BUSINESS: Montenegro’s leading bank, providing a comprehensive range of retail and commercial services for more than 300,000 private customers and businesses across the country.
BUSINESS CHALLENGE: CKB wanted to ensure that its heterogeneous IT landscape was protected at all times by enhancing its vulnerability management processes.
The bank deployed Qualys Vulnerability Management, enabling intelligent, automated scanning for key internal- and external-facing systems.
WHY THEY CHOSE QUALYS:
- Enhances operational security by delivering deep insights into vulnerabilities and the progress of remediation work via an automated ticketing engine and verification reports
- Enables comprehensive, highly accurate scans without impacting the performance and availability of key systems
- Improves visibility of organization-wide risk exposure with intuitive out-of-the-box dashboards and reporting for both technical and management personnel
Crnogorska Komercijalna Banka Enhances Operational Security for Commercial and Retail Banking
Identifying and remediating vulnerabilities with a robust, efficient and highly automated risk-management framework
Formed in 1997 and headquartered in Podgorica, Montenegro, Crnogorska Komercijalna Banka (CKB) is one of the country’s leading financial services providers. With almost 500 employees, CKB now serves more than 300,000 private customers and businesses in the Montenegrin market.
In 2007, CKB became a subsidiary of OTP Bank Group, which operates in nine countries including Bulgaria, Croatia, Romania, Serbia, Slovakia, Ukraine, and Russia, with a total customer base of more than 12 million people.
“Qualys helps CKB to strengthen its security posture using a comprehensive knowledge-base of vulnerabilities and their dependencies, automatically mapped to company assets with a high degree of accuracy.”
Head of Information Security Department, Crnogorska Komercijalna Banka
Ensuring High Security for All Systems
Security is a top priority for CKB, as Saša Šćekić, Head of Information Security Department at Crnogorska Komercijalna Banka, explains: “We are the largest bank in Montenegro, and as the business has grown, the number of internal and external systems in our IT environment has grown also.
“One of the main objectives is to protect our core banking systems and sensitive client data. This is a complex task because the proliferation of heterogeneous, best-of-breed systems within our IT landscape means that the size of the attack surface increases continuously.”
Identifying Security Challenges
To protect its clients’ data and safeguard against the reputational risk of a breach, CKB wanted to ensure that it could always deliver tight security across its IT environment.
“Like in any financial services organization, our security perimeters are both complex and dynamic,” says Saša Šćekić. “We make changes to the network environment frequently, which, combined with the distributed nature of our systems, can increase the risk of unintentional security holes.
“System scans are one of the most effective methods to identify technical security risks. Previously, we used a variety of open-source tools to control our vulnerability management processes, and this approach presented challenges.
“Using multiple scanning tools increased the amount of time we had to spend training our personnel. It also meant that we had to spend a significant amount of time each month maintaining the toolset by applying the latest patches, which was a distraction from higher-value activities.”
Replacing Multiple Tools With a Single Solution
To enhance its operational security, CKB deployed Qualys Vulnerability Management – an enterprise-class, cloud-based solution – to map all assets and identify potential vulnerabilities.
“What impressed us most was the extensive knowledge-base at the heart of the Qualys solution,” says Saša Šćekić. “Qualys Vulnerability Management enables us to tap into a wealth of domain expertise in the enterprise security space, without the need for a costly and complex on-premises software deployment.”
Selecting a Trusted Partner
Working together with Qualys business partner Khaoticen, CKB configured Qualys Vulnerability Management to support its IT operational security requirements.
“Our experience with Khaoticen was extremely positive,” says Saša Šćekić. “It was clear that the Khaoticen team were experts in security solutions, and reacted rapidly whenever we required assistance. The streamlined approach to solution configuration and the highly intuitive Qualys Vulnerability Management interface enabled us to start getting value from the solution almost immediately.”
Ensuring Regulatory Compliance
Today, CKB uses the Qualys solution to generate Common Vulnerability Scoring System (CVSS) metrics for each of its systems. These scores help the company to assess vulnerability and prioritize the relevant remediation activities.
Saša Šćekić comments: “The solution enables us to perform comprehensive scans without impacting the performance and availability of key systems. We can fine-tune our vulnerability scans to minimize the number of false positives, and overall, we are seeing accurate results.”
Protecting Every Endpoint
Equipped with its cloud-based vulnerability management solution, CKB can meet its security objectives more efficiently than ever before.
“Whether a business has 500 endpoints or five million, the underlying security processes should always be based on the same principles and standards,” says Saša Šćekić. “The Qualys solution enables us to automate key aspects of the vulnerability management process, which frees us to focus attention on other areas.”
Delivering Advanced Reports at the Touch of a Button
Because CKB has now consolidated multiple tools and technologies into a single solution, it has reduced the amount of manual work required to produce its reports.
Saša Šćekić says: “Reporting is an important part of our overall risk-management strategy, and Qualys Vulnerability Management is helping us to dig deeper into our data and disseminate security insights more effectively.
“Today, we can generate external PCI-DSS reports at the touch of a button, as well as internal-facing reports that meet the individual requirements of our technical and managerial business users.
“For example, whenever Qualys Vulnerability Management identifies a remediation requirement and opens a remediation ticket, we can generate a report for the owner of the system, and track the progress of the job from end-to-end. Whenever we want to remediate a system, we need to confirm the change with the system owner, and reporting within the Qualys solution makes this much easier to achieve.”
Saša Šćekić concludes: “Qualys Vulnerability Management has become an integral part of the bank’s overall security landscape, and it has certainly improved CKB’s security posture.”