Finovate Debuts: NopSec

Finovate Debuts is a blog series that introduces companies that demonstrated for the first time on the Finovate stage. Today’s feature is NopSec, which demonstrated its Unified VRM system at FinovateFall 2014.


NopSec is focused on making the digital world a safer place. For banks, this means getting a handle on cyber security. If you’re a bank with 60,000 hosts under management, with thousands of security vulnerabilities, you have two major issues. First, you need to identify the vulnerabilities, and second, you need to know how to fix them.
With so much information to sort through to determine and prioritize what needs to be fixed, this can be time-consuming. This is where NopSec comes in. Its SaaS-based Unified VRM provides a solution for IT professionals to manage security threats. Using Big Data, it generates a prioritized list of what security issues need to be addressed, and how to address them.

The stats
    • Founded in 2009
    • Headquartered in New York
    • Works with infrastructure both on premises and in the cloud

The experience

The NopSec Unified VRM system helps bank security experts sort through the massive amount of data about security threats, and suggests actions to protect against the threats. Its holistic approach to security can be broken down into four steps:

    1. Identify threats
    2. Explore details
    3. Discover solutions
    4. Create reports 

Step 1: Identify threats

The first step is to identify specific vulnerabilities. The dashboard below provides an overall picture of security risk and vulnerability that is easily digestible for everyone from the technical security professional to the CIO. It is divided into modules that correspond to different threats: external and internal.

Step 2: Explore details

Security analysts can drill down further into vulnerabilities by searching and filtering. The case below shows results filtered by “Top Exploited.” Other filters, listed on the left-hand side in the graphic below, include criteria for geographic location, available patches, top trends, etc.
Once experts find the individual threats that interest them, they can view a summary description of each case. The graphs along the top provide an overall view of the risk factor, operating system, and location of each threat that matches the search criteria.

Step 3: Discover solutions

Identifying and understanding the security threats is only part of the equation. The crucial piece is solving the vulnerabilities. To do this, Unified VRM prioritizes the most dangerous and relevant threats by ranking them by importance.
Remediation recommendations are listed next to each vulnerability, along with the number of assets it affects. In the example below, the Microsoft Remote Desktop Protocol Remote Code Execution Vulnerabilities entry affects 134 assets, so it is ranked as the number one issue to fix. Dividing the bank’s security into manageable pieces helps security professionals know what to focus on.
In addition to simply advising remediation, the platform has a social aspect that allows for team collaboration. Users just select others they would like to involve in the conversation, and everyone has the ability to comment on the solution.

Step 4: Communicate via reports

To communicate issues and progress with everyone from executives to other technical experts, NopSec provides a reporting tool. It offers four options that tailor the information in the report to the appropriate level for different intended audiences:

    • Executive, for a high level status view
    • Technical, for a more detailed view with technical specifications
    • Full, for a complete view
    • Customized, for an overview mixed with details

Benefit to banks

The largest benefit NopSec brings to banks is the ability to proactively secure their systems. By identifying and prioritizing major security threats that affect hundreds of assets, banks’ technical teams can spend more time solving those issues, and less time searching for the issues.
Additionally, the Unified VRM system takes the institution’s security a step above what government regulations require, since those regulations are often too generic and not applicable to every environment.