With 120,000 employees and 14.7 million online banking customers, Charlotte, N.C.-based Wachovia's universe of end users and the number of devices connected to its network are immense. Keeping the $808 billion asset institution safe from emerging security threats falls to Peter Makohon, VP of information security, Wachovia threat and vulnerability management. But while protecting Wachovia's network against ever more sophisticated attacks is a constant challenge that requires eternal vigilance, Makohon says protecting the bank's customers is an even bigger challenge.
BS&T: How long have you been with Wachovia?
Makohon: I've been with the bank for 13 years, joining when it was First Union [which merged with Wachovia in 2001]. I've been in my current role for four years. During those first nine years, I worked in network services, helping to establish many of the enterprise network tier 3 work processes and automation capabilities.
BS&T: What are some of your current responsibilities?
Makohon: I manage a team that focuses on emerging security threats and security event analysis. We build, maintain and manage a number of information security automation solutions, including an enterprise vulnerability management system. Most of our resources are spent analyzing and protecting against malicious software and other emerging threats.
BS&T: Has the security environment changed since you took on your current role?
Makohon: Several years ago threats were mostly from highly visible worms and malicious software intended to disrupt the business and provide notoriety for the people who wrote the software. Today we're seeing an underground economy that uses malicious software for profit by stealing personal information and accessing financial transactions.
In addition, malware has become very sophisticated and can disable anti-virus protection and other security controls. It can enable keystroke logging, and can understand and navigate the electronic forms used for conducting financial transactions. There are even crimeware tool kits complete with service contracts for sale to criminals.
BS&T: As the fourth largest financial institution in the U.S., is Wachovia a major target for cyber criminals?
Makohon: Wachovia and other larger banks are definitely on the radar of cyber criminals. My team and I spend a considerable amount of time studying cyber criminal tactics and trying to understand the different security controls that are available to prevent criminals from getting customer information. We have established relationships with industry forums and peer financial institutions to discuss ways to thwart these criminals and protect our institutions and our customers.
BS&T: How has the growth of online banking complicated network security?
Makohon: Because we have a large number of online banking customers all over the world accessing Wachovia with their own computers, it's challenging to ensure that our infrastructure and applications are protected. But an even more pressing challenge is protecting our customer base.
BS&T: Describe the network monitoring support provided by Somerset, N.J.-based Lumeta.
Makohon: Lumeta helps us with internal monitoring of devices connected to our network. We also use Lumeta to test the security of our perimeter network by performing leak tests. A few years ago we designed, built and deployed an enterprise security management system that takes feeds from different internal and external security intelligence sources, such as third parties that monitor financial services phishing activity.
Lumeta has been in production at the bank for several years, and we continue to add licenses as we build out our infrastructure or add devices due to M&A activity. The data and capabilities that Lumeta provides are critical for maintaining the security and integrity of our enterprise network.
The real benefit of a solution such as Lumeta is that you can take information from Lumeta's network discovery process and feed it into other security tools, and use that information to prioritize and protect everything attached to the enterprise network. Information security is a lot like purchasing insurance in that you have to have it, but you hope you won't have to use it. One of our goals is to keep Wachovia out of the newspapers by ensuring that we do everything we can to protect our customers' data.
BS&T: How has the regulatory environment around data security changed?
Makohon: Regulatory scrutiny has increased, partly due to the changing threat landscape, and partly due to regulators and auditors with more-sophisticated technology knowledge. The result is more questions and higher expectations.
BS&T: Are there any technology innovations on the horizon that might improve information security?
Makohon: One of the current challenges in combating malicious software is that operating systems allow malware to run without checking to see if the application is on an approved list that should be allowed to execute. It will be greatly beneficial when operating system vendors adopt a standard approach for supporting application authentication. That means that any application preparing to run on any platform -- be it a laptop, desktop or server -- is authenticated for that platform.
Virtualization and sandboxing technologies that protect transactions and ensure integrity of a workstation and application are promising. The goal will be to protect the session from whatever else is going on on the machine.
BS&T: Does end-user authentication still play a significant role in combating security threats?
Makohon: Yes, but it's become a more complex environment -- not only do we have to protect the Web site from unauthorized access by authenticating the end user, we also have to provide assurance to the end users that the site they are accessing is the proper Web site. Essentially, we need two-way mutual authentication between the customer and the financial institution.
Corporations and enterprises have to track exactly what devices are on the network. The networks that were built in the 1980s and the 1990s were focused on establishing connectivity. Networks in the very near future will need to support role-based access that only allows users to access resources provisioned to their roles. We've got to provide end users with additional functionality but also protect the devices that they can access.
We have to make this as transparent as possible for the end user. We highly value understanding the user experience and ensuring it's as seamless as possible without compromising security.
BS&T: What has been your greatest career challenge?
Makohon: As I transitioned from being an individual contributor to a manager and leader, I struggled personally with being able to maintain technical competence and lead large technical initiatives.
Name: Peter Makohon
Title: VP of Corporate Information Security, Wachovia Threat and Vulnerability Management
Education: State University of New York (SUNY) at Geneseo, B.S. in Computer Science
First Job: Working for a UNIX systems integrator.
Hobbies: Coaching and playing soccer, community service, and researching information security topics.