INDUSTRY: Food Manufacturing
BUSINESS: Premier provider of consumer-preferred, niche snack food brands and snack food solutions in North America.
SIZE: 5,000+ employees
BUSINESS CHALLENGE: Lance Inc. had utilized a managed security services provider to help the company mitigate IT risks and protect its systems from attack. Unfortunately, the provider failed to meet expectations. Lance’s IT team needed to find a more effective way to protect its infrastructure.
- Qualys Vulnerability Management
WHY THEY CHOSE QUALYS:
- Ability to quickly, easily and accurately identify vulnerabilities
- Automated life cycle of network auditing and vulnerability management across the enterprise
- Discovery and mapping, asset prioritization, reporting and remediation tracking according to business risk
- Ability to remedy flaws that make the latest exploits and attacks possible
Lance Develops Its Own Vulnerability Management Program
Not satisfied with the performance of its security services provider, this national provider of baked goods turned to Qualys Vulnerability Management to rein in IT risks.
If you've ever had the munchies and set out in search of a snack, chances are you came across treats – sandwich crackers, nuts, cookies, popcorn, and cakes – from Charlotte, NC-based snack food manufacturer Lance, Inc., now known as Snyder's-Lance, Inc. While many of the ways Lance has run its business certainly have changed in the past 100 years, the founders definitely didn't have to concern themselves with the risks of connecting business-technology systems to the Internet and all of the associated IT security concerns. However, with an IT infrastructure that consists of several hundred servers and several thousand endpoints, those risks don’t go unnoticed by the company's IT team.
For a number of years, Lance used a managed security services provider to manage IT threats. Unfortunately, the provider failed to live up to Lance’s expectations and the company needed to find a more effective way to protect all of its IT assets. After considering its options, Lance decided to bring its security operations in-house for increased control and visibility. To succeed, the IT team would have to assemble a vulnerability management program that was as automated as possible and designed to continuously identify IT assets and network changes, and to find systems in need of patching, software updates, and configuration updates.
To ensure that the company identified the best vulnerability assessment applications it could, the IT risk management team created a list of criteria that any tool they selected had to provide: accuracy, ease-of-management, and the ability to control the intensity of network assessments, explains John Marks, IT Risk Manager at Lance.
Real-World Evaluation, Surprising Results
As part of its market evaluation, Lance's IT team took a number of commercially available vulnerability scanners and conducted several live assessments on segments of its network. Marks and his team created custom scans to better identify which scanners would be best at accurately spotting vulnerabilities. The results were startling. Some of the scanners reported large numbers of false positives – vulnerabilities that, in reality, did not exist. Perhaps even more distressing, many assessment tools completely missed vulnerabilities that could have placed systems in jeopardy of attack. "We discovered that our results were not unique; other companies we spoke with had similar horror stories about false positives and difficulties in performing customized scans," Marks explains.
When their testing was complete, only one network assessment solution set itself apart: Qualys Vulnerability Management (VM). "We conducted scans with Qualys versus competitors, and we would quantify the results against our data. We actually could find additional items that the other scanner failed to pick up," he says. "I liked the fact that Qualys was telling us about vulnerabilities that nobody else could see."
After the exceptional performance in the evaluation, Lance purchased Qualys VM. Today, Qualys VM automates the life cycle of network auditing and vulnerability management across Lance’s enterprise, including network discovery and mapping, asset prioritization, vulnerability assessment reporting, and remediation tracking according to business risk. Driven by the most comprehensive vulnerability KnowledgeBase in the industry, Qualys VM helps Lance to remedy the flaws that make the latest exploits and attacks possible. As an on-demand SaaS solution, there is no additional infrastructure for Lance to deploy or manage.
Vulnerability Management: Pinpoint accuracy, actionable results
Today, Qualys provides the automation and customization Marks sought. "We now can control how intensely the scan will impact the server. This way, we always know that we won't inadvertently bring a system to its knees," Marks says. Also, Qualys VM, unlike many of its competitors, does not require software agents to be installed on each of the systems that it will evaluate and manage.
Within several weeks of deploying Qualys VM, Marks was able to put into place the procedures the company needed to mitigate system risks and successfully harden its network. "We are taking the process of building our internal vulnerability management program very seriously," he says. Currently, Marks uses Qualys VM to conduct scans and then dispatches reports to the various network and system owners for system updating and remediation.
"We've run into a number of instances when the technicians didn't believe that we actually had found a vulnerability. We called Qualys support and it helped to pinpoint what we were seeing. We then were able to provide our technicians the exact data and validation they needed to prove that we needed a fix," he explains. "We've consistently found that when we call Qualys’ technical support, we get timely and accurate feedback. They don't send us into some kind of phone prison and never provide replies to questions, like many vendors."
While Marks appreciates the workflow and reporting, the operations teams appreciate the accuracy of the results that they've grown to trust and the actionable remediative information they've come to depend on. "That is simply a wonderful aspect of Qualys – the ability to drill down into source knowledge bases to identify all the solutions available," he says.
Not satisfied with the results of its security services provider, Lance was determined to take control of its own vulnerability management efforts. Through its use of Qualys, the company was able to achieve just that. "With Qualys, we now have an entire set of processes for performing assessments on all of our servers," Marks says. "We continually assess all of our critical systems and, unlike before, we now know exactly where we stand when it comes to IT risk."