Among the requirements of Sarbanes-Oxley, banks must exhibit adequate financial controls, including information security measures. To help it comply with the regulation and improve information security, Buffalo-based M&T Bank ($52.9 billion in assets) wanted a monitoring solution that would identify and rank the security vulnerabilities of its financial systems and controls in detail, from external threats to the transaction histories of specific ACH files, according to Matthew Speare, the bank's chief information security officer. "We had no [reliable] method of monitoring our technical assets ... for regulatory risk and monitoring compliance," he says.
M&T had been using an outsourced security warning notification service, but the cost and responsiveness of the provider's services became unscalable, Speare claims. "Every time we added a new device, it might take as long as two weeks to include it [in the security threat reports]," he contends. Recognizing and prioritizing security threats in a timely manner, Speare notes, is critical to defending against them and allows the bank to deploy resources appropriately.
Moving Monitoring In-House
To improve reporting and enable the bank to react more quickly to changing security threats, Speare says, M&T sought an application the bank could run in-house. Bank officials examined a handful of solution providers, focusing their search on Securify (Cupertino, Calif.), Computer Associates (Islandia, N.Y.) and netForensics (Edison, N.J.).
According to Speare, the bank eliminated Securify's solution because it would have required the bank to purchase the vendor's proprietary information collectors as well as the reporting software. (The bank already had installed third-party data collectors, Speare notes.) So, in November 2004, M&T Bank began two-month pilots of the Computer Associates and netForensics applications.
One full-time-equivalent employee continues to refine the software's reporting capabilities, Speare continues. "We're tweaking as we go along," he says. "It's like any other correlation engine - you need to continue to refine it."
Open Security Rides to the Rescue
The new software quickly showed its value, according to Speare. When a Trojan horse program hit the Internet in May, the nFX Open Security Platform immediately alerted the bank to any vulnerabilities, saving M&T's security team several hours in distributing patches throughout the network.
A similar situation occurred in August with the Zotob worm. Timely notification of the security threat resulted in fast distribution of protection measures, Speare recalls. "The software lets me know immediately if there's any change in the risk posture," he says.
Speare adds that the bank is examining ways to extend the system's capabilities to deliver appropriate reports to lines-of-business coordinators and security coordinators.
For more with Matthew Speare on M&T Bank's information security strategy, see Executive Q&A, "Defending the New Frontier."