Campminder reduces misconfigurations and vulnerabilities by 50% using Mondoo

The numbers speak for themselves
50%
Fewer misconfigurations and vulnerabilities
< 16 days
Mean Time To Resolution (MTTR)
4x-5x
Less manual work
$$$$ => $
4 fewer tools and no longer any need for professional services

About the customer

Campminder is a web-based software platform designed specifically for summer camps, allowing them to manage all aspects of their operations including online registration, staff management, health records, communication with parents, transportation logistics, photos, and more, essentially providing a centralized hub to streamline camp management and make every aspect more efficient.

Location: Boulder, CO
Employees: 100
Cloud: Azure, AWS, Kubernetes
SaaS: Okta, Slack, Google Workspaces
ITSM: Azure DevOps
IaC: Terraform
Compliance: PCI DSS

Cloud-first IT infrastructure

Campminder operates fully in the cloud for all their workstations and servers. They don't have any on-prem instances or an internal network. This increases Campminder’s agility, scalability, and cost efficiency, and allows them to be more proactive about security. Campminder mainly uses Azure and also some AWS. They use many SaaS tools, including Okta, Slack, and Google Workspaces.

Security challenges

Austin Palmer, Head of Cybersecurity and Compliance, was facing several challenges and gaps in Campminder’s IT security tooling:

  1. Indigestible vulnerability scanning: They were using an expensive vulnerability scanning service that just provided them with hundreds of pages on vulnerabilities, with little useful information. “It took us ages to get through the reports, with few actionable results,” Austin said.
  2. No asset management: They had no visibility into their IT inventory, which was especially a problem when trying to ensure all systems were patched and when having to respond to zero-day threats.
  3. No PCI DSS compliance scanning: The list of PCI DSS requirements that Campminder was subject to had increased by a factor of 10. Austin: “Since this involved a much more rigorous and comprehensive evaluation, we realized that we were going to need a tool for this.”

“We were paying an insane amount for a third-party provider to do our vulnerability scanning and monitoring and we weren't getting the benefit.”
Austin Palmer, Head of Cybersecurity and Compliance

Tenable and Rapid7 didn’t cut it

Austin first looked at Tenable and Rapid7 to solve these challenges. Tenable generated a lot of alerts that weren’t actionable and didn’t offer any inventory or asset management. Rapid7 was at least usable, but the biggest problem was that both Tenable and Rapid7 rely heavily on installed agents, which increase compute costs and reduce performance.

Then Austin was introduced to Mondoo, and never looked back.

“One of the main reasons we stayed away from Tenable and Rapid7 and other tools like that is because they rely heavily on agents. The fewer agents I have on my boxes, the happier I am.”
Austin Palmer, Head of Cybersecurity and Compliance

Solution: Mondoo

“Mondoo was a godsend for us,” said Austin. “We were immediately impressed by the demo and the fact that we could see the scan results in an easily digestible and actionable manner. Mondoo also assisted us in replacing our old ASV scanning tool, which was another capability we were looking for.”

With Mondoo, Campminder now gets:

  1. Actionable findings: Clear and prioritized insights into their vulnerabilities and misconfigurations.
  2. Asset management: A full inventory of all their IT assets and an easy way to search. 
  3. Compliance: Continuous and fully automated PCI DSS compliance scanning.
  4. Guided remediation: The ability to assign issues with all the relevant information and remediation steps, greatly reducing any back and forth and speeding up remediation times.
  5. ASV scanning: External vulnerability scanning through an external provider using Mondoo.
  6. Optimized security: Understand how to achieve the biggest posture improvements with the least effort, using impact scoring and blast radius.

“Mondoo was insanely helpful in meeting our PCI DSS requirements.”
Austin Palmer, Head of Cybersecurity and Compliance

Implementation

Deploying Mondoo was surprisingly easy. Austin: “I love that Mondoo doesn’t require an agent on every single asset. It was really easy to connect Mondoo to our environment and instantly start scanning.”

When Campminder recently acquired another camp management application, it was easy for Austin to connect Mondoo to their environment and start scanning for vulnerabilities and misconfigurations. This meant that they were able to get the application up and running securely very quickly and significantly accelerated the time to value of their acquisition.

The ability to organize assets into workspaces within Mondoo was also very useful for Campminder. Austin: “We were able to set up a separate workspace for the new application. Since it had a very different IT infrastructure with only on-prem servers and workstations, it was extremely useful to be able to see the assets separately from our cloud assets.”

Results

With the Mondoo platform, Campminder achieved the following results:

  1. Reduced misconfigurations and vulnerabilities by 50%.
  2. The vast majority of risks are now remediated in under 16 days.
  3. Reduced manual work by 4x-5x (no longer needing to sift through long vulnerability reports, streamlined remediation assignment, and automated compliance checks).
  4. Avoided the need to buy separate tools for asset management, vulnerability management, PCI compliance, and ASV scanning.

Conclusion

“Having a tool such as Mondoo is incredibly helpful, especially for small cyber teams who need to wear multiple hats,” said Austin. “I used tools such as Rapid7 at previous organizations, but it wasn’t user friendly and it was laborious to track vulnerabilities across the entire organization with no easy way to search for assets and machines.”

Austin: “What is also great about Mondoo is that we’re able to work with you on new features that we've asked for. You've always been super helpful and listened to our feedback. I’d definitely recommend Mondoo for organizations who want to save on manual work and optimize their security efforts.”