BT Managed Security Solutions Service Overview for Financials: The Most Beautiful Target

Measure, Monitor, Protect, Advise

James McCarthy

james.mccarthy@bt.com

La estructura organizativa de BT

• +100.000 employees• Revenues 09/10: +31.200 M$• The biggest R&D Center in ITC in Europe –

Adastral ParkGrupo BT

BT Global Services

Global Banking and Financial Markets

• Gartner Leader Quadrant – Worldwide Managed and Professional Network Service Providers

• 37.000 professionals providing consultancy services, managed services and supporting our customers in +170 countries

• Revenues 09/10: +12.700 M$

• Dedicated Solutions and Managed Services to the Finance and Insurance Sector

BT Latam

• One of the most profitable regions and with the highest growth potential

Our Operations in the Region

Some of our customers in the region

pasión

por nuestrosclientes

5

The Most Beautiful Target…Why?

1. Lots of Captive Users2. A Trusted Partner / Brand For

Those Users3. Hundreds of Thousands of

Transactions – Typically in Small Monetary Increments

6

The Most Beautiful Target…and How BT Protects You…

…Panda Security’s anti-malware laboratory, has discovered that hackers are creating 57,000 new websites each week that exploit approximately 375 high-profile brand names worldwide…

1. eBay – 23.21 percent 2. Western Union – 21.15 percent 3. Visa – 9.51 percent 4. United Services Automobile Association – 6.85 percent 5. HSBC – 5.98 6. Amazon – 2.42 percent 7. Bank of America – 2.29 percent 8. PayPal – 1.77 percent 9. Internal Revenue Service – 1.69 percent 10. Bendigo Bank – 1.38 percent

Findings By Customer:

7

The Most Beautiful Target…Breach Numbers are Growing…

From PrivacyRights.ORG Limited Search - Breaches currently displayed:Breach Types: HACKOrganization Types: BSFYears: 2010235,373 Records in our database from.10 Breaches made public fitting this criteria(All US Financials)

8

Introducing BT’s Managed Security Solutions For Financials

Enabling security and compliance efficiently and

cost effectively across your enterprise

Common methodology

Consulting services

Design Integration,

implementation Managed

services

Business objectives Reduce downtime, costs

Information assurance

Board confidence in Information

Risk structures & processes

Secure network and IT

infrastructure

Secure applications and

information

Enhance compliance and

governance

Secure Communications

Management

Identity Management

Operational Risk Management

Information Management

Propositions

Secure Networking

Business Continuity

BT’s proposition areas

BT Knowledge, Experience, Thought Leadership

• BT has concentrated its resources into one dedicated global practice, one of the biggest security teams in the world– 400+ full time client facing practitioners

– A further 800+ working on security including R&D and internal team

• Decades long heritage in designing, building, managing secure global networks

• Rigorous, mandatory internal security evaluation process

• Global accreditations & certifications– Practitioners validated by Cisco, ITIL and Juniper Networks

– SAS70 and ISO 9001 certified MSS provider

– Accredited to CERT & FIRST, CLEF

– FIPS 140-2; one of only 8 globally

– Active participants in IETF, ISO17799

• World leading R&D facility Adestral Park in Suffolk, England– 100 registered patents– 160 security papers published

– 30% of people with second degrees

BT’s Managed Security Solutions powered by Counterpane and the EHCOE

• Authority on enterprise security

– Pioneered outsourced security monitoring – Established in 1999

– Founder and CTO, best-selling author: Bruce Schneier

• Leading visionary in Gartner’s Magic Quadrant for MSS and EH

• Global view: 650 customer networks; Sentries installed in 38 countries; monitored data spanning 150 countries

• Seven fully redundant security operations centers

• Eleven year proven track record protecting major, high-value networks

11

Mission: Develop and implement fully-integrated managed security services that assure customers’ business continuity, improved compliance, and protection from financial loss.

12

BT Security Services CustomersFortune 500 leaders in every major industry around the globe

Business Problems Solved by Managed Security Services

• Streamline policy enforcement– Detect early warning signs of inappropriate activity– Protect against rogue employees and contractors

• Identify unauthorized activity– Real time detection of botnet- and malware-infected hosts– Regularly updated blacklists of known botnet controllers and malware

distribution sites

• Facilitate data collection for regular audits and compliance reporting– Centralized access to all security-relevant and activity logs– Easy access to archive and flexible data-mining options

• Leverage existing investments in expensive devices– Ensure IDS/IPS/firewall devices have current signatures & patches– Configure them in accordance with industry best practice

• Provide cost-effective access to senior security expertise– On demand access to world-class security analysis & personnel– Focus on strategic decision-making while tactical issues are handled

13

14

ProcessProcess Technology

People

Process Technology

We deliver crucial security information about complex threats with expert assistance on how to respond.

We do so using three main elements:

…of these, people are the most important!

Managed Security Solutions

15

Workload Reduction Enables Customers to Focus on Core Business Objectives

One of the things I’ve gotten the most mileage out of is the monthly CIO report…I use that [to show] my executives all the traffic that’s coming through… You start with millions of items and work your way down into about 50 to 60 of [incidents] a month. It’s a great way to explain the value we’re getting out of the managed security services.”

Tom Dunbar, CSO, XL Capital

30 Million

186,000

1200

5

Messages Received

Alerts Processed

Tickets Analyzed

Customer Contacts 1 Phone Call

4 E-mails

“Typical” Services Company Example (Monthly CIO Report)

16

View Across BT Counterpanes Financial Services Companies

Across our Financial Services Clients their Security Posture Index is rated as “Above Average” which indicates a high level of sensitivity towards information that is provided to them by our BT SOCs.

17

Web Application Testing – the Most Beautiful Target

• Components can consist of:– Java applets that operate within Web browser– Standalone Java applets – Standalone executable applications

• Testing determines:

– How security is integrated into the client software components– How the client software interacts with the remote server application – If any unnecessary information is entrusted in the client software– If the client software can be manipulated to provide unauthorized access to server

application

• Testing includes:– Attempt to collect as much information as possible about the client application and

server communication– Attempt to manipulate the client software without inside knowledge

Client-side Application Testing Ethical Hacking Assessment

17

18

Code Review – The Most Beautiful Path

• Reviews application code for deficiencies in the areas of security, reliability and operations.

• The review identifies strengths and weaknesses of the application software modules.

• Detection of the following types of computer abuse are attempted:– Trojan Horses - Salami techniques - Trapdoors – Logic bombs

• The EHCOE requires the following documentation in order to perform the source code review:– Source code comments and documentation– Method of invocation for each program– Options and configuration file documentation– Method of compilation for each program –

Source Code Review Ethical Hacking Assessment

18

19

What Sets BT Managed Security Solutions Apart?

IDSsFirewalls/VPNsRoutersAuthenticationAccess Control DatabasesWeb ServersNetwork OSDesktopsOthers

• United States Patent: Patent No. US 7,159,237 B2, Method and System for Dynamic Network Intrusion Monitoring, Detection and Response (Jan. 2, 2007)

• Network visibility: More than one million event rules for a broad range of network devices

• Advanced correlation technology: Multi-device, vertical market, cross-customer base

• 24/7 vigilance by certified security engineers: SANS Certification and DOJ Background investigations required for employment

20

What Sets BT Managed Security Solutions Apart?

• Consultative approach: Dedicated team assigned to the account, Monthly touch points, Quarterly reviews, pre-sales and post-sales support, ongoing available support

• Compliance audit reporting: VISA CISP/PCI, SOX, FISMA, GLBA, CA 1386,

• Service Level Agreements: Swift activation and improved compliance with 100% guaranteed access to activity data

.

21

Security Operations Centers

Physically hardened facilities• Three-factor access control• Multiple forms of surveillance• Fully-redundant power and network

100% uptime since January 2000• Full-redundancy in each center• Continuous tagging and time stamping• CPE has auto-rollover to SOCs

Geographically diverse• Facilities in major technology centers• Robust facilities built on Critical Infrastructure backbones

Audits and accreditations• Including: SAS70, ISO27001, BS7799• Analysts are GIAC certified

22

Benefits of a BT Managed Security Services for the Financial Industry

• Trusted Partner of the Financial Services Space– Current Testing Partner for the Majority of Very Large Financials

• Resilient architecture- Hardened, active/active SOCs – no downtime

• Vendor neutrality- Provides flexibility and avoids unnecessary capital outlays

• Defense in depth- Support for more types of systems, including applications,

databases AS/400, RACf, etc.

• Comprehensive and integrated solution- Reduces risk and cost - Simplifies management and monitoring of diverse technology- Advanced correlation technology (Multiple tools and flexible configuration)

Consultative Approach

• Longevity and commitment- More than 10 years of continuous growth

23BT Professional Services 23