De-risking in Practice: How Qualys Customers are Driving Value in Their Organizations

Thomas Nuth

As the threat landscape continues to grow in complexity, it has become more important than ever for the modern enterprise to measure, communicate, and eliminate cyber risk with efficiency.

What does that mean in practice? Over the last two days, during the 2023 Qualys Security Conference (QSC) taking place in Orlando, Florida, November 6-9, 2023, Qualys speakers and customers have been demonstrating the impact that embracing this mindset can have when it comes to solving complex cybersecurity challenges. Whether the focus is narrow in scope (such as web apps on embedded devices) or broad (such as cyber risk reporting at an executive level), QSC attendees have seen firsthand how a risk-based approach to asset, attack surface, vulnerability management, threat remediation, and more can be leveraged as a business enabler with measurable results.

Here are a few stories from the last two days:

Cintas: Consolidating the approach with Risk-Based Vulnerability Management

For Cintas Security Operations Manager Tom Scheffler, visualizing and securing a distributed network spanning 13 distribution centers and over 47,000 employees is no small task. As a $10 billion company full of acquired businesses and over 11,000 distribution routes, accurate asset management, risk-based vulnerability management, and tooling consolidation was a central reason for Cintas in choosing Qualys as their partner.  

 “By eliminating point solutions, we can unify asset intelligence from everywhere in Cintas and measure cyber risk by asset group. This allows us to communicate risk effectively within our organization, and it helps our teams prioritize their work,” Scheffler said.

Prior to Qualys, security teams were inundated with risk alerts and daily patching tasks coming from disjointed security and IT asset management tools. Prioritizing vulnerabilities was an arduous task, compounded by an extensive network of external, internet-facing assets. As a result, Cintas did not have a reliable means of measuring or reducing cyber risk, and cyber risk insurance premiums skyrocketed as a result.  

VMDR with TruRisk aggregation and interpretation of disparate risk signals in one unified dashboard.

By adding CSAM to VMDR, Cintas now has 100% coverage of its external attack surface (including mergers, acquisitions, and subsidiaries). In fact, Cintas has seen a 300% increase in the visibility of internet-facing assets. With Patch Management built natively into the platform, Scheffler said that Cintas has reduced MTTR from 2 months to 8 days for critical vulnerabilities and a double-digit reduction in cyber insurance costs.

“We like the term ‘risk-based approach’ because it allows us to show stakeholders where the greatest risks to Cintas are, and then we can align our resources to eliminate that risk,” according to Scheffler.

Positive Business Impact of Qualys for Cintas:

  • 300% increase in the visibility of internet-facing assets.
  • Reduced MTTR from 2 months to 8 days for critical vulnerabilities
  • Double-digit reduction in cyber insurance costs

Associated British Foods: Improving visibility and standardizing communication of cyber risk

While it’s clear that a major theme from QSC Orlando is measuring, communicating, and eliminating cyber risk efficiently, that can be easier said than done when 132,000 employees are operating across 53 countries. This is the case for Associated British Foods, which previously managed cyber risk and compliance from over 300 homegrown dashboards, with disjointed data leading to inefficient work.

Tom Copeland (Head of Governance, Risk and Compliance & Sr IT Security Manager) and his team made it a mission to unify vulnerability management along with cyber risk and compliance reporting using Qualys VMDR with TruRisk.

“We needed a platform that could scale across geolocations to translate risk insights in a common dashboard. VMDR with TruRisk not only provides flexibility across business units with a tagging system, but also provides consistent cyber risk measurement so we can scale remediation and compliance efforts,” said Copeland.

Over the last few years, Associated British Foods has gone from disjointed and ad hoc security/compliance efforts to achieve:

  • Consistent and actionable cyber risk metrics with TruRisk across BUs
  • Asset tagging across the org to reflect risk and remediation
  • Improved user permission hygiene with processes to disable and delete inactive accounts
  • External site scanning to add/remove sites and maintain compliance with Web Application Scanning
  • Consolidated cyber risk over 300 dashboards into three primary templates for Management, SecOps, and IT Ops
Three-step process for reduced cyber risk and cyber risk posture improvement for Associated British Foods

Today, Associated British Foods can measure risk with VMDR and TruRisk, communicate risk with streamlined reporting and dashboards, and eliminate risk with defined workflows within a single platform. Even better, Qualys TruRisk is driving risk standardization across the organization, which is continuing to improve its risk posture over time in a measurable way.

Positive Business Impact of Qualys for Associated British Foods:

  • 30% Improvement in operational efficiency​ through automated remediation
  • 60,000 client vulnerabilities ​patched over 48hrs​
  • Reduced mean-time-to-discover (MTTD) vulnerabilities to under 4 hours

Vertiv: Scanning embedded devices with Web Application Scanning (WAS)

In the past, we’ve documented Vertiv’s use case for the Enterprise TruRisk Platform to gain 100% visibility across the attack surface. Yesterday, Director of Product Security Jeremy Block provided an overview of a more specific challenge: securing embedded devices.

Vertiv manufactures many devices that run a web server and application for UI and system integration. Embedded devices running web applications are susceptible to many of the same attacks as typical web apps but are often more limited when it comes to remediation efforts.

Block identified Qualys Web Application Scanning (WAS) as a vehicle for runtime testing against embedded devices and as a path to prioritize risks and misconfigurations based on OWASP Top 10, CWSS, and CVSS.

“It has increased the efficiency of our engineering teams and allowed them to eliminate risks that our customers used to find in their own AppSec programs,” Block said. “It has increased our customers’ trust in Vertiv and decreased the total cost of security issues on our end.”

Positive Business Impact of Qualys for Vertiv:

  • 100% Asset Visibility
  • 4-hour mean-time-to-respond (MTTR) to known vulnerabilities
  • Key Performance Indicators (KPIs) linking security risk posture to financial impact

IDB Bank: Driving business value with attack surface management.

When VP of Application Security Beatrice Sirchis looked at the constantly evolving technology landscape for IDB Bank, she saw an opportunity.

“Like most businesses, our environment was becoming so complex, we really needed to look at cyber security as a business enabler,” Sirchis explained. “We need to defend against cyber risk and meet stringent security standards for banking, but it can’t slow down the business. I needed an edge to continuously maintain visibility of cyber risk as the environment changes.”  

That opportunity led her to the Enterprise TruRisk™ Platform, and specifically to Qualys CSAM. With CSAM, Beatrice knew she could leverage additional discovery methods to uncover blind spots in her inventory, track, and plan mitigation of EoL/EoS software, and add security agents such as CrowdStrike and Splunk wherever they were missing. She could also build dashboards for Key Risk Indicators (KRIs) to provide transparency to internal auditors and compliance officers.

“We use quite a few applications with outdated versions of Java and .NET,” Sirchis explained. “We need to know exactly where those applications are, the potential risks to the business, and when they must be updated.”

For IDB Bank, the cherry on top is the CMDB integration with ServiceNow. By tagging CSAM assets and syncing with ServiceNow, Sirchis and her team have automated ticket assignments for almost every remediation instance. The end result is a 95% reduction in MTTR.

Qualys CSAM allows my team to be an enabling factor in IDB Bank’s technology advantages. We can move quickly and stay on the cutting edge while maintaining a complete view of cyber risk,” Sirchis added.

Positive Business Impact of Qualys for IDB Bank:

  • 3-12-month ability to plan for operating system and software end-of-life (EOL) and end-of-service (EOS), greatly reducing software supply chain risk
  • 200% improvement in the mean-time-to-discover (MTTD) vulnerabilities
  • 95% reduction in the mean-time-to-respond (MTTR)
  • Key Performance Indicators (KPIs) linking security risk posture to financial impact
The Qualys Enterprise TruRisk Platform

These are just a few of the countless use cases that were on display from Qualys customers at the Qualys Security Conference. From securing the attack surface to detecting and prioritizing vulnerabilities to streamlining remediation, Qualys customers continue to stay ahead of the most critical risks to their businesses.

How can the Enterprise TruRisk Platform de-risk your business? Start a 30-day free trial today!

Share your Comments


Your email address will not be published. Required fields are marked *