Manufacturer Hypertherm Stays in Motion with Rapid7 Solutions

Challenge

James Thompson, Information Security Manager at Hypertherm, depends on security solutions that keep operations and technology running smoothly and safely in his organization's environment. Responsible for a whole spectrum of assets—including operational technology, IoT devices, and Hypertherm's own proprietary software, James sought out a single pane for visibility into the "wild west" that is the manufacturing sector.

Solution

Rapid7 InsightVM was the ideal solution for identifying, assessing, and remediating risk without the downtime associated with other tools. Hypertherm’s partnership with Rapid7 led to the adoption of InsightAppSec, Rapid7’s leading dynamic application security testing (DAST) solution.

Highlights include:

• "For a real mature vulnerability scanning management program, we started to evaluate Tenable.io and Rapid7's InsightVM... When we were demoing InsightVM, we found that we could create a kind of a dynamic blacklist. So that allowed me to build out my scanning schedules without the risk of knocking printers offline, and that was a big deal for manufacturing."
• "AppSpider* empowered the developers to help themselves. Building that tool into our web applications helps me better understand the exposure at the edge... It also empowers those developers to improve their product, to test their product, and with AppSpider, they can test on the fly."
• "[Rapid7 helps] ultimately build a complete solution and program around the correlation the products can provide... The customer success managers are really helping me paint that picture."

 *The industry-leading DAST engine behind Rapid7 AppSpider is now Rapid7 InsightAppSec.

Video Transcript

My name is James Thompson. I'm the information security manager for Hypertherm. We're a metal cutting solutions provider, so think high pressure water, plasma, laser. So you'd find us working on shipyards, oil, pipelines, or the home hobbyist on go-carts.

The manufacturing environment is challenging. I like to call it the Wild West. We don't have a lot of the regulation that a financial industry or health industry might have. So, much of our security isn't forced upon us, we choose where that balance may be, for better or for worse.

So, talking about our environment and kind of the structure of our environment, very mobile. Very mobile workforce, especially with IoT. So, many of our associates, as we like to call them, they have laptops and then we have a high percentage of that population are engineers. So, high powered CAD workstations, high virtualized infrastructure.

And a lot of manufacturing has old legacy machines. So I might have a million dollar machine out on a manufacturing floor that's still making parts, delivering value, but it's running on XP or XP Embedded, or something that's becoming very difficult to secure.

So having been able to build on the awareness, build on the business case for a real mature vulnerability scanning management program, we started to evaluate Tenable.io and Rapid7's InsightVM.

We were trying to find a way, we were manually managing a blacklist of IPs for our printers, and with various manufacturing cells always moving around the organization, someone will move a printer to a new IP range, and I might not know until I knock production back offline. So regardless of me saying you really need to tell me when you're moving these things, the reality is I'm a pain point for the business.

When we were demoing InsightVM, we found that we could create a kind of a dynamic blacklist. So that allowed me to build out my scanning schedules without the risk of knocking printers offline, and that was a big deal for manufacturing. Certainly for us.

In terms of features that we're leveraging now that are really critical to us, there's really two I would highlight. One is the dashboards. The built in dashboards allow me to step back and allow my managers, or my higher level C suite executives to see that, and ask questions without me going in deep to create these custom reports. Always regenerate a report, tweak it with every question.

They can go in live and see a live snapshot of what's going on. So when there's a new vulnerability they're like I said, "James, I saw this in the news, BlueKeep for example, how are we doing? What's our footprint? What's our exposure?" They can hop right in and see the WannaCry and the various CryptoLocker inside. There's two or three assets. Should I be concerned? What are we doing about it?

The other piece that we leverage heavily, is the DHCP scanning.

So when a new device is plugged into the network and somehow it's made it around our perimeter defenses, when it pulls that DHCP address, it scans at that point in time. Or we have it set up that if it's scanned within the last two weeks, it won't, because that's a known device plugging in and pulling DHCP.

So it's given us visibility into rogue devices connecting to the network, and given me the ability to speak with confidence that if it's on the network, I am aware of it.

We're leveraging Atlassian Jira for ticketing within the InsightVM platform. The real advantage for us there was it removed myself as a traffic cop. Looking at the various vulnerabilities, how critical they were or weren't, and making a very subjective decision on do we need to elevate these to the business or not? I now have a more quantifiable approach that will automatically create a ticket, that goes into a workflow, that gets assigned to someone for mediation. And that orchestration saves an awful lot of time, really.

We really always recognized that there was a hole in our application scanning. Whether that be web applications, or we also develop our own software for sale.

It was a new space for us. We were struggling to understand how to fill the space, so really our relationship, as it grew through InsightVM, we started asking questions, what more can Rapid7 do for us?

I need to leverage a tool that can come back and say, "You might have a sequel injection opportunity here, you might have poor authentication methodologies." So AppSpider empowered the developers to help themselves.

Building that tool into our web applications helps me better understand the exposure at the edge. So now I can better speak to the management team about how we're doing. But it also empowers those developers to improve their product, to test their product, and with AppSpider, they can test on the fly. So they'll point out their dev instance, they'll make a change, they'll run it, go, "Ooh, there could be SQL injection." They'll make a tweak, run it right there and say, "This will work", and then publish that. So they're able to really make very fast agile adjustments.

It's just about weekly interaction with Rapid7 as to how we are doing? What we are doing? Do we need to invest more here? I have an acquisition coming here I need the plan for, and then looking further down the road towards how I can bring in IDR, partner that with MDR. Can I automate more with the connect platform? Ultimately build a complete solution and program around the correlation the products can provide. Rather than me doing a best-in-breed here, a best-in-breed here, a best-in-breed here, and having three different panes of glass that somehow I've got to tie together.

And so the coaches, I'll call them coaches, customer success managers are really helping me paint that picture. So I can sleep at night and hang out and have fun and not worry about what's going on in a time zone. The 12 hours off from me working.