BUSINESS: International Online marketplace
SIZE: 13,000+ Employees
BUSINESS CHALLENGE: Ensuring network security across eBay and networks owned by business partners.
OPERATIONAL CHALLENGE: To efficiently manage data generated by eBay’s servers and by those in partner networks in order to audit policies and identify any possible security issues.
- Qualys Enterprise
WHY THEY CHOSE QUALYS:
- Provides default standard for security.
- Easy web interface for management of all security data.
- Automated on demand audits accurately pinpoint vulnerabilities and provide fixes.
- Easy to use on eBay and partner networks
- Faster, simpler, cheaper security
eBay, Inc. — Securing the World’s Online Marketplace with Qualys
eBay, Inc. is the largest and most popular marketplace on the Internet, allowing members to buy and sell almost anything. Launched in 1995, about 147 million people now use eBay. An estimated 430,000 people in the United States make all or most of their living by selling on eBay. eBay’s online payment service, called PayPal, enables transactions nearly anywhere in the world. eBay proclaims trust between buyers and sellers as the key to the success of the marketplace. To standardize network security auditing and remediation processes for both internal and partner networks, eBay conducted an extensive evaluation of vulnerability management tools. eBay selected the on demand Qualys solution for vulnerability management.
On Demand Service Model Made Deployment of Qualys ‘Painless’
The sheer scale of network infrastructure for eBay requires an effective vulnerability management solution, according to Chris Lalonde, Senior Manager of Information Security in eBay's Audit & Investigations group. "Our environment changes quickly so we needed a solution that would automatically find the most recent vulnerabilities without requiring constant research by staffers," says Lalonde. His group is responsible for auditing security across all eBay platforms and partner networks. The group is part of a larger secruity-focused organization.
eBay also sought a practical way to audit the network security of business partners, and to help them quickly remediate vulnerabilities. Since most of the partner companies have smaller networks and correspondingly fewer IT resources, eBay required an automated solution that would make vulnerability assessment of third-party infrastructures very easy. Efficient management of the security data was a major issue. “Security data management is one of the most difficult challenges we deal with when managing large networks,” Lalonde says.
“Qualys has made the job of auditing our network much easier. We used to have to dig through results and do a lot of manual analysis to get meaningful reports, and those were inconsistent. Qualys takes care of that nightmare.”
Senior Manager, Information Security,
eBay conducted an evaluation of Qualys and other top security scanning products. Lalonde’s group avoided considering test results by industry magazines until after conclusion of its own evaluation. “We didn’t want those to cloud our view,” says Lalonde. “The results felt right.” Those results led eBay to purchase Qualys Enterprise for perimeter scanning and more than a dozen Qualys Scanner Appliances for auditing vulnerabilities on network segments inside the corporate firewall and on partner networks.
Automated Reports Give eBay Executives a Clear Picture of Enterprise and Partner Network Security
The automation built into Qualys immediately allowed eBay to do vulnerability assessments on demand, including rapid scans for the most recent vulnerabilities anywhere in its own network and in partner networks. The payoff for Audit & Investigations was instant reporting synthesized across the global enterprise.
"Reporting is one of the things we like best about Qualys," says LaLonde. "We used to have to dig through results and do a lot of manual analysis to get meaningful reports, and those were inconsistent. Qualys takes care of that nightmare. The interface was a huge selling point." eBay uses the reports in a couple of ways. The first is for immediate feedback to the Security Operations group, which uses the data for remediation. LaLonde says Qualys automatically feeds alerts of vulnerabilities into the company's trouble ticket application. Managers use those reports to supervise repair teams, including automatic creation of a service-level agreement and links to patches and other guidance for remediation. Post-remediation scans verify that the repairs are working.
Qualys reports also build metrics into eBay’s security program. “We use Qualys as a way to paint a picture of security and feed it to our executives” says Lalonde. “The reports give senior executives a concise, real-time view into eBay’s security risks and measure change in those risks as we implement security measures.” The reports also serve as data for budgeting security resources.
Qualys Sets Default Standard for Security Across eBay and Partner Networks
Lalonde says one of the most difficult challenges from a security manager’s perspective is building standards around security. “Qualys allows us to have a baseline standard for security,” he says. Qualys’ capabilities are especially useful for auditing network security at partner companies and helping them remediate vulnerabilities. “Using Qualys to audit security of partner networks is much simpler, faster and less expensive than other options,” Lalonde says.
Audit reports also help provide a paper trail for compliance with regulations. “Vulnerability management reports from Qualys help give outside auditors the knowledge that we’re being proactive and taking security problems seriously,” says Lalonde. In addition to reporting, Qualys also simplifies vulnerability management processes at eBay. The role-based authorization feature of Qualys allows eBay to compartmentalize responsibility for specific engineers allowing them to scan and view reports for specific IPs, such as the infrastructure in the Asia/Pacific region.
Lalonde says he is pleased with results provided by the Qualys solution. “Qualys has made the job of auditing our network much easier,” says Lalonde. He says security specialists can now focus on the issues of remediation and measuring the state of eBay’s network security.