Wyndham Hotels Slices Its Risk Score In Half With the Rapid7 Platform

The Challenge

With customers and staff across the planet, Wyndham has identified two main attack vectors – their sprawling website and a multitude of business applications that keep their global operations up and running.

Wyndham’s corporate workforce, which includes IT, marketing, brand operations and the customer relations call centers, has been gradually embracing remote work for several years. Most corporate users work remotely on Mondays and Fridays. So making sure all desktops and laptops at home are secure is critical.

The Solution

Wyndham has been using Rapid7 for over a decade and continues to implement more tools on the Rapid7 platform, utilizing InsightAppSec, InsightIDR and InsightVM to secure 3500 corporate users, 150 applications and more than 1 million loyalty members. Having one central platform for all of Wyndham’s security needs has paid off in spades. “The Rapid7 platform has made a difference as far as our ability to have this wide casting net and visibility,” stated Joseph Gothelf, Vice President for Cybersecurity.

Gothelf oversees 11 team members responsible for incident response, vulnerability management, application security, threat intelligence, SOC and firewall management.

Securing Critical Applications

“We use over 150 different applications today which includes a mix of security, IT and general business applications,” Gothelf shared. “We’re always looking at how we can better secure those applications that we don’t necessarily have much control over. And how we can keep better tabs on who and why and when they’re being used.”

Wyndham has been all-in on InsightAppSec, which provides Dynamic Application Security Testing (DAST), for about five years. “We left a competitor to implement InsightAppSec and bring things closer together in the Rapid7 world,” he explained. “We’re running scans twice a month or monthly for some of our web apps, and sending those reports to our internal customers.” Our internal security teams as well as application owners receive these reports on a regular basis.

So Long, Spreadsheets, Hello IVM Dashboards

Wyndham implemented Rapid7 InsightVM to gain visibility into on-prem IT environments and remote endpoints as well as clarity into how those vulnerabilities translate into risk. “The agents provide real-time data,” shared Gothelf. “We make tremendous use of the InsightVM dashboards for vulnerability management and our internal customers expect reports on a regular basis. But, we were a spreadsheet organization for many, many years; the whole vulnerability management program hinged on a spreadsheet,” he continued.

Gothelf determined to make their security operations more efficient. “We cleaned up all of our tags, our asset groups, and we said everything is going to be in a dashboard. If you want to know how an asset’s doing, you’ve got to login to view it. We’re not doing spreadsheets anymore,” he chuckled. “We have a team that exclusively uses dashboards today. And, when we mentioned that we’re going to start exporting some of that data to Jira because we also have teams that work exclusively in Jira, the team came back and said, Absolutely not. We want to be in Rapid7. The patching teams love that they can easily see where the riskiest and most severe gaps exist, which are easily seen with various snapin dashboards.”

The dashboards are making a difference. Gothelf shares the impact InsightVM dashboards had on their management of Log4j. “That was the fastest I’ve ever seen us remediate 100% of the organization over a holiday period, at Christmas. We had several machines impacted and we had them all remediated within 30 days. I’ve never seen us work that fast before. But again, that was Rapid7. That was us dashboarding. We were 100% reliant on Rapid7 and we got the job done.” Today, dashboards are used by our internal security teams as well as our desktop and infrastructure management teams, who are ultimately responsible for patching. This helps with prioritizing the areas that require the most attention from the teams.

“If we have EDR and we have Rapid7 on an endpoint, we’re good. And that’s the impression that we make across the board as far as deployments go,” stated Gothelf. Perhaps best of all, Gothelf loves that signing with Rapid7 doesn’t require them to drop other platforms they’ve grown accustomed to. Wyndham also uses another SIEM platform and for many years they were at their ingest limit. “And so, we started to ingest stuff into IDR, things like our web-proxy data and identity management logs.

Success with a Single Pane

“Having everything in one spot, one login, one place certainly helps with the day-to-day work that’s going on, especially for the teams that are cross-platform,” beamed Gothelf. And of course, Gothelf says that you can’t overstate the importance of one point of contact in terms of time saved and simplicity either.

“It’s a lot fewer vendors that we have to be on the phone with. We’ve certainly been called over the last 10 years from competitors looking for us to move our operation, but really, we don’t want to leave Rapid7,” he shared. “We feel like we have such a good thing going with Rapid7. “We’ve got the entire Rapid7 team on our regular calls, because it’s a cross-platform today with InsightAppSec and vulnerability management, all of our SOC people, and all of our IR people, all together.”

The Results are Real

Rapid7’s Real Risk Score provides an actionable, granular score from 1-1000 based on the likeliness of an attacker exploiting the vulnerability in a real attack. The score takes into account CVSS scores, malware exposure, exploit exposure and ease of use, and vulnerability age. According to Gothelf, his team pays close attention to it and has used it to make real strides in their security posture. As of February 2023, Wyndham’s total Rapid7 risk score was reduced by 50% across the board and individual teams had achieved reductions as high as 80%.

“That was a huge success, everyone is feeling better,” beamed Gothelf. We’re across the board very happy with everything that Rapid7 is delivering today”.