October 18, 2022

ING uses Microsoft Security solutions to reimagine banking for a digital audience

ING’s global presence and historical growth have propelled it into the top 50 banks of Europe, but that achievement created a need for efficiency improvements for its operational teams. The bank’s corporate IT team struggled to coordinate IT departments operating independently around the globe. That lack of unity hampered the progressive corporate IT team’s commitment to staying ahead of cyberthreats and ensuring compliance in a heavily regulated space. But now, it’s leading the charge toward a consolidated, well-coordinated IT landscape with a comprehensive rollout of Microsoft Security solutions. Those initiatives are paying big dividends—greater efficiency and ease for IT security teams coupled with greater visibility throughout the estate for a more easily managed, future-ready security posture.


“We consider it a game-changer that Microsoft 365 Defender combines signals for threat hunting because it connects data from the identity and endpoint perspectives to pinpoint truly malicious events.”

Krzysztof Kuźnik, Product Owner, ING

If the challenges posed by diverse technical environments, global regulations, and an evolving cyberthreat landscape were currency, ING might be an even bigger financial institution than it already is. The bank is a significant player in the international banking industry, ranked eleventh on the Insider Intelligence list of the top 50 biggest European banks in 2022. ING owes its growth to the combination of progressive technology with traditional financial sector practices. That’s why it turned to Microsoft Security solutions for a centralized and consolidated approach to protecting its digital assets across private, public, and multicloud environments in what had traditionally been a fragmented landscape.

Building on the past to create future success

The orange lion that symbolizes ING evokes a proud history, with the oldest business in its portfolio tracing its origins to 1762. Symbolizing the Netherlands through both its orange color and the country’s lion emblem, present-day ING itself rose from a merger between two prominent Netherlands companies—a bank and an insurance company—in 1991. Since then, ING has grown into one of the world’s leading digital banks, with more than 57,000 employees serving over 38 million customers in more than 40 countries.

From the beginning, the company has prioritized innovation, introducing customer-empowering advances like branchless banking and mobile banking applications. “Internally, we refer to ourselves as an IT company with a banking license,” says Przemyslaw Wolek, Global Tribe Lead for IT Security at ING. Wolek and his team of 300 engineers cope with the legacy of multiple mergers and acquisitions that have shaped present-day ING. The team regards itself as an enabler of a more agile, effective organization overall. “Consolidation lies at the heart of our strategy for ING,” continues Wolek. “Unifying infrastructure is a no-brainer. Most significantly, we want to unify business processes so that we can truly be one company, sharing technical components as much as possible.”

Over the past 10 years, ING’s corporate IT team has systematically centralized the bank’s IT estate, combining most of its on-premises datacenters in a private cloud, removing legacy applications, migrating user accounts into a single instance of Azure Active Directory, and standardizing applications. Additionally, ING is in the process of replacing ArcSight with Microsoft Sentinel.

The COVID-19 pandemic fueled the bank’s need for an accelerated digital transformation rollout. In addition to the shift toward hybrid work, ING realized that customers were also becoming more reliant on digital interaction. “We understand that traditional banking is no longer a thing—we need to be fully digital, fast, and immediately available for our customers, wherever they are,” says Wolek. “Today’s customers want banking services to be flawlessly delivered on any platform.” That anywhere, anytime demand pointed ING clearly to the cloud.

Creating a unified, multicloud estate with Microsoft Security solutions

ING uses Microsoft Azure, Oracle Cloud, and Google Cloud Platform to manage its compute, security, and data analytics needs. From the lens of security, Microsoft Defender for Cloud provides a single pane of glass view into ING’s multicloud environment, which is achieved by using Azure Arc to capture all the logs and signals from its platforms. Microsoft Sentinel then analyzes the logs and signals, enabling the company’s security analysts to review and respond to potential threats quickly and proactively.

The bank is now preparing to adopt a more future-proof software as a service (SaaS) solution. “We’re embracing an SaaS-based security vision,” says Wolek. “Microsoft is very strong in that area, and we believe that Microsoft Security solutions offer a lot of value out of the box.” ING regards Microsoft Sentinel as the ringmaster solution it can use to coordinate data streams from its diverse clouds. “We’ve made Microsoft Sentinel our primary source for analytics,” explains engineer Piotr Pociecha, Product Owner at ING. “Compared with our previous on-premises SIEM, Microsoft Sentinel isn’t only fast to set up and seamless to use—it’s very scalable.”

Adds Krzysztof Kuźnik, Product Owner at ING, “We want our analysts to spend most of their time on the Microsoft Sentinel console. We appreciate the Microsoft Sentinel product team’s support in addressing our challenges with security orchestration, automation, and risk.” He regards Microsoft Sentinel capabilities as a further refinement to manage the thousands of security events per second that ING ingests. “We can heighten detection efficiency by streaming data from multiple systems to a data integration layer we create within Azure Databricks,” explains Kuźnik. “That layer ‘reads’ those alerts and creates supervised machine learning models. The results from those models then become incidents in Microsoft Sentinel.”

Building consolidated and layered security with the Microsoft Defender suite

Having engaged with Microsoft for an endpoint protection solution prior to the pandemic, ING expedited the rollout of its extended detection and response (XDR) strategy, starting with Microsoft Defender for Endpoint. Wolek was excited about the contrast between that project and his experience rolling out monitoring solutions like those previously used, which required intense engineering effort. “Right out of the box, Microsoft Defender for Endpoint detected events without a lot of involvement from our engineers and fulfilled our expectations completely,” he recalls. “We greatly enhanced our agility, too, with the speed of consumption we get now that our engineers have the flexibility to add ING-specific intelligence to the solution.”

It doesn’t stop with endpoints. ING takes advantage of the full scope of Microsoft 365 Defender, including email protection. The team can now better recognize phishing attempts and block them right from the start, building on its own intelligence by using query data to identify additional risks. The effectiveness of having a centralized environment frustrated red teams. “The visibility we have with Microsoft 365 Defender is key to protecting our assets,” notes Kuźnik. “Our red teams accused us of cheating—they thought we’d found a way to access their strategies.”

For fellow engineer Pociecha, the flow of telemetry in Microsoft 365 Defender across asset types is vital in identifying potential attackers, and the visibility it provides is critical to the bank’s emphasis on proactive cybersecurity defense. “A single layer of detection isn’t strong enough and is prone to some level of false positive,” recounts Kuźnik. “If we see activity from just an endpoint, it might be malicious, it might not be. On the other hand, Microsoft 365 Defender correlates signals across endpoints, email, documents, identity, apps, and more, so if we see a file was downloaded from an endpoint and emailed to someone outside of our organization, it’s a strong sign of malicious activity.”

“Our entire estate is covered because of the telemetry we receive across Microsoft 365,” says Pociecha. “It’s all available through a single pane of glass, and that has been critical to raising proactiveness and improving our security posture.”

Adds Kuźnik, “We consider it a game-changer that Microsoft 365 Defender combines signals for threat hunting because it connects data from the identity and endpoint perspectives to pinpoint truly malicious events.” He feels that the bank has virtually eliminated phishing as an attack vector. “The ability to investigate a file highlighted by a Defender for Endpoint alert with the file prevalence capability—my favorite—makes it easy to understand where the file was seen in the organization. We haven’t had a solution like this before.” Kuźnik’s enthusiasm for the XDR solution relates to how it can be used for multistage incidents. Monitoring endpoints alone can create a high number of false positives, he explains, but the combined data flowing from the entire Defender suite is a powerful cybersecurity defense differentiator.

Investing in the future: What’s next for ING

As ING moves forward with its consolidation and cloud strategy, improving its large private cloud estate and compliance remains top of mind. Running a hybrid cloud environment in a global landscape calls for simplification, which ING missed when it relied on McAfee’s data loss prevention solution. With its intense focus on meeting every regulatory requirement, ING is testing Microsoft Purview Data Loss Prevention to ensure that the team can define and review different policies. The team is also looking to deploy Microsoft Purview Compliance Manager in early 2023. “With Compliance Manager, we get easy monitoring and easy implementation, and it fully coordinates with our Microsoft 365 estate and all of our Microsoft Defender solutions,” says Wolek. Finally, ING is evaluating the scalability and capabilities of Microsoft Defender for Servers to monitor and protect the thousands of servers in its private cloud environment.

In a business where security is nonnegotiable, ING’s choice is clear. “We can’t compromise on security—it has to be bolted on,” concludes Wolek. “Our technology of choice today is Microsoft. It interacts nicely with our environment and offers the roadmap that we can follow to optimize our effectiveness.”
