Equitable Bank (EQB) takes its reputation as Canada’s Challenger Bank very seriously. Determined to outstrip its current place as the nation’s eighth-largest bank, the company zealously guards data security but also works hard to preserve the agility it needs to innovate quickly. When a Mandiant Red Team cybersecurity test revealed weaknesses in its security defenses, EQB took action. It replaced two security information and event management solutions with Microsoft Sentinel and deployed Microsoft 365 Defender solutions to cover endpoints, identities, and cloud apps. After experiencing startlingly improved results from its second test a year later, EQB knows it’s on the right track. Its Microsoft deployments—and its innovative spirit—continue.
“The difference we achieved in security after installing Microsoft 365 Defender and Microsoft Sentinel was very affirming for the team. We had 16 detections compared to 1 the year before, and each of those detections sparked investigations by our security operations team.”
Andrew Vezina, Vice President and Chief Information Security Officer, Equitable Bank
Equitable Bank (EQB) leaves nothing to chance as it plots its upward trajectory. Living up to its title as Canada’s Challenger Bank, the company was named the #1 Bank in Canada on the 2021 and 2022 Forbes list of the world’s best banks. EQB seeks to drive change in Canadian banking to enrich people’s lives, and this mission comes down to one thing: trust. That’s why EQB anchors the agility and innovation it needs to challenge traditional banking in the security enhancement it achieved with Microsoft 365 E5 security solutions. These include Microsoft Defender for Endpoint to monitor its servers and workstations, Microsoft Defender for Identity to find vulnerabilities affecting its users and its legacy environment, and Microsoft Defender for Cloud Apps to protect applications such as Microsoft Teams. It protects both its Azure and on-premises environments with Microsoft Sentinel, creating a unified, easily managed environment—a contrast with its previous multivendor security environment. Most importantly, the new approach proved its merit over the previous iteration when EQB challenged its security posture with a Mandiant Red Team test, improving on the previous system’s discouraging result with 16 detections and thwarting lateral infiltration.
Sustaining the magic—safely
Andrew Vezina regards his role as Vice President and Chief Information Security Officer at Equitable Bank as one of enabling the company’s ambitions. “Customer trust is essential to our success and our future growth,” he insists. “Our security team’s goal is to protect this trust and preserve our ability to grow and achieve our goals.”
On the other side of the growth equation, EQB’s Technology teams innovate at pace, moving ahead of competitors with a development speed that’s atypical in the industry. “As we build on and improve systems, our security team wants to sustain the magic—the fast decision making, fast development, and fast product releases that we prize at EQB,” says Vezina. “We design all of our capabilities to avoid the friction and slowdowns imposed by security teams in other organizations.” He emphasizes the key principle his team follows to walk that line: continual learning and improvement.
Simplifying across the landscape through vendor consolidations
As part of the company’s continual improvement activities in late 2020, Vezina’s push to simplify vendors uncovered multiple security vendors supplying overlapping functionality, while the bank still lacked a fully capable endpoint detection and response (EDR) solution. “We had three security-oriented endpoint agents, and when we began to consider a fourth agent to implement an EDR platform, we realized that Defender for Endpoint could supply all that functionality,” he recalls. “We replaced them all, deploying Defender to all of our servers and workstations and avoiding an EDR purchase.”
That single move transformed technology management for EQB. “Now that we have Defender for Endpoint, we follow the roadmap, life cycle, and release cycle for one solution rather than four,” says Vezina. His team applied the same strategy to its security information and event management (SIEM) solutions. EQB previously protected its on-premises systems with one SIEM and its cloud environment with a different SIEM product. Apart from the complexity, the team wanted to improve its 55 percent secure score for servers sending logs to the SIEMs. Its best efforts lifted that score only into the 70s. In June 2021, the team implemented Microsoft Sentinel for on-premises log sources, replacing the on-premises SIEM solution, and following this success, the team also replaced the cloud SIEM solution in December 2021. “Our server logging shot up to the ninetieth percentile shortly after we migrated to Microsoft Sentinel,” says Vezina. “With our Azure environment and Microsoft Sentinel, it’s easier to connect and manage log data, and it’s much simpler to use.” The company has migrated 70 percent of its workloads to Azure and plans to be a 100 percent cloud-based bank by 2026. “We plan to be fully in the cloud—the first bank in Canada to accomplish this,” adds Vezina.
Challenging cybersecurity defenses with a Mandiant Red Team simulation
Vezina wasn’t about to wait for a real cyberattack to assess the effectiveness of EQB’s cybersecurity. In the fall of 2020, his team arranged a Mandiant Red Team attack simulation to help the team understand and remedy the bank’s vulnerabilities, asking the red team to find and exfiltrate a set of personal data. The red team couldn’t breach perimeter protections, and its phishing attempts failed, so the simulation shifted to an assumed compromise in which EQB provided an initial foothold in the environment. From there, the red team achieved lateral movement, moving through multiple steps to establish a secondary foothold in EQB’s systems, an achievement that would give a real-life attacker exactly the position needed to carry out malicious objectives. That simulation prompted only one detection from the security tools that EQB’s security operations center (SOC) was using at the time. “It was a wake-up call for our team,” recalls Vezina. “And the only detection that came up looked like a false positive to our SOC.”
A year of extensive cybersecurity renovation followed. The team replaced both SIEMs with Microsoft Sentinel and deployed Defender for Endpoint, Defender for Cloud Apps, and Defender for Identity, bringing extended detection and response (XDR) capabilities that integrate and automate threat detection and response across endpoints, apps, and identities. It also began implementing Zero Trust policies. Vezina reorganized the security team to create a dedicated group for detection and response. Then in fall 2021, Vezina invited the Mandiant Red Team for a return engagement. This time, the red team’s objectives were expanded beyond simply stealing data to include installing malware. The results were dramatically different.
Turning the tables with Microsoft SIEM plus XDR
The Mandiant Red Team attacked the EQB perimeter without success and likewise failed to access the bank’s data by phishing employees. This time, as the simulation transitioned to an assumed compromise, Vezina provided two workstations as an initial foothold for the red team. An EQB team member who was helping with the simulation installed a file from the red team that created an entry point on both workstations. The first workstation to be tested was used by an employee who had transitioned to the bank’s new Zero Trust architecture, accessing EQB applications exclusively via the internet with strong authentication and authorization and no access to EQB’s internal network. After one day of persistent attack, the Mandiant Red Team couldn’t move laterally into any other system and was limited to accessing some data on that user’s workstation.
The second workstation presented the red team with a completely different situation: an employee who works in the previous architecture accessing EQB applications via the corporate network both when working from home and from the EQB office. Within hours, the team gained access to other devices and identities. While the system was infiltrated, the happy news lay in the number of detections coming in from all the Microsoft Security solutions deployed throughout the environment, especially given that the full Microsoft Security solution wouldn’t be fully installed until late 2022. The EQB security team was highly proactive, making the most of the visibility that its XDR tools offered. “The difference we achieved in security after installing Microsoft 365 Defender and Microsoft Sentinel was very affirming for the team,” says Vezina. “We had 16 detections compared to 1 the year before, and each of those detections sparked investigations by our security operations team, who hotly pursued the Mandiant Red Team.”
Seven of the detections came from Defender for Identity. “Defender for Identity outperformed our expectations,” recalls Vezina. “It detected multiple red team attacks against our on-premises identities during our simulation. We could follow much of the attack progress on the Defender for Identity portal. There was no noise and no false positives.” Through Defender for Identity, the team received alerts including suspected exposures, suspicious system owner and user activity, and suspicious communication over DNS servers. The team had several alerts from Defender for Endpoint, installed principally on EQB servers at the time, and two from Microsoft Sentinel and Defender for Cloud Apps, which were then only in the early stages of deployment. Now working on correlating its SIEM rules with events from these sources, the team has been adding more Defender for Endpoint and Defender for Cloud Apps capabilities throughout 2022, and it will also expand EQB security with Microsoft 365 E5 insider risk management capabilities.
The 2021 red team tests validated the path that Vezina and his security operations team have set, but he’s adamant that the journey is by no means over. The EQB team will continue to learn and improve its practices and extend its Microsoft Security tooling while continuing its cloud migration. “The security improvements we achieved with our Microsoft tooling validated our confidence that we’re on the right track,” concludes Vezina. “We’ll continue to test and improve, and we’ll give red teams bigger challenges in the future.”