We sat down with Ryan Hitt, chief technology officer of CapWealth Advisors, to chat about security during a recent “Customer Conversations” webinar. CapWealth Advisors is a Tennessee-based, SEC-registered investment advisory firm that provides wealth management services for individuals, families, foundations, and institutions. With just 13 employees, it has more than $1 billion in assets under advisement.
Among his many responsibilities, Ryan is tasked with ensuring the integrity of all client data. In the following Q&A, he fills us in on what keeps him up at night and how FireEye helps him go back to sleep. Ryan will also be a guest speaker at the upcoming Cyber Defense Virtual Summit (April 7-8), where he will share the CapWealth Advisors story.
Q: What sensitive information assets does your company possess that you must protect?
A: The financial services industry, as everybody is aware, has been under attack. We’ve got a wide range of clients, from institutions to private individuals. We manage client assets, and initiate client transfers of funds such as securities. We’ve got a lot of sensitive client data, a lot of transaction records, and a lot of financial planning information. All this is stored internally.
Q: From a security perspective, what do you worry about most today?
A: Zero-day threats. Everybody’s afraid of the unknown because you’ve got no idea how to counter it. It’s like preparing for a football game. You try to stay ahead of what somebody else is going to do. So we’re taking a more offensive approach instead of simply being defensive. If you’ve had a breach and someone is running in the background for seven months stealing client data – as Mandiant discovered is common – you’ve got a big problem on your hands. That’s the kind of stuff that keeps you up at night. Then there are the long-term financial losses as well as reputational losses that would result from a breach. Not only the company, but also potential clients or customers have their reputations at stake. Finally, we’re big web users, which led us to the FireEye NX solution. We do a lot of research on the web. We’re constantly online, and the potential for having something malicious running in the background – be it phishing or another method of attack – is pretty scary. We’re also governed by the Securities and Exchange Commission (SEC), which is a good thing because they keep you on your toes.
Q: Why did you look at advanced threat detection in general and FireEye in particular?
A: We’re always looking at the worst-case scenario. Every threat out there, in my opinion, is advanced. You have to be offensive in your approach. So we’ve installed the best. The NX Series works very differently from a traditional firewall. It provides us with a layered defense and allows us to attack things in real time to kill the threat. It’s the kill-chain concept. With web traffic specifically, we needed to layer the protection. NX sits behind our firewalls to do that deeper packet inspection.
Q: Are you using the NX Series in in-line or detection mode?
A: We’re using it in in-line mode. That seems to be the best approach. We can go ahead and block something and then if we want to dive into it and investigate it after the fact, that’s great. However, at least we know we’re blocking it upfront, which is, in my opinion, the most important thing.
Q: Why did you choose FireEye?
A: It ties into our overall firm philosophy of only using the best of breed. If you want high-quality results you’ve got to get high-quality products.
Q: What kind of research did you perform before making your decision?
A: We especially wanted to know the FireEye management team, so we researched them carefully. We feel that the management team in place is capable of staying ahead of the curve – advancing the technology, hiring the right people, going in the right direction. We look at FireEye as a partner so that was important. I also had an opportunity to speak to a lot of internal people at FireEye. They were fantastic – extremely knowledgeable and very willing to help. And as we researched the product, a lot of knowledgeable people in the industry would smile and say, “Yeah, they’re great,” when I mentioned FireEye. So that really helped me make a decision.
Q: Can you walk us through the deployment?
A: We used a FireEye partner, and had a demo appliance put in first so we could kick the tires and take it for a test drive. The guys came in and we went through a network diagram and figured it out. Once we got the demo appliance in place we went through a configuration process that was fairly simple. Then, of course, we ran some test malware through the system to prove it worked. We got up to speed on the appliance itself by looking at the dashboard and the reporting methodologies. It was fairly painless.
Q: Can you briefly describe the day-to-day administration and operation of the NX Series?
A: It’s been smooth. We’ve had a few alerts. They’ve been good. They seem to be instantaneous. For example, somebody in our office was working on a legitimate website – something we wouldn’t frown upon, by any means – and apparently there was something lurking in the background. So we got an alert and while we were looking at the alert that individual was still on the website. That’s how quick it was. Whatever it was got blocked, which was good. We were running that in-line defense we just talked about. Operating the actual interface is simple. It’s got some bells and whistles if you want to go that route but the reporting is straightforward. And it gives you a lot of detail about the alerts and threats that your appliance may have encountered.
Q: How would you compare it to other technologies that are out there?
A: One of the things we really liked about the NX Series was the zero false positives. We haven’t had any. With traditional defense mechanisms there are a lot of those false positive alerts and you’re running around trying to figure out what’s legitimate and what’s not. We don’t have a large IT staff. We outsource some of it. Our job here is to manage money and make money for our clients. So having tools in place with alerts that are active and accurate was pretty important.
Q: Please describe the changes – such as personnel, policy, processes and procedures – you made to incorporate FireEye products.
A: Deploying FireEye actually motivated us to rewrite our policies. Our original policies were more reactive. We took FireEye and put it in the center and layered our defensive perimeters around it. If something breaks through our defensive line – in theory, which in this case would be our firewalls – we’ve got FireEye waiting in the background. It is ready to attack, stop, block, detonate, kill – however you want to call it – whatever risk is presented at the time. We started writing our policies around that concept.