Case study: IT-GRC automation: Advancing visibility & control

The Bank of New York Mellon found technical assistance automating regulatory compliance with a healthy assembly of tools, reports Greg Masters.

With a slew of laws and guidelines already on the books, and new and ever-evolving iterations surely on the way, The Bank of New York Mellon sought relief to somehow advance into compliance to ensure its operations remained secure and efficient.

In particular, the bank, with its corporate headquarters squarely in the heart of the financial industry, One Wall Street in New York, needed to detect devices not compliant with established regulatory and compliance guidelines. As well, in cases where deficiencies were discovered, it sought to perform auto-remediation. For the IT staff, this includes making certain that access control systems are in place, and that patches to software agents (in this case, Symantec, Encase, Altris, Sanctuary) are installed and functioning properly.

"The auto-remediation allows us to migrate our resource utilization from day-to-day operations, allowing us to focus on advanced persistent and insider threats," says Daniel Conroy (left), managing director and chief information security officer at The Bank of New York Mellon.

In the last several years, BNY Mellon's information security organization has enhanced monitoring, identification and control within its environment through the purchase of additional software and toolsets. Implementing these various tools has allowed for not only remediation automation, but advanced threat and incident detection via consolidated reporting to the internal security information and event management system (SIEM) as well.

"This system also provides trending, behavior analysis and gives us the ability to focus on more critical areas, such as advanced persistent threats (APT), investigations and forensics," says Conroy.

To make his case to senior management, Conroy spoke of what could be gained in cost savings and the ability to reduce help desk calls for security-related software issues. Also, he explained how these tools would simplify and standardize the range of implemented appliances and security services, and free his team to focus on critical threats.

Once he got the go-ahead, to determine the technical controls he believed were most critical, he began with assessing the “top 10” help desk security-related calls, and then mapped policy back to technical controls and automated where possible. It was, he admits, difficult to determine the “most critical” aspects as these controls tend to work in conjunction with each other.

But, once he and his team determined what was needed, a multiphased implementation began with its initial focus on core data centers and high-risk local area networks, specifically the bank's financial trading operations.

After examining the marketplace to find the right tools, Conroy's team chose solutions from a number of vendors, including ForeScout for its NAC needs, ArcSight for its SIEM tool, Symantec Endpoint Protection for anti-virus and advanced threat prevention, SafeBoot/McAfee for further endpoint protection, and Symantec Vontu for data leakage prevention.  

All integration was performed internally by his team, Conroy says, "as vendors typically do not incorporate connectivity/communication with competitors." However, he points out that ForeScout's integration with ArcSight did facilitate endpoint visibility and auto-remediation.

"As a practice, we encourage vendors to work together – and that's the point," he says.

Profile: BNY Mellon

Established: 1784

Headquarters: One Wall Street, New York, NY 10286

Ticker Symbol: NYSE: BK

Assets: U.S. $1.2 trillion under management; U.S. $25.5 trillion under custody or administration

Locations: 36 countries, serving more than 100 markets worldwide*

Chairman and CEO: Robert P. Kelly

President: Gerald L. Hassell

Employees: 49,000 worldwide

To achieve integration, Conroy says the tools needed to be integrated into a framework. In the event a policy is violated or code/agents are not running at the desktop level, auto-remediation is performed, he says. If the established thresholds (time, amount of incidents) are exceeded, this is reported to the SIEM and a help desk ticket is generated.

One takeaway after his experience with this installation process, Conroy would like to see metrics standardization across the industry. It would, he says, allow for these metrics to be posted centrally (publicly, yet potentially anonymously) so businesses can compare their level of compliance against the industry as a whole.

And, when asked how these tools support compliance, operational metrics and auditing, Conroy says that auto-remediation maintains compliance, while the detailed logs of incident resolution and historical trends are maintained at the SIEM level for examination by auditors.

He's seen tangible benefits already, he says. There has been a reduction in help desk calls and subsequent desktop technician visits. As well, the historical data retention for both incidents and events has provided ample evidence to successfully pass audits.

Further benefits come from simplification. And, integration of all the components reduces the workload from IT department-related to operational compliance and regulatory issues, he says.

"Plus, there is the added benefits of demonstrating where a lack of standards exists. The consolidation of tools ensures for standard operating system builds." As well,  it detects “unnecessary” complexity and allows for a “leaning” of the environment, he adds.

As far as program expansion, at this time Conroy says operations will be rolled out to subsidiaries and affiliates, where legal conditions permit.

Can other enterprises benefit from this approach? "It all depends on the maturity of the current security program, the available funding and senior leadership commitment," says Conroy. "It is essential to first ensure that policy is coherent and enforceable. Mapping these polices to the implementation is the first step toward full GRC automation."

Having technical and well-schooled IS professionals on staff is also a key factor in success, he says.

Provided these foundations are in place, he recommends a phased approach. "Phase one would be to choose an appropriate NAC and enforcement tool set and provide the necessary resources required for deployment and configuration," he says. "Always keep in mind the end goal of automation and incident reporting." 


GRC technologies applied: NAC & SIEM

Among different vendors working with the Bank of New York Mellon, ForeScout and ArcSight, help automate the bank's security operations and compliance operation. ForeScout provides real-time information about the compliance status of endpoint devices – determining if they are patched and if the AV is running. In addition, it can gauge if all servers on the data center system are configured properly, and what users or groups are currently on the network.

"Based on predefine rules, ForeScout can identify and automatically fix endpoint security issues without disrupting the user, such as activating a disabled DLP client, changing settings to a personal firewall or moving an infected system to a VLAN," says Scott Gordon, VP, worldwide marketing at Forescout Technologies. 

ArcSight's tool provides situational awareness by aggregating information from many different security products, cross-correlating and analyzing the data, and presenting more intelligent information to network and security operations. This facilitates alerting, investigations and compliance reporting, and can be used to automatically detect sophisticated threats and violations.

Typical network control gaps that impact GRC are related to real-time visibility and control, says Gordon. "For managed devices, such as an employees' notebook, there are issues where client security software is often not up-to-date, misconfigured, disabled or not present."

Additional risks include zero-day attacks, blended attacks (advanced persistent threat), port misuse, or intermittent blacklisted application use – all of which can evade conventional point security approaches, he says. For example, using a printer port to gain access to a network domain. 

Lastly, Gordon points out that security blind spots occur because of the numerous systems and users that are not corporate managed, such as guest and contractor systems and personal mobile devices, such as smartphones and tablets. These potential threats introduce control gaps, impact GRC and add to operational costs.

This is where the integration between ForeScout and ArcSight's products provides real-time visibility, compliance and control of all endpoints and users, he says. "ForeScout sends real-time information about all endpoints – such as who owns them (including guests and contractor), where they are located, and why they are noncompliant – to the ArcSight SIEM platform."

The ArcSight SIEM platform is then able to correlate this information with other data coming from the rest of the enterprise to identify the compliance violations that present the greatest risk.

"This lets security managers take action to mitigate the most important threats," Gordon says. "When ArcSight is combined with ForeScout, the mitigation can be automated from within the ArcSight SIEM console down to the desktop and/or network switch through ForeScout's endpoint security controls. 

For reprints of this case study, contact Elton Wong at [email protected] or 646-638-6101.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.