Societe Generale Bank Montenegro Enhances Internal Network Security and Shrinks Regulatory Risk

Information security compliance is a priority for Societe Generale Bank Montenegro. With automated internal vulnerability scans, the bank has gained the fine-grained insights it needs to identify and resolve cyber threats in a timely manner.

www.societegenerale.me

INDUSTRY: Banking

BUSINESS: Societe Generale Bank Montenegro is a leading provider of retail and corporate banking services.

SCOPE: National

SIZE: 290 employees

BUSINESS CHALLENGE: To help ensure compliance with stringent regulatory requirements, Societe Generale Bank Montenegro wanted to find a way to rapidly identify and eliminate vulnerabilities in its internal network.

SOLUTION:

  • Qualys Vulnerability Management
  • Qualys Policy Compliance

Founded in 1906 as Podgorička banka (Bank of Podgorica), Societe Generale Bank Montenegro is today part of one of Europe’s largest financial groups. Offering a range of retail and corporate banking services, Societe Generale Bank Montenegro operates a network of 20 branches and employs approximately 290 people.

Reducing Risk in the Age of Digital Banking

In heavily regulated industries such as banking and financial services, a strong information security posture is essential to mitigate the reputational and financial risks of data breaches. While internet-facing devices often attract the most attention from information security teams, it is equally important to protect assets inside the firewall.

A member of the Societe Generale Group, Societe Generale Bank Montenegro aims to ensure that internal as well as external endpoints are hardened against constantly evolving cyber threats.

Boris Janicic, Head of IT at Societe Generale Bank Montenegro, explains: “In recent years, the growth of digital banking has driven a significant increase in the frequency and stringency of new regulations around information security. To reduce our exposure to these regulatory risks, it’s extremely important that we patch all of our systems against vulnerabilities in a timely manner.”

In addition to the internet-facing servers that support its digital banking services, Societe Generale Bank Montenegro manages an estate of around 550 IP-connected endpoints in its internal network. This estate includes workstations and networking devices, as well as servers that power the organization’s core banking systems.

“In the past, we relied on open source tools to perform internal vulnerability scans,” continues Boris Janicic. “We have a lean IT team—and because our previous approach relied heavily on time-consuming manual processes, we were only able to perform one full internal scan per quarter, which was the minimum requirement set by our regulator. Furthermore, our previous approach only enabled us to scan a small subset of IP-connected devices in our internal network, which limited our ability to detect and remediate potential threats.”

Why Societe Generale Bank Montenegro Chose Qualys:

  • Automates the internal vulnerability scanning process, enabling Societe Generale Bank Montenegro’s lean IT team to focus on remediation work.
  • Enables ad hoc scanning, helping the bank to meet its objective for remediating severe vulnerabilities within a defined period of time.
  • Generates fine-grained reports instantly, reducing the cost and complexity of compliance audits.

Deploying an Automated Scanning Platform

For more than 10 years, businesses across the Societe Generale Group have relied on Qualys Cloud Platform to run external scans of IP-connected devices. In accordance with guidelines set by the Group, Societe Generale Bank Montenegro decided to roll out Qualys Cloud Platform for internal scanning purposes.

“With support from Qualys, we deployed the Vulnerability Management and Policy Compliance modules,” recalls Boris Janicic. “The configuration process was very straightforward, and we quickly established repeatable patterns for automated scanning based on the Qualys severity ratings for common vulnerabilities and exposures [CVEs].”

Today, Societe Generale Bank Montenegro uses Qualys Cloud Platform to run more frequent, detailed and comprehensive internal vulnerability scans than ever before.

“We now use Qualys Vulnerability Management to perform an automated scan every month—and in the future, we aim to set up scans that run even more frequently,” says Boris Janicic.

“Before each scan, we use the asset discovery capabilities of Qualys Cloud Platform to ensure we don’t miss anything—for example, if an administrator changed the IP address of one of our workstations.

“After the scan is complete, we receive a fine-grained report that shows the vulnerabilities in each asset across our estate, ranked based on their severity scores. Equipped with this data, it’s now far easier for us to make informed, timely decisions about which vulnerabilities to prioritize.”

Using the Policy Compliance module, it is now simpler than ever for Societe Generale Bank Montenegro’s IT team to prepare reports for regulators and group management teams.

“With Qualys Cloud Platform, we can now track our policy compliance across all of the IP-connected devices and network infrastructure in our estate, and generate detailed, accurate reports at the touch of a button whenever we need to,” comments Boris Janicic.

“Qualys Cloud Platform is by far one of the most user-friendly security solutions we use in Societe Generale Bank Montenegro—and in my opinion, it’s the best vulnerability scanning solution available on the market today.”
Boris Janicic

Head of Information Technology Department, Societe Generale Bank Montenegro

Reacting Fast to Evolving Threats

Since deploying Qualys Cloud Platform for internal vulnerability scanning, Societe Generale Bank Montenegro has significantly reduced its exposure to regulatory risks.

“When we ran our first internal scan using Qualys Cloud Platform, we found that over 18 percent of our servers—a mixture of Windows and Linux machines—had level four or five vulnerabilities,” explains Boris Janicic.

“One thing that surprised us was that most of the serious vulnerabilities were concentrated in our Linux servers. Linux is typically considered more secure than Windows, and because there was no automated patching regime for the Linux machines in the estate, a significant number of vulnerabilities had slipped through unresolved.”

With deeper insights into its security posture, Societe Generale Bank Montenegro can identify opportunities to refine its internal security policies.

“We aim to remediate level four and five vulnerabilities within a defined timeframe—and thanks to Qualys Policy Compliance, it’s easy for us to monitor outstanding security tasks and ensure we stay on top of them,” comments Boris Janicic. “Looking ahead, we plan to give more of the IT team direct access to Qualys Cloud Platform, as it will empower them to implement fixes without waiting for us to send them the latest vulnerability report.”

Based on its success with internal vulnerability scanning, Societe Generale Bank Montenegro is exploring the possibility of deploying File Integrity Monitoring, an extension to Qualys Cloud Platform.

Boris Janicic adds: “The main value of the File Integrity Monitoring agent is how lightweight it is—enabling us to achieve real-time change detection with minimal impact on performance.”

Boris Janicic concludes: “Qualys Cloud Platform is by far one of the most user-friendly security solutions we use in Societe Generale Bank Montenegro—and in my opinion, it’s the best vulnerability scanning solution available on the market today. As we continue to integrate Qualys solutions into our information security processes, we’re confident that we can further strengthen our security posture.”