Aflac Incorporated accelerates vulnerability management processes to boost audit efficiency and strengthen security

Real-time threat intelligence helps insurer save weeks of reporting work and remediate zero-days within hours.

www.aflac.com

INDUSTRY: Insurance

BUSINESS: Headquartered in Columbus, Georgia, Aflac provides financial protection to more than 50 million people worldwide through its supplemental insurance policies

SCOPE: International

SIZE: 11,700 employees

BUSINESS CHALLENGE: Each week, Aflac must scan more than 50,000 assets across its global business for vulnerabilities and when requested, demonstrate to regulators that remediation work has been completed correctly. How could the organization reduce the time required to gather this data during audits?

SOLUTION: Qualys VMDR® with integrated apps for asset identification and management, vulnerability management, PCI compliance, threat detection and prioritization and response.

Protecting policyholders

For more than 65 years, Aflac has provided vital financial protection to millions of people worldwide through its supplemental insurance policies. The company strives to pay cash benefits promptly and directly to the insured — empowering policyholders to focus on recovery, not financial stress.

As a Fortune 500 company operating in a highly regulated industry, Aflac must maintain a strong security posture backed by robust systems and processes for data governance and compliance.

Brian Penn, security posture manager, Aflac Incorporated, explains: “To meet security requirements set by the U.S. Department of Insurance (DOI), we must scan all our IT assets for vulnerabilities on a weekly basis — and we also perform similar types of vulnerability management activities to meet the requirements of PCI DSS and SOC 2 audits. Failing a DOI audit would expose the business to significant risk, so it’s essential that we have the proper controls in place.”

Demonstrating compliance

Aflac manages a wide range of IT endpoints, including 25,000 assets across the U.S. and another 25,000 assets in Japan. Both the U.S. and Japan businesses must show the status of active vulnerabilities to auditors and demonstrate that past remediation work has been carried out correctly.

Why Aflac chose Qualys:

  • Scans 50,000 assets for vulnerabilities each week, meeting regulatory requirements.
  • Cuts key reporting tasks from weeks to minutes, saving time during audits.
  • Reveals hidden vulnerabilities, helping Aflac take action to strengthen its security posture.
  • Delivers fine-grained data to monitor remediation work, helping Aflac cut vulnerabilities by over 55% in just six months.

“In the past, pulling together the necessary documentation during audits was a complicated, labor-intensive and time-consuming process,” continues Penn. “Because our previous vulnerability management tool didn’t maintain a full record of completed remediation work, we had to go back and manually collate the necessary information into spreadsheets.”

Penn adds: “Our previous tool also limited the number of tags we could assign to each endpoint, which made it difficult to drill down and explore data on vulnerabilities for specific groups of assets. To mitigate these challenges, we decided to look for a new approach.”

Selecting a new solution

After reviewing the leading vulnerability management solutions on the market, Aflac selected Qualys VMDR® with integrated apps for asset identification and management, vulnerability management, PCI compliance, threat detection and prioritization and response.

“Qualys VMDR delivered all the core functionalities Aflac was looking for — including Japanese language support and a strong local presence in Japan, which few other vendors could offer,” recalls Penn. “As well as providing a full audit trail for the entire vulnerability management lifecycle, VMDR allows us to apply a practically unlimited number of tags to our assets. Using tags, we can create fine-grained Qualys dashboards that highlight vulnerabilities across specific groups of assets, such as production servers or employee workstations.”

Identifying hidden threats

With support from Qualys, Aflac configured VMDR for weekly scans of its 50,000 IT assets in the U.S. and Japan, and it deployed 4,500 Qualys Cloud Agents to facilitate scanning for laptops and cloud environments.

“Our initial Qualys VMDR scans revealed that there were significantly more vulnerabilities across our estate than our previous tool was able to detect — for example, hidden in Java environments running on Linux,” comments Penn. “We went from around 42,000 critical and high-severity vulnerabilities on our radar to more than 185,000 vulnerabilities almost overnight. You can’t fix issues if you don’t know they’re there, so we were very pleased that VMDR increased our visibility of security threats.”

Taking targeted action

Equipped with deeper insights into vulnerabilities across its IT environment, Aflac is strengthening its security posture while reducing the complexity of industry audits.

“Within just six months of getting started with VMDR, we cut our critical and high-severity vulnerabilities down from 185,000 to 80,000 vulnerabilities — a reduction of over 55%,” says Penn. “Crucially, the Enterprise TruRisk Platform allows us to dramatically accelerate data-gathering for SOC 2 and DOI audits. We’ve cut the amount of work involved in a wide range of reporting tasks — from creating dashboards for our subsidiaries to preparing data for auditors — from weeks to minutes.”

Responding fast to zero-days

With Qualys VMDR, Aflac has also enhanced its responsiveness to time-sensitive incidents such as zero-days. When a new Microsoft Exchange vulnerability came to light during its evaluation of VMDR, the company identified its exposure and shut down the threat immediately.

“When news of ProxyLogon broke, we were running VMDR and our previous toolset as part of the solution evaluation process,” explains Penn. “While VMDR revealed the ProxyLogon vulnerability on our Microsoft Exchange servers right away, our old toolset took three days to display the same information. Based on the insights from VMDR, our support team remediated the vulnerability within 24 hours. Crucially, we could show proof to our Exchange team and the board that we were no longer at risk.”

Offering timely insights to all stakeholders

Aflac is now empowering teams across the business with access to the data they need to maintain a rock-solid information security posture. Penn confirms: “Each week, I export a Qualys dashboard for our PCI team within a couple of clicks — it couldn’t be simpler. For other groups, we offer direct access to the Enterprise TruRisk Platform. These teams can access real-time data, and even trigger their own scans to verify that remediation work has been carried out successfully.”

Penn adds: “We use Splunk as a central repository for software asset management and threat modeling data. By pushing real-time vulnerability management data from VMDR into Splunk, we can allow groups like our threat management team to gain immediate access to the insights they need.”

Preparing for the future

To further enhance its approach to security and regulatory compliance, Aflac plans to build on its successes with Qualys VMDR. The company is currently exploring the use of Qualys Container Scanning to support its ongoing move to the cloud and plans to redesign its security controls to adopt the Qualys Severity Score, further enriching its vulnerability management data.

“You can't fix issues if you don't know they're there, so we were very pleased that VMDR increased our visibility of security threats.”
Brian Penn
Brian Penn

security posture manager, Aflac Incorporated

“Without question, the free training we received from Qualys played a vital role in helping Aflac get to the strong position we’re in today,” concludes Penn. “We continue to meet with Qualys weekly, and they’re always ready to answer our questions or help us solve issues. Qualys VMDR makes it so easy to get the data we need to protect our business, and I frequently recommend the solution to other security specialists.”