As the VP and ISO at Northern Bank and Trust outside of Boston, Jim Bowker is focused on finding security tools that give him the biggest bang for his buck. Rapid7's vulnerability management solution, Nexpose, has become a critical part of his security stack; it enables him and his team to run monthly scans, identify critical vulnerabilities, and prioritize remediation. Additionally, his team turns to Nexpose every time a breaking-news vulnerability is disclosed, from WannaCry to Apache Struts.
My name's Jim Bowker. I'm the Vice President and Information Security Officer at Northern Bank and Trust, a small community bank just north of Boston.
We're a small company, so there's only so much we have in terms of resources, both for manpower and also for money to buy tools. While everybody would love to have everything, we really had to focus on, okay, what will give us the biggest bang for the buck? What are some of the things that we can do that reduce the risk as much as possible for the least cost? One of the big items for us was using Nexpose. This gives us the ability to run scans every single month. We can take a look at where we are, find the vulnerabilities, identify which ones are the most critical, and as we prioritize them, then just start knocking them out one by one.
It also gives us the ability to more quickly react to different situations, so when a news story breaks about whatever the newest, latest and greatest is, whether it was the incident with WannaCry or the recent concerns with Apache Struts, we could easily go back and say, okay, well, let's make sure that we're covered for that. Do we have any machines that are vulnerable? If we do, are any of them Internet-facing? What's the fix? Let's go and figure it out, test it, roll it out, and get everybody a date as to when the problem will be fixed.
As soon as we realized that there was a problem that started evolving, the first thing we did is, okay, we need to identify the class, the size, the number of assets which were affected. Given that we had already been using Nexpose and we were comfortable with it, it was fairly simple to say, okay, I'm going to scan for all of these. I'm going to create a dynamic asset group that has all of the affected assets in it, prioritize them, figure out which ones are outside, which ones are inside. We used tags so we could split them apart that way, and then divided them into teams. Okay, you guys need to start taking care of these machines, get them patched, get them tested, make sure they're okay, check in with me, let us know when it's done, and we'll re-scan them.
So there were a lot of event-specific things that were going on at that level, but the part that got translated up to executive management was me saying, okay, this affected some of our assets; there were 36 assets that were affected. We tested out the fix, we have it in place, it's been pushed out to 20. There are 16 left at this point, and most of those are going to get taken care of during tonight's maintenance window. The next day I could say, okay, out of the 36 we now have 32 fixed. There are four left; three of them we're going to isolate and disconnect until they can be remediated. We now have 35 out of 36 fixed. That last one you can't get to. We have a short-term plan to replace that system. And, finally, I was able to go back to senior management and say, okay, we're in great shape. Out of all 36 that we found, all of them have been fixed. This is how many hours it took us to get there.
It's a simple, easily communicated message, and what made it easy for us to get to the point where we could give them the little piece of information that they needed was having a tool like Nexpose in the background, so that we could adequately and accurately see where we were for that vulnerability.