John Vander Velde, Superior National Bank CIO
- SaaS deployment in under 30 minutes without adding staff.
- Visibility into all network activity including service provider activity and a baseline of “normal” to align with defense controls.
- Risk and threat coverage for Office 365.
With the banking industry under continuous pressure to defend against those with malicious intent while keeping up with an ever-changing regulatory environment, Superior National Bank CIO, John Vander Velde, knew he needed to do something to stay ahead of the curve.
An information security program more advanced or modern than its peers', whether in people, products, or technologies, is not something one might associate with a community bank of more than 130 years in the Upper Peninsula and Southeast Michigan. But Vander Velde, an early adopter of cloud computing and associated technologies, believes that staying ahead of the bad guys, and even ahead of what regulators require, is an obligation.
Not only did Superior National Bank acquire the cybersecurity consulting firm Practical Security Solutions, an advisory service tailored to each organization's needs, but Vander Velde went looking for a better way to secure the network connecting the Bank's corporate headquarters, 11 locations, and its 250+ employees, who have rapidly adapted to remote work. The mission: expand Superior National Bank's existing cybersecurity program to proactively defend against fraud and those intent on stealing customer and financial data. The biggest pain point, Vander Velde explains, was the lack of visibility into what was happening on the bank's network after the rapid adoption of cloud computing and remote working. With little understanding of what constituted "normal" activity in this new world, how could the bank's small IT and cyber team monitor for unusual behavior or potentially malicious activity, let alone detect and neutralize an attack like ransomware?
Old Way, New Way
Vander Velde said the team knew there were many tried-and-true tools available for monitoring network traffic, but they required a high degree of sophistication and resources to manage. In addition to identifying risks and threats, visibility was essential, whether for seeing new and changing network-connected devices, data transfers over the network, or patches and software updates.
Multiple tools could have monitored the logs, systems, and traffic over the network, but that was the old way and required a lot of manual work. Newer AI and other automation technologies could monitor processes and offer risk and threat detection. “Why would we want to do things the old way with onsite appliances tapping network traffic, and the team manually monitoring logs and devices, when we could take advantage of AI technology and machine learning that could operate in real-time and help us meet our network visibility and defense goals?” said Vander Velde.
“Many tools provide Office 365 controls, but they don't have the SaaS AI or machine learning to actually find threats, just rules and templates. CyGlass gave us the visibility we needed, and we can just turn it on.”
Vander Velde knew that real-time behavioral network detection and response (NDR) systems that worked at enterprise scale were expensive and complex. He did not have the team, the budget, or the ability to purchase and deploy NDR tools and the required onsite hardware.
“And that’s where CyGlass really hit the mark,” Vander Velde says.
CyGlass is a network detection and response solution that operates as a SaaS in an AWS cloud environment. The CyGlass Network Defense as a Service (NDaaS) collects data including NetFlow, Syslog, Active Directory logs, and Microsoft 365 logs, and transmits it to an AI engine. Using a combination of unsupervised machine learning and self-learning AI, the CyGlass engine continuously learns "normal" activity from the ingested data flows, setting baselines of what is considered "normal" across the bank's network and cloud traffic.
With "normal" activity defined, the AI engine continuously watches for anomalies. To decide which anomalies are risks and threats, the AI outputs are integrated with a rules engine, which teams can use to define process- and intelligence-based risks and threats, such as unsecured ports or ransomware IOCs. The same policy engine is used to define regulatory compliance controls, which is critical for financial services companies.
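The two layers described above, a learned baseline of "normal" per host and a rules layer that turns specific anomalies into risks and threats, can be sketched in a few dozen lines. The following is an added illustration written for this page, not CyGlass code; it assumes a stripped-down NetFlow-style record (source, destination, destination port, bytes), an assumed policy listing cleartext services as "unsecured ports", and a constructed placeholder indicator address from the RFC 5737 documentation range standing in for a real IOC feed.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record, reduced to the fields this example needs (assumed shape)."""
    src: str
    dst: str
    dport: int
    nbytes: int


# Constructed learning-window traffic; 10.0.0.0/8 hosts are made up, not real bank data.
BASELINE_FLOWS = [
    Flow("10.0.1.10", "10.0.0.5", 443, 1000),
    Flow("10.0.1.10", "10.0.0.5", 443, 1200),
    Flow("10.0.1.10", "10.0.0.5", 443, 800),
    Flow("10.0.1.10", "10.0.0.5", 53, 1000),
    Flow("10.0.1.10", "10.0.0.5", 53, 1000),
    Flow("10.0.1.20", "10.0.0.5", 443, 500),
    Flow("10.0.1.20", "10.0.0.5", 443, 500),
    Flow("10.0.1.20", "10.0.0.5", 53, 500),
]

# Rules layer, both assumed for the example: a policy naming cleartext services as
# unsecured ports, and an indicator list holding one placeholder address (RFC 5737 range).
UNSECURED_PORTS = {21: "ftp", 23: "telnet", 69: "tftp"}
IOC_IPS = {"203.0.113.66"}  # placeholder indicator, not a real IOC


def learn_baseline(flows):
    """Learn, per source host, the set of destination ports used and a byte-volume limit."""
    ports = defaultdict(set)
    volumes = defaultdict(list)
    for f in flows:
        ports[f.src].add(f.dport)
        volumes[f.src].append(f.nbytes)
    volume_limit = {}
    for host, sizes in volumes.items():
        mu, sigma = mean(sizes), pstdev(sizes)
        # Flag only clear spikes: beyond three standard deviations AND at least double the
        # mean, so a host with near-constant traffic (sigma ~ 0) does not alert on noise.
        volume_limit[host] = max(mu + 3 * sigma, 2 * mu)
    return {"ports": dict(ports), "volume_limit": volume_limit}


def evaluate(flow, baseline):
    """Return (category, name) findings for one flow: rules first, then baseline anomalies."""
    findings = []
    # Rules layer: intelligence-based (IOC match) and policy-based (unsecured port).
    if flow.dst in IOC_IPS:
        findings.append(("threat", "ioc-match"))
    if flow.dport in UNSECURED_PORTS:
        findings.append(("risk", f"unsecured-port-{UNSECURED_PORTS[flow.dport]}"))
    # Anomaly layer: departures from what the learning window established as normal.
    known_ports = baseline["ports"].get(flow.src)
    if known_ports is None:
        findings.append(("anomaly", "new-host"))
    elif flow.dport not in known_ports:
        findings.append(("anomaly", "new-port"))
    limit = baseline["volume_limit"].get(flow.src)
    if limit is not None and flow.nbytes > limit:
        findings.append(("anomaly", "volume-spike"))
    return findings


def triage(flows, baseline):
    """Return only the flows that produced findings, keyed by their index in the input."""
    return {i: ev for i, f in enumerate(flows) if (ev := evaluate(f, baseline))}


# Constructed post-baseline traffic covering the quiet case and each detection path.
NEW_FLOWS = [
    Flow("10.0.1.10", "10.0.0.5", 443, 1100),        # ordinary: known port, normal size
    Flow("10.0.1.10", "203.0.113.66", 443, 900),     # destination matches the indicator list
    Flow("10.0.1.20", "10.0.0.9", 23, 300),          # telnet: policy risk and a never-seen port
    Flow("10.0.1.10", "10.0.0.5", 443, 50_000_000),  # volume far above the learned limit
    Flow("10.0.1.30", "10.0.0.5", 443, 400),         # source host absent from the baseline
]

if __name__ == "__main__":
    base = learn_baseline(BASELINE_FLOWS)
    for idx, found in triage(NEW_FLOWS, base).items():
        print(f"flow {idx}: {NEW_FLOWS[idx]} -> {found}")
```

The ordering inside `evaluate` matters for a small team: rule hits carry a category ("threat", "risk") that says what to do, while baseline anomalies only say that something changed and still need a human to decide whether it is a new patch agent or something worse, which is the split between "prioritized alerts" and "things that opened our eyes" described later on this page.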
“What struck everyone is how we’re reading the data in real-time in our environment,” says Vander Velde. “Now that we are monitoring activity, we are seeing all activity, for example; risky web activity, all of our software update patches being sent out through various agents, new applications, and new ports being used. We can see everything that comes through the network, and we can research what is happening. Viewing this activity on our network has been a major ‘aha’ moment,” he says.
Deployed in 30 Minutes
By connecting to its existing technologies, CyGlass NDaaS was up and running in about 30 minutes.
“We got a baseline of what’s ‘normal’ fairly quickly and were able to align it with our defensive process and controls with rules. From a few prioritized alerts it was able to see critical threats easily. Then we really kicked the tires and found some things that opened our eyes a bit. Nothing that was malicious, but we found several applications that needed hardening,” says Vander Velde.
One revelation came when some potential malware was detected on an endpoint and mitigated by the bank's virus protection. CyGlass picked up the same attack and was able to tell the Bank where it originated, so the team could blacklist those IP addresses and protect all of its other endpoints.
Another exciting moment occurred when the team realized it would be able to monitor all of its Microsoft 365 traffic and get visibility into it. Many tools provide Microsoft 365 controls, but they do not have the AI or machine learning to find threats, just rules and templates. CyGlass gave the Superior National Bank team the visibility it needed, and the team can simply turn it on.
Managing the Service Provider and more
Banks are required to manage third-party risk from their service providers, and Vander Velde says there is a large number of regulations from a vendor management perspective. When service providers have unfettered access to networks, that is an added level of risk.
Previously, the Bank’s team could review Active Directory logs from its MSP but had no visibility into what the provider was doing in real time. With CyGlass, the team knows when software is being pushed over the network for installation and has complete visibility into Patch Tuesdays, or essentially any activity the ISP has undertaken.
Vander Velde said he is keenly aware of his fiduciary duty to know what occurs or has occurred on his network. As an example, his team employs several tools for virus protection and malware defense that routinely identify and stop activity as expected. In one incident some malware was caught at an endpoint and CyGlass identified the related network traffic that occurred including the originating website. This allowed the team to be more proactive in blocking risky sites before problems could arise downstream.
Solid Base For The Future
Vander Velde says that CyGlass NDaaS is delivering network visibility beyond his expectations, and in a way that is easy and affordable. The physical hardware to monitor the network of each branch alone, he estimates, would have cost around $20,000 per branch. He reports that the CyGlass algorithms are adjusting to changing operations and will become more accurate over time. The CyGlass technology promises to be particularly effective in detecting and identifying the behavioral patterns of ransomware attacks, should they become a reality.
Overall, Vander Velde says, “running such advanced network defense technology without having to add any staff is where the rubber meets the road for any CIO. It’s not just efficiency now but efficiency as we grow. As the Bank grows, CyGlass will keep getting better at doing what it needs to do.”