InformationWeek 500: How MassMutual Got Its Security Data Under Control - InformationWeek

Application framework automatically pulls risk and security-related information from various security systems, letting insurer quickly respond to threats while also cutting costs.

Early last year, MassMutual deployed security management software--Archer Technologies SmartSuite Framework--to help its security staff quickly assess and prioritize risks. "We needed something to aggregate information, to bring data into one source," says Mandy Andress, the company's assistant VP of information security. The information being aggregated ranged from data related to security and compliance requirements to vulnerability assessments provided by Qualys' managed security services and data on server configuration settings from NetIQ's Security Management software.

SmartSuite lets companies create applications and databases that automate the storage and management of security-related information. Companies such as MassMutual use this information to assess compliance with government regulations, like the 1999 Gramm-Leach-Bliley Financial Modernization Act, which lays out rules for protecting consumers' personal financial information. SmartSuite also can be used to classify data according to its sensitivity and track change requests to firewall policies.

With the SmartSuite Framework, MassMutual has built what Andress describes as a "risk-scoring engine" that assesses applications and systems, taking into consideration factors such as operating system, programming language, Internet exposure, and known vulnerabilities. It creates an aggregate risk score for each app and system, which the company uses to determine which risks need to be addressed first. Security problems, such as a virus outbreak or an unauthorized user attempting to access a database, are assigned a weighted value that also feeds into the risk score. The system produces bar graphs, pie charts, and other visual displays from these scores to help managers make sense of the data and formulate a security strategy. When Bonsall or his team wants more detail, they click on the charts to see what factors went into assigning a particular score.

MassMutual has configured the framework to identify high-level risks and issue alerts to its security assurance team, whose three staff evaluate each risk and decide what action is needed to address it. One such alert was recently triggered by an unpatched server. Further investigation revealed that although it was running one of the company's management programs, it was an older system that MassMutual wouldn't be using for much longer, so it didn't need to be patched.
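As an added illustration of the weighted aggregation the preceding paragraphs describe (this is example code, not MassMutual's or Archer's own): each asset carries the factors named above, scanner and monitoring feeds contribute vulnerabilities and weighted security events, and anything at or above an alert threshold is flagged for the assurance team together with the per-factor breakdown a drill-down would show. All weights, the threshold and the sample inventory are constructed.

```python
"""Toy risk-scoring engine (constructed example; every weight is illustrative)."""
from dataclasses import dataclass, field

# Constructed factor weights: a higher value contributes more risk.
OS_WEIGHT = {"windows-2000": 30, "windows-2003": 15, "rhel-5": 10}
LANGUAGE_WEIGHT = {"c": 20, "java": 10, "cobol": 5}
EXPOSURE_WEIGHT = {"internet": 40, "partner": 20, "internal": 5}
SEVERITY_WEIGHT = {"critical": 25, "high": 15, "medium": 5, "low": 1}
EVENT_WEIGHT = {"virus_outbreak": 50, "unauthorized_db_access": 40}
ALERT_THRESHOLD = 100  # scores at or above this are routed to the assurance team


@dataclass
class Asset:
    name: str
    os: str
    language: str
    exposure: str
    vulnerabilities: list = field(default_factory=list)  # severities from the scanner feed
    events: list = field(default_factory=list)           # security events from monitoring


def score_asset(asset: Asset) -> dict:
    """Return the aggregate score plus the per-factor breakdown used for drill-down."""
    breakdown = {
        "os": OS_WEIGHT.get(asset.os, 20),              # unknown OS is scored conservatively
        "language": LANGUAGE_WEIGHT.get(asset.language, 10),
        "exposure": EXPOSURE_WEIGHT.get(asset.exposure, 20),
        "vulnerabilities": sum(SEVERITY_WEIGHT.get(s, 0) for s in asset.vulnerabilities),
        "events": sum(EVENT_WEIGHT.get(e, 0) for e in asset.events),
    }
    total = sum(breakdown.values())
    return {"asset": asset.name, "score": total, "breakdown": breakdown,
            "alert": total >= ALERT_THRESHOLD}


def prioritize(assets: list) -> list:
    """Highest aggregate score first: the order in which risks get addressed."""
    return sorted((score_asset(a) for a in assets), key=lambda r: r["score"], reverse=True)


# Constructed sample inventory, as if pulled from the asset, scanner and monitoring feeds.
SAMPLE_ASSETS = [
    Asset("claims-web", "windows-2003", "java", "internet", ["high", "medium"]),
    Asset("legacy-batch", "windows-2000", "cobol", "internal", ["critical"], ["unauthorized_db_access"]),
    Asset("dev-build", "rhel-5", "c", "internal"),
]

if __name__ == "__main__":
    for result in prioritize(SAMPLE_ASSETS):
        flag = "ALERT" if result["alert"] else "ok"
        print(f"{result['asset']:<14}{result['score']:>5}  {flag}  {result['breakdown']}")
```

The breakdown dictionary is what an analyst would inspect when deciding, as in the unpatched-server case above, whether a flagged risk should be remediated or accepted.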

Look at the big picture. MassMutual integrated multiple risk-data sources to get a more holistic view of threats.
Offload. By automating risk assessment, it could respond faster to critical threats.
Make use of existing resources. The insurer leveraged internal systems of record for key items such as application and server asset listings.
Be prepared. MassMutual found it needed to provide detailed remediation options with the initial communication of an identified risk.

After its first year in operation, the risk assessment framework's ability to aggregate information about vulnerabilities and threats has led to configuration changes that improved efficiency, Andress says. Analysis that previously required months of research can be done in minutes and in much greater detail, leading to a 97.5% cost reduction in the risk analysis process, she says. But the cost savings were ancillary, she adds. "We didn't implement the Archer system specifically to save money."

The system does provide as much as 75% cost savings when MassMutual adds new sources of risk data because the process of adapting to them takes weeks rather than months. "We made sure we would be able to easily adapt to changing threats," Andress says. She sees security problems in the future mostly coming from existing threats that find new channels--such as the Web or wireless networks--into IT environments.

One of the most recent threats: toolkits that help criminals create multivector threats, Bonsall says. "The pace of this is quickening," he notes, "and the threats are more lethal than they were before." This means MassMutual, like most companies, has less time to fix an increasing number of software vulnerabilities. In such a situation, knowledge truly is power.

Return to the 2007 InformationWeek 500 homepage
