Our team was overwhelmed with a huge number of vulnerabilities, including a backlog of critical vulnerabilities that weren’t being reduced fast enough. Among the problems was our inability to effectively distill aggregate trend data into actionable information for the people responsible for remediation.
The X-Force Red team dove into our mess of problems. Four months into the program, we saw a 60 percent reduction in critical vulnerabilities and a nearly 45 percent reduction in total vulnerabilities.
60% reduction of critical vulnerabilitiesin just four months
Accurately and automatically scans millions of recordsclosing the door on data exposure
45% reduction in total vulnerabilitiessince the implementation of the solution
Business challenge story
Too many vague vulnerabilities
Financial services firms fall victim to cybersecurity attacks 300 times more frequently than businesses in other industries, which is why our firm has invested in and prioritized our vulnerability management program.
We had a backlog of high and critical vulnerabilities. The sheer volume made reporting, prioritizing, and tracking the issues really challenging. We simply lacked an enterprise-scale solution for vulnerability management.
Before November 2018, we had an ineffective solution of complex spreadsheets that extracted large numbers of vulnerabilities from multiple systems and scanners — ultimately leaving both the Vulnerability Management team and other teams responsible for patching unable to deconstruct the complicated reports and drill down into the data. The reports showed an overall number of vulnerabilities and a formula-based key risk indicator, but we needed insight into how that metric was calculated and which vulnerabilities were impacting specific systems.
We felt paralyzed. The output of our vulnerability scanners allowed us to see how many vulnerabilities we had, but we couldn’t reliably correlate the data to specific systems and owners. Without effective reporting, systems administrators didn’t know where to start with patching and the vulnerability team couldn’t provide useful direction.
The stress weighed on our team. The data was so opaque, it felt like we were losing control. Every month, we reported to management, hoping the vulnerability numbers trended down, but we knew we weren’t controlling the outcome. We felt helpless.
Moreover, our vendor at the time did not take ownership of the rising concerns or address the problems with their reporting model that were preventing us from making progress. We needed to overhaul our vulnerability management program and switch vendors.
Arming our bank with a hacker-driven program
We sought a service with the expertise, tools and intelligence to help us fix the backlog of vulnerabilities, particularly the critical ones. Selecting X-Force Red Vulnerability Management Services in November 2018 quickly proved beneficial. X-Force Red’s team of veteran hackers immediately analyzed our company’s different technology areas and different business lines. They overhauled the data model, fixed significant data quality problems, and introduced automation that they continue to enhance today.
Whereas we previously manually reviewed each vulnerability and tried to decipher which ones out of the millions were potentially the most harmful, X-Force Red’s automated ranking formula helped us prioritize the most critical vulnerabilities more efficiently and effectively.
The X-Force Red team made the formula transparent, so we knew exactly how the algorithm worked. Applying its hacker mindset, X-Force Red prioritized the vulnerabilities based on whether criminals were weaponizing them and value of the exposed asset. The automated prioritization took only minutes as compared to days with our previous manual methods. This quick turnaround helped us immediately remediate vulnerabilities to prevent attacks and allowed my team members to focus on other tasks.
Quickly eradicating vulnerabilities
With the help of X-Force Red, my team was able to attribute vulnerabilities to the proper remediation owners, but also more easily measure those owners' performance over time. Our newfound ability to support systems owners and hold them accountable has driven major progress. X-Force Red Vulnerability Management Services enables quick tweaks and adjustments to our reporting process. We now understand data we could not previously decipher for years and can ask to see that data in a specific format or as a slice, all because of X-Force Red’s Vulnerability Management Services.
The numbers do not lie. Only four months into our partnership with X-Force Red, we saw a 60 percent reduction in the most critical vulnerabilities and a 44 percent reduction in total vulnerabilities.
We are now implementing the remediation facilitation component of X-Force Red’s Vulnerability Management Services to push our most consequential issues, in manageable batches, to the systems administration teams responsible for fixing them.
In addition to the reporting and tracking aspects of the vulnerability management practice, the X-Force Red team also took ownership for driving improvements in our scanning infrastructure. We're able to scan the environment almost twice as fast thanks to reconfigurations to eliminate redundant scans and fix scanner configuration problems.
Our team is optimistic about our continued partnership with X-Force Red and the significant impact its Vulnerability Management Services has on our future security. I am extraordinarily happy — it’s not often that a partner exceeds expectations, but in this case, X-Force Red absolutely has.
About X-Force Red
To learn more about X-Force Red Vulnerability Management Services, please contact your IBM representative or IBM Business Partner, or download the following whitepaper: