A leading international provider of gas, electricity, and telecommunications looked to Nucleus Security for vulnerability management after struggling to maintain visibility into software vulnerabilities using an open-source tool combined with customized scripts.
Cybersecurity acts as an advisory function there to discover threats, articulate risk, and help the business units make decisions based on risk appetite. It is tough for anyone to believe they are secure when they have 29,400 critical/high vulnerabilities (CVSS) in their environment, and we needed a way to demonstrate to the business that we are continually improving our security posture.
They were also struggling to gain visibility into, and collaborate on, internally developed applications across the different business units they provide advisory cybersecurity services for.
Maintaining integrations with the homegrown open-source tool required dedicated resources, and the integrations broke continuously, resulting in an unreliable solution with too much overhead. Custom development was required to get the open-source vulnerability management solution to work, which meant maintaining reams of custom code. That code broke often and became incredibly costly to maintain. Half a full-time resource was allocated to code maintenance alone, but even this was not enough to keep a working vulnerability management solution.
The business also set the expectation that security operations would become more efficient year over year by adopting solutions that drive efficiency without requiring additional resources. The model of building and maintaining an open-source vulnerability management solution just wasn't sustainable. Therefore, they began evaluating commercial solutions, which is when they discovered Nucleus.
Cybersecurity champions, security architects, and technology leadership knew they needed to streamline their vulnerability management program and looked to Nucleus for help. By providing access to Nucleus across the business, the cybersecurity and technology teams gained visibility into application assets and vulnerabilities in a way that was never possible before. Nucleus integrated quickly into their existing technology stack, including their GitHub source code repositories, the software composition management tool Dependabot, and the Static Application Security Testing tool CodeQL.
They then layered in the business context of their assets, and with embedded threat intel from Mandiant, Nucleus empowered the team to prioritize and fix vulnerabilities rather than be overwhelmed by them. The company's portfolio of large applications has thousands of vulnerabilities, but with Nucleus's threat intel context they know which ones are being exploited in the wild and worthy of their attention.
100% Reduction in Widely Exploitable Vulnerabilities in Weeks
In weeks, they saw a 100% reduction in widely exploitable vulnerabilities as identified by Mandiant's embedded threat intelligence. By prioritizing 40 widely exploited vulnerabilities within Nucleus, they went from 40 to 0 in weeks, which significantly reduced the organization's risk and was an easily demonstrable success to share with their leadership teams.
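The prioritization described above (exploited-in-the-wild intel and asset exposure ranked ahead of raw CVSS, then progress reported as "exploited findings remaining") can be shown with a few lines of code. This is an added illustration, not Nucleus's or the customer's code; the `Finding` fields, the constructed sample backlog and the CVE-style identifiers are all assumptions made up for the example, and the sort order is one reasonable policy rather than the product's actual scoring.

```python
"""Rank a vulnerability backlog by exploitation intel and exposure before CVSS.

Illustrative code, not the Nucleus platform's scoring. The sample data below is
constructed for the example; the CVE-0000-* identifiers are placeholders.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class Finding:
    cve: str                 # vulnerability identifier (placeholder values below)
    asset: str               # application or host the finding applies to
    cvss: float              # CVSS base score from the scanner
    exploited_in_wild: bool  # flag from a threat-intel feed (assumed field)
    internet_facing: bool    # business/asset context supplied by the owner (assumed)


def priority_key(f: Finding):
    """Sort key: actively exploited first, then internet-facing, then CVSS descending.

    Python sorts tuples element by element and False < True, so negating the
    booleans puts the 'True' findings first.
    """
    return (not f.exploited_in_wild, not f.internet_facing, -f.cvss)


def prioritise(findings: Iterable[Finding]) -> List[Finding]:
    """Return the backlog in the order remediation should be worked."""
    return sorted(findings, key=priority_key)


def critical_or_high(findings: Iterable[Finding]) -> List[Finding]:
    """What a CVSS-only queue would surface (score >= 7.0)."""
    return [f for f in findings if f.cvss >= 7.0]


def exploited(findings: Iterable[Finding]) -> List[Finding]:
    """The much shorter list that threat intel says is worth attention first."""
    return [f for f in findings if f.exploited_in_wild]


def remaining_exploited(findings: Iterable[Finding], remediated: Set[str]) -> int:
    """Progress metric for leadership: exploited findings not yet remediated."""
    return sum(1 for f in exploited(findings) if f.cve not in remediated)


def summary(findings: List[Finding]) -> dict:
    """Headline counts for a report: total, CVSS critical/high, exploited in the wild."""
    return {
        "total": len(findings),
        "critical_high": len(critical_or_high(findings)),
        "exploited": len(exploited(findings)),
    }


# Constructed sample backlog (not real findings). Note CVE-0000-0006: medium CVSS
# but exploited in the wild on an internet-facing asset, so a CVSS>=7 queue would
# miss it while an intel-first queue ranks it second.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "billing-api", 9.8, False, True),
    Finding("CVE-0000-0002", "billing-api", 7.5, True, True),
    Finding("CVE-0000-0003", "intranet-portal", 8.1, True, False),
    Finding("CVE-0000-0004", "intranet-portal", 5.3, False, False),
    Finding("CVE-0000-0005", "metering-gw", 9.1, False, False),
    Finding("CVE-0000-0006", "metering-gw", 6.5, True, True),
]


if __name__ == "__main__":
    print(summary(SAMPLE_FINDINGS))
    for f in prioritise(SAMPLE_FINDINGS):
        print(f"{f.cve} {f.asset:16} cvss={f.cvss:<4} exploited={f.exploited_in_wild}")
    fixed = {"CVE-0000-0002", "CVE-0000-0006"}
    print("exploited remaining after first fixes:",
          remaining_exploited(SAMPLE_FINDINGS, fixed))
```

Run as a script it prints the headline counts, the worked order, and the "exploited remaining" figure that drops to zero once every intel-flagged finding is remediated, which is the kind of number the case study reports to leadership.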
Shifting Left in the Software Development Lifecycle
Initially, a top-down approach to vulnerability management brought in data from an application repository full of vulnerabilities that was completely disconnected from the business and lacked context. Giving teams visibility into vulnerability risk earlier in the SDLC with Nucleus helped tremendously. Through integration with developers' native tools, including Jira, the security team is now able to share vulnerabilities with the developer teams and work collaboratively to remediate critical software vulnerabilities fast.
Enabling the Business with Visibility into Risk
Internal business units now have visibility into vulnerability management coverage and can make their own decisions based on the context of their own business unit. Having the business context, and knowing whether a vulnerability is weaponizable, pushes decision-making out to the business units. Organizations are always under pressure; now they have the context to decide what to prioritize.
Expanding Coverage Beyond Software Development
With vulnerability coverage across the organization's software application stack, they can now focus on expanding vulnerability management coverage to all their assets. They started incorporating pentest results into the Nucleus platform, which lets them easily gain visibility into identified risk and delegate remediation to the right stakeholders. They plan to expand the use of Nucleus to broader network coverage using the integration with Qualys, quickly gaining access to network assets and the vulnerabilities associated with them. This will give the organization full visibility across all assets and vulnerabilities so they can easily make the right business decisions regarding organizational risk and vulnerability management.