Business leaders deploy IT security solutions to strengthen the external shell they create around their operation, steadfast in the belief that this primary defence offers sufficient protection against cyber threats - but the threat landscape has evolved and threats are more sophisticated.

Experts speak of a new generation of cyber threats, multi-vector attacks, malicious breaches, underpinned by the scourge of ransomware, cryptomining malware, social engineering and zero-day attacks, among others.

These threats continue to test the resolve of many businesses, which, in South Africa anyway, are also struggling with outdated IT infrastructure.

According to a report released by World Wide Worx, The State of Enterprise Security in South Africa 2019, the biggest shortcoming in cybersecurity preparedness is outdated software - 77% of IT decision-makers said it makes their organisations highly vulnerable.

Given these sophisticated cyber threats, the inadequate software and continued shortage of available security skills, it is not surprising that cyber security experts believe businesses need to turn to machine learning and AI to help keep track of who is accessing their data, from where, why, when and where.

Analytics-based threat detection and response is more relevant than ever say executives from ExtraHop, an established global provider of cloud-first detection and response for the hybrid enterprise.

ExtraHop provides enterprise cyber analytics. The company analyses all network interactions in real-time and applies advanced machine learning to help security and IT teams investigate threats.

Its platform is supplied in South Africa via its distributor partner Corr-Serve.

Ransomware scare

In August 2019, Owen Cole, a member of the ExtraHop Cybersecurity Council and VP ExtraHop Business Development EMEA, together with Wade Gomes, Country Manager and Sales Director at Corr-Serve, visited South African customers to gain insight into their cyber security needs and concerns.

Cole said the ransomware attack on Johannesburg's City Power in July this year was a major talking point.

As reported by local media, the attack on 25 July 2019 took out City Power's servers and disrupted power supply to residents of Johannesburg.

Speaking to ITWeb Africa following the customer engagement sessions, Cole said: "It's been on everybody's lips and in terms of ransomware, this week I've probably had more ransomware conversations than I have in a single week for probably two years. It was super high profile in healthcare a year-and-a-half, two years ago, because there were lots of targeted ransomware attacks on healthcare. But it's now become much more widespread, across all industries. And the ways of delivering the ransomware attacks have become more relevant and harder for companies to detect."

He added, "It's all about protection of data. Any cyber-attack or criminal attack is about one of two things: it's either disrupting that person's business, or taking the data away from that person because there's a value to it."

Phone home warning

ExtraHop says alongside ransomware, the issue of 'phoning home' should ring alarm bells.

Phoning home refers to a host connecting to a server for the purpose of sending data to the server - the 'white hat' term for exfiltrating data.

ExtraHop has issued a security advisory exposing cases of third-party vendors 'phoning home' proprietary data without the knowledge of- or authorisation from their customers.

According to the advisory, phoning data home is a common practice that can be used for legitimate and useful reasons with the customer's consent. But when customers are unaware of this vendor exfiltration, it risks exposure of sensitive data.

Cole said ransomware and phoning home have similarities and ExtraHop is aware of documented incidents within financial services, healthcare and food services industries.

In one example, a company was compromised via its air-conditioning system. All its data was fine, but the service provider that ran its air-conditioning had an open connection through which it phoned home and sent data back to its headquarters. Cyber criminals hacked the headquarters and gained access to its customer.

Phoning home also raises the issue of false positives and its impact on security efficiency.

Cole said the most important thing to ensure that an investment in security solutions worthwhile is the ability to reduce the amount of false positives.

"The biggest problem any security platform has got is this thing called false positives, where an alert is generated because it looks suspicious. What happens is the guys who respond to these alerts all of sudden say 'ah, I've seen that alert so many times, I am not even going to bother' ... and you know the one that they don't bother with, is the one that's real."

Applying context to the data that is implemented into the system is a sure way to reduce the number of false positives, Cole added.

"The system is a base platform, it's got all of the ability to decode this all this traffic and understand what's happening all automatically. If anything appears that never existed before or something that did exist changes what it does that increases its security risk, we automatically see that no matter who it is or where it is."

Silver bullet

As far as the broader Africa market is concerned and the factors that drive security solution adoption, Gomes said while everyone wants a silver bullet, there isn't one – but a system that is seamless, automatic and alerts the business to potential problems proactively adds substantial value.

AI and machine learning capability within the system enables it to highlight anomalies in terms of activity within an environment. Being able to pick up the problem without having to look for it is key Gomes continued.

"Unfortunately in this game, where there is a number of less savoury people out there looking to get into your business and get information out of there, there isn't a single way to do it. But (the best way) is to identify as quickly as possible a threat or a potential threat (internal or external)."

Despite global incidents of large scale data breaches and exorbitant amounts in fines (BA's recent £183-million fine for passenger data breach and Facebook making international headlines after millions of user records were reportedly 'exposed to the internet') Cole said that businesses are slowly realising the need to leverage analysis as part of their security strategies.

Why slowly?

Cole said: "I think there are a number of reasons and it's wrong to generalise, but one would be the fact that because it's a business problem with an IT solution means that IT people that don't understand business and business people that don't understand IT never really join in the middle."

He suggested that verticals like healthcare, finance and retail are taking the lead and are increasingly aware of the need for IT security investment.

Skills shortage

Cole and Gomes said South African CIOs and CSIOs have expressed concern over the lack of security skills in the market.

Executives say they do not have enough people and the people they do have are not sufficiently skilled.

Along with running short tailored training courses that go with every solution deployment, ExtraHop has also customised its product offering with intuitive workflows.

"One of the problems that obviously we have in all of IT, but its exacerbated here in Africa, is the skills, in all IT generally, but in security specifically. One of the things we are passionate about is using technology to upskill the staff. There are some simple ways you can do that, in terms of not only making the platform we supply simpler for people to use, but actually building intuitive workflows into it. So, if a particular thing happens, for example, we have this thing called guided workflow where our platform will coach someone through 'here's what you should be doing', and then we're trying to almost train them on the job."