Bank's security chief focuses on targeting risk

31.10.2005
The constant need to patch vulnerable systems on its vast global networks has been driving London-based Standard Chartered Bank to a more risk-based approach to vulnerability management. Instead of rushing out to patch every flaw that's announced as soon as possible, the goal instead is to implement an approach that helps the bank identify the problems that matter most and to prioritize its responses based on asset value at risk. In this interview, John Meakin, Standard Chartered's group head of information security, explains what the bank is doing to help it identify the most urgent threats to its networks and which IT assets get priority for protection.

What's driving this whole effort?

Deploying patches across a global, international network is a big challenge. There are lots of potential difficulties, and of course they are all magnified every time you have a vulnerability for which there is an exploit being deployed across the Internet. Given that we have already invested in automated [patch] distribution across the network, given that we think we have a very efficient way of capturing the initial information about a vulnerability and a patch, we were looking to see what other scope we had of making this problem less intractable.

How have you gone about doing that?

We really have said the only way of solving this problem is to truly target where we deploy patches and when. Clearly, some of the servers on our network are more important than others in terms of the impact on our business. Equally, some of those servers are subject to a greater likelihood of any vulnerability on them being exploited. By measuring these two factors across the whole asset inventory on our network, we are able to know which of our high-value boxes are most exposed when new patches are released.

How big of a challenge has this been?

It's very simple, very logical and very easy, when you put it that way. But actually doing it is a challenge in itself. First of all, it presupposes that you have a very accurate asset inventory. We've already made some investments on our network which have given us the beginnings of that asset inventory.

Secondly, we have made investments also in tools which scan for the existence of vulnerabilities across the network. The third piece of the puzzle, as an add-on to asset inventory, is a measure of just how valuable each box is, based on the data and the application that it supports.

The last piece of the picture is the ability to model, in a repeatable way, how easy it is for a vulnerability on a particular box on a particular place in the network to be exploited. A trivial example would be to say a box on your network boundary facing the Web that contains a vulnerability is at a higher risk of actually having the vulnerability being exploited than a box buried on the inside of your network.
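The four pieces Meakin describes (asset inventory, scanner findings, a business-value rating per box, and a repeatable exposure model by network position) can be combined into a ranked patch list. The following is an added illustration, not the bank's tooling; the host names, value ratings, vulnerability identifiers and exposure weights are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed exposure model: how easy a flaw is to reach from where the box
# sits in the network. Weights are hypothetical, chosen only to illustrate.
EXPOSURE = {"internet_facing": 1.0, "dmz": 0.6, "internal": 0.2}


@dataclass
class Asset:
    host: str
    value: int                 # 1 (low) .. 5 (critical), from the data/app it supports
    position: str              # key into EXPOSURE
    vulns: list = field(default_factory=list)  # ids reported by the vulnerability scanner


def exploit_likelihood(asset, vuln, exploit_public):
    """Repeatable estimate of how likely this flaw on this box is to be exploited:
    network position sets the base; a publicly circulating exploit doubles it, capped at 1."""
    base = EXPOSURE[asset.position]
    return min(1.0, base * (2.0 if exploit_public.get(vuln, False) else 1.0))


def risk_score(asset, vuln, exploit_public):
    """Asset value at risk times likelihood of exploitation (the two factors in the interview)."""
    return asset.value * exploit_likelihood(asset, vuln, exploit_public)


def patch_priority(inventory, released_patches, exploit_public):
    """Rank (host, vuln) pairs for a batch of newly released patches, highest risk first."""
    work = []
    for asset in inventory:
        for vuln in asset.vulns:
            if vuln in released_patches:
                work.append((risk_score(asset, vuln, exploit_public), asset.host, vuln))
    work.sort(key=lambda t: (-t[0], t[1], t[2]))
    return [(host, vuln, round(score, 2)) for score, host, vuln in work]


# Constructed sample inventory (hypothetical hosts and findings).
INVENTORY = [
    Asset("web-edge-01", 3, "internet_facing", ["VULN-A", "VULN-B"]),
    Asset("core-ledger-01", 5, "internal", ["VULN-A"]),
    Asset("branch-file-07", 2, "internal", ["VULN-B"]),
    Asset("dmz-mail-02", 4, "dmz", ["VULN-B"]),
]

if __name__ == "__main__":
    # With an exploit public for VULN-A, the Web-facing box outranks the
    # higher-value but buried ledger server, as the interview's example suggests.
    for row in patch_priority(INVENTORY, {"VULN-A", "VULN-B"}, {"VULN-A": True}):
        print(row)
```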