CUSTOMER PROFILE Ranked as one of the best banks in America by Forbes magazine, our high–tech commercial banking customer had a large, complex and distributed IT environment supporting more than 1,600 employees and 34 locations worldwide. CHALLENGES

• Risk analysis around the latest technology, including virtualization and next–generation firewalls

• Continuous compliance with financial industry regulatory standards

• Manual processes draining limited IT resources

RESULTS

• One-week deployment for quick insight to IT architecture, risk and controls

• Continuous compliance and on-demand, substantive reports

• Prioritized risk management

• Automated daily reporting on best practices

By embracing innovation, the bank had established a leadership position in the industry. “Over the past five years, innovation has really been the biggest challenge that we’ve observed in the financial industry,” said the bank’s director of IT security. “We have to be able to control and access the data as well as assign attributions.” When the IT security team deployed Palo Alto Network’s (PAN) next-generation firewalls, the risk management solution in place couldn’t keep up. The IT security team lacked network visibility and could not provide an accurate picture of their network assets or risk exposure. With limited IT resources, the bank needed to find a security management solution that could automate routine tasks. The bank also sought robust compliance support, including best practices checks, network and vulnerability analysis and complete support for PAN security. SCOPE AND SELECTION CRITERIA The bank was looking for a solution that could keep up with the complexities of virtualization and next-generation firewalls. It also needed support to maintain continuous compliance. And, where IT staff were bogged down with administering routine tasks, it was critical to implement automation to free up scarce IT resources. After a proof-of-concept (POC) trial with Skybox™ Security, the bank quickly implemented Skybox Firewall Assurance, Skybox Network Assurance and Skybox Vulnerability Control to meet these needs. DEPLOYMENT During the POC trial, the bank conducted a thorough review of the Skybox Security Suite, including next-generation firewall integration analysis. Once the organization selected Skybox to provide security analytics for their network, implementation was quick and easy. The bank simply rolled over the POC to production, and implemented the three selected modules within a week. Maintaining Continuous Compliance Compliance was a primary focus during the customer’s selection process. Skybox’s robust compliance reporting along with the ability to compare the current network configurations against an approved baseline was a major differentiator. “In the financial sector, maintaining compliance is mandatory,” said the director. “There are many regulations that we have to follow, and Skybox enables us to deliver on-demand reports to our auditors that prove that we’re compliant. The solution also allows auditors to validate results against our baselines, and baseline comparisons are critical to showing that our networks are secure.” Increasing Network Visibility and Control In addition to compliance reporting, the customer also chose Skybox for effective risk reporting capabilities. Even if the information is accurate, huge amounts of risk data is unmanageable. Skybox helped the bank identify a shortlist of actionable information to address the most critical risks. Using Skybox, the security team set up best practice checks for their existing platforms and reporting to ensure that all changes met best practice requirements. With automation, they could easily run daily reports—even with limited resources—so information is always up-to-date and the network stays secure. Network teams also used Skybox to analyze data flows when troubleshooting. The customer turned to Skybox and its reporting capabilities to keep security management processes on track. “We like to product trend reports to show where we’ve been, where we’re going and where we expect to be in the near future,” said the director. “Skybox really helps us deliver these reports.” Modernizing Technology and Security Processes When next-generation firewalls introduced even more complexities to an already large and complicated firewall estate, the customer’s existing solution and other vendors couldn’t rise to the challenge. The sophistication of Skybox’s analytics-based platform and in-depth risk analysis gave them the ability to modernize their network troubleshooting and risk reduction processes.
“Next-generation firewalls introduce a new complexity into our environment. Many competitors that we worked with just cannot keep up with innovation. Skybox, on the other hand, really worked with us, understood our environment, and tackled innovation and virtualization head-on.” ABOUT THE SOLUTION The customer deployed three modules of the Skybox Security Suite—Firewall Assurance, Network Assurance and Vulnerability Control. Firewall Assurance was able to bring all firewalls into a single view and continuously monitor policy compliance, optimize firewall rulesets and finds attack vectors that other solutions missed. With Network Assurance, the customer illuminated complex security zones and policy compliance violations, giving them the insight they needed to  reduce attack vectors and network disruptions. The addition of Vulnerability Control allowed them to improve risk management, employing security analytics to quickly identify exposures and prioritize risk as well as remediation in the context of their network. RESULTS After just one week, the commercial bank had a level of network visibility and control that they never had before. With meaningful compliance reports and validated security intelligence, they were better able to support audits and reduce their attack surface. Skybox gave them a comprehensive and accurate view of their network and its risks.

CUSTOMER PROFILE Our customer is a large, federal credit union with employees distributed worldwide, and a complex global network. The company generates more than $500 million in revenue annually and holds in excess of $20 billion in financial assets. CHALLENGES

• Complex IT architecture with thousands of interdependencies

• Unable to effectively prioritize vulnerabilities and turn analysis into meaningful action

• Lack of visibility into the value of business assets

• No tools to correlate vulnerabilities and threats with likelihood and business impact

• Compliance with government and financial industry regulations

RESULTS

• Significantly reduced vulnerability exposure window

• Harnessed total visibility to analyze access paths and connectivity for improved security—even during changes

• Automated vulnerability management processes, prioritizing risk and remediation in context

• Simulated attacks to identify access paths and vulnerabilities

• Ensured continuous compliance and implemented a Security Risk Management (SRM) program

THE PROBLEM The complexities of its network and the thousands of application interdependencies created a huge challenge for the credit union. The continuous flow of application and network changes along with software vulnerabilities overwhelmed the company. Security managers struggled to keep up with identifying, addressing and remediating threats before critical applications and data was compromised. Lacking visibility across their network and into the value of their business assets, the credit union was forced to base remediation plans on vague vendor-provided risk labels, such as low, medium and high. As a result, administrators wasted countless hours rushing to implement patches for minor risks that weren’t actually relevant within the context of the network. SCOPE Security managers needed to be able to correlate vulnerabilities and threats against their infrastructure, their critical assets, and the likelihood and potential business impact of a data breach. Only then could the company move beyond reactive firefighting to aproactive approach that effectively reduced risk, maximized return on investment and ensured continuous compliance. With heightened concerns over security breaches and spikes in identity theft, the IT security team was on high alert and the CISO knew their security posture had to change. DEPLOYMENT Transforming an imprecise vulnerability management process into a focused, intelligent business risk management program was the first step. The company started by moving away from manual, sporadic scans to regular, automated monitoring. While this action reduced the window of vulnerability caused by software flaws, the CISO and his team still couldn’t correlate vulnerabilities to business risk. “You get scan reports telling you that you have 5,000 critical vulnerabilities. But what does that actually mean?” asked the CISO. Understanding Real Business Risk The IT team had been responding to these threats with a fast and furious approach, downloading, testing and deploying patches throughout their infrastructure “We still had to manually correlate whether we should patch all our vulnerable systems and accept the business impact that meant to the organization,” said the CISO. The credit union turned to Skybox to better understand risks and vulnerabilities within the context of the network. Skybox Network Assurance collected data on network infrastructure, access and security device configurations, access paths, dependencies among devices and the risk exposure of critical assets. Network Assurance then used this data to model the network environment. From there, the organization was able to run access simulations and analyze connectivity paths and policy compliance in context with risk exposures. With the addition of Skybox Vulnerability Control, the credit union collected network infrastructure and security configurations, evaluated vulnerability scan results, and better leveraged the modeling data from Network Assurance. Using patented attack simulation, Vulnerability Control calculated all possible access paths and highlighted vulnerabilities that could be exploited by internal and external attacks and tBy modeling the credit union’s IT environment with Network Assurance and simulating multi-step attacks with Vulnerability Control, the security team was able to focus on real-world threats that could bypass the company’s deeply layered security defenses. Skybox contextually validated critical risks, empowering the security team to pinpoint the most critical vulnerabilities and have a visual representation of all possible attack vectors. From there, the solution evaluated the probability of successful exploitation and the severity of the impending business impact. Skybox provided a precise and prioritized battle plan, and management gained unprecedented visibility into the organization’s risk and governance profile. The organization transformed security management from a defensive practice to a business enablement tool.
Reducing the Attack Surface Through implementing Skybox, the credit union could mitigate daily threats quickly. Using the simulated model, the CISO was able to visualize all potential attack vectors that a new vulnerability or attack could create. When he received reports from his vulnerability scanner that 400 servers were affected by a specific vulnerability, Skybox security analytics could deduce the three servers actually at risk. The analysis showed that the company’s layers of security defenses—including firewall rules and network segmentation—provided sufficient mitigation. “The model shows us what systems need immediate attention and focuses our resources on fixing our most critical at-risk systems immediately. We can do the remaining patchwork at will,” said the CISO. Skybox helped the organization mitigate risks faster and reduce the vulnerability exposure window. “Actionable intelligence is really critical. You want to be able to make the best decisions in the shortest amount of time with the least amount of business impact. Instead of looking at four hundred servers, I can focus on three. It’s about concentrating our efforts on the right things for the right reasons in the shortest amount of time.” Avoiding Risks of Network Changes Skybox modeling capabilities proved exceptionally valuable to the CISO. Now—before the credit union deploys any new services, applications or network changes—the CISO can model planned changes within a virtual environment without experimenting on the live network and risking disruption or worse.
“It’s actionable intelligence when I need it,” said the CISO. “The organization can maximize connectivity, minimize risk exposure, reduce IT workload and improve accuracy and timeliness through automated risk modeling.” Ensuring Continuous Compliance Deploying Skybox radically changed the federal regulatory audit process. “This was the first year where rather than tearing through firewall rules, IDS logs and incident reports, the examiners focused on our risk management and assessment plans and our infrastructure strategy,” said the CISO. “The reports that Skybox generated made it completely self-explanatory to regulators as to why certain assets were more critical than others. It was a dramatic shift for us.” With the ability to associate the credit union’s security threats and vulnerabilities to their actual business impact and likelihood of breach, it’s no surprise that the CISO positioned Skybox as the cornerstone of the organization’s information security management program. “We’re focused on making Skybox the risk management center of our universe. We’re building dashboards that show risk across the entire enterprise to gain deep insight into our overall risk. It’s only possible because Skybox correlates our relevant business information with our real-world risks.” ABOUT THE SOLUTION The credit union deployed two modules of the Skybox Security Suite—Network Assurance and Vulnerability Control. Using Network Assurance’s comprehensive and automated modeling capabilities, the customer was able to gain complete visibility and command of network access and routes, laying the foundation for strategic security initiatives and maintaining continuous compliance. Adding Vulnerability Control not only gave the customer unique insight to how vulnerabilities could impact their network, but enabled them to work with the network model and simulate multi-step attacks without affecting the network. The robust solution gave them an in-depth understanding of how their security would perform under a real attack and helped them better protect critical assets. RESULTS Using Skybox, the credit union achieved total network visibility across devices and interdependent systems. The organization fully automated vulnerability detection, assessment, prioritization and remediation within the context of the network. With patented attack simulation tools, the company was able to identify access paths and vulnerabilities even for complex, multistep attacks. The credit union also incorporated modeling tools to assess the impact of a proposed change prior to implementation, preventing disruption to the live network. Automated compliance reports transformed the compliance audit process, elevating the discourse from dissecting rules, logs and reports to a strategic discussion on risk management and assessment and infrastructure plans. In the words of the CISO, “Skybox is phenomenal technology.”