At Regina International Airport, everything that has a network cable, wireless signal, or power cord is something Sean McKim, Manager of Technology, cares about. As Canada’s 15th busiest airport – with over 1,700 IP addresses on the corporate side and fluctuating numbers of visitors moving through the airport every single day – that’s a lot of technology to look after.
McKim works with a team of technicians to maintain, manage, and implement technology systems throughout the airport. Everything falls under this umbrella: common-use systems shared by the various airlines, passenger experience options like on-site Wi-Fi, public address systems, baggage systems, and all traditional IT.
All of this technology is relatively segmented, McKim says – and it was that segmentation that led him to give Horizon3.ai’s autonomous pentesting product, NodeZero, a try.
“You think things are segmented and that they can’t talk to one another, but through scanning and using toolsets like NodeZero, we determined where we have leakage and interaction between networks,” says McKim. As soon as he started using NodeZero, he was surprised to see indications that workstations could, if they wanted to, connect with other segments.
“NodeZero let me do a review of our settings and firewall. Not only did it identify vulnerabilities – it also provided proof showing that they were potentially exploitable and this was incredibly helpful,” he says.
Pentesting Without Engaging a Third Party
The ability to run some form of penetration testing without engaging a third party was a huge benefit, McKim notes. “We did a pentest back in 2018, contracting with a team to do that, and it cost about as much as NodeZero’s annual fee,” he says.
In a stroke of serendipity, he was investigating options to run a new pentest this year when a representative of Horizon3.ai reached out.
“Using NodeZero you can run those pentests as frequently and often as you want without adding additional costs or engaging with a third party. I can also structure and segment the test how I see fit,” he says. “A big part of using NodeZero is taking away that third party and making it so you’re not just getting one pentest a year, but as often as you need them.”
Now, every month he runs a series of tests on specific segments and compares those results with previous iterations of those tests.
He had been doing vulnerability assessments monthly using other products such as Tenable, which was helpful, but the question always arose – sure, an exploit was found, but is it something that we need to worry about right now?
“The nice addition from Horizon3.ai is not only finding the vulnerability, but correlating it with the potential reality for an intentional or accidental cyber incident to happen that could make it worse,” says McKim. “We had a vulnerability scanner, but NodeZero marries up whether those vulnerabilities are exploitable.”
NodeZero’s context scoring, which lets users see the context and provides criticality or prioritization based on it, is an important benefit as well, McKim notes.
“I’ve worked in environments where you get a vulnerability scan and you’re handed a report – and if you ask the question, do I need to care about this, the answer is ‘we don’t do that, we just find the vulnerabilities,’” he says. “You never want that to happen in front of another member of management.”
McKim reports directly to the CEO, with whom he has a great deal of trust and support. After McKim showed him a few features of NodeZero, he had the CEO’s full trust to carry forward. With that support, McKim’s been able to use NodeZero to help other teams with prioritization and engagement.
“If I’m working with a third party or someone in our supply chain and need to address something that I don’t manage myself, I can say: ‘This is the exploit, and this is what I need you to do and how soon I need it to happen’, all because NodeZero is structured the way it is,” says McKim.
Closing the Gaps, Identifying Upgrades
Running NodeZero also helped to prioritize what equipment or systems needed to be upgraded or replaced.
“We were able to identify equipment that had been sitting for a long time with a web server running on it, for example,” says McKim. “Do we need that web server? Is there a plan for replacing it? Or is there a new application or option we should consider, such as moving it to the cloud?”
This was important not only from a cybersecurity perspective, but also from one of digital transformation. It helped with the decision-making process for identifying weak points that needed to be replaced, and then developing plans to do so and projecting that out.
“Without a plan in place, some of these things run the risk of sitting there until something happens that causes an issue, and then it’s panic mode to replace or repair it,” he says. “NodeZero has been helpful in finding locations that don’t need servers running on them, or others where firmware updates don’t cut it anymore and need new hardware.”
Transition and planning around operational tech replacement have been a big help in providing proof to the folks who manage budgets about where, when, and how the money needs to be spent to make sure their cybersecurity profile is at its best.
“It’s helpful with prioritization,” says McKim.
The Benefits of Portability
NodeZero’s portability has also made McKim’s work easier. As the only person focused on cybersecurity in the organization, he finds efficiency and ease of use are key to getting everything done in a given day.
“I can take the virtual machine running NodeZero and put it on different segments through our virtual infrastructure,” he says. “It’s part of why I found the leakage between segments – with NodeZero I can isolate it, put that virtual machine on a segment, run the product and then scan to get the results.”
Portability, ease of use, and speed came in handy when staff and cycles were limited because of the pandemic.
“It doesn’t take a long time, and there’s an ease of running the tests and reviewing to determine what may need to be changed,” he says. “Plus, it shows the proof and methodology for anyone who wants to dig into more details to find how the product did what it did to get those results.”
McKim hopes to not always be a one-man cybersecurity show, and the ease of use with NodeZero gives him confidence he could onboard a colleague very rapidly to use it.
“That it makes it so straightforward to run and interpret the reports means the fact that I’m alone isn’t as high a risk – ideally I have someone to back me up and the nice thing about it is when we’re at that point, it’ll be easy to orient them,” he says. “With NodeZero, it’s: ‘Here’s how we run this; Here’s how we configure it; Here’s the flow chart; and here’s the things to fix.’ If I hire someone or bring in additional support, it’ll be very easy to support them.”
Speaking of support, the Horizon3.ai team has been a great partner thus far, McKim says.
“I appreciate being able to interact with them on a level where they help determine what the real answer or fix is,” he says. “It’s a rare experience with a partner.”
Doing more with fewer resources, faster and more efficiently – NodeZero has been a great help in McKim’s day-to-day workflow.
“The ease of use is very appreciated and will be more so when there’s someone else here as well,” he says. NodeZero offers the ability to do a pentester’s job without having an on-staff pentester.
“I don’t need the suite of tools to run the pentests independently – I have the skill to do so but not the time to do it myself,” he says. “And I don’t lose sleep because I have the assurances of what I’m able to do with NodeZero. I can say to myself, I can do this when I have a change window, when otherwise I’d be here saying I don’t know what I don’t know. That’s where NodeZero helps, knowing your environment and having a 360-degree view.”