Republic Services, an industry leader in U.S. recycling and non-hazardous solid waste disposal, chose Bishop Fox’s Cosmos (formerly CAST) service to gain visibility into their attack surface and to discover, analyze, and investigate security risks as they emerge in order to prevent attacks and data breaches.
While their attack surface is relatively small, Republic Services must ensure the privacy of consumers and business customers across approximately 40 states. As a Fortune 500 company and a utility service, they knew they needed to ensure that their company handled data responsibly beyond just satisfying compliance needs. They needed to go an extra step to have constant visibility and a thorough understanding of where threats and risks might crop up on their perimeter.
"Bishop Fox's [Cosmos] service scales significantly better than other options in the market. [Cosmos] gives me more relevant, meaningful, and actionable information and I'm not waiting for the output of a pen test before I can act."
— Shaun Marion, Vice President and Chief Information Security Officer at Republic Services
As they moved to the cloud, namely Amazon Web Services (AWS), and underwent rapid changes in their IT environment and business operations, the continuous testing Cosmos offered provided the depth of information the Republic Services security team needed to secure their organization and their customers effectively.
"We knew we needed something beyond just another scanning solution. [Cosmos] offered us attack surface discovery. The service showed us things we weren't even aware of. We didn't have to provide a list of IP addresses to scan; to the contrary, they discovered our attack surface for us and began scanning immediately."
— Shaun Marion, Vice President and Chief Information Security Officer at Republic Services
Republic Services relied on Cosmos' automated discovery process to help them quickly build out their new asset inventory, while also discovering subdomains and one-off webpages that were created outside of the security auditing processes. Those previously unknown subdomains could easily pose a threat to an organization. With those unknown assets discovered and mapped out, Republic Services could either take them offline or add them to their asset inventory so they can protect them appropriately.
With new threats published daily, it can be a nearly impossible task for security teams to manually monitor whether they are affected by a new vulnerability (CVE). Republic Services wanted to be able to quickly determine whether they had these new vulnerabilities on their attack surface – on known assets or hidden away in the unknowns – and what the potential impact would be on their business if they did have them. With Cosmos automatically scanning for these emerging threats and a team of humans analyzing what impact an attack would have on their operations, Republic Services had full visibility into their risk profile.
As most of these emerging threats didn’t actually impact Republic Services, they were able to ignore the noise of a near-constant stream of new CVEs and focus where it mattered. The Cosmos team regularly notified the Republic Services team of each emerging high-impact CVE and then cross-referenced the new vulnerability with the mapped assets to filter out the noise of an ever-changing threat landscape. The Republic Services security team had peace of mind knowing that the Cosmos technology and team were monitoring for all vulnerabilities and could see a running list of attack surface notifications in both the Cosmos Portal and chat platform.
Security teams are often inundated with bigger risks and disasters that require their immediate attention, so low-impact risks may fall through the cracks. Republic Services aimed to get ahead of that cycle and tackle even minor issues before they had the possibility of creating bigger problems down the line. With Cosmos, they were able to see these issues within the portal and access guidance from Cosmos experts on how to harden their defenses, often with little effort.
"The Bishop Fox team became an extension of our team. The day-to-day processes were managed as if our [Cosmos] partners had become part of our team – they'd go through issues and discuss how to handle what they'd discovered. It was a refreshing change from the norm. They focused on solutions and worked with us as a true partner."
— Shaun Marion, Vice President and Chief Information Security Officer at Republic Services
One finding that the Cosmos team walked Republic Services through was a server monitor for an application that was publicly exposed on the Internet. In this case, the monitor didn’t need to be exposed in order to operate in the way they needed. Republic Services immediately took the affected software offline and protected it within their internal networks to remediate the risk.
"Overall, we've been really pleased not just with the continuous testing of [Cosmos], but the incredibly high caliber of talent from the team. The team thinks creatively and follows any threads for things that don't look quite right. As a result, they uncover many risks that other teams and technologies would have missed."
— Shaun Marion, Vice President and Chief Information Security Officer at Republic Services
Republic Services will continue to partner with Bishop Fox using the Cosmos service to ensure their data is safe and their applications are secure as they continue their transition to the cloud and acquire new companies. Cosmos' automated, continuous testing will map any new infrastructure, the Cosmos team will work alongside Republic Services’ security team to support them daily, and the holistic, comprehensive view of the attack surface will continue to provide a strong foundation to the security of the company.
Republic Services, Inc. is an industry leader in U.S. recycling and non-hazardous solid waste disposal. Through its subsidiaries, Republic’s collection companies, transfer stations, recycling centers, landfills and environmental services provide effective solutions to make responsible recycling and waste disposal effortless for its customers across the country. Its 36,000 employees are committed to providing a superior experience while fostering a sustainable Blue Planet® for future generations to enjoy a cleaner, safer and healthier world.