The Truth About Hedge Fund Security

Bart McDonough and Christopher Harper talk to HFMWeek about the security risks hedge fund managers face today, and the benefits of an integrated IT and security platform.

Security breaches, and the fallout that comes with them, are a grave issue affecting hedge fund managers, and understanding the danger is paramount to maintaining a healthy business environment. Internal attacks are arguably more likely to occur than external attacks, leaving a firm’s intellectual property exposed. Earlier this year, IT services provider Agio acquired security firm Secure Enterprise Computing, effectively building a single, integrated IT and security platform to address these rising industry concerns.

HFMWeek (HFM): What are the main security risks that hedge fund managers need to be aware of?

Bart R. McDonough (BM): Arguably, the highest risk comes from the actions of an employee. Due to the nature of the industry, hedge funds are unlikely to have a large external internet footprint, and as such are less likely to be targeted from a perimeter perspective. However, the well intending user is capable of gaining access to valuable, and potentially sensitive information, and can inadvertently leak this information to unauthorised parties. This leakage comes in many forms – whether through the introduction of malware via email or social media, or through the installation of unauthorised software that is then leveraged by an attacker.

Christopher Harper (CH): The unfortunate truth is that many firms have little control over the applications in their environment. The introduction of unauthorised applications makes it difficult, if not impossible, to keep these applications up-to-date, and to have any sort of control over the vulnerabilities they introduce. As Bart mentioned, these vulnerable applications can be leveraged by attackers to introduce malcode into the environment, gain control of servers or other systems, or exfiltrate sensitive data.

“These managed security solutions will integrate directly with our existing managed services for networks, storage, databases, servers, and applications.” 

HFM: How does Agio manage these types of security risks?

BM: Currently, Agio provides a number of security assessment services, including vulnerability assessments, penetration testing, and enterprise risk assessments. We also offer our clients user awareness training, robust policy consulting, and assist with applying appropriate controls around how information is accessed and tracked using the principle of least privilege and assigning access on a need-to-know basis.

CH: To dig a little deeper, our customised monitoring solution – Agio Monitoring Service (AMS) – has the capability to discover all systems and software in the environment, which provides us with a unique view into the systems and components in each of our client’s networks. This information enables us to then report on potential risks associated with unauthorised applications, and to what extent these applications pose a risk to our client’s firm. We also have the ability to detect suspicious activity on the network, and quickly take action to prevent further harm.

BM: Finally, we’re in the process of building a comprehensive suite of managed security services that includes next generation Security Information and Event Management (SIEM), Continuous Vulnerability Management, Configuration Management, Unified Threat Management (UTM), and Endpoint Security solutions. These managed security solutions will integrate directly with our existing managed services for networks, storage, databases, servers, and applications.

HFM: Now that we understand a bit more about your security solutions, tell us about the original drive behind bringing security in-house and how it helps to deal with the industry’s increasing regulatory and investor demands.

BM: The real premise of the acquisition was rooted in the belief that, as a managed service provider of technology, we could no longer outsource security. Whereas most technology providers currently maintain an outsourced relationship with a security specialist, Agio believes the critical nature of security mandates a more strategic and integrated approach. Understanding security is core knowledge that we need to possess to remain at the forefront of the industry for our clients.

HFM: What are the main benefits for managers in switching to a single, integrated IT and security platform?

CH: Not surprisingly, security is as much, if not more, about what you don’t know than it is about what you do know. Like a car’s blind spot, it’s what you don’t see within your environment, or understand when it comes to industry policies, that can be dangerous.

With that in mind, many IT services firms are focused on up-time, reliability, and providing services to the end user. Doing this well requires a strong understanding of the environment, including the applications, the networking and the supporting systems. On the flip side, managed security service firms tend to focus on the perimeter, and lack the insight into their clients’ internal systems. Combining the security expertise and background with the internal network intelligence brings an end result that is much more valuable than the sum of the two.

When security is as much about what you don’t know, a security partner unfamiliar with the ins and outs of your infrastructure is limited in the quality of security they can provide – because they too, don’t know what they don’t know about your environment, where the vulnerabilities might be, and how to intelligently build processes to prevent security issues.

“Combining the security expertise and background with the internal network intelligence brings an end result that is much more valuable than the sum of the two.”

HFM: Finally, what aspects of a firm’s risk management structure are most important when integrating a new security solution?

BM: Hedge funds possess an enormous amount of intellectual property, and they need to make sure that intellectual property stays within their virtual four walls.

Whenever you’re evaluating a security provider, you should make sure the provider understands the uniqueness of your environment and how important intellectual property is to a manager.

Your provider should also be able to perform enterprise risk assessments, whereby they evaluate your use of resources and controls, and then recommend changes to the environment that improve security. these recommendations should also include education of users and helping them to understand how you manipulate the data, the pathway it follows and where the data ultimately resides, which is critical for any hedge fund.