BUSINESS: Headquartered in Riyadh, Saudi Telecom Company (STC) is the largest telecommunications provider in the Middle East and North Africa, with a reported revenue of SAR 50.75 million for 2017. STC was established in 1998, and currently serves around 100 million customers worldwide, through a fibre-optic network spanning 158,000 kilometres.
SIZE: 17,000 employees
BUSINESS CHALLENGE: Saudi Telecom sought to attain greater threat visibility for its world-class IT systems, which would enable it to even more efficiently identify and address any potential vulnerabilities across a wide variety of operating systems and applications.
Headquartered in Riyadh, Saudi Arabia, Saudi Telecom Company (STC) is an international telecommunications provider, offering landline, mobile and internet services in Saudi Arabia and neighbouring countries. In addition, it is a key enabler of digitalization for both the public and private sector, in alignment with Saudi Vision 2030.
STC is also a major conduit for government and business communications in Saudi Arabia, supporting corporate clients of all types and sizes. Ensuring a secure network is therefore a top priority for STC; the company must both protect its own systems from direct threats and avoid the possibility of passing any threats through its network to customers.
As one of the country's foremost service providers, STC is seen as the backbone of communications in Saudi Arabia. To maximise the speed and quality of its response to potential vulnerabilities, STC first needed to improve the visibility of its IT systems.
Yasser Al Swailem, General Manager of Cyber Security for STC, explains: "Our infrastructure is large and includes a huge variety of different operating systems, network infrastructure and applications, each of which have different methods and tools for assessing vulnerabilities."
As part of STC’s next generation cyber security roll-out, improving identification and remediation of vulnerabilities is a priority for maximizing uptime and preventing data leakage for its customers.
Yasser Al Swailem continues: “The biggest challenge is availability; bringing systems down for too long in order to patch them could inconvenience our customers. In addition, the complexity and diversity of systems across the company requires our team to perform manual ad hoc vulnerability assessments, which are costly in terms of time and effort. We decided that we needed a more automated, comprehensive and accessible approach to vulnerability management, to further improve our IT infrastructure.”
Why Saudi Telecom Company chose Qualys:
After thorough analysis of potential vendors and due-diligence exercises, STC chose Qualys Vulnerability Management (VM) on the Enterprise TruRisk Platform to improve the visibility of threats to its network.
Yasser Al Swailem comments: “We chose Qualys VM because it gave us the flexibility and ease-of-use we were looking for, backed by the solid Qualys database of known risks and vulnerabilities. We also adopted Qualys Policy Compliance (PC), to help us check system configurations against our internal best-practice models.”
He adds: “Another major advantage was the opportunity to make use of the Qualys Private Cloud Platform (PCP). We host our own instance of the Qualys cloud solution, so we can assure our customers that absolutely all data remains in-country. For some customers – especially those in government – this is a key requirement.”
Adopting Qualys PCP also provided a ready-made path to creating a new service offering. It was always a milestone for STC to be able to offer cloud-based cyber-security services to customers; with the private-cloud solution from Qualys, the company is building a full multi-tenant environment. “We are already providing Qualys VM on an as-a-service basis to our subsidiaries in other countries, which saves them having to source, buy and deploy their own solutions,” says Yasser Al Swailem. “This is the first step towards offering value-added services to our customers. We are currently building an online portal for customers to configure and run their own cyber-security services on a highly automated basis.”
STC is using Qualys VM to scan more than 9,000 servers weekly, covering a wide variety of builds of Microsoft Windows, Linux and Unix. The company pushes the output into its governance, risk management and compliance (GRC) solution, which acts as the single internal point of trust for security reporting.
Yasser Al Swailem adds: “All of the technical reports go directly from Qualys VM to our Technology & Operation teams, who can then quickly apply the recommended patches on a prioritised basis according to severity and exploitability. We also provide status and trend reports to our executives, so that they can see the positive impact of our investment in the Qualys technology.”
Armed with risk-profiling intelligence from Qualys VM, STC has better visibility of the threats it faces today and can prioritise its remediation activities to ensure that emerging issues are rapidly addressed.
“Now we can see which systems are at most risk, we can understand the threat better,“ says Yasser Al Swailem. “Qualys VM has also had an indirect impact on the security culture at STC, encouraging developers and system administrators to become even more engaged with security. In the past, vulnerability reports were manual and highly subjective; today, objective reports are available on easy-to-use dashboards and can be customised to each person’s needs, so people are starting to take advantage of the information to improve their own approaches to security.”
“We don't think of Qualys as a vendor but as a fully-fledged partner, and we look forward to bringing the benefits of their technology to many of our customers in the near future.”
General Manager of Information Security, STC
The introduction of Qualys VM has enabled STC to achieve a significant year-on-year reduction in the number of potential vulnerabilities present on its network. The improved visibility of vulnerabilities means that the company can prioritise remediation while ensuring that critical systems remain available when they are most needed. Equally, STC spends far less time and effort on manual scans and reports, enabling it to focus resources on addressing the most serious potential threats. This in turn has helped the company accelerate average remediation times, enhancing its cyber resiliency.
“As the next step, we are looking at implementing Qualys Cloud Agents to provide a new capability: scanning public interfaces continuously,“ says Yasser Al Swailem. “Our digital services require that we extend our perimeter to include our partners and that creates an element of third-party risk. Cloud agents will make it easier to monitor our third-party vendors and customers’ systems, providing us more visibility beyond the edge of our network.”
The combination of the private-cloud solution and the local presence of Qualys technical personnel in Saudi Arabia is another positive element for STC.
Yasser Al Swailem concludes: “Our ability to access direct local support from Qualys is another reason for customers to sign up to our new cyber-security-as-a-service offering in the cloud. We don’t think of Qualys as a vendor but as a fully-fledged partner, and we look forward to bringing the benefits of their technology to many of our customers in the near future.”