# Tame the Wild, Wild West in Service Provider Networks

By [Mitch Rappard](https://www.paloaltonetworks.com/blog/author/mitch-rappard/?ts=markdown "Posts by Mitch Rappard") | May 30, 2018

Let's face it: it's not easy being a network service provider today. Both wireless and wireline service providers are expected to provide exceptional service to their subscribers while, at the same time, protecting their resources from abuse and attacks.
In one sense, providers must be very tolerant of the data that is allowed on their networks, but in another, they must take swift and decisive action when a threat is seen that can disrupt service. Unlike an enterprise network, where there is strict control over the applications and protocols allowed, a service provider network has much more of a "Wild West" mentality where, for the most part, anything goes.

Providing effective protection in this Wild West era requires deep visibility into the traffic on the network plus the ability to quickly identify the source of the threat and its target victim.

It is critical that service providers have visibility into a constantly evolving application and threat landscape. The traffic on their networks is always changing, both the applications that traverse the networks (take the rise of Google's QUIC, for example) and the threats that traverse the network (the Mirai botnet was just a twinkle in the eye of Paras Jha and Josiah White a few years ago [1]). Service providers must also be able to quickly identify the various types of malicious traffic flowing to and from their subscribers as well as determine the nature and severity of each potential threat.

Determining the nature of a threat is important since threats come in many forms. There are threats that could negatively affect the endpoint or the subscriber, such as ransomware, phishing emails and applications that perform identity theft. There are threats to the network itself, such as botnets or applications that create signaling storms. And, of course, if the bull's eye moves a bit, there are threats that target another provider's network. An example of this would be a botnet that is used to launch an attack from service provider A towards service provider B. Not all threats require action, and service providers must be especially careful to apply accurate threat classification before any mitigating response.

Accurate threat classification requires correlation of threat indicators to ensure a confident and accurate conclusion. The more data samples you have, the better your correlation efforts will go. Put another way, you need a lot of data! To be effective, a threat intelligence cloud should include billions, if not trillions, of other real-world artifacts that are accessible for query via a machine-friendly interface. For each suspicious packet or piece of information (in security speak, we call these indicators of compromise, or IoCs) on its network, a provider needs to be able to query this threat intelligence cloud (or multiple clouds) to identify what other real-world IoCs correlate to the one seen on the network. Successful correlation sheds light on potential threats and allows appropriate responses to be taken.

Let me use a real-world example to illustrate my point. Suppose a provider has a network sensor in place that has intelligence about malicious DNS sites, and through the course of the day, it observes several thousand suspicious queries. Some of these map to risky websites. Some of these map to malware websites. Perhaps some are even websites known to be used in phishing campaigns. While the provider wants to know about all of these examples, the provider isn't yet willing to take action on them for a number of business reasons. However, for other more dangerous and suspicious queries, the provider is willing to take action -- for example, on any domains or IPs that point to the presence of a botnet on the network that could threaten network availability. Often, these are not easily determined, nor are the infected endpoints easily identifiable.

If the provider were to see, in the midst of the other domains, one like *injbot[.]net*, would the provider be able to understand what it meant? By itself, this domain could just be a typo as a user navigates to a website.
However, if the provider were able to correlate other activity from this endpoint, such as communication to *fast-message[.]xyz* and some HTTP requests with a User-Agent value of "2zAz," a clear picture begins to emerge. This example endpoint is most likely a part of the DarkSky botnet, which is known to launch various types of DDoS attacks. Most likely, the provider would want to identify all similarly infected endpoints as well as stop communication to all other known IPs and domains used by DarkSky. So, consider if a threat intelligence cloud is able to send back hashes for malware that has queried this domain, or even metadata, such as the name or the category of the malware (e.g., botnet or ransomware). Armed with this additional data, the provider would be well-equipped to take further steps to protect the network.

![Importance of Correlation](https://www.paloaltonetworks.com/blog/wp-content/uploads/2018/05/Importance-of-Correlation.png)

*Sample IoCs from DarkSky sample found via Palo Alto Networks AutoFocus tool*

This is a challenging environment, but just because the traffic traversing a network seems like the Wild West doesn't mean there can't be an intelligent and effective sheriff in town. With the right tools, including the ability to leverage machines to quickly and accurately identify threats of interest as well as their sources and target victims, there is no reason a provider can't rest easy at night, knowing its customers and its network are safe.

Get more information on [Palo Alto Networks Security Operating Platform for service providers](https://www.paloaltonetworks.com/solutions/industries/service-providers/mobile-network-operators).

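The per-endpoint correlation from the DarkSky example above can be sketched in a few lines of Python. This is an added example, not code from the article or from any Palo Alto Networks product: the event tuples, subscriber addresses, subdomain matching and the two-indicator threshold are assumptions, and only the three indicators come from the article.

```python
from collections import defaultdict

# Indicators quoted in the article for DarkSky, stored defanged as published.
DARKSKY_IOCS = {
    "domain": {"injbot[.]net", "fast-message[.]xyz"},
    "user_agent": {"2zAz"},
}

# Constructed sample events (not real telemetry): (subscriber_ip, kind, value).
EVENTS = [
    ("100.64.0.10", "dns", "injbot.net."),           # lone hit, could be a typo
    ("100.64.0.22", "dns", "injbot.net"),
    ("100.64.0.22", "dns", "cdn.fast-message.xyz"),  # subdomain of an indicator
    ("100.64.0.22", "http_ua", "2zAz"),
    ("100.64.0.35", "dns", "example.com"),
    ("100.64.0.35", "http_ua", "Mozilla/5.0"),
    ("100.64.0.41", "dns", "injbot.net"),
    ("100.64.0.41", "dns", "INJBOT.NET"),            # repeat, not corroboration
]


def refang(value):
    """Turn a defanged indicator such as 'a[.]b' into a matchable name."""
    return value.replace("[.]", ".").lower()


def match_domain(qname, domains):
    """Return the indicator that qname equals or is a subdomain of, else None.
    Treating subdomains as hits is an assumption of this example."""
    name = qname.rstrip(".").lower()
    for domain in domains:
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def correlate(events, iocs, threshold=2):
    """Group indicator hits per endpoint and classify each endpoint.
    An endpoint is 'likely-darksky' only when at least `threshold` distinct
    indicators are seen (an assumed policy); fewer hits stay at 'observe'."""
    domains = {refang(d) for d in iocs["domain"]}
    hits = defaultdict(set)
    for src, kind, value in events:
        if kind == "dns":
            matched = match_domain(value, domains)
            if matched:
                hits[src].add(("domain", matched))
        elif kind == "http_ua" and value in iocs["user_agent"]:
            hits[src].add(("user_agent", value))
    return {
        src: {
            "indicators": sorted(found),
            "verdict": "likely-darksky" if len(found) >= threshold else "observe",
        }
        for src, found in hits.items()
    }


if __name__ == "__main__":
    for src, result in sorted(correlate(EVENTS, DARKSKY_IOCS).items()):
        print(src, result["verdict"], result["indicators"])
```

Counting distinct indicators rather than raw hits keeps an endpoint that retries one mistyped domain in the "observe" bucket, which matches the article's point that a single domain on its own is ambiguous.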
Additional details on our threat intelligence cloud:

* [Threat Intelligence Cloud white paper](https://www.paloaltonetworks.com/resources/whitepapers/threat-intelligence-cloud)
* [AutoFocus Threat Intelligence](https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/autofocus)

[1] https://krebsonsecurity.com/2017/12/mirai-iot-botnet-co-authors-plead-guilty/