Standard Chartered shores up defences

Standard Chartered is updating its security systems to better defend itself against cyber threats and more easily resolve problems such as software patch management.

The bank, which has 500 offices in 55 countries, is introducing an automated risk management system across its global security operations, as well as managed security monitoring.

The company spends $11m (£6m) of its $400m (£217m) IT budget on security every year. It plans to combine the new technologies and procedures to create a sophisticated security infrastructure capable of providing automated alerts and processes using intelligent risk-based information.

'I believe we have an opportunity to apply automation to security and what I'm aiming for is automated risk and monitoring control,' said John Meakin, group head of information security at Standard Chartered.

'Like all banks we have a number of systems that go back a number of years. For the last two years we've said, to do risk analysis and to do it rigorously, you need to automate because otherwise the whole risk management becomes dependent on independent risk analysts,' he said.

Standard Chartered is using technology from specialist supplier Citicus One.

Meakin says the bank doesn't have the time or resources to build risk processes into applications at the development stage, and doesn't want to build its own system because of the maintenance costs.

'Obviously we are a business and the whole virtue of risk is we avoid spending too much money,' he said.

'We decide what specific security mechanism is required through risk. Once we have got this mechanism it becomes the security armament.'

In addition to the automated risk processes, the bank has signed a deal with NetSec for security monitoring.

NetSec will monitor and analyse information generated from firewalls and intrusion detection systems.

'They're taking large volume of data and boiling it down to a set of potential security events and then applying human judgement to see if these events require us to raise armies,' said Meakin.

'We always want more data and the best data because we want the best way of finding a new worm as quick as we possibly can, and we need to be able to analyse that as quickly as possible,' he said.

Meakin is keen to combine these technologies to provide a sophisticated security monitoring and alert infrastructure, as well as making tasks such as patch management significantly easier.

'As I look forward from 2004 to 2005 and 2006, what we want to do is take that risk method applied to getting the right security in place, take monitoring and then we want to link them together and detail specific issues where there really is no other magic solution,' he said.

'What I'm talking about here is patch management. Ideally we like the vendor to publish a fix, then apply them across your network. We have thousands of servers and tens of thousands of desktops across the world. It's a non-trivial problem getting a patch out to any number of servers particularly when you're racing against the clock.'

Meakin says monitoring techniques will be able to automatically locate a hole and close it. The intelligence of the system will allow vulnerabilities to be identified and severity analysed against the value of the servers or systems that need patching, allowing those that are most at risk to be dealt with first.