Live Oak Bank’s Homegrown Technology Is a Big Differentiator
Live Oak Bank is different from most banks in many respects. Started as an internet bank, Live Oak continues to operate without physical locations. The company is focused on small businesses and has domain expertise in 20+ specific verticals—such as veterinary practices, pharmacies, agriculture, healthcare, and other industries. Unlike its competitors, Live Oak bankers get deeply involved in helping customers run—and succeed in—their own businesses. Its partnership approach has resulted in a loan default rate of less than 1%—far below the industry average of 3%.
The company has embraced the cloud from the beginning. Rather than build its business on a traditional, datacenter-based banking platform, Live Oak developed its own software. Some of the company’s technology has been spun off into new software entities. Many of these fintech companies are still partnered with Live Oak Bank to create an in-the-cloud, API-driven core. Cloud technology is central to everything Live Oak does.
Thomas Hill joined Live Oak Bank six years ago as CIO. As the company grew and its homegrown technology portfolio expanded, a need arose to separate the IT and security roles, so Hill assumed the CISO position. “We want our business to be fast, real-time. We want the business to be able to move and change at the speed of light,” says Hill. “My job is to make sure we can do that securely and within the bounds of all regulatory constraints.”
Empowering DevOps (Without Getting in the Way)
Steeped in the heritage of a company that creates its own software, the DevOps team is encouraged to be bold and innovative. A traditional security leader can hamper DevOps by demanding that developers slow down and consider security at every step. But Hill refuses to be an impediment to the development team. “The last thing we want to do is constrain our developers,” he says. “We want them to think outside the box and create new things, so we give them the power to spin up what they need, but in a responsible way.”
“In the old days—and I literally mean three months ago—we were scanning our environment once a month,” according to Hill. “In the back of my mind, I worried about a developer spinning off a script that builds a whole environment, builds a new stack, and they start testing things. They could be one misconfiguration away from putting all that out on the internet. We need to detect that but scanning once a month wasn’t going to do it. When you work in real-time, you need to see everything in real-time.”
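The misconfiguration Hill describes, a freshly built stack with a security group that admits the whole internet, is the kind of condition a near-real-time posture check looks for. The following is an added example, not code from Orca or from Live Oak Bank: it walks security-group rules in the shape returned by `aws ec2 describe-security-groups` (the field names follow the EC2 API; the groups, rules and the sensitive-port list are constructed for this example) and flags any rule that exposes a sensitive port, or all traffic, to `0.0.0.0/0` or `::/0`.

```python
import ipaddress

# Ports that should never be reachable from the whole internet.
# Assumption: a minimal watch list; extend it for your own estate.
SENSITIVE_PORTS = {
    22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
    6379: "redis", 9200: "elasticsearch", 27017: "mongodb",
}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Field names follow the EC2 API; the groups and rules themselves are made up.
SAMPLE_SECURITY_GROUPS = [
    {
        "GroupId": "sg-0a1b2c3d", "GroupName": "web",
        "IpPermissions": [
            # HTTPS open to the world is expected for a public web tier: no finding.
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            # SSH restricted to the corporate range: no finding.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0deadbeef", "GroupName": "dev-stack-test",
        "IpPermissions": [
            # "All traffic" from anywhere, v4 and v6: the one-line mistake a
            # stack-building script can make. The API omits the port fields here.
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0b4571000", "GroupName": "bastion",
        "IpPermissions": [
            # SSH from the whole internet on a single port.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
]


def is_world_open(cidr):
    """True if the CIDR is the entire IPv4 or IPv6 address space (0.0.0.0/0, ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def sensitive_ports_in_rule(perm):
    """Sensitive ports that a single ingress rule admits, regardless of its source."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # "all traffic": every port on every protocol
        return sorted(SENSITIVE_PORTS)
    if proto not in ("tcp", "udp"):        # icmp and friends carry no port
        return []
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return [p for p in sorted(SENSITIVE_PORTS) if lo <= p <= hi]


def find_public_exposure(groups):
    """Findings for every rule that lets the whole internet reach a sensitive port."""
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            public = [c for c in sources if is_world_open(c)]
            ports = sensitive_ports_in_rule(perm)
            if public and ports:
                findings.append({
                    "group_id": g["GroupId"],
                    "group_name": g.get("GroupName", ""),
                    "sources": public,
                    "ports": ports,
                    "severity": "critical" if perm.get("IpProtocol") == "-1" else "high",
                })
    return findings


if __name__ == "__main__":
    for f in find_public_exposure(SAMPLE_SECURITY_GROUPS):
        names = ", ".join(f"{p}/{SENSITIVE_PORTS[p]}" for p in f["ports"])
        print(f"[{f['severity']}] {f['group_id']} ({f['group_name']}): "
              f"{', '.join(f['sources'])} -> {names}")
```

Two caveats a practitioner would add: a world-open rule is only reachable if the group is attached to a network interface that actually has a public address and a route to an internet gateway, so a production check correlates rules with instances, ENIs and route tables rather than reporting on groups alone; and the value is in how often this runs, since a rule created minutes after a monthly scan stays invisible for the rest of the month.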
This is where Orca comes into play. “We want to be able to see our whole environment—not just the devices that have an IP address, that might be accessible, and that we know about,” says Hill. “Orca is a great solution for us because we want to give developers the power to be innovative, but need to scan close to real-time without impacting the operations.”
“The IT infrastructure team is happy, too, because we’re taking a view of the total environment, setting it aside, and doing the scanning completely offline. We aren’t asking them to do anything —like install agents—to support this process,” says Hill.
“Orca told us we could have some visibility within 5 or 10 minutes and I thought, ‘There’s no way.’ Well, I was wrong. They really did it and the SideScanning doesn’t impact anything our developers are doing.”
Orca Does the Work of Several Tools in the Security Toolbox
Hill’s team did a PoC with Orca and knew within days how useful it would be. The visibility it gives the security team is unlike anything other tools can provide—even those with agents installed on devices. “I can’t understate the importance of getting visibility of the whole cloud in an offline fashion so as not to interrupt any operational and production access. Orca’s SideScanning™ method is truly innovative,” says Hill. “It takes away any friction with our IT group.”
“The most important thing for a security person is to know what is there in order to extend the right controls to the right environment. Orca gives us that full visibility so we know where to focus our energy.”
Live Oak had been using traditional, industry-leading vulnerability scanners for cloud assessments. Hill finds that Orca does a more complete job of scanning the cloud assets without the need for cumbersome agents. “The best practice for running agent-based tools is monthly. I’m not comfortable going that long between scans,” says Hill. With Orca, he can run it daily without any impact on production.
“We plan to replace several one-off solutions with Orca because Orca does much more than just vulnerability scanning. It looks for data loss prevention. It does virus scanning. It performs an inventory. Orca does it all, while saving us both time and money.”
Orca Facilitates Compliance with Federal Regulations for Financial Institutions
Live Oak Bank has a sprawling AWS estate. Hill says they have over a dozen orgs—each being its own AWS mini-datacenter. In addition, the bank has fintech partners that use both AWS and Azure, with Live Oak’s systems interconnecting them.
As a chartered bank, Live Oak must comply with data privacy and security regulations. Here, the FDIC, as a member of the Federal Financial Institutions Examination Council (FFIEC), issued a statement addressing the use of cloud computing services and security risk management principles in the financial services sector. “The FDIC statement letter is just guidance today, but we expect it to become a requirement soon,” says Hill. “Orca helps us convey the security posture of our cloud environments, which is extremely important for us as a bank. Our corporate risk group finds it very advantageous to have a tool like Orca to meet this need.”
Due to regulatory requirements governing financial data, Live Oak uses a hybrid-SaaS version of Orca Security, called Orca Pod. It permits the bank to keep its data in its own environment while only transferring metadata to Orca.
“When my peers ask me about Orca, I tell them, ‘If you’re in the cloud or thinking about the cloud, you need a tool like Orca that gives you the ability to be proactive. Without it, you’re just guessing.’”
Thomas Hill, Chief Information Security Officer, Live Oak Bank