Lehigh University (LU) is a private research university in Bethlehem, Pennsylvania. The university was established in 1865, and serves around 8,000 students.
The Challenge
The security team recognized that its vulnerability and exposure assessment process was not effective in prioritizing risk, which negatively impacted interaction with the teams responsible for implementing the fixes. The team identified several related issues that stood in the way of taking a more proactive approach to the university’s technology risk posture: primarily manual assessment of vulnerability contributed to protracted mean time to remediation from notification the team couldn’t consistently correlate security findings with the asset it was detected to perform risk assessments – in particular, critical findings on Internet accessible systems. Because of inconsistent prioritization outcomes, it was challenging to maintain a collaborative approach to interacting with the teams responsible for implementing the fixes – extending the risk exposure window.
In the absence of correlation and contextualization of asset profiles and vulnerability findings, the team would sometimes request a fix to a system that was not Internet exposed – undermining the willingness to collaborate on implementing fixes.
In addition, the team was looking to reduce spend on multiple detection tools without compromising findings coverage.
Challenges
- Maintain a proactive approach to security posture
- Minimize risk exposure window by reducing time between notification and remediation
- Incorporate asset risk context to drive prioritization of security findings
Results
- Reduced time spent on assessment by 80% with findings consolidation and deduplication across tools
- Facilitated 40% decrease in tool costs, with consolidation and retirement of overlapping tools
- Reduced time spent on fix workflows by as much as 80% through ownership assignment and ticketing integrations