Building a Secure and Sustainable Infrastructure

When this international manufacturer decided to optimize its vulnerability management program, it chose Qualys based on its on-demand service delivery, accuracy, and powerful API.

Founded in Manitowoc, Wisconsin, in 1902 as a shipbuilding and ship-repair company, the Manitowoc Company, Inc., has grown and diversified into the multi-industry capital goods manufacturer it is today. With more than 100 manufacturing and services facilities in 27 countries, 12,000 employees, and $4.5 billion in annual sales (2008), Manitowoc has global reach. It is recognized as one of the world's largest providers of lifting equipment for the global construction industry, including lattice-boom cranes, tower cranes, mobile telescopic cranes, and boom trucks. Manitowoc also is one of the world's leading innovators and manufacturers of commercial food service equipment serving the ice, beverage, refrigeration, food prep, and cooking needs of restaurants, convenience stores, hotels, healthcare, and institutional applications.

Maintaining the global IT infrastructure necessary for Manitowoc's business operations is vital to the company's continued success. A central part of those efforts is ensuring that its hundreds of servers and thousands of workstations are maintained within its internal IT security policy, that misconfigurations are spotted and fixed, and that outdated patch levels are made current. This, most security experts agree, will ensure that systems not only run more smoothly, but also make them resilient to attack and infiltration.

Optimizing Vulnerability and Risk Management

"We wanted to make certain we were approaching our vulnerability management program as effectively as possible," says Subash Anbu, CIO at Manitowoc. "That meant evaluating a number of vulnerability assessment solutions and then picking the one best suited for managing a global infrastructure such as ours."

What Manitowoc sought was a way to automate and enforce many of the practices for vulnerability and risk management. After looking at a number of potential options, Manitowoc chose The Qualys Security and Compliance Suite and its on-demand Software-as-a-Service (SaaS) delivery model. "When the costs and our use case was considered, Qualys was ideal and cost effective," says C.J. Koenig, IS Director at Manitowoc.

Today, Qualys Vulnerability Management (VM) automates the life cycle of network auditing and vulnerability management across Manitowoc’s enterprise, including network discovery and mapping, asset prioritization, vulnerability assessment reporting, and remediation tracking according to business risk. Driven by the most comprehensive vulnerability KnowledgeBase in the industry, Qualys remedies the flaws that make the latest exploits and attacks possible. As an on demand SaaS solution, there is no infrastructure for Manitowoc to deploy or manage.

By utilizing Qualys to monitor all network access points continuously and proactively, Qualys VM dramatically reduces the time Manitowoc’s security managers spend researching, scanning, and fixing network exposures and enables them to eliminate network vulnerabilities before they can be exploited.

"Qualys gives us a comprehensive view of all of our endpoints around the world," says Kevin Sonnemann, IS Security Analyst for Manitowoc. "Now we’re always aware of the security posture of our systems, and Qualys provides a way to consistently audit to make sure administrators are getting the patching done."

To vet Manitowoc's global IT infrastructure for vulnerabilities, the company has Qualys appliances deployed around the globe to evaluate the security status of each IT asset every other week. And, because Qualys’ software, security checks, and service all are centrally managed by Qualys, Sonnemann knows that each scan is identical. "The distributed nature of Qualys, and the way our scanners are deployed around the world, definitely makes it easier too. Each scanner is always the same and the security checks always up to date," he says.

To ensure that any vulnerabilities uncovered by an assessment are fixed properly, they're automatically sent to Qualys’ built-in ticketing system. Qualys’ ticketing system generates tickets based on internal policies, and tracks each vulnerability until its fix has been verified. "Qualys works with our remediation rules, and when vulnerabilities are detected, the ticket automatically is assigned to the proper person," he says.

Customized Automation

To automate additional aspects of its vulnerability management program, Sonnemann leverages the Qualys Application Programming Interface (API) to perform customized tasks. For instance, within Qualys’ ticket management system, it is possible to mark specific vulnerabilities as closed or even elect to ignore them. Such actions may be acceptable if it is found that the vulnerability poses no risk to the system, or if a patch would cause more trouble than it fixes.

Sonnemann also leverages Qualys’ API to build powerful, customized reports. "We're able to take our asset groups and business segments and break down vulnerability management performance by the number of open tickets per segment, number of resolved tickets per segment, closed/ignored tickets, and overdue tickets per segment," he says. "This truly helps us maximize performance."

Manitowoc selected Qualys to help the company manage global risk more effectively, and by all measures that decision has led to considerable success.