Published on 14 Mar 2013
"The IBM Security solutions have allowed us to pursue industry certifications, such as PCI and ISO 27001, as well as gain trust from our customers, which ultimately has led to greater wallet share." - Tony Spinelli, Chief Security Officer, Equifax
Managing Risk, SmartCloud - Foundation, Smarter Planet, Systems & Network Management
Working with IBM, Equifax is applying comprehensive security protection with advanced intelligence and analytics to stay ahead of threats. This work has helped Equifax remain a trusted steward of consumer and business data, as it has been for more than 100 years.
So it’s no surprise that Equifax executives have set the bar high when it comes to security, with a goal to achieve ISO 27001 certification across all its locations by 2013. To achieve this,
Equifax has undergone a ground-up security transformation, applying comprehensive protection with advanced intelligence and analytics to help staff uncover and stay ahead of threats.
● Increased revenue through greater customer trust ● Helped support ISO 27001 certification efforts ● Increased analyst efficiency through immediate access to actionable intelligence
Uncovering potential security threats before business is affected.
A global leader in information solutions, Equifax holds one of the largest stores of consumer and commercial data. So it’s no surprise that Equifax executives have set the bar high when it comes to security, with a goal to achieve ISO 27001 certification across all its locations by 2013. To achieve this, Equifax has undergone a ground-up security transformation, applying comprehensive protection with advanced intelligence and analytics to help staff uncover and stay ahead of threats. This work has helped Equifax remain a trusted steward of the world’s data—as it has been for more than 100 years.
Smarter Security: Using advanced intelligence to uncover persistent threats
Instrumented: Integrates system logs, security logs and application information into a single repository.
Interconnected: Combines historical data with near-real-time alerts to provide a big picture view of potential vulnerabilities and threats.
Intelligent: Analyzes data to uncover patterns and provide security staff with actionable information to stay ahead of both known and unknown threats.
As a global leader in information solutions, Equifax holds one of the largest stores of consumer and commercial data—income data, unemployment data, asset and wealth data, property data, credit scores, and much more. As a result, security is of paramount importance to both Equifax and the people and organizations it serves.
“We receive data from banks, utilities, and other organizations and we add analytics and information to it so our customers can make better decisions with greater confidence,” says Tony Spinelli, a security industry veteran who joined Equifax in September 2005 as chief security officer. “That data is provided to us because we’ve been a trusted steward of information for more than 113 years. With that trust, it is important that we have the best security in the world.”
Transforming security from the ground up
In late 2005, Equifax’s board of directors met with executives to discuss evolving security risks. At the time, most companies were concerned with closing vulnerabilities that hackers could exploit.
However, as criminals began to strategically target companies over a period of months, and even years, to steal data or intellectual property, Equifax executives recognized a more holistic approach was needed—one that would enable administrators to “put disparate pieces of information together” and uncover new threats from patterns of activity.
“Number one, we have to confirm that we have a strong network and that our servers have the right set of security,” says Spinelli. “Number two, we have to make certain that the applications serving our commercial and consumer entities don’t have weaknesses or vulnerabilities. Finally, we believe that security intelligence will differentiate us and allow us to proactively address a threat before a problem occurs.”
According to Spinelli, one of the goals that emerged from those 2005 conversations was a focus on exceeding ISO 27001 standards across its organizations worldwide. It was a mandate that led staff to re-examine every aspect of its security infrastructure and create a framework that could help the company stay ahead of both known and unknown threats.
Stopping Internet threats before they impact business
As part of its work, Equifax moved from a standard network detection model to an intrusion prevention framework using IBM Security Network Intrusion Prevention System software. The solution enables what Nick Nedostup, vice president of Security Operations for Equifax, calls “deep packet inspection” to identify malicious behavior and threats hidden within network traffic. Supported with intelligence on new threats from IBM® X-Force® Research and Development team, the solution helps Equifax proactively identify and prevent evolving threats.
“For almost six years, we’ve run in full intrusion prevention mode with IBM Security Network Intrusion Prevention System software and we haven’t had an instance with it stopping revenue traffic or good traffic,” says Spinelli. “It’s been a great solution for us in stopping bad traffic and it’s given us great confidence in how we operate.”
On the application side, Equifax uses IBM Security AppScan® software to uncover vulnerabilities and weaknesses across nearly 200 Internet-based applications.
“Using IBM Security AppScan software, we can effectively conduct dynamic scanning of our web applications to confirm we have all the right controls in place and that our applications are secure,” says Nedostup. “I need tools that provide best-in-breed security components, while, at the same time, are easy to use. In every case where we evaluated IBM products, they succeeded in defeating the competitors.”
Uncovering advanced persistent threats
For Equifax, maintaining the industry’s trust also required the ability to understand events in a larger context.
Nedostup explains: “We need to understand how many times an event has happened in the past, with what frequency, and by whom, so we can better determine whether the event is an anomaly or something that is posing as a persistent threat against our environment.”
To achieve this, Equifax used IBM Security QRadar® SIEM to combine historical data (system logs, security logs, application information) with real-time alerts and gain a big picture view of potential vulnerabilities and threats. The system can uncover patterns—such as unusual activity on a sensitive server—that Spinelli and Nedostup say humans are likely to miss.
“The IBM Security QRadar product has been fantastic in bringing us insight that we didn’t have previously,” says Spinelli. “It has also allowed us to gain efficiencies by providing our security analysts with actionable intelligence and information instead of having them have search through a haystack of information, trying to find something important. Together, the IBM Security solutions have allowed us to pursue industry certifications, such as PCI and ISO 27001, and gain trust from our customers, which ultimately has led to greater wallet share.”
The inside story: Getting there
What advice does Spinelli offer others who are looking to transform security within their organizations?
“The first lesson was to really involve the business—the CEO and the CEO’s direct reports,” he says. “Ask them what they want from security. Do they want a world-class security organization? Do they want to meet ISO 27001 standards? Get them involved and you might be surprised at the support you get.”
Second, he says, is to let executives know what to expect.
“One of the things that is counterintuitive about security is: If you put new security systems in and everything is getting better, you’ve completely failed,” Spinelli says. “What you should see from new security investments is a massive increase in security issues, because where you had blinders on before, you’re going to have massive visibility.”
● Increased revenue through greater customer trust
● Helped support ISO 27001 certification efforts
● Increased analyst efficiency through immediate access to actionable intelligence
● IBM® Security QRadar® SIEM
● IBM Security Network Intrusion Prevention System
● IBM Security AppScan®
For more information
For more information about Equifax, visit: www.equifax.com
© Copyright IBM Corporation 2013 IBM Corporation Software Group Route 100 Somers, NY 10589 Produced in the United States of America February 2013 IBM, the IBM logo, ibm.com, AppScan, QRadar, and X-Force are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates. The performance data and client examples cited are presented for illustrative purposes only. Actual performance results may vary depending on specific configurations and operating conditions. It is the user’s responsibility to evaluate and verify the operation of any other products or programs with IBM products and programs. THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided. The client is responsible for ensuring compliance with laws and regulations applicable to it. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the client is in compliance with any law or regulation. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that systems and products are immune from the malicious or illegal conduct of any party. WGC12350-USEN-00