How a DAX company dealt with 1 million vulnerabilities


This case study describes the experience of a DAX company that was able to eliminate a large mountain of vulnerabilities through clearly prioritized Cyber Fitness Workouts, without the need for additional security experts.

Learn how the company, rather than despairing at a million vulnerabilities reported by scanners such as Qualys, Nessus and Rapid7, brought order to them through prioritization.

You will also learn about the underlying business case, which saves several hundred thousand EUR per year.

  1. 1 Million vulnerabilities. What now?
  2. Reduce Hackability Score by 24% with just 4 Cyber Fitness Workouts
  3. The business case with clear ROI
The Autobahn customer's situation at the outset
1 million vulnerabilities would overwhelm any IT team

Our story begins in the security team of a leading DAX corporation. The corporation relies on a well-known vulnerability scanner to detect security issues in internal and external production networks.

The scanner detects 1 million vulnerabilities. As a result, the IT admins who are supposed to fix the vulnerabilities feel overwhelmed. The effort seems infeasible, and neither the security teams nor the admins know where to find the time and knowledge needed to effectively prioritize and remediate such a large number of vulnerabilities.

The solution
Consolidating and prioritizing security vulnerabilities in Cyber Fitness Workout

Instead of solving 1 million vulnerabilities one by one, the team opted for a platform that groups and prioritizes scan results into easy-to-implement steps to address the root causes – rather than analyzing each vulnerability individually.

Autobahn Security takes scan results, groups and de-duplicates them, and runs them through our prioritization engine. From these results, we calculate the Hackability Score and provide step-by-step instructions – our Cyber Fitness Workouts – to improve the score within the Cyber Fitness Journey.

The team has been using Autobahn Security for two years now and was able to demonstrate measurable and significant progress in IT security with a handful of remediation actions in the first month.

The top 4 Cyber Fitness Workouts reduced the Hackability Score by 24%

Based on the scan results, Autobahn identified critical issues such as forgotten middleware patching and hardening gaps around Red Hat Linux. In total, the resilience of 720 IT systems, each missing up to dozens of patches or hardening settings, was improved in the first month. This improvement was achieved with just three Cyber Fitness Workouts, each addressing a bundle of systems and issues at once.

The external scan also showed clear potential for improvement. With a single Workout from Autobahn – patching a web server implementation in an externally accessible network – the Hackability Score went down by 11%.

The total of 4 Cyber Fitness Workouts in the first month lowered Hackability by 24%
After the top 10 Cyber Fitness Workouts, the Hackability Score was already enhanced by 46%

Having trouble assessing and prioritizing cybersecurity gaps?

There’s a better way. Run the hundreds of thousands of vulnerabilities discovered by Qualys, Nessus, Rapid7 and other vulnerability assessment tools through Autobahn Security’s aggregation and prioritization engine. Intelligently transform an overwhelming list of to-dos into a few Workouts that are user-friendly, easy to follow, and peer-reviewed. Cyber Fitness Workouts are designed to be executed by non-security experts, so your remediation plan scales better.

The figure shows how 964,024 vulnerabilities discovered by the scan engine were eliminated, enriched and reclassified by Autobahn Security, and then mapped into 79 Cyber Fitness Workouts. The top 4 Cyber Fitness Workouts alone reduced the Hackability Score by approximately 24%; the top 10 Cyber Fitness Workouts together reduced the Hackability Score by approximately 46%.
964,024 vulnerabilities discovered through the scan engine and turned into simple Cyber Fitness Workouts
How your IT team easily applies prioritized solutions

Simply scanning your IT assets and identifying security risks does not make your organization secure.

Successful remediation depends on a good risk prioritization plan that considers the impact of remediation on your organization’s security posture. Autobahn Security’s prioritization system ranks vulnerabilities based on how easy they are to exploit from a hacker’s perspective.

That’s when Autobahn Security’s Cyber Fitness Workouts come into play. These intuitive step-by-step guides show you how to fix the most important vulnerabilities – and are written so you can send them to IT leaders to implement on their own.

Figure 1. An example of a Cyber Fitness Workout in the Autobahn Security platform. Each Workout provides an overview of the effort it requires – and how much each Workout will impact your organization’s Hackability.

Although the spectrum of possible attacks is broad, you can often fix multiple vulnerabilities by installing a single patch or changing a few settings. The Cyber Fitness Workouts developed by Autobahn Security explain how you can do just that: what specific steps are critical to making your organization more secure.
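The grouping described above (de-duplicate findings, bundle them by the single action that fixes them, and rank the bundles by exploitability-weighted share of the total) can be sketched in a few lines. The following is an added illustration, not Autobahn Security's engine or code; the scanner findings, the "hackability" weighting and the ranking rule are constructed assumptions for the example.

```python
from collections import defaultdict

# Constructed sample of raw scanner findings (not real customer data). A finding is
# (host, finding_id, remediation_action, exploitability 0..1). The repeated rows
# stand in for the same finding reported by two scanners.
RAW_FINDINGS = [
    ("10.0.0.1", "CVE-X1", "patch-middleware", 0.9),
    ("10.0.0.1", "CVE-X1", "patch-middleware", 0.9),           # duplicate
    ("10.0.0.1", "CVE-X2", "patch-middleware", 0.7),
    ("10.0.0.2", "CVE-X1", "patch-middleware", 0.9),
    ("10.0.0.3", "WEAK-SSH", "harden-rhel-ssh", 0.4),
    ("10.0.0.4", "WEAK-SSH", "harden-rhel-ssh", 0.4),
    ("10.0.0.4", "WEAK-SSH", "harden-rhel-ssh", 0.4),          # duplicate
    ("203.0.113.9", "CVE-WEB", "patch-external-webserver", 1.0),
    ("10.0.0.5", "INFO-BANNER", "hide-banner", 0.1),
]

def dedupe(findings):
    """Collapse identical (host, finding_id) pairs reported by several scanners."""
    unique = {}
    for f in findings:
        unique.setdefault((f[0], f[1]), f)
    return list(unique.values())

def build_workouts(findings):
    """Group findings by the action that fixes them; rank by share of total weight."""
    unique = dedupe(findings)
    total = sum(f[3] for f in unique)   # assumed 'hackability': sum of exploitability
    groups = defaultdict(lambda: {"hosts": set(), "findings": 0, "weight": 0.0})
    for host, _fid, action, expl in unique:
        groups[action]["hosts"].add(host)
        groups[action]["findings"] += 1
        groups[action]["weight"] += expl
    workouts = [{"action": a, "hosts": len(g["hosts"]), "findings": g["findings"],
                 "reduction": round(100 * g["weight"] / total, 1)}
                for a, g in groups.items()]
    # Largest reduction first; among equals, the workout touching fewer hosts.
    workouts.sort(key=lambda w: (-w["reduction"], w["hosts"]))
    return workouts

def cumulative_reduction(workouts, top_n):
    """Hackability reduction achieved by completing the first top_n workouts."""
    return round(sum(w["reduction"] for w in workouts[:top_n]), 1)

if __name__ == "__main__":
    ws = build_workouts(RAW_FINDINGS)
    for w in ws:
        print(w)
    print(f"top 2 workouts together: {cumulative_reduction(ws, 2)}% reduction")
```

Nine raw rows collapse to seven unique findings and four workouts; the first two workouts alone account for most of the weighted total, which is the effect the case study reports at scale.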

To illustrate, a patching Workout often includes a step that shows you where to get the latest stable software version. In addition, the workout may tell you what system requirements to consider when updating – or how to create a backup. Workouts also give tips on how to automate updates – or roll back updates – and give the correct order for updating certain components.

Figure 2. An example of the steps included in a Cyber Fitness Workout on the Autobahn platform. Each tutorial is written in a way that is understandable (and actionable) for non-security experts.

The platform is designed to make your IT team’s job as easy as possible: Equipped with the necessary fixes, all they have to do is apply the solutions provided.

Plus, you can easily send tasks to a ticketing system to track remediation progress. Each Cyber Fitness Workout reduces your Hackability Score and continuously improves the security posture.

Figure 3. Another example of the steps included in a Cyber Fitness Workout on the Autobahn platform. Each Workout is detailed and written in a way that is understandable (and actionable) even for non-security experts.


Business Case: EUR 270,000 annual savings for large to medium-sized companies

Effective security measures can achieve two financial goals:

  1. Reduced manual effort: Clear prioritization and easy-to-understand Cyber Fitness Workouts eliminate manual (and often monotonous) process steps. Existing capacity is used more wisely. This is the focus of the Return on Investment calculation on the following pages.
  2. Lower costs resulting from hacking incidents: The number and cost of hacking incidents vary greatly between companies. Therefore, we do not even attempt an estimate based on average values.

However, the following data points should help you with your individual estimate:

  • According to Forrester, the average company with $2 billion in revenue experiences 2.5 data breaches per year
  • According to Forrester, a significant data breach costs EUR 610,000
  • IBM calculates the average total cost of the additional loss of reputation at EUR 1.4 million
Calculation method
The ROI calculation is based on a large to mid-sized company.

The basis of our calculations is the average created by 10 of our customers from the manufacturing, technology, utilities and finance industries.

The average results in an organization with:

  • IT systems (IPs): 1,170
  • Employees: 7,500
  • of which security team: 17.5
  • Turnover: 3 billion EUR
Efficiency gains in Security and IT operations

By reducing the manual effort required to prioritize vulnerabilities and create remediation policies, Autobahn Security achieves significant budget savings.


Automated prioritization pays off within 5.5 months

Finding security experts isn’t easy; neither is providing them with interesting work. Automatic vulnerability prioritization eliminates monotonous manual steps, allowing hacking experts to focus on more interesting topics like pentesting, red-teaming, and blue-teaming.

The time savings alone pay off the annual licensing cost for automation within the first 5.5 months. Add to that your individual savings from fewer security incidents.


Figure 4: Time to Value Chart
Key Figures
  • 3,805 – Hours saved for your security experts
  • > €200,000 – Annual savings through automation
  • 30% – average Hackability reduction after 90 days
  • Plus your individual risk reduction from fewer incidents
How you get started and what you can expect from us within just 1 week
  • Learn the most important aspects of the SaaS platform
  • We start the first vulnerability scan together
  • You will get the first package of prioritized Cyber Fitness Workouts
  • Together with our Cyber Fitness Coach you will discuss the results and work on the Cyber Fitness Workouts

We are available for a personal consultation

During the initial consultation, one of our Cyber Fitness Coaches will discuss your individual challenges, give you a brief product overview, and discuss possible next steps.

You will of course also get free and non-binding test access to the platform.