1 Security Shield Overview
Oracle® Communications Security Shield Cloud Service (Security Shield) is a cloud service that restores trust in the phone channel.
Topics:
Security Shield assesses risk and verifies the caller ID to protect against fraud and scams. The primary services that Security Shield provides are fraud and spam mitigation and trusted enterprise calls.
Security Shield provides rich analytics that you can use to assess the deep call insights provided to examine the call center key performance indicators as well as fraud and spam details to facilitate investigations.
- Fraud and Spam Mitigation Overview
- Trusted Enterprise Calls
- General Features
- Security Shield Deplyoment Model
- Security Shield Components
- Session Border Controller and Session Router
- Cloud Communication Service
- Oracle® Communications Security Shield Cloud Service
- Security Shield Subscriptions
- Security Shield Features per Subscription
Fraud and Spam Mitigation Overview
Oracle® Communications Security Shield Cloud Service (Security Shield) identifies suspicious use of phone numbers and detects anomalies in calling patterns to flag or block fraudulent, scam, and spam calls.
Security Shield dynamically assess the risk for each call by using traffic behavior data, deterministic data, and intelligence data using machine learning. Deterministic data includes data attributes about a phone number such as line type and telecom carrier of record, whether the number is allocated or not, and many others. Intelligence data includes crowd-sourced information about fraudulent calls. Security Shield uses machine learning techniques to detect anomalies and identify potential fraud based on traffic behavior. Security Shield uses all these data inputs to classify the risk probability as well as threat prediction.
Trusted Enterprise Calls
The Oracle® Communications Security Shield Cloud Service (Security Shield) Trusted Enterprise Calls service enables you to verify your outbound calls using STIR/SHAKEN call authentication to reduce call spoofing and fraud. Security Shield can automate the end-to-end process of digitally signing calls using STIR/SHAKEN for you.
Note:
Currently, Security Shield supports only Transunion TruContact Caller ID Authentication (formerly known as Neustar Enterprise Certified Caller).SPL Requirements for Trusted Enterprise Calls
The 24.0.0.0.0 release adds new SPL options to send only inbound or outbound calls to the Security Shield cloud. You must use SPL 1.1.4 or higher for the Trusted Enterprise Calls subscription.
Important:
Customers currently using Security Shield must upgrade their Session Border Controllers to the latest released SPL, but only after upgrading their tenant to the latest Security Shield release. Get the latest version available for download from Oracle Software Delivery Cloud or My Oracle Support. Install the SPL on the external-facing realm.- spl-options ocssEnabled, inboundOnly—Allows only inbound calls
- spl-options ocssEnabled, outboundOnly—Allows only outbound calls
- spl-options ocssEnabled—Allows both inbound and outbound calls
Configuration Examples
spl-options ocssEnabled,inboundOnly:spl-options ocssEnabled,outboundOnlyGeneral Features
Oracle® Communications Security Shield Cloud Service (Security Shield) provides the following features.
- A Dashboard with graphical visualizations of your phone traffic. The Dashboard shows which events were detected, the enforcement actions applied, and more. The Dashboard also provides service management
- Call admission based on customer-managed “allow” lists and "blocklists".
Security Shield Deplyoment Model
Oracle® Communications Security Shield Cloud Service (Security Shield integrates with your Oracle Communications Session Border Controller or with your Oracle Communications Session Router. The deployment includes the Cloud Communication Service (CCS).
The Oracle Cloud Infrastructure hosts Security Shield along with other components that Security Shield uses for operations such as the Dashboard, analytics, third party integration, the data store, and other services.
Security Shield Components
The following information explains the components in an Oracle® Communications Security Shield Cloud Service (Security Shield) deployment.
A Security Shield deployment includes the Oracle Communications Session Border Controller (SBC) and the Cloud Communication Service (CCS). The Oracle Cloud Infrastructure hosts Security Shield along with other components that Security Shield uses for operations such as the Dashboard, analytics, phone intelligence look-ups, the data store, and other services. The Cloud Communications Service (CCS) and the SBC reside on-premises.
Diagram of Security Shield Components
The following diagram shows the components in a Security Shield deployment.
Session Border Controller
The SBC serves as the entry point for calls and acts as the enforcement point for implementing the actions that Security Shield instructs. The SBC also reports the end of a call, the reason for termination, and call timers, which Security Shield uses for reputation assessment and threat detection.
Cloud Communication Service
The CCS establishes a secure ground-to-cloud tunnel for on-premises Security Shield components to communicate with Security Shield components in the Oracle Cloud Infrastructure.
Oracle Communications Security Shield Cloud Service
Security Shield hosts the Web GUI, which displays tabs where you can configure, manage, and maintain the service.
Security Shield applies rules, provides call behavior analytics, sends the enforcement actions to the session border controller. Security Shield combines various sources of information to instruct the session border controller about which actions to perform on a call. Security Shield works predominantly pre-answer, but also supports post-answer control. The enforcement actions, which you can specify, can include actions such as allowing, blocking, and redirecting the call to a different destination.
Security Shield also integrates with the Data Analytics Cloud Service, which is a combination of multiple services designed to perform advanced analytics. The Data Analytics Cloud Service stores SIP INVITE messages and policy results in a data lake for analytics.
Session Border Controller and Session Router
Either the Session Border Controller (SBC) or the Session Router (SR) serves as the entry point for calls and acts as the enforcement point for implementing the actions that Oracle® Communications Security Shield Cloud ServiceSecurity Shield) instructs.
The SBC or SR also reports the end of a call, the reason for termination, and call timers, which Security Shield uses for reputation assessment and threat detection. The SBC and SR integrate with Security Shield through a proprietary REST API over Transport Layer Security.
Cloud Communication Service
The Cloud Communication Service (CCS) establishes a secure ground-to-cloud tunnel for on-premises Oracle® Communications Security Shield Cloud Service (Security Shield) components to communicate with Security Shield components in the Oracle Cloud Infrastructure.
Oracle® Communications Security Shield Cloud Service
Oracle® Communications Security Shield Cloud Service refers to the actual Security Shield service. Security Shield evaluates SIP-based calls sent from the Session Border Controller (SBC) or Session Router (SR) to Security Shield. Security Shield sends instructions back to the SBC or SR for each call it processes for how to handle the call along with any information to add to the call signaling.
- Number normalization
- Non-conformant number handling
- Access control Lists
- Integration with third-party service and data providers
- Fraud and spam mitigation service
- Trusted Enterprise Call service
- A Dashboard where you can view information about call traffic, service metrics, and information, as well as manage the service
- Security Shield can also provide advanced analytics
- Additional call signaling information
Security Shield Subscriptions
You can purchase Oracle® Communications Security Shield Cloud Service (Security Shield) by way of the following base (stand-alone) and add-on subscriptions.
For more details about the features available in each subscription, see Security Shield Features per Subscription.
| Subscription | Use Case | Type | Description |
|---|---|---|---|
| Oracle Communications Security Shield Cloud Service | Fraud and spam mitigation | Base | Helps protect telephony networks from malicious actors that launch network attacks such as Telephony Denial of Service (TDoS). |
| Oracle Communications Security Shield Cloud Service, Premium Edition | Fraud and spam mitigation | Base |
Helps protect telephony networks from malicious actors that launch network attacks using machine-learning and third-party data. Provides enhanced dynamic risk assessment and call insights. Provides access to advanced analytics capabilities. |
| Oracle Communications Security Shield Cloud Service, Trusted Enterprise Calls | Trusted Enterprise Calls | Base |
Bolsters call answering rates for outbound calls and mitigates enterprise spoofing. For digitally signing calls using STIR/SHAKEN authentication, you must either purchase the two add-on subscriptions for Trusted Enterprise Calls or bring your own license from a supported STIR/SHAKEN call authentication service. |
| Oracle Communications Security Shield Cloud Service, Trusted Enterprise Calls, Attested Call | Trusted Enterprise Calls | Add-on |
An optional, add-on service to the Oracle Communications Security Shield Cloud Service, Trusted Enterprise Calls subscription. Bundles the digital signing of calls using STIR/SHAKEN authentication with the Oracle Communications Security Shield, Trusted Enterprise Calls subscription. |
| Oracle Communications Security Shield Cloud Service, Trusted Enterprise Calls, Attested Number | Trusted Enterprise Calls | Add-on |
An optional, add-on service to the Oracle Communications Security Shield Cloud Service, Trusted Enterprise Calls. Bundles the certification and verification of the legitimate user of the CallerID for use in STIR/SHAKEN authentication with the Oracle Communications Security Shield, Trusted Enterprise Calls subscription. |
Contact Oracle Sales for more information about the subscriptions.
Security Shield Features per Subscription
The following table lists the Oracle® Communications Security Shield Cloud Service (Security Shield) subscriptions and the features available with each type
Table 1-1 Oracle Communications Security Shield Cloud Service Subscriptions
| Features | Standard | Premium Edition | Trusted Enterprise Calls | Trusted Enterprise Calls - Attested Call | Trusted Enterprise Calls - Attested Number |
|---|---|---|---|---|---|
| Calling Number Normalization | √ | √ | √ | ||
| Access Control List | √ | √ | √ | ||
| Dashboard with Service Information | √ | √ | √ | ||
| Spoofing Detection | Basic | Advanced | |||
| Traffic Pumping Detection | √ | √ | |||
| Toll Fraud | √ | √ | |||
| Routing Policy Enforced | √ | √ | √ | ||
| Dynamic Risk Assessment Using Machine Learning | √ | ||||
| Indication of Fraud and Spam Risk | √ | ||||
| Call Tag (customer header) for Inbound Calls | √ | ||||
| Advanced Analytics | √ | √ | |||
| Spam Tag Mitigation of Outbound Calls | √ | ||||
| Digitally Signing Calls Using STIR/SHAKEN Call Authentication | By way of a third-party service or bundled with add-on subscriptions | √
(For the bundled service) |
√
(For the bundled service) |