and subscriber ID misuse.
- Asset visibility: Full view and inventory of all telco components, RAN, core, signaling, cloud, and IT. This enables the detection of shadow assets, rogue nodes and jump hosts, and provides context to enrich alerts, guide response, and meet regulatory requirements.
Experience from recent Telco attacks suggests that priority should be given to applying Telco SecOps to the Telco management plane, as this is the route attackers most often use to penetrate the network.
Key Telco SecOps attributes
A Telco SecOps platform must encompass and reflect the complexity of telco networks:
- Cross-domain correlation: visibility and monitoring across domains and systems (RAN, transport, core, exposure, IT, control and user planes, data and signaling).
- Support for telco protocols and identity models (including GTP, Diameter, SIP, and SIGTRAN, and identities based on SIM, devices, and network contexts).
- Support for Telco-specific use cases reflecting hybrid environments and threats: most Telco attacks in recent years have started in IT, followed by lateral movement into the management plane of other systems. Supported use cases must therefore include hybrid attack chains covering both “traditional” IT and Telco domains.
- Support for high-volume telemetry, threat intelligence enrichment, CMDB context, and risk scoring. Native visualization and automation are key to meeting required scale and performance.
- AI tools and capabilities: AI technologies play a key role in uncovering behavioral anomalies, detecting zero-day threats, identifying patterns, and automating response across complex telecom environments.
- IT and Telco-specific threat intel: this should include telco-targeted campaigns and TTPs (tactics, techniques, and procedures) mapped to frameworks like MITRE ATT&CK, including its ICS and telecom extensions.
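The hybrid attack chain described above (initial access in IT, then lateral movement into the management plane of a core element) is exactly the kind of pattern a single-domain tool cannot see. The following is an added example, not Fortinet's or GSMA's code, of a minimal cross-domain correlation: constructed log lines from an IT VPN gateway, an IT jump host and the OAM interface of a core node are joined on the account name, and a management-plane login from anything other than the approved NOC bastion is escalated when preceded by IT-side stages inside a one-hour window. The hostnames, addresses, log format and "approved source" list are assumptions for illustration; the MITRE ATT&CK technique IDs are the public ones.

```python
"""Cross-domain correlation of an IT-to-management-plane attack chain.

Added example for illustration; the log format, hosts and addresses are
constructed, not taken from any real deployment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three domains: IT VPN, IT jump host, core OAM.
# Format: timestamp|domain|event|user|src|dst
SAMPLE_LOGS = """\
2024-05-01T02:10:05Z|it-vpn|vpn_login|ops_contractor|198.51.100.7|vpn-gw
2024-05-01T02:14:40Z|it-host|ssh_login|ops_contractor|10.20.0.15|jump-it-01
2024-05-01T02:16:02Z|it-host|port_scan|ops_contractor|jump-it-01|10.50.0.0/24
2024-05-01T02:21:30Z|core-mgmt|ssh_login|ops_contractor|jump-it-01|mme-01-oam
2024-05-01T09:00:00Z|it-vpn|vpn_login|alice|203.0.113.9|vpn-gw
2024-05-01T09:05:00Z|it-host|ssh_login|alice|10.20.0.22|jump-it-01
2024-05-02T14:00:00Z|core-mgmt|ssh_login|noc_admin|10.60.0.5|mme-01-oam
"""

# Assumed policy: the only approved path to core OAM is the dedicated NOC bastion.
APPROVED_MGMT_SOURCES = {"bastion-noc-01", "10.60.0.5"}
WINDOW = timedelta(hours=1)

# Stages of the hybrid chain, mapped to public ATT&CK technique IDs.
ATTACK_CHAIN = [
    ("it-vpn", "vpn_login", "T1078"),       # Valid Accounts
    ("it-host", "ssh_login", "T1021.004"),  # Remote Services: SSH
    ("it-host", "port_scan", "T1046"),      # Network Service Discovery
    ("core-mgmt", "ssh_login", "T1021.004"),
]


def parse(lines):
    """Parse the constructed pipe-separated log format into sorted event dicts."""
    events = []
    for line in lines.strip().splitlines():
        ts, domain, event, user, src, dst = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "domain": domain, "event": event, "user": user, "src": src, "dst": dst,
        })
    return sorted(events, key=lambda e: e["ts"])


def correlate(events):
    """Return one alert per unapproved core-mgmt login, enriched with the IT stages
    seen for the same account in the preceding WINDOW."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        for e in evs:
            if e["domain"] != "core-mgmt" or e["event"] != "ssh_login":
                continue
            if e["src"] in APPROVED_MGMT_SOURCES:
                continue  # expected NOC path; not a hybrid chain on its own
            prior = [p for p in evs if e["ts"] - WINDOW <= p["ts"] < e["ts"]]
            techniques = []
            for domain, event, tid in ATTACK_CHAIN:
                seen = any(p["domain"] == domain and p["event"] == event for p in prior + [e])
                if seen and tid not in techniques:
                    techniques.append(tid)
            it_stages = sum(1 for p in prior if p["domain"] in ("it-vpn", "it-host"))
            alerts.append({
                "user": user,
                "target": e["dst"],
                "src": e["src"],
                "techniques": techniques,
                # Unapproved mgmt login alone is medium; with IT-side precursors it is high.
                "severity": "high" if it_stages >= 2 else "medium",
                "first_seen": (prior[0]["ts"] if prior else e["ts"]).isoformat(),
                "last_seen": e["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for a in correlate(parse(SAMPLE_LOGS)):
        print(a)
```

In this constructed data only `ops_contractor` trips the rule: the NOC admin's login comes from the approved bastion and `alice` never touches the core. Keying on the account is what lets the IT-side VPN login and port scan give context to an otherwise ordinary-looking SSH session on the MME's OAM interface.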
Telco SecOps platform components
The Telco SecOps platform, in relation to the overall cybersecurity ecosystem, should consist of the following components and functions:

AI-Powered Application Layer
At the core of Telco SecOps lies a layer of AI-powered analytics, orchestration, automation, and response engines. These engines ingest data from an AI-enabled data lake, process it, and provide SOC teams with visual dashboards to manage workflows and trigger automated playbooks across Telco domains. AI tools streamline operations via intelligent triage, summarization, threat hunting, compliance reporting, and context-aware support.
AI-Enabled Data Lake
Built for easy consumption by AI, the data lake contains Telco cross-domain data, such as inventory, logs and telemetry, coupled with threat intelligence, indicators of compromise (IoC), and industry security frameworks.
Cybersecurity functions
Telco infrastructure security functions, such as firewalls, serve either as sensors (providing visibility, context, detection, alerts, and logs), cybersecurity enforcement agents (implementing policies, playbooks and overall incident response), or both.
These functions also enable improved cross-domain correlation – critical in identifying complex or stealthy advanced persistent threat (APT) activity. The richer the cybersecurity infrastructure, the more effective Telco SecOps is at identifying and mitigating threats. Below are examples of key SecOps cybersecurity functions Telcos should implement:
- Attack Surface Management (ASM): Keeps track of exposed services, misconfigured devices, leaked credentials, shadow assets, and unpatched routers/gateways—across internal, external, and cloud environments.
- Endpoint Detection and Response (EDR): Focused on telecom-critical systems such as OSS/BSS and IT servers. Provides visibility into endpoints wherever an agent can be deployed.
- Network Detection and Response (NDR): Monitors mirrored traffic (e.g. management ports, GTP, DNS, HTTP/2) non-disruptively. Helps detect lateral movement without disturbing production environments.
- Deception: Positioned throughout the infrastructure to detect lateral threat movement and anomalies. Gives early warnings and visibility into attacker techniques and behavior without disruption.
- Firewalling: Used for network segmentation and protection, also providing support and visibility into telco-specific protocols such as GTP and Diameter.
- Privileged Access Management (PAM): Provides privileged account and credential management and session monitoring to control and audit access to the management plane of sensitive network assets and systems.
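The NDR and firewalling items above both depend on actually understanding telco signaling rather than treating it as opaque UDP. As an added example (not Fortinet's or GSMA's code, and not a substitute for a full GTP stack), the block below parses the GTPv2-C header from mirrored packets and applies three simple signaling-abuse checks: control-plane messages from a peer that is not in the asset inventory, an Echo Request burst from one source, and malformed headers on the GTP-C port. The packets, peer inventory, threshold and port assumptions are constructed for illustration; the header layout and message type values (1 = Echo Request, 32 = Create Session Request, and so on) are the standard GTPv2-C ones.

```python
"""GTPv2-C header parsing and basic signaling-abuse checks on mirrored traffic.

Added example with constructed packets; the peer inventory and threshold are
assumptions, not values from any real network.
"""
import struct
from collections import Counter

GTPC_PORT = 2123   # GTP-C; GTP-U on 2152 is skipped here
MSG_NAMES = {
    1: "Echo Request", 2: "Echo Response",
    32: "Create Session Request", 33: "Create Session Response",
    36: "Delete Session Request",
}
# Assumed peer inventory (what a CMDB/asset inventory would supply):
# internal MMEs/SGWs plus a roaming-partner PGW.
KNOWN_PEERS = {"10.100.1.10", "10.100.1.11", "192.0.2.50"}
ECHO_FLOOD_THRESHOLD = 5   # assumed per-source Echo Request limit for this sample


def build_gtpv2(msg_type, teid=0, seq=1, payload=b""):
    """Build a GTPv2-C PDU: flags, type, length, TEID, 3-byte sequence, spare."""
    flags = 0x48  # version 2 (010 in the top bits), T flag set: TEID present
    body = struct.pack("!I", teid) + seq.to_bytes(3, "big") + b"\x00" + payload
    return struct.pack("!BBH", flags, msg_type, len(body)) + body


def parse_gtpv2(pkt):
    """Return the GTPv2-C header fields, or None if the packet is too short."""
    if len(pkt) < 8:
        return None
    flags, msg_type, length = struct.unpack("!BBH", pkt[:4])
    version = flags >> 5
    if version != 2:
        return {"version": version}
    off = 4
    teid = None
    if flags & 0x08:                       # T flag: 4-byte TEID follows
        teid = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    seq = int.from_bytes(pkt[off:off + 3], "big")
    return {"version": 2, "msg_type": msg_type, "length": length,
            "teid": teid, "seq": seq}


def analyze(packets):
    """packets: iterable of (src_ip, dst_ip, dst_port, raw_bytes) from a mirror port."""
    findings = []
    echo_count = Counter()
    for src, dst, dport, raw in packets:
        if dport != GTPC_PORT:
            continue
        hdr = parse_gtpv2(raw)
        if hdr is None or hdr["version"] != 2:
            findings.append({"rule": "malformed_gtpc", "src": src, "dst": dst})
            continue
        name = MSG_NAMES.get(hdr["msg_type"], f"type {hdr['msg_type']}")
        if src not in KNOWN_PEERS:
            findings.append({"rule": "gtpc_from_unknown_peer", "src": src,
                             "dst": dst, "msg": name, "teid": hdr["teid"]})
        if hdr["msg_type"] == 1:
            echo_count[src] += 1
            if echo_count[src] == ECHO_FLOOD_THRESHOLD:   # alert once per source
                findings.append({"rule": "echo_request_flood", "src": src,
                                 "dst": dst, "count": echo_count[src]})
    return findings


def sample_packets():
    """Constructed mirror-port capture: one legitimate session setup, one from an
    unknown peer, an Echo Request burst, a GTP-U packet and a truncated header."""
    pkts = [
        ("10.100.1.10", "10.100.2.20", GTPC_PORT, build_gtpv2(32, teid=0, seq=1)),
        ("198.51.100.23", "10.100.2.20", GTPC_PORT, build_gtpv2(32, teid=0, seq=9)),
        ("10.100.1.11", "10.100.2.20", 2152, b"\x30\xff\x00\x00"),   # GTP-U, ignored
        ("10.100.1.10", "10.100.2.20", GTPC_PORT, b"\x48\x20"),      # truncated
    ]
    pkts += [("192.0.2.50", "10.100.2.20", GTPC_PORT, build_gtpv2(1, seq=n))
             for n in range(6)]
    return pkts


if __name__ == "__main__":
    for f in analyze(sample_packets()):
        print(f)
```

The unknown-peer check is the one with most value in practice: a Create Session Request from an address that is neither an internal node nor a roaming partner should never reach a gateway, and catching it needs exactly the asset inventory context the article describes. The Echo Request threshold is a placeholder; a real deployment would baseline it per peer.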
Threat intelligence
Threat intelligence provides the Telco SecOps platform with up-to-date info on threat actors’ attack methods and techniques, campaign-level indicators, vulnerabilities, Indicators of Compromise (IoCs), outbreak alerts, and more. It provides insights that help anticipate, prevent, and respond to attacks, enabling Telcos to be more proactive in their cybersecurity strategy and posture.
Telco use case library
Contains a set of pre-defined configurations, dashboards, playbooks, and reports to facilitate the implementation of specific Telco use cases. These can be used as the base for specific customization for each Telco environment.
Implementing a Telco SecOps platform will help Telco SOC personnel to prevent, detect and mitigate attacks faster and more efficiently, improving service availability and limiting potential damage. Telco Network planners will gain a better understanding of their cyber risks, helping them to better plan their cybersecurity investments. Telco CISOs will gain precious support in meeting regulatory requirements and achieving both their business and cybersecurity goals.