CEMEX is the world’s largest building materials supplier and third largest cement producer. Headquartered in Monterrey, Mexico, CEMEX has operations extending around the world, with production facilities in 50 countries in North America, the Caribbean, South America, Europe, Asia, and Africa. The company has approximately 60,000 employees worldwide and 25,000 desktops. An information security team of four is responsible for keeping the company’s systems and data secure.
Manual vulnerability scanning too time-consuming and complex
In the past, CEMEX scanned its systems for vulnerabilities using open source tools such as Nmap and NESSUS. “I spent hours pouring over the data from these tools,” says Jesus Torrecillas, an information security consultant at CEMEX and well-known international speaker on information security. “The information produced was so complex and had so many false positives; it was extremely difficult to sift through the data and figure out what remediation steps to take.”
In addition, because CEMEX has many customers in the United States, the company felt that it should strive for compliance with Sarbanes-Oxley and ISO 27002. Consequently, the company began looking for a better solution to keep it systems secure with up-to-date patches and in compliance.
Reliable, extended visibility across the network
After looking at a number of vulnerability assessment solutions, CEMEX purchased two McAfee Vulnerability Manager appliances installing one at headquarters, in Monterrey, Mexico, and the other in Madrid, Spain. The company intends to extend the McAfee solution to other major CEMEX sites worldwide as well.
The Threat Correlation Model in Vulnerability Manager particularly impressed CEMEX. “No other vendors offered a comparable capability,” says Torrecillas. Vulnerability Manager automatically and continually scans devices on the CEMEX network, matching up-to-the-minute threat information continuously supplied by McAfee Labs with detailed information on each device. McAfee Labs, the world’s leading security research organization, has more than 400 researchers worldwide working around the clock to find and prevent security threats.
Prioritization, flexibility, and speed
A key attribute of McAfee Vulnerability Manager was its ability to present actionable intelligence to help CEMEX quickly prioritize vulnerabilities. For instance, using the solution’s Threat Correlation Module, Torrecillas can view a number that ranks risk for every asset on the network. This number is a weighted indicator of threat significance based on an asset criticality rating he defined, the threat impact value assigned by McAfee Labs, and other factors. This information makes it much easier for Torrecillas to prioritize threat response so that the most important systems are protected first.
McAfee Vulnerability Manager is for busy people. It saves me hours each week. With it, I can have a life outside work. My family thanks McAfee.Jesus Torrecillas
Information Security Consultant CEMEX
Vulnerability Manager enables CEMEX to quickly and accurately discover, assess, and prioritize vulnerabilities—much faster and more comprehensively than anything it tried before. “Microsoft will tell me that I need to patch my systems, so I will push out patches to all my systems and, as far as Microsoft is concerned, all is well,” explains Torrecillas. “However, a Vulnerability Manager scan will show me that not all the systems are actually patched and give me a list of the ones that need attention. Vulnerability Manager is more reliable than Microsoft.”
Quick remediation and easy-to-use reports
When Vulnerability Manager reports back the findings of its scans, Torrecillas knows exactly what to do next. “Vulnerability Manager’s helpful graphics and easy-to-use reports enable me to see at a glance what our security exposure is and which systems need to be addressed first,” says Torrecillas. “But it doesn’t stop there. The solution also spells out what steps to take to remediate any issues.”
Furthermore, built-in and customizable reporting functionality also makes it quick and easy for the company to produce meaningful reports for CEMEX executives as well as internal and external auditors.
Significant time savings from functionality and reduction of false positives
All of this easy-to-use functionality adds up to huge time savings along with reducing the number of false positives—systems that appear to be out of compliance but in reality are not—in vulnerability scan results. With its previous scanning tools, CEMEX had to comb through hundreds of false positives, wasting hours of valuable time. With Vulnerability Manager, however, the number of false positives has been slashed by 80 percent.
“McAfee Vulnerability Manager is for busy people,” says Torrecillas. “It saves me hours each week. With it, I can have a life outside work. My family thanks McAfee.”
Protecting critical business data and intellectual property
To prevent loss of critical data—such as business plans, chemical formulas, and financial data— particularly from hackers in countries like China— CEMEX is turning to McAfee as well. The company is currently piloting a data security solution that incorporates McAfee Host Data Loss Prevention (Host DLP) and McAfee Data Protection Suite for Rights Management (DRM), and McAfee ePolicy Orchestrator® (ePO™), a central management console that will also integrate with Vulnerability Manager. Host DLP and DRM will automatically protect sensitive data without user interaction and block unsecured data from leaving the enterprise. McAfee ePO will streamline security management, from pushing out data policies to CEMEX endpoints, to tracking, auditing, and reporting on access to sensitive data, and reporting on system vulnerabilities.
A happy customer
Torrecillas is extremely happy with McAfee and looks forward to using additional McAfee solutions in the future. “McAfee has allowed me to easily control the assessment of vulnerabilities and will soon help with data protection,” says Torrecillas. “I look forward to the day when I will be able to rely on McAfee to optimize our security environment.”