Background
CAME Group operates in 118 countries through 480 branches and licensed dealers. Operating under the Bpt, Urbaco, Parkare and GO brands, CAME Group is a key global player in the home automation, urban planning and high-security sectors, for which it offers integrated solutions for regulating and monitoring people flows and access points. Approximately 70 percent of CAME Group’s business is global. The company is extremely proud of its Italian heritage and employs over 1,500 staff, with sales of around €250 million in 2015.
Story Summary
CAME Group (CAME) provides automation systems for residential and industrial entrances, parking lots, and access control points. With 50 branches in 40 countries all networked with its corporate headquarters in Italy, CAME was uniquely challenged to provide a network architecture that ensured both secure network access and secure endpoints. Targeted attacks by malware, such as CryptoLocker, were frequently infiltrating servers and PCs, disrupting productivity and creating unpredictable remediation costs. Traditional antivirus software was ineffective in stopping such attacks.
By deploying the Palo Alto Networks Next-Generation Security Platform with Next-Generation Firewalls, Threat Intelligence Cloud services, and Advanced Endpoint Protection, CAME successfully prevents cyberthreats from infiltrating endpoint devices and its network. Through consolidation, CAME is saving $2.5 million over three years, with an additional $250,000 in savings by eliminating remediation costs on endpoint devices. Moreover, the company now has uniform security policies enterprise-wide, with increased visibility and control over network traffic for improved bandwidth and application performance.
Putting an End to Endpoint Attacks
With business operations in 118 countries, CAME Group relies on a global network to connect employees, customers and partners 24/7 year-round – whether they’re at a desktop in one of the company’s 50 branch offices or connecting remotely while traveling. However, every time a user logs in to the corporate CRM application, shares a file via email, uses Skype with a customer, or conducts any form of communication and collaboration online, they are exposed to potential cyberthreats.
Even with the best network security in the world, all of CAME’s endpoints were still vulnerable to targeted attacks by sophisticated exploits, as well as inadvertent downloading and sharing of malicious executable files. Like many companies, CAME traditionally relied on antivirus solutions to protect its endpoint devices. But signature-based antivirus systems are no match for today’s advanced, quickly evolving threats and zero-day attacks.
In fact, CAME frequently experienced such attacks, many of which were nearly impossible to detect until serious damage was inflicted. Among the worst was CryptoLocker, which required a huge investment in time and money to eradicate – plus the added expense to recover lost data. With the number of malicious attacks constantly rising, the cost of remediation was unpredictable and wreaked havoc on CAME’s IT budget.
Massimiliano Tesser, Group CIO at CAME, explains the company’s strategy to address the situation: “We approached the issue by first considering how advanced threats could compromise our endpoints and then identifying a way to prevent them from getting in.”
CAME determined that, fundamentally, all users were vulnerable when connected to the Internet. Another problem was inadvertent exposure through removable media such as USB drives. With numerous employees traveling from one part of the world to another, CAME needed a consistent way to protect end-user devices regardless of where or how they were connecting.
“It’s a huge challenge to provide consistent endpoint protection wherever a user is working from,” notes Tesser. “We were looking for complete execution control for all computers in the company, with visibility to see where and when attacks were occurring and validation that those attacks were successfully blocked.”
CAME considered solutions from Trend Micro and Intel Security’s McAfee line, but the company ultimately chose Palo Alto Networks Traps Advanced Endpoint Protection to complement its existing Palo Alto Networks security technologies and platform.
Tesser remarks, “We chose Traps because, unlike other approaches, it can reliably prevent exploits and malware – known and unknown – across all our endpoints, no matter where in the world they are used.”
Cybersecurity From End to End
CAME deployed Traps as part of a comprehensive cybersecurity strategy built on the Palo Alto Networks Next-Generation Security Platform, which consists of Next-Generation Firewalls, Threat Intelligence Cloud services, and Advanced Endpoint Protection. The platform delivers application, user and content visibility and control, as well as protection against known and unknown cyberthreats.
Working with its trusted IT partner, NGS srl, CAME has deployed Traps to approximately 1,000 servers, PCs and laptops, with plans to protect more than 1,600 endpoint devices when fully rolled out. In addition to Traps Advanced Endpoint Protection, CAME deployed four Palo Alto Networks PA-3020 next-generation firewalls in its headquarters facility to protect production data center operations. Another 40 PA-200 and 10 PA-500 next-generation firewalls were deployed in branch offices with redundant and secure virtual private network (VPN) connections enabled for remote users. All of the Palo Alto Networks next-generation firewalls are configured with Threat Prevention and URL Filtering (PAN-DB). Palo Alto Networks Panorama provides centralized management for device configurations, uniform policy enforcement, and reporting across the entire secure network.
CAME also implemented Palo Alto Networks WildFire, which provides threat intelligence cloud services. WildFire proactively identifies and blocks the most advanced known and unknown cyberthreats, leveraging central intelligence capabilities and automatic delivery of preventive security measures. The integration of WildFire and Traps proved especially important to CAME.
“Traps was the only endpoint protection product in the market natively integrated with WildFire,” says Tesser. “This was extremely important because it enabled us to protect against zero-day attacks, which were a nightmare for us. WildFire provides dynamic analysis and continuous updates that stop even unknown threats before they compromise an endpoint device or our network. Other products start working only at a subsequent stage of malware activity, and this can lead to endpoint outages.”
Seeing Is Believing
After deploying Traps, CAME saw almost immediate results. In fact, in the early stages of rollout, Traps successfully identified and prevented an attempt by CryptoLocker to attack endpoint devices at several of the company’s branch offices.
“We could see firsthand that the Advanced Endpoint Protection was working,” Tesser affirms. “Often it’s easy to think there is no problem, but it’s because you don’t know that an attack is happening. With Traps we can see what’s going on and that malware attacks are being prevented.”
Traps provides CAME with more than assurance that its endpoint devices are protected from cyberthreats. It has also eliminated the cost of remediation, which had been a frequent and difficult-to-manage problem in the past.
“When we were attacked by CryptoLocker in the past, we not only had the cost to get back our data but also the cost for the time and resources required by our organization,” recalls Tesser. “All those costs have been eliminated by having Traps in place. As a result, we expect to save $250,000 in the next three years.”
These savings are on top of even greater cost reductions that CAME realized from deploying the complete Palo Alto Networks Next-Generation Security Platform. Previously, CAME had more than 100 Cisco firewalls, each with different capabilities. Every branch office configured and managed its own device, many using consultants, which cost the company $50,000 per branch per year. By consolidating its security infrastructure on the Palo Alto Networks security platform, CAME has been able to remove devices from its network — and expensive consultants from its payroll. This will save the company approximately $2.5 million over three years.
Uniform Control and Prevention
With the Palo Alto Networks Next-Generation Security Platform, including Next-Generation Firewalls, Threat Intelligence Cloud services, and Advanced Endpoint Protection, CAME now has end-to-end protection against cyberthreats. Thanks to improved visibility and built-in prevention capabilities, the security team can now see all traffic on the network, get real-time information on attempted intrusions, and automatically block unauthorized packets from infiltrating the network or any devices connected to it.
CAME’s ability to identify, control and manage applications and traffic also improved bandwidth availability and eliminated network latency issues. Previously, rogue traffic caused connectivity problems, especially for the call center, during the busiest times of the workday. Application availability also declined during traffic peaks. Now those concerns are a thing of the past.
“We prioritized traffic packets to ensure the availability and responsiveness of core applications,” Tesser explains. “This also freed up more bandwidth, eliminating background noise and dropped calls that frustrated our customers and employees.”
What’s more, all of the traffic flowing through the Palo Alto Networks platform is logged to Panorama, which allows CAME to perform traffic analysis, quickly investigate and respond to security incidents, and collect audit information from a single, centralized location. This also makes it easier and more efficient for CAME to integrate new branches.
“One of the things I like most about the Palo Alto Networks platform is its ability to adapt to the heterogeneous networks of the companies we acquire,” notes Tesser. “With Panorama, we can configure, manage and distribute security policies across the Palo Alto Networks platform and know that they will be applied to each branch office uniformly. That way all users, regardless of location or type of endpoint device, are consistently protected.”
Secure Infrastructure Means Secure Business
Ultimately, end-to-end security is essential for keeping CAME’s business running smoothly. Tesser points out that any vulnerability can allow malware to compromise an employee’s PC or hackers to breach the network and steal proprietary company information. This can slow or stop productivity and, in the worst of circumstances, impact revenue streams and diminish customer confidence.
“It’s very important that all employees work in a safe environment,” Tesser advises. “This requires not just network security but also Advanced Endpoint Protection. Endpoint devices are the first contact between the outside world and our company, whether it’s through a computer or a smartphone. They are all connected to our servers and exchange information, which means any vulnerabilities leave us open to attack and potential harm. That’s why, if your network is a target, you cannot do without Traps Advanced Endpoint Protection. It’s a must.”
He concludes, “Palo Alto Networks provides CAME with the most complete security for our network and all our endpoint devices. By making our infrastructure secure, we make the business itself secure.”