by Arun Shankar

Bankmed scales competency in cybersecurity along with customer services

Jul 06, 2021

Deploying applications for security vulnerability detection and remediation protection has given Lebanon-based Bankmed confidence to move up the customer services ladder as well.


The Bankmed Group faced its first cybersecurity challenge in 2008, when it decided to modernise and add multiple banking channels to its operations. From that point on until today, the bank has found that every major IT project on its digital transformation journey — whether it be implementing a new core banking application or launching a new web service — brings with it a different set of cybersecurity challenges that require a refresh of its security applications and practices.

The Bankmed Group was established in 1944 in Lebanon and is a leading bank in the country, with 50 local branches. It has a presence in the UAE, Saudi Arabia, Iraq, Cyprus and Switzerland. Bankmed provides a range of banking services and uses multiple banking channels as well.

Bankmed follows a strict banking compliance requirement, known as the Banking Secrecy Law. This emphasises the role of cybersecurity and protection of all types of customer data.

While data protection is an obvious priority for financial organisations, Bankmed’s history of deploying new services illustrates how enterprises in all sectors need to match new customer offerings with appropriate security applications.

Bankmed added its digital banking channels and expanded its online operations for the first time in 2008. Before the bank could open its digital banking services for customers, it had to ensure its internal and external networks were free of vulnerabilities and hardened against threat attacks.

“We aimed to perform an inventory of all IP-connected assets on our networks, allowing us to identify and close up any potential attack surfaces,” according to Bassel Assah, Head of Infosec and Business Continuity at Bankmed.

Cloud setup eases Bankmed’s security journey

Qualys Vulnerability Management and Qualys Web Application Scanning were amongst the first solutions that Bankmed brought into its information security operations. Its setup through a cloud platform played an integral role in selecting the Qualys Platform at the time. It was a one-stop solution for everything the bank required back then, including scanning and management tests, Assah points out.

“The Qualys Cloud Platform offered intelligence and reporting capabilities in one secure, web-based portal, eliminating the need to spend time manually generating individual reports and emailing them to other application and system owners across the business,” Assah says.

Qualys Vulnerability Management scanned all IT assets and generated its reports. For Assah and his team embarking on their digital banking journey between 2008 and 2012, this type of vulnerability scanning was a first for them.

Once Bankmed started scanning their environment, they realised the importance of detecting all types of vulnerabilities, points out Hadi Jaafarawi, Managing Director, Middle East at Qualys. “They reached out to integrate other Qualys products so that they can look at vulnerabilities from a risk-based approach.”

The second solution, Qualys Web Application Scanning, helped in carrying out deep exhaustive scans of the Bankmed website. The solution allowed Bankmed to detect the OWASP Top 10 risks, such as SQL injection, XSS, broken authentication, and misconfigurations. These are the basic security vulnerabilities that need to be remediated before launching any Internet application.

Amongst the top use cases of the Qualys Web Application Scanning was the ability to scan APIs that connected mobile devices, databases and internet applications.

With these two applications from the Qualys Cloud Platform, Bankmed was able to go live in 2012 with its digital, mobile and omni-channel banking offerings.

Over the last 10-plus years, Assah and the team at Bankmed have crossed multiple milestones. Bankmed releases a new application every year as part of the bank’s digital journey, which is tested for vulnerabilities before launch. Qualys was also used for IT asset vulnerability testing when Bankmed acquired a new data centre.

How Bankmed meets compliance requirements

As part of the PCI-DSS compliance requirements, Qualys scans both the external and internal environment, and the report is used during the audit submission. Bankmed also used Qualys to meet the requirements for GDPR and SWIFT CSP (the customer service program for the SWIFT international banking alliance).

In the current IT environment at Bankmed, Qualys Web Application Scanning and Qualys Vulnerability Management also work in conjunction with each other. As a combination they can detect vulnerabilities in built-in applications and poorly configured ports, amongst others. Qualys Vulnerability Management also lists the vulnerabilities in the order of severity and helps to prioritise remediation for Bankmed.

One of the latest technology challenges that Bankmed faced was in 2018 and 2019, when it decided to move ahead from digital banking into the next generation of data-driven banking. Bankmed accelerated an initiative to move to a fresh core banking platform, including new web applications for digital banking services.

Once the decision was made to go ahead, there were a number of challenges that needed to be overcome. There was the upgrade of the data centre, servers and networking equipment, as well as new technologies for online banking, mobile banking, email and web applications. Along with the new core banking application, there was a change in the operating system and database as well.

The new infrastructure and the applications needed to be scanned and security hardened and there was a limited timeframe to launch the new core banking system.

Another reality check for Bankmed was the nature of threat actors it would face when it expanded its digital footprint into next generation web applications and data-driven banking, with the new core banking system.

Over the last 10 years, the cybersecurity attack vectors have changed. The attacks that Bankmed faced in 2008 and 2009 were very different from those that the new core banking system would be exposed to in 2018 and 2019. Bankmed had to ensure everything it was doing was up to date and that it had the right tools and knowledge to tackle those challenges.

“To launch the new core banking system and web applications within just 12 months, we had to rapidly scan, pen test and harden an entirely new datacentre architecture,” Assah says.

Bankmed decided to use a risk-based approach in reference to its core and perimeter asset inventory. It invested in new security controls, new configurations and a new security operation centre. But from its past experience, the most important risk-mitigating factor was to have the right tools in place to measure and validate the steps taken to improve cybersecurity.

The Qualys platform was used again to validate the Bankmed network, identify the risks, and protect the core and perimeter assets. Bankmed was now progressing towards building a mature information security program.

“When a Qualys scan of the new core banking platform revealed a large number of vulnerabilities, we knew that we needed to cut the time and effort required to prioritise, remediate and monitor the environment to meet the go-live target,” adds Assah.

To manage this phase of its progression into data-driven banking, Bankmed now uses Qualys Threat Protection, Qualys Policy Compliance and Qualys Continuous Monitoring, in addition to its previous two solutions.

Qualys Threat Protection was a game-changing solution for Bankmed since it provided an intelligence feed. The solution helped Bankmed to focus on which assets and vulnerabilities to tackle on a daily basis. The most critical assets for Bankmed are servers facing the Internet, since those are always under attack and need to be safe at every moment.

Automation helps make security more efficient

Qualys Threat Protection has helped Bankmed to prioritise remediation. It helps to focus on critical and high vulnerabilities, versus medium and low ones. With this solution, Bankmed leverages automation to rank its vulnerabilities by severity, assigns teams to fix them, and tracks their progress.

Qualys Continuous Monitoring helps Bankmed discover and monitor external assets. Any assets published on the Internet are the most vulnerable since they are the gateway into the Bankmed network. The solution helps to monitor expiring certificates and misconfigurations, and such alerts can be customised. It also helps the Bankmed team to automatically scan for new vulnerabilities on external-facing servers, enabling a proactive approach to emerging threats.

With these solutions in play as well as all the new applications, infrastructure and datacentre, Bankmed still faced the challenge of how to secure and harden the critical infrastructure in a timely manner. It has been a full infrastructure change as well as implementation of new technologies. There have been calendar milestones to be met and the process of hardening the servers was taking longer than expected.

With its next solution, Qualys Policy Compliance, the pace of server hardening picked up for Bankmed. They were able to correctly identify the hardening criteria and configurations for servers and built a golden copy of each of the servers.

Qualys Policy Compliance has ensured Bankmed’s core banking system is configured for maximum resilience against cyberattacks, and meets SWIFT and PCI-DSS compliance requirements on a quarterly and annual basis.

Using all five solutions from the Qualys Platform, Bankmed was able to complete the switchover to the new core banking solution and data-driven online and mobile services in the second half of 2020.

“Qualys’ solutions helped us to narrow down the list of vulnerabilities to the most critical and most exploitable threats,” says Assah. At the top of his recommendations is the ease of use in accessing information from the solutions. “We get the data on each threat and how to resolve it in one place, which makes for an extremely efficient remediation process.”