INDUSTRY: Financial Services
BUSINESS: MSCI is a leading provider of investment decision support tools to over 6,000 clients worldwide, ranging from large pension plans to boutique hedge funds.
SCOPE: International, operating across 23 countries
BUSINESS CHALLENGE: Clients need to know that MSCI’s web applications and back-end systems are completely secure – but with thousands of servers to manage, how can the company ensure that every machine is fully patched?
- Enterprise TruRisk Platform
- Qualys Web Application Scanning
WHY THEY CHOSE QUALYS ENTERPRISE:
- Rapid response to ever-evolving security threats – for example, MSCI was able to address Heartbleed within 24 hours
- Intuitive analytics tools make it easy to communicate security status to senior management and customers
- Industry-leading solution helps MSCI meet customers’ audit requirements and bolster its reputation for IT security
MSCI Stays a Step Ahead in the IT Security Arms Race
Protecting thousands of servers with automated scanning and vulnerability analytics
Financial services companies are highly aware that ever-evolving IT security threats pose a significant operational risk to their business. As operational risk management increasingly becomes a focus area for both the financial services industry and its regulators, the visibility of IT security has never been higher.
In particular, companies that act as partners or suppliers to the financial services industry need to take IT security very seriously. Failure to pass a customer’s security audit could spell disaster for the relationship, and for the company’s reputation within the industry.
Balazs Szeplaki, VP, Global Information Security Engineering & Operations at MSCI Inc., comments, “We work in the financial services industry, but primarily we’re a technology company. Our financial service sector clients need to be confident that our applications will keep their data secure.
“For that reason, we take security extremely seriously – we have more than 30 people in our security team. According to industry analysts, something like 80 percent of vulnerabilities are caused by not keeping patches up to date, so patch management is a major focus for this team.”
Protecting a Large and Complex Infrastructure
MSCI needs to ensure that its entire IT infrastructure is protected – from the customer-facing web servers through its DMZ to its database servers, internal servers, Citrix desktop servers, and network devices. In total, it has more than 8,000 virtual servers to monitor, each of which may have multiple IP addresses. To maintain a 45-day patching window across this complex infrastructure, the company relies on the Enterprise TruRisk Platform, an integrated suite of solutions that deliver critical security intelligence on demand and automate the full spectrum of auditing, compliance and protection for IT systems and web applications.
“The rapid growth of our infrastructure has meant that we simply couldn’t do without a patch management and monitoring tool,” explains Szeplaki. “In particular, the need to start managing network devices as well as servers has greatly increased the complexity.
“The ability that Qualys gives us to discover and tag every asset in our infrastructure, and organise them into a hierarchy by business unit, is critical – because it allows us to see where the vulnerabilities are and how critical they are.”
Sophisticated Analysis and Reporting
In particular, Qualys Vulnerability Management provides analysis and reporting tools that make it easy for MSCI’s teams to assess how different parts of the business are performing on patch management, and to create scorecards that highlight current patch levels and how long individual patches have been outstanding. This helps the company maintain a 45-day patch window for high-risk vulnerabilities.
The analysis capabilities also help the team communicate up to senior management and to customers about the current IT security status – keeping visibility at a high level within the company, and reassuring customers that MSCI’s reputation for excellent security is well deserved.
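The patch-age scorecard described above, as an added illustration that is not MSCI’s or Qualys’s own code: it takes a constructed scan export (hosts already tagged by business unit), keeps only high-risk findings, and reports per business unit how many are open, how many have exceeded the 45-day window, and the oldest outstanding age. The severity threshold and the sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import date

PATCH_WINDOW_DAYS = 45    # the 45-day patch window the case study describes
HIGH_RISK_SEVERITY = 4    # assumption: severities 4 and 5 count as high risk
AS_OF = date(2024, 3, 1)  # reporting date for the constructed sample below

@dataclass
class Finding:
    host: str
    business_unit: str    # taken from the asset tag / business-unit hierarchy
    qid: str              # vulnerability identifier (constructed, not real QIDs)
    severity: int         # 1 (low) .. 5 (urgent)
    first_detected: date  # when the scanner first reported the finding

# Constructed sample export; not real MSCI data.
FINDINGS = [
    Finding("web-01", "Client Portal",   "QID-1001", 5, date(2024, 1, 10)),
    Finding("web-02", "Client Portal",   "QID-1001", 5, date(2024, 2, 20)),
    Finding("db-07",  "Index Data",      "QID-2002", 4, date(2023, 12, 1)),
    Finding("ctx-03", "Citrix Desktops", "QID-3003", 3, date(2023, 11, 15)),
    Finding("sw-12",  "Network",         "QID-4004", 4, date(2024, 2, 28)),
]

def days_outstanding(finding, as_of):
    """Days the finding has been open as of the reporting date."""
    return (as_of - finding.first_detected).days

def scorecard(findings, as_of):
    """Per business unit: open high-risk findings, how many exceed the window, oldest age."""
    card = {}
    for f in findings:
        if f.severity < HIGH_RISK_SEVERITY:
            continue  # low/medium findings are outside the 45-day commitment
        age = days_outstanding(f, as_of)
        row = card.setdefault(f.business_unit, {"high_risk": 0, "overdue": 0, "max_age": 0})
        row["high_risk"] += 1
        if age > PATCH_WINDOW_DAYS:
            row["overdue"] += 1
        row["max_age"] = max(row["max_age"], age)
    return card

def overdue(findings, as_of):
    """High-risk findings past the window, oldest first: (host, qid, days open)."""
    late = [(f.host, f.qid, days_outstanding(f, as_of)) for f in findings
            if f.severity >= HIGH_RISK_SEVERITY
            and days_outstanding(f, as_of) > PATCH_WINDOW_DAYS]
    return sorted(late, key=lambda t: t[2], reverse=True)

if __name__ == "__main__":
    for unit, row in scorecard(FINDINGS, AS_OF).items():
        print(f"{unit:16} high-risk={row['high_risk']} overdue={row['overdue']} oldest={row['max_age']}d")
```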
Rapid Response to Emerging Threats
“Take Heartbleed, for example,” says Szeplaki. “The moment they saw the announcement, the team did a complete scan of the infrastructure. Our customers were on the phone almost immediately, asking whether we were exposed. Within 24 hours we were able to provide a definitive answer to our executive board: none of our systems were vulnerable.
“Part of the advantage of working with Qualys is the speed with which they implement common vulnerabilities and exposures (CVEs) into their scanning systems. Again, in Heartbleed’s case, they put a preliminary CVE in place almost instantly, and then refined it when their SSL experts had fully analysed the problem. This agility really distinguishes Qualys from other vendors.”
Protecting a Reputation for Excellence
Another important aspect of the relationship for MSCI is the credibility of Qualys solutions within the financial services industry. MSCI is regularly audited by its clients, and using a well-known and respected IT security toolset makes these audits easier for both parties.
“When we tell our customers that we use Qualys, everyone is happy,” says Szeplaki. “Working with a recognised industry leader means we don’t have to answer 30 extra questions during an audit. If we say Qualys, they know they can move to the next question.”
Extending Security into the Future
Walters and his team are keen to extend their patch management toolset with additional capabilities from the Enterprise TruRisk Platform.
“We’re just starting to work on a ranking system for vulnerabilities, which should help us prioritise patching more effectively,” he explains. “For example, a given vulnerability might be serious, but only affect a relatively unimportant or well-protected system. Fixing that vulnerability may be a lower priority than a less serious vulnerability that affects more important or exposed systems.
“We are also looking at ways to automatically distil the highly detailed reports that Qualys provides into summaries that really bring the key points home to the business. At the moment we can automate some of these tasks in Excel, but the Qualys tools keep getting better, and we foresee being able to do everything within one system in the future.”
He concludes: “Information security is always an arms race. The threats are evolving all the time, and you need the right tools to stay one step ahead. Our partnership with Qualys means we can be confident that our scans will pick up the latest vulnerabilities, helping us remediate problems faster and ensure that we and our clients are always protected.”