Skip Links

View from inside Verizon's security SWAT team

By , Network World
May 14, 2013 11:39 AM ET

Network World - Bryan Sartin is director of Verizon's RISK Team, the communications provider's computer forensics practice, which is also the group that helps create the annual Data Breach Investigations Report (DBIR). Network World Editor in Chief John Dix caught up with Sartin to learn more about the RISK Team, get his take on the state of enterprise security, and discuss new findings from the recently published DBIR report.


Bryan Sartin
Bryan Sartin, director, Verizon's RISK Team

You lead what looks to me to be a security SWAT team. Tell us about it.

RISK stands for Research, Investigations, Solutions and Knowledge, and we have two specific areas of focus. One is for everything that Verizon does in cloud, IT, and security. We handle incidents of a civil and criminal nature for Verizon customers, whether they are on or off the Verizon network. And that spans digital forensics, computer incident response, IT investigations, but also electronic discovery. And in that capacity we're one of the largest IT investigative entities in the world. We operate digital forensic labs in five countries and have full time investigators in 21 countries.

Our second area of focus is intelligence. Case by case, in data centers around the globe, we pick up little artifacts of intelligence from our field work and process and convert that into knowledge we use to improve products, drive innovation and secure Verizon. But we also deliver that security knowledge to clients on a regular basis.

[ DATA BREACH REPORT: Chinese cyber-espionage rising, says Verizon annual report

MORE: Verizon Enterprise chief: We're headed for cloud computing's A-list ]

Was RISK home-grown or did it stem from acquisitions?

It's grown in a variety of ways. Verizon has had security capabilities for a long time because security and Internet services just go together hand in hand. If you're going to provide someone access to the Internet, then helping them access it in a secure fashion is something that makes sense. I came in from the Cybertrust acquisition back in 2007, and a large percentage of my team did as well. I believe Cybertrust was the largest privately held information security services company in the world at the time.

We thought we had the brightest minds, the best people and the best tools at our disposal, but it was one of those things where you didn't realize what you didn't have until you became part of this great big Verizon. Then we started getting access to the assets here and people from other Verizon acquisitions over the years. So we came into an environment where there was a very established security services capability and reinforced what was there.

Today we have a little more than 100 people and four background types on the team. A good percentage is from law enforcement, another is from military or military intelligence, which plays very well into that second focus I mentioned, folks like myself have more systems engineering backgrounds, and then you have others from institutional IT type roles.

What types of things do you get called in to examine?

The most common thing is the IT investigation. We're called in when the customer believes there is enough evidence of a security breach to retain an outside professional investigations company. So typically you have employees or customers complaining of fraud, or, in the last year or two, the FBI reaching out to a company saying, "Look, here's some things you need to know. You may have suffered some type of APT attack in and around this data and time." So they call us with what they believe is hard evidence of a security breach and our job is to look at their great big network and all the moving parts and determine, did this or did this not happen?

And based upon the facts, can we prove or disprove the source, show how they got in, what they took, make sure we can stop the bleeding and contain the situation, and then finally do what's necessary to set the stage for prosecution? So we often times play a pre-law enforcement type role where we're bringing together facts and evidence and building conclusions and transitioning our findings over to law enforcement to take the final step.

Why do companies hire you versus a competitor?

A: The biggest difference is the reach of Verizon's operations. We have a true international capability and that helps us better understand the legalities and all the rigmarole that goes into international investigations. But there's also the network. I could spend hours on a white board showing you some of the ways we can derive incredible types of intelligence off the Verizon backbone that helps us do things like identify sources. We can perform entire remote investigations without even going to the customer's premises. Figure out who did it, where they came from, what tools and methods they used, and what they took. Then we can pinpoint crimes back to adversaries, link many crimes together or even turn on intrusion detection systems out in the cloud and point them at one or many networks. We have some very unique capabilities.

Speaking of competition, who are you typically up against?

Many big communication companies have a capability similar to ours, and there are more boutique-type competitors in each country we operate in. We don't really have a lot of significant international competitors across the board.

Do you get involved with the government at all?

Yes, both as a service provider and also for intelligence sharing. It's become clear that there's strength in numbers when it comes to collecting and exchanging security intelligence, especially understanding the adversaries and how they work. I mean our entire remote investigations capability is supported by intelligence collection and sharing. The more we know the more we are able to see little facets.

Somebody comes to us and says -- "Look, we've got this point of entry and we see activity on these ports at these date and times, and here's where it appears to be coming from." And with good intelligence-based research you can take little artifacts like that and convert them into an entire picture. We know who did it, where they came from, how they got in, see that this is linked to these three other investigations we've conducted, and I can tell what's under that rock before we get there. A lot of that's born out of the sharing we do with government.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News