INDUSTRY: Financial Services
BUSINESS: Headquartered in Bulgaria, iCard provides digital finance and payment services across Europe.
SIZE: 500 employees
BUSINESS CHALLENGE: As a provider of financial services to businesses and consumers, iCard needed to optimise its approach to identifying and remediating digital threats.
WHY THEY CHOSE QUALYS:
Founded in 2007 and headquartered in Sofia, Bulgaria, iCard offers a comprehensive range of e-banking, credit-card and e-money services to consumers across Europe, including e-wallets, virtual payment cards and gift cards with real-time payment processing in multiple currencies. The company also offers physical credit/debit cards, and provides ATM services.
For merchants, iCard is an authorised licensee of Mastercard, Visa and American Express, offering real-time payment processing throughout Europe.
As a Fintech, cyber security is the biggest challenge iCard must overcome in today’s digital landscape. Although the company has never experienced a major issue or breach in its defences, the ever-changing nature of cyber-crime makes it vital to be constantly vigilant.
Todor Kunev, Chief Information Security Officer for iCard says: "As much as 90 to 95% of our business is online; our business continuity depends on security. We look closely at everything from protecting web services to protecting against DDoS and – just like any other company with a big infrastructure – we need to prioritise our patch management so that we can focus on addressing the most urgent and serious vulnerabilities."
iCard set out to find a better method of identifying software vulnerabilities on its network.
"We decided to implement a more advanced vulnerability management system," recalls Todor Kunev. “We had used some free tools before, but they weren't very effective: we needed a more holistic solution. We researched the six tools that we identified as the market leaders to see which would be the best fit for our needs."
Based on the features, pricing and ease of installation, Enterprise TruRisk Platform was the outstanding candidate.
After the iCard team surveyed the options, implementing Qualys VM within the Enterprise TruRisk Platform was the unanimous choice. Todor Kunev explains: "Based on the features, pricing and ease of installation, Enterprise TruRisk Platform was the outstanding candidate.
"Qualys VM gives us 360-degree visibility of potential vulnerabilities, enabling us to check workstations, connections to servers and web services in a single interface. As a fast-developing company, we are always looking for ways of streamlining our processes. We have just begun adopting DevOps, and we want to implement security acceptance earlier on in the process. Now we're familiar with Qualys VM, we want to start expanding our usage in this way."
The ability to deploy Qualys Cloud Agents was another key factor in iCard’s choice. Designed for environments where it is not possible or not practical to run conventional network scans – for example, machines with dynamic IPs, remote and roaming users – Cloud Agents can be installed on any host to gather data from the entire infrastructure and consolidate it for viewing in the Enterprise TruRisk Platform.
"Using Cloud Agents allows us to automate our scans at regular intervals, saving valuable time that we would otherwise spend scheduling network-wide checks," says Todor Kunev. “This way, we can get 100% correct information on the status of our network almost in real-time. The fact the agents are lightweight and run smoothly is an added bonus."
iCard also looked at other solutions within the Enterprise TruRisk Platform portfolio, Todor Kunev notes: "We've seen good results from testing both Qualys Policy Compliance and Qualys Web Application Scanning – it's possible that we will look to deploy them in the future as a part of standardisation efforts."
Starting with around 50 company laptops, iCard is steadily rolling out Qualys agents to all 500 of its workstations.
"We chose to begin with the laptops because they travel with employees and connect to public Wi-Fi, so they represent the bigger risk," says Todor Kunev. "The Qualys software was easy to implement, so we handled most of the deployment ourselves."
He adds, "We send board members weekly updates on workstation vulnerability status, and we provide separate reports for patch management to the technical managers for each service. The reports from Qualys VM include detailed information on the remediation process, which is very helpful."
iCard is already seeing clear benefits for its security posture from adopting Qualys VM, and is saving hours compared to previous approaches to vulnerability management.
Todor Kunev explains: "Qualys VM is already helping us to prioritise our vulnerabilities. For PCI-DSS, we needed to stop supporting TLS 1.0 in our environment; we knew this would be a big challenge. With numerous migrations to be done and servers to patch, we are constantly running scans to ensure that the updates have completed successfully. Without Qualys, this would have been enormously difficult."
He continues, "We tried using a free solution to scan our PCI infrastructure last year, but initially it wouldn't work at all. After IT had fixed the tool, we discovered that the vulnerability definitions hadn’t updated, so we had to manually address that too. It wasn’t until day two that we could actually begin scanning, and even then, the tool kept crashing.
"By contrast, our last scan with Qualys VM took one hour and 40 minutes, without any of the aggravation of our previous methods."
Currently, iCard uses Qualys VM to scan 500 IP addresses, including its ATM network, using the built-in threat classification and prioritisation guidance from Qualys.
"One of the main benefits of the solution is that we no longer need to worry about vulnerability management; we just make sure the Qualys agents are in place, so there’s very little administration," says Todor Kunev. “The management interface in the cloud is very straightforward and easy-to-use, and we have high confidence in the ability of the Qualys software to identify vulnerabilities."
With Qualys VM providing clear reports of vulnerabilities, prioritised according to seriousness and exploitability, iCard can direct its IT resources to fix the most urgent and important issues first. This boosts internal efficiency while improving the company’s security posture.
Todor Kunev comments: "The added visibility makes it much faster and simpler to address potential vulnerabilities on our network. We also use the solution to discover new assets on our network – we are a very dynamic company with an active internal development community, so there are always new servers being stood up with new vulnerabilities to address. What's really gratifying to see is that people across IT are embracing the Qualys tools and seeing how helpful they can be in enhancing security across our network."