In the early days of the digital age, before much of our lives moved online, cybersecurity was a castle-and-moat proposition. You built a firewall that served as the castle wall and assumed everything inside was safe. Today, that model is about as effective as a medieval town wall is against a modern military with hypersonic jets and advanced drones. Most group networks, whether they be for a university campus, a business or a government agency, operate without perimeters. For example, a university’s data might flow between on-premises servers in Bloemfontein, cloud instances in Europe and mobile devices in the hands of students and staff from on and off campus.
To protect this dispersed ecosystem, information technology (IT) has evolved from deploying static tools to engineering a dynamic cybersecurity system. In this article, we will take a detailed look at what happens behind the screen to reveal the daily digital battle that cybersecurity professionals fight against highly sophisticated hacking syndicates. We'll look in detail at how threat detection, incident response and governance interlock to create an active architecture of defence, followed by some case studies where hackers were able to wreak havoc.
The fully online Postgraduate Diploma in Information Technology at the Central University of Technology offers modules on advanced information security and ethical hacking that cover these topics from two different perspectives. You can use the outline below to jump to any specific cybersecurity topics and some frequently asked questions; otherwise, read on to learn more.
Article Outline
- Cybersecurity in the Modern Information Technology Landscape
- Threat Detection: The First Line of Digital Defence
- Incident Response: Containment, Recovery, and Resilience
- Security Management: Governance, Controls and Continuous Monitoring
- Cybersecurity Services as Service-Oriented Architecture (SOA)
- Case Studies: Cybersecurity at Scale
- The Future of Cybersecurity Systems
- FAQs: Cybersecurity System Fundamentals
Cybersecurity in the Modern Information Technology Landscape
In the last decade or so, IT has shifted from a support function to the very backbone of many modern enterprises. As businesses, governments and universities digitise their operations, the distinction between digital and physical infrastructure has blurred.
This convergence has made cybersecurity the most critical pillar of IT architecture. It is no longer enough to simply secure a server room; modern cybersecurity must permeate every layer of the technology stack, protecting data that is constantly in motion, in use and at rest across a globally distributed network.
The Expanding Attack Surface in a Connected Economy
The "attack surface" refers to the total sum of vulnerabilities and entry points that unauthorised users can exploit to enter a system. Historically, this surface was small and contained, typically limited to desktop computers physically plugged into a building’s wall. Today, the attack surface has exploded in size and complexity due to the hyper-connected nature of the digital economy. Every smartphone, smart sensor, cloud database and remote laptop represents a new potential doorway for attackers.
In a large and interconnected environment like a modern university, this challenge is magnified. The network must support thousands of diverse devices, from high-performance research supercomputers to students' personal phones, all connecting simultaneously from different locations. This phenomenon, often referred to as the dissolution of the "network perimeter", means that IT teams can no longer draw a circle around their assets and defend the line. Instead, they must secure an environment where the perimeter is everywhere and nowhere at once.
Why Cybersecurity Systems Require Continuous Evolution
The primary driver for the constant evolution of cybersecurity systems is the sophistication of modern adversaries. We have moved beyond the era of "script kiddies" (opportunistic hackers or teenage pranksters) to an age defined by Advanced Persistent Threats (APTs). APTs are stealthy, continuous computer hacking processes, often orchestrated by nation-states or well-funded criminal syndicates. Unlike standard attacks that aim to "smash and grab" data quickly, APT actors are patient. They infiltrate a network and remain undetected for months or even years, quietly siphoning sensitive research or financial data.
Because APTs are designed to evade traditional defences, a static cybersecurity posture is, in itself, a vulnerability. If a system is built to block only yesterday's known threats, it will fail against an APT that uses novel, "zero-day" techniques to bypass security controls. Consequently, modern cybersecurity systems must be dynamic and adaptive. They require continuous updating, real-time threat intelligence and proactive "threat hunting" capabilities to identify these silent intruders who may have already bypassed the outer walls.
From Hardware Firewalls to Intelligent Cloud-Native Security
For decades, the standard for security was the "middlebox". This was a physical hardware firewall installed in a server rack to filter traffic entering and leaving a building. While these appliances still play a role, they are ill-suited for a world where applications live in the cloud, and users work from coffee shops. Relying solely on hardware creates a bottleneck that slows down performance and fails to protect traffic that never touches the main data centre.
The industry has therefore shifted toward intelligent cloud-native security. In this model, security functions are decoupled from physical hardware and delivered as software from the cloud. This allows security policies to follow the user and the data, rather than being tied to a physical location. By inspecting traffic at the cloud edge, closest to where the data is actually generated, these intelligent systems can apply complex security logic, such as inspecting encrypted traffic or verifying user identity, without the latency penalties associated with routing everything back to a central hardware firewall.
Threat Detection: The First Line of Digital Defence
In the architecture of modern defence, threat detection is the network's sensory system. Its purpose is to provide total visibility into the digital environment, identifying unauthorised activity the moment it occurs. While prevention tools like firewalls aim to stop attacks at the gate, detection tools assume that a sophisticated adversary, such as an APT, may eventually bypass those gates. Much like a home that has motion detectors behind an electric fence, the goal shifts from "keeping them out" to "finding them immediately".
How Threat Detection Works
Effective detection relies on analysing data from across the IT network to distinguish between legitimate user activity and malicious intent. This process has evolved from simple pattern matching to complex algorithmic analysis.
Behavioural Detection vs Signature-Based Detection
Historically, antivirus software relied on signature-based detection. This method compares files against a database of known "signatures" or digital fingerprints of malware. It is similar to a fingerprint database of convicted criminals, which can be very useful in catching criminals, but is mostly useless against first offenders or thieves with gloves. Signature detection is highly effective at catching known threats but has a fatal flaw: it cannot detect what it has not seen before. If an attacker modifies a virus's code by even a single byte, the signature changes, and the tool fails.
To counter this, modern systems rely on behavioural detection to look for suspicious behaviour. Instead of looking at what a file is, this method looks at what it does. Think of it as the digital version of an alert security guard who sees someone pass through a security check without a hitch and then tries to climb through the CEO's office window. For example, if a PDF document suddenly attempts to execute a PowerShell script or connect to an external server in a foreign country, the system flags this behaviour as malicious, regardless of whether the file has a known virus signature. This is critical for stopping APTs, which often use custom-built, never-before-seen tools.
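The contrast between the two methods can be shown in a few lines. The following is an added example, not code from the original article or from any product: the event schema, process names, internal network ranges and sample bytes are all assumptions constructed for the illustration.

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed, harmless bytes standing in for a file already known to be malicious.
KNOWN_SAMPLE = b"constructed-sample-v1"
# The same file with a single byte altered (one bit flipped in the last byte).
VARIANT_SAMPLE = KNOWN_SAMPLE[:-1] + bytes([KNOWN_SAMPLE[-1] ^ 0x01])
SIGNATURE_DB = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

# Assumed values for this illustration, not taken from any product.
DOCUMENT_READERS = {"acrord32.exe", "foxitpdfreader.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe"}
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class ProcessEvent:
    """One endpoint telemetry record (hypothetical schema)."""
    process: str                      # image name of the acting process
    file_bytes: bytes                 # content of the file the process opened
    child: Optional[str] = None       # image name of a spawned child, if any
    remote_ip: Optional[str] = None   # destination of an outbound connection, if any


def signature_match(data: bytes) -> bool:
    """Signature detection: exact hash lookup against known-bad fingerprints."""
    return hashlib.sha256(data).hexdigest() in SIGNATURE_DB


def is_external(ip: str) -> bool:
    """True when the address is outside the organisation's internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def behavioural_findings(ev: ProcessEvent) -> List[str]:
    """Behavioural detection: judge what the process does, not what the file is."""
    findings = []
    if ev.process.lower() in DOCUMENT_READERS:
        if ev.child and ev.child.lower() in SCRIPT_HOSTS:
            findings.append("document reader spawned a script host")
        if ev.remote_ip and is_external(ev.remote_ip):
            findings.append("document reader connected to an external address")
    return findings


def verdict(ev: ProcessEvent) -> dict:
    """Run both detectors over the same event."""
    return {"signature": signature_match(ev.file_bytes),
            "behaviour": behavioural_findings(ev)}


# Constructed events: the known file, the one-byte variant, and a benign document.
EVENT_KNOWN = ProcessEvent("AcroRd32.exe", KNOWN_SAMPLE, child="powershell.exe")
EVENT_VARIANT = ProcessEvent("AcroRd32.exe", VARIANT_SAMPLE,
                             child="powershell.exe", remote_ip="203.0.113.25")
EVENT_BENIGN = ProcessEvent("AcroRd32.exe", b"ordinary report", remote_ip="10.20.30.40")

if __name__ == "__main__":
    for name, ev in [("known", EVENT_KNOWN), ("variant", EVENT_VARIANT),
                     ("benign", EVENT_BENIGN)]:
        print(name, verdict(ev))
```

The variant differs from the known file by a single bit, which is enough to miss the hash lookup, yet it still triggers both behavioural rules.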
AI-Driven Anomaly Detection
The sheer volume of data in something like a university network makes manual monitoring impossible. AI-driven anomaly detection solves this by using machine learning to establish a baseline of "normal" activity for every user and device.
Once this baseline is learned, the AI can spot subtle deviations that a human analyst might miss. For instance, if a finance administrator who typically logs in from Bloemfontein at 8 am suddenly accesses the server at 3 am from an IP address in Eastern Europe, the AI detects this anomaly instantly. This approach is essential for identifying "insider threats" or compromised credentials where the attacker is using a legitimate account.
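A minimal statistical version of such a baseline, as an added example that is not part of the original article: it stands in for the machine-learning model with a per-user circular mean of login hours and a set of seen locations. The thresholds, account names and login history are constructed assumptions, and the location labels are assumed to come from a geo-IP lookup.

```python
import math
from collections import defaultdict

MIN_HISTORY = 10        # assumed: logins needed before a baseline is trusted
MIN_TOLERANCE_H = 2.0   # assumed: never flag deviations smaller than this (hours)


def circ_dist(a: float, b: float) -> float:
    """Distance between two clock times in hours, wrapping at midnight."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def circ_mean(hours) -> float:
    """Mean hour of day on a 24-hour circle, so 23:00 and 01:00 average to 00:00."""
    s = sum(math.sin(h / 24 * 2 * math.pi) for h in hours)
    c = sum(math.cos(h / 24 * 2 * math.pi) for h in hours)
    return (math.atan2(s, c) / (2 * math.pi) * 24) % 24


def learn_baselines(history):
    """Build {user: baseline} from (user, hour, location) login records."""
    per_user = defaultdict(list)
    for user, hour, location in history:
        per_user[user].append((hour, location))
    baselines = {}
    for user, rows in per_user.items():
        if len(rows) < MIN_HISTORY:
            continue  # too little data to call anything "normal"
        hours = [h for h, _ in rows]
        mean = circ_mean(hours)
        spread = sum(circ_dist(h, mean) for h in hours) / len(hours)
        baselines[user] = {
            "mean_hour": mean,
            "tolerance": max(MIN_TOLERANCE_H, 3 * spread),
            "locations": {loc for _, loc in rows},
        }
    return baselines


def assess(baselines, user, hour, location):
    """Return the reasons a login deviates from the user's baseline (empty = normal)."""
    b = baselines.get(user)
    if b is None:
        return ["no baseline yet"]
    reasons = []
    if circ_dist(hour, b["mean_hour"]) > b["tolerance"]:
        reasons.append("unusual hour")
    if location not in b["locations"]:
        reasons.append("new location")
    return reasons


# Constructed history: a finance administrator who logs in around 08:00 and a
# night-shift account whose logins straddle midnight.
HISTORY = (
    [("finadmin", h, "Bloemfontein") for h in
     (7.75, 8.0, 8.25, 8.0, 7.5, 8.5, 8.0, 8.0, 7.75, 8.25, 8.0, 8.0)]
    + [("nightshift", h, "Bloemfontein") for h in
       (23.5, 0.25, 23.75, 0.0, 0.5, 23.5, 0.0, 23.75, 0.25, 0.0)]
)
BASELINES = learn_baselines(HISTORY)

if __name__ == "__main__":
    print(assess(BASELINES, "finadmin", 3.0, "Eastern Europe"))
    print(assess(BASELINES, "nightshift", 0.5, "Bloemfontein"))
```

The night-shift account shows why the mean is taken on a circle: an arithmetic mean of its login hours would land near midday and flag every normal login.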
Automated Alerting and Prioritisation
One of the biggest challenges in cybersecurity is alert fatigue. Much like the fable of “the boy who cried wolf”, this is when security teams are overwhelmed by thousands of low-level warnings, causing them to miss the critical ones. Automated alerting and prioritisation address this by scoring threats based on risk.
Rather than notifying the security operations centre (SOC) for every failed login, the system aggregates data to calculate a "risk score". It might ignore a single failed password but trigger a "critical alert" if that failure is followed immediately by a privilege escalation attempt. This automation ensures analysts focus on high-priority, verified threats rather than chasing false positives.
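The scoring logic described above, sketched as an added example (not code from the original article or from any SIEM product). The weights, time windows, thresholds, account names and events are constructed assumptions; in practice they come from tuning against real alert volumes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed weights and thresholds for illustration only.
BASE_SCORE = {"failed_login": 5, "privilege_escalation": 40}
SEQUENCE_BONUS = 50                      # a failure followed closely by escalation
SEQUENCE_WINDOW = timedelta(minutes=5)
SCORE_WINDOW = timedelta(hours=1)
THRESHOLDS = [(90, "critical"), (40, "high"), (20, "medium")]

# Constructed sample events: (timestamp, account, event type).
EVENTS = [
    ("2024-05-06T08:01:00", "student1", "failed_login"),
    ("2024-05-06T02:58:00", "finadmin", "failed_login"),
    ("2024-05-06T02:59:30", "finadmin", "privilege_escalation"),
    ("2024-05-06T09:00:00", "lecturer7", "failed_login"),
    ("2024-05-06T09:00:10", "lecturer7", "failed_login"),
    ("2024-05-06T09:00:20", "lecturer7", "failed_login"),
    ("2024-05-06T09:00:30", "lecturer7", "failed_login"),
    ("2024-05-06T09:00:40", "lecturer7", "failed_login"),
    ("2024-05-06T11:15:00", "sysop", "privilege_escalation"),
]


def severity(score: int) -> str:
    """Map a numeric risk score to an alert level; low scores raise no alert."""
    for floor, label in THRESHOLDS:
        if score >= floor:
            return label
    return "suppressed"


def score_accounts(events):
    """Return {account: (peak risk score, severity)} over a sliding one-hour window."""
    by_account = defaultdict(list)
    for ts, account, kind in events:
        by_account[account].append((datetime.fromisoformat(ts), kind))

    results = {}
    for account, items in by_account.items():
        items.sort()
        peak = 0
        for i, (ts, kind) in enumerate(items):
            # Everything this account did in the hour up to and including this event.
            window = [(t, k) for t, k in items[: i + 1] if ts - t <= SCORE_WINDOW]
            score = sum(BASE_SCORE.get(k, 0) for _, k in window)
            # Sequence rule: escalation shortly after a failed login is worth
            # more than the two events scored separately.
            if kind == "privilege_escalation" and any(
                k == "failed_login" and ts - t <= SEQUENCE_WINDOW
                for t, k in window[:-1]
            ):
                score += SEQUENCE_BONUS
            peak = max(peak, score)
        results[account] = (peak, severity(peak))
    return results


def soc_queue(results):
    """Alerts that reach the SOC, highest risk first; suppressed accounts are dropped."""
    alerts = [(acct, score, sev) for acct, (score, sev) in results.items()
              if sev != "suppressed"]
    return sorted(alerts, key=lambda a: -a[1])


if __name__ == "__main__":
    for row in soc_queue(score_accounts(EVENTS)):
        print(row)
```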
Core Threat Detection Technologies
To achieve this level of visibility, the cybersecurity system relies on a triad of the following specialised technologies and systems.
Endpoint Detection & Response (EDR)
EDR focuses on the individual devices, such as laptops, servers and workstations. It records activity at the operating system level, capturing process executions, registry changes and file modifications. If an APT actor manages to infect a researcher's laptop with ransomware, the EDR tool can detect the encryption process beginning and automatically isolate the device from the network to prevent the spread.
Network Detection & Response (NDR)
While EDR monitors devices, network detection and response (NDR) monitors traffic between them. It analyses network packets to detect lateral movement when attackers jump from server to server. Crucially, modern NDR tools can analyse encrypted traffic (which makes up the majority of web traffic today) to find hidden threats without needing to decrypt the data, preserving user privacy while maintaining security.
Intrusion Detection and Prevention Systems (IDS/IPS)
If a firewall is the security guard at the front gate checking IDs, intrusion detection systems (IDS) and intrusion prevention systems (IPS) are the surveillance cameras and automated barriers inside the building. They are designed to inspect the content of the traffic, not just where it comes from.
While often grouped together, they serve distinct functions in the cybersecurity architecture:
Intrusion Detection Systems (IDS): The "Burglar Alarm"
An IDS is a passive monitoring tool. It sits off to the side of the main network traffic and analyses copies of the data packets flowing through the network.
- Function: It compares network traffic against a database of known attack "signatures" (like a fingerprint of a specific virus or exploit).
- Action: When it spots a match, such as a SQL injection attempt against a university database, it sends an alert to the SOC or logs the event.
- Limitation: Because it is passive, an IDS cannot stop the attack on its own. It can only raise a silent alarm to alert others to respond. Its value lies in visibility without slowing down network performance.
Intrusion Prevention Systems (IPS): The "Bouncer"
An IPS is an active control tool. Unlike an IDS, an IPS sits inline with the traffic flow, meaning traffic must pass through it to reach its destination.
- Function: It performs the same deep packet inspection as an IDS, looking for malicious patterns, malware or policy violations.
- Action: Because it is inline, if it detects a threat, it can automatically drop the packet, reset the connection or block the offending IP address immediately.
- Risk: The danger of an IPS is that it can flag "false positives". If the IPS mistakenly identifies legitimate user requests as an attack and blocks them, it disrupts operations. Therefore, tuning these systems is a critical maintenance task.
IDS vs IPS Comparison Table
| Feature | Intrusion Detection System (IDS) | Intrusion Prevention System (IPS) |
| --- | --- | --- |
| Position | Out-of-band (to the side of traffic) | Inline (in the flow of traffic) |
| Primary Goal | Visibility and alerting | Control and blocking |
| Action | Logs and alerts (passive) | Drops packets/blocks connection (active) |
| Network Impact | None (doesn't slow down traffic) | Latency (can slow traffic if overloaded) |
| Risk | Alert fatigue (too many warnings) | False positives (blocking good traffic) |
Security Information and Event Management (SIEM)
A SIEM system serves as the central brain of the detection architecture. It ingests logs and data from EDR, NDR, firewalls and identity as a service (IDaaS) systems to provide a holistic view of the system's security status. By correlating these disparate data points, a SIEM system can piece together a complete attack narrative.
It can do this by, for example, connecting a phishing email received on Monday (from the email gateway log) to a malware download on Tuesday (through the EDR log) and data exfiltration on Wednesday (via the network log).
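The Monday-to-Wednesday correlation described above, as an added example that is not from the original article or any SIEM product. The three log schemas, the host-to-owner inventory, the exfiltration threshold and every record are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample logs, one list per source, each with its own hypothetical schema.
EMAIL_GATEWAY_LOG = [
    {"received": "2024-05-06T09:12:00", "rcpt": "n.mokoena@example.ac.za",
     "verdict": "phishing", "subject": "Invoice overdue"},
    {"received": "2024-05-06T10:30:00", "rcpt": "t.botha@example.ac.za",
     "verdict": "clean", "subject": "Timetable"},
]
EDR_LOG = [
    {"ts": "2024-05-07T14:03:00", "user": "n.mokoena", "host": "LAB-PC-17",
     "event": "malware_download", "file": "invoice.js"},
]
NETWORK_LOG = [
    {"time": "2024-05-08T23:40:00", "src_host": "LAB-PC-17",
     "bytes_out": 4_800_000_000, "dst": "198.51.100.77"},
    {"time": "2024-05-08T11:00:00", "src_host": "LIB-PC-02",
     "bytes_out": 5_200_000_000, "dst": "198.51.100.90"},
]

STAGE_ORDER = ["phishing_email", "malware_download", "data_exfiltration"]
EXFIL_BYTES = 1_000_000_000                                      # assumed threshold
HOST_OWNER = {"LAB-PC-17": "n.mokoena", "LIB-PC-02": "t.botha"}  # assumed inventory


def event(ts, user, stage, source, detail):
    """Common record shape that every source is normalised into."""
    return {"time": datetime.fromisoformat(ts), "user": user,
            "stage": stage, "source": source, "detail": detail}


def normalise(email_log, edr_log, net_log):
    """Translate three source-specific schemas into one time-ordered event list."""
    events = []
    for r in email_log:
        if r["verdict"] == "phishing":
            events.append(event(r["received"], r["rcpt"].split("@")[0],
                                "phishing_email", "email gateway", r["subject"]))
    for r in edr_log:
        if r["event"] == "malware_download":
            events.append(event(r["ts"], r["user"], "malware_download",
                                "EDR", f'{r["file"]} on {r["host"]}'))
    for r in net_log:
        if r["bytes_out"] >= EXFIL_BYTES:
            # Network logs know hosts, not people: resolve the owner first.
            user = HOST_OWNER.get(r["src_host"], f'unattributed:{r["src_host"]}')
            events.append(event(r["time"], user, "data_exfiltration",
                                "network", f'{r["bytes_out"]} bytes to {r["dst"]}'))
    return sorted(events, key=lambda e: e["time"])


def correlate(events, window=timedelta(days=7)):
    """Return {user: chain} where all three stages occur in order within the window.

    Takes the earliest event that matches each stage in turn.
    """
    narratives = {}
    for user in {e["user"] for e in events}:
        chain = []
        for e in (x for x in events if x["user"] == user):
            if len(chain) < len(STAGE_ORDER) and e["stage"] == STAGE_ORDER[len(chain)]:
                chain.append(e)
        if len(chain) == len(STAGE_ORDER) and chain[-1]["time"] - chain[0]["time"] <= window:
            narratives[user] = chain
    return narratives


if __name__ == "__main__":
    all_events = normalise(EMAIL_GATEWAY_LOG, EDR_LOG, NETWORK_LOG)
    for user, chain in correlate(all_events).items():
        print(user)
        for e in chain:
            print(" ", e["time"].strftime("%a %H:%M"), e["source"], e["stage"], e["detail"])
```

The second large upload, from LIB-PC-02, produces no narrative because nothing precedes it in that user's chain; taken alone it would be one more uncorrelated alert.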
Cyber Threat Intelligence Integration
In the past, security teams operated in silos, defending their networks based solely on what they could see within their own walls. Today, that approach is insufficient. Cyber threat intelligence (CTI) integration connects an organisation’s local defences to a global system of security knowledge. By ingesting data from external sources such as industry alliances, government agencies and commercial researchers, a security team can anticipate attacks before they come. This shift turns cybersecurity from a reactive "whack-a-mole" game into a proactive strategic operation.
Threat-Intel Feeds as a Service
One of the most powerful applications of the service-oriented architecture (SOA) model is threat intelligence as a service (TIaaS). Instead of relying on a static, manually updated database of blocked websites, modern firewalls and SIEMs subscribe to real-time cloud feeds. These feeds function like a 24/7 news ticker for cyber threats. If a malicious server is identified attacking a bank in Singapore at 10 am, the "signature" of that server (its IP address or domain) is instantly pushed to the TIaaS cloud. By 10.01 am, subscribers worldwide automatically receive this update, and their firewalls pre-emptively block the threat.
This service model also democratises access to elite intelligence. Historically, only the very best funded and resourced operations could afford to track global hacking syndicates. Now, through TIaaS, educational institutions can access the same high-fidelity intelligence used by Fortune 500 companies. These feeds are often categorised by industry, allowing university IT directors, for example, to subscribe specifically to "education sector" feeds that track ransomware gangs known for targeting academic research repositories and student financial aid systems.
MITRE ATT&CK Mapping
To make threat intelligence actionable, security professionals use the MITRE ATT&CK framework (an acronym of sorts for adversarial tactics, techniques and common knowledge). Unlike traditional models that focus on who the attacker is, the ATT&CK framework focuses on how they operate, including the tactics, techniques and procedures (TTPs). The framework acts as a periodic table of hacker behaviour, categorising every known method an attacker uses to gain access, move laterally or steal data.
For an organisation's security operations centre, "mapping" to MITRE ATT&CK provides valuable information in the case of an attack. Instead of just seeing a generic "malware alert", an analyst sees more detail on the TTPs that were used in the attack, and these are matched to previous attacks that used the same methods. This tells the analyst exactly what the attacker is trying to do and, crucially, what they might do next. By designing defences that block these specific behaviours rather than just specific files, the system becomes resilient against even modified or new versions of malware.
Early Warning Systems for Zero-Day Attacks
A zero-day attack is a cyberattack that exploits a vulnerability unknown to the software vendor, meaning there are "zero days" available to fix it before it is used. Because there are no known signatures for these attacks, traditional antivirus tools are blind to them. Early warning systems bridge this gap by utilising deception technology and global sensor networks. These systems deploy "honeypots" across the internet: fake servers and data files that appear valuable but are actually traps.
When a hacker attempts to exploit a new zero-day vulnerability on one of these honeypots, the system captures the attack in a safe environment. AI algorithms immediately analyse the traffic to understand the new exploit method. This data is then instantly converted into a "heuristic" (behavioural) rule and broadcast to the main network. This means that while the specific vulnerability in the software may remain unpatched for days, the attack method itself is detected and blocked by the early warning system before it can compromise real institutional data.
Incident Response: Containment, Recovery and Resilience
In an era where determined adversaries like Advanced Persistent Threats (APTs) are constantly probing defences, the question is not if a breach will occur, but when. Incident response (IR) is the organised approach to addressing and managing the aftermath of a security breach or cyberattack. The goal is to limit damage and reduce recovery time and costs. A robust IR strategy shifts an organisation from a state of chaos to a state of resilience, ensuring that when an incident strikes, whether it is a ransomware lock-out or a quiet data leak, the response is calm, calculated and effective.
Modern incident response is no longer a manual process performed solely by humans. It is a hybrid discipline that combines the strategic decision-making of expert analysts with the machine speed of automated tools. This combination is essential because in the first few minutes of a breach, speed is the only metric that matters. The difference between a minor nuisance and a catastrophic headline often comes down to how quickly the containment phase can be executed.
The Incident Response Lifecycle
To ensure consistency and effectiveness, professional IR teams follow a structured lifecycle, typically modelled on the NIST or ISO/IEC 27035 frameworks.
Identification
The first step is determining whether an event is actually a security incident. Not every firewall alert requires a full mobilisation of the IR team. Analysts must sift through "indicators of compromise" (IoCs) to distinguish between a false positive (such as a user forgetting their password) and a true positive (such as a brute-force attack).
This phase often involves "triage", where the severity of the incident is assessed to prioritise resources. For APTs, identification is particularly challenging, as these actors often use legitimate administrative tools ("living off the land") to blend in with normal traffic, making them difficult to uncover.
Containment
Once a threat is confirmed, the immediate priority is containment. This phase focuses on minimising the damage and preventing the attacker from moving laterally to other systems.
- Short-term containment: This might involve isolating a specific server, blocking a URL at the firewall or disabling a compromised user account immediately.
- Long-term containment: This involves applying temporary fixes to production systems to keep operations running while a permanent solution is developed. In the case of ransomware, rapid containment is critical to prevent the encryption of shared network drives, which can paralyse an entire organisation in minutes.
Eradication
After the threat is contained, the team moves to eradication. This is the cleanup phase, where the root cause of the incident is removed. It involves deleting malware, disabling breached accounts and patching the vulnerability that was exploited in the first place. For APTs, this phase is exhaustive because these attackers often install multiple backdoors to ensure they can return. Eradication must ensure that every trace of their presence is completely purged from the environment, including malicious scripts, hidden user accounts and scheduled tasks.
Recovery
Recovery is the process of restoring systems to normal operation. This involves restoring data from clean backups, rebuilding compromised servers and resetting passwords. Systems are often brought back online in a staged manner during the recovery process, with heightened monitoring to ensure the attacker does not return. This phase confirms that the organisation has returned to a trusted state and that business as usual can resume.
Post-Incident Review
Often the most neglected but most valuable phase, the post-incident review takes place after the dust has settled. The team analyses what happened, what worked and what failed. Did the detection tools catch the threat fast enough? Was the backup data complete? This feedback loop drives the continuous evolution of the security system, turning a negative event into a catalyst for strengthening future defences.
Tools that Power Incident Response
Speed and precision are of the utmost importance in responding to an incident. Security staff make use of the following specialised tools to aid them.
SOAR Platforms and Automation
Security orchestration, automation and response (SOAR) platforms have drastically sped up IR by automating routine tasks. In a manual world, an analyst sees a phishing alert, logs into the email server, finds the email, deletes it, and then logs into the firewall to block the sender. A SOAR platform automates this entire workflow into a single playbook. When the alert arrives, the SOAR platform executes these steps almost instantly, across multiple systems, without human intervention. This drastically reduces the response time, freeing up human analysts to hunt for more complex threats.
Forensic Analysis Tools
When deep investigation is needed, forensic analysis tools allow responders to investigate the digital crime scene. These tools can capture a snapshot of a computer's memory (RAM) to find malware that runs only in memory and never touches the hard drive (fileless malware). They also allow analysts to reconstruct the attacker's timeline, showing exactly which files were opened and which commands were typed.
Log Correlation and Root-Cause Analysis
Log correlation engines (often part of the SIEM system) are essential for determining the scope of an attack. By stitching together logs from the web server, the database and the authentication system, these tools help analysts perform root-cause analysis. Identifying the initial point of entry is vital for understanding how the breach occurred and for ensuring it cannot happen again in the same way.
Key Incident Response Frameworks
When confronted with a security incident, IT professionals can refer to the following two internationally respected frameworks to learn the best practices for that particular type of incident.
NIST Incident Response Framework
The US National Institute of Standards and Technology (NIST) offers a cybersecurity framework, CSF 2.0, that is the gold standard for many organisations, providing a flexible, risk-based approach to managing and responding to cyber incidents. It emphasises a continuous cycle of preparation, detection, analysis, containment, eradication and recovery.
ISO/IEC 27035
The International Organisation for Standardisation (ISO) established a series of cybersecurity standards, including ISO/IEC 27035, which provides specific guidelines for incident management. It helps organisations establish a structured process for reporting and assessing vulnerabilities, ensuring that incident response is not just an IT reaction but a formal business process.
Security Management: Governance, Controls and Continuous Monitoring
While threat detection and incident response handle the immediate "firefighting" of cybersecurity, security management is the architectural discipline that prevents the fires from starting in the first place. It encompasses the strategic layer of the cybersecurity system, defining the rules, roles and responsibilities that govern the entire IT network. In a modern university environment, for example, security management is no longer just an IT function; it is a business enabler that ensures research integrity, student privacy and operational continuity.
What Is Security Management in IT Systems?
Security management acts as the bridge between organisational goals and technical implementation. It transforms abstract requirements, such as keeping user data safe, into concrete, enforceable technical controls.
Policy Design and Security Governance
Governance is the foundation of security. It involves creating policies that dictate acceptable use, data handling, and security expectations for every user on the network. Effective governance ensures that security decisions are made at the executive level rather than being relegated solely to technical staff.
Policy design translates these decisions into rules. Governance ensures that these policies are not just written documents but are actively enforced through technical controls and regular audits.
Identity and Access Management
An identity and access management (IAM) system is the gatekeeper of the digital environment. It enforces the principle of "least privilege", ensuring that users only have access to the specific data and systems necessary for their role. A guest lecturer, for instance, should not have the same network permissions as the dean of the faculty.
Modern IAM systems manage the full lifecycle of a digital identity, from onboarding a new user to revoking access when a staff member resigns. This includes implementing Multi-Factor Authentication (MFA), which adds a critical layer of defence against stolen credentials by requiring a second form of verification beyond a password.
Vulnerability and Patch Management
Vulnerability management is the continuous process of identifying and remediating weak points in the IT infrastructure before attackers can exploit them. This involves regular scanning of all servers, laptops and applications to detect outdated software or misconfigurations.
Patch management is the remediation arm of this process. It ensures that security updates released by software vendors are tested and deployed rapidly. In a large university network, automated patch management is essential to simultaneously close security gaps across thousands of devices, reducing the window of opportunity for attackers.
Risk Assessment and Compliance
Risk assessment quantifies the potential impact of cyber threats. It answers the critical question: "What happens if this specific system is compromised?" By assigning a financial or reputational value to assets, IT leaders can prioritise their budget and focus resources on protecting the most critical data first. For example, user credit card details are usually stored much more securely than less sensitive contact information.
Compliance ensures that the organisation adheres to legal and regulatory obligations. This involves mapping internal security controls against requirements such as the Protection of Personal Information Act in South Africa (POPIA) or the General Data Protection Regulation (GDPR) in the EU. Regular compliance audits verify that the security system is not only effective but also legally defensible.
Compliance may seem like a secondary issue and unrelated to IT security, but this is not the case. While writing this article, the CyberSecurity Hub's news feed featured an article about a legal battle over a R5 million fine that the Information Regulator wants to charge the Department of Education over privacy issues related to the publishing of matric results in newspapers. If a government agency is willing to impose such a large fine on another government agency for something it has done for decades, this should serve as a warning to any private organisations to take compliance very seriously.
Security Operation Centres (SOC)
The operational heart of a security management system is the security operations centre (SOC). It is the centralised facility where the people component of the cybersecurity system resides, monitoring the network 24/7.
Roles and Functions
A standard SOC is staffed by a hierarchy of experts with distinct responsibilities. Tier 1 analysts act as the first line of defence, monitoring screens and triaging thousands of daily alerts to separate background noise from genuine threats.
When a serious threat is identified, it is escalated to Tier 2 incident responders, who investigate the scope of the breach using forensic tools.
Tier 3 of the SOC hierarchy comprises more specialised analysts responsible for threat hunting and advanced response. At Tier 4, the SOC manager oversees the entire operation and coordinates strategy, communicating with the organisation's leadership during a crisis to ensure a unified response.
SOC as a Service Models
Building and staffing an in-house 24/7 SOC is prohibitively expensive for many organisations. The shift towards service-oriented architecture (SOA) has popularised the SOC-as-a-service model.
In this model, the organisation outsources the monitoring function to a specialised external provider. These providers operate large-scale SOCs that monitor multiple clients simultaneously. This allows the organisation to benefit from enterprise-grade monitoring, advanced threat intelligence, and 24/7 coverage at a fraction of the cost of building a dedicated facility.
Integrating SOC with Cloud and Hybrid Architectures
As organisations move data to the cloud, their SOCs must adapt. Modern SOCs must be able to integrate with cloud and hybrid architectures. This means the SOC cannot just look at on-premises data centres; it must have visibility into cloud platforms such as Azure, AWS, and Google Cloud.
This integration is achieved through APIs that feed cloud logs directly into the SOC's central SIEM system. This ensures that a threat actor cannot hide simply by moving their attack from a physical server to a cloud-based application, as the SOC maintains a single view over the entire hybrid estate.
Security Frameworks for Organisational Maturity
To ensure that security management is rigorous and comprehensive, it is best practice to align with internationally recognised frameworks.
NIST Cybersecurity Framework (CSF)
The NIST Cybersecurity Framework (CSF) is widely considered the gold standard for critical infrastructure. Recently updated to version 2.0, it organises cybersecurity activities into six core functions: govern, identify, protect, detect, respond and recover. It provides a common language for IT staff and business executives to discuss cyber risk, moving the conversation from technical jargon to business continuity.
ISO/IEC 27001
ISO/IEC 27001 is an international standard that specifies an information security management system (ISMS). Unlike NIST, which is a voluntary guidance framework, organisations can be officially "certified" as ISO 27001 compliant by an external auditor. This certification is often a key requirement for establishing trust when partnering with government bodies or international institutions.
CIS Critical Security Controls
While NIST and ISO provide high-level strategy, the CIS Critical Security Controls offer a practical, prioritised checklist of technical actions. Formerly known as the SANS Top 20, these controls focus on the most effective technical measures to reduce risk. They serve as an immediate "to-do list" for security engineering teams to harden the network against the most common real-world attacks.
Cybersecurity Services as Service-Oriented Architecture (SOA)
The biggest shift in the current cybersecurity landscape is architectural. We are moving away from the era of "monolithic" security, where a single appliance or software suite attempted to do everything, toward a service-oriented architecture (SOA) model. In this model, cybersecurity is not a product you buy; it is a composition of specialised, interoperable services that you consume. This shift mirrors the broader IT trend of breaking down complex applications into manageable, modular microservices.
Understanding SOA in Cybersecurity Systems
In a traditional IT environment, security tools were often "silos". The antivirus didn't communicate with the firewall, and the firewall didn't communicate with the identity server. In an SOA-based cybersecurity system, these functions are decoupled and exposed as services via Application Programming Interfaces (APIs).
This means that user authentication becomes a stand-alone service that any application in the system can call. The application doesn't need to know how to check a password; it simply sends a request to the identity service and gets a "yes" or "no" answer. This architecture transforms security from a series of roadblocks into a flexible fabric that wraps around every digital interaction.
Why Modular Security Services Are the Future
The primary drivers of this shift are speed and specialisation. The threat landscape changes too fast for any single vendor to master every aspect of defence. A company that builds excellent firewalls might be terrible at email security.
By adopting a modular approach, institutions can pursue a "best-of-breed" strategy. You can use the world’s best identity provider, the world’s best endpoint protection, and the world’s best cloud monitoring, and stitch them together into a cohesive system. If a better technology emerges next year, you can swap out just that one module without tearing down your entire infrastructure. This "composable security" is the only way to keep pace with agile adversaries.
Core SOA-Enabled Cybersecurity Services
The following five pillars represent the primary security functions that have successfully migrated to this service model:
Identity as a Service (IDaaS)
Identity is the new perimeter. IDaaS moves login and authentication off individual servers and into the cloud.
- Function: It provides single sign-on (SSO), allowing, for example, an online student to log in once and access course notes, messaging services and exam results without re-entering credentials.
- Benefit: It centralises Multi-Factor Authentication (MFA). If a user is compromised, the security team can disable their access to all applications instantly from one dashboard, rather than locking them out of several different systems individually.
Threat Intelligence as a Service
In the past, a firewall only knew about threats it had personally seen. Threat intelligence as a service changes this by connecting the institution to a global brain.
- Function: Specialised providers track hacking groups globally. When they find a new virus in Brazil, they update the "hash" (fingerprint) in their cloud database.
- Benefit: Systems that are subscribed to this service are inoculated against the threat before it even crosses the Atlantic. It turns the entire global user base into a neighbourhood watch.
Monitoring as a Service
This service, often delivered as SOC as a service, outsources the responsibility for monitoring a network 24/7.
- Function: Instead of paying for three shifts of analysts to sit in a room on site, network logs are streamed securely to a specialist provider.
- Benefit: These providers use massive scale to detect patterns that a single team might miss. They filter out the noise and only wake up the organisation's IT staff when a confirmed, critical incident requires human intervention.
Incident Response as a Service
Few organisations can afford to keep a team of elite forensic investigators on the payroll full-time.
- Function: This is typically a retainer service. When a major breach occurs (such as a ransomware attack), the institution activates the service.
- Benefit: Within hours, a team of experts, including negotiators, malware reverse-engineers and crisis communicators, is digitally deployed to the network to take command of the situation.
Compliance as a Service
With tightening regulations like POPIA, compliance is a heavy administrative burden.
- Function: These services continuously scan the network, not just for hackers, but also for policy violations (e.g., "Why is this credit card data stored in plain text?").
- Benefit: Instead of a frantic manual audit once a year, the institution has a real-time dashboard showing its compliance score. It automates the generation of reports for auditors and regulators.
Benefits of SOA: Interoperability, Scalability and Adaptability
Interoperability: The superpower of SOA is communication. Because every service speaks a common language through APIs, your email security service can tell your firewall service to block a malicious IP address automatically. This automation closes the gap between detection and response.
Scalability: SOA services are cloud-native. If an organisation suddenly adds 5,000 new users, the identity service scales up instantly to handle the load. There is no hardware to buy or servers to install.
Adaptability: It future-proofs the investment. As the organisation's needs change, the security services can be reconfigured rather than replaced.
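The interoperability point above, as an added example that is not from the article or any vendor: a playbook that turns an email-security verdict into a firewall block, with the guardrails such automation needs. The FirewallService class, the event fields, the thresholds and all addresses are assumptions made for illustration.

```python
import ipaddress

# Addresses the playbook must never block automatically (assumed policy):
# internal ranges plus the organisation's own mail gateway (constructed).
PROTECTED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "192.0.2.10/32",
)]
MIN_CONFIDENCE = 0.9          # below this, a human decides
BLOCK_SECONDS = 24 * 3600     # blocks expire instead of accumulating forever


class FirewallService:
    """In-memory stand-in for a firewall block-list API (hypothetical)."""

    def __init__(self):
        self._blocked = {}                      # ip string -> expiry time

    def block(self, ip, until):
        # Never shorten a block that is already in place.
        self._blocked[ip] = max(until, self._blocked.get(ip, 0))

    def is_blocked(self, ip, now):
        return now < self._blocked.get(ip, 0)


def handle_email_verdict(event, firewall, now):
    """Turn one email-security verdict into at most one firewall action."""
    if event.get("verdict") != "malicious":
        return "ignored: not malicious"
    if event.get("confidence", 0.0) < MIN_CONFIDENCE:
        return "queued for analyst: low confidence"
    try:
        ip = ipaddress.ip_address(event.get("sender_ip", ""))
    except ValueError:
        return "rejected: invalid address"
    if any(ip in net for net in PROTECTED_NETWORKS):
        return "queued for analyst: protected address"
    firewall.block(str(ip), now + BLOCK_SECONDS)
    return "blocked"


# Constructed verdicts as the email service might publish them.
EVENTS = [
    {"verdict": "malicious", "confidence": 0.97, "sender_ip": "198.51.100.23"},
    {"verdict": "malicious", "confidence": 0.55, "sender_ip": "198.51.100.77"},
    {"verdict": "malicious", "confidence": 0.99, "sender_ip": "10.4.2.17"},
    {"verdict": "malicious", "confidence": 0.99, "sender_ip": "192.0.2.10"},
    {"verdict": "clean", "confidence": 0.99, "sender_ip": "198.51.100.5"},
    {"verdict": "malicious", "confidence": 0.95, "sender_ip": "not-an-ip"},
]


def run_playbook(events, now):
    """Process all events against a fresh firewall; return (actions, firewall)."""
    firewall = FirewallService()
    return [handle_email_verdict(e, firewall, now) for e in events], firewall
```

The two "protected address" outcomes are the reason for the guardrail: a spoofed or misattributed verdict must not be able to make the firewall block the organisation's own hosts.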
Challenges: Integration Complexity, Vendor Lock-In and Data Sovereignty
While the SOA model reduces the burden on an organisation's security team, it comes with a few key risks that must be managed. The following are the three biggest issues to address when setting up an SOA system.
Integration complexity: While APIs allow tools to talk, getting them to speak the same language fluently can be difficult when integrating a large number of connections from different suppliers. Managing hundreds of API connections requires a high level of developer expertise within the security team, which can lead to API fatigue.
Vendor lock-in: Relying heavily on a single cloud provider's ecosystem (like using only Microsoft or Amazon security services) can make it difficult to leave. If that vendor raises prices or discontinues a feature, the institution is trapped.
Data sovereignty: This is especially important for South African institutions. If you use a US-based identity as a service provider, where is the user data actually stored? Under POPIA, ensuring that sensitive personal information remains within legal jurisdictions is a major compliance hurdle that must be vetted during procurement.
Case Studies: Cybersecurity at Scale
There's an old military saying: "Few plans survive first contact with the enemy." While planning is incredibly important, hackers will try to strike in unexpected places, meaning that responders need to be adaptable and flexible in their approach. The following case studies cover some of the most disruptive cyberattacks in recent years, showing how seemingly minor oversights can lead to major incidents.
How Cloud Providers Secure Global Infrastructure
Case study: The SolarWinds supply chain attack (2020)
This sophisticated attack changed how we view the trustworthiness of software updates. Cloud providers eventually neutralised the attack at the cloud level, but not before it had caused an average revenue hit of 11% across SolarWinds' customers. The attack highlighted both the vulnerability of security systems and the importance of behavioural detection.
The technique: Russian state-sponsored hackers (APT29) did not attack their targets directly. Instead, they hacked SolarWinds, a company that makes IT monitoring software used by thousands of organisations. They injected a "backdoor" into a legitimate software update (Orion).
The spread: When 18,000 customers, including Microsoft, FireEye and the US government, downloaded the supposedly safe update, they unknowingly installed the backdoor.
The cloud response: Microsoft and AWS had to use massive threat intelligence capabilities to identify the specific behaviour of this backdoor across millions of servers globally. They effectively "de-authorised" the compromised digital certificates, neutralising the malware at a cloud level.
The lesson: This is the ultimate argument for behavioural detection over signature detection. Because the update was "signed" by a trusted vendor, traditional antivirus software trusted it. Only behavioural tools (EDR) could catch it after they noticed that the software was acting strangely by calling out to unknown servers.
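The difference between the two detection styles in this lesson, as an added example (not code from the article or from any EDR product): both checks are run over the same constructed connection events. Process names, signer names, domains and the seven-day baseline window are assumptions.

```python
from collections import defaultdict

TRUSTED_SIGNERS = {"Trusted Vendor Ltd", "Backup Corp"}
BASELINE_DAYS = 7          # learning window for "normal" behaviour

# Constructed events: (day, process, signer, signature_valid, destination)
EVENTS = [
    (1, "monitoring-agent", "Trusted Vendor Ltd", True, "updates.vendor.example"),
    (2, "monitoring-agent", "Trusted Vendor Ltd", True, "licence.vendor.example"),
    (3, "backup-client", "Backup Corp", True, "storage.backup.example"),
    (5, "monitoring-agent", "Trusted Vendor Ltd", True, "updates.vendor.example"),
    # Day 9: a validly signed update that carries a backdoor is installed.
    (9, "monitoring-agent", "Trusted Vendor Ltd", True, "updates.vendor.example"),
    (9, "monitoring-agent", "Trusted Vendor Ltd", True, "a1b2.unknown-host.example"),
    (9, "backup-client", "Backup Corp", True, "storage.backup.example"),
    (10, "report-tool", None, False, "cdn.tools.example"),
]


def signature_verdict(event):
    """Signature-style check: trust anything validly signed by a known vendor."""
    _day, _proc, signer, valid, _dest = event
    return "trusted" if valid and signer in TRUSTED_SIGNERS else "untrusted"


def build_baseline(events, last_day=BASELINE_DAYS):
    """Learn which destinations each process contacted during the window."""
    baseline = defaultdict(set)
    for day, proc, _signer, _valid, dest in events:
        if day <= last_day:
            baseline[proc].add(dest)
    return dict(baseline)


def behavioural_verdict(event, baseline):
    """Behavioural check: flag destinations a process has never used before."""
    _day, proc, _signer, _valid, dest = event
    if proc not in baseline:
        return "anomalous: process has no baseline"
    if dest not in baseline[proc]:
        return "anomalous: new destination"
    return "normal"


def compare_detectors(events, last_day=BASELINE_DAYS):
    """Score every post-baseline event with both detectors."""
    baseline = build_baseline(events, last_day)
    return [
        (ev[1], ev[4], signature_verdict(ev), behavioural_verdict(ev, baseline))
        for ev in events if ev[0] > last_day
    ]


def missed_by_signature(events, last_day=BASELINE_DAYS):
    """Events the signature check trusts but the behavioural check flags."""
    return [
        (proc, dest)
        for proc, dest, sig, beh in compare_detectors(events, last_day)
        if sig == "trusted" and beh != "normal"
    ]


if __name__ == "__main__":
    for row in compare_detectors(EVENTS):
        print(row)
```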
Attack and Response: Anatomy of a Major Ransomware Incident
Case study: The Colonial Pipeline attack (2021)
This incident remains the definitive case study for the convergence of IT and operational technology. While it did not affect us in South Africa and the name is unlikely to be familiar, this attack had major ramifications in the US. The attack shut down the country’s largest refined oil pipeline for 5 days, causing fuel shortages along the US East Coast and prompting a federal emergency declaration.
The breach: In May 2021, the DarkSide ransomware gang breached Colonial Pipeline's networks using a single compromised VPN password found on the dark web.
The containment failure: Because the pipeline's billing system (IT) was not sufficiently isolated from the pipeline controls (operational technology), the company had to shut down the entire fuel pipeline to prevent the malware from spreading to the physical pumps.
The impact: This defensive shutdown caused panic buying and fuel shortages across the US East Coast. Aside from suffering massive reputational and financial harm, the company also had to pay $4.4 million to the ransom group to restore operations.
The lesson: This case highlights the need for network segmentation (a core zero-trust principle). Had the billing network been completely isolated from the operational network, the pipeline could have kept pumping fuel even while the office computers were locked. The incident also prompted the US government to drastically improve its cybersecurity infrastructure. As part of its response, it created the Cyber Safety Review Board and the stopransomware.gov site to provide a central location for alerts and guidance for businesses and individuals.
Financial Sector Threat Detection Models
Case study: TransUnion South Africa data breach (2022)
The data breach at credit bureau TransUnion was a high-profile local example that prompted the Information Regulator to demand that the company comply with POPIA and better communicate the scope of the risk and how it planned to address it. This financial sector attack highlights the importance of identity management and shows why financial institutions require such strong passwords and complex verification processes.
The breach: A hacking group known as N4ughtySecTU accessed a TransUnion South Africa server. Their method was much less elaborate than the previous two examples, as they were able to brute force a weak password belonging to an authorised client.
The failure: The breach exploited a lack of robust Multi-Factor Authentication (MFA) on that specific client portal.
The response: TransUnion had to isolate the affected server and engage forensic experts to determine the scope of the breach. While the hackers claimed to have stolen 54 million records, the investigation found the actual impact to be lower.
The lesson: A firewall is useless if the attacker has the keys to the front door. This incident underscores why identity as a service (IDaaS) with mandatory MFA and strong passwords is so important for protecting sensitive financial data.
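An added example, not code from the article or from any IDaaS product, of the identity service described earlier (one "yes" or "no" answer per request) with the mandatory MFA this lesson calls for: a correctly guessed password is still refused without a valid one-time code, and repeated failures lock the account. The class name, thresholds and in-memory user store are assumptions; the one-time code follows RFC 6238.

```python
import hashlib
import hmac
import os
import struct
import time


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password per RFC 6238 (HMAC-SHA1)."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class IdentityService:
    """Central yes/no authentication with mandatory MFA and account lockout."""

    MAX_FAILURES = 5             # assumed policy values
    LOCKOUT_SECONDS = 15 * 60

    def __init__(self):
        self._users = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)

    def enrol(self, username: str, password: str, totp_secret: bytes) -> None:
        salt = os.urandom(16)
        self._users[username] = {
            "salt": salt, "hash": self._hash(password, salt),
            "totp": totp_secret, "failures": 0, "locked_until": 0.0,
        }

    def authenticate(self, username, password, code, now=None) -> bool:
        now = time.time() if now is None else now
        user = self._users.get(username)
        if user is None:
            self._hash(password, b"\x00" * 16)   # do the same work as a real check
            return False
        if now < user["locked_until"]:
            return False                          # locked: refuse even valid logins
        password_ok = hmac.compare_digest(
            self._hash(password, user["salt"]), user["hash"])
        # Accept the current and the previous time step to tolerate clock drift.
        code_ok = any(
            hmac.compare_digest(
                totp(user["totp"], now - drift).encode(), code.encode())
            for drift in (0, 30))
        if password_ok and code_ok:
            user["failures"] = 0
            return True
        user["failures"] += 1
        if user["failures"] >= self.MAX_FAILURES:
            user["locked_until"] = now + self.LOCKOUT_SECONDS
            user["failures"] = 0
        return False


if __name__ == "__main__":
    svc = IdentityService()
    secret = os.urandom(20)
    svc.enrol("client01", "Winter2022", secret)   # constructed weak password
    t = time.time()
    print(svc.authenticate("client01", "Winter2022", "", now=t))
    print(svc.authenticate("client01", "Winter2022", totp(secret, t), now=t))
```

A production service would also reject a one-time code that has already been used within its validity window.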
Government Cyber Defence and National CSIRT Operations
Case study: South Africa Department of Justice (DoJ) attacks (2021 and 2024)
The 2021 ransomware attack on the DoJ ground the country’s justice system to a halt and required the intervention of the national computer security incident response team (CSIRT). In South Africa, this is predominantly handled by the CyberSecurity Hub and the ECS-CSIRT under the State Security Agency (SSA).
The incident: In September 2021, the DoJ suffered a ransomware attack that encrypted all information systems, freezing court operations, delaying bail payments, and halting the issuance of letters of authority. In a separate incident in 2024, the DoJ’s systems were compromised, causing significant disruptions, including a halt to child maintenance payments.
The vulnerability: Investigations revealed that legacy systems had not been properly maintained and that delayed patch management contributed to the breach. The second incident, although widely reported as an external cyberattack, was in fact due to internal fraud attempts. While not directly related to cybercrime, this shows that a system also needs to safeguard itself against malicious internal users.
The response: The recovery process was slow because valid backups were difficult to restore across the fragmented infrastructure. The DoJ has since bolstered its security, ensuring that all systems are kept up to date and outsourcing its cybersecurity to an external provider.
The lesson: The first incident exposed the fragility of the department's systems and showed the importance of vulnerability and patch management. It also underscored the importance of keeping offline backups that cannot be accessed or encrypted. The second incident showed that systems can also be compromised from within and that robust monitoring and safeguards should be in place.
The Future of Cybersecurity Systems
As we look toward the latter half of the decade, the architecture of defence is undergoing a fundamental shift. The reactive models of the past that relied on a human analyst responding to an alert are becoming mathematically impossible to sustain against the speed and volume of modern attacks. The future belongs to systems that are autonomous, predictive, and intrinsically resilient. This next generation of cybersecurity will not just protect the network; it will be woven into the very fabric of the digital environment, making security as pervasive and invisible as electricity.
AI-Powered Autonomous Defence
The next frontier is AI-powered autonomous defence. While current systems already use AI to detect threats, future systems will use AI to fix them without human intervention. This is often referred to as "self-healing" infrastructure. In this model, an AI agent does not just flag a vulnerability in a web server; it automatically writes and deploys a patch to fix the code, reconfigures the firewall to block the exploit vector, and isolates any affected sessions. Future systems will be able to carry all of this out in the blink of an eye, rendering the speed at which a human analyst can operate obsolete.
This autonomy is necessitated by the rise of "AI-vs-AI" warfare. Attackers are already using machine learning to probe networks for weaknesses at machine speed. A human response time of minutes or even seconds is simply too slow. Autonomous defence systems will engage in high-speed digital combat, countering attacks in real-time. This shift will change the role of the security professional from responder to manager, responsible for setting the rules of engagement and overseeing the strategic logic of AI guardians.
Zero-Trust Architectures and Micro-Segmentation
The traditional "castle and moat" security model is dead. In its place, zero-trust architecture (ZTA) has emerged as the definitive standard for future systems. The core principle of zero trust is "never trust, always verify". In this architecture, no user or device is trusted by default, even if they are inside the network perimeter or connected via a VPN. Every single request for data is rigorously authenticated, authorised and encrypted before access is granted.
To enforce this, networks are moving toward micro-segmentation. Much as the hull of a ship or submarine is compartmentalised so that a single leak does not sink it, the network is divided into thousands of tiny, isolated zones, rather than remaining a flat network where one open door leads to every room.
For example, if an attacker breaches a student's device in the library, micro-segmentation ensures they are confined to that tiny segment. They cannot move laterally to the finance server or the research database because the "doors" between those segments are locked by default. This containment strategy renders successful breaches manageable rather than catastrophic.
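The library example above, as an added example that is not from the article: a default-deny policy check plus a calculation of how far an attacker could move by chaining allowed flows. Segment names, address ranges, ports and rules are constructed for illustration.

```python
import ipaddress
from collections import deque

# Constructed campus segments (names and ranges are illustrative).
SEGMENTS = {name: ipaddress.ip_network(cidr) for name, cidr in {
    "library-wifi": "10.10.0.0/24",
    "lms-web": "10.20.0.0/28",
    "lms-db": "10.20.1.0/28",
    "finance-app": "10.30.0.0/28",
    "finance-db": "10.30.1.0/28",
    "research-db": "10.40.0.0/28",
}.items()}

# Explicit allow rules: (source segment, destination segment, TCP port).
# Anything not listed here is denied, including traffic inside a segment.
ALLOW_RULES = {
    ("library-wifi", "lms-web", 443),
    ("lms-web", "lms-db", 5432),
    ("finance-app", "finance-db", 5432),
}


def segment_of(ip):
    """Return the name of the segment containing ip, or None if there is none."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip, dst_ip, port, rules=ALLOW_RULES):
    """Default deny: permit only flows that match an explicit rule."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False                 # unknown endpoints are never trusted
    return (src, dst, port) in rules


def blast_radius(start, rules=ALLOW_RULES):
    """Segments reachable from start by chaining allowed flows (lateral movement)."""
    seen, queue = {start}, deque([start])
    while queue:
        current = queue.popleft()
        for src, dst, _port in rules:
            if src == current and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen - {start}


def flat_network_rules(port=443):
    """The flat network for comparison: every segment can reach every other."""
    return {(a, b, port) for a in SEGMENTS for b in SEGMENTS if a != b}


if __name__ == "__main__":
    print(is_allowed("10.10.0.57", "10.30.1.4", 5432))
    print(sorted(blast_radius("library-wifi")))
    print(sorted(blast_radius("library-wifi", flat_network_rules())))
```

The blast radius also shows what segmentation does not do: a compromised library device can still reach the learning platform it is allowed to use, so those allowed paths are where monitoring should concentrate.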
Quantum-Resistant Cryptography
A looming shadow over current cybersecurity systems is the advent of quantum computing. Traditional encryption methods used to secure everything from bank transactions to university records rely on mathematical problems that are hard for classical computers to solve but trivial for a quantum computer. When powerful quantum computers become available, they will be able to shatter current encryption standards, potentially exposing decades of sensitive data.
To prepare for this "Q-Day", expected sometime in the 2030s, the future of cybersecurity involves the deployment of quantum-resistant cryptography (also known as post-quantum cryptography). These are new cryptographic algorithms designed to be secure against both classical and quantum attacks.
To understand why the threat of quantum computing is not science fiction, one only needs to look at Moore’s Law, the observation that computing power doubles roughly every two years. Consider the Cray-2, the world’s fastest supercomputer in 1985. It was a liquid-cooled giant used by the US military and NASA, occupying a large room to deliver a peak performance of 1.9 billion calculations per second.
Today, the latest generation of iPhones (released in late 2025) carries a chip capable of 35 trillion operations per second. In raw mathematical terms, this pocket-sized device is more than 18,000 times more powerful than the machine that once defined the cutting edge of US national defence. If classical computing can make that leap in 40 years, the leap to quantum computing will be even more disruptive.
While "Q-Day" is still several years away, it already poses a threat today through a strategy known as "harvest now, decrypt later". Criminal syndicates and state-sponsored adversaries are currently intercepting and storing vast amounts of encrypted data such as diplomatic cables, trade secrets and research data. They cannot read it yet. But they are holding it, waiting for the day they build a quantum computer powerful enough to shatter the encryption. This means that private data with a shelf-life of 10 or more years must be protected with quantum-resistant cryptography immediately, not in a decade.
Holistic Cybersecurity as a Service Market Expansion
The future will see the full maturity of the cybersecurity as a service (CSaaS) model. As defence complexity grows, fewer organisations will attempt to build and manage their entire security stack in-house. Instead, they will consume security as a holistic utility. This expansion goes beyond simple monitoring; it includes "compliance as a service", "disaster recovery as a service" and even "CISO as a service" to carry out the role of a chief information security officer.
This model democratises high-level security. It means that organisations with modest budgets can leverage the same enterprise-grade protection as a major multinational corporation by simply subscribing to the service. This shift allows institutions to focus on their core mission, such as teaching and research in the case of a university, while entrusting the complex, high-stakes machinery of digital defence to specialised partners who operate at a global scale.
FAQs: Cybersecurity System Fundamentals
What is a cybersecurity system?
It is not a single tool, but an integrated ecosystem of people, processes and technologies designed to protect digital assets. Unlike a simple antivirus program that runs on a single device, a cybersecurity system is an architecture that spans the entire network. It combines protective barriers (such as firewalls), detection mechanisms (such as sensors), and response capabilities (such as automated code) to ensure the confidentiality, integrity, and availability of data.
How does threat detection work?
Threat detection works by analysing network traffic and system behaviour to find "indicators of compromise" (IoCs). It typically uses two methods:
Signature-based detection: This method matches files against a database of known malware (akin to a digital fingerprint). It is the standard approach used by antivirus software.
Behavioural detection: This more advanced form of threat detection uses AI to learn what "normal" looks like and flags anomalies, such as a user logging in at 3 am or a server sending data to an unknown country.
What is the role of incident response?
The primary role of incident response (IR) is to minimise damage and recovery time when a breach occurs. It shifts the focus from "prevention" to "resilience". A structured IR process ensures that when an attack occurs, the team follows a clear lifecycle: identifying the threat, containing it (stopping its spread), eradicating the root cause, and recovering systems to normal operations.
You can learn more about IR in our incident response section, where we go into detail on the IR lifecycle, IR tools, and the IR frameworks that guide best practices.
What are cybersecurity services in an SOA environment?
In a service-oriented architecture (SOA) environment, cybersecurity functions are decoupled from specific hardware and delivered as modular, reusable services. Instead of buying a "black box" security appliance, an organisation might subscribe to identity as a service (IDaaS) for logins and threat intelligence as a service (TIaaS) for virus updates. This allows the security system to be flexible, scalable and easily updated without rebuilding the entire network.
You can read more about the different services offered under an SOA environment in our section on core SOA-enabled cybersecurity services. In that section, we covered the following core services:
- Identity as a service
- Threat intelligence as a service
- Monitoring as a service
- Incident response as a service
- Compliance as a service
Which frameworks govern cybersecurity management?
The two most prominent frameworks are:
- NIST Cybersecurity Framework (CSF) 2.0: This voluntary guidance framework, maintained by the US National Institute of Standards and Technology (NIST), helps organisations manage cyber risk. It is organised around six core functions: govern, identify, protect, detect, respond and recover.
- ISO/IEC 27001: An international standard that provides a formal specification for an information security management system. Unlike NIST's CSF 2.0, organisations can be officially certified as ISO 27001 compliant, which can be required for contracts with governments or large corporate partners.
Earlier in this article, we went into more detail about the NIST Cybersecurity Framework and the NIST Incident Response Framework. We also went into more detail about the ISO/IEC 27001 standard and the ISO/IEC 27035 Incident Response Framework.