With 70,000 staff in over one hundred countries, Brinks cash delivery trucks are a familiar sight. However, in addition to transporting cash, the company is also specialized in the security of precious goods (jewelry, precious metals), safe deposit boxes, check processing and even flight safety.
Based in the United States, the group’s headquarters has strict security policies for its subsidiaries. Indeed, the French subsidiary faced a monumental challenge; despite being the largest in Europe, it was, of course, bound by the same security requirements as the others, who have fewer servers and a smaller perimeter to supervise.
“We were compared to the other subsidiaries in terms of absolute values in regards to the number of anomalies. In addition, the resolution time required is the same for everyone because it only takes into account the critical level of the vulnerability. Consequently, in principle, subsidiaries that have fewer servers have fewer vulnerabilities and more time to remedy them. Therefore, we were often singled out when our headquarters would launch the regular scans of our infrastructures”, recalls Vincent Lauriat, CIO of Brinks.
In fact, the Group’s standard binds the subsidiaries contractually to comply with resolution times. The decision was therefore taken to procure a tailor-made vulnerability management and compliance solution for the French subsidiary, in order to be prepared for the group’s audits, and thus have more time in which to correct them.
Why Brinks France chose Qualys:
“We already had open source vulnerability analysis tools but few industrialized and formalized procedures. Moreover, they were used by the same team that operates IT production, which were therefore both judge and party. We were therefore looking for a SaaS solution in order to have an external overview of our security posture from an outside party!” explains Lauriat.
When we were looking at the products on the market, we found that the Qualys solution stood out for very pragmatic reasons. “It was a de facto choice since it is already the solution used by our headquarters to assess us.
We therefore felt it was logical to choose the same solution, so as to be on the same scale. Moreover, our SOX (Sarbanes-Oxley) external auditor also reassured us by saying that he recognized Qualys reports as being a reliable source”, the CIO continued. Conducting the changeover and adopting the solution was easy especially because several new recruits at SSI were already familiar with the product.
After a short trial of the evaluation version free of charge, Brinks ordered a batch of external IP addresses and its teams immediately got to work because the clock was ticking! The target was to catch up with the requirements of the group before the next audit. “We very quickly gained hands-on experience and we were immediately operational. I am all the more happy to say this since I have never read any Qualys documentation”, recognizes Stéphane Guyodo, the Head of IT Innovation and Security.
In parallel with the launch of automatic scans, the team met with the business unit leaders to present them with an action plan and inform them of the issues at hand: “We clearly explained to the CIO’s teams and to the business unit teams that we were contractually bound by the Group to remediate any vulnerability of severity levels 3, 4 and 5. This commitment was signed by the Chairman and myself. It must therefore be strictly complied with! ” says Vincent Lauriat.
However, the CIO had another good reason to be demanding on this particular point; he wished to avoid entering into the remedial procedure required by the Group at all costs. “When our headquarter reports a vulnerability, we must follow a very complex procedure. More importantly, if we are not able to remedy the vulnerability within the required deadline, justifications must be provided in an internal compliance software program dedicated to SOX, which not only deals with IT but with all the procedures affected by the SOX law (accounting, wages etc.). We wished to be exemplary and compliant in respect of the requirements of the Group!”
There are currently no more external critical vulnerabilities (levels 5, 4 and 3) and attention is now being paid to defects of levels 1 and 2. Internally, the teams are now analyzing the servers, as a priority, and integrating each new workstation mastered with the automatic analysis plan (and a copy of the master is duly rescanned so as to identify any vulnerabilities present which have been added to the Qualys signatures base).
All vulnerabilities detected are subjected to a subsidiary-specific remedial procedure. “We use the ticket management tool integrated in the Qualys solution Moreover, we appreciate the fact that it is possible to generate a report in PDF format for each ticket, which we then send to the right person for remediation, without having to provide access to the platform online,” states Guyodo. These tickets are then followed up in a specific tool used for the service providers, who must apply them. Another appreciated point; until now, nobody has questioned the relevance of the tickets. “The vulnerabilities detected are always accepted and are not disputed!” notes Guyodo.
“With a highly centralized IT system for some one hundred sites, we were previously in a reactive mode, whereas with Qualys’ asset management, we can be proactive in locating and correcting our workstations.”
CSO at Brinks
Now that things are under control, Lauriat’s team have other projects for the Qualys solution. “We plan to extend its use to SOX compliance, by being able to prove a certain level of configuration for certain machines, or even their mere existence. This is where the historical archiving of the analyses will prove very useful. Also, we will consequently be able to place a tag on each asset in order to determine those subject to SOX. This will enable us to be far more precise in the remediation procedure; e.g. we can gain great flexibility in the planning phase when we need to repair an equipment by rebooting, and we known that the machine in question is not within the SOX scope,” concludes Guyodo.