With the cybersecurity threat landscape shifting quickly and continuously, BT's security chief reckons the best form of defense is attack – that is, to attack his own defense…

July 17, 2017

7 Min Read
Why BT's Security Chief Is Attacking His Own Network

It's often said in sport that the best form of defense is attack, and that's a maxim that Mark Hughes, the head of security at BT Group, has taken on board. Except his modus operandi is to attack the very network he's responsible for protecting.

Hughes, a highly enthusiastic and open character, has an incredibly broad role as the CEO of BT Security: He is responsible for all security matters at BT (physical at 10,000 buildings as well as digital and virtual) and also for developing the telco's security services offerings, which are proving increasingly popular with enterprises and, according to Hughes, even whole countries. "In the past few years we have aggressively gone after security services business, driven largely by demand from enterprise customers, who realized they needed help," he noted during a media briefing about a new security report BT has published in partnership with KPMG LLP. (See Cybersecurity: More a People Than a Tech Challenge?)

The provision of security tools and services is a large and growing business: According to Gartner, as enterprises shift their security spending away from prevention-only solutions and more towards detect and response options, global spending on information security is set to increase by 7.6% year-on-year to hit $90 billion in 2017 and $113 billion by 2020.

Revenues from BT's security services grew by 24% year-on-year in the financial year that ended in March 2017, with the telco noting in its presentation to investors that all large network deals had security elements incorporated. Those elements can range from the straightforward provision and management of a firewall to the provision of full cybersecurity management services, where the telco would compete against the likes of Raytheon and Lockheed Martin.

Figure 1: BT Security CEO Mark Hughes: Captain of the Purple Team. BT Security CEO Mark Hughes: Captain of the Purple Team.

And there are plenty of additional security services opportunities coming down the pipe. Hughes notes that security capabilities can be offered as part of SD-WAN and NFV-based services, while the IoT sector offers a great deal beyond secure smart meter services. The IoT opportunity "is not so much in providing a security wrap around devices but in the secure management and brokering of the information gathered [from IoT deployments]. The devices are important but it's the security of the information that is the big issue."

Hughes believes BT has gone further than other telcos in developing security services, though he notes that NTT Communications Corp. (NYSE: NTT) and Deutsche Telekom AG (NYSE: DT) (T-Systems) are two examples of other telcos that have built service offerings on top of their own network security capabilities. "We have built a services business based on our network knowledge and skills, and I haven't seen others go as far as us, but that doesn't mean they're not trying!"

So there's a helluva lot to do! But Hughes appears to have energy to burn and, unlike many other heads of security at enterprises around the world, he has a large team working for him -- about 3,000 people globally.

And they're doing a lot of really interesting things. Part of Hughes's team is tasked with performing "ethical attacks" on BT's security defenses to identify weaknesses and help bolster the company's defenses before less friendly hackers encounter any chinks in BT's armor.

That process is called "red teaming" because, well, it's undertaken by BT Security's Red Team. And, naturally, it has a counterpart, the Blue Team, which defends the network in these cybersecurity war games. "It's a big overhead but it's worth it. The Red Team finds stuff and then they work with the Blue Team to fix it." Hughes points out that the Red Team doesn't wait until the completion of the attack exercises, which can last months in some cases, to point out any identified weaknesses -- that would be too risky. So the Red and Blue teams work together constantly in an ongoing "agile" manner in a process Hughes calls "Purple-Teaming."

Such processes mean the BT security team is constantly updating and strengthening its defenses to guard against Hughes's biggest headache -- the ability to respond in a suitable and efficient way. "Because we have such a large global network -- the biggest MPLS network in the world -- my main concern is that we need to be able to flex and react" in response to any breach and be able "to isolate the network" when necessary.

So have there been any major breaches? Hughes thinks for a moment… "No… we are extremely careful and vigilant," he says, adding that response times have improved dramatically in recent years, down to milliseconds in some cases.

Next page: Cybersecurity tech, AI and collaboration

Cybersecurity tech, AI and collaboration
So, in addition to his staff, what other resources does Hughes have at hand to secure BT's network and be able to offer security services? He has a core group of technology partners, including the likes of Cisco Systems, Juniper Networks, Check Point Software Technologies, Zscaler, Symantec, McAfee and Arbor Networks, but BT Security also deploys technology from specialists such as Darktrace. (See Darktrace Raises $75M, Provides Inspiration.)

And he's keen to know about security innovations: "I'm prepared to assess any security vendor to see if they have something to offer," he notes.

That assessment process isn't just for BT's benefit: Hughes's team runs a cybersecurity assessment lab that enables BT to advise customers on which technologies would be suitable for them. It has assessed solutions from about 1,600 vendors, according to Hughes.

BT Security also develops some of its own technology, most notably the Assure Analytics system that is used by BT's security analysts to identify threats. At the heart of this system are artificial intelligence (AI) algorithms, developed and patented by BT, that are used to analyze data from BT's network and present it in a visual format. That system has been is use for some time and was demonstrated by Dr Ben Azvine, BT's Global Head of Security Research and Innovation, in an exclusive video interview with Light Reading last year.

{videoembed|722327}


But the AI capabilities can only do so much. As BT security expert Alex Healy noted during a briefing for the media via a Skype video call, AI is "great at filtering the right data and analyzing it" but "isn't so good at semantics -- figuring out what the visual results actually mean."

That's where BT's trained security consultants play their role, deciding what is (or not) a significant threat and then deciding what action to take. "AI helps the analysts find the needle in the haystack by finding and cleaning up the data," states Azvine during the same Skype call. "But we still need the human analyst -- the power comes in the combination of the computing and the humans," he adds.

And human-to-human interaction is also important, notes Hughes. Engaging with and learning from the broader cybersecurity community is vital, stresses the BT man. He says there's a lot of information sharing among peers at the UK's National Cyber Security Centre (NCSC) and via network security information exchanges (NSIEs), which in turn collaborate with other parties such as ICANN (Internet Corporation for Assigned Names and Numbers), the major DNS providers, Cisco and others. He also talks to his peers at other telcos, including the likes of AT&T, Deutsche Telekom, Orange and Verizon, about ongoing developments and upcoming challenges: Recent topics for discussion have included the impact of 5G -- for example, the introduction of soft SIMs.

Hughes certainly seems to be on top of his game and, with BT dealing with hundreds of thousands of security incidents every day, he and his team need to be.

— Ray Le Maistre, Circle me on Google+ Follow me on TwitterVisit my LinkedIn profile, International Group Editor, Light Reading

Read more about:

Europe
Subscribe and receive the latest news from the industry.
Join 62,000+ members. Yes it's completely free.

You May Also Like