Every 10 seconds, someone falls victim to a cybercrime. To fight back against cybercriminals, NortonLifeLock (NLOK) builds solutions and services that help to protect devices, online privacy, identity, and home and family needs.
For NLOK, protecting its 80 million users around the world starts with securing its own business systems. The company operates a large and complex IT environment, comprising thousands of endpoint devices across the world, as well as multiple public and private cloud platforms.
“Everything we do with our team aligns with four key objectives. The first objective is to continue improving our understanding of our attack surface whether that's cloud or on premises, second is to detect and predict against emerging cyber threats, which often means zero days,” said Maryann Horst, Sr. Principal Vulnerability Management, Global Cyber Security at NLOK. “Next, if we are affected by an emerging threat, we constantly strive to accelerate our response and recovery time in addressing that threat. And because what NLOK does at its core is security, we also seek to move beyond regulatory compliance towards true security and doing what is right.”
Horst says to help the company’s “customers make their connected lives safer, it’s crucial that we safeguard our employees, systems and data.” More recently, NLOK has “moved an increasing number of our business systems to cloud platforms such as AWS, Azure and Google Cloud Platform,” she says. “While the cloud creates new opportunities to increase agility and bring offerings to market faster, it also creates new challenges from an information security perspective.”
Why they chose Qualys CloudView:
NLOK continually assesses and enhances its approach to security and governance, embracing strategies such as defense in depth to mitigate the threat of security breaches. As its cloud workloads grew, the company realized that its existing approaches to cloud security would be unable to meet its long-term objectives.
“In the past, we used a cloud security tool to map our network security groups and network rules in AWS and Azure, and visualize the connections between them in diagram form,” Horst continues. “If you only have a few accounts, these diagrams can make it relatively easy to understand the relationships between public cloud assets and resources. However, NLOK has hundreds of accounts across multiple cloud vendors, which made it extremely difficult to get the information we were targeting. In addition, the previous tool required frequent and time-consuming supervision—diverting our resources away from value-added security activities.”
To gain deeper insight into its attack surface and accelerate its response to emerging threats, NLOK looked for a new solution for public cloud security.
“Many of the cloud controls we measure in our environments aren’t currently mandated by our regulators. However, we see that it’s vital to lead by example and adopt best practices to protect our employees and customers,” Horst says.
“The key requirements when evaluating a tool is that it help us understand how our cloud accounts are configured and that it’s easy to configure and simple to operate,” says Horst.
That means the tool itself needed to have a good UI, be simple to understand, allow easy access to training, and be simple to configure on the backend by the people that run cloud accounts. “Let me tell you, people are not excited when you're trying to roll out a security tool on their accounts, and they're even less excited about it if it's finicky, and it takes a lot of work to configure on their end,” Horst explains. “Of course, it also needs to be reliable, and provide actionable insights.”
Initially, NLOK was mesmerized by the cool visualizations a previous vendor showcased. Although the tool provided a lot of neat features, the company didn't end up using many of them due to their unreasonable complexity. “What’s worse, we had a full-time employee that had to babysit the tool.” says Horst.
NLOK has had a much different experience with Qualys. They rely on Enterprise TruRisk Platform Apps to gain insights into its on-premises systems and extract timely, actionable insights into potential threats. NLOK harnesses Qualys VMDR® to help it detect, manage and respond to vulnerabilities in its IT endpoints. Using a combination of virtual-appliance scanning, Qualys Web Application Scanning, and lightweight Qualys Cloud Agents, the company gains fine-grained data to help prioritize and remediate vulnerabilities rapidly.
Based on its positive experiences with the Enterprise TruRisk Platform, NLOK decided to build on its success by replacing its previous Cloud Security Posture Management (CSPM) solution with Qualys CloudView: a cloud-based solution that enables enterprises to detect, monitor and remediate misconfigurations and non-standard deployments across multiple cloud platforms.
The Qualys CSPM solution met several key requirements for NLOK. As well as being simple to configure and operate, Qualys CloudView offers rapid and reliable access to actionable insights—enabling the company to quickly understand its exposure across hundreds of accounts on multiple cloud platforms. “When you use CloudView and you follow the user guide, it just works,” says Horst. “There are no errors, and you can discover things and assess against them.”
The solution is also highly extensible, with APIs that allow NLOK to integrate Qualys CloudView with tools from other vendors.
“Around the time the licenses for our old tool came up for renewal, Qualys launched CloudView—and we quickly realized the service had the potential to transform our approach to public-cloud security,” recalls Horst. “As well as being easy to set up, Qualys CloudView consolidates data captured from all our Qualys apps into a single dashboard offering us a 360-degree view of our on-premises and cloud environments.”
NLOK onboarded its public cloud accounts to CloudView and configured the solution to benchmark its environment against Center for Internet Security (CIS) controls at four-hour intervals. Using Qualys APIs, NLOK built an integration with the company’s Jira and ServiceNow issue-tracking system to automatically send remediation tickets to the relevant system owners, with a deadline based on the severity of each issue: medium, high, or critical.
“Qualys CloudView allows us to manage the remediation of potential threats on our cloud platforms in the same automated way that we use VMDR to protect our IT endpoints,” comments Horst. “Although our initial goal in selecting Qualys CloudView was to ensure our AWS and Azure environments met the required security controls, the discovery and asset inventory capabilities of CloudView have proven to be just as beneficial for the business.”
Today, NLOK uses Qualys CloudView to gain deep insights across its public-cloud environments, and the service now covers 100% of the company’s AWS, GCP and Azure accounts. Moreover, Qualys CloudView offers deep, near-real time insight into NLOK's cloud asset inventory, enabling the company to significantly reduce MTTR (mean time to resolution) and address security issues faster than ever.
"When a new critical vulnerability is announced, one of the first things we need to do is confirm whether it affects us and understand our potential exposure,” explains Horst. “With our previous CSPM tool, it was very difficult to get a clear view of which technologies were in use across our hundreds of cloud accounts. Since we switched to Qualys CloudView, that’s all changed.”
By building an automated workflow for cloud security reporting using Qualys CloudView and Jira, NLOK is reducing the cost and complexity of protecting its environments.
“Our previous CSPM tool required hours of intensive management and maintenance, and even with that significant investment of time and effort, we still often encountered technical issues,” says Horst. “Qualys CloudView just runs and runs—we hardly ever need to touch it. We're saving one full-time employee equivalent per year by replacing manual processes with an automated workflow. As a result, we can redeploy our resources to value-added security activities, which helps us better protect the business and our customers.”
“When a Zero day is published and teams start coming together to figure out whether or not we’re affected, not only is my team’s asset inventory only four hours old,” says Horst, “doesn't consist of a bunch of outdated pasted together Excel sheets.”
Horst’s team has achieved the original intent to address misconfiguration in the cloud, she says, and it has “had this unanticipated benefit of expanding our understanding of our cloud assets as well as the data always being only a few hours old.”
Looking ahead, NLOK intends to further leverage the Enterprise TruRisk Platform to enhance the speed of its threat detection and remediation capabilities.
“The cloud is only going to become more important to NLOK in the coming years, and Qualys CloudView is allowing us to shrink the attack surface as our use of AWS, GCP and Azure grows,” says Horst.
“Qualys CloudView is an excellent service. It’s so easy and intuitive that non-technical users can work with it, while offering powerful capabilities to extract the most important insights from large volumes of data.”
Sr. Principal Vulnerability Management,
Global Cyber Security, NortonLifeLock
“We think Qualys CloudView is an excellent service. It’s so easy and intuitive that non-technical users can work with it while offering powerful capabilities to extract the most important insights from large volumes of data,” she says. “One of the best things about working with Qualys is that they build solutions that perform exactly as advertised. We look forward to working with them to keep improving our security capabilities.”