Managing a breach or ‘dirty’ network

Issue 5 2021 Editor's Choice, Information Security

Nasser Bostan, head of security sales, Middle East and Africa, BT, shares BT’s insights gleaned from the SolarWinds incident and offers recommendations for organisations to step up their cybersecurity strategies.


Nasser Bostan.

In December 2020, it became apparent that SolarWinds, a major US information technology firm, had been the subject of a cyberattack that spread to its clients. The attack went undetected for months and it has had a huge impact across the entire technology ecosystem as it continues to unfold.

One immediate effect is that the whole security community is now questioning some of its fundamental practices and assumptions around how to implement a successful security environment. The attack is forcing a rethink of how to assess and manage supplier risk.

All security professionals know that you’re only ever as strong as the weakest link in your defences. And to complicate the matter further, most organisations don’t grow organically over time. They grow through a series of mergers, acquisitions and divestments which each play a part in changing their IT landscape. As their infrastructure evolves, it becomes a mixture of new, established and legacy systems from a range of different suppliers. Despite this, users expect IT to be frictionless, leading many organisations to become increasingly borderless. In this complex, blurred environment, finding ‘bad’, or even sub-optimal elements can be challenging.

In BT’s recent whitepaper, Assume breach: Managing a dirty network[1], we make six recommendations for how organisations can achieve ‘assume breach’, based on policies and solutions we’re following ourselves.

1. Know the personas on your estate (identity)

The complexity of managing and understanding personas and identities leaves many organisations blind to the activity of an attacker. In this context, identity and access mechanisms that give you visibility and control of your estate are hugely valuable. Since identity is one of the areas of compromise frequently implicated in high profile and impactful breaches, a firm understanding of the roles and users in your organisation, coupled with high confidence audit, reporting and alerting is critically important.

2. Understand your assets

It comes back to the old adage: If you don’t know what you have, how can you protect it? But understanding what and where your assets are is only one part of the problem. You also need to rigorously assess your asset life cycle strategy. The asset lifecycle is perhaps one of the most difficult aspects of successfully managing IT infrastructure and it gets more difficult as you move to the cloud and more corporate assets fall outside your traditional network perimeter. However, if you fail to identify affected versions, they can delay the remediation and patching process, even after fixes are made available, worsening the risks and impacts.

3. Prioritise modern endpoint tooling

Endpoint Detection and Response (EDR) solutions bring together next-generation antivirus with threat hunting and threat intelligence on the endpoint device, constantly analysing events to identify malicious behaviour. Although an EDR solution gives excellent visibility of adversary behaviour as it occurs, organisations often need prior understanding of this behaviour to detect and prevent it effectively. When this information isn’t available and prevention and detection fail silently, many EDR solutions monitor and record the chain of execution of activities occurring on the endpoint. This enables SOC teams to look back and verify where the attack happened.

4. Make it difficult to move between zones and workloads

Organisations must adopt a Zero Trust model that’s secure by default and only allows traffic to flow between applications that have been positively verified against policy. This will reduce the opportunity for malware or threat actors to move between network zones, servers or workloads, providing crucial protections during many cyber incidents. Creating boundaries between different zones of your network, using network segmentation and application micro-segmentation can make it more difficult for an attacker to move laterally around your infrastructure.

5. Take a systemic approach to detecting threats

Organisations invest in threat detection capabilities such as Security Information and Event Management (SIEM) to make sure they can detect compromises within their estate quickly. To fine-tune your detection, the SOC team operating the SIEM needs to adopt a systematic approach. They need a good understanding of threat actor behaviour and should work closely with their counterparts in threat intelligence to identify the behaviour of known actor groups and map this knowledge to a common classification structure.

6. Be curious

The most inquisitive and engaged people in the organisation are the analysts you have defending your estate. So, allow them to focus on using their natural talents to maximum effect by managing their workloads and automating volume activity where possible. Burdening them with repetitive or routine tasks might produce a steady flow of outputs, but it isn’t the most effective use of their time or skills. Consider automating or offloading such items to trusted providers, so your analysts can better spend their time searching things out. Pulling on loose threads takes time, but ultimately, it improves your security baseline and might just uncover the thing no-one was looking for.

Cyber attackers and criminals will never stop trying to invent new ways of gaining a return on their investments. If you can make it expensive, difficult and time-consuming for them to achieve their goal, it will limit the range and motivation of cyber attackers targeting your organisation.

[1] https://www.globalservices.bt.com/en/insights/whitepapers/managing-a-breached-or-dirty-network




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

SA’s strained, loadshedding-prone grid faces cyberthreats
Power Management Information Security
South Africa’s energy sector, already battered by decades of underinvestment and loadshedding, faces another escalating crisis; a wave of cyberthreats that could turn disruptions into catastrophic failures. Attacks are already happening internationally.

Read more...
Almost 50% of companies choose to pay the ransom
News & Events Information Security
This year’s Sophos State of Ransomware 2025 report found that nearly 50% of companies paid the ransom to get their data back, the second-highest rate of ransom payment for ransom demands in six years.

Read more...
Winners of the 2025 Southern Africa OSPAs
Editor's Choice
The winners of the 2025 Southern Africa Outstanding Security Performance Awards (OSPAs) were revealed on Wednesday, 4th June, at Securex South Africa. Winners from all categories (except the Lifetime Achievement) will be featured in the second Global OSPAs set to take place in 2026.

Read more...
Deepfakes and digital trust
Editor's Choice
By securing the video right from the specific camera that captured it, there is no need to prove the chain of custody for the video, you can verify the authenticity at every step.

Read more...
A new generational framework
Editor's Choice Training & Education
Beyond Generation X, and Millennials, Dr Chris Blair discusses the seven decades of technological evolution and the generations they defined, from the 1960’s Mainframe Cohort, to the 2020’s AI Navigators.

Read more...
Back-up securely and restore in seconds
Betatrac Telematic Solutions Editor's Choice Information Security Infrastructure
Betatrac has a solution that enables companies to back-up up to 8 TB of data onto a device and restore it in 30 seconds in an emergency, called Rapid Access Data Recovery (RADR).

Read more...
Key design considerations for a control room
Leaderware Editor's Choice Surveillance Training & Education
If you are designing or upgrading a control room, or even reviewing or auditing an existing control room, there are a number of design factors that one would need to consider.

Read more...
CCTV control room operator job description
Leaderware Editor's Choice Surveillance Training & Education
Control room operators are still critical components of security operations and will remain so for the foreseeable future, despite the advances of AI, which serves as a vital enhancement to the human operator.

Read more...
Phishing attacks through SVG image files
Kaspersky News & Events Information Security
Kaspersky has detected a new trend: attackers are distributing phishing emails to individual and corporate users with attachments in SVG (Scalable Vector Graphics) files, a format commonly used for storing images.

Read more...
A passport to offline backups
SMART Security Solutions Technews Publishing Editor's Choice Infrastructure Smart Home Automation
SMART Security Solutions tested a 6 TB WD My Passport and found it is much more than simply another portable hard drive when considering the free security software the company includes with the device.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.