CUNA Mutual Group teams up with NetSPI to better secure their IT infrastructure
Mark Glass
+
CUNA Mutual Group is a worldwide provider of insurance, lending, retirement planning, and asset management services for credit unions and their members.
The Challenge
The Solution
Based upon the strong initial success with the NetSPI consultants on the PCI project, and after the company had completed a second round of due diligence on NetSPI’s overall capabilities and reputation, CUNA Mutual Group decided to augment its security assessment/vulnerability program by aggressively expanding its existing service agreement with NetSPI. In addition to the original PCI compliance work started under the initial NetSPI agreement, the final security services agreement between CUNA Mutual Group and NetSPI includes regular ongoing penetration testing, application code reviews and the affiliated reporting and risk assessment consultations naturally associated with each of those individual tasks. As to the expanded contract, the customer put it this way, “We use NetSPI in more places, for more things, now more than ever.”
-
Penetration Testing (PTaaS) -
Financial Services, Insurance -
1k-5k -
Wisconsin, United States -
cunamutual.com
Keys for Managing Risk
Vulnerability Assessments
Early on, CUNA Mutual Group recognized that effectively managing the security risks to their IT infrastructure required routine vulnerability assessments and penetration testing services to discover, assess, prioritize and mitigate both internal and external threats to their environment. This included manual code reviews and the testing of critical environments.
Following a disciplined methodology More in-depth assessments require far less time for CUNA Mutual Group
Because NetSPI isn’t tied to any particular tools or tool vendors, the company has been able to develop an engagement methodology that ensures consistent, extremely in-depth, highly-effective vulnerability assessments for each and every one of its clients – project after project. To ensure the consistent use of this proven methodology by every one of NetSPI’s expert consultants on each and every engagement, the methodology is disciplined through the use of NetSPI’s industry leading vulnerability management and correlation technology. The use of the platform results in the most comprehensive testing and customer-centric reporting in the industry. Furthermore, by utilizing the platform, NetSPI’s consultants are also maximizing the efficiency of their testing efforts for CUNA Mutual Group. NetSPI teams spend the majority of all available work time focused directly on identifying, verifying and prioritizing vulnerabilities. This has resulted in more in-depth assessments in far less time for CUNA Mutual Group.
“While you may not like receiving some of the findings in the reports produced by NetSPI, you won’t be disappointed with the NetSPI team, their process, and the end results. Above and beyond the reporting, I found the NetSPI team easy to communicate with, and I was able to talk to them to pull out contextual information that is typically extremely difficult to capture in any report.”
Documentation and Reporting Clearly documented findings with prioritized suggestions
An absolute requirement of any well-managed vulnerability assessment program is thorough, consistent documentation, and the reports generated by NetSPI for CUNA Mutual have proven to be perfect for the group’s uses. For example, any time that penetration tests and vulnerability assessments are completed by NetSPI for CUNA Mutual Group, all of the findings for each engagement are clearly documented in a consistent/consumable approach, including a detailed “statement of opinion” with prioritized suggestions appropriate to and in full alignment with CUNA’s business mission. And to the delight of their sales and marketing teams, the unique NetSPI statements of opinion have also proven helpful in providing tangible evidence of the company’s due diligence in ensuring their clients’ sensitive information is secure. As CUNA Mutual Group’s PCI partner, NetSPI provides PCI-related reporting which can be handed over to the internal governance team and external auditors for review and acceptance.
Targeted Security Assessments Testing business-critical web applications
At the same time that they were performing their network security assessments with NetSPI, CUNA Mutual Group was also performing targeted application security tests with another code review vendor. Due to a large number of false positive findings, NetSPI was asked to take on that vendor’s role within the overall security program. In particular, the NetSPI team was tasked with doing manual code reviews and pentesting of software that delivers business-critical web services. NetSPI’s code reviews for CUNA Mutual Group, which are performed within the same overall methodology as the rest of NetSPI’s services, have been proven to produce far fewer false positives than the previous code review vendor.
Trusted Advisor – NetSPI NetSPI’s approach results in a long term relationships
NetSPI has quickly grown to become the true vulnerability assessment partner and trusted advisor that CUNA Mutual Group was seeking. NetSPI has become a full and active part of the CUNA team under an extended multi-year agreement – which falls outside of CUNA Mutual Group’s normal business practice of swapping out certain third-party security providers after no more than two years under contract.
A Big Tool Box Helps NetSPI uses the most effective tools in each situation
NetSPI utilizes proprietary, open source, and commercially available tools to best meet the needs of each engagement. NetSPI’s security consultants are comfortable and competent using a wide variety of open source, proprietary and commercially available tools that best meet the unique needs of each engagement. With the recognition that effective penetration testing programs involve much more than the use of a single tool looking for “known” vulnerabilities, NetSPI utilizes the right tool for the right technology and situation. This approach, coupled with broad security knowledge, extensive field experience and deep technical expertise, allows NetSPI’s penetration testing professionals to more effectively evaluate environments and applications for vulnerabilities, and provide the feedback and guidance to remediate effectively.
“Fewer false positives has meant less time wasted on CUNA’s side to validate/deny each item identified, which is why we brought NetSPI in as a replacement to the incumbent code review provider… In addition, we found that NetSPI’s written reports on their work helped make our software development engineers that much better at writing code.”
Explore More Success Stories
Quantum Health: Redefining Benefits Navigation with Proactive Engagement and Cost Savings
Information Security Officer
By simulating real-world ransomware attacks, NetSPI Detective Controls Testing delivered 11x ROI and strengthened ransomware defenses for Quantum Health.
Everywhen Partners with NetSPI to Elevate TLPT Standards and Build Unparalleled Trust
CISO, Everywhen
“NetSPI Red Team consultant’s transparency, attention to detail, and commitment to building strong relationships make them feel like an integral part of your internal team, not just an external vendor.”
EAB Global improves attack surface security within 15 seconds using NetSPI Attack Surface Visibility Solutions
CISO, EAB Global
“NetSPI Attack Surface Visibility has saved EAB Global time, money, and helped us mature our program by helping answer questions faster and more accurately.”