BUSINESS: As the development and export bank of the Republic of Croatia, HBOR helps transform entrepreneurial ideas into successful business ventures.
SIZE: 350 employees
BUSINESS CHALLENGE: With a number of different platforms and devices, HBOR previously needed a much larger team to manage IT security risks and to address them in a timely and efficient way.
SOLUTIONS:
- Enterprise TruRisk Platform
- Qualys PC
- Qualys VM
- Qualys WAS
WHY THEY CHOSE Enterprise TruRisk Platform:
- Enables prioritization of patching, accelerating updates and reducing administrative workload.
- Improves security posture, reducing number of security incidents to less than one percent of their previous level.
- Makes it possible for a relatively small security team to apply and enforce different policies across hundreds of servers and workstations.
HBOR Improves Security Posture through Comprehensive Vulnerability Management
To improve the security of its relatively large and diverse network, HBOR adopted a comprehensive approach to scanning for vulnerabilities and prioritizing remediation. With faster and more effective patching, the bank is better protected against a broad range of IT security threats.
Hrvatska Banka za Obnovu i Razvitak (HBOR) is the development and export bank of the Republic of Croatia. Tasked with promoting the development of the Croatian economy, HBOR provides loans, insures export transactions against political and commercial risks, issues guarantees and provides business advice. The bank helps transform entrepreneurial ideas into successful business ventures, enhancing the competitiveness of the country’s economy.
Operating as a state partner in a highly regulated industry, HBOR must protect critical systems and valuable financial information against a broad range of security threats. The organization must also ensure compliance with national and international standards in risk management. With a number of different technology platforms and devices on its internal network, HBOR previously needed a much larger team to manage IT security risks and to address them in a timely and efficient way.
Ivan Kovač, Expert in Information Security at HBOR, explains, “The key challenges for our relatively small information security team are that the number of end-user devices greatly exceeds the number of users, and that we maintain a relatively large number of servers and databases. Without a central view of software vulnerabilities or a structured process for dealing with them, it was a highly demanding task to apply the appropriate patches at the right time. This is where Qualys came in.”
Comprehensive and Flexible Protection
Working with implementation partner Alfatec, HBOR adopted the Enterprise TruRisk Platform—initially deploying a physical appliance and later moving to a virtual appliance in a new, highly virtualized data center. The bank has more than 100 virtual servers; while Microsoft Windows with SQL Server databases is the most common platform, the core banking application runs on Linux with another database management system. HBOR maintains multiple virtual LANs to keep production, development and testing environments separate from each other and from the desktop landscape, the printer network and the Wi-Fi network.
Using Qualys Vulnerability Management (VM), HBOR runs weekly vulnerability scans on around 1,000 network resources, including servers, workstations, printers, routers and switches. The resulting reports are used to plan and prioritize patching, and to confirm that previous patching exercises have worked as expected.
“It’s vital to take a comprehensive approach to vulnerability management,” says Ivan Kovač. “Qualys technology gives us a view of all potential problems on the network, helping us mitigate the risk.”
An early outcome of the new, more structured approach to vulnerability management was the identification of numerous unpatched Java environments on workstations. Based on this insight, HBOR used Microsoft SCCM to uninstall Java on a company-wide basis, maintaining a patched version only on those workstations for which it represents a business requirement.
Detailed Reporting for Focused Remediation
Summarized vulnerability reports are distributed to the board of directors for information systems on a quarterly basis, including scorecards and trend information. “The Qualys tools provide pre-built reports for topics such as ‘obsolete software’ and ‘most vulnerable hosts’, which are very valuable in planning our remediation activities,” says Ivan Kovač. “We can also provide extremely detailed reports for any platform. In the Linux world, there is usually much more flexibility and less standardization than in the Windows world, so it’s extremely helpful to have reports that show multiple different remediation options.”
The HBOR IT security team analyzes the most frequent vulnerabilities in a weekly coordination meeting, checks the most vulnerable servers, and plans remediation accordingly.
“Our overnight and weekend backup jobs shorten the available windows for patching, which made it challenging to do big monthly patch sessions in the past,” says Ivan Kovač. “With the insight we get from our Qualys solution, we can focus on addressing the vulnerabilities that are actually relevant and critical, and there is plenty of time to address those without working overtime! And because we are now patching on at least a weekly basis, our systems are better protected. Malware evolves extremely fast, and Qualys is helping us move towards a continuous protection approach.”
Conforming to Internal and External Policies
HBOR is using Qualys Web Application Scanning (WAS) for its public website to reduce the risk of defacement or hijacking.
In another recent development, HBOR has begun to use Qualys Policy Compliance (PC) to check the configurations of selected resources against internal and global standards. “As our internal security and risk management processes became more mature in accordance with international standards, we recognized that the time was right to start formally benchmarking ourselves,” comments Ivan Kovač. “We are checking against dozens of different policies across all machines, covering more than 1,500 controls in more than 534,000 control instances. This would simply have been impossible to do in the past without employing a large number of additional people.”
He adds, “Currently, we are focusing on Microsoft technology-based policies and have decided that all Microsoft policies must be CIS locked. Each policy tests hundreds of controls on each relevant machine. For example, one custom unlocked policy checks 1,559 controls aligned with Cobit on all machines in our network, providing vital security information for new strategic security decisions. This extensive checking process reveals a very high compliance level for Cobit 4.1 controls, which is also a great help during external audits.”
Visibly Better Security Performance
Today, HBOR enjoys both a significantly improved security posture and the ability to demonstrate it. “Security is about avoiding problems, and the lack of tangible outcomes can make it hard to get the right level of investment in IT security,” says Ivan Kovač. “After all, you can’t produce evidence of things that didn’t happen! The metrics that we get from the Enterprise TruRisk Platform allow us to demonstrate how security is improving through better patching, so that senior managers understand the value. Currently, our number of incidents per year is absolutely within the boundaries of acceptable operational risk.”
The Enterprise TruRisk Platform also helps HBOR to reduce the total number of vulnerabilities in targeted areas, enabling it to identify and focus on the most common and potentially severe vulnerabilities. The company’s small security team would otherwise be swamped with an unmanageable number of remediation tasks each week. Recently, the team implemented a new SIEM system that uses Qualys as one of its key information sources. In this way, the initial investment in Qualys is protected, and the synergistic value of these systems is even higher.
Ivan Kovač concludes, “As one of a number of elements in our multi-layer IT security architecture, the Enterprise TruRisk Platform helps us to efficiently assess the risk of software vulnerabilities, prioritize remediation, and monitor our performance over time.”