INDUSTRY: Financial Services
BUSINESS: Co-operative bank for France’s entire civil service.
SCOPE: Metropolitan France, French overseas departments and territories
SIZE: 500+ employees
BUSINESS PROBLEM: CASDEN wanted to better target and mitigate the impact of known vulnerabilities and potential threats to its IT infrastructure and web-facing systems.
SOLUTION:
- Qualys Vulnerability Management
- Qualys Web Application Scanning
WHY THEY CHOSE QUALYS:
- Non-intrusive, cloud-based solution delivers high reliability and availability
- Highly accurate scans strengthen security and minimize effort and cost of chasing false positives
- Excellent local language support ensures any questions or issues are resolved effectively
- Proactive team that supports development projects
CASDEN Takes Targeted Action Against Growing Security Threats
To protect mission-critical IT systems and web applications from ever-evolving security threats, CASDEN Banque Populaire upgraded to highly accurate, efficient vulnerability scanning and remediation.
CASDEN Banque Populaire is the co-operative bank for all public sector employees in France. Founded in 1951 by and for teachers, CASDEN currently provides one million members with a range of savings and lending solutions.
Standing up to growing threats
With millions of people trusting CASDEN with their hard-earned savings, keeping customer information and business systems secure at all times is a must for the organisation.
Benoît Fuzeau, Chief Information Security Officer at CASDEN, elaborates: "As our operations become increasingly digital and we open up to the public more—for example, we now have a presence on social networks—our systems are exposed to more risks and we become a bigger target for security attacks.
"CASDEN had purchased a Qualys solution about five years ago, but it had been pretty much left in the box before I joined. With security risks growing, we recognised that we needed to strengthen our approach to risk management. Our aim was twofold: we wanted to better target and mitigate the impact of known vulnerabilities, as well as neutralise potential threats before they emerged."
Trusting in Qualys cloud solutions
Today, CASDEN uses Qualys Vulnerability Management (VM) and Qualys Web Application Scanning (WAS) solutions—part of the Qualys Cloud Platform—to enable comprehensive visibility and monitoring of its entire IT infrastructure and web-based applications.
"Working with Qualys to get the most out of our existing solutions has been a good experience," says Benoît Fuzeau. "We benefit from the innovation and backing of a large global company, as well as strong local support from a team that understands us and speaks the same language—literally. We particularly appreciate the latter part as, in our experience, it isn’t always easy to find providers that offer good local language support in France."
With Qualys VM, CASDEN scans several hundred Windows and Linux servers, both virtual and physical. This infrastructure underpins key line-of-business systems, including member databases, credit systems and electronic signature records.
CASDEN takes advantage of Qualys WAS to monitor its websites, as well as Software-as-a-Service (SaaS) applications from third-party providers.
Benoît Fuzeau explains: "We use Qualys WAS to scan our main website and a few web-based applications to make sure everything is secure. We ask our SaaS delivery providers to consent to a security scan once a month as part of our contract terms. The solution isn’t intrusive at all and Qualys is a well-known, trusted name when it comes to IT security, so our partners don’t have a problem agreeing to the scans."
CASDEN performs regular scans of its systems once a month, and also runs ad-hoc scans following important security events, such as the recent attacks in France and Belgium.
Benoît Fuzeau comments: "When there is a physical security event, it often sparks an uptick in virtual attacks. To make sure we are fully protected, we launch a targeted scan after any major event to check that our critical systems are up-to-date with the latest patches."
He continues: "There is nothing complicated about setting up and running Qualys solutions; they are very easy to get to grips with. I also really like the pertinence of the reports—Qualys tells us exactly where vulnerabilities exist and gives us targeted instructions on how to resolve them."
Accurate, prioritised results
Following every scan, CASDEN provides comprehensive reports to management, right up to the level of IT director. These reports detail all vulnerabilities detected by the Qualys solutions, organised by the degree of vulnerability and type of machine.
Currently, CASDEN is working to put a security information and event management (SIEM) system in place to analyse security alerts and gain a better understanding of the relevance of each alert on a server-by-server basis.
"We essentially want to have the system itself know which are our most critical servers, so we can prioritise remediation efforts," explains Benoît Fuzeau. "For example, a scan might flag up a level 5 vulnerability on a machine that is not exposed to the web, and a level 3 vulnerability on a machine that is on the web. We should prioritise the latter because, as a web-facing system, its vulnerabilities can be more readily exploited. Having this level of nuance built into the system and our reports will help our security team work much more efficiently and strengthen our overall security profile."
He adds: "At the moment, we are focusing on level 5 and level 4 vulnerabilities as they are the most important to resolve. Once we've identified the most mission-critical servers, we’ll change to special weekly scans for these assets for an added layer of protection."
Building a strong line of defence
With Qualys, CASDEN has a powerful platform for proactively tackling the vulnerabilities that place its infrastructure and applications at risk.
"We still have some ways to go when it comes to vulnerability management, but we are making good progress," notes Benoît Fuzeau. "The first scans we ran with Qualys reported close to several thousand potential vulnerabilities; today, our monthly scans report a thousand times fewer vulnerabilities."
As CASDEN continues to identify and resolve vulnerabilities, highly accurate and targeted scanning enables the organisation to prioritise resolution efforts—saving time and resources while helping CASDEN zero in on its most critical risks.
Benoît Fuzeau remarks: "Security threats are always evolving and staying on top of it all is a constant challenge. Qualys solutions are helping us to focus on the vulnerabilities that are most critical in the context of our infrastructure, so we can work smarter to keep our systems protected."
He concludes: "Qualys solutions have brought new visibility to the vulnerabilities of our infrastructure and web applications—and the more informed we are about potential threats, the more we can do to keep our most critical assets protected. We are definitely better protected with Qualys, and it is highly probable that we have prevented potential attacks thanks to that greater level of awareness and security."