To strengthen Kuveyt Türk’s security architecture against emerging threats and make the network more resistant to cyberthreats.
Reinforce the security architecture from top to bottom with the Palo Alto Networks Security Operating Platform.
Kuveyt Türk Participation Bank A.Ş. has been operating in the field of interest-free finance since 1989. Kuveyt Türk ranks first among the participation banks in funds collected, funds provided, and asset size. It also ranks first among participation banks in gold banking and third in the entire banking sector. Kuveyt Türk has the widest range of products in gold banking and, in 2010, became the first in the Turkish banking sector to establish an R&D center.
Today, Kuveyt Türk is the only bank in Turkey with three R&D centers. Among the bank’s R&D projects, the XTM Branch Project allows videoconferencing and self-service transactions to be carried out as a world first. BOA Banking Platform, developed entirely by Turkish engineers in Kuveyt Türk R&D centers, started a new era in banking processes and will be deployed in more than 60 banks in 20 countries by the end of 2021. There’s also Turkey’s first interest-free digital banking platform, Senin Bankan (Your Bank), a public offering application module and API market platform for entrepreneurs and FinTech developers in the R&D centers.
Kuveyt Türk supports 30 initiatives in three different periods each year with the Lonca Entrepreneurship Center. In 2009, Kuveyt Türk began its digital transformation with the motto, “our route is digital, our focus is people.” As such, the bank aimed to move from product- to customer-oriented structure, from process- to experience-oriented structure, from transaction- to interaction-centered structure, and from interaction with customer demand to interaction through the customer journey.
Evolving IT risks and security threats necessitated greater security-focused investments for Kuveyt Türk Participation Bank. As different attacks cause varying degrees of damage, Kuveyt Türk sought to identify and prioritize risks to their network. Different technologies at both service provider and local levels serve this purpose.
As dealing with emerging threats had become more complex and challenging, Cüneyt Taş, unit manager for Kuveyt Türk, points out that it had become increasingly difficult to manage firewalls and some systems as well. On the other hand, Taş says, users are no longer the same. Many applications are used both in the cloud and locally, and it is necessary to know who is using these applications and whether these people are authorized. Meanwhile, it is becoming more and more complex and difficult to deal with new and emerging threats. Taş explains that the need to track SSL traffic and detect possible threats within it called for the use of Next-Generation Firewalls in Kuveyt Türk’s security architecture. Taş says, “Having achieved our goal at this point is the greatest added value for us. This perspective is now a necessity for all institutions.”
The Palo Alto Networks Approach
Operating in the financial sector requires compliance with BRSA (Banking Regulatory and Supervision Agency) regulations. In order to comply with the regulations, Kuveyt Türk structured their security organization around security infrastructure and security operations units. Taş emphasizes that a strong end-to-end architecture and Palo Alto Networks policies stand up when it comes to compliance with the principles of management, coordination, and segregation of duties for each team. He adds:
“We believed that the Palo Alto Networks Security Operating Platform was the right choice for securing our bank. However, before that, we did a thorough preliminary study of this investment and clearly explained why we needed these products to our management. As Kuveyt Türk, we have made extensive investments in this area, but we have seen that the current technology is insufficient to meet our security needs. At this point, we created a requirements document and sent it to the manufacturers. After that, we have conducted performance tests. As a result of all these, we rolled up our sleeves to position Palo Alto Networks solutions at Kuveyt Türk in early 2018. We completed this project entirely with our own technical resources with local Palo Alto Networks team. What was important for us was to bring together the product and the need. Since we analyzed our needs well and accurately, the resulting solution architecture met our expectations.”
Implementing the Second Phase
Kuveyt Türk takes a Zero Trust approach to its security, and the implementation of the Security Operating Platform® highlights the traffic analysis, realtime visibility, and predictable, analytical approach. The bank replaced all legacy firewalls and positioned Palo Alto Networks architecture in place. “This process required a difficult mapping exercise, and it was like changing the engine in a moving car as the bank was functioning 24/7. For this reason, the implementation took two years.” says Taş. He further explains the new architecture:
“All next-generation firewalls span the whole banking infrastructure. The disaster recovery center also works actively. We have an active disaster recovery center, and the coordinated progress of these two architectures is very important to us. In parallel with the increase in harms and attacks, the separation of small networks, which we call microsegmentation on the basis of roles, has created a serious burden on firewalls in recent years in terms of controlling the visibility and interactions of these roles with each other. We, as far as possible, took advantage of the capabilities of our network infrastructure and classified our role-based networks with various goals and carried them behind the firewall.
"In the first phase, we aim to further divide the networks we carry into more microsegments, and further increase the security and visibility. We use the App-ID structure extensively, and App-ID is very important for us in terms of the management and visibility of the applications. As the second phase, we plan to roll out User-ID. Since this is a living system, there will be no end to the new phases. Seventy-five percent of our traffic is SSL, and malicious cybercriminals are trying to take advantage of this SSL traffic. Therefore, it is critical to have full visibility of what is going through SSL traffic. In this respect, we are actively using the Palo Alto Networks SSL Decryption feature.”
WildFire: Powerful Multi-Method Threat Prevention
Kuveyt Türk benefits from Palo Alto Networks capabilities like Threat Prevention and URL Filtering. All processes can be easily monitored, and detailed authorizations can be made accordingly. Replacing the existing intrusion prevention system (IPS) with Palo Alto Networks IPS simplified the bank’s IT infrastructure and ease of technology management. Taş, who emphasizes “accurate and fast measurement” as the main objective of this project, explains:
“The approach WildFire uses to identify threats and apply multiple methods, such as static and dynamic analysis, machine learning, and network profiling, is beneficial. WildFire is an application that is involved in zero-day attacks and in extracting executable files especially. An executable file that you download from the internet works on this sandbox, examining the behavior if there is a malicious file and returning it with the label as the file ‘clean’ or ‘malicious.’ If you are adopting the Zero Trust principle today, you have to position a sandbox. The positioning of WildFire, Palo Alto Networks own product, was essential to us, and we actively use this solution. If there is a risk and you do not want to see it on the server—if you want to prevent it from entering the environment—we create a comfortable space for us by using WildFire to check the entire architecture and ensure there are no vulnerabilities.”
Change Tracking and Time Advantage with Panorama
Kuveyt Türk’s data center hosts 10 clusters of firewalls. Panorama™ network security management is a major support point in the central administration of these devices and configurations, control of changes, centralized collection of logs, and receipt and analysis of location-dependent or location-independent reports. In particular, ability to create meaningful reports made our lives easier when collaborating with other teams in IT. As Taş says, it becomes “a productive bridge between the two sides.” Kuveyt Türk uses Panorama in this process for reporting and cluster monitoring as well as monitoring system well-being. While reporting and help monitoring stand up in Panorama’s used features, Taş adds, “It got easier to make configuration changes with Panorama while also saving time.”
Taş proudly emphasizes that the bank is now spending less and working more efficiently, giving them more time to manage the security infrastructure. Taş says: “This brings innovative work to the forefront. Beyond the work routine, it is possible to follow various technologies and research that will take you forward on a personal and institutional basis and to have the opportunity to dwell on them. As the security team steps out of the routine, it turns to more creative works.”
“Being able to see all applications and categories of applications on the network, including SaaS applications, is a serious advantage. In addition to the threats we have prevented, we believe in the importance of sharing them within our organization helped a lot in building awareness. Besides, with this project, our rule sets decreased by 60%. We have taken turns in the direction of increased visibility on the Security Operations side. Thus, our rule sets were simplified, visibility increased, and response time was shortened by SOC teams. As a result, a contribution you make to the security here and on the security operations side positively affects the customer. When you provide end-to-end security—when you meet the needs there—you become more compliant with regulations, and you protect customer data and customer privacy better and more efficiently.”