Crédit Mutuel Arkéa relies on collective intelligence and CrowdSec to block malicious IPs
Crédit Mutuel Arkéa, a leading French bancassurance group, deploys CrowdSec to protect its systems against malicious traffic and also benefits from real-time threat information sharing through CrowdSec's actionable collective intelligence. Read the full story below.
To protect its systems from malicious Internet traffic, the bancassurance group Crédit Mutuel Arkéa has deployed CrowdSec's solution. It now benefits from real-time cyber threat information sharing, thanks to the collective intelligence capabilities of the platform.
Crédit Mutuel Arkéa is the second largest federation of the Crédit Mutuel group. It comprises the regional banks in Brittany and the South-West of France, as well as more than thirty specialized subsidiaries. The group serves over 5 million customers and employs more than 11,000 people. To lighten the load on its incident response team, the group rolled out CrowdSec's intrusion prevention solution across its information system in 2022, contributing to an overall improvement in its security posture.
In 2021, the CERT of Crédit Mutuel Arkéa was looking for a solution to automatically block IPs associated with abnormal behavior, especially on authentication services, which are the most frequently attacked. The team had just started a proof of concept with CrowdSec's intrusion prevention tool when the vulnerability disclosed in Apache Log4j in December 2021 (Log4Shell, CVE-2021-44228) sent the cybersecurity world into crisis mode. "We set up a crisis unit," recalls Guillaume Roussel, Operations Manager in charge of IS security at Crédit Mutuel Arkéa.
At that point, CrowdSec offered them a scenario detecting Log4j exploitation attempts, which the team deployed immediately. Within 48 hours it was running on the entire information system, allowing the team to contain exploitation attempts against the vulnerability. A detection scenario of this kind bans the sources that send exploitation patterns; it reduces exposure but does not replace patching the library itself.
Improved security at all levels
Following this incident, the decision was made to industrialize the deployment. The solution was installed both on the group's internal bare-metal platform and on its private cloud, with scripts to automatically embed the agent in each new web service deployed on the latter. The results were conclusive: "We have eliminated between 40% and 50% of the background noise," says Guillaume Roussel. For the ten-person incident response team, he estimates the time saved at about two FTEs (full-time equivalents). The tool has also significantly reduced the CPU and RAM load on the servers, as blocked traffic no longer reaches the applications.
"The default scenarios already work very well, but we have also made some adjustments, for example to whitelist some IP addresses or to temporarily unblock a few misconfigured applications that were making repeated calls," explains the manager. "The anomalies that were found were passed on to the development teams. This enabled us to improve the code in the spirit of DevSecOps." Another anecdote: pen testers were also blocked by the tool. "This pushed them to look for more advanced attacks, contributing to further strengthening cybersecurity in a global way."
Compared to a WAF (web application firewall), the solution also proved less cumbersome to set up. "The tool is simple enough that it doesn't need to involve the business teams," Guillaume Roussel points out. Another advantage is that the blocking duration is managed automatically. "This avoids ending up with IPs blocked for years and forgotten about, while still serving as a warning to attackers, who will be blocked again if they try to attack again."
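As an added illustration (not configuration from Crédit Mutuel Arkéa, and not one of CrowdSec's stock parsers), the following CrowdSec whitelist parser shows the kind of adjustment described above: exempting a trusted source, a pentest network or a misbehaving internal application from bans. It belongs in the `s02-enrich` parser stage; the file name, parser name, addresses and CIDR below are hypothetical placeholders.

```yaml
# Hypothetical file: /etc/crowdsec/parsers/s02-enrich/internal-whitelist.yaml
# Events matching any rule below are discarded before scenarios see them,
# so the matching source never accumulates a local ban decision.
name: example/internal-whitelist        # hypothetical parser name
description: "Exempt monitoring hosts, the pentest network and a misconfigured app"
whitelist:
  reason: "trusted internal sources (placeholder values)"
  ip:
    - "203.0.113.10"          # placeholder: monitoring host that probes login pages
  cidr:
    - "192.0.2.0/24"          # placeholder: pentest jump network for a scoped engagement
  expression:
    # Placeholder: an application stuck in a retry loop. Keep this entry only
    # until its code is fixed, then remove it so real abuse from that address
    # is detected again.
    - "evt.Meta.source_ip == '198.51.100.7'"
```

A parser whitelist only stops local detections from producing decisions; a decision already imported from the community blocklist for the same address is not affected by it, so also check `cscli decisions list --ip <address>` when an internal source is unexpectedly blocked.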
CTI interfaced with SIEM
The Crédit Mutuel Arkéa team particularly appreciates the collaborative and community dimension of CrowdSec. Via its CTI (cyber threat intelligence) portal, all users share real-time information on attackers, such as malicious IPs and attack trends. "The great strength of the solution is this intelligence on the typology of attackers. The portal allows us to anticipate and forecast certain events. We can even go further by establishing typologies of attacks for our sector with the other financial players," says the manager. The group's Security Information and Event Management (SIEM) system interfaces with the solution to query CTI data. The team wants to extend its usage of CrowdSec by retrieving logs enriched by CrowdSec to make various correlations within the SIEM.
Since its deployment, the CrowdSec solution has had other opportunities to prove itself, notably by blocking waves of brute force attacks on the group's subsidiaries. Guillaume Roussel: "It's a bit like a Fail2ban on steroids." Today, the team continues to write new scenarios, particularly to build more business-oriented models with detection approaches specific to different applications. It also plans to use the solution to detect cross-functional attacks within the group's information system.
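As an added example of the application-specific scenarios mentioned above (written for this page, not a scenario from Crédit Mutuel Arkéa or from the CrowdSec Hub), here is a leaky-bucket scenario that bans a source after repeated failed logins on a specific web login endpoint. It assumes an HTTP access-log parser that sets `evt.Meta.log_type`, `evt.Meta.http_path`, `evt.Meta.http_status` and `evt.Meta.source_ip`, as CrowdSec's nginx and apache parsers do; the scenario name, path and thresholds are hypothetical.

```yaml
# Hypothetical file: /etc/crowdsec/scenarios/app-login-bf.yaml
type: leaky
name: example/app-login-bf              # hypothetical scenario name
description: "Repeated failed logins on the /api/login endpoint of a business app"
# Only failed authentication attempts against the login route feed the bucket.
filter: "evt.Meta.log_type == 'http_access-log' && evt.Meta.http_path == '/api/login' && evt.Meta.http_status == '401'"
# One bucket per source address, so each client is judged on its own behavior.
groupby: evt.Meta.source_ip
# The bucket overflows (alert + ban) at 6 failures; it drains one event every 10s,
# so a legitimate user mistyping a password a few times never trips it.
capacity: 5
leakspeed: "10s"
# After an overflow, ignore the same source for 5 minutes so one attacker
# does not generate a flood of duplicate alerts.
blackhole: 5m
labels:
  service: http
  type: bruteforce
  remediation: true       # ask the bouncers to block the source
```

The ban duration is not set here but in the profile that matches the alert (by default `profiles.yaml`), which is how the automatic, time-limited blocking mentioned above is controlled; a scenario only decides when an alert fires.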