Recently, we interviewed Anthony Edwards, director of security operations for Hilltop Holdings, about how his financial holdings organization approaches multi-level security in a high-profile industry. Here’s what he had to say:
Q: What aspects of securing an environment in the financial services sector makes it particularly challenging compared to other industries?
A: This sector is a constant target for malicious attacks, but there is nothing really more difficult about securing our environment. We just focus on different types of information and regulatory compliance requirements. Fileless attacks such as malvertising and phishing are the most concerning attacks in our industry, and because end users are the most vulnerable aspect of any organization, I’m constantly trying to gain advanced levels of visibility into what users are doing, or removing them altogether from the threat perspective.
Q: Can you tell us about your security organizations and the different solutions you use?
A: We take a layered approach to security using an array of different technologies. We’re using the full suite for Rapid7’s products, including InsightIDR for log collection and SIEM, Managed Detection and Response (MDR) services to help us handle incident response, InsightVM for vulnerability management, and InsightConnect to automate certain processes.
Q: What are the key indicators for success for your security program?
A: I measure the time it takes to complete a process, such as handling phishing emails from detection all the way to remediation. My goal is to reduce the time it takes to perform the functions in that process because, in turn, it reduces the risk to the organization.
Q: How has your IT department changed based on the types of assets you’re seeing?
A: Since I took over at Hilltop, we’ve consolidated four different lines of business with three separate IT organizations to one organization through our shared services model. We’ve also gone from seven data centers to two. Because of this, the types of assets, applications, and systems that I was responsible for have evolved tremendously.
Through our vulnerability management program, we have naturally embedded security operations within the IT and engineering groups and using InsightVM’s remediation projects, we’re able to collaborate well with our IT counterparts so we can solve for, identify, and fix what we detect to be vulnerable or a misconfiguration.
Q: Where did you start with Rapid7’s products and why do you prefer one platform versus multiple point solutions?
A: We started with InsightVM to help scale our vulnerability management program. From there, we needed a way to increase visibility across the organization to detect things like lateral movement and file access details so we know what’s going on within our environment and can respond faster. I started to see a trend where user behavior analytics (UBA) was no longer a nice-to-have, but a need-to-have for security, which brought us to InsightIDR. At the same time, I also purchased InsightConnect to automate the functions across these solutions. Over the years, we’ve invested heavily in the Rapid7 platform.
[To see how Hilltop Holdings integrates their environment using InsightConnect, read this interview with their security analyst Michael Cochran.]
It was important that we have a single platform to operate from because navigating multiple platforms lengthens our time to detect, respond to, and contain threats, which puts our business at risk. I liked that all of Rapid7’s solutions integrate with each other because it gives us a holistic view of what’s going on and accelerates our response time.
Q: What InsightVM features do you use to keep tabs on your changing environment?
A: We utilize InsightVM to track vulnerability data across our environment. A key feature we use is remediation projects in order to track project completion. We also use dashboards and reports so we can show senior leadership where we are in the vulnerability management process, our percentage of task completion, what our exposure level is, and so on.
Since we use InsightVM alongside InsightIDR, we started deploying agents that give us root-level access to our environment, which has increased our awareness of vulnerabilities across the board. Simultaneously, our scan engines check for remote vulnerabilities.
Q: How has Rapid7 improved your approach to detecting and responding to threats?
A: The introduction of Rapid7’s InsightIDR has improved our ability to detect threats and anomalous behavior within our environment. Without InsightIDR’s agent, we’d have to deploy multiple log collecting agents and solutions to gain that level of visibility. The agent supports InsightVM as well, giving us root-level vulnerability data. It also complements our incident response efforts by giving us visibility into file and user activity, lateral movement, and infiltration functions, which have improved our capacity to respond. The agent’s ability to ingest logs from an array of solutions, including cloud solutions, gives us a broad spectrum of visibility across the entire enterprise and has facilitated our ability to execute the security program more holistically.
Q: What does the future of your security program look like, and how does InsightConnect fit into that picture?
A: The future of our security program is more integration. InsightConnect will continue to help enrich the amount of data passed between our various security solutions, even if some solutions aren’t built to natively talk to each other. InsightConnect gives us the ability to share threat intelligence, automate actions, and as a result, reduce the time to contain and remediate a threat. In the near future, I’d like to bridge the gap between our firewalls and endpoint security solution to share threat intelligence. Every security solution has a threat intelligence feed it pulls from, but they may not share that intel among each other. If we can bridge that gap using InsightConnect, we can reach a more proactive state and prevent threats from ever happening.
Q: How is automation saving your team time?
A: Before we automated our phishing remediation workflow, we were spending approximately 77 hours a week doing triage and response. By automating the entire workflow with InsightConnect, we’ve reduced that time to three minutes a week. The only time we spend on it is digesting the data that comes out of the reporting solution to make a determination if an email is malicious, spam, or legitimate so we can decide whether to take action. By automating manual and repetitive processes like these, we can reallocate their time to higher-value activities like threat hunting and proactive security measures.
Q: Is cloud infrastructure a challenge for your team?
A: As cloud-based resources like AWS, Azure, and Salesforce come into the environment, it adds a different degree of complexity. It’s our job to understand how those solutions are being utilized in our environment, what systems are communicating, who is accessing them, and where the data is going so that we can put the appropriate controls in place to protect our customer and our data.
InsightIDR has a cloud shadow IT detection functionality so we can see the cloud apps being accessed by our customer base. This has given us visibility to take action on things we weren’t aware of before. Rapid7’s product portfolio as a whole has given us a new lens on the challenges the cloud and shadow IT present so we can make business decisions as an organization as to how we want to continue to operate.
Learn more about Rapid7’s Insight Platform
Looking to achieve the same type of security automation success as Hilltop Holdings? Rapid7’s Insight Platform equips you with the visibility, analytics, and automation you need to unite your teams and amplify your efficiency. Sign up for a free trial today.