The security of corporate networks has never been a more critical business issue, and no one knows this better than Gaétan Houle, VP of Corporate Security for Bell Canada.
How does he defend his network from the growing onslaught of security threats to ensure his organization and his customers remain protected? And what is Bell doing right now to help its customers deal with network security?
We sat down with Gaétan to find out the latest in trends and technological advances.
Houle: We are working to manage security in a more efficient manner. Our network is the largest in the country with over 400 firewalls. So Bell is undertaking a firewall consolidation project, which will include the consolidation of our incident monitoring capability. As Intrusion Detection Systems and other security devices proliferate on networks, it is critical to optimize the way you manage them. After all, if you can't effectively react to security incidents, why bother putting in all this equipment? In addition to this consolidation project, Bell does a lot of monitoring to protect against distributed Denial of Service attacks and malware traffic.
BI: What is Bell doing right now to help its customers deal with network security?
Houle: One big contribution is our enhanced Upstream Security capabilities that protect networks at the carrier level. This helps organizations manage risks outside of their own network perimeters. It includes filtering malware, and monitoring denial of service attacks. Another service that we offer is the detection of fraudulent use of a customer's voice mail system and PBX. For example, if a call is placed to Sierra Leone from a small company's PBX at two in the morning it would trigger an alarm at our Fraud Control Centre and we would take action to block the call.
Bell also does a lot of security consulting. For instance, a lot of companies want to converge everything onto IP to save money and enable everything that unified communications has to offer. That is a great objective, but this transition needs to be well thought-out and planned, with appropriate levels of security and redundancy, to prevent successful attacks by malware or a hacker that could significantly impact the operation of their company.
Sometimes security is outsourced to us. Technology is changing faster, and business requirements are changing faster than most security organizations can actually keep up with. Companies have to ensure that they have the governance model that allows them to be agile and a bit more resistant to reorganizations, mergers, acquisitions and so on. The recession hit hard in 2009 and security is getting cut like anything else.
BI: In what ways do large enterprises and mid-sized companies have to approach network security differently?
Houle: In large companies, they tend to have more resources to do it themselves, but they're also subject to stricter compliance requirements, whether it's Sarbanes-Oxley, or the Payment Card Industry standard because they handle large volumes of credit card information.
The size of the company can also impact the sort of security threats they face. Large companies that provide public services, such as telecoms, banks and utilities, are prime targets for hackers desperate to get their hands on people's identities or credit card numbers. Small companies are more likely victims of random malware and are less often targeted directly.
The big difference is that mid-sized companies don't necessarily have the expertise to manage all their security needs by themselves, and they have to rely on external support to address certain security risks. When budgets get cut, a lot of them will stretch the envelope. For example, they could decide to store their information in the cloud, and that's not a bad thing, but the benefits of cloud computing must be assessed against your specific security requirements. There may be some information which is best kept in-house, and organizations should insist on establishing appropriate security and resilience SLAs with their vendor.
BI: What trends do you see in the threat environment?
Houle: We increasingly see large networks of botnets either to be used in large Distributed Denial of Service (DDoS) attacks, or targeting companies to obtain users' identities, which will be sold to criminal networks. This is why Upstream Security becomes more critical in stopping the threat before it lands on your doorstep.
Other trends I see include identity theft through phishing, which is exploding. Despite rising awareness, people continue to fall for these scams. Identity theft is the fastest growing crime in North America. Things are likely to get worse with the increasing popularity of smart phones. You will see in 2010 new malware crafted to attack smart phones' operating systems.
BI: What trends do you see in network security technologies and approaches?
Houle: The use of data-loss protection tools is becoming more prevalent. Typically we put them in subnets or a security zone between a company's private network and the outside public network to look at the content of files leaving the company and trigger alarms if they contain anything confidential. Some of these tools are quite sophisticated, dealing with information flow patterns, not just searching for words.
Also, more companies are using virtual machines (VMs) to save on the number of servers they use. The problem is that there is now malware designed to cross-pollinate from one sector of a server to another. The good news is that there are also technologies to prevent it. It's a real cat and mouse game!
In general, though, security cannot be limited to the defence perimeter and needs to become more information-centric. The Microsoft digital rights management solution is a good example, tying access permissions right to the document. So security protection is getting closer to the information itself.
BI: What should forward-looking companies be thinking about in terms of securing their network?
Houle: Technology exists to secure networks, but the real difficulty seems to be putting in place a security governance model adapted to the business. Companies should address security governance issues first and come up with metrics so they can measure the effectiveness of their security program. Some companies are under attack and don't even know it.
It's important that the governance model be resilient enough to withstand whatever else is going on in your company, including major reorganizations and departures. You don't want to be one of those companies where you have only one guru, and when that guy leaves or dies, that's the death of your program. You might as well outsource part of your security program to a company that will ensure a better continuity of service.
Once governance is in place, then you can talk about technology, because you're going to have the people around the table who can make the right decisions.
About Gaétan Houle
As VP Corporate Security for Bell Canada, Gaétan Houle is responsible for all matters touching security, including IT security, physical security, security investigations, business continuity, emergency response, access management and telecom fraud detection.