Attacks against financial institutions are sophisticated and getting worse. Staying on top of these changes can seem like an impossible task, given the increasing complexity of attack vectors and growing industry regulations.

Troy Wunderlich, VP, Director of Operational Risk of Washington Trust Bank, remarks “I think future cybersecurity oversight will focus more on the management process and less on checking the boxes on security tools deployment. Regulators and industry experts realize that there are enough technical solutions out there to consolidate information and data from our networks to provide real-time alerting. Now, there is a real need and requirement to demonstrate that you can manage your information security and that you have adequate reporting coming out of your cybersecurity program that can be used to demonstrate to senior leadership, the Board and to regulators that you have your arms around this from a management standpoint. We’ve got to continue to build out tools and processes to stay ahead of the game and to stay up on what’s happening.”

Troy's forward-thinking approach led him to look for a new type of Cybersecurity Management (CsM).


Washington Trust was actively looking at various security cyber options to see what was available in the market. They were looking for a way to build management processes around cybersecurity.

“DefenseStorm consolidates technical tools for monitoring your network and remediating incidents with builtin management processes that are linked to your policies. And I can report in real-time to my board and to regulators on how secure our network is. The ability to get good reports that are meaningful to management is something that DefenseStorm brings to the table that we just didn’t have.”

Top concerns that led to selecting DefenseStorm:

  • Management Reporting
    By having real-time comprehensive reporting that demonstrates how WA Trust's alerting capabilities link to their policies and that they are managing alerts and incidents in a timely fashion is something that they want their Board of Directors to engage with, because it's more believable than just telling them to trust that the IT security team is doing the right things.
  • Policy Compliance
    By linking every alert to a policy, WA Trust is able to measure the effectiveness of their policies and controls, as well as what policies are being violated and how frequently they are happening. This data can be used to justify additional employee training or even a policy modification.
  • Optics Across the Network
    Troy Wunderlich, Director of Risk Management at Washington Trust, states, "We had some tools before, but those tools were independent of each other, so different things might trigger different alerts. With DefenseStorm we can correlate everything together and determine what's an incident versus what's a false positive that doesn't require attention. We can filter out so the analysts can focus on the true incidents that need to be remediated and not waste time on things that are not a real issue for us."

Q&A with the WA Trust Bank team

Troy Wunderlich
VP, Director of Operational Risk

Brian Kinsley
IT Security Lead


I think the first ‘ah-ha’ moment, in terms of doing something we couldn’t do before, was getting information about the number of alerts and the amount of incidents that we have coming from our systems. It was kind of a wakeup call when you see the amount of data and information coming off of your alerting systems.

The biggest interaction change we’ve had between management and our technical security team is that because management now has visibility into Alerting and Incident Management, we are able to ask very intelligent questions about what we’re alerting on, why we are alerting on them and why we have a certain severity level on those alerts. It became a very management-focused process, not just a technical process, once we got visibility into what is happening.

Brian: I would say the main change is that the prior system we used was something that we ran inhouse and it required more maintenance to keep that tool running and tuned. We’re spending less time keeping the tool maintained and upgraded, so now we can just focus on building new alerts and researching threats, logs and events.


It demonstrates to management, the board and to regulators that the policies on information security that we have are adequate. Now, we can prove that our policies are being managed and we can demonstrate to ourselves that they’re being managed in the way that we need them to be done right now.


Brian: Having tickets centralized in DefenseStorm as a “1-stop shop” that analysts can get the alert email is valuable. They can go into the system, perform the search and then also track the history. And from the management side, they can also see the status, the SLA, if we complied with all of our policies or if we missed anything. Before, it was done with a separate ticketing system and then it was tracked through email that was sent to the entire team. Then, whoever saw it would grab the ticket, and hopefully they would reply. There wasn’t a central place to find all the tickets or research what was out there to help us.

It helps us to handle the challenges around being secure is by giving us the ability to correlate together different events that might turn into something more significant. So that helps our analysts in evaluating something that’s occurring, when we’re not sure yet what it is. And then turning that into an incident, remediating that, and management’s ability to monitor the activity and the remediation process to ensure that we’re reacting to things quickly to get them taken care of and keeping us secure. It’s helping our analysts to become more efficient.


I appreciate the ability for myself, as the manager, and for our CFO to go into the tool and view a dashboard where we can see what are the events that have occurred, what are the incidents that are being worked, which ones have been remediation and which ones still need to be remediated, who’s working on that and what’s their progress.

We get executive summary information out of the tool that we will use, but also then take to our various committees and our audit board to let them know how this tool is helping us to address our consistent security concerns or incidents that have occurred.

All of our systems in the past were all reporting independently. Now that they’re all reporting into one consolidated system with very good management reporting, we’re able to get much better visibility into what we have to manage and how we have to manage it, plus becoming more efficient, eliminating duplications. Being able to tie that to your policies and then manage to those service levels – that’s the part that no one else can do right now. And that’s where we’re making the most progress.


Brian: My favorite thing is the very responsive nature of the product. I can type in a query and have results back instantly, like Google, where before there were more hardware limitations. I also like ThreatMatch because it provides automatic hits back. When there is an FBI flash alert, DefenseStorm will give me a hit back without doing anything, which definitely saves 5-10 min per search.

My favorite feature of the system is the ability to get management reporting that tells me the number of incidents that we’ve had, the criticality of those incidents and how our team has been able to dispose of and rectify those. The time frame in which DefenseStorm has been able to do that and provide reports on a comprehensive and regular basis has helped give us the comfort that our cybersecurity is being managed correctly.

I like the dashboard. I like how it brings things together because we have a lot of various systems with events and logs that are feeding into DefenseStorm, so that correlation and having one tool to go to and manage the whole security process is one of the biggest benefits that I see. We’re not trying to bring in separate things and manually try to correlate or report on that, it’s all within the tool. We see one view, one picture of everything that’s happening.


I think some technical engineers and security people will think that DefenseStorm will just duplicate what they already have, which could be solutions that consolidate alerting data. But what those technologists need to realize is that management needs systems that bring those things together to report and demonstrate that our technicians are doing what they’re supposed to be doing and doing it in a critically timely fashion, because timely responses to alerts and incidents are what could make or break a security event.

You prepare as best you can by putting in as many layers of protection and security as possible to prevent breaches from occurring, and then by being prepared with a tool like DefenseStorm, where you can quickly respond and remediate anything that occurs to minimize your exposure and the potential loss or harm to customers.

Brian: The product itself is very streamlined and it has a skilled team behind it that is very knowledgable and experienced in security and banking, which I think is a huge value add. So far, it’s been a great product.

Download the case study
Washington Trust Bank

Washington Trust Bank is the oldest and largest privately-held commercial bank in the Northwest, with nearly 750 employees and more than 40 financial centers and offices in Washington, Idaho and Oregon. Since purchasing the bank in 1919, the Stanton family continues to lead Washington Trust Bank with integrity and commitment— driven by the same goal today as when Washington Trust first opened its doors in 1902.