Customer story:

General auto finance company expands vulnerability program to encompass identity risks

CUSTOMER STORY

GENERAL AUTO FINANCE COMPANY EXPANDS VULNERABILITY PROGRAM TO ENCOMPASS IDENTITY RISKS

CHALLENGES

Incorporating identity risks into their vulnerability management program

Legacy applications can’t be feasibly supported by their Privileged Account Management (PAM) solution

Lack of continuous visibility into their privileged identity risks

SOLUTIONS

Deployed Illusive to regularly scan for identity risk

Incorporated results into existing vulnerability management and remediation

RESULTS

New awareness of substantial identity risks

Immediate improvement in risk posture

More comprehensive vulnerability program now addresses the #1 attack vector

THE ILLUSIVE TOOL HAS OPENED UP NEW INSIGHTS. WITHOUT IT WE KNEW WE SHOULD LOOK INTO THESE IDENTITY RISKS, BUT WE JUST DIDN’T HAVE A WAY TO DO IT.”

AVP IT Vulnerabilities

The company

A global provider of auto finance solutions. Working with consumers and auto dealers, they offer retail financing and lease programs, as well as commercial lending products to dealers to help them finance and grow their businesses.

IF YOU HAVE A LARGE, ON PREMISE INFRASTRUCTURE, WHERE YOU’VE BEEN USING ACTIVE DIRECTORY FOR YEARS, THERE ARE DECISIONS MADE LONG AGO, THE FORGOTTEN LANDSCAPE, WHERE VULNERABILITIES OFTEN EXIST. THERE’S LOTSOF TECHNICAL DEBT. ALSO, CLOUD MIGRATION AND M&A ACTIVITY INTRODUCE COMPLEXITY.”

SVP Global Cybersecurity Strategy & Operations

The challenge

The company has a large and diverse IT infrastructure, and challenges with legacy applications. Although they’ve implemented a Privileged Access Management (PAM) solution, it didn’t protect many legacy applications – especially ones that were too costly to upgrade or were scheduled to be decommissioned. There were also service accounts and exception administrative accounts that couldn’t be vaulted. The result was that the company couldn’t fully control privileged credentials and identities, or even have good visibility into potential identity risks. This was true for both IT administrators and also regular users.

The solution

The company saw Illusive as a major expansion of their comprehensive vulnerability management strategy. Traditionally, the company’s approach to vulnerability management had beenm focused on common vulnerability and exposure (CVE) and common weakness enumeration (CWE). But they were aware that configuration missteps were also creating many potential risks, so they had started tracking those as well – basically anything in their environment that caused cybersecurity risk, regardless of whether or not it had an associated CVE. Using the ISO 7-layer model as a guide, they reviewed their automated risk assessment approach to make sure it covered their entire IT environment – and identity risk management was the missing capability.

Driven by this realization, the companym implemented the Illusive solution for identity risk management at the start of 2021. Illusive integrates with the company’s Active Directory (AD) infrastructure, and it also scans each endpoint regularly to produce a repository of identity risk findings, which the company retrieves using Illusive’s API. The IT security team reviews these findings and meets with the IT vulnerability remediation team regularly, where together they execute and track risk-reducing changes to their environment. It’s a collaborative effort and they do their best to work as a partner to IT.

Associated with their vulnerability remediation efforts are SLAs that vary depending on the level of criticality, so that more critical items are highly prioritized.

The results

Immediately after implementation, the company could see improvements in their risk posture. After using Illusive for over a year now, the company typically sees several new critical issues a week, and they resolve them quickly. It’s generally people not thinking rather than something malicious, just someone making a mistake or being in too much of a hurry.

Asked what they’d do without Illusive, their team is somewhat stumped, given they don’t know any other way to get the kind of identity insights, especially into endpoints, that Illusive provides.

“M&A is a great case – doing a scan before and after integration. With Illusive I can tell how clean their environment is, and the amount of technical debt.”

Based on the successes I’ve had, and knowing our direction, I would recommend this to everybody from a vulnerability standpoint. Being able to visualize everything – both traditional vulnerabilities and identity vulnerabilities and misconfigurations –that’s where this tool comes in.”

“It only takes one identity vulnerability, just one, to bring your entire environment down. Any way I can shine another light on something like that adds value, particularly when you can see the risk and be able to reduce it over time. There are hundreds of thousands of doors that are now locked – that’s huge.”

SVP Global Cybersecurity Strategy & Operations.