Managing the Changing IT Security Requirements in Financial Services

Security would be easy if it wasn’t for all the changes, as any IT manager will tell you. Other sectors of IT, such as customer relationship management (CRM) or enterprise resource planning (ERP), can continue to function efficiently without significant change for long periods of time.

But with security, every network extension, every opening or closing of a new office, every merger or acquisition, weakens your security stance and exposes your company to risk. And that’s before you consider the ever-increasing numbers of new threats, from malware and crimeware to hacking attempts.

Standing still isn’t an option – if you don’t adapt or change your security infrastructure and policies to keep pace, your networks are exposed. Yet just the act of making network changes can introduce unexpected vulnerabilities – which, in turn, further complicates the security issue.

So, how should IT teams scan and assess network devices, processes and people to ensure consistent availability, security and compliance? The traditional approach is to undertake a lengthy, manual inventory of all existing equipment and assets, followed by a similar manual effort to try to identify all the rules that have been implemented across the network to ensure security, privacy and compliance with regulations.

The Chains of Change

This manual approach creates its own risks. The IT team becomes distracted by stocktaking on networks, diverting resources away from strategic security tasks. And of course, once the inventory is complete, the network may change, or new risks may emerge – and the cycle begins again.

Is there a way to break the chains of change and stop playing constant catch-up? The answer is automation. Automated risk modeling tools can provide a complete and accurate picture of the organisation’s network, making it possible to simulate attack scenarios and compare possible responses.

This reduces human error, gives management a dashboard view of security, availability and compliance exposures, and gives IT teams accurate and prioritised action points to help mitigate critical risks.

From Manual to Auto

A UK financial services company wanted more effective management and control of its estate of 200-plus firewalls, distributed across its multiple offices and branches. It also wanted to be able to automate critical security processes, to free up IT administration time and enable staff to focus on other strategic issues.

As constant availability of financial information to its clients is key, the company needed to ensure its firewalls were secure and compliant with company requirements. This was complicated by the company’s recent, rapid growth, which had meant greater network complexity to support a growing user base.

To monitor the security status of the network, the company relied on resource-intensive manual assessment projects. Identifying security gaps and potential compliance issues was a chore, and was based on the subjective viewpoints of teams of engineers.

As a result, the company’s chief security officer (CSO) decided that a strong layer of analysis and security process automation would provide the highest level of security possible. To solve its network security issues, the company conducted an evaluation of vendors offering solutions such as rule base management.

However, these only solved a small part of the overall security and network management problem. The CSO wanted a solution that gave a complete picture of the entire network, enabling quick identification of where security holes exist.

The company chose Skybox because it conducts its analysis in a virtual environment, providing clear information on areas of concern, without affecting the network. Additionally, it is able to demonstrate that the appropriate controls are in place to validate that networks are secure and compliant.

The company’s firewall managers can better understand the rules that are causing problems and fix them before a security breach can occur. Prior to the implementation, penetration testing was used regularly, but had a narrow scope that did not provide a full view of potential firewall rule errors or mistakes.

Deployment Matters

The implementation of any solution would have been challenging for the company, as its network was complex following several mergers. Once the implementation processes were identified, the network map was created using configuration data from the firewalls and routers. The company was quickly able to identify key areas of concern and put remediation plans into action.

Several significant results have been realised since implementing the solution. These include the ability to visualise the company’s very complex network, identify threats to assets and mitigate them, and manage risk to a satisfactory level.

“The automation has replaced manual processes and will introduce efficiency gains that we could not have realised on our own,” says the company’s CSO. “The ability to test future changes in a virtual environment prior to deployment will save time that was previously dedicated to problem-solving discussions within change control teams.”

Vulnerability and compliance analysis is now run on a daily basis, providing clear reports on the network’s current connectivity and compliance status.

Challenges of a Merger

The company’s recent merger with another financial company was the first big challenge for the new solution. The introduction of 3,000 new employees, a network that was not completely understood, and the addition of devices not previously in the system have tested the scalability of the product.

However, says the CSO, “the solution has already proven to be more than capable of acquiring and automatically analysing large amounts of data that would be unfathomable if we tried to digest them manually. We are very happy to have this working, living model of our network.

“The ability to visualise actual threats and create a simulated attack scenario quickly identifies any asset that is susceptible to a potential security breach,” adds the CSO.

In conclusion, change is inevitable in security – but it doesn’t have to take over an IT team’s workload. With the right approach to automation, IT can embrace and keep ahead of change, without tears.

