Fukuoka Hibiki Shinkin Bank

Benefits of Tenable Adoption

• Improved visualization of Active Directory
• Organization of dormant accounts and ease of configuration management and control

Interviewees

Fukuoka Hibiki Shinkin Bank:

Mr. Atsushi Yoshida, Executive Officer, General Manager of Systems Department & Head of DX Promotion Office
Mr. Masayuki Miyaji, Senior Analyst, Systems Department

Concern over misconfiguration risks in Active Directory

Q: Can you tell us about your cybersecurity program at Fukuoka Hibiki Shinkin Bank? For example, do you implement your program according to the Guideline for Cybersecurity in the Financial Sector, as set out by the Ministry of Finance in October 2024?

Mr. Yoshida: We were already working on cyber hygiene as an important aspect of cybersecurity before the Ministry of Finance’s guideline was published. As we are entrusted with our customers’ assets, we consider maintaining cyber hygiene to be a prerequisite for our operation. Especially with many customers using our online services, IT security is important to protect our network, cloud environment and identity. We have also been referring to the guideline since its publication in order to implement our security measures.

Q: Can you tell us how you came to adopt Tenable Identity Exposure? What were the challenges you wished to resolve?

Mr. Yoshida: As we configured Active Directory ourselves, we had some concerns about potential vulnerabilities and misconfiguration. We had penetration tests done, but only once a year, so we felt there was a need to increase its frequency. There was a case in the past, where one of the tests flagged a configuration issue in Active Directory. Human errors are inevitable, so we also need to take steps to prevent misconfiguration.

Q: What kind of risks did you think you would be exposed to if those challenges were left unaddressed?

Mr. Yoshida: As attackers target financial institutions to achieve various objectives, we understood that if those challenges were left unaddressed we would be at risk of being breached. Once our network is compromised, ransomware could be introduced, which could lead to huge damage such as data breach and even our system being completely hijacked. This was a serious challenge, as it would affect our reputation as a financial institution.

Build and operation capabilities were available in-house, which enabled independent deployment

Q: As you selected a solution to resolve those challenges, what requirements did you set?

Mr. Yoshida: We always look for the very latest security products. When we felt we needed to protect Active Directory, one of the system integrators associated with Tenable suggested Tenable Identity Exposure as an effective tool for the purpose.

Q: The Ministry of Finance’s guideline also states that steps should be taken to protect Active Directory. Was it your intention to adhere to the guideline?

Mr. Yoshida: We had already set a policy for securing Active Directory before the guideline was published. Its publication and the decision to adopt Tenable happened almost simultaneously, which was good timing. We might be diligent in applying patches like Windows Update, but if security issues were present in the configuration, Active Directory could be taken over by an attacker. So we were aware that some kind of measure was necessary in order to meet the requirements of the Ministry of Finance’s guideline.

Q: So a Tenable product was suggested; what was the key factor that made you decide to go for Tenable Identity Exposure?

Mr. Yoshida: The biggest reason was that Tenable was the only product that could configure and continuously monitor Active Directory. Furthermore, the product is agentless, which was an advantage in reducing deployment and management costs. We also purchased Tenable Cloud Security together with Tenable Identity Exposure to enforce security for our cloud services. Therefore we have in our sight that in future we may leverage Tenable One, to manage everything centrally from a cyber exposure management platform.

Q: Did your deployment go smoothly with Tenable Identity Exposure?

Mr. Miyaji: Yes, its deployment was simple. Build and configuration tasks were completed in one day. We basically manage system build and operation management in-house, so we had our own team to deploy the product. I imagine that if we had introduced a similar product from a different company, it would have taken at least a month, with the necessary PoC, discussions, etc., in the course of deployment.

Q: I understand that you have been making efforts to establish in-house capabilities for some time. These days there are many organizations who employ external managed service providers; can you tell me the reason why you think in-house capabilities are important?

Mr. Yoshida: You could say that it’s a kind of corporate culture. We have a history of doing everything in-house, from computer configuration to system development. As that is the way we generally do things, we have some resistance to outsourcing. Our teams have a thorough knowledge of our network and security, so outsourcing introduces an element of uncertainty that detailed development and operation may become invisible to us.

Q: Setting and fine-tuning the system after deployment; did that go without any problem?

Mr. Miyaji: It was easy anyways, but as we attended the hands-on seminar for Tenable Identity Exposure, we were able to build the system without a hitch.

Q: What was that seminar like? Any requests?

Mr. Miyaji: It was very detailed and easy to follow. We attended it almost at the same time as the product was being deployed. We were able to get detailed explanations of Active Directory security with demonstrations. However, the product has numerous functions, with a wide range of findings it can detect, such that a few hours were not enough. It would have been even better if the seminar had been expanded to cover all aspects, over several sessions, if that was at all possible.

Approximately 200 dormant accounts were found, configuration checks were simple to do

Q: What are the benefits of having Tenable? What changes have you noticed before and after deployment?

Mr. Miyaji: We are now able to look at the dashboard and find risky situations in an instant. For example, we were able to visualize dormant accounts which we were not aware of before. As our system has been in use for nearly twenty years, we found approximately 200 dormant accounts on the Tenable Identity Exposure console, and we were able to delete unnecessary accounts immediately. We were also able to monitor changes in objects in real time, for example, with group policy settings. We did have security measures for Active Directory before, but with the deployment of Tenable, we are now able to use quantifiable scores to visualize its security level overall, which I believe contributes immensely toward reducing security risk.

Q: Do you have any concerns or anything you are unhappy with?

Mr. Miyaji: I have nothing major that I am dissatisfied with. I suppose that, while system admins like myself and our team can see from the console that the right configurations are in place, for management, a reporting function with an easy-to-understand format will make it even better.

Q: What is the console like? Is it easy to use?

Mr. Miyaji: The console is localized, intuitive and very user-friendly. In addition, threats are ranked according to their severity, which makes it easy to determine which should be dealt with as a priority. This has improved our operational efficiency.

Q: Can you tell us about your future plans for security and human resources?

Mr. Miyaji: There is no end to the provision of cybersecurity. As new attack vectors emerge in rapid succession, we hope to equip our organization with the latest countermeasures that are suitable for us. Therefore, although the fundamental policy and framework for security remain unchanged, we ensure that we are always flexible. In terms of human resources, for example, where we have a team of three at the moment, we will need to increase our headcount, and I hope to train newcomers in-house, mainly, with the help of our partners.

Q: You told me you have decided to deploy Tenable Cloud Security. What benefits do you expect to get from the product?

Mr. Yoshida: As we scale up the use of cloud resources, I believe the product will be useful in managing risk in the cloud. At present, we use mainly Microsoft 365, but we are exploring the use of Microsoft Azure, AWS and Salesforce. We hope to be able to visualize what is going on in the cloud and eliminate misconfigurations caused by human error, as well as secure our workloads, identities, data and more. It will be most helpful if you could share your advice for best practice.