Customer Story

Abri Housing

Leading housing provider Abri, partners with BlueFort to discover a complete view of its attack surface, and implement a continuous threat exposure management (CTEM) program with automated validation and testing.
Abri is one of the largest housing associations in the south of England. It builds, owns, looks after and sells homes that people can afford. This includes homes for affordable and social rent, as well as homes to buy through Shared Ownership and Help to Buy. Directly tackling the problem of a lack of affordable homes in the UK, Abri currently has 35,000 homes and 80,000 residents living in them.

Key challenges

  • Lack of visibility over IT estate with legacy vulnerability management approach missing hidden assets, misconfigurations and vulnerabilities.
  • Legacy hardware inherited during recent merger running outdated applications.

Overview of the situation

The social housing sector is in a state of major flux, and like many organisations, is facing many challenges all at once. While mergers have long been a feature of the social housing sector, there’s been a significant uptick in recent years, with housing providers looking to take advantage of economies of scale, increase efficiencies, and encourage administrative savings in the business.

Abri Homes was formed out of the merging of Radian Homes and Yarlington Homes in October 2020. As a result of the merger, Abri inherited a second IT infrastructure, which included a significant amount of legacy hardware running outdated applications. 

As part of the work and services Abri provides, it holds a lot of sensitive information about its customers—data that must be protected in order for Abri to meet its legal and regulatory compliance requirements.

Quote marks

“We just ran a scan. It found everything within an incredibly short amount of time and highlighted some of the historical data that needed to be deleted. It was a huge time saver. It’s basically like having an extra member of your team! The platform is very powerful, very intuitive and easy to use. Partnering with BlueFort was absolutely the right decision for us.”

Ian Butcher, IT Security Manager at Abri Housing

Deploying a continuous threat exposure management (CTEM) program based on discovery and validation of Abri’s complete attack surface

BlueFort views an organisation’s IT estate through the lens of its continuous discovery, validation and control methodology. This is closely aligned to the NIST framework and Gartner’s Continuous Threat Exposure Management (CTEM) program, which recommends organisations establish regular repeatable cycles to establish consistent, actionable security posture remediation plans, that are easily understood at both a business operations and a technical level.

The initial challenge that BlueFort’s consultants helped Ian Butcher, IT Security Manager at Abri Housing meet, focused on the discovery pillar in the methodology. This meant identifying what assets the organisation had, where they resided, what its security state was, and, importantly for compliance purposes, what urgent remediations needed to be made.

Like many organisations, the true scope of Abri Housing’s attack surface exceeded its legacy vulnerability management approach, so clearly establishing and defining the organisation’s attack surface was also a critical first step; as this represents the most vulnerable entry points potential threat actors might look to exploit.

The discovery process identified all of the IT assets that make up the organisation’s attack surface—even ones that were not currently known or initially visible—uncovering hidden assets, misconfigurations and vulnerabilities.

To put effective controls in place, Ian’s team needed to have a 24/7 understanding of the total IT infrastructure, in order to identify potential and actual weaknesses in Abri Housing’s security posture.

Automated penetration testing and immediate vulnerability remediation

BlueFort recommended an automated penetration testing platform to automate testing across all attack surface layers, by safely emulating insider and outsider attacks. Much more than simply testing security controls, BlueFort’s solution delivers a real-time, hands-on experience, that can assist IT security teams in deciding where to focus their efforts next.

The initial scan identified all assets and vulnerabilities that needed to be immediately remediated, in order for Abri to meet its regulatory obligations. 

Abri Housing is now widely using BlueFort’s platform to ensure it has up-to-date validation of its entire security program at a moment’s notice, including security policies, password configurations and critical assets. The primary report used is the black box penetration test, which determines the vulnerabilities that are exploitable from outside of Abri Housing’s network.

Validating and verifying threats facing the organisation, based on the identified and prioritised points of weakness provides a complete, detailed, and realistic view of Abri Housing’s security posture. Validation is about confirming whether there is potential for threat actors to exploit vulnerabilities by analysing all potential attack vectors, based on the tools, techniques, and procedures (TTPs) an attacker might use. It tests readiness for the latest advanced threats, to provide a reliable view of the impact of exploiting each potential weakness. Security assessments are no longer a static annual exercise, but a continuous part of Abri Housing’s cybersecurity posture.      

Drawing continuous value from Evolve

Ian and his team now work with BlueFort through its Evolve program – a cyber services platform that provides flexible and on-demand access to skills and expertise. BlueFort’s industry experts have gone through the vetting, testing, and curation of exciting new technologies, to help organisations cut through the noise of the cybersecurity market, deliver proactive cyber market research and provide enhanced support.

With BlueFort’s automated security penetration testing under control—continuously testing and validating Abri Housing’s security infrastructure—Ian works alongside BlueFort’s consultants to action the threat validation information and remediation recommendations it delivers; focusing on implementing effective controls for the most impactful vulnerabilities facing the organisation as they arise.

See how BlueFort can help you simplify your cybersecurity