In-depth interview: network security in the age of digitisation

By Ansie Vicente
Johannesburg, 26 Sep 2016
The lack of skills in the security world remains an issue for vendors, systems integrators and customers alike, says Stuart Trainer of EOH.

The biggest security concern among medium-sized companies (500-5000 seats) in South Africa remains the ability to execute, say EOH Technology Solutions and Cisco.

Stuart Trainer, business unit director for Information Security in the technology solutions cluster of EOH, says security spend among these companies is comparatively lower than among companies in the enterprise space, and tends to be "a more consolidated security spend".

"They buy technologies that are already integrated. Larger enterprises use fit-to-purpose technologies, whereas smaller companies typically buy unified technologies that fulfil multiple functions," he says.

Trainer's business unit comprises consultants and engineers who are responsible for delivering information risk and compliance solutions and cover all facets of IT security to a variety of customers across South Africa. The unit maintains a number of vendor relationships, among them a Cisco Gold partnership.

Terry Greer-King, director of security at Cisco, says: "One of the key success factors for cyber criminals is that they frequently use tools that users trust or view as benign in order to launch their campaigns and infiltrate systems. According to Cisco's 2016 Annual Midyear Cybersecurity Report, JavaScript and Facebook scams were cited as the most common attack methods. The number of WordPress domains used by criminals has risen by 221% between February and October 2015 alone.

"Some businesses have already learnt the hard way and probably understand better than most that security can no longer be an after-thought. It is therefore critical that businesses today are on the front foot, which means adopting a holistic, integrated approach to security. Treating security as a process that addresses the entire threat spectrum - before, during and after an attack - is the only way to effectively mitigate all sources of risk."

Trainer explains: "Unlike in the EU and USA, network security is still selling in South Africa. Overseas, companies are on a compliance drive, but small IT environments generally don't have specialist skills, and look to systems integrators or vendors to bring the different security solutions together for them in an easy-to-manage package."

"Network security is not the most glamorous part of security, but the perimeter is disappearing; it will fade with time even though we're doing more. Security is moving closer and closer to the endpoint and that will be a necessary move. SA will see a lot more drive towards compliance, as we are currently seeing internationally. Things like the POPI Act will drive that," Trainer says.

Either way, the lack of skills in the security world remains an issue for vendors, systems integrators and customers alike, Trainer says. "The lack of proper security expertise is a certainty. I wish large corporates and IT companies would stop trying to build their own security operations centres and rather consolidate into a number of specialist players in the market. We have seen too many security projects fail. People want the big room with the big screens, but the expertise doesn't exist in the numbers required to do it properly."

Trainer would like to see some consolidation among vendors, too. "As a rule, we address between 30 and 35 building blocks of security per deployment, and there are hundreds of vendors for each block/control - choice is not always a good thing. Companies are buying best-of-suite rather than best-of-breed because they can get a better price with bulk discounts. But you don't solve security issues with commercial decisions."

He says that as a rule, medium-sized companies are not dealing well with security threats. "Most companies have some controls in place, but they are usually inadequate for the current security landscape. Companies are lurching from crisis to crisis or implementing the touted 'latest and greatest' from vendors, but it is simply not true that a single vendor can do everything that needs to be done," he laments.

Greer-King adds: "We found in our Annual Security Report that many organisations are relying on creaking network infrastructures that are old and outdated, as well as running vulnerable operating systems. Between 2014 and 2015, the number of organisations that said their security infrastructure was up-to-date dropped by 10%. The research also found 92% of devices run software with known vulnerabilities. On average, each piece of software on those devices contained 26 such weaknesses."

"Some industries also look particularly vulnerable - with some organisations in financial services, healthcare and retail running software that is at least six years old. Elsewhere, the government, electronic, healthcare and professional sectors are at the highest risk from malware attack. Prioritising security capabilities is not only important for protecting organisations and their customers' data, assets and reputation, but is fundamental to successful digital transformation, which is where we're seeing business growth occur," Greer-King says.

What companies actually need is a prioritised approach and strategic plan, says Trainer. "They need a fit-for-purpose plan of what to do for their organisation. Security is very theoretical and companies need help to interpret their needs into practical solutions. For instance, ransomware can be blocked at four or five different levels. What can their IT department actually take on - because whatever they use will cost them time and money? Do they have the budget? Can the broader organisation accept that level of change?"

The first step is to conduct a gap analysis between current and fit-for-purpose security strategy, he says. This can then be broken up into what Trainer calls "mini-plans for a prioritised approach".

"The plan has to be somewhat flexible, but provide a framework you're working against. Everyone has to have input and buy into that plan. It takes two or three years to execute against the plan. Your risk profile doesn't drop immediately but it slowly gets better over time."

About more specific concerns, Trainer says ransomware remains a real threat. "Unless you have good controls in place - new controls, not the ones you had in place two years ago - there is a chance you will be hit. During the attack, do all you can to stop it from spreading. Your only chance of recovery (apart from paying the ransom, which we don't advise) is restoring from a backup," Trainer explains.

Greer-King says: "Ransomware is a very real issue for businesses of all sizes. Last year, Cisco, with the help of Level 3 Threat Research and Limestone Networks, identified the largest Angler exploit kit operation in the US, which targeted 90,000 victims every day and generated tens of millions of dollars a year by demanding ransoms from victims. Our research estimates that, currently, 9,515 users in the US are paying ransoms every month, amounting to an annual revenue of $34 million for certain cybercrime gangs. As such, a holistic, integrated security policy that addresses the entire threat continuum - before, during and after an attack - is the most effective way of mitigating all sources of risk, and 2015 demonstrated how much so."

After the attack, Trainer believes companies have to put in place network controls at the gateway into the company and controls at endpoints. He is wary of specialised security analysis tools and what he calls "consulting by the kilogram" (the thicker the report, the higher the consultant's fee) to assist in compiling a strategic security plan.

"Yes, all tools have to be facilitated by a security expert or consultant to deliver a really useful report - you always need the human factor, but not a 300-page report. What most companies actually need is a 15-page report that spells out: do this part now, do some of that part in parallel, and budget for these three things next year," he says.

Greer-King agrees: "Regardless of the strength of their technology defenses, businesses must assume they will still be attacked. So rather than trusting security tools to prevent them in the first place, organisations should have a plan in place for when an attack occurs - including an infrastructure inventory, a full response plan, and an external communications strategy. Investing in security is still paramount to reduce the chances of attacks being successful, but dealing with data breaches in a mature way is now critical to any IT security plan."

"The truth is IT can't control all connectivity and use of technology any longer. As the amount of data businesses collect grows, so does the number of data-collecting devices. More devices will simply mean more ways to attack. Nothing is going to be safe. There will be sensors everywhere to collect data, connect cities and ultimately change the way the world operates. But not every data point, not every sensor, will have a firewall. The type of attacks and threats we're now seeing means having a piece of anti-virus software or a firewall is not enough. Every time an employee uses a new device in the workplace, the threat surface of the business expands. Therefore, investing in a more thorough security portfolio is key, and of course, having a response plan for an attack is paramount," Greer-King says.
