Early Warning System

M&T Bank taps monitoring solution to improve security and comply with Sarbanes-Oxley.

Among the requirements of Sarbanes-Oxley, banks must exhibit adequate financial controls, including information security measures. To help it comply with the regulation and improve information security, Buffalo-based M&T Bank ($52.9 billion in assets) wanted a monitoring solution that would identify and rank the security vulnerabilities of its financial systems and controls in detail, from external threats to the transaction histories of specific ACH files, according to Matthew Speare, the bank's chief information security officer. "We had no [reliable] method of monitoring our technical assets ... for regulatory risk and monitoring compliance," he says.

M&T had been using an outsourced security warning notification service, but the cost and responsiveness of the provider's services became unscalable, Speare claims. "Every time we added a new device, it might take as long as two weeks to include it [in the security threat reports]," he contends. Recognizing and prioritizing security threats in a timely manner, Speare notes, is critical to defending against them and allows the bank to deploy resources appropriately.

Moving Monitoring In-House
To improve reporting and enable the bank to react more quickly to changing security threats, Speare says, M&T sought an application the bank could run in-house. Bank officials examined a handful of solution providers, focusing its search on Securify (Cupertino, Calif.), Computer Associates (Islandia, N.Y.) and netForensics (Edison, N.J.).

According to Speare, the bank eliminated Securify's solution because it would have required the bank to purchase the vendor's proprietary information collectors as well as the reporting software. (The bank already had installed third-party data collectors, Speare notes.) So, in November 2004, M&T Bank began two-month pilots of the Computer Associates and netForensics applications.

Snapshot Institution: M&T Bank (Buffalo). Assets: $52.9 billion. Business Challenge: Improve financial controls monitoring and streamline notification of changes in security threats. Solution: Edison, N.J.-based netForensics' nFX Open Security Platform.

M&T chose netForensics' nFX Open Security Platform, Speare says, because it provided customizable asset reporting groups, quick implementation on any device or operating system, and stability regardless of the amount of processing required - he notes that the bank typically experiences 4 million events (e.g., hacking attempts, new virus alerts, the addition of new devices, etc.) per day that require monitoring. The bank installed the solution in the first quarter of 2005 in about five days, and no additional hardware was needed, Speare relates.

One full-time-equivalent employee continues to refine the software's reporting capabilities, Speare continues. "We're tweaking as we go along," he says. "It's like any other correlation engine - you need to continue to refine it."

Open Security Rides to the Rescue

The new software quickly showed its value, according to Speare. When a Trojan horse program hit the Internet in May, the nFX Open Security Platform immediately alerted the bank to any vulnerabilities, saving M&T's security team several hours in distributing patches throughout the network.

A similar situation occurred in August with the Zotob worm. Timely notification of the security threat resulted in fast distribution of protection measures, Speare recalls. "The software lets me know immediately if there's any change in the risk posture," he says.

Speare adds that the bank is examining ways to extend the system's capabilities to deliver appropriate reports to lines-of-business coordinators and security coordinators.

For more with Matthew Speare on M&T Bank's information security strategy, see Executive Q&A, "Defending the New Frontier"