North East Lincolnshire Council

At a glance

More than twenty towns and villages depend on the North East Lincolnshire Council to provide essential services, from revenues and benefits to support for local businesses. But limited resources made patching software vulnerabilities across the council’s thousands of devices a daunting challenge for the council’s IT security team. Flexera’s Software Vulnerability Manager delivered seamless integration, prioritization and automation features which helped the IT security team enhance its vulnerability management. The team now has a single, comprehensive look at all vulnerabilities across all the council’s software.

The Challenge

A small security team’s limited resources restricted its insight into vulnerabilities across the network

Like most public-sector bodies, North East Lincolnshire Council operates with limited resources. The council’s ICT team faces an ongoing demand to do more with less and minimize the cost of staffing while managing more than 2,500 devices. The council’s security processes also are under intense scrutiny. The ICT security team must ensure that all activity complies with Codes of Connections (CoCo) in order to connect to the Public Services Network (PSN).

It was becoming increasingly difficult for the small team to keep pace with the ever-changing threat of application vulnerabilities.

“Patch management for third-party applications such as Adobe had become virtually impossible,” recounted Liz Holmes, ICT Security & Compliance at North East Lincolnshire Council. “It was difficult to establish the extent of the software we had, what versions were in use, and how vulnerable we were. It became too difficult and onerous to demonstrate a good patching regime using manual methods such as Excel spreadsheets, but they were our only options.”

The council identified a need to improve visibility across its network and sought a solution that would enable the ICT security team to prioritize vulnerabilities based on criticality. A single tool that would integrate with the council’s existing Microsoft Windows Server Update Service (WSUS) implementation would make it faster and easier to package fixes and deployments.

On average, 30 days is all it takes for a vulnerability to be exploited; yet enterprises take an average of 186 days to fix vulnerabilities.

The Solution

SVM’s quick implementation provided a complete picture of badly needed software patches

The council chose Flexera’s Software Vulnerability Manager (formerly Corporate Software Inspector), which would improve visibility, prioritize patching, and integrate seamlessly with Microsoft WSUS.

“We trialed [SVM] for seven days and were impressed by the level of information and how simple it was to use,” said Holmes. “We were then able to use the management reporting feature to present our business case and demonstrate why we needed a security tool to address the issues we were experiencing.”

SVM was quickly implemented, integrating with the Microsoft WSUS patching solution, and enabling the council to automate Microsoft-related patches alongside a wider range of applications across the estate.

Once the implementation was complete, Holmes and her team had a comprehensive view of the applications installed on the network. As a result, it was possible to identify which applications needed to be patched and which should be completely removed. Where patches were required, the team could use clear CVSS scores to prioritize follow-up activity, securing the most critical vulnerabilities first.

SVM also identified several different versions of the same applications. This allowed the council to consolidate disparate versions, making them easier for technical support teams to maintain.

The solution’s customizable dashboard feature made this mass of useful information easy to read and understand.

“The dashboard gives us an overview of the top ten end-of-life (EOL) applications, unpatched applications, and the most critical vulnerabilities,” Holmes said. “These are the focus of our security team meetings. We can also see the volumes reducing and minimizing the level of risk we’re exposed to. It’s encouraging for the entire team to see the impact of our efforts to secure the infrastructure.”

The Results

SVM patched all vulnerabilities

The SVM implementation has enabled the council’s ICT security team to accomplish much more with its limited resources. With complete visibility over the applications in use and their vulnerabilities, the team can take a proactive approach to application vulnerabilities and PSN CoCo compliance.

“We’re not waiting for issues to be picked up on our annual IT health checks,” reported Holmes. “We’ve become more proactive, demonstrating that we have an effective patch management regime in operation, not just a once-a-year activity.”

With SVM, the council can use the familiar WSUS interface to package deployments and apply patches faster. The team no longer needs to spend time researching and testing updates. Instead, they can concentrate on their own deployments.

“[SVM] has become fundamental to our patch management regime,” concluded Holmes. “We now have oversight that we’ve never had before. What was a complex, difficult, and time-consuming process is now more structured, prioritized and focused. We’re in a better position than we’ve ever been.”
