INDUSTRY: Financial Services
BUSINESS: Banking and financial services
SCOPE: OTP Group operates in eight countries including Bulgaria, Croatia, Romania, Serbia, Slovakia, Ukraine, Montenegro, and Russia
BUSINESS CHALLENGE: OTP Bank Ukraine relied on various open source vulnerability management applications, and having to correlate assessment results manually didn't provide the efficiency or accuracy the bank required.
- Qualys VM
WHY THEY CHOSE QUALYS:
- Streamlined vulnerability management workflow.
- Qualys’ network infrastructure scans are highly accurate and reliable.
- Comprehensive reports provide the insight needed to mitigate the most pressing risks first.
OTP Bank Ukraine Automates Vulnerability Risk Management
This bank's switch to Qualys Vulnerability Management helped the organization streamline many aspects of its vulnerability management program and effectively reduce IT risk.
It's been a stellar 15 years for the OTP Bank Group. In 1995, OTP Bank Group started its journey to Ukraine with the conversion of OTP Bank Plc. (Hungary) from a national state-owned bank to private ownership through a series of successful initial public offerings. Once successfully privatized, OTP Bank began its quest for growth. That pursuit led to an international acquisition expansion into Central and Eastern Europe and rapid growth. The result: today, OTP Bank Plc. is the biggest commercial bank in Hungary and OTP Group operates in eight countries including Bulgaria, Croatia, Romania, Serbia, Slovakia, Ukraine, Montenegro, and Russia, meeting the needs of roughly 11.9 million customers with nearly 1,500 branches, agent networks, and its state-of-the-art electronic channels.
Consider the IT infrastructure of one of its banks: OTP Bank Ukraine. Supporting its banking business is a sizable heterogeneous network with more than 5,000 endpoints, and keeping that infrastructure secure is no small undertaking. As the bank grew, so did the demands on its vulnerability management program. Having in place a comprehensive way to find and fix system misconfigurations and outdated software is not only crucial to keeping systems secure, but also fundamental to dealing with most industry and government regulations. "We have used various vulnerability scanning tools over the years," explains Andrii Maiba, Head of Information Security Department. "But it required a significant amount of labor to maintain regular network vulnerability scanning processes."
In addition to being time-consuming, relying on various vulnerability management applications and correlating those results manually made it challenging to conduct analysis and trust the corresponding results. "Our company sought not only to standardize on a vulnerability scanner, but to put into place the processes that would enable us to build out the full vulnerability management life cycle," he says. To maximize staff resources, a vulnerability management solution should be able to automatically discover all networked devices, identify vulnerabilities, and provide mitigation information and guidance based on business value.
Selecting the Right Vulnerability Assessment Solution
Following a thorough evaluation, the IT team at OTP Bank Ukraine selected Qualys Vulnerability Management (VM) because of its well-designed vulnerability management workflow, accuracy, and the quality of support made available by a local integrator. Now, Qualys VM assesses not only OTP Bank's production network, but also all of its Web-facing systems. As part of the Qualys IT Security and Compliance Suite, Qualys VM automates the vulnerability management life cycle for organizations of all sizes. Through its Software-as-a-Service (SaaS) delivery model, Qualys provides OTP Bank with detailed network discovery and mapping, asset prioritization, vulnerability assessment reporting, and remediation tracking according to business risk. Powered by the most comprehensive vulnerability knowledge base in the industry, Qualys VM spots and helps to remedy the software flaws and system misconfigurations that make many exploits and attacks successful. Also, as an on-demand solution, there is no additional infrastructure to deploy or manage at any of these locations. "We sought a way to streamline many functions of our vulnerability management efforts, and that's what Qualys VM has helped us to achieve," says Maiba.
Results: Greater Risk Reduction While Utilizing Fewer Resources
Initially, OTP Bank Ukraine used Qualys VM to assess its Web perimeter as the IT team added more critical systems. "We then automated the assessments of our critical systems, and soon included database servers for vulnerability and compliance assessments," says Andrii.
In addition to meeting internal security objectives more effectively, the vulnerability management initiative also was driven partially by the need to comply with the Payment Card Industry Data Security Standard, or PCI DSS. PCI DSS aims to help any organization protect customer credit card information so it doesn't end up in the wrong hands. PCI DSS requires that standard security practices be put into place, including the use of firewalls, anti-virus programs, encryption of cardholder data in transit and at rest, and vulnerability scans to keep systems secure. "During the Preliminary PCI DSS Audit, Qualys has allowed us to comply with all requirements of the Standard related to organization of vulnerability management. As an Approved Scanning Vendor (ASV), Qualys has helped us to ensure the regular ASV-scanning of our Card Infrastructure," says Mr. Maiba.
"Since implementing Qualys VM, we have successfully built a full vulnerability management program that has enabled us to assess a broader range of systems and platforms, and through automation, decreased the amount of labor dedicated to vulnerability management," says Maiba. "And we can more quickly assure remediation of vulnerabilities according to our security policy baseline."
The outcome: Andrii Maiba and his team now are able to reduce risk while utilizing fewer resources. "The amount of work we are able to do now and the amount of risk we can reduce are not even remotely comparable with the past; we can manage many more systems and do so much more efficiently with Qualys VM," he says.
With Qualys VM, OTP Bank Ukraine was able to meet its goal to reduce risk successfully and more effectively manage vulnerabilities and maintain compliance with PCI DSS – and Maiba isn't stopping there. "We plan to use Qualys VM to streamline our compliance operations, harden our security policies and bring the configuration status of all of our internal systems to an even higher security level," he says.