Large global bank
Managing Director and Head of Vulnerability Management: How hackers dug out our security team from under a mountain of vulnerabilities

Nearly every bank has a vulnerability management headache—including mine. We were buried in vulnerabilities and challenged with figuring out which ones to remediate first. After partnering with IBM® X-Force® Red’s team of veteran hackers, we achieved a significantly better level of control over our vulnerability management situation and are continuing to enjoy ongoing improvements in both practices and results.

Business challenge

Our team was overwhelmed with a huge number of vulnerabilities, including a backlog of critical vulnerabilities that weren’t being reduced fast enough. Among the problems was our inability to effectively distill aggregate trend data into actionable information for the people responsible for remediation.

Transformation

The X-Force Red team dove into our mess of problems. Four months into the program, we saw a 60 percent reduction in critical vulnerabilities and a nearly 45 percent reduction in total vulnerabilities.

60% reduction of critical vulnerabilities in just four months

45% reduction in total vulnerabilities since the implementation of the solution

Accurately and automatically scans millions of records, closing the door on data exposure

Business challenge story
Too many vague vulnerabilities

Financial services firms fall victim to cybersecurity attacks 300 times more frequently than businesses in other industries, which is why our firm has invested in and prioritized our vulnerability management program.

We had a backlog of high and critical vulnerabilities. The sheer volume made reporting, prioritizing, and tracking the issues really challenging. We simply lacked an enterprise-scale solution for vulnerability management.

We had an ineffective solution of complex spreadsheets that extracted large numbers of vulnerabilities from multiple systems and scanners—ultimately leaving both the Vulnerability Management team and other teams responsible for patching unable to deconstruct the complicated reports and drill down into the data. The reports showed an overall number of vulnerabilities and a formula-based key risk indicator, but we needed insight into how that metric was calculated and which vulnerabilities were impacting specific systems.

We felt paralyzed. The output of our vulnerability scanners allowed us to see how many vulnerabilities we had, but we couldn’t reliably correlate the data to specific systems and owners. Without effective reporting, systems administrators didn’t know where to start with patching and the vulnerability team couldn’t provide useful direction.

The stress weighed on our team. The data was so opaque, it felt like we were losing control. Every month, we reported to management, hoping the vulnerability numbers trended down, but we knew we weren’t controlling the outcome. We felt helpless.

Moreover, our vendor at the time did not take ownership of the rising concerns or address the problems with their reporting model that were preventing us from making progress. We needed to overhaul our vulnerability management program and switch vendors.

"The team was feeling hopeless because we couldn’t see a way forward by way of these useless reports. It was overwhelming and a bit scary. With the old model, we were generating monthly reports but weren't actually controlling the outcome. X-Force Red helped us to take control and drive results."
Managing Director, Head of Vulnerability Management, large global bank

Transformation story
Arming our bank with a hacker-driven program

We sought a service with the expertise, tools and intelligence to help us fix the backlog of vulnerabilities, particularly the critical ones. Selecting X-Force Red Vulnerability Management Services in November 2018 quickly proved beneficial. X-Force Red’s team of veteran hackers immediately analyzed our company’s different technology areas and different business lines. They overhauled the data model, fixed significant data quality problems, and introduced automation that they continue to enhance today.

Whereas we previously manually reviewed each vulnerability and tried to decipher which ones out of the millions were potentially the most harmful, X-Force Red’s automated ranking formula helped us prioritize the most critical vulnerabilities more efficiently and effectively.

The X-Force Red team made the formula transparent, so we knew exactly how the algorithm worked. Applying its hacker mindset, X-Force Red prioritized the vulnerabilities based on whether criminals were weaponizing them and on the value of the exposed asset. The automated prioritization took only minutes as compared to days with our previous manual methods. This quick turnaround helped us immediately remediate vulnerabilities to prevent attacks and allowed my team members to focus on other tasks.

"There was once a lot of stagnation and noise that came with having a lot of bad data—it was overwhelming. Once cleared and filtered, we made huge progress."
Managing Director, Head of Vulnerability Management, large global bank

Results story
Quickly eradicating vulnerabilities

With the help of X-Force Red, my team was able not only to attribute vulnerabilities to the proper remediation owners, but also to more easily measure those owners' performance over time. Our newfound ability to support systems owners and hold them accountable has driven major progress. X-Force Red Vulnerability Management Services enables quick tweaks and adjustments to our reporting process. We now understand data that for years we could not decipher and can ask to see that data in a specific format or as a slice, all because of X-Force Red’s Vulnerability Management Services.

The numbers do not lie. Only four months into our partnership with X-Force Red, we saw a 60 percent reduction in the most critical vulnerabilities and a 44 percent reduction in total vulnerabilities.

We are now implementing the remediation facilitation component of X-Force Red’s Vulnerability Management Services to push our most consequential issues, in manageable batches, to the systems administration teams responsible for fixing them.

In addition to the reporting and tracking aspects of the vulnerability management practice, the X-Force Red team also took ownership of driving improvements in our scanning infrastructure. We're able to scan the environment almost twice as fast thanks to reconfigurations that eliminated redundant scans and fixed scanner configuration problems.

Our team is optimistic about our continued partnership with X-Force Red and the significant impact its Vulnerability Management Services has on our future security. I am extraordinarily happy—it’s not often that a partner exceeds expectations, but in this case, X-Force Red absolutely has.

"With the insight from X-Force Red Vulnerability Management Services and being able to focus on the problem areas, we can clearly link owners to vulnerabilities, and the team feels empowered and finally in control."
Managing Director, Head of Vulnerability Management, large global bank

X-Force Red

To learn more about X-Force Red Vulnerability Management Services, please contact your IBM representative or IBM Business Partner.

Legal

© Copyright IBM Corporation 2019. IBM Corporation, IBM Security, New Orchard Road, Armonk, NY 10504

Produced in the United States of America, September 2019.

IBM, the IBM logo, ibm.com, and X-Force are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at https://ibm.com/legal/copyright-trademark.

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

The performance data and client examples cited are presented for illustrative purposes only. Actual performance results may vary depending on specific configurations and operating conditions. THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.