Modine Manufacturing Company’s motto is “Always Innovating. Always Improving.” And this extends to its approach to cybersecurity. A global leader in thermal management technology and solutions, Modine is headquartered in Racine, Wisconsin (USA), with operations in North America, South America, Europe and Asia. Modine designs, engineers, tests and manufactures products for a wide range of applications and markets and the company “is at work in practically every corner of the world, inside the things you see every day”.
Modine is proactive about protecting its digital assets and those of its customers. “Our global IT security mission is to seamlessly protect our people, products, processes and data from cybersecurity threats,” said Andrew Detloff, Manager of Global IT Security. “We do that by integrating security controls and practices into Modine systems, products and processes in a way that enables our employees, contractors and customers to easily do the right thing regarding cybersecurity.”
Modine has a small security team with a large mission, and as the business grew, so did the risks. Detloff’s three-person security team quickly went from monitoring a few hundred event sources to a few thousand. Modine needed a partner that could help them improve various parts of their security program, addressing both proactive and reactive security needs. A strategic goal like that calls for a strategic partner, one with multiple centers of product and service excellence.
Modine Manufacturing found their strategic partner in Rapid7. Today, the company relies on a combination of Rapid7 managed services and cloud-based software to improve their security program. This includes InsightAppSec for scanning customer-facing and internally developed apps, ManagedVM (MVM) to offload vulnerability risk scanning and management operations, Rapid7 MDR’s SOC experts to detect and respond to threats using the InsightIDR solution, and InsightConnect’s SOAR capabilities to automate and tie it all together.
“Where Rapid7 is heading, they’re not just looking at endpoints or users, but they’re combining that with network detection capabilities and other data sources to give a better, broader picture of the many different ways someone can attack us,” explained Detloff. “They give us correlated and contextualized data.” Detloff further noted that having a single lightweight agent that is leveraged both by InsightIDR and InsightVM has proven to be valuable, providing a lot of capability with a minimal impact on the system.
Stopping Threats Early and Fast
Modine regularly performs full scans on its systems and networks around the globe, which enables the Security team to quickly assess, prioritize and patch systems before an attacker can exploit a vulnerability. “With MDR we no longer have to worry about finding the needle in the haystack, because the Rapid7 SOC goes through everything and lets us know the key alerts we need to worry about,” stated Detloff. “When a recent zero-day threat emerged, the Rapid7 team notified us about it the night before. The next day we saw it on the news, and thought, This is what we’re paying for - a team of experts who contain incidents so we can sleep easy at night.”
Without the MDR service, Detloff notes that his three-person security team would have to sift through approximately 16,000 possible alerts a day. “The Rapid7 team pares this to about five validated incidents a day. Five we can handle. We also have the ability to isolate endpoints and enable/disable users until an incident is resolved.”
“The Rapid7 team saves us a ton of time, giving us accurate information instead of us having to investigate each alert to try and figure it out,” added Detloff. “One day our Rapid7 Security Advisor reached out about an end user in another region who was running a suspicious script. It turned out the user had an infected USB drive that was trying to execute a malicious script. Our Rapid7 team captured all the activity and stopped anything bad from happening.”
“The industry standard dwell time is anywhere between 90-207 days to find something once it’s in your environment,” continued Detloff. “The one incident we considered major was identified by the Rapid7 MDR in less than one hour; we responded in less than two hours, and it was remediated in less than 48 hours. That incident alone paid for this year’s MDR service.”
Expanding Security Coverage Without Adding Headcount
“Without Rapid7’s managed service for detection and response, I would anticipate needing at least four or five more people to provide comparable coverage,” stated Detloff. “On the vulnerability management side, I’d estimate we would need at least two additional people, and that would only be staff who could identify what needed to be fixed, not even handling the remediation side.” On the MDR side, Detloff estimates that he would need to increase his staff by four to five people.
“Rapid7’s MDR people have expertise that I can’t find anywhere else. I also like that the remediation side of the agent and the automation side have the ability to disable and enable users. The integration both on the MDR and InsightConnect sides also appeals to us.”
Freeing Up Time to Focus on the Program
“I love what I do for a living. I like to dig into individual incidents when I can. But I don’t have the time to do that if all I’m doing is sifting through events all day. With Rapid7’s MDR, I can be more strategic. I can focus on the entire security program, not just detection and response.”
“I was on a lake ice fishing last winter when a significant security incident happened,” continued Detloff. “I got on the phone with my security analyst and Rapid7. We were able to remote in, see the incident, and make a decision. I responded from the middle of a lake in Wisconsin! Before we had MDR I would have had to rush home to deal with it.”
Addressing the Challenge of Phishing
“One of our most critical security challenges is phishing,” noted Detloff. “80 percent of breaches originate as phishing emails. We receive roughly 40 user reports of suspect emails a day that have to be analyzed, and about five of these typically need to be remediated.” With InsightConnect, Detloff’s small team can focus on the five instead of the 40. “We built a workflow that pulls in the email, runs all the links and attachments past a couple of different threat intelligence sources and gives us a determination of whether it’s benign, known malicious or suspicious,” explained Detloff.
“All we need to do is click a button to confirm if it’s malicious, and InsightConnect will strip it out of Microsoft Exchange for us. This took a process that used to take 30-40 minutes per email down to a few minutes each.” Modine is also in the process of moving to a new email gateway to improve their email filtering and plans to use InsightConnect’s integration with the service to further automate their phishing remediation.
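As an added illustration of the triage workflow described above (example code written for this page, not Modine’s or Rapid7’s InsightConnect workflow), this Python script pulls link domains and attachment hashes out of a user-reported email, checks them against stand-in threat-intelligence sets, and returns the same three verdicts: benign, known malicious or suspicious. The feed contents, domain names and helper functions are constructed assumptions.

```python
import email
import hashlib
import re
from email.message import EmailMessage

# Constructed stand-ins for the external threat-intelligence feeds the
# workflow consults (hypothetical values, not real indicators).
MALICIOUS_DOMAINS = {"login-update.example.net"}
MALICIOUS_SHA256 = {hashlib.sha256(b"constructed-malicious-attachment").hexdigest()}
KNOWN_GOOD_DOMAINS = {"example.com", "corp.example"}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s\"'<>]*")


def extract_indicators(raw):
    """Collect link domains and attachment SHA-256 hashes from a raw message."""
    msg = email.message_from_bytes(raw)
    domains, hashes = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if part.get_filename():  # attachment: hash it, never open it
            hashes.append(hashlib.sha256(payload).hexdigest())
        elif part.get_content_type() in ("text/plain", "text/html"):
            text = payload.decode("utf-8", "replace")
            domains.extend(m.group(1).lower() for m in URL_RE.finditer(text))
    return {"domains": domains, "sha256": hashes}


def triage(raw):
    """Return 'known malicious', 'suspicious' or 'benign' for a reported email."""
    ind = extract_indicators(raw)
    if set(ind["domains"]) & MALICIOUS_DOMAINS or set(ind["sha256"]) & MALICIOUS_SHA256:
        return "known malicious"
    # Unmatched attachments or links outside the allowlist go to an analyst
    # instead of being auto-cleared.
    if ind["sha256"] or any(d not in KNOWN_GOOD_DOMAINS for d in ind["domains"]):
        return "suspicious"
    return "benign"


def build_sample(body, attachment=b""):
    """Construct a user-reported email for offline testing (not a real message)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.com", "user@corp.example", "Reported"
    m.set_content(body)
    if attachment:
        m.add_attachment(attachment, maintype="application",
                         subtype="octet-stream", filename="invoice.bin")
    return m.as_bytes()
```

Only the verdict is automated; the analyst’s confirmation click and the mailbox removal step the text describes would sit on top of `triage`.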
Testing Application Security on a Routine Basis
Modine uses InsightAppSec to dynamically scan applications. “We have internally developed applications that are customer-facing, and those are the biggest ones we need to make sure are protected. Our developers are really looking forward to being able to get the OWASP report based on how their application is doing.”
As for the future, Modine will continue to feed in both the event sources and the indicators and expand their use of the agents and the alerting system they have in place and add automation. “Automation is going to be crucial to our small team.”