How Mandiant helped a global enterprise manufacturer shift focus from 250k+ vulnerabilities to the 7 that matter most using Nucleus
The Partner
Mandiant, now part of Google Cloud, is recognized by enterprises, governments, and law enforcement agencies worldwide as a market leader in threat intelligence and expertise gained on the frontlines of cyber security. To make organizations confident in their readiness to defend against and respond to cyber threats, Mandiant scales its intelligence and expertise through automated solutions. Embedded within the Nucleus unified vulnerability management platform, Mandiant Threat Intelligence identifies the most relevant security risks with context on malicious actors and exploitability. At the same time, Nucleus operationalizes and unifies all assets and vulnerability data for fast (and precise) remediation. For this case study, we spent time with Caleb Hoch, Principal Security Consultant with Mandiant, to better understand the positive impact the adoption of Nucleus, Mandiant Threat Intelligence, and Mandiant Consulting has had on an enterprise customer.
The Customer
- A U.S.-based global manufacturing company with 3,500 assets across 20+ applications
- No dedicated vulnerability management team; 2-3 person dedicated security team
- Uses Mandiant as a security consultant guiding all vulnerability management efforts and the overall security strategy and leadership
- Technology Stack: Qualys, M365, Microsoft Teams, ServiceNow, Power BI.S
The Need
With no dedicated vulnerability management team and no set of standards or policies in place to ensure consistent scanning and vulnerability prioritization and triage, the customer needed a solution to gain complete visibility into their assets and vulnerabilities across the org. It also needed an effective way to get a handle on the significantly large number of vulnerabilities they were attempting to tackle each week (to no avail) manually. Mandiant, often being called upon to manage or establish a vulnerability management program within enterprises, needed a solution that gives a complete view into where vulnerabilities exist across an org and which are truly critical for that business, then accelerates the remediation of those.
The Challenge
One of the biggest detriments to a successful vulnerability management program is no visibility into your assets and vulnerabilities – and that’s precisely why the organization began working with Mandiant. Like many other sophisticated organizations, the investment in an effective vulnerability management program had been minimal. It was common to discover that the org’s security practices were relatively immature, and no vulnerability management process existed, despite setting up a scanner instance 7-8 years prior. Like many large-scale organizations today, this customer had inconsistent vulnerability scanning (and remediation) and spent most of its time firefighting against vulnerabilities that popped up in the news and caught the attention of their C-Level executives, resulting in lots of frenzied triaging and ineffective collaboration to determine if their organization was in fact vulnerable.
Relying on basic CSV exports to manage their vulnerabilities, their vulnerability management efforts included an overwhelming amount of manual copy-and-paste work with uncertain progress. With no formal process for scanning, they were stuck manually reviewing CVEs when new vulnerabilities popped up. With hundreds of thousands of vulnerabilities to check weekly, this translated to lots of triage and activity with little context or guidance. There was also no great way to see what was happening across their environment, let alone dial in to which vulnerabilities existed in their system that were truly critical to their business. There was no easy way to see what the customer was actually vulnerable to.
But before shifting to a modern intelligence-led vulnerability management program, the customer needed clear visibility over their assets. One of the first things that Mandiant did after coming on board was to migrate the customer to a combo of a vulnerability scanner they could use and Nucleus Security to replace their previous vulnerability scanner, as well as implement updated scanning, vulnerability prioritizing, and triage. The result was 256,000 vulnerabilities uncovered in their new solution.
When you have 256,000 vulnerabilities, where do you start? Take all the CVSS 10s and work your way down? Focus on critical/highs first? When you do that, you miss most of the most critical vulnerabilities which may be rated lower but pose a much greater threat to your organization.
From there, the next step was to work with Nucleus and the power of Mandiant’s Threat Intelligence.
The Solution
After integrating with Mandiant Threat Intelligence and risk-based vulnerability management in Nucleus, this customer quickly moved from informal processes and needing help knowing where to start, to fully understanding (and addressing) their vulnerability situation.
Through intelligence-led vulnerability management informed by Mandiant Threat Intelligence embedded in Nucleus, and the business context plus vulnerability and asset data operationalized in Nucleus, this customer moved from no one understanding what to fix (and why) to everyone understanding what to fix (and why) within 1-2 weeks.
To fully onboard, deploy and configure Nucleus, it took about 40-man hours once the initial ingests of vulnerabilities occurred. This process included setting up the Nucleus agent, getting data into Nucleus, getting all the assets grouped, and setting up the automation rules for vulnerability findings for fast and accurate prioritization and remediation.
After implementation was complete, within hours, Nucleus took the 256,000 vulnerabilities identified by the vulnerability scanner and combined the business context customizable in Nucleus with the threat intel provided by Mandiant (i.e., Mandiant Ease of Attack, Mandiant Risk Rating, Exploit Rating, and Exploit in the World). The customer had 7 confirmed critical threats to hyper-focus on first.
The Nucleus platform shows more than just a CVSS score, making it easy to refer to Mandiant exploitation data, attack paths, and Mandiant's ease of attack without logging into multiple tools.
Nucleus could also easily integrate with the customer’s existing technology stack allowing the customer to quickly pivot between tools to communicate and effectively handle the politics of vulnerability management with the 100+ integrations available in Nucleus. This also included the ability to build additional reporting dashboards that plug into Nucleus’ API, making popular data visualization tools easy to use alongside Nucleus.
For this customer, another key value of the Nucleus unified vulnerability management platform is quickly understanding vulnerability metrics and trends, such as the number of total vulnerabilities in an environment at a given time and why they are there in the first place. They also value the ease of use and simplified search functionality — you don’t have to be a SQL expert to query successfully in Nucleus.
Technical teams think Nucleus is great because they can easily see why things are seen as critical beyond CVSS scores, and the upper leadership teams love Nucleus because of the reporting capabilities and the things we've been able to show them via the Power BI integration, which helps them track total vulnerability counts, risk severity, and scores.
Today, the customer understands which vulnerabilities are most critical for their business and uses a written set of standards and policies for updated scanning and vulnerability prioritization and triage. The customer has also migrated to a Nucleus and third-party vulnerability scanner combo, quickly seeing more value and significant cost savings over their previous product set. Additionally, the Mandiant Consulting group continues to expand its use of Nucleus to transform and mature customer vulnerability management processes and programs.
From no formal processes to all vulnerabilities prioritized based on threat intelligence and defined processes within Nucleus, in weeks.
The Outcomes
A More Mature Vulnerability Management Program in a Short Period of Time
By enabling Mandiant to rapidly build intelligent processes around this customer’s existing tech, the customer matured their vulnerability management programs and approaches very quickly, taking the organization from immaturity to maturity in weeks. Nucleus helps customers quickly stand up and mature their vulnerability management through Nucleus’ technical capabilities, such as automation, prioritization, SLAs, ticket creation, and more.
Understanding the "How" behind Vulnerability Threat Intelligence
By leveraging Mandiant’s threat intelligence, Nucleus helped this customer operationalize their threat intelligence by answering how to use vulnerability threat intelligence successfully. With Nucleus, customers can see all their vulnerabilities on a per instance, per vulnerability basis, tied to intelligence, within a short period of time.
Clear Visibility into Prioritization, Integrated with Business Context
Nucleus brings everything together and helps aggregate, analyze, and correlate all vulnerability and asset data. From the start, with no formal processes, all vulnerabilities are prioritized and tied to threat intelligence within Nucleus. The customer can easily see where the risk is and find the reasons particular vulnerabilities are prioritized, including why an attack path is easy to exploit and if a particular vulnerability is being exploited in the wild. With Nucleus, customers can quickly move beyond simply scanning each month.
Working Faster and Smarter with Automation
Before, the customer used manual CSV exports to manage their vulnerability prioritization. Now, with Nucleus’ automated ticketing and automation rules, they can quickly build and write intuitive rules that send the right information tot he right teams where they are already communicating. This ensures that they are getting tot he right vulnerabilities faster and saves time, as they can gain insight into everything in a single view, speeding up their vulnerability triage and remediation process