Project Description

Visualizing Vulnerability Scans & IT Risk Remediation

A Technology Services Case Study

Leverage Corporation Onspring Customer

OVERVIEW

Soon after adopting Onspring to manage IT assets, contracts, and vendors for their global customer base, Leverage Corporation, a CTO-as-a-Service provider, needed a reporting engine to manage the intake from commercial vulnerability scans.

Reporting in Onspring needed to provide their team with meaningful visualizations of data with actionable insights. Norman Harber, the CEO, led the creation of a custom-built application in Onspring to launch their new vulnerability management service with customers—all completely designed and created by their own internal team with no dev or IT resources. 

Profile

Company:
Leverage Corporation

Industry:
Technology Services & Advising

Solutions:

The tools Onspring provides really help us understand our customers better and provide more value back.

 Norman Harber, CEO

Challenge

Leverage Corporation chose to focus on vulnerability and risk management as part of their technology service offering with customers.

Vulnerability management reviews the technological threats to your network, to your overall web presence, and to your overall technology stack as an organization. Leverage Corp was responsible for identifying potential vulnerabilities for customers and remediating them based on certain levels of risk.

They were using commercial software tools to run vulnerability scans against their customers’ networks and organizations. The scan results would come back from those vulnerability scanning tools as very large, concatenated Excel files.

Vulnerability Scanners used with Onspring

Lingering Questions from Vulnerability Scans

  • Where are the vulnerabilities? 
  • Where are my gaps? 
  • What do I need to remediate? 
  • How do I need to remediate? 

It was hard to understand this data and dashboard it into something meaningful, mostly because the vulnerability scanning tools are designed to serve full-time analysts, who do nothing but focus on the data sets and aren’t interested in graphs, charts, numbers – the visualization of information.

The difference here was that Leverage Corp and their customers, who are the executives in their organizations reviewing the data, don’t want to read through a very long spreadsheet.

CEO Norman Harber said, “How do we solve this problem?” They quickly began to dive into the Onspring platform and created a custom application from the ground up.

Solution

CEO Norman Harber and his team started by sitting down to map out the requirements process before customizing Onspring on their own with a brand-new application to ingest hundreds of thousands of rows of data and visualize the meaning.

Their new vulnerability management application in Onspring ingests all critical value scores, severities, data points–anything from IP addresses, down to location.

Not only that, but the new vulnerability management application helped them understand how those results compare to national situations or other vulnerabilities that have been recognized in the mainstream as critical.

All Vulnerabilities by Type

All Vulnerabilities by Vulnerability

Keep in mind, not every vulnerability has the same level of risk. It is important to understand what vulnerabilities are, how to visualize them, and what remediation you must take.

Staying ahead of the curve in this game is a daily process, so you must always be viewing these dashboards, and ingesting data on a regular basis to understand what the threat landscape looks like for you and your organization.

The customized application Leverage Corp built in Onspring for vulnerability management looks at all types of scans and compartmentalizes where the risks are, how quickly they need to be remediated, and how.

Managing Vendors to Remediate Vulnerability

More importantly, Onspring enabled Leverage Corporation to work with its customers and their vendors to remediate vulnerabilities.

Security is all about layers. You can have 25 layers, or you can have two layers. You may only need two layers to be compliant, but your internal folks want five. 

The more layers you have, the more complex this gets, but having all those results when determining your own layers will help you assess what your risks are and put in place a management program to manage those vulnerabilities and roll out remediations on a regular, scheduled basis rather than doing things with no plan.

A very simple, straightforward approach to outstanding vulnerabilities that need resolution or remediation.

All Vulnerabilities by Type

Leverage Corp uses Onspring to track risk associated with vulnerabilities, and more importantly, to track risk acceptance from customers, because they need to understand what their risks are and what it means to their business. 

“It’s important to have a full process and plan behind your vulnerability management. If you don’t, you’re just plugging holes in the dam without knowing what’s going to pop up.” Norman Harber, CEO

Tracking Vulnerabilities & Planning for the Future

Understanding what’s outstanding and what needs to be remediated on any given day is a really important part of the process.

The custom application Leverage Corp built in Onspring tracks vulnerabilities by account, by status, and over time, because it is critical to know what those vulnerabilities are across different customers, not just one customer. They’re looking for commonalities across multiple customers that could be experiencing the same vulnerability.

Because not all organizations patch, upgrade and plug their network at the same time, Onspring allows Leverage Corp to see into customers, both globally and individually, and over time, so they can compare vulnerability across 98% of their customer base.

Resulting data visualized: 

  • Details on vulnerability type
  • Quick alerts for vulnerability priority based on criticality value score
  • Determine what the threat is and what device it resides on
  • Determine action plan, if any, to remediate
  • Task external providers with documents to execute on secure environments
  • Provides auditors with great information
  • Think ‘insurance policy time’ when reviewing historicals

Onspring also allows Leverage Corp to show a timeline for audit purposes. Their customers who follow regulations, like those of the SEC, for example, will need to show that over time they have remediated several vulnerabilities in the network to remain SEC-compliant.

For Leverage Corp, it has been a tremendous journey, with Onspring serving as a critical partner in helping to grow the company exponentially.