Hedgeweek cybersecurity interview with Options CTO, John Bryant
Options Chief Technology Officer John Bryant explains how the company is constantly working to stay ahead of the risks posed to the hedge fund industry by cybersecurity issues…
HW: What are you doing to manage and enhance the security of the Options private cloud environment?
JB: Options has been delivering financial technology as a service for over 20 years. No one understands the needs of the hedge fund industry better, and this is especially true when it comes to security. The complex nature of cybersecurity in 2015 demands that any managed platform or IT infrastructure solution must have best practice cybersecurity building blocks at its core. Not just that, but the platform must also combine operational agility with absolute information security – the SOC-accredited Options platform does exactly that.
Fundamental to our ability to manage and enhance security on the Options platform is our industry-leading global team and global infrastructure, allowing our customers with global operations to work with one single vendor. This feature-rich platform includes DR / BCP, replication and redundancy, daily backups to tape, carrier diversity and in-region data centre resiliency. These features are further bolstered by industry-leading transparency around our change control processes and procedures.
We further supplement these building blocks with a dedicated cybersecurity team. This team manages an extensive security programme that includes twice-weekly security team meetings, quarterly penetration tests carried out by accredited third parties, weekly PC reboots, host and network vulnerability scans, regular action plans to baseline each client’s security posture, timely reviews of new and emerging threats and ongoing communication to clients.
We also leverage a real-time network behavioural analytics platform, Observable, in addition to monitoring platform performance, availability and anomalous behaviour with the operational intelligence platform, Splunk.
HW: Could you explain the measures you are taking to protect clients’ proprietary applications on Momentum?
JB: Momentum is an application management solution that combines a global platform, for hosting dozens of applications, with a standardised, full-service model for the delivery of many leading financial front, middle and back-office systems. As such, security is critical.
Vulnerability assessment reports and penetration testing are a key measure baked into the platform. We work with clients to ensure any OS or software is patched regularly with the latest security patches, updates and definitions. These patches are released and deployed in a controlled environment and governed by strict change control processes.
In terms of platform access, we use a multi-layered approach to security, often involving three or four layers of segregated network tiers, two-factor user authentication and strict firewall and network access-list controls. Understanding normal behaviour is also key; as such we profile customers’ usage so as to detect anomalous behaviour.
Finally, physical security is crucial, but often overlooked. All our client data is stored in tier three (or higher) data centres, which are governed by strict industry standards.
HW: What are some of the challenges that Options face to keep one step ahead of cybersecurity issues?
JB: Cyber attacks continue to progress rapidly and the nature and sophistication of the attacks we are seeing are much more evolved than even 12 months ago. In such an environment, it’s crucial an IT infrastructure provider is proactive rather than reactive.
In the last 18 months, we have invested in a number of security and compliance products to enhance our security offering. These include web-filtering appliances, Active Directory auditing, Windows file system auditing and BYOD management. We have also recently partnered with the security analytics vendor, Observable. Observable learns your network’s normal behaviour and sends alerts whenever it detects unusual traffic or behaviour (say malformed DNS queries, Dropbox uploads, FTP or SMTP traffic).
In one of our more recent security projects, we completely overhauled our mail gateways, allowing greater transparency and control into the mail entering and exiting our network. This is just one example of how we continue to evolve the platform to address new and emerging challenges.
HW: When you deliver technology outsourcing solutions to hedge funds, what are some of the key aspects that you focus on to protect these networks from external threats?
JB: Our focus is delivering hedge funds a network that ensures operational agility and best-in-class information security.
At a macro level, the Options solution includes physical hardware isolation as standard, extensive administration encryption and control, robust network intrusion detection, cutting-edge protection measures and rigorous security change request controls.
Looking a little closer, Options enforces a multi-layer approach to virus detection for instance. Layers of defence using a number of anti-virus vendors are deployed across the infrastructure including firewalls, mail gateways and all Windows servers (there are no exceptions and this includes web access, file server & FTP). We also deploy a multi-layer firewall approach from the perimeter to internal network in all global locations. The Options platform is also able to secure and limit a firm’s outbound traffic to the Internet. Inbound traffic is blocked by default, unless explicitly requested by clients.
Data physically resides within Options managed data centre space, all of which are compliant with the physical and environmental standards detailed in ISO27001. System and applications layers are always fully dedicated to the client. Options’ SOC2/SSAE16 certification further defines key processes and control for service organisations.
HW: To what extent are you able to help managers adopt technology best practices?
JB: In the sense that Options acts as a de facto CTO for the majority of the hedge funds on the platform, we typically play a big role in helping managers adopt IT best practices and while the focus today is often on the threats resulting from BYOD, resulting mobile malware and anti-DoS appliances, it pays to get the very basics right.
As such, we have developed a security action plan and baseline report to help both new and existing clients meet the fundamental security requirements to operate in this space. Some of the base hits are even as simple as ensuring PCs and servers are rebooted so they have the latest security patches. We also focus on reducing the potential attack entry points – we disable portable media such as USBs, implement web filtering and filter spam. We also place a big emphasis on auditing a client’s systems regularly, ensuring their data is backed up and that all activity is logged.
Finally, end user IT security training and awareness should also be fundamental to any best practice approach to IT security. Employee background checks should be standard practice. Ensure staff employee contracts and staff handbook are kept up to date and relevant against current industry and market trends.
Looking to other practical steps, a well-defined password policy should be a fundamental feature of any hedge fund technology solution. No two hedge funds are the same but we recommend a number of practical steps around how they should be enforced, when they should expire and what should occur in the instance of failed log-ins.
Carefully manage your developer access too (be they your employees or someone else’s). Source code and IP should be effectively stored and use of software repositories (SVN, GitHub) should be carefully managed. Use the likes of LastPass to store, share and secure the security credentials the business depends upon.
Lastly, automate as much of the monitoring as possible to identify unusual events or behaviour.
HW: What other lines of defence can hedge funds take when guarding against DDOS, spear phishing and other forms of external attacks?
JB: We recently covered spear phishing in some detail on our company blog. Most security-conscious firms and their users will be well aware of phishing; it’s quite a common occurrence and most people are familiar with the approach.
This familiarity has, however, led to a marked increase in spear-phishing, a much more sophisticated and pointed cyber attack. Spear-phishing typically sees a cyber criminal approach a pre-determined (and often pre-researched) victim, via a ‘spoofed’ email, posing as a figure of authority within the firm, requesting they complete a certain transaction, typically a transfer of funds. There have been a number of recent high-profile victims of such an attack.
As mentioned, Options has recently undertaken a major overhaul of our mail gateways, allowing us greater control over the mail reaching the users on our platform. We can now, for instance, inspect the file attachments and links being shared on the platform and within a specific firm.
We also recognise that technology is only a part of the attack surface. We’ve been working closely with our clients to encourage greater security awareness among their employees. We now use a number of tools to monitor and improve this. One such tool allows administrators to send tailored phishing mails to their users. The tool then provides full visibility into who opens it, who responds to it and who forwards it. This type of initiative has been very well received in both investor due diligence and regulatory cybersecurity questionnaires.
HW: Finally, what would your key piece of advice be to managers – especially start-ups – who are waking up to the threats of cybersecurity?
JB: If you’re a hedge fund startup or IT manager and you are only now waking up to the threat of cybersecurity, then righting the ship will be difficult without considerable investment in your existing IT. That’s also before you address user education and awareness, new and emerging threats and ongoing policies and procedures. It’s a significant undertaking for a large firm with a sizeable budget, let alone a small startup.
The CTO of a large, London-based fund on the Options platform recently listed cybersecurity as the biggest challenge he faces today. His advice was to leverage an outsourced infrastructure provider as it helps to off-load a great deal of the ongoing work surrounding cybersecurity, including due diligence.
In my experience, many hedge fund start-ups don’t realise the crucial role the right technology partner can play. They also don’t realise the importance of the right technology partner to your institutional investors. They want a platform that is benchmarked against the highest industry standards and this is exactly what Options can offer.