How Travis Perkins IT Team Turned A Near Nightmare Into Security Spend

More security budget after a near-miss? Simon Gray tells how his team achieved this difficult task

‘Disaster’ isn’t a word that IT teams like to hear. It certainly isn’t part of a PR team’s lexicon or something that CEOs like to talk about. But a brush with disaster can lead to good things as Travis Perkins learnt earlier this year.

A nasty spear phishing attempt nearly led to a cataclysmic event for the well-known construction materials supplier, when a worker received an email claiming to contain information on a purported ‘order’ for some imagined product. Clicking the link took the victim to a website in Australia, which then linked through to another site elsewhere that attempted to install malware on their machine. If it had executed, the Trojan would have spied on the company’s network and relayed information back to a server in China.

Whilst one of its existing systems managed to identify and block the threat, it only did so because it had blacklisted the Australian website. That was not enough for Travis Perkins, explains the company’s information security specialist Simon Gray.

“Had it have been sent from a different website address, it wouldn’t have blocked the file. Separately we did some analysis of the malicious file and found that our internal antivirus [produced by Sophos] didn’t know about the file,” Gray tells TechWeekEurope. “We see these kinds of attacks all the time, but it only takes one to get through and we’ve got trouble.

“Had it gone bad, it would have gone really bad. Had someone been able to get in, it would have been a major problem. We were lucky.”

Throwing money at the problem

After recovering from the initial shock, Gray and his team ran a proof of concept to show what the attack could have done. They found various holes in the network, where adequate protection was lacking, before taking their findings to the boardroom. And rather than move at a glacial pace, as is typical when it comes to security, the men upstairs chucked money at the problem quickly. It was a lot of money too. Travis Perkins decided to go all out on a new layer of its security stack, splashing on FireEye gear, which is far from cheap.

What the FireEye appliance does is filter network activity and send files through a virtual machine, where threats are speedily run through their paces to see what damage they can do, similar to what a sandbox does by looking at behaviour rather than reputation. It’s high-end, costly stuff, designed to pick up on zero-day threats. According to FireEye, since it saw the attack targeting others over a 72-hour period a year ago, only half of today’s major AV vendors were able to block the malware.

“FireEye represents an unplanned budgetary expense, which, because I raised the issue internally, got budget for it. It’s a substantial piece of expenditure, but the business saw the value of it,” Gray adds.

Indeed, the investment has already paid off to some extent. “Even in the past three or four weeks, we’ve had stuff that FireEye has picked up where everything else has failed,” says Gray. “It shouldn’t be seeing anything, but it still is. That indicates there is an issue somewhere.”

But now that it has this high-end kit, does Travis Perkins ever foresee a time when it will ditch AV completely, given how leaky most solutions are? Gray says the company will be sticking with Sophos for now, but has not ruled out ditching that particular layer altogether. “If you can implement a whitelisting-only approach, then potentially. But the issue you then have to ask how reliable is the whitelisting technology? Extra education is in the pipeline too. It was worker gullibility, after all, that could have caused carnage for the business. And security is never 100 percent guaranteed, no matter how advanced the technology is.

“If you’re relying on a signature in order to whitelist your systems and somebody is able to circumvent that, you’re stuffed.”

Regardless of what Travis Perkins does in the future, it has provided the rest of the community with proof that at least some C-level executives do understand the need for a big security budget. Scare tactics, it seems, can do the trick.

Are you a security expert? Try our quiz!