THE CHALLENGE

As a leading retailer with over 2,600 stores in Turkey and other countries, Migros prioritizes security extremely highly. The company serves over 14 million customers annually and is well aware of the impact a serious cyber attack could have on its operations, finances and reputation.
On a daily basis, Migros processes huge volumes of sensitive customer and financial data. A hybrid cloud infrastructure, use of specialist point of sale (POS) systems and web applications, plus a vast supply chain means that the company has a large, growing estate to protect. As an innovator in its industry, Migros is investing heavily in artificial intelligence and contactless payment technology. Consequently, it is keen to ensure that its intellectual property is also comprehensively protected.
To safeguard its assets, Migros employs a large in-house security team and utilizes third-party services providers to assist with vulnerability management and threat detection. However, despite the resources at its disposal, the company was struggling to obtain a holistic view of its security posture and lacked assurance that the defenses it relies upon were operating as expected. It also wanted to ensure it was doing all it could to identify and address security gaps as quickly as possible.
“Information and data security have always been a top priority for our business”, explained Elif Seven, Senior Team Lead at Migros. “However, with such a large estate to protect, maintaining a broad oversight of our security was proving to be a challenge. To mitigate risks, we leverage a wide range of security controls and it’s imperative that they provide the best possible protection at all times.
“Security assessments such as penetration testing were helping to identify potential weaknesses but did not provide the type of insights we needed to identify ways to validate and optimize our prevention and detection capabilities.”

THE SOLUTION

After evaluating a range of cybersecurity solutions, Migros identified The Picus Complete Security Control Validation Platform as the ideal tool it needed to help assess and stay on top of its security posture.
By simulating real-world cyber threats, The Picus Platform enables the business to measure the effectiveness of its security controls on a continuous basis and take swift action to address any threat coverage and visibility gaps identified.
Every day, Migros’ security teams leverage Picus’ Breach and Attack Simulation technology to conduct over 4,000 simulations and validate the performance of its network, endpoint and email controls.
At a prevention level, The Picus Platform validates that Migros’ firewalls, web application firewalls and antivirus are reliably blocking known malicious activity. Additionally, at a detection level, it tests that the company’s Security Incident and Event Management (SIEM) tool is ingesting the necessary log sources and that alerts are triggered promptly when malicious activity is identified.
Where policy gaps are observed, The Picus Platform helps to address them by supplying actionable mitigationrecommendations and by mapping threat coverage to the MITRE ATT&CK Framework.

THE RESULTS

Greater Threat Readiness
Monitoring cyber threat intelligence to identify new risks was proving highly time-consuming. With the addition of emerging threats and attack scenarios to its threat library on a daily basis by Picus Labs, The Picus Platform helps to alleviate this burden by reducing the time the Migros team needs to devote to security research and analysis.
Reduced Time to Mitigate
By supplying actionable and vendor-specific mitigation recommendations to address threat coverage and visibility gaps, The Picus Platform enables Migros’ security team to respond to risks sooner. The provision of prevention signatures and detection rules, all thoroughly tested by Picus to minimize false positives, also helps to alleviate manual prevention and detection engineering processes.
Improved Collaboration
Use of The Picus Platform has helped Migros to foster a purple teaming culture within its security operations. To aid awareness and knowledge transfer, simulationresults and mitigation insights are shared with relevant asset owners and used to drive ongoing improvements to controls and processes.
More Effective Reporting
Before using The Picus Platform, Migros’ team struggled to measure the company’s security posture. Now its team can track security scores for each of its controls and monitor changes in real-time. Integration of The Picus Platform with the company’s central reporting system enhances visibility further and ensures that senior managers across the business can stay up to date.
Greater Value from Pen Testing
By validating the efficacy of the company’s security controls to prevent and detect particular threats and attack techniques, The Picus Platform enables Migros’ security team to better scope penetration testing. This includes ensuring that the assessments it commissions from third parties are conducted in the right areas and are focused on replicating the tactics and techniques that pose the most risk.
Enhanced Compliance
As a processor of personal and financial data, Migros must comply with a range of security-related regulations and standards. The Picus Platform helps the company to prove adherence with the latest government and industry mandates, including the GDPR and the PCI DSS, by ensuring that the controls and processes it has in place are operationally effective.
"The Picus Platform is an easy to use solution that helps us ensure our defenses keep pace with evolving threats. The security scores and insights it provides help us to assess the effectiveness of our controls and identify ways to better protect our assets and customer data. The results we’ve seen, as well as the high level of support and guidance we receive from Picus’ Customer Success Team, were key factors in our decision to recently renew our license. Picus has become the right hand of our security team. I’d recommend it to all organizations that want to strengthen their cyber resilience and automate manual assessment and detection engineering processes.– Elif Seven, Senior Team Lead Migros.
At Picus Security, we help organizations to continuously validate, measure and enhance the effectiveness of their security controls so that they can more accurately assess risks and strengthen cyber resilience. As the pioneer of Breach and Attack Simulation (BAS), our Complete Security Control Validation Platform is used by security teams worldwide to proactively identify security gaps and obtain actionable insights to address them."