Nestlé Unified Vulnerability Management Approach

Angelo Punuriero (Nestlé, IT), Jenifer Jimenez (Nestlé, ES), Martin Karel (Nestlé, ES) Angelo Punturiero is an Italian native who has recently moved to the enchanting city of Barcelona. He proudly serves as a Vulnerability Management Senior Specialist in the Nestle’ CSOC Vulnerability Management team. With a deep passion for cybersecurity and the art of fine cuisine, he has improved he's skills through years of experience at renowned IT consulting firms. This professional journey has led him to Nestle’, where he coordinates the process that determines the Corporate Rating of the daily published CVEs, ensuring that the appropriate stakeholders are promptly informed of any imminent risks. Additionally, he actively engages in matters related to Cloud Security and contributes to projects involving Generative AI in the realm of cybersecurity. Jenifer Jiménez, native of Spain, is currently working as a Senior Vulnerability Management Specialist at Nestlé Global Services in Barcelona. She is vulnerability management orchestration platform lead architect. Prior to her current role, she was part of the team providing security services to global Hewlett-Packard customers, as well as managing the development of security platforms for the CSIRT at CaixaBank. With a deep passion for her work and a commitment to staying at the forefront of industry trends, she strive to make a positive impact in the field of cybersecurity. Her dedication to securing critical systems and her love for salsa dancing and family bring a unique blend of expertise and personal fulfillment to her life. Martin Karel, a native of Slovakia, is currently leading the Nestlé global vulnerability management and offensive security team based in Spain. He has been a part of the Global CSOC since its establishment in 2016 and has played a crucial role in various key projects, including incident response, security monitoring, and the centralization and automation of vulnerability management processes. Prior to his current role, Martin led similar projects at HP Enterprise and SEAT, a car manufacturer within the VW group. In his leisure time, he is passionate about ballroom dancing and values spending quality time with his two daughters. --- Nestlé and similar organizations encounter numerous challenges in Vulnerability Management. These include managing large and diverse environments, accommodating various technologies with distinct requirements, navigating complex ownership structures, coordinating multiple security teams and tools, and adapting to constant change. To address these challenges, my team and I have made it our mission to create a comprehensive platform that integrates the most practical approaches for each specific environment. By doing so, we aim to increase automation, enhance situational awareness, and unlock a multitude of use cases and reporting capabilities. In addition to consolidating results from different traditional vulnerability scanning tools and penetration tests, we recognize the importance of analyzing vulnerabilities that are disclosed by vendors but may not be detected by scanners. We have implemented a crucial activity that involves automatically categorizing non-critical vulnerabilities and communicating them to the respective patching teams, aligning with their specific patching schedules. For critical vulnerabilities, we have established a more aggressive remediation process. This process is closely integrated with the scanner findings, which helps to address challenges related to ownership, tracking, and SLA calculations. By linking these components together, we are able to streamline vulnerability management and ensure efficient resolution of identified issues and overall visibility.