How a Fortune 500 Company Reduced Its Attack Surface Using Expanse

Fortune 100 Financial Services Company Reduces Attack Surface

By Shelby Carpenter, Product Marketing Manager 07.10.2019

Problem

Like most large financial institutions, this Fortune 100 financial services company has a complex network. From M&A activity to cloud development to securing critical suppliers, it was challenging for the company to identify and monitor all of its Internet-connected assets. And without a complete and accurate IT asset inventory, it was even more challenging to secure those assets. 

Solution

The company uses Expanse as its central source of truth for all assets connected to the public Internet. With automatic discovery and monitoring of its Internet-connected assets, its IT operations and security teams can more effectively monitor for exposures and reduce the company’s attack surface.

Outcome

Working with Expanse, the company identified and removed a previously unknown remote desktop protocol (RDP) server exposed on the public Internet. It also eliminated more than 20 critical exposures and reduced the number of publicly accessible services from more than 1,200 to 175. These actions eliminated potential entry points for attackers and improved the company’s cybersecurity posture. 

Complex Networks Require Global Visibility 

The Fortune 100 financial services company is a veritable giant in its industry. It’s one of the United States’ 10 largest banks, and it generated more than $25 billion in revenue and held nearly $250 billion in loans in 2018. 

One big contributor to the company’s success has been its business development strategy, which has resulted in a number of high-profile acquisitions over the past decade. But this business expansion meant that IT and security teams had to grapple with a new challenge: integrating the networks and technologies of its new subsidiaries. With thousands of new Internet-connected assets to integrate and manage the lifecycles for, they knew it could be all too easy for some assets to get missed. And without a complete, accurate, and current Internet asset inventory, they couldn’t be sure they were securing all of their assets appropriately.

Reducing Exposures in the Cloud and Beyond

The company partnered with Expanse to tackle this challenge head-on. The company began using Expanse Expander to discover, monitor, and track all of its Internet-connected assets, including IP addresses, domains, and certificates. It also uses Expanse Behavior to monitor for any risky or out-of-policy communications, like banned communications to OFAC-designated countries, cryptocurrency mining, and use of Tor or peer-to-peer sharing services. When the security team gets an alert from Behavior, they are able to remediate the issue almost immediately and put in place systemic changes that would prevent the problematic behavior from surfacing again in the same place. 

Using the Cloud Module of Expander, the security team discovered a previously unknown system that exposed a remote desktop protocol server on the public Internet. The RDP server in question connected to automatic blinds at the headquarters building of an acquired company. The Fortune 100 financial services company had taken ownership of the building during the acquisition, but due to complex financial terms of the deal, was prevented from getting global visibility into all building subsystems, even post-acquisition.

Building control systems are common attack vectors because they often aren’t under active management by IT or IT security teams, but rather by facilities or operations teams that routinely lack cybersecurity expertise. The discovery of this RDP exposure was only possible because of Expanse’s Internet-wide visibility and ability to correctly attribute Internet-facing assets back to the company.

Apart from this RDP exposure, the company has remediated more than 20 critical exposures with the help of Expanse, including 16 audio and video teleconferencing systems, and eliminated or replaced hundreds of non-compliant certificates in its Internet-facing infrastructure. The company has also reduced the number of its publicly accessible services on the Internet from more than 1,200 to 175, greatly reducing its overall attack surface.
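The discovery, ownership attribution and certificate findings described above all end in the same step: triaging an inventory of Internet-facing services against policy. The following is an added example of that triage (not Expanse code, data or API); the inventory records, the field names, the approved/critical service sets and the certificate rules are all assumptions made for the illustration.

```python
"""Triage a constructed Internet-facing asset inventory for exposures."""
from datetime import date

# Assumed policy: only HTTPS may face the Internet; remote-access and AV/
# building management planes (RDP, VNC, telnet, H.323, SIP) never may.
APPROVED_SERVICES = {"https"}
CRITICAL_SERVICES = {"rdp", "vnc", "telnet", "h323", "sip"}
MIN_RSA_BITS = 2048          # assumed certificate policy
TODAY = date(2019, 7, 10)    # fixed so the example is deterministic

# Constructed sample inventory (documentation/TEST-NET addresses only).
INVENTORY = [
    {"ip": "192.0.2.10", "port": 443, "service": "https", "owner": "web-ops",
     "cert": {"issuer": "DigiCert", "not_after": "2020-01-01", "key_bits": 2048}},
    {"ip": "198.51.100.7", "port": 3389, "service": "rdp", "owner": None},
    {"ip": "203.0.113.5", "port": 1720, "service": "h323", "owner": "facilities"},
    {"ip": "203.0.113.9", "port": 443, "service": "https", "owner": "web-ops",
     "cert": {"issuer": "self-signed", "not_after": "2019-03-01", "key_bits": 1024}},
    {"ip": "192.0.2.22", "port": 8080, "service": "http-proxy", "owner": "it"},
]


def cert_issues(cert):
    """Return the policy violations found in one certificate record."""
    issues = []
    if cert["issuer"] == "self-signed":
        issues.append("self-signed")
    if date.fromisoformat(cert["not_after"]) < TODAY:
        issues.append("expired")
    if cert["key_bits"] < MIN_RSA_BITS:
        issues.append(f"weak-key-{cert['key_bits']}")
    return issues


def triage(inventory):
    """Return (severity, ip:port, reason) findings for every record."""
    findings = []
    for asset in inventory:
        where = f"{asset['ip']}:{asset['port']}"
        svc = asset["service"]
        if svc in CRITICAL_SERVICES:           # e.g. the RDP case above
            findings.append(("critical", where, f"{svc} exposed"))
        elif svc not in APPROVED_SERVICES:     # unknown/out-of-policy service
            findings.append(("high", where, f"out-of-policy {svc}"))
        if asset.get("owner") is None:         # cannot be remediated until attributed
            findings.append(("high", where, "no owner attributed"))
        for issue in cert_issues(asset["cert"]) if asset.get("cert") else []:
            findings.append(("medium", where, f"non-compliant cert: {issue}"))
    return findings


if __name__ == "__main__":
    for finding in triage(INVENTORY):
        print(*finding, sep="\t")
```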

With a significantly smaller attack surface and automatic discovery and monitoring of new Internet-connected assets and exposures, the company is able to carry forward its mission of delivering the best possible financial products and services to customers.