Case Study: How a Global Bank Seized Control of Network Access
CHALLENGE
A leading enterprise financial institution was having issues with rogue device detection. Specifically, they were unable to locate rogue devices quickly across their vast network. Further, they had difficulty understanding their full asset inventory. Previous attempts to solve the problem failed, which isn’t uncommon for financial institutions of this size. In enterprise organizations, finding efficient solutions to big problems is often time-consuming and has to work around organizational challenges. But it was one rogue device that spurred the company to take action and fix the problem once and for all.
“One rogue device was plugged in by an internal team during a test. It was detected but they weren’t able to locate it. Rightfully, this caused alarm among the security team. It was, in a way, the last straw,” said Philip James, GMI’s Director of Architecture and Integration. “This organization knew that one breach, caused by one attacker, via one rogue device, could wreak havoc on customers and compromise the entire organization.”
GMI, in conjunction with Cisco, worked with the client to create a reliable rogue device detection program throughout the organization. The bank was extremely worried about people (customers and employees) getting hardware devices on the network and hackers getting into their operations from those devices. For a bank with thousands of locations, the risk was extremely high for a bad actor to simply walk into a branch, plug in a device, and attack the entire system from there.
1.2 Million Endpoints
The project was one of the largest Cisco ISE 802.1X implementations, scaling to 1.2 million endpoints across all 5,800 banking centers and corporate offices globally for one of the world’s biggest financial enterprises.
SOLUTION
Cisco recommended GMI to help the institution solve this challenge due to the company’s specific expertise working with 802.1X, a Cisco product. James led the project with a team comprised of security experts from GMI, the client, and Cisco. “We worked in phases to integrate network access control tool Cisco ISE 802.1X across the global network. It wasn’t easy or fast.”
Phase 1
Phase 1 set out to accomplish basic network authentication. In an enterprise, this can be extremely complex. In this case, there were 25,000 network switches with 1M endpoints. It took nearly 2 years to complete this phase.
Phase 2
Phase 2 was to add in some features for authentication. “In Phase 2, we started to restrict what specific types of devices could receive various levels of authentication. We established differentiated access.” This helped the bank start to properly and quickly identify and locate rogue devices.
Phase 3
Phase 3 was about preparing for the future and moving all of this into next-generation technology. Integrating Cisco ISE enabled new security features that will safeguard the institution for years to come.
“At the end of the project, every computer and endpoint associated with the bank and all of its financial services brands was known, easy to locate, and was assigned proper network access. In total, there were 1.2 million endpoints globally across all 5,800 banking centers and corporate offices.”
OUTCOME
Finding rogue devices had become a major problem for the client, mostly due to their size. Today, the mean time to discover a rogue device is less than 15 minutes. Anything that doesn’t belong or hasn’t been authenticated within that time frame is shut out. “It’s a multi-generational program,” James said. “And it’s built to carry this institution for years to come. They are significantly more secure than they were 4 years ago when we started this project with Cisco.”