How Ben Bachmann, VP of Group Information Security at Ströer, Uncovers and Secures Hidden Digital Assets with CyCognito

When Benjamin Bachmann became the Vice President of Group Information Security at Ströer, two years ago, he encountered a significant challenge: the company lacked a comprehensive understanding of its external-facing assets. Ströer is a leading German media conglomerate with diverse operations spanning over 100 subsidiaries, each managing its own IT department, complicating the task of managing cybersecurity across such a diversified portfolio. This complexity posed not just an IT challenge but a strategic business concern that demanded a solution beyond traditional tools and methodologies. I recently sat down with him to learn more about the complexities of managing a sprawling digital landscape. 

Ben’s main hurdle was the absence of visibility into the company’s digital assets. “When I started, no one monitored our digital assets. It was just a guesstimate,” he admits. Highlighting the exposure risks this posed in leaving the company vulnerable to cyber threats. Ströer’s vast enterprise includes outdoor advertising, digital media, dialogue marketing, e-commerce, and digital as a service (DaaS), among others. This broad spectrum of operations presented unique security challenges that required a solution that could provide comprehensive visibility and vulnerability management across its expansive digital landscape.

CyCognito aligned perfectly with Ströer’s complex structure. Its user-friendly interface and powerful search capabilities were exactly what he needed. “It’s really nice that you have some really huge search capabilities, so you don’t have to learn any new language or click 1,000 times to navigate,” he says. 

Ben notes that the impact was immediate. He realized they had more assets and vulnerabilities than they initially thought, but we were able to start remediating those vulnerabilities quickly. Onboarding was quick and easy, which was critical for him to start addressing their security gaps. 

Within a few weeks of deployment, Ben’s team was able to remediate many of these vulnerabilities, significantly reducing the company’s risk exposure. “We saw immediately that we had more assets than we thought we had, and we saw a lot of vulnerabilities we needed to remediate,” he states.

CyCognito enables his security team to uncover hidden assets and vulnerabilities that had previously gone undetected. “CyCognito was a game-changer for us, providing the visibility we needed into our digital assets and allowing us to manage security effectively,” he says. The automatic discovery of assets helped Ströer avoid costly penetration tests and, more importantly, potential security threats. “We cannot afford to pen test every website we own every few weeks or months,” he says. “CyCognito helped us a lot because we have a really good continuous understanding of what our defense looks like.”

“What was really interesting was to see the amount of cross-site scripting and other web application vulnerabilities we had in websites we own that have not been used by attackers as far as we know,” he says. “And those have been fixed.”

Within the first six months of running CyCognito, Ben’s security team mitigated a number of vulnerabilities. “Most companies had some shadow servers that no one was administering anymore,” he says. “It was quite nice to see them from the outside and take action. We shut down some websites as well.”

Although Ben has seen the number of hidden vulnerabilities cut in half when new companies are acquired, new services are launched, or a product or company is integrated, he has noticed an increase in the company’s digital footprint, but can quickly spot that trend and take corrective action.

CyCognito has fundamentally shifted Ben’s approach to be more proactive. It’s not just about discovering and fixing vulnerabilities; it’s about continuously monitoring Ströer’s digital landscape. This continuous insight allows his team to catch and remediate issues much faster. Additionally, it’s made his team and subsidiaries more operationally efficient. He can now easily inform a subsidiary about its expanding digital footprint, and in turn, receive clear instructions on how to address vulnerabilities. “On my end, we save a lot of time because I can just click into the platform and tell one of the companies ‘your Internet footprint is larger,” he says. “And our subsidiaries probably save time as well because CyCognito delivers quite nice instructions on how to fix vulnerabilities, for instance, or how to validate if it’s really there.”

His team monitors around 40,000 assets through CyCognito, which includes not just our websites but also assets hosted on cloud services like Amazon Web Services, Microsoft Azure, and Google Cloud. CyCognito has become an essential tool for Ben, his team, and subsidiaries, enabling them to maintain a strong cybersecurity posture across its entire digital landscape.

“Everyone in the company is positive about CyCognito and is interested in having a good risk level,” he says.

Ben urges CISOs not to rest on known defenses or periodic manual testing alone. The digital landscape is always evolving, and threats are constantly emerging. Investing in a platform like CyCognito that allows for automatic and continuous scanning and testing of both known and unknown assets, is crucial. “CyCognito is worth every cent we pay, and it helps me sleep better because I know we’re checking our internet-facing assets on a regular basis,” he concluded.

Key Results

• Gained continuous visibility into all 40,000 assets in their external attack surface for the first time including subsidiaries and joint ventures
• Discovered previously hidden vulnerabilities, which improved the company’s security posture, and helped the company avoid excessive pen tests
• Reduced external attack surface footprint by shutting down shadow servers and unmanaged websites
• Enabled more than 50 subsidiaries to perform independent monitoring with the centralized CyCognito platform, reducing remediation time
• Gained comprehensive reporting used to inform the Board of Directors of subsidiary risk levels and improvements

Read the full story here.