Case Study

How doxo gets better visibility into their full attack surface

The Client

Since its inception, doxo has been on a mission to simplify and reduce the anxiety of staying on top of bills, empowering consumers to improve their financial health. As the largest nationwide bill payment network, doxo’s products and services help over eight million people break free from bill burden and accomplish their financial goals.

The background

Maintaining a strong security posture has always been critical to doxo's business, and much of that responsibility falls on Michael Bradshaw. As the Director of Technical Operations, Bradshaw leads the technical operations team at doxo. Working closely with the engineering organization, his team is responsible for supporting the infrastructure and securing the platform.

Although doxo had relied on Halo Security, formerly TrustedSite Security, to help achieve PCI compliance for many years before Bradshaw joined the team, he saw an opportunity to increase visibility into the company's security posture with the full Halo Security attack surface management platform.

The goals

Bradshaw was intrigued by the new Halo Security services, which include asset discovery, firewall monitoring, and website monitoring. With many internet-exposed assets across platforms, he wanted to ensure the team was "looking at all of our public-facing endpoints." But more than just knowing what was out there, he wanted to "make sure what we thought was the case was actually the case."

The solution

With the improved discovery service, the doxo team was able to easily identify their internet-facing assets in the platform and begin scanning those for risks. With those results, Bradshaw was able to quickly get to work.

Using Halo Security’s risk ratings and prioritization, Bradshaw and his team were able to focus on the most important findings first. "We focused quite a lot on resolving the things that were immediately apparent and higher priority when we first turned this on." After that phase, they were able to monitor the system less frequently, "just to see if there's anything new that's cropped up."

And with scheduled, automatic scanning, Halo Security helps doxo detect changes and act quickly, increasing peace of mind that nothing new has popped up. "You're going to get alerted if a new SSH port is discovered," Bradshaw said.

Reducing complexity and false positives

Bradshaw has had experience with many vulnerability scanners and sees clearly how Halo Security helps doxo avoid many common challenges. When it comes to self-managed vulnerability scanners, Bradshaw says, "you have to make sure you're updating definitions and plugins and weeding out all the false positives. And there are usually a ton of false positives that come with those… A product like this basically takes all of that out of your hands. The things that it's recording are actual issues that should be addressed."

If an issue Halo Security finds is deemed acceptable or expected by the team, Bradshaw can easily acknowledge it in the platform. "You don't have to worry about it coming back every scan."

A partner in external security

The support team at Halo Security works closely with Bradshaw and his team. "The support I think is one of the best parts of this product," Bradshaw said. With quarterly security reviews, he can regularly address issues, discuss goals, and ensure he's getting the most out of the platform.

"Those are always really valuable, going through and looking at what some of the issues are, digging more into those, and talking about things we could do to resolve them. It's usually the same person every time as well. So they've got a history with our account. That's been super useful for us."

Outside of the security review, "the response from support on the times that we have reported something has been really good as well."

Company Snapshot

Company: doxo inc.
Industry: Financial Software
Website: doxo.com

“The support I think is one of the best parts of this product.

Security reviews are always really valuable, going through and looking at what some of the issues are, digging more into those, and talking about things we could do to resolve them. It's usually the same person every time as well. So they've got a history with our account. That's been super useful for us.”

Michael Bradshaw
Director of Technical Operations
doxo, inc.