INDUSTRY: Media & Entertainment
BUSINESS: Headquartered in Leeds, England, Sky Betting & Gaming is a tech and digital company that has grown to become one of the market leaders in the UK betting and gaming space.
SIZE: 1,600 employees
BUSINESS CHALLENGE: Operating in a highly regulated industry, data protection is a key requirement for Sky Betting & Gaming—but spreadsheet-based approaches to vulnerability management meant remediation was slow, time-consuming and labor-intensive.
SOLUTION: Qualys VMDR® with integrated apps for asset identification and management, vulnerability management, threat detection and prioritization and response; Qualys Web Application Scanning.
Sky Betting & Gaming strives to understand what players want and give it to them in new and exciting ways. As part of its commitment to innovation, the company has embraced a fail-fast approach to systems design—leveraging cutting-edge technology to build compelling customer experiences.
Operating in a heavily regulated industry, compliance and information security are key focus areas for Sky Betting & Gaming. To guard against reputational and regulatory risks, the company places a heavy emphasis on preventative security. The objective is to identify risks throughout the estate and work proactively to shrink the attack surface.
Glenn Pegden, Security Vulnerability Manager at Sky Betting & Gaming, says: “In recent years, the velocity of our work has dramatically increased. Cyber-attackers are more nimble and more sophisticated, which means it's no longer acceptable to set service-level agreements [SLAs] of 90, 60 or even 30 days for many vulnerability management tasks. However, it's all but impossible to accelerate these processes while relying on large, complicated spreadsheets to keep track of open vulnerabilities.”
The company operates a complex estate that includes Linux and Windows platforms, VMware virtual machines and Kubernetes clusters, and AWS, Azure and Google Cloud Platform environments. To ramp up its vulnerability management process, Sky Betting & Gaming realized it first needed to gain an accurate overview of all assets and system owners across its estate.
Why Sky Betting & Gaming chose Qualys:
“First, we rationalized six separate configuration management databases [CMDBs] down to just one,” explains Pegden. “At the time, the General Data Protection Regulation [GDPR] was coming into effect. As the business prepared for the new requirements, we seized the opportunity to ask all teams to populate the new CMDB with up-to-date system ownership information. In total, we have around 8,000 assets in our two production data centers, and around 1,000 assets across office and cloud locations.”
Pegden continues: “Thanks to our efforts with the new CMDB, we succeeded in creating a single source of truth about IT assets and owners. However, we had limited insight into the relative severity of vulnerabilities across these systems, making it difficult to act quickly on the most pressing threats. To solve that challenge, we looked for a way to enable risk-based prioritization.”
For many years, Sky Betting & Gaming had relied on the Enterprise TruRisk Platform for small-scale vulnerability scanning. Based on its positive experiences with the solution, the company adopted Qualys VMDR® with integrated apps for asset identification and management, vulnerability management, threat detection and prioritization and response.
“One of the key reasons we chose Qualys is the flexibility of their solution,” comments Pegden. “As well as providing in-depth insight into vulnerabilities across our on-premises and cloud assets, the Qualys solution allows us to extract this data via secure APIs. This is extremely valuable for Sky Betting & Gaming, as it allows us to build powerful automated workflows to manage the detection, prioritization and remediation process from end to end.”
Today, Sky Betting & Gaming performs regular vulnerability scans using VMDR. Vulnerabilities are automatically raised as tickets in the company’s Jira system and assigned a severity rating based on metadata from the company’s CMDB. Once the relevant system owner has patched the system and the next VMDR scan confirms that the vulnerability is remediated, the workflow closes the Jira project automatically—dramatically reducing the manual effort required for the majority of vulnerability management activities.
“We’ve been so impressed by the capabilities of VMDR that we’re now gradually shifting from custom-built analytics to the solution’s built-in reporting capabilities,” says Pegden. “The combination of trusted vulnerability data from Qualys, well-defined groups of system owners, and automated patching tools means we’ve dramatically reduced the time required to shut down threats. In fact, much of our estate is patched automatically within hours of detecting a vulnerability.”
Building on the success of its work with VMDR, Sky Betting & Gaming is expanding its use of Qualys solutions. The company is deploying Qualys Cloud Agents to enable real-time visibility of threats and remediation tasks, and harnessing Qualys Web Application Scanning to augment its approach to AppSec.
Pegden comments: “We’ve driven a far-reaching transformation of our security culture, and one consequence of that change is that our system owners are keen to demonstrate that they are patching their systems quickly. By deploying Cloud Agents to their machines, our system owners get instant confirmation that they have closed a vulnerability—and the agents are so lightweight that there’s no performance impact at all.”
He adds: “Qualys Web Application Scanning has become very popular among our development community. By integrating the solution into Jenkins, we’ve enabled our teams to take a proactive role in AppSec and get warnings of potential issues early in the development process.”
By replacing manual spreadsheet-based tracking with end-to-end automation for vulnerability management, Sky Betting & Gaming can save time and focus on more complex cybersecurity activities.
“VMDR is a core component of our automated vulnerability management workflow,” confirms Pegden. “We’ve gone from endless, overwhelming lists of vulnerabilities to a seamless process for prioritizing and patching. Today, 99% of our remediation work is handled automatically, which means we can spend our time investigating the edge cases.
“Thanks to the efficiencies we’ve gained with Qualys, we can keep our headcount flat, even as the IT landscape continues to grow. For example, I can manage 10,000 assets today in less time than it took me to manage 2,300 assets five years ago.”
By embedding a culture of security throughout the organization, Sky Betting & Gaming is driving down remediation time.
Pegden elaborates: “In the past, security was often perceived as a blocker: now, we’re seen as valued advisors. We’ve made risk the ultimate responsibility of our system owners—and thanks to Qualys, they trust the vulnerability data we share with them and act on it quickly.”
Many teams within Sky Betting & Gaming now set SLAs for remediation that are 30 days or less, and the company can address the most urgent threats within hours.
“As soon as news of a zero-day breaks, we can immediately understand our exposure and meet with our system owners and come up with a plan,” says Pegden. “The Log4Shell exploit is the perfect example of how smoothly the process works for us now. Using Qualys Cloud Agents, we were able to see the vulnerabilities dropping off our dashboard in real time as our teams patched their systems.”
Looking ahead, Sky Betting & Gaming plans to leverage additional Qualys capabilities, including Qualys Severity Scoring and Cloud Security Assessment.
“Our IT landscape continues to grow and evolve, and Qualys is right at the leading edge with us in terms of security capabilities,” concludes Pegden. “Qualys is an immeasurable benefit to Sky Betting & Gaming, and VMDR has been at the heart of my role for the last five years. We couldn’t imagine driving our vulnerability management activities using anything else, and we look forward to working with Qualys for years to come.”