Catskill Hudson Bank
Key Business Needs:
Catskill Hudson Bank needed to secure its advanced network and sensitive data with trusted vulnerability protection and patch notification, reliable compliance auditing and customizable reporting.
Product(s) used: Tenable Nessus, Tenable Security Center (Tenable.sc™)
In only eight days, Tenable helped the bank deploy a Tenable.sc™ server, with a custom audit solution created by its engineers. Subsequently, the audit resulted in a perfect score, as well as the confidence that it was the solution the bank was looking for. In addition, Nessus® delivers scanning and audit capabilities that simplify and facilitate audits.
Founded: 1993
Branches: 12
Financial organizations are on the forefront of cybersecurity, being trusted with sensitive data while also being attractive targets for attackers. Catskill Hudson Bank made it a top priority to build one of the most secure networks in the industry. Their goals included:
- Flawless compliance audits
- Trustworthy vulnerability scanning
- Stable, repeatable operations
- Customized and easy-to-understand reporting
About the Catskill Hudson Bank
Catskill Hudson is a community bank with a world-class vision. Founded in 1993, Catskill Hudson has evolved into a technology-focused financial institution serving its business and consumer customers to help them thrive and grow. Headquartered in Kingston, New York, the bank serves the Catskills, the Hudson Valley, and the Capital District. The bank is subject to regulatory examinations from the Federal Deposit Insurance Corporation (FDIC) and the New York State Department of Financial Services (NYSDFS), along with adherence to regulations and standards from the Federal Financial Institutions Examination Council (FFIEC), the Gramm-Leach-Bliley Act, also known as the Financial Modernization Act of 1999 (GLBA), and the Payment Card Industry Data Security Standard (PCI DSS).
The Problem
Ted Tomita, Senior Vice President and Chief Technology Officer, has a goal of “building the most advanced banking network on the planet.” He teamed up with Time Warner Cable Business Class to build a unique, state-of-the-art network that is fast, resilient, redundant and secure. And when it came to securing his network-attached devices and applications, Tomita needed a partner who could provide the highest level of vulnerability protection, reliable compliance auditing, and customizable reporting. The financial industry is on the forefront of cybersecurity, dealing with multiple compliance requirements, breach and hacking threats, spear phishing, and social engineering attacks. Tomita explains, “We store a lot of very sensitive data that we can’t allow to leak out; we need an extremely secure network like no other.”
The Tenable Solution
In 2015, Tomita faced a difficult situation. Using previously purchased third-party security software, he and his staff of four security professionals were running compliance testing for a stringent GLBA audit but were noticing false positives in the report that would nullify their results. Under a tight compliance deadline, Tomita contacted Tenable for assistance. In just eight days, Tenable set up Catskill Hudson with a Tenable.sc™ server, running a GLBA audit solution created by Tenable engineers and providing clean reports. Their GLBA audit resulted in flawless scores, thanks to Tenable.sc. That trial convinced Tomita that Tenable was the security company he wanted to partner with.
Tenable has since addressed three major issues for Catskill Hudson:
Gamifying vulnerability scanning and patch management to improve team performance
Vulnerability management and patching are cornerstones of any good security program. The Catskill Hudson security analysts are compulsive scanners, scanning something nearly every minute of each day – tools, devices, software, applications. In fact, to motivate his team to improve network security, Tomita created a game of vulnerability management. He challenged his staff to find and fix as many vulnerabilities as possible, earning points for every vulnerability they remediated. For a year, the security analysts checked the nightly scans, patched during the day, and reran the scans to validate their fixes. Each morning, as the vulnerability score dropped, Tomita tallied up the points and recognized their accomplishments. Tenable.sc was easy to use and the team was very excited about the challenge.
When Catskill Hudson started regular scanning and patching, Tomita noticed a major discrepancy. “Our other patch management tools would tell us that the network was fine and that we were fully patched, but Tenable.sc would tell us that we were missing a patch. Invariably, when we researched the issue, Tenable.sc was right – it became the voice of truth for our network,” explained Tomita. And when Catskill Hudson systems were audited, the auditors were impressed that they were using Nessus® and Tenable.sc, providing validation and insight that the auditors trusted.
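The two practices described above, the nightly scan / daytime patch / validation rescan loop with points per remediated finding, and the cross-check of a patch-management tool's "fully patched" claim against what the scanner still reports, can be expressed as a small reconciliation script. The following is an added example written for this page; it is not Tenable's code, not Catskill Hudson's tooling, and not the Tenable.sc data model. It assumes a simplified finding record (host, check id, severity, and an optional missing-patch id), a constructed severity-to-points weighting (the page only says points were earned per remediated vulnerability), and constructed sample scan output with placeholder patch ids.

```python
"""Scan-patch-rescan scoring loop plus a patch-state reconciliation check.

Added example, not vendor or customer code. All hosts, check ids, patch ids
and the points table are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed weighting: points credited per remediated finding, by severity.
SEVERITY_POINTS = {"critical": 10, "high": 5, "medium": 2, "low": 1, "info": 0}


@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: int                    # scanner check identifier (constructed)
    severity: str
    patch_id: Optional[str] = None    # vendor patch the check reports missing


def key(f: Finding):
    """A finding is the same finding across scans if host and check match."""
    return (f.host, f.plugin_id)


def vulnerability_score(findings):
    """The number the team watches drop each morning."""
    return sum(SEVERITY_POINTS[f.severity] for f in findings)


def remediated(before, after):
    """Findings in the nightly scan that the validation rescan no longer sees."""
    after_keys = {key(f) for f in after}
    return [f for f in before if key(f) not in after_keys]


def new_findings(before, after):
    """Findings that appeared between scans (new checks, new hosts, regressions)."""
    before_keys = {key(f) for f in before}
    return [f for f in after if key(f) not in before_keys]


def tally_points(before, after, host_owner):
    """Credit points for each remediated finding to the analyst owning the host."""
    points = Counter()
    for f in remediated(before, after):
        points[host_owner.get(f.host, "unassigned")] += SEVERITY_POINTS[f.severity]
    return dict(points)


def reconcile_patch_state(patch_tool_says_patched, findings):
    """Hosts the patch tool reports as fully patched while the scanner still
    reports a missing patch. These are the discrepancies to research by hand."""
    disputed = {}
    for f in findings:
        if f.patch_id and patch_tool_says_patched.get(f.host, False):
            disputed.setdefault(f.host, []).append(f.patch_id)
    return disputed


# Constructed sample data: last night's scan and today's validation rescan.
NIGHTLY = [
    Finding("teller-01", 1001, "critical", "PATCH-PLACEHOLDER-1"),
    Finding("teller-01", 1002, "medium"),
    Finding("teller-02", 1001, "critical", "PATCH-PLACEHOLDER-1"),
    Finding("db-01", 1003, "high", "PATCH-PLACEHOLDER-2"),
    Finding("db-01", 1004, "low"),
]
RESCAN = [
    Finding("teller-01", 1002, "medium"),                      # still open
    Finding("db-01", 1003, "high", "PATCH-PLACEHOLDER-2"),     # patch not applied
    Finding("db-01", 1005, "info"),                            # new, informational
]
HOST_OWNER = {"teller-01": "alice", "teller-02": "alice", "db-01": "bob"}
# Constructed patch-management report: every host claimed fully patched.
PATCH_TOOL = {"teller-01": True, "teller-02": True, "db-01": True}


def morning_report(before=NIGHTLY, after=RESCAN):
    return {
        "score_before": vulnerability_score(before),
        "score_after": vulnerability_score(after),
        "points": tally_points(before, after, HOST_OWNER),
        "new": [key(f) for f in new_findings(before, after)],
        "disputed": reconcile_patch_state(PATCH_TOOL, after),
    }


if __name__ == "__main__":
    for name, value in morning_report().items():
        print(f"{name}: {value}")
```

The `disputed` entry is the practical output of the cross-check: a host that the patch tool calls fully patched but on which the scanner still reports a missing patch is the case the page says "invariably" turned out to be a real gap, so it should be queued for investigation rather than closed on the strength of the patch tool's report.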
Compliance auditing with confidence
Catskill Hudson must comply with multiple requirements from PCI, FFIEC, GLBA, FDIC, and NYSDFS. The Tenable.sc dashboards and Nessus audits make compliance audits routine. With so many requirements, Tomita sets up scans to address the most stringent regulations driven by the interagency standards from the FFIEC. Resolving an issue for FFIEC standards often also resolves a PCI issue. So they scan against the FFIEC requirements to guarantee compliance at all levels.
Catskill Hudson uses a third-party PCI Approved Scanning Vendor (ASV) for its annual PCI compliance validation assessment. But since waiting up to a year for the vendor to reveal potential problems is a bad practice, the team runs its own PCI scans monthly to find any PII (personally identifiable information) issues that should be addressed immediately. By running Tenable’s policy audits on a monthly basis, there are no surprises when the auditors come in for the annual assessment. Catskill Hudson routinely receives off-the-chart scores on the official validation tests.
Easily customized reports
As with most banks, Catskill Hudson has numerous in-house reporting requirements for the Board of Directors, executive leadership and the IT steering committee. Each group receives a different report with details relevant to their business needs. “Tenable.sc makes reporting a lot easier,” says Kevin S. McLaren, Executive Vice President and Chief Operating Officer. In fact, all the reports that Catskill Hudson uses are Tenable reports because “they’re a lot easier to read than the reports from our other security tools.” The team creates custom reports that include components from different Tenable dashboards and reports. And visual presentation is just as important; the Tenable.sc reports are perfect for presenting technical information to a non-technical audience, in that audience’s own business language.
The Results
Tomita characterizes Tenable.sc as “the voice of truth for our network, providing an additional layer of insight to hold ourselves accountable and to validate the success of our security program to our board of directors.”
Several key advantages that Tenable brings to Catskill Hudson include:
- Stability – Tenable.sc has been very reliable for Catskill Hudson. “When you run an 8-hour scan, you don’t want it to fail after 7 hours. The stability of Tenable.sc is unparalleled.”
- Support – From pre-sales demonstrations, through trials, to ongoing customer support, Tenable is with a customer every step of the way. Technical support is just a phone call or message away.
- Sales professionals – Tenable sales professionals are knowledgeable and responsive, understanding Tenable products as well as customer business needs.
- Name recognition – Compliance audits run smoothly. Auditors know Tenable and trust Nessus scans.
Next Steps
This year, Catskill Hudson plans to move up to Tenable.sc Continuous View™ as a comprehensive security solution, including log correlation, event management and continuous monitoring for a “live view” of their security posture at any given moment.
Tomita summarizes his thoughts: “I set the bar extremely high and Tenable helped us achieve our goal of building one of the most advanced networks in the banking industry.”