First Horizon Bank makes cybersecurity efficient, cost effective and business operations more secure

Summary

First Horizon Bank is using a portfolio of CyberArk products to transform its Identity Security posture. The end result is the bank has fine-tuned business processes, saved time, money, resources, and significantly improved confidence in its cybersecurity.

Company profile

First Horizon is a leading regional financial services company, dedicated to helping clients, communities and associates unlock their full potential. Headquartered in Memphis, TN, the bank operates in 12 states across the southern United States with around 417 high street branches. The company offers commercial, private banking, consumer, small business, wealth and trust management, retail brokerage, capital markets, fixed income and mortgage banking services.

Employees: 7,500

Challenges

First Horizon Bank is no stranger to risk. It was founded in 1864 in Memphis, Tennessee during the final stages of the American Civil War, when the United States was figuring out how to be united again. The bank took a leap of faith presenting itself as a trusted financial partner during those volatile times, and now 160 years later, it’s a thriving regional bank with a new set of risks as it begins to move into the cloud.

Like many organizations and financial companies in particular, First Horizon Bank continues to face a number of different cybersecurity threats such as phishing, rogue states and malware attacks. In the past, First Horizon Bank had relied on basic, manual tools and processes. For example, a spreadsheet was used to issue passwords on a temporary, 48-hour cycle when a developer needed access to a system. However, this was not secure because passwords were shared, and it was time-consuming since developers had to ask for a new password every time they needed one.

These threats spurred the bank to act and look for a stronger security solution. The change was driven by Joel Pace, Senior IT Analyst. He has been at First Horizon Bank for 17 years, having joined straight out of college. “We understand the importance of protecting our customers and business and that attackers are continuously innovating,” explained Pace. “We work to achieve and exceed industry best practices and meet, if not exceed, regulatory requirements. While I believe some companies look to pass audits, our aim is to stay ahead of them.”

Pace started at the help desk at First Horizon. His talents were quickly realized, and he was asked to spearhead the bank’s investigation into identity protection. “When I was tasked to look into privileged access, I fell in love with it,” shared Pace. “At the time I did not quite realize the significance of identity security but when I got involved with CyberArk, it opened my eyes to the importance of it. That gave me purpose to stay ahead of the hackers and attackers. Now I am a full-time PAM admin and I love it.”

First Horizon realized that to build an effective security defense, identity would need to be the lynchpin of its cybersecurity strategy. “Identity is the new perimeter with around 80% of modern-day breaches involving stolen credentials,” said Pace. “Identity is critical to securing any company, especially financial institutions. Threats, hackers and even internal incidents are all trying to get to the crown jewels. The way to do that is with identities, even if it starts with a low-ranking account.”

Pace recalled that like most financial institutions, First Horizon Bank has been cautious to adopt new technologies like the cloud. The bank’s IT infrastructure is mainly on-premises; however, the bank is starting to leverage cloud technology.

Solutions

First Horizon Bank evaluated several providers, but the decision to use CyberArk was guided by a leading IT research and advisory provider recommending the friendly interface and multiple features that CyberArk offers. For example, CyberArk integrates with more platforms, such as web apps, Windows services, and application services, than other solutions.

The bank first started using the CyberArk Privileged Access Manager (PAM) Self-Hosted back in 2013 as a simple solution for developers to access production servers instead of storing passwords on a spreadsheet. Access was given based on the application so that users could only see the servers they needed to access. The developers never need to know or see the passwords. Instead, a session to the endpoint is brokered through CyberArk all while the session is audited and recorded. Since then, the bank has grown its CyberArk Identity Security Platform to include CyberArk Endpoint Privilege Manager (EPM) and CyberArk Secrets Manager Credential Providers. First Horizon, with support from CyberArk Design and Deployment Services, did the implementation.

CyberArk PAM Self-Hosted vaults and rotates more than 16,000 credentials. One huge success for the bank is that none of its domain, server or workstation admins have privileged access for day-to-day accounts. All Unix user credentials are even managed with Privileged Session Manager (PSM for SSH) in CyberArk. Furthermore, machines used by developers are also protected by CyberArk EPM. Leveraging CyberArk EPM to enforce role-specific least privilege across endpoints has been an effective and efficient way for the bank to prevent credential theft and session hijacking, limit lateral and vertical movement and avoid ransomware.

By removing hard-coded credentials CyberArk Secrets Manager Credential Providers secures hundreds of thousands of API banking connections and transactions, such as a First Horizon customer generating a wire transfer. To consistently achieve high transaction volumes with very high levels of reliability and security, the bank uses CyberArk Secrets Manager’s dual account mechanism to rotate the credentials.

Results

“All of the steps we have taken to onboard CyberArk are about making the bank, our staff and our customers more secure and making it a lot harder for someone to target the bank and get privileged credentials. Our privileged accounts are in a much better place than before. We are rotating passwords frequently and we have stopped hundreds of non-privileged accounts from having privileged access. In most cases, users do not even know their passwords because the sessions are brokered and authenticated automatically by CyberArk.”
– Joel Pace, Senior IT Analyst, First Horizon Bank

Some of the key benefits of CyberArk include credential segmentation, frequent password rotation and preventing the spread of attacks like malware using Privileged Session Manager. Credential boundaries means that accounts with admin access to workstations cannot access servers. Additionally, accounts with server access cannot access domain controllers. If someone steals credentials for a workstation admin, it cannot escalate to a server. Where users such as domain admins need access to a wide range of systems and applications, CyberArk ensures they have separate credentials for each network boundary.

Likewise, CyberArk has made processes faster and more efficient, such as removing the need to manually rotate passwords. For example, a user may have an account for accessing 50 Windows services across 25 servers. Before when the password changed, it had to be changed manually 50 times. Now CyberArk does this automatically. This is just one example of many instances where CyberArk has increased efficiency, reducing processing time significantly, while still improving security. Having experience working on IT service desk himself, Pace was really happy to see another example of how CyberArk Endpoint Privilege Manager enabled automatic elevation of applications that are needed by different departments for work on day-to-day basis – all while enforcing least privilege on endpoints. Users now don’t need to be administrators to perform a common task and they don’t need to involve IT to do that either – the elevation is performed automatically, transparently and based on policy. It’s a win-win situation for users, security and IT Service Desk.

“It is hard to quantify but First Horizon has definitely gained cost savings and a lot of risk reduction since using CyberArk,” disclosed Pace. “The operational efficiencies and achieved risk reduction by automating password changes and having one enterprise tool, instead of each user storing passwords, is a huge cost savings and best practice. Then there is cost avoidance from not suffering a major breach which CyberArk continuously helps us achieve.”

Moreover, CyberArk helps the bank meet regulation and auditing requirements. As its regulatory bellwether, First Horizon is exceeding the NIST Cybersecurity Framework for understanding, managing and reducing cybersecurity risk. NIST is overseen by the National Institute of Standards and Technology at the U.S. Department of Commerce.

“CyberArk is one of the most critical pieces to cybersecurity at First Horizon Bank,” concluded Pace. “That is reflected in the fact that our senior management is highly involved with what is happening with CyberArk. During a major event where we thought we were going to be bought by another company, we narrowed down our cybersecurity focus to six key projects and privileged access management was one of them.”

Key benefits

• Implements least privilege across all high-risk access
• Protects endpoints against credential theft, lateral and vertical movement and ransomware
• Centrally manages privileged access for over 16,000 accounts
• Hundreds of thousands of API banking connections and transactions protected by removing hard-coded credentials