Leading Financial Institution Uses Fortra Vulnerability Management to Manage Risk During Digital Transformation
This leading financial institution has been in business for over 75 years, and as of 2020, had assets exceeding $2 billion and over 200,000 members. Committed to continually improving the customer experience, the financial institution began a three-year digital transformation. It made innovative updates and changes to systems and overall infrastructure that have ultimately helped make business easier and more secure for its members.
The institution launched a digital transformation project to:
Cybersecurity was a central consideration throughout the process. The institution needed a security solution to help maintain and improve cybersecurity and compliance during this digital expansion. Amid the transitional phases of this project, both the old and the new infrastructures would need to remain tightly secured, protecting vital client and company information. The team needed tools and support to ensure new infrastructure was configured securely and that daily changes to infrastructure didn’t create new vulnerabilities.
The institution was already using Digital Defense’s Fortra Vulnerability Management (formerly Frontline VM™) to perform host discovery and vulnerability scans on external (internet facing) and internal IP-based systems and networks. However, it was not taking advantage of some of Fortra VM’s key features that could help make security efforts easier.
A key feature of Fortra VM, Security GPA, became a more integral part of the processes after the institution’s state auditors recommended using Frontline to monitor internal and external risk scores. Frontline Security GPA is an intuitive security rating metric provided in a letter (A,B,C,D, F) grade and numerical GPA. The Security GPA weighs asset importance and criticality as well as vulnerability severity to provide a full picture of an organization’s security posture. Additionally, Security GPA is dynamically generated and reflects even the smallest changes in vulnerability.
The institution’s CTO/CISO began using Security GPA as a motivator and Fortra VM as a key component of the team’s vulnerability prioritization. This work earned the institution an award from Digital Defense because their GPA steadily improved and landed in the top 2% of all Frontline users.
The institution’s oversight committee met monthly to review its business and security landscape. A local statute requires that an oversight committee acknowledges and either accepts or mitigates risk to the institution. The CTO/ CISO used Security GPA as an informative, yet simple metric when presenting to technical and non-technical committee members. These security conversations were greatly simplified by using the easily understood letter and number rating to convey complex security concepts.
The institution had a Frontline Pro subscription, which includes a Digital Defense Personal Security Analyst (PSA). The CTO/ CISO’s team worked closely with the Digital Defense PSA who configured the new infrastructure and helped build new scan policies in Frontline for the institution. Pro support gave the project team more time to focus on deploying their new infrastructure, and confidence that their scan policies were in expert hands. Their PSA also helped analyze scan results and provided direct remediation planning guidance. This resulted in a more effective and mature vulnerability management program for the team.
Part of the institution’s digital transformation was converting to a virtual infrastructure. Digital Defense helped the institution save a significant amount of time by working with their virtual hosting provider to configure a new Frontline RNA virtual appliance. The virtual Reconnaissance Network Appliance (Frontline vRNA™) is powered by Digital Defense’s proprietary scanning technology, which enables:
“Moving to the vRNA made economic sense,” the CTO/CISO indicated. “In our network setup, a hardware appliance required colocation and hosting, adding costs that weren’t tied to a virtual appliance.”
During the transition from the legacy infrastructure to the new cloud-based infrastructure, the CTO/CISO’s team managed both simultaneously. They were retiring assets from the legacy system and deploying new assets in the new virtual infrastructure on a daily basis, and used Fortra VM to scan both environments. They ran nightly vulnerability scans on the new environment while still running scans on the old IP address scheme twice a week. This helped ensure daily changes weren’t creating new vulnerabilities.
The team relied on their Security GPA to monitor and report on risk after making changes to the new environment. If their GPA decreased, they would compare current, previous, and trending scores, with the ability to drill down into at-risk assets if needed.
"We trust Frontline. We were decommissioning and breaking down systems daily, and the Security GPA helped us identify and prioritize any new issues.” —CTO/CISO
Defense-in-Depth
The financial institution uses a defense-in-depth approach to securing its critical infrastructure. The CTO/CISO’s team built out multiple defensive layers to protect its most important assets and data. Frontline plays an important role in the defense-in-depth model. It is used in the network layer to proactively search for weaknesses across infrastructure and is one of the first lines of defense.
Risk Management using Frontline Security GPA
During this digital transformation project, Security GPA provided many benefits. It served as the guiding metric indicating whether daily system updates introduced new vulnerabilities in both new and old infrastructure. It also helped facilitate stakeholder communication with easily understood metrics and reporting. Lastly, this dynamic metric served as a motivator to the team to improve security posture.
Transition Security Oversight and Monitoring
Because Fortra VM comes with the ability to automate or run unlimited, on-demand scanning, the institution was able to conduct vulnerability assessments multiple times a day to check their daily changes and ensure that no new weaknesses were introduced. During the transition, the team also maintained their legacy infrastructure, leveraging the automated scanning in Frontline for oversight as they retired assets.
According to the CTO/CISO, Frontline was essential to a secure conversion.
”I was in Frontline daily because I wanted to make sure we weren’t missing anything that needed to be addressed in the new environment.” —CTO/CISO
Ongoing Workflow Management
The PSA provided by Digital Defense manages end-toend service delivery, including customized reporting of assessment and remediation efforts. Additionally, the team can view progress through Fortra VM’s intuitive online dashboard, Frontline Active View™, and their PSA can respond quickly to any enterprise-wide issues.
Remediation Monitoring
The institution uses a service provider to manage the patching of their new infrastructure. To maintain visibility into the service provider’s progress, the CTO/CISO consults scan activity in Fortra VM daily. This level of insight into the vendor’s responsibility aligns vulnerability prioritization between both organizations.
Best-in-Class Security Expertise
This institution, as well as all of Digital Defense’s clients, benefit from the Vulnerability Research Team (VRT). The VRT proactively analyzes aggregate data to accelerate the discovery of flaws and then analyzes these flaws for the rapid identification of Zero-Day vulnerabilities, further bolstering their security.
The Frontline.Cloud SaaS vulnerability management and threat assessment platform supports Fortra Vulnerability Management, Frontline Web Application Scanning™, and Frontline Active Threat Sweep™ that together provide:
The Frontline.Cloud platform virtually eliminates false-positives associated with legacy vulnerability management solutions while also automating the tracking of dynamic and transient assets and prioritizing results based on contextualized threats and business criticality.
Industry: Credit Unions & Banking
KEY SOLUTIONS
RESULTS
Customers in the financial sector, including banks, credit unions, and financial services, choose Fortra VM to help protect their organizations and clients from increasing malware threats and costly data breaches. Fortra solutions also help financial organizations achieve and maintain compliance, including PCI, GLBA, SOX and more.
*At the time of this case study, Fortra VM and its corresponding security solutions were referred to under the Frontline brand.
Look to Fortra Vulnerability Management.
Copyright © Fortra, LLC and its group of companies. Fortra®, the Fortra® logos, and other identified marks are proprietary trademarks of Fortra, LLC. | Privacy Policy | Cookie Policy | Sitemap