For large higher education institutions, effective cybersecurity is an ongoing battle of working across disparate IT systems, managing a never-ending list of assets, and keeping student data safe from vendor-related security risks. These were some of the challenges faced by Colorado State University, where CISO Steve Lovaas needed a smarter, more automated solution to focus his team's limited resources on the risks that mattered most.
The customer
Colorado State University (CSU) is a public research university in Fort Collins, Colorado. It offers over 200 academic programs across eight colleges, including Natural Sciences, Engineering, Business, and Liberal Arts.
Challenge 1: Managing a never-ending attack surface
To provide services to students, faculty, and researchers, Colorado State University and other higher education institutions manage hundreds to thousands of domains and IP addresses.
The university’s decentralized IT structure further complicated this challenge. With many departments historically running their own systems, the result was a large, fragmented attack surface comprising numerous public-facing IP addresses and applications that were not centrally managed.
“What we end up with is a lot of public-facing IPs and domains, applications that we don't necessarily run centrally. And so multiply a typical organizational footprint by the number of distributed IT units and you've got a recipe for a pretty large attack surface to keep track of.”
- Steve Lovaas, CISO (Colorado State University)
The solution: Automated attack surface monitoring
The first step to solving this problem was establishing a comprehensive asset inventory. By using UpGuard as an automated approach to monitor their attack surface, Steve's security team can strategically identify opportunities for reducing the attack surface, such as finding and flagging unmaintained pages or abandoned end-of-life applications.
“Having an automated way to look at the attack surface is a great way with things like Unmaintained Pages or End of Life applications that may just have been abandoned.”
- Steve Lovaas, CISO (Colorado State University)
The impact: Complete visibility across the entire digital footprint
With comprehensive attack surface visibility achieved, Steve and his team could focus their efforts on optimizing their remediation process, which UpGuard's automated flagging feature made easy. Now, the security team uses the platform's findings to notify departmental IT managers about a flagged asset, which has proven to be a highly effective way to reduce risk quickly.
“When those get flagged, it gives me the chance to just shoot a quick message to one of the departmental IT managers and say, Is it something we ought to get rid of? This would be a low-hanging piece of fruit to increase our security.
They're usually pretty responsive to that kind of approach.”
- Steve Lovaas, CISO (Colorado State University)
Challenge 2: Managing existing and new vulnerabilities
Steve's security team constantly faced a growing body of vulnerabilities, ranging from older yet still exploitable issues to new, pressing zero-day threats. The primary challenge was resource allocation: determining how to balance the need to address old, known issues while maintaining the agility to pivot and respond to critical new threats promptly.
“It's a challenge to deal with cleaning up all of the old stuff, and then also, you know, when it's time to jump for a zero day, being able to pivot very quickly.”
- Steve Lovaas, CISO (Colorado State University)
The solution: Identifying high-risk assets
With the asset inventory established, the solution was to utilize UpGuard to automatically correlate this data with real-time vulnerability feeds. This allowed the team to pinpoint the specific "points of intervention"—those few assets running software with "known exploitable vulnerabilities"—and effectively triage new zero-day threats as they emerged.
“It's pretty critical to have some idea of what's actually running on your network, so that when a zero day comes, you know whether to burn time out on it, or just shrug and move on.”
- Steve Lovaas, CISO (Colorado State University)
The impact: More efficient risk remediation
The primary impact of this risk-based approach with UpGuard was a significant increase in efficiency and substantial time savings. By being able to instantly identify which assets were truly high-risk, the team could avoid wasting resources on irrelevant threats and confidently focus on the vulnerabilities that posed a genuine risk to the University.
“Vulnerabilities just keep coming, so some sort of formal or informal sense of what you have... that'll save you a lot of time.”
- Steve Lovaas, CISO (Colorado State University)
Challenge 3: Mitigating third-party risks
Third-party risk management (TPRM) is a growing issue across the higher education sector, not only in terms of security risks but also in terms of audits, compliance, and board mandates.
While audits and board mandates increased the responsibility for vendor oversight, the security team faced an uphill battle in conducting full risk assessments on a vast number of vendors.
“It’s an incredibly tall order to do full risk management on all of our vendors, including the Microsofts and Amazons of the world.”
- Steve Lovaas, CISO (Colorado State University)
The solution: An end-to-end questionnaire and assessment workflow
UpGuard provides Colorado State University and other higher education users access to an industry-leading library of vendor security questionnaires, including the Higher Education Community Vendor Assessment Tool (HECVAT).
“Vendors, especially those who want to work with the higher education sector, have seen the writing on the wall and have decided that security questionnaires are necessary to show institutions they are happy to comply with security procedures.”
- Steve Lovaas, CISO (Colorado State University)
The impact: Scalable vendor risk management
UpGuard streamlines the security questionnaire process by eliminating manual work and using automation to gain deeper insights into a vendor’s security posture. Users can access questionnaire templates tailored to industry regulations and security risks, or create their own questionnaires from scratch. These features allow security teams to scale their questionnaire process by as much as 10x.






