September 19, 2017 • Amanda McKeon
Our guest today is BT’s Vice President, Security UK and Continental Europe, Luke Beeson. Located in London, he leads teams who deliver cybersecurity services to customers, while simultaneously protecting BT’s own systems.
We discuss the challenges a large organization like BT faces when it comes to protecting themselves and their clients, the effect the upcoming GDPR regulations may have on the company and organizations around the world, and how they set their priorities across a broad spectrum of products and services.
We’ll also get his take on the role of threat intelligence in his day-to-day security strategies.
For those of you who’d prefer to read, here’s the transcript:
This is Recorded Future, inside threat intelligence for cybersecurity.
Hello everyone, and thanks for joining us for episode 24 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire. Our guest today is Luke Beeson. He’s vice president for security in the UK and Continental Europe at BT in London. Mr. Beeson leads teams who deliver their cybersecurity services to customers, while protecting BT’s own systems as well.
BT is the holding company that owns British Telecommunications. They have operations in around 180 countries. They provide landlines, mobile, and broadband services in the UK, and they also provide subscription television and IT services. We discuss the challenges a large organization like BT faces when it comes to protecting themselves and their clients, the effect the upcoming GDPR regulations may have on them and organizations around the world, and we’ll get his take on the role of threat intelligence in his day-to-day security strategies. Stay with us.
As a global internet service provider, clearly, security at BT is a very high priority for us. We have a security organization of about two and a half thousand strong. Within that organization, we’re focused on both the protection of BT and the delivery of services to our customers. We’ve very deliberately kept those teams together so that we can take what we see as a global internet service provider — i.e., the good, the bad, and the ugly of internet traffic — and translate that into information intelligence that helps us A, Protect BT, but also, B, protect our customers through the managed security services we provide them. As part of that, obviously, we need to have a very good insight into the threat landscape, and we call it our “ringside seat” as an internet service provider because we can see into what’s going on in the internet, to a degree, obviously.
Then, in terms of threats that we face in the telco sector, specifically, I think I pick out three key threats. The first one being, actually, the fact that some of the tradecraft that the attackers are now using is becoming more and more complex, and we are starting to see, and have seen for some time now, a bleed across from nation-state-level capability into criminal and organized gangs. They have worked out very effectively how to use that capability to make money in the cyber domain, and so that’s really upped the ante in terms of the arms race that we will face.
We are seeing more and more sophistication in the attacks that are being crafted. At the same time, we’re still seeing some of the traditional threats, such as DDoS. DDoS for us, as a telco, is a big, big problem, and we’ve invested very heavily to make sure that we can protect ourselves and our customers, but the volumetrics of attacks that we’re seeing and the scale of those volumetric attacks are starting to question some of the foundations of the internet. We’re spending a lot of time working with our peering partners, other internet service providers around the world, to make sure that we have plans in place and agreements in place, such that we can maintain the integrity of the internet when we see these big, high-volume attacks. Also, it’s the length of the attacks. We’re seeing DDoS attacks going into 24, 48, 72 hours, at times. The sustained nature of the attacks makes it sometimes challenging to continue to mitigate them.
I think the other thing I would talk about, as a telco, is availability. We always talk about the CIA of security — the confidentiality, the integrity, and the availability. Availability for a telco is a huge deal, particularly for us at BT, having recently become a sports broadcaster. Not so recently now, several years ago, but the investment that we’ve made in buying sports rights for premiership football here in the UK, and also for European football, means that we simply cannot afford to have a black screen. There’s a huge amount of effort, from a security perspective, being put in to make sure that that’s the case and those pictures are not interrupted. Availability is a big, big deal for telecommunications providers.
What about your place as a member of the overall cybersecurity community, in terms of sharing the information that you gather in response to some of these threats?
Again, we take that very seriously. Clearly, in the UK, we play a pivotal role in helping to share information, so we will actively share any intelligence and information that we gather from our network with other providers, and there’s a close network of telecommunications companies in the UK, but also in the various industry information sharing groups that we’re part of. We also work closely here in the UK with the National Cybersecurity Center, and they help to share on some of the information that we may provide them and vice versa, so I think in this security world that we all operate in, information sharing, intelligence sharing, is crucial because you only have to look at how our adversaries are operating, and they are very, very good at sharing information and jumping on the latest vulnerability and sharing the exploits that they’ve created. If we don’t share information, we’re fighting with one hand, if not two hands, tied behind our backs, so we take that very seriously and we are making sure that we are in the middle of all of the different forums that share information and intelligence.
You mentioned the increasing velocity and length of various attacks. I’m wondering, how much does automation play a part in what you do? Particularly, we hear a lot of talk about things like machine learning and artificial intelligence. Are they playing a role in your ability to keep up with these attacks?
They’re certainly helping. We’d like to have more of that capability. I wouldn’t go as far as saying we’re using artificial intelligence, but I would say that we’re definitely using machine learning. Our cyber defense platform is a great example of that, so we have built our own visual analytics and our own algorithms to effectively allow the computers to start to learn the environment and pick up on trends and patterns that might indicate something bad about to happen. So we are, wherever possible, trying to complement human intuition with machine learning, and I think that’s … really, I think that’s where we are in the world of cybersecurity right now.
I don’t think we’re in an arena where we’re all using artificial intelligence, and we’re replacing the human brain. I think, actually, we’re a reasonable way from that. I think human intuition’s still very important, very powerful, but it helps to be complemented with some machine learning. We’re definitely doing that. I think at a more basic level, actually, the orchestration of rule changing and making changes in the network based on information that you’re seeing in the security world is very important, because we talk a lot in security about being intelligence-led and risk-based. Well, being intelligence-led and risk-based is great, but it’s only as good as the action you take off the back of it, so I think there’s a lot of development required in orchestrating and automating network changes off the back of intelligence. Then we start … we can automate that whole process so that, fundamentally, the security posture of your organization changes when you learn something new. At the minute, that’s quite reliant on human intervention.
What are the challenges for an organization as large as BT? How do you stay agile despite your size?
That’s a very good question, and it can be a challenge when you’re a company with over 100,000 employees and you’re operating across 180 countries. Remaining nimble, keeping agile, you’ve just got to … it can be difficult. One of the things we’ve done, which has helped greatly, is we try to embrace new technology. We’ve done that through something called our “cyber assessment lab.” We have a team of people in our research and development center here in the UK, and they are constantly testing and evaluating new security technologies, and we’re bringing that to play in BT when we deem it appropriate, and when we think the technology has reached a maturity level and we can deploy it. So that’s from the technology perspective, that’s what we’re doing.
But, we’re too quick to talk about technology and security. We should also talk about people. From a people perspective, we’re investing heavily in bringing in new recruits, specifically new apprentices, so school-leavers who have an aptitude and a way of thinking that we think fits well in cybersecurity … and also graduates, fresh graduates, so we’re starting to very much build our own human intelligence and human capability. I think it’s really important that we focus on the people side of security as much as we do on the technology side, because ultimately, it’s a people problem and we need people to help solve it. So, yeah, focus on new intake and improving the skill set is really important as well.
If we made cars in the same way that we made cars 100 years ago, for sure, we’d have a skill shortage of car makers. But we don’t, of course. We’ve evolved how we make cars and actually we’ve introduced a lot of automation and robotics, and we don’t need so many people to make cars, and I think the skill shortage that we all talk about in the security domain, no doubt that’s a problem, particularly at the very high end of the skill set. I do believe that a combination of upskilling an interesting resource and better orchestration and automation, which we described earlier, probably ultimately holds the answers. I don’t think, necessarily, the answer is getting hundreds and hundreds and thousands and thousands of more people doing computer science degrees, as much as I’d like that to happen. I think it’s probably a combination of that, and more orchestration and automation.
I want to switch gears and talk about GDPR. GDPR is on the horizon, and surely, it’s in your sights. How is GDPR going to affect you at BT?
Yep, it’s definitely on the horizon. The horizon’s getting much closer, so, May 2018. It’s an important piece of regulation for all of us, I’d say, or certainly all of us who work in organizations who will be handling European citizen data. For us, here in the UK, the ongoing Brexit negotiations will have no impact on that, so we can’t Brexit our way out of it. We’re absolutely working hard in BT to make sure that we understand what it is that we need to do to change the way we operate, to make sure we’re compliant, of course, with that regulation.
That involves a lot of hard work, looking deep into our system stack and operating platforms. I think, stepping away from the BT approach to GDPR, but more generally, in the industry, I think it’s going to be a very interesting time because within the regulation, it talks about organizations having to take reasonable measures to protect customer data. I think we probably all say, in the security industry, that yes, we’ve got some ideas about what reasonable might mean, but there aren’t any key, defined best practices outside of ISO 27001 international best practices. There’s the NIST framework, there’s some really good guidance from SANS, there are lots of different frameworks.
I think what we may see off the back of GDPR is a few test cases in a court of law, and actually, we start to get some case law around what “reasonable” means in the information security world. For me, that will be very interesting, and I guess what we’re all hoping is, we’re not that first case that comes to court. Of course, we’re working hard to make sure that that isn’t the case, but somebody probably will be. I think we’ll all learn a lot about the general perception of what measures should be taken. And as I say, we can all have a pretty good stab at that in terms of security configuration, auditable processes, and all the rest of it. It will be interesting to see how a court of law interprets it.
Obviously, since we’re talking about a global internet, what ripples do you suppose GDPR will have around the rest of the world?
I think it will bring, or has the potential to bring, a lot more standardization in the security domain, in the privacy domain as well, I should say. I think that can only be a good thing. As we, as consumers, become more global and want to access our own data from any device, from any network, from any country in the world, then I think we need regulation and the assurance that that data is going to be treated in the same way wherever you are. I think it’ll bring — well, I hope it will bring — consistency of data processing. Clearly, that’s what all of these different changes and regulations … only time will tell. It’s certainly going to be an interesting time.
The regulation dictates that it’s applicable to any company who is handling and processing a European citizen’s data. We know that most — certainly most large — American organizations will have European customers, and therefore be dealing with their data. So, yeah, I think it’s going to have a big impact. Almost as much of an impact in America as it does here in the UK.
I want to switch and talk about threat intelligence. When it comes to your organization, what role does threat intelligence play in the business that you do day to day?
It plays a big role. Five or six years ago, we all made a very deliberate play to bring in some experts in this field. We have our own threat intelligence team, as do many organizations now. That team operates at the heart of our operations, so if we have any kind of operational incidents or they pick up on any intelligence threat, they’re straight on conference calls, they’re right in the middle of that operation and working with our operational team to see how we can best mitigate the threat. Or, if we’ve had an incident, they can perhaps work backwards and see what threat might have caused it.
So, really important for us. It’s also something that we’ve built into the service we deliver to our customers, so, a differentiator in that regard. Particularly because of our ringside seat that I described on the internet as a globalized “T.” We absolutely try, wherever possible, to be intelligence-led in our approach to security. And we don’t limit that to information security, it’s for security as a whole, so from a physical perspective, as well, we do a lot of work to make sure that our physical estate is protected, and that requires threat intelligence, as well.
Can we talk about the necessity to transform pure, raw information into intelligence? I wonder if you could speak to that.
It’s always … I’m not an intelligence specialist in that particular domain, and instead I [inaudible 00:15:11] my terminology, but information being turned into intelligence is interesting. I’ll always remember, as an operational manager, trying to put some metrics around threat intelligence, and it’s very difficult. It’s really almost an art form. What we discovered, and what we found was, that you’ve got to take it through to the outcome. Ultimately, what we want is for an action to be taken in our network that makes our network more secure, and that action being taken off the back of some information, or intelligence, if you want to use that word.
We started to really focus in on actionable intelligence, which I know a lot of people talk about, but that’s what really became key. And really understanding, what are the outcomes that you want to achieve. It’s almost like having specific use cases in your organization so that you can direct the threat intelligence team to focus in on those. So what they’re doing, day-in, day-out, is fundamentally making a difference to the security posture of your organization. I think there is a risk in the intelligence world that you gather, and fuse together, and harness lots and lots of information and arguably describe that intelligence, but that intelligence never sees the light of day and never actually changes how the organization operates, and therefore how it’s protected. I think that’s a really important thing to focus in on in intelligence, is actual intelligence and tasking the intelligence team based on the outcomes that the business needs to achieve.
How do you personally prioritize your responses to the various indicators that come in? When your team comes to you and says, “These are the things that are happening in our network, to our customers.” What’s your process for choosing what demands your immediate attention?
For us and for our customers, we would go through a process of understanding the cryptomatics, and invariably, information security has applications, so we would use that as a taxonomy to then prioritize indicators. For example, if we saw a significant threat against our BT sport platform, and there was about to be a live football, or I should say, soccer match on, we would jump on that right away. It’s a combination of operational intelligence and understanding what your critical assets are, and using that to prioritize the indicators. And we do exactly the same with our customers. We sit down with our customers for a day, or longer, if it was required, to really understand what it is that’s crucial to keep their business running, and then if we start to see threats or indicators against those particular assets.
What sort of general advice do you have for those who are in the cybersecurity business? From the vantage point that you have with BT, what sort of advice would you give for those who are out there fighting the good fight every day, trying to protect themselves and their customers?
I think — and this might sound counter-intuitive — but I would try to achieve simplicity. I think in the security domain, we are very good at over-complicating a situation, and granted, sometimes it can be very complicated. But, in my experience, keeping things very simple, focusing in on your most critical assets, being very clear about the impact from particular incidents so that it gets a proportionate response and really bringing things down to their core components … to keep them simple, and keep it in the language of the organization that you’re working with so it makes sense.
We always talk about security, or cybersecurity, being a board-level agenda item. Well, it might well be, but they’re speaking a different language to the board, and we’re going to quite quickly get out of alignment. So, I think it’s about simplicity, it’s about speaking the language of the organization that you’re working in, and it’s about focusing in on outcomes to make the organization more secure.
Our thanks to Luke Beeson for joining us, and thanks to Joel Hare from BT for coordinating the call from the other side of the pond.
Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.
And remember to save the date for RFUN, the sixth annual threat intelligence conference coming up in October in Washington, D.C. Attendees will gain valuable insight into threat intelligence best practices by hearing from industry luminaries, peers, and Recorded Future experts. All the details are at recordedfuture.com/rfun. I’m planning on attending and the CyberWire will be recording our daily podcasts from the conference, as well.
We hope that you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.
Thanks for listening.