Banking on Trust

When this large community bank needed a way to move from ad hoc manual scans to a continuous vulnerability and risk management program, it turned to Qualys.

For more than 80 years, First Federal Bank of California, now OneWest Bank, has held a singular focus: meeting the banking needs of its community. This full service bank offers an entire spectrum of financial products and services, often only expected from larger financial institutions, as well as an unparalleled level of service. The greater Los Angeles metropolitan area has noticed and rewarded First Federal by helping it grow to the fourth largest Los Angeles-based financial institution, with thirty-nine branches and assets exceeding $6 billion as of June 30, 2009.

“The way Qualys is designed, everything — all the reports, all the scanning, all the results — is very easy to access from anywhere. All of this together: the automation, the detailed reports, and centralized management, translates into improved security. And that’s exactly what we wanted to achieve.”

Thomas Tse,
Network Security Officer,
First Federal Bank of California

Thomas Tse

Much has changed in the banking world since First Fed's founding in 1929. One constant, however, in those eight decades, is the fact that trust is the foundation of financial services. And, today, with most transactions and many customer interactions occurring electronically, that means a rock-solid IT infrastructure. It means that business-technology systems must be highly available and secure.

To ensure that its systems are both secure from breaches and always available to its customers, the bank's IT and security team relies on Qualys. Qualys is delivered as an on-demand Web service, and its vulnerability and security check database is updated continuously — without ever requiring software or manual updates to be conducted by its users.

Simplifying the Vulnerability Management Lifecycle

“Qualys is accurate and easy-to-use,” says Brian Rodeck, vice president, technical services manager at First Fed. “We wanted to have as current and as accurate a view of the status of our systems as possible, and that requires automated assessments and an up-to-date database,” Rodeck says.

Today, Qualys provides First Fed a powerful and reliable way to protect and secure its systems throughout the entire vulnerability management life cycle, including asset discovery, asset grouping, vulnerability assessment and analysis necessary for effective vulnerablity management. Also, because of Qualys’ on-demand architecture, there are no additional operational or administrative burdens for First Fed to contend with — once deployed, all system maintenance, vulnerability signature updates, and software enhancements are provided directly from Qualys’ Secure Operations Center. This means that Rodeck and his team don’t have to waste time updating and managing on-premise software.

“The fact that Qualys performs all of the maintenance of the appliance is a huge benefit to us,” says Thomas Tse, network security officer at First Fed. “Because Qualys handles all of the security updates and related support, we don't have to worry about anything. We just use it,” Tse says.

Customizable Reporting, Actionable Vulnerability Information

Beyond automation, Qualys also has solved the second challenge First Fed faced: extracting meaningful information from assessment reports. Through Qualys’ powerful and flexible reporting options, First Fed is able to create intuitive and easy-to-read reports for both executives and technical managers. “Qualys’ reports help us to focus on the areas we need to. For instance, we can generate reports that give business managers the information they need to know, or we can create reports that will help us to focus on any critical, pressing vulnerabilities. It helps us know what matters right now,” Tse says.

Also saving a considerable amount of time is the detailed description Qualys provides for each vulnerability it finds. This includes the security threat consequences if the vulnerability is exploited, and the recommended solution to fix the vulnerability, including links to the appropriate patches. “When Qualys finds a vulnerability, it doesn’t just kick out an alert that states 'you have this vulnerability' -- it details how that vulnerability can be secured,” he says.

Because Qualys is securely accessible from any Web browser, Rodeck and Tse can manage risk from anywhere. “The way Qualys is designed, everything — all the reports, all the scanning, all the results — is very easy to access from anywhere,” Tse adds. “All of this together: the automation, the detailed reports, and centralized management, translates into improved security. And that’s exactly what we wanted to achieve,” he says.