The Bank of New York Mellon found technical assistance automating regulatory compliance with a healthy assembly of tools, reports Greg Masters.

With a slew of laws and guidelines already on the books, and new and ever-evolving iterations surely on the way, The Bank of New York Mellon sought a way to automate compliance so that its operations remained secure and efficient.

In particular, the bank, headquartered in the heart of the financial industry at One Wall Street in New York, needed to detect devices not compliant with established regulatory and compliance guidelines and, where deficiencies were discovered, to perform auto-remediation. For the IT staff, this includes making certain that access control systems are in place, and that patches to software agents (in this case, Symantec, EnCase, Altiris, Sanctuary) are installed and functioning properly.
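The detect-and-remediate loop described above, as an added illustration that is not code from the article or from BNY Mellon's own tooling: a policy lists the agents every endpoint must carry (with a minimum version and a running service), an inventory snapshot is checked against it, each deficiency is mapped to a remediation action, and a structured event is produced for consolidated reporting to a SIEM. The host names, agent identifiers, version numbers and severity values are all constructed for this example.

```python
"""Endpoint compliance check with auto-remediation planning and SIEM reporting.

Added example. Agent names, versions, hosts and severities are constructed;
they do not describe any real product's version scheme or a real environment.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Policy: required agents, minimum acceptable version, and whether the
# agent's service must be running. Identifiers are hypothetical.
POLICY: Dict[str, dict] = {
    "symantec_ep":   {"min_version": (12, 1, 0), "must_run": True},
    "encase_agent":  {"min_version": (7, 0, 0),  "must_run": True},
    "altiris_agent": {"min_version": (7, 1, 0),  "must_run": True},
    "sanctuary":     {"min_version": (4, 3, 0),  "must_run": True},
}

# Constructed inventory snapshot: one compliant host, one with three defects.
INVENTORY: Dict[str, Dict[str, dict]] = {
    "wks-trading-01": {
        "symantec_ep":   {"version": "12.1.4", "running": True},
        "encase_agent":  {"version": "7.0.2",  "running": True},
        "altiris_agent": {"version": "7.1.0",  "running": True},
        "sanctuary":     {"version": "4.3.1",  "running": True},
    },
    "wks-trading-02": {
        "symantec_ep":   {"version": "11.0.6", "running": True},   # outdated
        "encase_agent":  {"version": "7.0.2",  "running": False},  # stopped
        "altiris_agent": {"version": "7.1.0",  "running": True},
        # "sanctuary" is absent: missing agent
    },
}

# Each deficiency type maps to one remediation action and a SIEM severity.
REMEDIATION = {"missing": "install", "outdated": "update", "stopped": "start"}
SEVERITY = {"missing": 8, "stopped": 7, "outdated": 5}


@dataclass
class Finding:
    host: str
    agent: str
    issue: str        # "missing" | "outdated" | "stopped"
    remediation: str  # "install" | "update" | "start"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))


def check_host(host: str, agents: Dict[str, dict]) -> List[Finding]:
    """Compare one host's agent inventory against POLICY.

    Precedence: a missing agent is reported as missing; an installed agent
    below the minimum version is reported as outdated (the update will also
    restart it); only an up-to-date but stopped agent is reported as stopped.
    """
    findings: List[Finding] = []
    for agent, rule in POLICY.items():
        state = agents.get(agent)
        if state is None:
            issue = "missing"
        elif parse_version(state["version"]) < rule["min_version"]:
            issue = "outdated"
        elif rule["must_run"] and not state["running"]:
            issue = "stopped"
        else:
            continue  # agent satisfies policy
        findings.append(Finding(host, agent, issue, REMEDIATION[issue]))
    return findings


def siem_event(finding: Finding) -> dict:
    """Shape a finding as a flat event record for forwarding to a SIEM."""
    return {
        "source": "endpoint-compliance",
        "host": finding.host,
        "agent": finding.agent,
        "issue": finding.issue,
        "remediation": finding.remediation,
        "severity": SEVERITY[finding.issue],
    }


def run_compliance(inventory: Dict[str, Dict[str, dict]]) -> dict:
    """Check every host; return compliant hosts, findings and SIEM events."""
    findings: List[Finding] = []
    compliant: List[str] = []
    for host, agents in inventory.items():
        host_findings = check_host(host, agents)
        if host_findings:
            findings.extend(host_findings)
        else:
            compliant.append(host)
    return {
        "hosts_checked": len(inventory),
        "compliant_hosts": compliant,
        "findings": findings,
        "events": [siem_event(f) for f in findings],
    }


if __name__ == "__main__":
    import json
    for event in run_compliance(INVENTORY)["events"]:
        print(json.dumps(event, sort_keys=True))
```

The precedence order in `check_host` matters in practice: reporting an outdated agent as "stopped" would dispatch a restart that leaves the real defect (the old version) in place, so the check classifies each agent by its most fundamental deficiency and the remediation action follows from that single classification. The events are deliberately flat key/value records so that the SIEM can trend them per host and per agent, which is the consolidated view the article describes.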

"The auto-remediation allows us to migrate our resource utilization from day-to-day operations, allowing us to focus on advanced persistent and insider threats," says Daniel Conroy, managing director and chief information security officer at The Bank of New York Mellon.

In the last several years, BNY Mellon's information security organization has enhanced monitoring, identification and control within its environment through the purchase of additional software and toolsets. Implementing these tools has allowed not only automated remediation but also advanced threat and incident detection, via consolidated reporting to the internal security information and event management (SIEM) system.

"This system also provides trending, behavior analysis and gives us the ability to focus on more critical areas, such as advanced persistent threats (APT), investigations and forensics," says Conroy.

To make his case to senior management, Conroy spoke of what could be gained in cost savings and the ability to reduce help desk calls for security-related software issues. Also, he explained how these tools would simplify and standardize the range of implemented appliances and security services, and free his team to focus on critical threats.

Once he got the go-ahead, to determine the technical controls he believed were most critical, he began with assessing the “top 10” help desk security-related calls, and then mapped policy back to technical controls and automated where possible. It was, he admits, difficult to determine the “most critical” aspects as these controls tend to work in conjunction with each other.

But, once he and his team determined what was needed, a multiphased implementation began with its initial focus on core data centers and high-risk local area networks, specifically the bank's financial trading operations.

After examining the marketplace to find the right tools, Conroy's team chose solutions from a number of vendors, including ForeScout for network access control (NAC), ArcSight for its SIEM tool, Symantec Endpoint Protection for anti-virus and advanced threat prevention, SafeBoot/McAfee for further endpoint protection, and Symantec Vontu for data leakage prevention.