Regional Bank Implements Risk-Based Vulnerability Management with Attaxion

A regional bank with about $80 billion in assets relied on Attaxion to switch to risk-based vulnerability management (RBVM). The bank serves users across North America, focusing on commercial banking, and offers a variety of products and services, including financial advisory and investment services.

The expanding threat landscape and evolving compliance requirements prompted them to switch to RBVM. They used Attaxion, an EASM platform with modern asset discovery techniques, as a foundation to facilitate the switch.

Table of Contents

  1. Challenges
  2. Solution
  3. Results

PART 1

The Challenge

As an institution operating in a heavily regulated industry, the bank strives to maintain compliance with various industry standards and regulatory requirements, such as the Gramm-Leach-Bliley Act and Payment Card Industry Data Security Standard (PCI DSS). However, its vast and fragmented IT infrastructure — comprising core banking systems, loan origination systems, payment processing platforms, and other critical systems — offers a unique combination of risks. Having unknown vulnerable assets or failing to prioritize business-critical systems (and many systems are critical to different branches of their business) could result in non-compliance or expose the bank to threat actors. On top of this, the infrastructure security team is short-handed, making it even more challenging to keep an eye on everything. 

The main cybersecurity challenges the bank faced were:

  • Limited visibility of its external attack surface: The bank’s diverse and fragmented IT infrastructure made it difficult to catalog all external assets, with shadow IT assets potentially compromising its compliance efforts. Relying on manual asset inventory didn’t scale and wasn’t effective.
  • Preparation for penetration testing: Compliance mandates annual penetration testing, requiring the bank’s undermanned security team to make extensive preparations, which include analyzing the attack surface from an attacker’s perspective. In addition, the high cost and time-consuming nature of pentesting often limited its scope, leaving other systems untested and less protected. The team needed to automate this process as much as possible to prepare for penetration tests and maintain the systems that are not in scope for pentesting in a secure state.
  • Implementing efficient vulnerability management: While the bank proactively addressed vulnerabilities as they were detected, it sought to optimize its strategy and ensure it not only complied with industry regulations but also protected its systems and users from potential attacks by mitigating high-impact vulnerabilities actively exploited in the wild. Traditional vulnerability management focuses only on severity; it does not consider exploitability or whether a vulnerability is being used in actual attacks in the wild, nor the business context and criticality of the vulnerable asset.

The bank’s Head of Infrastructure Security knew she had to act before any compliance issues could arise or threat actors could find a way to exploit their siloed systems.

“Our vast and distributed IT infrastructure was making it difficult to gain a clear and consistent view of our external attack surface that we desperately need. Having just one asset we don’t know about could lead to serious compliance issues. Attaxion gave us the complete picture we needed to maintain control.” – Head of Infrastructure Security at the Regional Bank

PART 2

The Solution

The bank decided to transition from traditional vulnerability management to risk-based vulnerability management with automatic asset discovery to effectively cover their entire web-facing infrastructure and prioritize vulnerabilities based on exploitability. They chose the Attaxion EASM platform to provide the necessary data and enable RBVM. Specifically, Attaxion helped the bank:

  • Build and maintain a comprehensive inventory: Using its varied cyber reconnaissance techniques, Attaxion enabled the bank to identify and secure previously unknown assets that were putting it at risk of non-compliance. Some of these assets were not in scope for penetration tests, so they would’ve remained shadow IT even after the yearly pentesting exercise. 
  • Prioritize exploitable vulnerabilities: Attaxion goes beyond traditional CVSS-based risk scoring and provides the bank with an actionable understanding of the likelihood of real-world exploitation, factoring EPSS and CISA KEV data into the vulnerability prioritization process. This allows the bank to prioritize vulnerabilities based on business risks rather than severity and maintain a stronger security posture.
  • Enhance regulatory compliance: Complete visibility into their external attack surface gave the bank more confidence in their regulatory compliance, as they could identify and protect more assets. This comprehensive view helped the bank’s security team prepare for the mandatory penetration testing activities, which had previously overwhelmed them.
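To make the difference between severity-only and risk-based prioritization concrete (the gap described under the challenges above and the EPSS/KEV-driven approach described in this section), here is an added Python illustration. It is not Attaxion's scoring model, whose internals this case study does not describe; the weighting formula, the tier thresholds, the sample findings and the placeholder CVE labels are all constructed assumptions. It shows how folding EPSS probability, CISA KEV membership and asset criticality into the decision reorders the same backlog compared with ranking by CVSS alone.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance on one external asset."""
    asset: str
    cve: str                # placeholder label, not a real CVE id
    cvss: float             # CVSS base score, 0-10 (severity only)
    epss: float             # EPSS probability of exploitation, 0-1
    in_kev: bool            # listed in the CISA Known Exploited Vulnerabilities catalog
    asset_criticality: int  # business-context weight, 1 (low) .. 5 (core system)


# Constructed sample backlog. Note that the highest CVSS score sits on the
# least critical, least exploited asset.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("core-banking-api.example", "CVE-PLACEHOLDER-A", 7.5, 0.92, True, 5),
    Finding("promo-microsite.example", "CVE-PLACEHOLDER-B", 9.8, 0.02, False, 1),
    Finding("payment-gateway.example", "CVE-PLACEHOLDER-C", 8.1, 0.40, False, 5),
    Finding("loan-portal.example", "CVE-PLACEHOLDER-D", 6.5, 0.05, False, 4),
]


def severity_only_rank(findings: List[Finding]) -> List[str]:
    """Traditional ordering: highest CVSS first, nothing else considered."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def risk_score(f: Finding) -> float:
    """Illustrative risk score in [0, 100] (assumed formula).

    Likelihood: KEV membership means exploitation is confirmed, so it is
    treated as probability 1.0; otherwise the EPSS probability is used.
    Impact: CVSS normalised to [0, 1].
    Context: asset criticality normalised to [0, 1].
    """
    likelihood = 1.0 if f.in_kev else f.epss
    impact = f.cvss / 10.0
    context = f.asset_criticality / 5.0
    return round(likelihood * impact * context * 100.0, 1)


def risk_based_rank(findings: List[Finding]) -> List[str]:
    """RBVM ordering: most likely to be exploited on the most critical asset first."""
    return [f.cve for f in sorted(findings, key=risk_score, reverse=True)]


def remediation_tier(f: Finding) -> str:
    """Map a finding to an SLA bucket (thresholds are assumptions for the example)."""
    if f.in_kev:
        return "immediate"   # actively exploited: fix or mitigate regardless of CVSS
    if f.epss >= 0.2 and f.asset_criticality >= 4:
        return "urgent"      # likely exploitation on a business-critical asset
    if f.epss >= 0.2 or f.asset_criticality >= 4:
        return "scheduled"   # one risk factor elevated, plan it into the next cycle
    return "backlog"         # low likelihood, low business impact


def triage(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group finding labels by remediation tier, each tier ordered by risk score."""
    tiers: Dict[str, List[str]] = {"immediate": [], "urgent": [], "scheduled": [], "backlog": []}
    for f in sorted(findings, key=risk_score, reverse=True):
        tiers[remediation_tier(f)].append(f.cve)
    return tiers


if __name__ == "__main__":
    print("severity-only order :", severity_only_rank(SAMPLE_FINDINGS))
    print("risk-based order    :", risk_based_rank(SAMPLE_FINDINGS))
    for f in sorted(SAMPLE_FINDINGS, key=risk_score, reverse=True):
        print(f"{f.cve:<20} cvss={f.cvss:<4} epss={f.epss:<5} kev={f.in_kev!s:<5} "
              f"crit={f.asset_criticality} score={risk_score(f):<5} tier={remediation_tier(f)}")
```

Run as a script, the CVSS-only order puts the 9.8 on the marketing microsite first, while the risk-based order moves the KEV-listed finding on the core banking API to the top and pushes the microsite to the bottom; that reordering is what lets a small team spend its remediation time where real-world exploitation is most likely.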

“Switching to risk-based vulnerability management with the help of Attaxion allowed us to prioritize vulnerabilities with a higher probability of exploitation, improving our security posture beyond compliance.” – Head of Infrastructure Security at the Regional Bank

PART 3

The Results

The bank’s adoption of Attaxion and risk-based vulnerability management resulted in measurable improvements:

  • Increased the volume of identified and secured assets by 4%, significantly expanding visibility into their attack surface.
  • Allowed the infrastructure security team to prioritize vulnerabilities that are exploited in the wild, reducing exposure to real threats. 
  • As a result, mean time to remediation (MTTR) for exploitable vulnerabilities was reduced by about 20%.

With Attaxion, the bank transformed its vulnerability management approach, achieving a proactive and risk-based security strategy that optimizes compliance and keeps pace with the evolving threat landscape.

Key Takeaways

  • The bank faced significant challenges due to fragmented IT systems, including limited visibility into its external attack surface, difficulty maintaining regulatory compliance, and inefficient vulnerability management.
  • The bank used Attaxion to gain complete visibility into its external attack surface, prioritize vulnerabilities based on exploitability, and gain more confidence in its compliance efforts.
  • As a result, the bank increased asset visibility and protection and reduced the time to address critical vulnerabilities, enabling itself to continuously meet regulatory requirements and proactively mitigate cyber risks.