How Telefónica collaborates with the GSMA to define a project use case scenarios using lean startup”?

Tuesday, September 29, 2015

The entrepreneurs of startups were the first ones to adopt the Lean Startup method when Eric Ries published in 2011 his book The Lean Startup. Big companies like Telefónica were soon enough the next ones to apply Lean Startup. Now we have witnessed how an industrial forum like the GSMA (GSM Association), the Personal Data Program in particular, adopts a hypothesis validation model to build successful products and services.

Use case in industrial forums and standardization bodies are generally defined by the forum members without market validation, and then, following a waterfall model, the technical solution for those use cases is defined.

Mobile Connect 

Telefónica has been deeply involved in the Mobile Connect project since February 2014. Mobile Connect is a GSMA cross-operator proposition to simplify people’s digital lives, offering a simple and safe identification service that offers the user total control over their privacy. The authentication is significantly more secure than typical username/password schemes as access to the account is secured via the user’s mobile device.

The Lean Startup methodology is a pilar of our innovation process since 2012, hence all our innovation projects apply this methodology. Consequently, Mobile Connect has been developed following the Lean Startup method.

Lean Startup is basically the combination of Steve Blank’s Customer Development methodology and Agile Development. As we have been applying Agile Software Development since 2006 at Telefónica (specifically in Telefónica R&D), our engineers, and in particular those that have experience as scrum masters, are the ones that have adapted themselves best to Lean Startup.

Due to the deep experience with agile that the Mobile Connect team has, the Customer Development iterations were perfectly synchronized with the Agile Software Development cycles. This allowed us to design the fastest and cheapest prototype needed in each iteration to validate, or invalidate, the project hypotheses.

Also, the Mobile Connect innovation project team at Telefónica considered the use cases defined hypothesis that needed to be validated in the market before building the solution. Therefore, they got out of the building to have face to face conversations with potential customers. In fact, after carrying out 42 interviews their first hypothesis around the customer segment proved to be wrong, so they had to pivot to another customer segment.

The team focused on the problems the customers had and then on how could Mobile Connect solve these problems according to the customers’ needs and feedback. What’s more, during this process customers really interested in the service and willing to pay for it were identified and involved in the process.

Thus Lean Startup helped identifying and defining the use cases based on clear evidences and validated learnings around the customers. As a consequence, the Personal Data Program has created workgroups that organise sessions with different service providers to identify and understand the painful problems they are facing in order to work on solutions around those problems.

A successful way to transfer an innovation project to the business unit

One of the biggest challenges we face at big companies is how to successfully transfer an innovation project to the business or product units. Actually this is something we have had the opportunity to discuss with several companies in different innovation forums and also in last year’s Lean Startup Conference in San Francisco, and there is a general agreement on that.

The most delicate moment in the life of an innovation project is when it is time to scale up and get transferred into a business unit or product line. Having stakeholders in the business unit or product line is critical, but not enough to make a successful transition.

In our experience those innovation projects that apply Lean Startup survive better to that transition because they are in a position to bring to the table tangible credibility in the form of validated market traction and even customers.

In the case of Mobile Connect we have been able to transfer successfully to the business unit the innovation project for its deployment and commercialization. In fact, this solution is going to be deployed in Argentina, Spain, Mexico and Peru this autumn and more countries are coming next year.

Moreover, the way we have done this transfer has also been different: we have not only transferred the product but also the team plus prospective customers.

This has allowed us to transfer not only the knowhow of the product, the product development knowhow and the customers, but also the complete business model knowledge as well as the market contacts and the experience achieved by the team during this time. That is, who are the customers, how should the solution be commercialized, the way to get to the customers, the pitch, the sales process, etc.

In other words, we have transferred what one of our external mentors, Mario López de Ávila, calls the complete “product toolkit”.

Besides, all the aforementioned evidences and knowledge about both the market and the customers as well as the contacts network has enabled us to smoothly transfer the team of R&D engineers to the business unit. Because that knowledge they brought to the business unit has given this team of technical people credibility among their new colleagues.

Evil FOCA is now Open Source

Tuesday, September 22, 2015


We are really happy to announce that Evil FOCA is now Open Source. We have received lots of comments and feedback about how you are using Evil FOCA, or how you would like to improve it; thousands of people are downloading Evil FOCA in a monthly basis.

Although Evil FOCA has always been free of charge, now we want to make the next step: Evil FOCA is now Open Source released under the GNU Public License 3.0. It is available in our GitHub repository: https://github.com/ElevenPaths/EvilFOCA

Our main objective with the Open Source release is that the community will be able to improve and keep Evil FOCA one of the best networking pen-testing tools. Please check our Evil FOCA’s website in order to know more about it.

What is Evil Foca and what is it able to?

Evil FOCA is a tool for security pentesters and auditors whose purpose it is to test security in IPv4 and IPv6 data networks.

The tool is capable of carrying out various attacks such as:

  • MITM over IPv4 networks with ARP Spoofing and DHCP ACK Injection.
  • MITM on IPv6 networks with Neighbor Advertisement Spoofing, SLAAC attack, fake DHCPv6.
  • DoS (Denial of Service) on IPv4 networks with ARP Spoofing.
  • DoS (Denial of Service) on IPv6 networks with SLAAC DoS.
  • DNS Hijacking.

The software automatically scans the networks and identifies all devices and their respective network interfaces, specifying their IPv4 and IPv6 addresses as well as the physical addresses through a convenient and intuitive interface.

Within the MITM (Man in the middle) attacks in IPv4 and IPv6 Evil FOCA considers the following techniques:

  • ARP Spoofing: Consists in sending ARP messages to the Ethernet network. Normally the objective is to associate the MAC address of the attacker with the IP of another device. Any traffic directed to the IP address of the predetermined link gate will be erroneously sent to the attacker instead of its real destination.
  • DHCP ACK Injection: Consists in an attacker monitoring the DHCP exchanges and, at some point during the communication, sending a packet to modify its behavior. Evil FOCA converts the machine in a fake DHCP server on the network. 
  • Neighbor Advertisement Spoofing: The principle of this attack is identical to that of ARP Spoofing, with the difference being in that IPv6 doesn’t work with the ARP protocol, but that all information is sent through ICMPv6 packets. There are five types of ICMPv6 packets used in the discovery protocol and Evil FOCA generates this type of packets, placing itself between the gateway and victim.
  • SLAAC attack: The objective of this type of attack is to be able to execute an MITM when a user connects to Internet and to a server that does not include support for IPv6 and to which it is therefore necessary to connect using IPv4. This attack is possible due to the fact that Evil FOCA undertakes domain name resolution once it is in the communication media, and is capable of transforming IPv4 addresses in IPv6.
  • Fake DHCPv6 server: This attack involves the attacker posing as the DCHPv6 server, responding to all network requests, distributing IPv6 addresses and a false DNS to manipulate the user destination or deny the service. 
  • Denial of Service (DoS) attack: The DoS attack is an attack to a system of machines or network that results in a service or resource being inaccessible for its users. Normally it provokes the loss of network connectivity due to consumption of the bandwidth of the victim’s network, or overloads the computing resources of the victim’s system.
  • DoS attack in IPv4 with ARP Spoofing: This type of DoS attack consists in associating a non-existent MAC address in a victim’s ARP table. This results in rendering the machine whose ARP table has been modified incapable of connecting to the IP address associated to the non-existent MAC.
  • DoS attack in IPv6 with SLAAC attack: In this type of attack a large quantity of “router advertisement” packets are generated, destined to one or several machines, announcing false routers and assigning a different IPv6 address and link gate for each router, collapsing the system and making machines unresponsive.
  • DNS Hijacking: The DNS Hijacking attack or DNS kidnapping consists in altering the resolution of the domain names system (DNS). This can be achieved using malware that invalidates the configuration of a TCP/IP machine so that it points to a pirate DNS server under the attacker’s control, or by way of an MITM attack, with the attacker being the party who receives the DNS requests, and responding himself or herself to a specific DNS request to direct the victim toward a specific destination selected by the attacker.

Who are you going to believe, me or your own eyes? The dilemma of managed security

Friday, September 18, 2015

Organizations are facing a context of increasingly complex IT threats jeopardizing the everyday development of production processes. We are referring to persistent advanced attacks, zero-day threats, industrial espionage, hacktivism, etc. and at the same time the need to play by the rules (legislation and regulations) in security matters.

The challenge for organizations is to balance the tough demands of production processes and the management of the increasing complexity of threats with the intelligence and scaling required in each case. This makes necessary, not only the deployment of tools to deal with these threats, but also to have security experts or to outsource this service to specialized third parties that have trained staff and the appropriate tools to manage their security. The problem in this case is that organizations lose visibility and control over their own security.

At ElevenPaths, we believe that it is possible to go one step further in this never-ending cat-and-mouse game. The outsourced “traditional” security management is based on the operation of security tools such as firewalls, antivirus software, intrusion detectors, etc., and a SIEM (Security Information and Event Management) as a tool for collecting and correlating events generated by these security tools. The SIEM detects and alerts the operator when a security incident takes place, but the organization loses visibility of its own security and immediacy to respond.

The new approach to outsourced security management should enable the organization to have an immediate knowledge of the incident and a unified view of its security, allowing also an immediate and accurate response to the threats and the minimization of their impact on the business. This solution should also integrate both the information from all the tools used in the organization itself and external information. The organization should also benefit from a comprehensive and collective knowledge that enables it to anticipate incidents that are already happening or have happened to others.

The first step is to improve the incident detection by SIEMs. SandaS processes information received by SIEMs with a set of proprietary algorithms that detect activities that may go unnoticed for SIEMs.

The state-of-the-art dashboard enables the organization to access real-time data on its security and monitor the status of its security by the minute and how it is being managed.

Detecting an incident is not enough, a standardized classification and criticality assignment is necessary. The criticality level can be customized through SandaS according to the organization’s specific context and the affected elements. Moreover, it automatically notifies the relevant actors in that context for a more agile and efficient processing and resolution. It can even automatically execute resolution or remediation actions, thus optimizing resources.

SandaS is supported by multiple components of the ElevenPaths security platform, such as the Big Data processing framework Sinfonier, which enables the integration of internal and external sources, such as external events detected by other cybersecurity services. This allows for potential incidents to be detected faster and as closely as possible to the organization context, as well as the prevention or reduction of their impact.

Moreover, the most innovative feature of SandaS is its collaborative approach. With its global scale and the large volume of data that it handles from a variety of sources, it gets a comprehensive knowledge of suspicious evidence across its network. Thanks to this intelligence, it infers potential threats, immediately detects incidents that are already taking place and, above all, prevents them from happening in those organizations where they have not yet materialized.

To complete this view of security management, it would be required to link it to the business. It is necessary to assess the risk that threats and vulnerabilities pose for the business, as well as being able to manage the compliance with the many regulations, standards and policies. This enables us to make better decisions on the management of incidents and the definition of processes, procedures and policies for preventing and managing incidents.

This is why we have recently expanded our solution with GRC (Governance, Risk and Compliance) capabilities through the acquisition of the GesConsultor platform, which integrates into our family of products as SandaS GRC.

To find out more about the tool, check out the following video:



In upcoming posts we will get into more details on the functionality offered by the various components of SandaS and SandaS GRC which are offered through Telefonica’s Managed Security Services.

ElevenPaths acquires Gesconsultor (Gesdatos), the leading Governance, Risk & Compliance platform Spain

Monday, September 14, 2015


  • GesConsultor will be offered internationally as part of Telefónica’s security services portfolio.
  • The platform enables organisations to support business strategy, improve operating performance, mitigate operational risks and ensure regulatory compliance.
  • GOVERTIS (recently rebranded and previous owner of GESCONSULTOR /GESDATOS), will become Premium distributor and provide special consultancy services.

          Madrid, 14 September 2015.- ElevenPaths, innovative security solutions specialist for Telefónica, has acquired technology from GesConsultor the leading Governance, Risk & Compliance (GRC) platform in Spain - including its Gesdatos privacy module. This platform manages the legal requirements for safety and risk management of an organisation, in a unified and efficient way, integrating and orchestrating its key processes around three strategic areas: Corporate Governance, Risk Management and Regulatory Compliance.

With the integration of GesConsultor, ElevenPaths enriches its portfolio of Managed Security services to provide a GRC solution using its own technology, which will have a high growth potential and which it previously covered using third party solutions. To this end, the company has incorporated the solution development team into its workforce.

This solution will be sold as part of Telefónica’s security services offer through all local operators, and via its Premium Distributor, GOVERTIS (the newly rebranded founding company behind the GesConsultor platform), along with other specialised services as the solution rolls out, in full compliance with international standards and best practice.

There are currently more than 10,000 organisations which are managed via the Regulatory Compliance platform, and more than 180 associate partners using the solution. It has been widely implemented in Spain and is now expanding into Latin America.

The solution helps organisations in the public and private sectors, which are currently facing enormous challenges, in the running of their production and support processes. They must ensure their safety, properly manage risk, comply with internal policies and obligations imposed on them by legislators, regulators and customers, and direct the whole organisation to meet the objectives set. This requires the use of tools which will enable them to manage these needs, and requires professional experts who will use these tools in a way as to transform the organisation.

The solution provides the following high-level functions:
  • Enterprise Architecture Modelling, offering a true representation of the organisation, providing the level of detail required for Risk Management and Regulatory Compliance, and to specify organisational structures, information systems and the infrastructure required to operate them, for services and business processes.
  • Centralisation of Information on Regulatory Compliance, in order to manage the governing measures arising from multiple requirements of the legislative (Organic Law on Data Protection, the Spanish Security Guidelines, the Spanish Interoperability Guidelines, Critical Infrastructure, etc.), international standards (ISO 27001, ISO 27002, ISO 20000, ISO 22301, PCI-DSS, etc.), and industry regulatory frameworks or the organisation's own.
  • Risk Management, incorporating a risk processing engine based on ISO 31000 with full support for frameworks such as ISO 27005, NIST SP 800-30 or COBIT 5 for Risk. In addition, it has a specific module for the MAGERIT methodology, aligned with National Security Guidelines and Critical Infrastructure legislation based on the PILAR application.
The acquisition allows ElevenPaths to enhance its solutions with GRC capabilities, which will now be integrated into its family of products as SandaS GRC.

For further information: 

Introducing Mobile Connect – the new standard in digital authentication

Monday, September 7, 2015



The Mobile Operators hold the future of digital authentication in our hands, and so do our customers. The consumers will no longer need to create and manage multiple user names and passwords as the authentication and identification solution being developed will use the subscriber’s mobile phone number or mobile user name and information contained in the secure SIM card.

What is Mobile Connect? 
Mobile Connect is a GSMA (Global System for Mobile Communications Association) cross-operator proposition where users can authenticate with third party applications via a user account linked with their mobile phone number. The authentication provider for Mobile Connect is the user’s mobile network operator, and authentication is more secure than typical username/password schemes as access to the account is secured via the user’s mobile device.

Service Provider and/or Developers, such as digital retailers, financial institutions, online providers or governments, can use the Mobile Connect service on their applications to authenticate users. As Mobile Connect offers various levels of security for authentication, ranging from low-level website access to highly-secure bank-grade authentication, the Service Provider/Developer can choose the one most suited to its application.


Telefónica (lead by ElevenPaths as part of the Global Security Unit), along with other leading mobile operators, is pioneering the development of “Mobile Connect”, participating actively in several multioperator initiatives in both, Europe and Latam regions.

How does it look like?
Just think how many websites and applications you use regularly for which you need a user name and password. The more we use the Internet services, the more log-in details we have to remember. With Mobile Connect, there’s no need for passwords or usernames, making logging in so much easier. Although logging in through social networks can remove the need for passwords, many people worry their personal information will be used without their permission. With Mobile Connect, no information is made available to service providers without the user’s consent, making logging in more private.

With Mobile Connect, you are authenticated through your mobile phone, rather than through personal information. This makes authentication in safer and more secure.

Mobile Connect is the new simple, secure and private way to log-in.





How does it work?
The technology behind Mobile Connect is built on the widely adopted technology of OpenID Connect. Authentication is provided by the operator to the website with no person information shared without the consumer’s permission.

The Mobile Connect Logical Architecture reuses many of the Operator assets and introduces a small number of new components in order to deliver Mobile Connect.


The following diagram illustrates the key logical components that will need to be provided for, or impacted by, the deployment of Mobile Connect services.



The GSMA is working with leading mobile operators globally and in-county with a broader set of ecosystem players, such as governments, banks and retailers, to help roll out mobile-enabled digital identity solutions.

Visit gsma.com/personaldata to keep up to date with the latest developments in Mobile Connect, the secure and universal log-in solution.