Integrating Telecommunications Infrastructure with a SOC:
A Strategic Framework for Telco SIEM Implementation –
White Paper

 

In today’s interconnected world, telecommunications service providers form the very backbone of our digital society. They facilitate everything from simple phone calls and text messages to complex data transfers, internet access, and critical infrastructure communication. This central role makes them a prime target for malicious actors. A successful attack on a telecommunications provider can have devastating consequences, ranging from service disruption and financial losses to the compromise of sensitive personal data and even national security. Therefore, robust security measures are not merely a best practice for telecommunications providers – they are an absolute necessity

At the heart of any effective security posture lies continuous security monitoring. The need for security monitoring in a telecommunications provider environment arises from several interconnected factors. The sheer complexity of telecommunications provider networks, encompassing a vast array of interconnected systems, devices, and protocols, creates a sprawling attack surface. While this paper focuses on the integration of telecommunication devices with a Security Information and Event Management (SIEM) system, there is also a large enterprise IT network in the telecommunications environment that connects to and hosts services for the telecommunications provider networks, and it too needs to be monitored.

Telecommunications providers handle vast amounts of sensitive customer data, including personal information, call records, IMSI details, and browsing history. Safeguarding this data from unauthorized access and breaches is paramount. Monitoring helps detect suspicious activity that could indicate a data breach, enabling timely intervention and minimizing the impact on affected individuals. While external threats often dominate headlines, internal threats, whether malicious or accidental, can also pose a significant risk. Monitoring can help detect insider activity that deviates from established baselines, potentially uncovering malicious intent or unintentional errors that could compromise security.

The evolution of telecommunications infrastructure from hardware-centric systems to Software-Defined Networks (SDN) and Network Functions Virtualization (NFV) has fundamentally changed the security monitoring paradigm. The integration of diverse and evolved network elements into a SIEM system and Security Operations Center (SOC) presents significant challenges for telecommunications providers due to the scale, complexity, and heterogeneous nature of their infrastructure. They must adopt a structured approach to SIEM integration that considers both legacy network elements and modern cloud-native infrastructure components. The complexity is further amplified by the need to monitor and correlate events across multiple technology generations—from legacy 2G/3G networks to advanced 5G infrastructure—while maintaining comprehensive visibility across the entire service delivery chain. This integration challenge is compounded by the diverse vendor ecosystem typical in telecommunications environments, where equipment from multiple manufacturers must coexist and interoperate. Each vendor often implements proprietary logging mechanisms, event formats, and security controls, creating a complex tapestry of security data that must be unified within the SIEM platform.

A systematic approach to SIEM integration is therefore essential, encompassing everything from business requirement gathering, initial planning, use case definition, Key Performance Indicator (KPI) creation, and architecture design to ongoing optimization and maintenance of the security monitoring infrastructure

Approach to setting up a SIEM

In the dynamic landscape of telecommunications, the integration of network devices with SIEM systems in a SOC requires a carefully orchestrated approach that balances multiple organizational imperatives. Telecommunications providers must consider below listed factors to ensure that they approach the SIEM integration to achieve specific objectives.

Telecommunications providers must begin by establishing clear use cases that align security monitoring with their operational objectives, ensuring that the integration delivers tangible value beyond basic security compliance. The regulatory landscape shapes the foundation of this integration strategy, as telecommunications providers operate under stringent oversight that demands comprehensive monitoring and reporting capabilities. In most cases, the potential for transforming security data into actionable business intelligence presents opportunities for value-added services, making it crucial to design the integration with future analytics capabilities in mind. In the overall service provider network, the challenge due to the sheer volume of log data generated by telecommunications network devices—from core network elements to customer-facing systems—necessitates a thoughtful consideration of storage infrastructure that can scale with the organization's growing needs. This abundance of log data also underscores the critical importance of optimization strategies, as unrefined log collection can quickly overwhelm even the most robust security monitoring systems, making it essential to implement intelligent log management practices that balance comprehensive security visibility with operational efficiency.

Identification of SIEM use cases

The integration of network devices with security monitoring infrastructure serves multiple objectives that extend beyond traditional security concerns. Understanding these use cases and developing the SIEM platform accordingly helps telecommunications providers justify the investment and design an integration strategy that delivers maximum value to the organization.

Fraud detection and prevention

Telecommunications providers face unique fraud challenges that can significantly impact revenue and reputation. By integrating network devices with SIEM systems, providers can detect and respond to various fraud scenarios in real time. For instance, when a sudden spike in international calls occurs from multiple subscribers to a specific destination, the SIEM system can correlate this pattern with historical baseline data to identify potential PBX compromise attempts. Similarly, monitoring signaling traffic from SS7 networks helps identify subscription fraud, where criminals attempt to exploit roaming services or bypass billing systems.

Regulatory compliance monitoring

Telecommunications providers must demonstrate the ability to continuously monitor compliance with the regulations of each jurisdiction they serve. Integrating network devices with SIEM/SOC infrastructure creates an auditable trail of security events and configuration changes. For example, when an engineer modifies access control lists on core routers, the SIEM system captures these changes and their authentication context and maintains chain-of-custody documentation that proves compliance with change management requirements.

Infrastructure protection and availability

Telecommunications infrastructure represents critical national assets that require sophisticated protection mechanisms. SIEM integration enables providers to detect and respond to threats targeting core network components. For instance, monitoring Border Gateway Protocol (BGP) routing updates across border routers helps identify potential route hijacking attempts that could disrupt internet connectivity for entire regions. Similarly, correlating authentication failures across network management interfaces helps detect coordinated attempts to compromise network infrastructure.

Network performance and security correlation

The convergence of security and network operations provides valuable insights into service delivery. When network devices feed performance metrics into the SIEM system alongside security events, service providers can identify security incidents that manifest as performance issues. Consider a scenario in which a Distributed Denial-of-Service (DDoS) attack targets the provider's DNS infrastructure. In this situation, the correlation between increased DNS query volumes, network utilization metrics, and security events enables faster detection and response, ultimately protecting service availability for legitimate customers.

Incident response and service-level agreements

The integration supports incident response processes and helps maintain service-level agreements. When security events from network devices flow into the SIEM system in real time, security teams can rapidly assess incident scope and impact. Consider a scenario in which a zero-day vulnerability affects specific router models. With integrated monitoring, a team can identify all affected devices, prioritize patches based on exposure, and demonstrate compliance with contractual response-time obligations.

Customer experience impact analysis

Security events often have direct implications for customer experience. By correlating security monitoring data with customer-facing services, providers can proactively address security issues before they affect subscribers. Consider a scenario in which a malware infection causes a customer's device to generate excessive signaling traffic. Integrated security monitoring can identify this behavior, enabling the provider to notify the customer and prevent service degradation for other subscribers sharing the same network resources.

Regulatory requirements

Telecommunications providers operate under a complex web of regulatory requirements that directly influence their security monitoring practices. These requirements must be carefully considered during the integration of network devices with SIEM and SOC infrastructure to ensure continuous compliance while protecting critical communications infrastructure.

Data protection and privacy

Telecommunications providers handle vast amounts of sensitive customer data, including call records, location information, and personal identifiers. Privacy regulations require providers to implement robust monitoring controls that can detect and prevent unauthorized access to this information. When integrating network devices with security monitoring systems, providers must ensure that the monitoring itself doesn't violate privacy mandates. This means implementing strict access controls on monitoring data, masking sensitive information in log files, and maintaining detailed audit trails showing who accesses what information and when.

For telecommunications providers operating in or serving customers in the European Union, the General Data Protection Regulation (GDPR) establishes strict requirements for protecting personal data. The National Institute of Standards and Technology (NIST) framework provides a comprehensive approach to security monitoring through its core functions: identify, protect, detect, respond, and recover. North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards like CIP-007-6, CIP-008-5, and CIP-010-2 dictate monitoring guidelines for telecommunications providers supporting critical infrastructure. Similarly, various controls (A.12.4, A.12.7, A.16.1, and A.18.2) in the International Organization for Standardization (ISO) 27001 Information Security Management standard provide a framework for security monitoring

Critical infrastructure protection

As essential service providers, telecommunications companies must comply with critical infrastructure protection regulations. These regulations typically require continuous monitoring of network infrastructure for security threats and operational anomalies. The monitoring system must be capable of detecting and alerting on potential compromises quickly enough to prevent service disruptions. For instance, when a core router experiences multiple failed authentication attempts followed by configuration changes, the security monitoring infrastructure must correlate these events and trigger appropriate response protocols within mandated timeframes.

Lawful interception requirements

Many jurisdictions require telecommunications providers to maintain capabilities for lawful interception of communications when presented with proper legal authorization. This requirement creates unique challenges for security monitoring integration, as providers must ensure that their monitoring systems can distinguish between authorized interception activities and potential security incidents. The monitoring infrastructure needs to maintain detailed records of all interception activities while protecting this sensitive information from unauthorized access.

Communication service continuity

Regulatory frameworks often specify minimum service availability requirements for telecommunications providers. Security monitoring plays a crucial role in meeting these obligations by detecting and responding to events that could impact service delivery. The integration must support real-time monitoring of service-affecting security incidents and provide adequate visibility into the security posture of critical network components.

Incident reporting obligations

Telecommunications regulators typically require prompt reporting of security incidents that meet certain threshold criteria. The security monitoring infrastructure must support this requirement by collecting and correlating relevant event data that helps determine when an incident meets reporting thresholds. This includes maintaining accurate timestamp information, preserving event context, and supporting the generation of regulatory reports in required formats.

Records retention and auditability

Regulations specify varying retention periods for different types of security event data. When integrating network devices with security monitoring systems, providers must implement retention policies that satisfy the longest applicable retention period while managing storage costs effectively. The system must maintain the integrity and authenticity of retained data, ensuring that it remains admissible for regulatory investigations or legal proceedings.

Cross-border data handling

Many telecommunications providers operate across multiple jurisdictions, each with its own regulatory requirements. Security monitoring systems must accommodate these varying requirements, particularly regarding data localization and cross-border data transfers. This might necessitate implementing monitoring architectures that can segregate data based on jurisdiction while maintaining comprehensive security visibility.

Cybersecurity framework alignment

Although specific frameworks vary by region, most telecommunications regulators require providers to align their security practices with recognized cybersecurity frameworks. Security monitoring integration must support the controls and metrics defined in these frameworks, enabling providers to demonstrate continuous compliance through automated monitoring and reporting capabilities.

Industry alignment

The telecommunications industry's unique security challenges and interconnected nature necessitate a standardized approach to threat intelligence and security monitoring. The GSMA Mobile Threat Intelligence Framework (MoTIF) represents a collaborative industry effort to establish a common foundation for security monitoring and threat intelligence sharing among telecommunications providers. This framework becomes particularly crucial when designing the integration approach for security monitoring infrastructure, as it ensures that the collected data can contribute to and benefit from industry-wide threat intelligence initiatives.

The GSMA MoTIF framework changes how telecommunications providers approach security monitoring by establishing standardized taxonomies for mobile threats and security events. When integrating network devices with SIEM and SOC infrastructure, providers must consider how their monitoring architecture will align with these standardized classifications. This alignment enables providers to contribute meaningful threat intelligence to the broader telecommunications community while simultaneously enriching their security monitoring capabilities with industry-wide insights. The framework's emphasis on mobile network infrastructure, signaling protocols, and subscriber security provides a comprehensive lens through which providers can evaluate their monitoring requirements.

Shown below is the MoTIF matrix referenced from the public GSMA FS.57 document.

GSMA MoTIF matrix (Source: GSMA FS.57 Mobile Threat Intelligence Framework [MoTIF] Principles)

Data analytics

Security monitoring infrastructure in telecommunications networks serves as a rich source of data that, when properly analyzed, can provide profound insights beyond traditional security use cases. Understanding how to harness this data effectively transforms security monitoring from a cost center into a strategic asset that drives business value.

Network behavior analytics

The extensive data collected from network devices enables sophisticated behavioral analysis that can enhance both security and service delivery. By applying advanced analytics to this data, telecommunications providers can develop a deep understanding of normal network behavior patterns. When analyzing network traffic patterns, providers can identify subtle anomalies that might indicate security threats or service issues before they impact customers. For instance, machine learning algorithms processing historical traffic data can establish baseline behaviors for different times of day and days of the week, as well as seasonal variations. This behavioral baseline becomes invaluable for detecting anomalous patterns that traditional threshold-based monitoring might miss.

Subscriber experience analytics

Security monitoring data contains valuable insights into customer experience metrics. By analyzing authentication patterns, session data, and service access logs, providers can understand how customers interact with their services. This analysis helps identify friction points in service delivery, such as repeated authentication failures that might indicate usability issues rather than security threats. Furthermore, analyzing security event data alongside customer support tickets can reveal correlations between security controls and customer satisfaction, enabling providers to optimize security measures without compromising user experience.

Threat intelligence generation

The vast amount of security monitoring data collected across a telecommunications network can be transformed into actionable threat intelligence. By analyzing attack patterns, malicious behavior indicators, and security incidents across their infrastructure, providers can develop proprietary threat intelligence that benefits both their security operations and their customers. This analysis might reveal emerging attack trends specific to telecommunications infrastructure, enabling providers to enhance their security controls proactively and share insights with their enterprise customers.

Service development insights

Analytics performed on security monitoring data can inform service development decisions. By analyzing how customers interact with security controls, providers can identify opportunities for new service offerings or improvements to existing services. For instance, analysis of VPN usage patterns might reveal demand for advanced security services among specific customer segments, guiding the development of new secure communication offerings.

Cross-domain analysis

Security monitoring data becomes particularly valuable when analyzed alongside data from other business domains. By correlating security events with customer relationship management data, network operations data, and business performance metrics, providers can develop a more comprehensive understanding of their operations. This cross-domain analysis might reveal, for example, how security incidents impact customer churn rates or how security investments correlate with customer retention.

Storage considerations

The massive scale of telecommunications networks generates an unprecedented volume of security monitoring data, making storage architecture one of the most critical aspects of SIEM and SOC integration. Understanding and implementing appropriate storage strategies ensures both operational efficiency and regulatory compliance while managing costs effectively.

Storage volume planning

Telecommunications providers must carefully consider the exponential growth of security monitoring data. A typical provider's network generates security events from multiple layers of infrastructure—from radio access networks to core switching systems, each producing thousands of events per second. When we examine a medium-sized provider's daily log generation, we might see upwards of 10 terabytes of raw security event data. This volume multiplies when we consider the need to store enriched data with additional context and correlation information.

The planning process must account for various factors that influence storage requirements. Network growth projections play a crucial role; as providers expand their 5G infrastructure, for instance, the number of connected devices and network elements increases dramatically, leading to corresponding growth in security event data. Similarly, the introduction of new services or security controls often results in additional logging requirements that impact storage needs.

Data lifecycle management

Effective storage management requires comprehensive data lifecycle policies. The lifecycle begins when security events are first captured and includes several crucial phases:

●      Initial processing and enrichment: Raw security events undergo enrichment with additional context, potentially increasing their storage footprint. The storage architecture must accommodate both the original events and their enriched versions while maintaining data integrity and relationships.

●      Retention period management: Different types of security events require varying retention periods based on operational and regulatory requirements. For instance, authentication events might need longer retention than routine network health checks. The storage system must support flexible retention policies while ensuring that no premature data deletion occurs.

●      Regulatory requirements management: Telecommunications providers must navigate a complex landscape of regulatory requirements that directly influence how security monitoring data is stored, managed, and eventually disposed of throughout its lifecycle. For example, under EU regulations, providers must classify data into distinct categories that determine their lifecycle requirements:

◦    Traffic data: Information about call routing, duration, and network usage patterns must be retained for 6 to 24 months, depending on the member state’s implementation of the Data Retention Directive.

◦    Location data: Geographic information about mobile device connections requires special handling, with retention periods typically limited to 12 months.

◦    Subscriber data: Basic account and identity information may be retained for the duration of the service relationship plus an additional period specified by national regulations.

Data compression and optimization

Storage optimization techniques play a vital role in managing large-scale security monitoring data:

●      Real-time compression: Implementing efficient compression algorithms reduces storage requirements while maintaining quick access to recent events. The compression strategy must balance storage savings against processing overhead, particularly for high-volume event sources.

●      Deduplication: Telecommunications networks often generate redundant security events across different monitoring points. Intelligent deduplication strategies can significantly reduce storage requirements while preserving essential security context. For example, multiple failed authentication attempts from the same source might be consolidated without losing critical security information.

Log integration principles

Telecommunications providers must adopt a systematic approach to log collection and integration that encompasses both traditional network elements and modern virtualized network functions across their infrastructure. This integration strategy needs to account for the diverse array of network segments, including Radio Access Network (RAN) components like base stations and radio controllers, Multi-access Edge Computing (MEC) nodes that process data at the network edge, transport network elements handling data transmission, core network components managing subscriber and service data, and interconnection points for peering and roaming services. Each network segment generates distinct log types, from signaling protocol messages like Diameter and SS7 to application-level logs from virtualized network functions. These logs serve multiple SOC use cases, including threat detection, service availability monitoring, fraud prevention, and security compliance verification. The horizontal nature of telecommunications infrastructure necessitates careful consideration of log sources from various categories of devices, including physical network elements, virtualized network functions, cloud-native network functions, security appliances, and operational support systems. Network operators must particularly focus on monitoring critical interfaces and protocols unique to telecommunications, such as the S1 interface in LTE networks, Diameter signaling in the core network, and GPRS Tunneling Protocols (GTPs), as these represent potential attack vectors that could compromise network integrity and service availability.

Categorization of devices

The effectiveness of security monitoring in telecommunications networks heavily depends on proper categorization of devices and systems, which determines logging priorities, retention policies, and integration approaches. Understanding these categories helps security teams implement appropriate monitoring strategies that align with both operational requirements and security objectives.

Category 1: Critical security and core network devices

At the heart of telecommunications infrastructure lie the critical security devices and core network elements that form the foundation of service delivery. These devices require the most comprehensive and granular logging configuration due to their central role in network operations. The main routing and switching infrastructure in this category handles the bulk of network traffic, making its logs invaluable for detecting network-based attacks, traffic anomalies, and potential service disruptions. Authentication servers, including Home Subscriber Servers (HSS) and Authentication, Authorization, and Accounting (AAA) systems, process sensitive subscriber credentials and generate crucial security events that must be monitored in real time. Security appliances such as firewalls, intrusion prevention systems, and DDoS mitigation platforms generate high-priority security alerts that demand immediate attention from SOC teams.

Category 2: Supporting systems and service platforms

The second category encompasses systems that, while not directly involved in network operations, handle sensitive customer and operational data that requires careful monitoring. Billing platforms generate logs that are critical for detecting fraud attempts and revenue assurance. Customer databases, including Customer Relationship Management (CRM) systems and subscriber databases, require monitoring to ensure data privacy and detect unauthorized access attempts. Service delivery platforms, which manage value-added services and content delivery, generate application-level logs that provide insights into service usage patterns and potential security violations. The logging requirements for these systems focus on data access patterns, authentication events, and transaction logs that could indicate fraudulent activities or data breaches.

Category 3: Edge and access network systems

The third category includes edge devices, access networks, and auxiliary systems that form the outer layer of the telecommunications infrastructure. Radio access network components like base stations and small cells generate logs related to subscriber connectivity and signal quality. Edge routers and access switches produce logs that help monitor the network perimeter and detect unauthorized access attempts. Auxiliary systems, including monitoring platforms and testing equipment, generate operational logs that, while less critical, still contribute to the overall security posture. The logging strategy for these devices typically focuses on volumetric anomalies, access control violations, and operational status changes.

Integration priorities and considerations

In telecommunications networks, the strategic integration of network devices into SOC infrastructure requires a carefully planned approach that balances security requirements with operational efficiency. This prioritization framework ensures that the most critical security monitoring capabilities are established first, followed by progressive integration of supporting systems.

Critical security and core network integration (Category 1)

The integration of Category 1 devices represents the foundation of telecommunications security monitoring. These devices generate security-critical logs that serve as the primary data source for detecting and responding to security threats. Core network elements like Mobile Switching Centers (MSC), Mobility Management Entities (MME), and Session Border Controllers (SBC) process millions of subscriber sessions daily, making their logs invaluable for security analysis. The authentication servers, including HSS and Authentication Centers (AuC), handle sensitive subscriber credentials and generate authentication logs that must be monitored in real time to detect potential compromise attempts. Similarly, billing mediation platforms process charging data records that are crucial for detecting fraud attempts and revenue leakage.

The integration of these devices demands immediate attention for several compelling reasons. First, these systems process and transmit sensitive subscriber data, including location information, call metadata, and authentication credentials. Any compromise of these systems could lead to severe privacy breaches and regulatory violations. Second, these devices form the backbone of service delivery, making their security logs essential for maintaining service continuity and detecting potential service-affecting security incidents. Third, the logs from these devices provide visibility into critical network protocols like Diameter and SS7, enabling the detection of protocol-specific attacks that could compromise network integrity.

Supporting systems integration (Category 2)

Once Category 1 devices are successfully integrated, telecommunications providers should proceed with the integration of Category 2 systems. These supporting platforms, while not directly involved in network operations, handle significant amounts of sensitive customer and operational data. Customer databases store personal information, service preferences, and account details, making their access logs valuable for detecting unauthorized data access or potential insider threats. Service delivery platforms managing value-added services generate application-level logs that can reveal attempts to exploit service vulnerabilities or conduct fraud.

The integration of Category 2 devices follows a "should" priority level because while they handle sensitive information, their logs are typically less time-critical for incident detection and response compared to Category 1 devices. However, their integration remains important for maintaining a comprehensive security monitoring posture and supporting forensic investigations when needed.

Selective edge and access network integration (Category 3)

The integration of Category 3 devices requires careful consideration of specific use cases beyond routine security monitoring. These devices, including RAN elements and auxiliary systems, generate enormous volumes of operational logs that can quickly overwhelm storage systems and consume SIEM licensing capacity if not properly filtered. The decision to integrate these devices should be driven by specific business requirements or security use cases that justify the additional resource consumption.

For instance, if a telecommunications provider needs to analyze subscriber usage patterns for security anomaly detection or requires detailed visibility into edge network behavior for specific threat hunting scenarios, the integration of relevant Category 3 devices becomes warranted. However, this integration should be preceded by careful planning to implement appropriate log filtering and aggregation mechanisms to ensure that only relevant security events are forwarded to the SOC infrastructure.

Types of logs for integration

In telecommunications environments, effective security monitoring relies on the collection and analysis of diverse log types generated by various network elements, services, and applications. Understanding these different log types, their formats, and their security implications is crucial for implementing comprehensive security monitoring. To generate the best result from a SIEM tool, consider feeding the following types of device logs into the monitoring tool.

Authentication and access control logs

Integration priority: MUST

Authentication logs form a critical component of security monitoring in telecommunications networks. These logs are generated when users, systems, or subscribers attempt to access network resources or services. In traditional network elements, authentication logs often come from RADIUS or TACACS+ servers, providing detailed information about administrator user access attempts, privilege levels, and command execution. In virtualized environments, authentication logs might originate from identity and access management systems or Kubernetes cluster authentication events. The correlation of these logs helps security teams detect unauthorized access attempts, privilege escalation activities, and potential credential compromise scenarios. For instance, multiple failed authentication attempts across different network elements might indicate a systematic attempt to breach network security.

Security event logs

Integration priority: MUST

Security event logs are generated by dedicated security devices and security modules within network elements. These logs often follow structured formats and contain specific security-related events like firewall policy violations, intrusion detection alerts, and malware detection events. Traditional network elements typically generate these logs through Simple Network Management Protocol (SNMP) traps or syslog messages, while cloud-native environments might use container security logs or security event feeds from cloud security posture management tools. Security event logs are crucial for detecting and investigating potential security incidents, such as unauthorized access attempts, policy violations, or malicious activities within the network. Their integration is nonnegotiable due to their direct security relevance and the potential impact of missing critical security events. Another important consideration is identifying the types of events that need to be logged, specifically allowed or denied events from a security device like a SS7 firewall. Logging denied security events is crucial for detecting potential threats and unauthorized access attempts while maintaining system performance. Unlike logging all events, which can overwhelm storage and processing resources, focusing on denied events helps the SOC quickly identify suspicious patterns, such as repeated login failures or blocked network connections. This targeted approach not only conserves system resources but also makes threat analysis more efficient by reducing noise in the logs and highlighting activities that warrant immediate investigation.

Audit logs

Integration priority: MUST for administrative actions, SHOULD for system-generated events

Audit logs provide a detailed record of system and user activities, making them invaluable for security monitoring and compliance purposes. In telecommunications environments, audit logs capture configuration changes, system modifications, and administrative actions across both traditional and virtualized network functions. These logs often maintain structured formats that include timestamps, user identities, actions performed, and the outcome of those actions. The correlation of audit logs across different systems helps security teams track unauthorized system changes, detect potential insider threats, and maintain compliance with security policies. Logs recording administrative actions and configuration changes MUST be integrated due to their security significance and potential insider threat indicators. System-generated audit events SHOULD be integrated after careful filtering to focus on security-relevant information. This tiered approach ensures critical security visibility while managing log volumes effectively.

Operational logs

Integration priority: SHOULD with selective filtering

Operational logs provide insights into the functioning of network elements and services. While primarily used for performance monitoring, these logs can also indicate security-relevant events. Traditional network elements generate operational logs through syslog or SNMP, while virtualized functions might use container logs or cloud platform logging services. The security significance of operational logs becomes apparent when analyzing service disruptions that might indicate denial-of-service attacks or when investigating performance anomalies that could signal security incidents. Operational logs SHOULD be integrated with appropriate filtering mechanisms in place. While these logs can indicate security-relevant events, their high volume requires careful selection of the events to forward to the SIEM system. Service providers should establish clear criteria for identifying security-relevant operational events and implement filtering at the source to prevent SIEM overload.

Protocol-specific logs

Integration priority: MUST for security-relevant protocols, MAY for others

Protocol logs require a differentiated approach:

●      MUST integrate: Signaling protocol logs (SS7, Diameter) due to their security implications

●      MUST integrate: Authentication protocol logs (RADIUS, Diameter)

●      SHOULD integrate: GTP protocol logs for roaming and interconnect interfaces

●      MAY integrate: Other protocol logs based on specific security use cases

Telecommunications networks generate extensive protocol-specific logs that require special attention in security monitoring. These include logs from signaling protocols like Diameter and SS7, which can reveal attempts to exploit protocol vulnerabilities or commit fraud. The logs often contain structured information about protocol transactions, including source and destination addresses, message types, and transaction results. Security teams correlate these logs to detect protocol-specific attacks, such as SS7 map scanning or Diameter-based location tracking attempts.

Log severity levels and their security implications

Telecommunications logs typically follow standardized severity levels, ranging from Emergency (level 0) to Debug (level 7). Understanding these severity levels is crucial for proper security monitoring:

●      Emergency (0) and Alert (1): Indicate critical security events requiring immediate attention

●      Critical (2) and Error (3): Often signal security-relevant system failures or policy violations

●      Warning (4): May indicate potential security issues requiring investigation

●      Notice (5) and Informational (6): Provide context for security investigations

●      Debug (7): Useful for detailed forensic analysis during security incidents

Priority recommendations based on severity:

●      MUST integrate: Emergency (0), Alert (1), and Critical (2) events

●      MUST integrate: Error (3) events related to security controls

●      SHOULD integrate: Warning (4) events with security implications

●      MAY integrate: Notice (5) and Informational (6) events based on specific use cases

●      SHOULD NOT integrate: Debug (7) events unless needed for specific investigations

Domain-based integration guideline

EPC/LTE

The Evolved Packet Core (EPC) in LTE networks, shown in the figure below, represents a critical telecommunications infrastructure that demands comprehensive security monitoring. Understanding the threats, risks, and appropriate monitoring approaches helps telecommunications providers implement effective security controls and detection mechanisms

LTE architecture

More details on the LTE architecture can be found in the 3GPP white paper at
https://www.3gpp.org/images/PDF/lte_advanced_SAI_paper.pdf

Threats and risks in the EPC/LTE environment

Infrastructure-level threats and risks

The core network infrastructure faces sophisticated attacks that can compromise service delivery and subscriber privacy. Attackers often exploit vulnerabilities in signaling protocols, particularly Diameter and GTP, to breach network security. Malicious actors might attempt to compromise network elements through unauthorized access, often targeting management interfaces or misconfigured network services. Configuration tampering on core network elements can lead to service disruption or unauthorized traffic routing. Additionally, DDoS attacks targeting core network components can cause widespread service outages.

Subscriber-related threats

Subscribers face various risks from attacks targeting their service usage and privacy. Location tracking attempts through exploitation of signaling protocols can compromise subscriber privacy. Authentication bypass attacks might allow unauthorized access to network services. Subscription fraud through compromised subscriber credentials or SIM cloning affects both subscribers and operators. Man-in-the-middle attacks at the radio interface or core network can intercept subscriber traffic.

Security use cases for SIEM/SOC implementation

Diameter protocol attack detection

●      Monitor Diameter authentication requests for unusual patterns.

●      Track location update requests for potential subscriber tracking.

●      Detect unauthorized Diameter peers attempting connection.

●      Detect excessive retransmissions or invalid response codes.

●      Identify abnormal message sequences indicating protocol exploitation.

SS7 attack detection

●      Detect SS7 Unauthorized Message types.

●      Track subscribers.

●      Detect fraud and DDoS.

Subscriber authentication anomalies

●      Monitor authentication failures across MME/HSS interfaces.

●      Track simultaneous authentications from different locations.

●      Detect unusual roaming patterns indicating potential fraud.

●      Identify multiple authentication attempts within short timeframes.

Core network access control

●      Monitor administrative access to core network elements.

●      Track configuration changes on critical network functions.

●      Detect unauthorized attempts to access management interfaces.

●      Identify privilege escalation attempts on network elements.

Traffic pattern anomalies

●      Monitor unusual traffic patterns through Packet Data Network Gateways (PGW) and Serving Gateways (SGW).

●      Track sudden spikes in signaling traffic.

●      Detect abnormal roaming traffic patterns.

●      Identify unusual subscriber behavior patterns.

System integrity monitoring

●      Track system file changes on core network elements.

●      Monitor process creation and termination.

●      Detect unauthorized software installation.

●      Identify system resource exhaustion attempts.

Table 1.        EPC/LTE network elements and logging requirements

5G

The transition to 5G represents a fundamental shift in telecommunications architecture, introducing a cloud-native, service-based approach that differs significantly from traditional mobile networks. Unlike previous generations that relied on point-to-point interfaces between network functions, 5G adopts a flexible, software-defined architecture in which network functions communicate through Service-Based Interfaces (SBIs). This architectural evolution, combined with technologies like network slicing, edge computing, and virtualization, enables unprecedented service capabilities but also introduces new security challenges that require sophisticated monitoring approaches.

5G architecture

More details on 5G architecture can be found in the 3GPP 5G system overview at
https://www.3gpp.org/technologies/5g-system-overview

Threats and risks in the 5G environment

The 5G network architecture, as shown in the above figure, introduces new security challenges due to its service-based architecture, network slicing capabilities, and integration with edge computing. The virtualization of network functions and the adoption of cloud-native principles create an expanded attack surface where traditional perimeter-based security approaches are insufficient. Attackers can potentially exploit the service-based interfaces between network functions to gain unauthorized access or disrupt services. The distributed nature of 5G networks, with their emphasis on edge computing and low-latency services, means that security breaches can have localized yet severe impacts on critical services. Network slicing, while providing isolation between different service types, introduces risks related to slice security policy enforcement and cross-slice isolation breaches. The increased reliance on software-defined networking and NFV exposes the infrastructure to software-based attacks, including container escape vulnerabilities and orchestration system compromises.

From a subscriber perspective, while 5G introduces enhanced security features compared to previous generations, risks still exist. The integration with non-3GPP access networks creates potential vulnerabilities in authentication and authorization mechanisms. The support for massive IoT deployments introduces risks related to device authentication and management at scale. Enhanced Mobile Broadband (eMBB) services, with their high bandwidth capabilities, can be targeted for data interception or service theft. Ultra-Reliable Low-Latency Communication (URLLC) services, critical for industrial applications and autonomous systems, face risks from timing attacks and service disruption attempts that could have severe real-world consequences.

Security use cases for SIEM/SOC implementation

SBI monitoring

●      Detect unauthorized Network Function (NF) registration attempts.

●      Monitor NF service discovery patterns.

●      Track abnormal service access patterns.

●      Identify suspicious inter-NF communications.

Network slice security monitoring

●      Track slice creation and modification events.

●      Monitor slice resource allocation.

●      Detect cross-slice interference attempts.

●      Identify slice policy violations.

Edge computing security

●      Monitor MEC platform access.

●      Track application deployment changes.

●      Detect resource utilization anomalies.

●      Identify unauthorized edge service access.

Container and orchestration security

●      Monitor container runtime activities.

●      Track orchestration platform events.

●      Detect unauthorized container access.

●      Identify suspicious container behavior.

Authentication and access monitoring

●      Track User Equipment (UE) authentication events.

●      Monitor non-3GPP access attempts.

●      Detect anomalous registration patterns.

●      Identify subscriber profile modifications

Table 2.        5G network elements and logging requirements

IMS

The IP Multimedia Subsystem (IMS) serves as the control layer for delivering multimedia services over IP networks, acting as a crucial bridge between traditional telephony and modern IP-based communications. As the foundation for voice over LTE (VoLTE), voice over Wi-Fi (VoWiFi), and Rich Communication Services (RCS), IMS integrates various protocols, including Session Initiation Protocol (SIP), Diameter, and H.248/Megaco to enable seamless service delivery. This complex protocol interaction, combined with the need to maintain high availability for critical voice and messaging services, creates unique security monitoring requirements. The interconnection of IMS with both legacy networks and modern IP services further emphasizes the importance of comprehensive security visibility across all communication layers.

IMS architecture

More details on general IMS architecture can be found at the ETSI TS 123 517 technical specification at
https://www.etsi.org/deliver/etsi_ts/123400_123499/123417/07.00.00_60/ts_123417v070000p.pdf

Threats and risks in the IMS environment

The IMS infrastructure faces multifaceted security challenges due to its position as a convergence point for various communication services. SIP-based attacks targeting the IMS core components can lead to service disruption or unauthorized access to voice and multimedia services. The exposure of SIP interfaces to external networks, particularly through interconnects and roaming partnerships, creates opportunities for toll fraud, service theft, and signaling-based attacks. Registration hijacking and identity spoofing attempts can compromise subscriber services and privacy, while malformed SIP messages can potentially crash critical IMS components or cause service degradation. The integration with legacy networks through media gateways introduces risks associated with protocol translation and interworking functions, potentially exposing both domains to cross-protocol attacks. Additionally, the dependency on DNS for service routing creates vulnerabilities that could allow DNS poisoning or hijacking to redirect traffic to malicious endpoints or cause service outages.

Security use cases for SIEM/SOC implementation

SIP signaling monitoring

●      Detect unauthorized SIP registration attempts.

●      Monitor for SIP flooding attacks.

●      Track abnormal call patterns indicating fraud.

●      Identify malformed SIP message attacks.

SBC security monitoring

●      Detect blacklisted phone number or IP address with successful registration.

●      Detect multiple successful and failed registration attempts.

●      Detect fraudulent user-based activity.

●      Detect misconfigured or incorrectly provisioned profiles.

●      Track IP address associated with multiple user profiles.

●      Monitor high volumes of failed registrations for brute force indicators.

VoIP security detection

●      Detect unauthorized IP activity targeting VoIP devices.

●      Identify malicious code delivered via phishing or watering hole attacks.

●      Monitor binary files used to deploy malicious scripts.

●      Detect anomalous device behavior indicating compromise.

Media gateway security

●      Monitor media gateway access attempts.

●      Track unusual traffic patterns through gateways.

●      Detect unauthorized protocol translations.

●      Identify resource exhaustion attempts.

Service authentication and authorization

●      Track IMS registration events.

●      Monitor service profile modifications.

●      Detect multiple registration attempts.

●      Identify unauthorized feature access.

Interconnect security

●      Monitor interconnect signaling patterns.

●      Track border element security events.

●      Detect unusual traffic volumes.

●      Identify attempts to misuse protocols.

DNS security monitoring

●      Track DNS query patterns.

●      Monitor DNS response validity.

●      Detect cache poisoning attempts.

●      Identify unusual DNS traffic patterns.

Table 3.        IMS network elements and logging requirements

Transport/MPLS network

The transport network serves as the telecommunications infrastructure's backbone, providing critical connectivity between various network domains through Multiprotocol Label Switching (MPLS) technology. Unlike access or core networks that focus on subscriber services, transport networks prioritize high-speed, reliable data transmission between network segments, making their security requirements unique. MPLS networks create virtual paths through the infrastructure using Label-Switched Paths (LSPs), enabling traffic engineering and service separation. This sophisticated traffic management, combined with the network's role in carrying multiple traffic types (user data, signaling, management) across different network segments (RAN, core, IMS), makes security monitoring particularly crucial, as any compromise could affect multiple services and domains simultaneously

Transport network

Threats and risks in the transport/MPLS environment

The transport infrastructure's critical nature makes it an attractive target for sophisticated attacks aimed at disrupting network connectivity or intercepting traffic. MPLS label spoofing attacks can redirect traffic flows, potentially exposing sensitive data or causing service disruption across multiple network segments. The distributed nature of transport networks, which often span large geographical areas, creates numerous points of potential compromise through unauthorized physical or logical access to network elements. BGP-based attacks targeting the control plane can manipulate routing tables and traffic paths, leading to traffic blackholing or unauthorized traffic redirection. The integration of legacy Time-Division Multiplexing (TDM) services with packet-based transport introduces complexity around protocol conversion points, creating potential vulnerabilities in hybrid networks. Additionally, the reliance on network management systems for configuration and monitoring creates risks because compromised management access could lead to widespread network disruption.

Security use cases for SIEM/SOC implementation

MPLS control plane monitoring

●      Track LSP establishment and teardown events.

●      Monitor label distribution protocol messages.

●      Detect unauthorized label advertisements.

●      Identify abnormal path changes.

●      Detect manipulation of labels.

BGP security monitoring

●      Monitor BGP session states.

●      Track routing table modifications.

●      Detect unauthorized peer announcements.

●      Identify route hijacking attempts.

Network element access control

●      Monitor management interface access.

●      Track configuration changes.

●      Detect unauthorized access attempts.

●      Identify privilege escalation events.

●      Detect password brute force attempts.

●      Detect reconnaissance attempts.

Traffic engineering security

●      Monitor bandwidth reservation patterns.

●      Track Quality-of-Service (QoS) policy changes.

●      Detect unauthorized traffic prioritization.

●      Identify resource allocation anomalies.

Physical infrastructure security

●      Monitor environmental alarms.

●      Track physical access events.

●      Detect fiber cuts or tampering.

●      Identify power system anomalies.

Table 4.        Transport network elements and logging requirements

Value-added services

Value-Added Services (VAS) represent the diverse portfolio of enhanced telecommunications offerings that differentiate service providers and generate additional revenue streams. These services— including VoLTE, broadband, IPTV, Video on Demand (VoD), and Wi-Fi—share common infrastructure elements but maintain unique service delivery requirements. The integration of these services with core network components, coupled with their direct interaction with end users and content providers, creates a complex security landscape. The convergence of different technologies, protocols, and content delivery mechanisms requires a sophisticated security monitoring approach that can protect both the service infrastructure and the subscriber experience while ensuring content security and service continuity.

Threats and risks in the VAS environment

The multifaceted nature of VAS creates a diverse threat landscape that spans both infrastructure and content security domains. Service theft and unauthorized access attempts are common across all VAS platforms, with attackers attempting to bypass authentication mechanisms or exploit misconfigured service policies. Content piracy and unauthorized redistribution pose significant risks for IPTV and VoD services, where premium content could be intercepted and illegally shared. In broadband services, subscriber line exploitation could lead to unauthorized network access or service theft through techniques like MAC address spoofing or Dynamic Host Configuration Protocol (DHCP) starvation attacks. VoLTE services face risks from signaling exploitation and voice fraud attempts, while Wi-Fi services are vulnerable to rogue access points and man-in-the-middle attacks. The integration with billing systems creates additional risks in which service usage could be manipulated to avoid charges or conduct fraud. Additionally, the reliance on Content Delivery Networks (CDNs) and caching systems introduces risks related to content integrity and unauthorized access to cached content.

Security use cases for SIEM/SOC implementation

Service access monitoring

●      Track service authentication events.

●      Monitor service activation patterns.

●      Detect unauthorized service access.

●      Identify service usage anomalies.

Content security monitoring

●      Monitor content access patterns.

●      Track content distribution events.

●      Detect unauthorized content access.

●      Identify content manipulation attempts.

Subscriber authentication

●      Monitor authentication methods.

●      Track failed authentication attempts.

●      Detect credential abuse patterns.

●      Identify unusual access patterns.

QoS security

●      Monitor service degradation events.

●      Track resource utilization patterns.

●      Detect service disruption attempts.

●      Identify QoS policy violations.

Wi-Fi security monitoring

●      Track access point associations.

●      Monitor authentication methods.

●      Detect rogue access points.

●      Identify wireless attacks.

Table 5.        VAS network elements and logging requirements

Conclusion

In this white paper, we have explored a comprehensive framework for implementing security monitoring across diverse telecommunications domains. Our approach reflects the complex nature of modern telecommunications infrastructure while providing a structured methodology for security teams to implement effective monitoring solutions.

The foundation of our framework begins with the fundamental understanding that not all network elements carry equal weight in security monitoring. By establishing a clear device categorization system—differentiating between critical security devices (Category 1), supporting systems (Category 2), and edge devices (Category 3)—we have provided telecommunications providers with a practical way to prioritize their monitoring efforts. This categorization directly influences integration priorities, ensuring that the most security-critical elements receive immediate attention while managing resource utilization effectively.

Building upon this categorization, we developed a detailed understanding of log types and their security significance. From authentication logs that reveal potential security breaches to protocol-specific logs that expose sophisticated attacks, each log type serves specific security monitoring objectives. The framework establishes clear integration priorities using MUST, SHOULD, and MAY recommendations, helping organizations make informed decisions about log collection and analysis.

Our domain-specific analysis—covering EPC/LTE, 5G, IMS, transport/MPLS, and VAS—demonstrates how this framework adapts to different technological contexts while maintaining consistency in approach. Each domain presents unique security challenges, from signaling protocol exploitation in core networks to content security in VAS. By examining threats, risks, and security use cases specific to each domain, we provide security teams with actionable insights for implementing effective monitoring solutions.

The structured presentation of devices, their categories, and required log types for each domain creates a practical reference for security teams implementing SIEM solutions. This approach ensures that service providers can systematically deploy security monitoring while maintaining focus on their most critical assets and security objectives. The consistent framework across domains also facilitates cross-domain security monitoring and correlation, essential for detecting sophisticated attacks that span multiple network segments.

Perhaps most importantly, the framework acknowledges the evolving nature of telecommunications infrastructure. From traditional network elements to virtualized functions, from legacy protocols to modern service-based interfaces, the approach remains adaptable while maintaining its core principles of prioritization, comprehensive coverage, and practical implementation.

As telecommunications networks continue to evolve, this framework provides a foundation that can adapt to new technologies and service models while ensuring effective security monitoring. The principles established here—device categorization, log type prioritization, and domain-specific security use cases—will remain relevant even as network architectures and services transform, making this a valuable reference for telecommunications security professionals implementing and maintaining security monitoring solutions.

Looking ahead, this framework can be extended to address emerging challenges such as cross-domain security correlation, automated response capabilities, and integration with artificial intelligence-driven security analytics. The structured approach we have established provides a solid foundation for these future enhancements while ensuring effective security monitoring in current telecommunications environments.

 

Authors

Tiju Johnson

Customer Delivery Security Architect

Basel Zahran

Consulting Engineer