AXA UK is rolling out a web-based service to allow it to make daily scans of 15,000 devices on its IT network for potentially dangerous security vulnerabilities.
The insurance company plans to use the service to improve the security of its IT systems by identifying and prioritising patches for the most business-critical vulnerabilities.
AXA has predicted that the service, Qualysguard, could pay for itself more than five times over if it succeeds in preventing just one serious virus infection.
"The justification is reduction in risk," said IT security and contingency manager Monty Couch. "We have calculated in the past that losing our network for one day would cost £1m, so the system could easily make a return on investment."
The scanning service will allow AXA to prove to regulators, who are increasingly conscious of the risks to IT systems, that it is actively managing potential risk, said Couch.
Until now, AXA relied on penetration testing organisations carrying out an annual check on its systems for vulnerabilities, but the company felt it needed to test far more frequently to keep pace with changes to the network.
The Qualys system will allow AXA to define which parts of its IT system are most critical to the business, to identify vulnerabilities and to deal with them quickly, said Couch. Other, less critical parts of the network will be scanned less frequently.
"I believe this could be the difference between a worm getting into our network or not. If we can get this implemented to the highest degree, it will protect us from automated attacks and hacking. It will allow us to respond quickly and to understand and categorise the risk quickly," he said.
Couch chose the Qualys technology after commissioning an evaluation at his former employer, Standard Chartered Bank, which showed it was effective and could be quickly installed.
"We wanted something that gives high value and was low effort to install," he said.
Couch plans to use the management information generated by Qualysguard to inform the board about network security.
"The way of getting security on the agenda and thus getting budget for security is when you have a proven mechanism for demonstrating vulnerability," he said.
Achieving buy-in
One of the main challenges in introducing the Qualysguard system has been persuading AXA's IT security team to embrace the new approach. "People could have viewed it as checking up on their work, so we have put a lot of effort into trying to engage the support groups. I think they are now seeing the benefits," said IT security and contingency manager Monty Couch.