Long-term cooperation between OTP Bank, one of the leading financial institutions of Ukraine, and Check Point, a provider of comprehensive security solutions, has allowed the bank to modernize and significantly improve its multilevel protection of IT systems, adapt quickly to the “new realities,” and look to the future with confidence. Secure digital services for customers.
The history of the Ukrainian OTP Bank goes back almost a quarter of a century: the financial institution was established in 1998 and began operating under the name Raiffeisenbank Ukraine, which was acquired in 2006 by the Hungarian OTP Bank. The new owner is the largest bank in Hungary, with a market share of about 25%. In turn, OTP Bank is one of the ten leading financial institutions in Ukraine; by decision of the NBU, it has been included in the list of systemically important banks of the country since 2019.
OTP Bank is a universal bank with a full range of services for corporate and private clients. It is currently the core of the financial group, which also includes an asset management company and a leasing company. The financial institution has a network of 85 branches across the country, serving more than 1 million retail customers.
OTP Bank has a reputation as a reliable institution that offers consumers European-quality services in the Ukrainian market, in part thanks to the constant introduction of new digital services and the development of electronic banking.
In 2017, in the course of its digital business transformation and in parallel with the development of online and mobile banking services, OTP Bank launched several projects to modernize the protection of its information systems. The precondition was the obsolescence of the existing corporate network security tools. Before that, the institution used the Cisco ASA solution, which belonged to the previous generation of firewalls and lacked several important features of next-generation firewall systems. In addition, at that time the bank had nothing in place to counter zero-day attacks.
When a business begins to use information technology to interact with customers, especially for financial transactions, that IT must be built on technology capable of countering modern attacks, protecting systems from unauthorized access, and ensuring the confidentiality of bank and user data.
The choice of the new solution was preceded by a thorough analysis of the market, including one based on tests by the independent NSS Labs, to determine the list of leading vendors, from which four candidates were later shortlisted. The main focus of the selection was the system’s ability to detect and block malware and 0-day exploits in network traffic.
The bank’s staff conducted testing to assess the effectiveness of protection as well as such important factors as the complexity of the solution, ease of administration, and the possibility of integration with the bank’s existing systems. To do this, the bank’s experts developed several test malware exploits that simulate the most common techniques of penetration and spread across the network. Priority was also given to pre-prevention, detecting and blocking malware before it reaches the network, over post-prevention. These are two slightly different approaches to antivirus analysis of a data flow. In the first, content is held back and not allowed into the network until its analysis is complete. The alternative approach lets the content into the network and then blocks it, based on the results of post-analysis, if a threat is identified.
The Check Point solution showed the best results in detecting and neutralizing the test malware kits. This was the main factor in the decision in its favor, even though the bank previously had no experience with this developer’s products.
From the beginning of the implementation until today, the project has been supported by the company “WORLD IT,” which holds CCSP (Check Point Certified Support Provider) status. Three specialists took part on the integrator’s side; on the bank’s side, a separate project team of IS, IT, and business specialists was formed to implement the solution, since the bank’s Internet access node was being replaced.
Because the project was carried out on the bank’s live working infrastructure, the conditions for its implementation were very strict: migration from the existing security system to the Check Point Security Gateway 5600 cluster took place in a very tight maintenance window of only 45 minutes, because the bank could not afford long downtime. Even when it is night in Ukraine, somewhere in another part of the world there are bank customers using its services.
The project was implemented in close cooperation between the integrator’s specialists and the bank’s network infrastructure and information security departments. This made it possible not only to make full use of the capabilities of the Check Point solution but also to extend them somewhat: later, several requests from OTP Bank were processed to add functions the customer needed to the vendor’s products.
The bank adheres to the principle “for an employee to be effective, he must be trained.” Therefore, at the initial stage the integrator conducted basic training of the bank’s specialists in its laboratory, and they acquired the remaining skills during the project. This approach allowed the Check Point solution to be implemented effectively in a working, large, and complex banking system.
The implementation of the Check Point complex took place in stages. First, protection of the network perimeter was implemented and access policies were set up, both inside the bank and outside. The Check Point NGFW was later integrated with the bank’s existing SIEM system to automate the detection of and response to typical attacks, such as network scans or attempted intrusions using known attack methods.
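One way to build the network-scan rule that such a SIEM integration automates, as an added example that is not OTP Bank’s or Check Point’s own code: it parses constructed key=value firewall drop events (the field names and line format are assumed, not a verified export format) and flags a source that probes many ports on one host, or one port on many hosts, inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-style key=value export (the field names
# time/action/src/dst/service are assumed, not a verified Check Point format).
SAMPLE_LOGS = """\
time=2021-03-01T02:00:01 action=drop src=203.0.113.5 dst=10.1.0.10 service=21
time=2021-03-01T02:00:01 action=drop src=203.0.113.5 dst=10.1.0.10 service=22
time=2021-03-01T02:00:02 action=drop src=203.0.113.5 dst=10.1.0.10 service=23
time=2021-03-01T02:00:03 action=drop src=203.0.113.5 dst=10.1.0.10 service=443
time=2021-03-01T02:05:10 action=drop src=198.51.100.7 dst=10.1.0.11 service=445
time=2021-03-01T02:05:10 action=drop src=198.51.100.7 dst=10.1.0.12 service=445
time=2021-03-01T02:05:11 action=drop src=198.51.100.7 dst=10.1.0.13 service=445
time=2021-03-01T02:05:12 action=drop src=198.51.100.7 dst=10.1.0.14 service=445
time=2021-03-01T02:07:00 action=accept src=192.0.2.9 dst=10.1.0.10 service=443
time=2021-03-01T02:07:30 action=drop src=192.0.2.9 dst=10.1.0.10 service=8080
time=2021-03-01T02:30:00 action=drop src=192.0.2.9 dst=10.1.0.10 service=8443
time=2021-03-01T02:30:01 action=drop src=192.0.2.9 dst=10.1.0.10 service=9000
time=2021-03-01T02:30:02 action=drop src=192.0.2.9 dst=10.1.0.10 service=9090
"""

KV = re.compile(r"(\w+)=(\S+)")  # one key=value token per field

def detect_scans(log_text, window=timedelta(seconds=60), threshold=3):
    """Map src -> {'vertical', 'horizontal'} when dropped connections within any
    sliding window touch more than `threshold` ports on one host or hosts on one port."""
    drops = defaultdict(list)
    for line in log_text.splitlines():
        ev = dict(KV.findall(line))
        if ev.get("action") != "drop":
            continue  # only blocked attempts feed the scan heuristic
        t = datetime.fromisoformat(ev["time"])
        drops[ev["src"]].append((t, ev["dst"], ev["service"]))
    alerts = defaultdict(set)
    for src, events in drops.items():
        events.sort()  # chronological, so each window starts at an event
        for i, (t0, _, _) in enumerate(events):
            in_win = [e for e in events[i:] if e[0] - t0 <= window]
            ports_by_host = defaultdict(set)
            hosts_by_port = defaultdict(set)
            for _, dst, port in in_win:
                ports_by_host[dst].add(port)
                hosts_by_port[port].add(dst)
            if any(len(p) > threshold for p in ports_by_host.values()):
                alerts[src].add("vertical")    # many ports on one host
            if any(len(h) > threshold for h in hosts_by_port.values()):
                alerts[src].add("horizontal")  # one port across many hosts
    return dict(alerts)
```

The third source in the sample touches four ports on one host but never more than three inside any 60-second window, so it is not reported; the window is what separates slow, legitimate retries from a scan.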
The bank then decided to activate file emulation in the “sandbox” to protect against targeted and “zero-day” attacks. The inspection covered all files that the bank’s employees downloaded via the web or received by e-mail. Subsequently, the patented CPU-level detection technology used on all SandBlast-type Check Point devices repeatedly made it possible to detect dangerous attacks at an early stage.
The third stage of building the protection complex was the deployment of Check Point Endpoint Security on employees’ workstations. This is an important stage of the project, as the bank’s employees are located throughout Ukraine and actively use laptops for mobility. The main task of Endpoint Security is to provide the same level of protection for employees who are outside the corporate network, especially when the device is offline.
The project had a high level of complexity because the Check Point solution was integrated with operating banking systems that have very strict service quality indicators. Any delays in the analysis of network traffic were unacceptable. Sometimes it was necessary to conduct independent research to clarify how the information systems behave when working through the firewall, the ability to inspect their traffic, and its impact on the quality of service.
“We had to set tasks for information systems development teams, overcoming natural resistance and unwillingness to change anything. Many compatibility issues were also resolved, such as the SandBlast Agent with the software used in the bank,” said Dmytro Yanishevsky, Head of Information Security at OTP Bank.
The key feature, and even the “highlight,” of the project was the set of integration mechanisms with the bank’s infrastructure: the implementation of a role model of access to Internet resources and integration with the bank’s PKI. Out of the box, such solutions either do not work or work only with a basic set of features. The greatest effect is achieved through integration with existing infrastructure solutions, such as the SIEM system, which, for example, made it possible to automate the process of incident handling.
“It is also possible to note difficulties; projects of such scale cannot go smoothly. In the implementation process, questions arose that required clarifications and non-obvious answers, which needed additional time,” Dmytro Yanishevsky also noted.
Speaking about the composition of the solution, the bank chose an on-prem scheme, taking into account that the institution’s main infrastructure is also located in its own data centers. The implemented solution included a fault-tolerant cluster of next-generation Check Point 7000 NGTX firewalls, a Check Point TE1000 0-day attack protection appliance, SandBlast Agent endpoint protection agents, a proxy server, and a Mobile Agent access point for mobile users. The system is fully integrated with the mail server and other infrastructure elements of the corporate network. A little later, the bank introduced Capsule Workspace, a secure application for working on mobile phones.
“It should be noted that a less powerful solution (the 5600 series) was implemented at the start of the project. But due to the need to provide mass remote work last year, the bank decided to migrate to the 7000 series under the trade-in program,” adds Dmytro Yanishevsky. All this allowed the bank to adapt quickly to the “new reality” during COVID-19.
Thus, the protection of the bank’s network infrastructure has been brought to a qualitatively new level. The introduction of Check Point technologies has made it possible to build multilevel, tiered protection that complements the other solutions and information security systems operated in the bank. As a result, today OTP Bank has one of the most advanced protection systems among Ukrainian banks.
But the development of the system does not stop. The immediate tasks relate to developing the functionality of the Capsule Workspace application and securing access to the bank’s resources. There are also plans to test a new solution in Check Point’s portfolio, CloudGuard AppSec. It is designed to protect web applications and the APIs used for communication between the client application and the server, including protection against attacks and fraud targeting mobile applications and online banking.