BUSINESS: Consulting firm that specializes in scientific, engineering, and security technologies.
SCOPE & SIZE: 315+ employees
BUSINESS CHALLENGE: Automate and streamline vulnerability management processes wherever possible to cut costs while achieving adequate levels of security and regulatory compliance.
OPERATIONAL HURDLE: Tight staffing along with growth in size, scope, and dependence on business-technology systems.
- Qualys Vulnerability Management
WHY THEY CHOSE QUALYS:
- Discover and prioritize all network assets.
- Qualys helps us meet our mission to ensure the efficiency of business operations by maintaining a resilient, flexible and secure network.
- Proactively identify and fix security vulnerabilities.
- Manage and reduce business risk.
- Ensure compliance with laws, regulations, and corporate security policies.
IT Security Posture Reinforced
By moving away from ad hoc vulnerability assessments toward an automated and sustainable vulnerability and risk management program, this defense consulting firm is able to reduce and manage the risks to its IT systems more effectively
Ideal Innovations, Inc., (I-3) is an Arlington, Virginia-based consulting firm that specializes in scientific, engineering, and security technologies designed to protect lives, enhance survivability, and enable more efficient operations. Technologies within I-3's domain include biometrics, forensics analysis, IED defeat solutions, engineering services, database and software development, training, and advanced armor systems.
Since its founding in 1998, I-3 has grown from two employees to more than 300, with personnel also located in West Virginia, Texas, and overseas in both Iraq and Afghanistan. Along with that growth in size and scope, I-3's dependence on business-technology systems has grown. And the reality is that small and mid-sized businesses today, such as I-3, are faced with daunting security pressures. While they face the same threats and vulnerabilities as large companies, they often lack dedicated security teams to fight the risks. That's why small and mid-sized businesses must automate and streamline processes wherever possible to cut costs while also achieving adequate security and regulatory compliance.
That's the challenge John deGruyter, senior network security engineer at I-3, had to meet. As I-3's business grew, so did it’s need to better manage the vulnerabilities on its IT infrastructure. "And as our network was growing, the nature of the threats were evolving from targeting the servers to targeting client side applications," says deGruyter.
Vulnerability Management Reaps Clear ROI
One of the most, if not the most, efficient ways to attain security and regulatory compliance is by putting into place an effective, continuous vulnerability management program. According to a report published last year by the research firm Aberdeen Group, some companies reach a 91 percent return on their vulnerability management investment. According to the research, identifying, prioritizing, and remediating vulnerabilities — and periodically repeating the process — considerably decreases the time spent spotting and patching software flaws and misconfigurations, while also reducing data breach and loss incidents.
"While we were testing Qualys, a serious client-side vulnerability had just come out. The day after the vulnerability was announced, Qualys was able to detect it."
Senior Network Security Engineer,
For its vulnerability management efforts, I-3 had been relying on a set of various commercial and open source tools to keep its systems secure. But, as the number of systems and physical locations grew, so did the vulnerability management burdens: tracking new vulnerabilities, determining what vulnerabilities matter most to which systems, and keeping the vulnerability databases of multiple tools up to date. To improve efficiency, I-3 elected to try Qualys Vulnerability Management (VM).
"While we were testing Qualys, a serious client-side vulnerability had just come out. The day after the vulnerability was announced, Qualys VM was able to detect it," explains deGruyter. "Qualys’ expedient response time was significant for us as we looked for ways to better protect our end users," he says.
"Another of the strengths of Qualys that immediately stuck out was the ability to securely run scans on our other locations. Our previous scanner required much more maintenance and required us to log in to multiple locations," he adds. "It would sometimes take 10 minutes for the vulnerability scanner to download the latest updates and be ready to scan. Qualys is fast. Just logon, select what you want to scan, and go," says deGruyter.
Automating the Vulnerability Management Life Cycle
For I-3, Qualys VM now automates all steps of its vulnerability management life cycle, allowing it to strengthen the security of its networks and conduct automated vulnerability assessments that ensure compliance with the internal corporate policies that keep its systems secure. As an on-demand solution, Qualys can be deployed in a matter of hours anywhere in the world, and then provide an immediate view of an organization’s security and compliance posture. Qualys is the widest deployed security on-demand solution in the world, performing more that 500 million IP audits annually.
As called for by industry best practices, Qualys VM gives organizations control over their entire vulnerability management life cycle:
- Discovery of all assets across the network and identification of host details, including operating system and open services.
- Asset Prioritization to manage the network by categorizing assets into groups or business units and assigning business value to those asset groups based on their criticality to the business operation.
- Assessment to determine the baseline risk profile so the focus is on eliminating risks based on asset value, and to identify security vulnerabilities on regular, automated schedules.
- Reporting that measures the level of business risk associated with assets and correlated with security policies. This makes it possible to trend the overall security posture over time.
- Remediation through the prioritization of vulnerabilities according to business and/or regulatory risk.
- Verification to validate that vulnerabilities have been mended and now are protected from Internet-borne and other threats.
In these ways, Qualys VM is helping I-3 to manage vulnerabilities better and reduce risk based on business value. Additionally, Qualys VM's ability to provide flexible asset prioritization and asset grouping gives I-3 the ability to fix the highest priority vulnerabilities first, based on asset value and security policies. "With asset classification and prioritization, it is easier to tell which systems need to be patched first," explains deGruyter. "By grouping assets by business value, Qualys helps us to be much more efficient," he adds.
Today, with help from Qualys VM, I-3 can ensure that its systems are hardened in the most cost-effective and quickest way possible. "Qualys provides the accuracy and flexibility we need" says deGruyter. "And by being able to comprehensively detect more client-side vulnerabilities, we are able to reduce risk and strengthen our overall security posture," he says.