The Power of Vulnerability Scans: Fifth Third Bancorp’s Journey to Enhanced Cybersecurity
In the ever-evolving cybersecurity landscape, organizations face increasingly sophisticated threats that can compromise their digital assets and sensitive data. To illustrate the transformative power of vulnerability scans, let’s examine the compelling case of Fifth Third Bancorp, a diversified financial services company operating across multiple states in the United States.
The Challenge: Manual Vulnerability Scanning Shortcomings
Fifth Third Bancorp, with its extensive network of 1,167 full-service banking centers spread across ten states, faced significant challenges in maintaining a robust security posture. Their manual vulnerability scanning process was proving to be a major bottleneck in their cybersecurity efforts. The existing system had several critical shortcomings:
Lack of Visibility: The manual scans failed to provide a comprehensive view of the bank’s vast infrastructure, leaving potential vulnerabilities undetected.
Inaccurate Results: The scans often produced unreliable results, making it difficult for the security team to prioritize and effectively address real threats.
No Progress Tracking: The system did not offer a way to track vulnerability management progress over time, hindering the bank’s ability to measure and improve its security posture.
Resource Drain: Fifth Third was spending considerable resources on expensive third-party vulnerability assessments, which were not only costly but also time-consuming.
These issues were not just operational hurdles; they posed significant risks to the bank’s overall security and compliance with industry regulations. As a payment processor, Fifth Third had substantial security responsibilities to its merchants and needed to report compliance directly to major credit card companies. The stakes were high, and a more efficient and accurate solution was desperately needed.
The Search for a Solution
Recognizing the critical nature of these challenges, Fifth Third Bancorp embarked on a comprehensive evaluation of almost every major vulnerability scanner on the market. Their goal was clear: find a more accurate and cost-effective vulnerability management and auditing solution that could handle the scale and complexity of their network.
After rigorous testing and comparison, Qualys emerged as the clear front-runner. Brian L. Klenke, CISSP, Manager of Information Security Vulnerability Management Team at Fifth Third Bancorp, explained their choice: “What sold us on Qualys is its security-as-a-service model. We don’t have teams of people just sitting around, and we’re very conservative with our resources and how they’re deployed. Qualys provides a service that doesn’t add to our current headcount levels to deploy it.”
Implementing Qualys: A Game-Changer
The implementation of Qualys brought about a paradigm shift in Fifth Third’s vulnerability management approach. Here’s how Qualys addressed the bank’s key challenges:
Improved Accuracy: Qualys provided significantly more precise vulnerability detection than the bank’s previous manual scanning methods. This accuracy was crucial in identifying real threats and reducing false positives.
Cost Reduction: By leveraging Qualys’s automated solution, the bank was able to decrease its reliance on expensive third-party vulnerability assessments substantially. This not only reduced costs but also allowed for more frequent and comprehensive scans.
Centralized Security Posture: Fifth Third Bancorp established a centralized database of its security status, allowing for better oversight and management. This centralized view was instrumental in providing a holistic picture of the bank’s security landscape.
Minimal System Impact: Unlike other scanners that negatively impacted servers and services during scans, Qualys proved to be the least disruptive to Fifth Third’s systems. This was a critical factor, as it allowed for more frequent scans without compromising the bank’s operational efficiency.
Ease of Use: The Qualys solution was found to be the most user-friendly among the options evaluated. This ease of use facilitated quicker adoption and more effective utilization of the tool across the organization.
Scaling Up: The Qualys Deployment
Today, Fifth Third has deployed twenty Qualys appliances that audit more than 30,000 specific IP addresses throughout their internal and external infrastructure. This extensive coverage ensures that no part of their network goes unchecked. Through the automated capabilities provided by Qualys, the bank has been able to establish continuous internal and external network audits, a significant improvement over their previous manual processes.
Enhanced Reporting and Compliance
One of the most significant improvements came in the form of enhanced reporting capabilities. Klenke noted, “We can break down reporting by machine types, business units, or any other way we need.” This flexibility in reporting has been crucial for both internal management and external compliance requirements.
As a payment processor, Fifth Third’s ability to demonstrate compliance with industry standards is paramount. Klenke explained, “Because Qualys is a certified PCI scanning vendor, any reports we get from Qualys’ PCI templates can be provided to our auditors as evidence that our systems comply.” This streamlined compliance reporting has saved the bank considerable time and resources.
Future Innovations: Automation and Integration
Building on this success, Fifth Third Bank is now exploring additional ways to leverage Qualys to further streamline its operations and enhance security. One key initiative is the use of Qualys’ API to automate report distribution to IT managers, systems administrators, and other relevant stakeholders. This automation is expected to significantly improve the efficiency of their vulnerability management process.
Furthermore, the bank is planning to integrate Qualys’ vulnerability audit data with its security event management software. This integration will allow for real-time correlation of vulnerability information with intrusion detection alerts. Klenke anticipates that this will “significantly tone down the number of events our IDS triggers. When we’re not vulnerable to an exploit or certain probe, we don’t want to be alerted about it. The accuracy of Qualys’ information will enable us to focus our efforts on real-world risks.”
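The correlation described above can be sketched as follows. This is an added example, not code from Fifth Third, Qualys or any security event management product; the field names, the seven-day freshness window, the IP addresses and the placeholder CVE labels are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumption: scan data older than this is too stale to justify suppressing an alert.
MAX_SCAN_AGE = timedelta(days=7)

# Constructed sample data. A host with an empty "cves" set was scanned and
# found clean; a host missing from SCANS was never scanned at all.
NOW = datetime(2024, 1, 15)
SCANS = {
    "10.0.1.10": {"scanned_at": datetime(2024, 1, 14), "cves": {"CVE-EXAMPLE-0001"}},
    "10.0.1.20": {"scanned_at": datetime(2024, 1, 14), "cves": set()},
    "10.0.1.30": {"scanned_at": datetime(2023, 11, 1), "cves": set()},
}
ALERTS = [
    {"id": 1, "dst_ip": "10.0.1.10", "cves": {"CVE-EXAMPLE-0001"}},
    {"id": 2, "dst_ip": "10.0.1.20", "cves": {"CVE-EXAMPLE-0001"}},
    {"id": 3, "dst_ip": "10.0.1.30", "cves": {"CVE-EXAMPLE-0001"}},
    {"id": 4, "dst_ip": "10.0.1.99", "cves": {"CVE-EXAMPLE-0001"}},
    {"id": 5, "dst_ip": "10.0.1.20", "cves": set()},
]


def triage(alert, scans, now):
    """Classify one IDS alert as 'escalate', 'suppress' or 'review'."""
    if not alert["cves"]:
        # The signature is not tied to a known vulnerability, so scan
        # data cannot confirm or rule it out.
        return "review"
    scan = scans.get(alert["dst_ip"])
    if scan is None or now - scan["scanned_at"] > MAX_SCAN_AGE:
        # Unscanned or stale host: missing data is not evidence of safety.
        return "review"
    if alert["cves"] & scan["cves"]:
        return "escalate"  # target is confirmed vulnerable to this exploit
    return "suppress"      # recently scanned and not vulnerable


def correlate(alerts, scans, now):
    """Group alert ids by triage outcome."""
    result = {"escalate": [], "suppress": [], "review": []}
    for alert in alerts:
        result[triage(alert, scans, now)].append(alert["id"])
    return result


if __name__ == "__main__":
    print(correlate(ALERTS, SCANS, NOW))
```

Only alert 2 is suppressed: suppression requires a fresh scan that positively shows the target is not vulnerable, so unscanned hosts, stale scans and signatures without a vulnerability reference still reach an analyst.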
Conclusion: A Transformed Security Posture
The implementation of Qualys has transformed Fifth Third Bancorp’s approach to vulnerability management. By moving from manual, inaccurate, and resource-intensive processes to an automated, precise, and efficient system, the bank has significantly enhanced its security posture.
Key outcomes of implementing Qualys included:
Drastically improved accuracy in vulnerability detection
Substantial cost reduction in security assessments
Establishment of a centralized and comprehensive security database
Minimal disruption to existing systems during scans
Enhanced ease of use, leading to better adoption and utilization
This case study vividly demonstrates how adopting an automated, cloud-based vulnerability management solution can significantly enhance an organization’s security posture while also improving operational efficiency and reducing costs. For financial institutions and other organizations dealing with sensitive data and complex networks, the lessons from Fifth Third Bancorp’s experience with Qualys offer valuable insights into the power of modern vulnerability scanning solutions.
As cyber threats continue to evolve, the proactive approach taken by Fifth Third Bancorp serves as a model for organizations seeking to strengthen their cybersecurity defenses in an increasingly digital world.