Success Story

Protecting a $9.5bn Enterprise with Seamless, Automated Remediation

Cintas replaces manual patching tasks with risk-based, automated prioritization and remediation from Qualys Enterprise TruRisk Platform

Facilities

45k

Employees

International

Website

Executive Summary

To strengthen its security posture against the backdrop of increasing cyber risks from cybercriminals and state-backed threat actors, Cintas augmented its Qualys VMDR® solution with Qualys Patch Management, Qualys TruRisk™ and Qualys CyberSecurity Asset Management. The new solutions enable Cintas to patch the most severe threats automatically within less than 24 hours, delivering a cyber risk reduction of 61%.

Headquartered in Cincinnati, OH, Cintas Corporation provides highly specialized business services. The company’s offering includes corporate identity uniform programs, entrance mats, restroom cleaning and supplies, tile and carpet cleaning, promotional products, first aid, safety, fire protection products and services.

Customer Environment

Hybrid cloud infrastructure, including 1,200+ servers

23,000 end-user devices

Distributed workforce, including 15,000 on-the-road (fleet)

Enterprise planning and customer/vendor management applications

Business Background

Cintas Corporation helps more than one million businesses of all types and sizes keep facilities and employees clean, safe, and looking their best. Every day, employees across Cintas Corporation rely on the organization’s digital tools—including mission-critical business systems—to deliver outstanding customer services. All organizations face attacks on their external and internal services and infrastructure. To shrink the potential attack surface, Cintas looked for a way to accelerate the patching process for thousands of assets.

Business Challenges

Cintas must protect a large estate of on-premises and cloud assets—including the IT platforms supporting the organization’s enterprise applications

Limited visibility of uncatalogued and end-of-life assets across the environment reduced the company’s ability to apply patching policies consistently

Remediating high and critical vulnerabilities took more than a month, increasing risk exposure

Teams were inundated with daily patching tasks, making it difficult to prioritize emerging threats such as zero-day exploits

Separate point solutions for cloud and on-premises assets prevented Cintas from adopting a unified approach to vulnerability management

We’ve relied on Qualys VMDR to support our vulnerability management process for many years with great success—but manually patching our systems using our previous tool took a tremendous amount of time. To mitigate that risk, our CISO asked us to find a way to patch the most serious vulnerabilities within just 24 hours.
Thomas SchefflerSecurity Operations Manager, Cintas Corporation

The Solution

To achieve its vulnerability management objectives, Cintas extended its Qualys solution by implementing Qualys Patch Management, Qualys TruRisk and Qualys CyberSecurity Asset Management (CSAM).

“When Qualys demonstrated the capabilities of the Patch Management, we realized straight away that we’d found the answer to our remediation challenges,” recalls Scheffler. “With Qualys Patch Management, we can leverage our existing Qualys Cloud Agent deployments to automatically patch our endpoints and verify that the installation completed successfully.”

By incorporating real-time threat intelligence from Qualys TruRisk, Cintas can aggregate multiple risk signals to prioritize its remediation work, enabling it to focus its patching efforts on the most serious threats. With Qualys CSAM for external attack surface management, Cintas enjoys 360-degree visibility of all assets, and the ability to drill down to investigate potential security gaps.

Using dynamic tagging in the Qualys TruRisk Platform, we can tag our assets based on automated business rules. This empowers us to measure and quantify our cyber risk by asset group—and present that information clearly to our asset owners and decision-makers.
Thomas SchefflerSecurity Operations Manager, Cintas Corporation

Qualys Difference

End-to-end platform for applying risk-based vulnerability management that includes asset and patch management for on-premises as well as cloud assets

Enables security teams to prioritize and complete remediation work according to real-world risk factors

Replaces manual, time-consuming remediation activities with streamlined, automated patching

Measures and quantifies cyber risk by asset group and clearly presents the insights to all stakeholders

Reveals previously unknown threats, such as end-of-life and uncatalogued assets

The Business

Benefits

Empowers Cintas to detect new vulnerabilities in four hours or less, helping it safeguard mission-critical business systems in a rapidly evolving cyber threat landscape

Delivers a ~300% increase in the visibility of internet-facing assets, including fine-grained data on risk exposure

Cuts mean time to remediate vulnerabilities from up to two months to just seven days—an 87% reduction

Enables the company to remediate high and critical vulnerabilities in less than 24 hours and respond immediately to emerging threats such as zero-days

Cuts overall cyber risk by 61%, contributing to double-digit cyber insurance cost-savings

Enables Executive leadership to have timely and accurate risk-based organizational telemetry available to communicate to the key stakeholders.

Qualys CSAM is a critical solution for Cintas because it allows us to see the most critical external-facing assets that threat actors will go after. CSAM also makes it easy to track and decommission end-of-life assets, which is a powerful way to strengthen our overall security posture.
Thomas SchefflerSecurity Operations Manager, Cintas Corporation