AXA rolls out scanner to prioritise patches

AXA UK is rolling out a web-based service to allow it to make daily scans of 15,000 devices on its IT network for potentially dangerous security vulnerabilities.

The insurance company plans to use the service to improve the security of its IT systems by identifying and prioritising patches for the most business-critical vulnerabilities.

AXA has predicted that the service, Qualysguard, could pay for itself more than five times over if it succeeds in preventing just one serious virus infection.

"The justification is reduction in risk," said IT security and contingency manager Monty Couch. "We have calculated in the past that losing our network for one day would cost £1m, so the system could easily make a return on investment."

The scanning service will allow AXA to prove to regulators, who are increasingly conscious of the risks to IT systems, that it is actively managing potential risk, said Couch.

Until now, AXA relied on penetration testing organisations carrying out an annual check on its systems for vulnerabilities, but the company felt it needed to test far more frequently to keep pace with changes to the network.

The Qualys system will allow AXA to define which parts of its IT estate are most critical to the business, to identify vulnerabilities on them and to deal with those first, said Couch. Less critical parts of the network will be scanned less frequently.
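The tiered approach Couch describes, scanning the most business-critical hosts daily and ranking findings by a mix of severity and the criticality of the host they sit on, can be modelled in a few lines. The following is an added illustration, not Qualys's scoring algorithm or AXA's actual configuration: the tier names, scan intervals, weighting factors, and the sample hosts and findings are all constructed for the example.

```python
from dataclasses import dataclass

# Assumed business-criticality tiers and scan cadence (not Qualys's scheme):
# tier 1 is the most critical and is scanned daily; lower tiers less often.
SCAN_INTERVAL_DAYS = {1: 1, 2: 7, 3: 30}


@dataclass(frozen=True)
class Asset:
    host: str
    tier: int            # 1 (most critical) .. 3 (least critical)
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str         # scanner's own identifier for the vulnerability
    severity: int        # 1..5, 5 = most severe
    exploit_available: bool


def priority_score(asset: Asset, finding: Finding) -> int:
    """Rank a finding by severity weighted by how critical the host is.

    The weights are illustrative assumptions: tier 1 hosts triple the
    severity, tier 3 hosts leave it unchanged, and a public exploit or an
    internet-facing host adds a fixed bonus so those findings float up.
    """
    score = finding.severity * (4 - asset.tier)
    if finding.exploit_available:
        score += 3
    if asset.internet_facing:
        score += 2
    return score


def scan_due(asset: Asset, days_since_last_scan: int) -> bool:
    """True if the host's tier says it should be scanned again today."""
    return days_since_last_scan >= SCAN_INTERVAL_DAYS[asset.tier]


def prioritised_patch_list(assets, findings):
    """Return (score, host, vuln_id) tuples, highest priority first.

    Findings on hosts that are not in the asset register are dropped rather
    than silently scored, so an incomplete inventory shows up as a gap.
    """
    by_host = {a.host: a for a in assets}
    scored = [
        (priority_score(by_host[f.host], f), f.host, f.vuln_id)
        for f in findings
        if f.host in by_host
    ]
    # Highest score first; ties broken deterministically by host then id.
    scored.sort(key=lambda t: (-t[0], t[1], t[2]))
    return scored


# Constructed sample data for the example.
ASSETS = [
    Asset("web01", tier=1, internet_facing=True),
    Asset("hr-db01", tier=1, internet_facing=False),
    Asset("kiosk07", tier=3, internet_facing=False),
]

FINDINGS = [
    Finding("web01", "VULN-A", severity=4, exploit_available=True),
    Finding("hr-db01", "VULN-B", severity=5, exploit_available=False),
    Finding("kiosk07", "VULN-C", severity=5, exploit_available=True),
    Finding("web01", "VULN-D", severity=2, exploit_available=False),
    Finding("ghost", "VULN-E", severity=5, exploit_available=True),  # unknown host
]

if __name__ == "__main__":
    for score, host, vuln_id in prioritised_patch_list(ASSETS, FINDINGS):
        print(f"{score:3d}  {host:10s} {vuln_id}")
```

Note that the critical-severity finding on the tier 3 kiosk ranks below a lower-severity finding on the internet-facing tier 1 web server: that is the point of weighting by business criticality rather than by scanner severity alone. The dropped "ghost" host is the other practical lesson: a risk-based scheme is only as good as the asset register it is fed.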

"I believe this could be the difference between a worm getting into our network or not. If we can get this implemented to the highest degree, it will protect us from automated attacks and hacking. It will allow us to respond quickly and to understand and categorise the risk quickly," he said.

Couch chose the Qualys technology after commissioning an evaluation at his former employer, Standard Chartered Bank, which showed it was effective and could be quickly installed.

"We wanted something that gives high value and was low effort to install," he said.

Couch plans to use the management information generated by Qualysguard to inform the board about network security.

"The way of getting security on the agenda and thus getting budget for security is when you have a proven mechanism for demonstrating vulnerability," he said.

Achieving buy-in

One of the main challenges in introducing the Qualysguard system has been persuading AXA's IT security team to embrace the new approach. "People could have viewed it as checking up on their work, so we have put a lot of effort into trying to engage the support groups. I think they are now seeing the benefits," said IT security and contingency manager Monty Couch.
