Prosperous protection: Dubai-based du deploys cloud-based vulnerability management
Dubai-based operator du turns a security investment into a business opportunity
Few organisations understand the complexities of the cyber-security landscape better than internet service providers (ISPs). Given that ISPs make up the backbone of national communication infrastructures, they provide the channels through which cyber-criminals conduct their operations, meaning that ISPs have to constantly stay one step ahead.
Indeed, cyber-criminals recognise this as well, and as a result they often target ISP operations with extreme force. To mitigate these threats, ISPs around the globe have built up some of the most sophisticated security operations centres to be found in any vertical, and Middle Eastern ISPs are up there with the best.
Emirates Integrated Telecommunications Company (better known as du) is a perfect example of this. Having opened for business in 2006, the telecoms provider has come to understand first-hand the threats that target the Middle East. As a result, the company employs more than 70 full-time, highly skilled security professionals, who run a 24-7 security operations centre that analyses two billion network events daily across more than 10,000 network switches and routers and 3,000 servers. The equipment, from vendors such as Cisco, Juniper Networks, Alcatel-Lucent and Huawei, runs on a number of different operating systems, and as such, each needs to be monitored carefully in order to keep cyber-criminals at bay.
Recently, du took steps to strengthen its security operations by procuring a solution that would give its award-winning security operations centre greater visibility over the network. However, along with the solution, the telecoms provider also used the project to open up a new revenue stream. This is how the company turned a security investment into a business opportunity.
Without a single, comprehensive solution for security vulnerability scanning and policy compliance, du was committing significant amounts of time, energy and money to manual exercises to understand how threat agents probe, scan, and compromise the security of networks. Frequently, du security was using internal and external resources to scan different elements of the infrastructure or to carry out compliance validation and manual configuration audits on selected technical platforms.
There were costs associated with these challenges. For example, regular audits had to be undertaken, and these would not only directly cost the security department, but would also be disruptive to operations. Instead, the operator wanted a more automated approach to its vulnerability management.
“One of the challenges is the huge amount of vulnerabilities and risks that exist in any telecoms environment. And since we have networking sets, IT and telecoms devices, mobile devices, we have a lot of systems, a lot of access points, which produces a lot of issues. We need to identify vulnerabilities and find a way to track them through one centralised dashboard and to start minimising the impact of the vulnerabilities,” explains Ibrahim Hamza Al Mallouhi, vice president of security operations, du.
The operator began evaluating various solutions in the market, and it quickly became clear that another key requirement of the new solution would be that it could integrate into the company’s risk management solution, its security operations centre, and also its overall risk management methodology.
Having defined the requirements, du raised an RFP and approached the leading security vendors in the market. Following several meetings with vendors, as well as a string of proofs of concept, a shortlist of three vendors was drawn up, and then du began to look at how the technical specifications of each solution stacked up against its requirements. According to Al Mallouhi, by this point, price wasn’t as much of a consideration as getting the right technology was.
The vendor which eventually won the business was Qualys. However, this wasn’t entirely down to the fact that the vendor impressed with its solutions. The problem with Qualys was that its solutions are cloud-based. Al Mallouhi explains how this could have put a spanner in the works.
“Du has to meet the most stringent regulatory requirements of the United Arab Emirates. And one of those requirements would be that sensitive information like vulnerability data should not leave the country. This is one of the challenges we had with selecting Qualys — they’re a cloud solution, and if we were to use their typical deployment, our data would go into the cloud, outside of the UAE,” he says.
However, the Qualys team came back with an answer in the form of the vendor’s Private Cloud Platform. This, along with the Qualys Policy Compliance, Qualys Vulnerability Management, and Qualys Web Application Scanning solutions, would solve the business challenge. The Qualys team also explained to du how the operator could turn the solution into a revenue-generating investment.