INDUSTRY: Financial Services (Wealth Management)
BUSINESS: Midwest Trust is an independent, state-chartered, non-depository trust company with extensive knowledge of current regulatory, legal, and tax implications of trust and estate planning. It provides investment management, trust services, and wealth and retirement planning.
SCOPE: Overland Park, Kansas
SIZE: 250 employees
BUSINESS CHALLENGE: To establish a top-notch vulnerability management program as part of its overall security and compliance strategy.
SOLUTION: Qualys Vulnerability Management (VM)
WHY THEY CHOSE QUALYS:
For Midwest Trust, that means going above and beyond regulatory requirements, security best practices and industry mandates. The firm wants its security and compliance strategy to also yield tangible business benefits and generate confidence among its customers.
“We have a mature, extensive InfoSec program, and we provide real business value, not just what we’re required to for regulatory compliance. We want to demonstrate to our client base that we take information security extremely seriously, so that they have that assurance,” says David Upsdell, Senior Vice President at the Overland Park, Kansas financial services firm.
That philosophy is what drove Midwest Trust to adopt Qualys Vulnerability Management (VM) about 7 years ago. “We wanted to stay ahead of the game and understand our real-time security posture. We want to be a leader in vulnerability management,” he says. “That’s why we chose Qualys.”
Since then, Midwest Trust has been using Qualys VM to perform external vulnerability scanning of Internet-facing IT assets. “It gives us a very comprehensive understanding of what our security posture looks like from the outside,” Upsdell says.
From the beginning, Midwest Trust found the Qualys solution to be extremely easy to configure and to set up, requiring no modification on the scanned servers and devices. Midwest Trust runs a scheduled perimeter scan every week, which it compares with scan results from prior weeks.
Qualys VM scans help Midwest Trust do more than just detect new vulnerabilities. They also help the organization identify security weaknesses inadvertently created by changes made by its own staff for IT infrastructure maintenance or for business process improvements.
As part of its ITIL service management process for change management, Midwest Trust has a change advisory board that approves all significant modifications in its IT environment. The Qualys scan gives Upsdell and his team a “second set of eyes” regarding any unforeseen impact on the security and compliance of scanned IT assets, resulting from the most recent IT changes.
“If we make a configuration change on our Internet interface that results in some kind of opening or vulnerability that could be exploited, Qualys will emphasize or highlight that for us,” he says.
Qualys VM also helps Midwest Trust stay up to date with the constant flood of vulnerability disclosures made by vendors and security researchers, which amount to thousands per year. “As Qualys becomes aware of new exploits and vulnerabilities, we get a weekly refresh from that risk management perspective,” he says.
Upsdell likes that Qualys reports are comprehensive, providing granular details about vulnerabilities and impacted assets, along with proposed remediation information. The Qualys report data is combined with data from third-party security tools, to compile a 360-degree view of Midwest Trust’s security and compliance posture.
Midwest Trust also takes advantage of Qualys VM’s reporting versatility, tailoring reports for different types of recipients. For example, an in-depth weekly report goes to the vulnerability management team, which is mostly made up of InfoSec and IT operations professionals. It’s reviewed and discussed, and remediation priorities are established.
Meanwhile, a monthly executive report is provided to Midwest Trust’s CEO and board members, so that they can see the progress from month to month. Stats are used to update key performance indicators on an InfoSec program dashboard.
Midwest Trust also finds value in Qualys’ cloud architecture, which saves it from the cost and complexity involved in deploying and maintaining on-premises hardware and software. “It’s very convenient not having to manage that vulnerability scanning infrastructure ourselves.”