Thomas Murray helped a major Middle Eastern Central Securities Depository (CSD) to reduce its attack surface, build security and demonstrate resilience.

“Thomas Murray Cyber Risk has not only allowed me to significantly improve our CSD’s security posture, but also to communicate the improvements to our management, justifying budget and comparing us to other CSDs in the Middle East.”

Chief Information Security Officer, Middle Eastern CSD

The challenge

The CSD’s large IT Security team was subscribed to a range of threat intelligence feeds, which it used to monitor the CSD’s security posture. The problem? Too much data, too little quantification, too much manual work required – so that, in the end, much was left undone.

The team had little visibility over its public-facing IT infrastructure, and was unaware of the number of digital assets it was unnecessarily exposing in the public domain. It did not know what company data had been leaked to the Dark Web, and so was not able to assess the impact of employee behaviour on the company’s security.

The CSD recognised that it needed to subscribe to a threat intelligence tool; the problem, as always, was knowing which one to choose. Its main requirements were to:

  1. Monitor its attack surface for breaches, vulnerabilities and misconfigurations. It needed to receive all relevant threat intelligence feeds in a single platform.
  2. Quantify its security posture in a risk rating, so it could track and benchmark its performance.
  3. Benchmark itself against other CSDs in the region, to understand whether more investment was required to improve its security.
  4. Achieve an affordable solution that reflected the economic conditions of the market.

In the end, the CSD chose Thomas Murray because of the scope and timeliness of our data, the actionability of our risk rating, our unique benchmark of more than 140 CSDs, and highly competitive pricing.

The solution

The CISO and his team logged into the platform 252 times in the first six months of the subscription to identify security gaps, quantify risks, and build and execute a remediation action plan.

The team identified breached employee email credentials and was able to validate the findings with the employees in question, requiring them to undergo additional training and enhancing the company’s employee cybersecurity training programme more widely.

It identified a large number of redundant hosts that needed to be taken offline, as well as a variety of potentially vulnerable services, expired certificates and other vulnerabilities that were a drag on performance and represented a significant potential risk to the CSD’s data and operations.

The verdict

Thomas Murray Cyber Risk allowed the team to focus on building and executing a remediation action plan, rather than spending time manually collating and interpreting multiple complex data feeds. The CSD was able to reduce its attack surface by 48% in the first six months, increasing its cyber risk rating by 95% and moving from the bottom quartile of CSDs globally to a rating that was better than 88% of its peers.

After the first six months:

Active sessions on platform

252

Active sessions on platform

Reduction in size of public attack surface

48%

Reduction in size of public attack surface

Improvement to cyber risk rating

95%

Improvement to cyber risk rating

Better cyber risk rating than 88% of CSDs globally

88%

Better cyber risk rating than 88% of CSDs globally

Orbit Security

Orbit Security

Security ratings for enhanced attack surface management and third-party risk. Monitor for breaches and vulnerabilities that could be exploited by threat actors.

Learn more

Contact an expert

Roland Thomas

Roland Thomas

Associate Director

Phoebe Jordan , Managing Director | TPRM

Phoebe Jordan

Managing Director | TPRM