International Power Company Vastly Reduces Widely Exploitable Vulnerabilities in Weeks

• Leading International provider of gas, electricity and telecommunications
• 4,500 Employees
• $10 Billion in Revenue
• Struggled to gain visibility into vulnerabilities across business units
• Interview: Enterprise Cybersecurity Leader

• A leading international provider of gas, electricity and telecommunications, with 4,500 employees and $10 billion in revenue, was seeking a tool to gain visibility into vulnerabilities across business units.
• Cybersecurity acts as an advisory function there to discover threats, articulate risk, and help the business units make decisions based on risk appetite.
• We needed a way to demonstrate to the business that we are continually improving our security posture.
• In weeks, they saw a 100% reduction in widely exploitable vulnerabilities as identified by Mandiant’s embedded threat intelligence.

“ It is tough for anyone to believe they are secure when they have 29,400 critical/high vulnerabilities (CVSS) in your environment.”

– Cybersecurity Leader

A leading international provider of gas, electricity, and telecommunications looked to Nucleus Security for vulnerability management after struggling to maintain visibility into software vulnerabilities using an open-source tool combined with customized scripts.   

Cybersecurity acts as an advisory function there to discover threats, articulate risk, and help the business units make decisions based on risk appetite. It is tough for anyone to believe they are secure when they have 29,400 critical/high vulnerabilities (CVSS) in your environment, and we needed a way to demonstrate to the business that we are continually improving our security posture. 

We needed a way to demonstrate to the business that we are continually improving our security posture.

– Cybersecurity Leader

They also were struggling with how to gain visibility and work collaboratively with internally developed applications across the different business units they provide advisory cybersecurity services for.

The time and effort associated with maintaining integrations with the homegrown open-source tool required dedicated resources and integrations would continuously break, resulting in an unreliable solution with too much overhead.  Custom development was required to get the open-source vulnerability management solution to work resulting in the need to maintain reams of custom code. The custom code broke often, becoming incredibly costly to maintain. Half a full-time resource was allocated to code maintenance alone, but even this was not enough to maintain a working vulnerability management solution. 

“Custom development was required to get the open-source vulnerability management solution to work resulting in the need to maintain reams of custom code. The custom code broke often, becoming incredibly costly to maintain.”

– Cybersecurity Leader

The business also set expectations that security operations would continue to get more efficient year over year adopting solutions that would drive efficiency and not require additional resources. The model of building and maintaining an open-source vulnerability management solution just wasn’t sustainable. Therefore, they began evaluating commercial solutions when they discovered Nucleus.

Cybersecurity champions, security architects, and technology leadership knew they needed to streamline their vulnerability management program and looked to Nucleus for help. By providing access to Nucleus across the business, the cybersecurity and technology teams now were enabled with visibility into application assets and vulnerabilities in a way that was never possible before. Nucleus integrated quickly into their existing technology stack including their GitHub source code repositories, software composition management tool Dependebot and Static Application Security Testing tool CodeQL. 

“Helping get remediation on the right vulnerabilities is hard, but in a noticeably brief time we were able to get our widely exploitable vulnerabilities to zero with Nucleus’s seamless connectors and embedded threat intel from Mandiant.”

– Cybersecurity Leader

They then layered in business context of their assets and with embedded threat intel from Mandiant, Nucleus empowered the team to prioritize and fix vulnerabilities as opposed to being overwhelmed by them. The company’s portfolio of large applications has thousands of vulnerabilities, but with Nucleus’s threat intel context they know which ones are being exploited in the wild and worthy of their attention. 

“The threat intel integration gave our team visibility on what critical risks to prioritize that we would not have known otherwise and the fact that it’s included with our Nucleus subscription is amazing. All our stake holders are incredibly happy!”

– Cybersecurity Leader