Mission Accomplished: Risk Mitigation

For some time, MCCS relied on open source vulnerability scanners to periodically assess the security of their network. Unfortunately, those scanners didn't accurately identify all of the MCCS's networked devices. They also generated too many false positives — the incorrect identification of flaws that don't actually exist—and their reports didn't provide enough detail and insight into how to fix the vulnerabilities it found. What's more, maintaining the hardware and software needed for MCCS's global network was growing awkward and costly. What MCCS required was a more effective way to not only conduct vulnerability and compliance assessments, but also to provide the operation teams with the insight and actionable information they needed to quickly remedy any security and compliance weaknesses. After a careful examination of scanners available on the market, it became clear that Qualys Enterprise from Qualys Inc., the leading provider of on-demand security risk and compliance management solutions, would cost-effectively provide the accuracy, automated assessments, and insightful reporting that MCCS sought.

Qualys is the only company that delivers security solutions through a unified Software-as-a-Service (SaaS) platform. Qualys enables organizations to strengthen their network security and conduct automated security audits to ensure compliance with policies and regulations. Of particular interest to MCCS is the fact that Qualys can be deployed within hours anywhere in the world.

“With Qualys, we know that our systems are highly secure and up to date. The service also validates that our internal security policies and regulatory mandates are enforced.”

Randy Harris

Network Services Manager, Marine Corps Community Services

SaaS-powered vulnerability & risk management delivers effective and continuous IT security and regulatory compliance

Today, with Qualys, MCCS's security and IT managers have established a continuous vulnerability management program. They can track remediation and ensure internal policy compliance through comprehensive reporting. With its broad vulnerability KnowledgeBase, which consists of thousands of unique checks, and Six-Sigma accuracy rate, Qualys supplies the most precise security checks available in the industry. The results of each Qualys security assessment are fed to the team's Windows Server Update Services (WSUS), a Microsoft tool that helps to facilitate the deployment of software updates. "We push every one of our patches out this way and our entire Windows patch cycle, which includes 160 different Windows applications, is managed by a five person administrative staff. This has increased our efficiency and accuracy, and saves us a whole lot of time," says Harris. Those time savings include the effectiveness of Qualys’ network discovery capabilities, its accuracy rate (very few false positives), and its ability to validate that patches have been deployed to all target systems. "With Qualys, we don't have to do much of anything except act on its reports. We don't have to chase down remediation information. And we know that our patches have been pushed out successfully. We always know that we're patched across the board," says Harris. What's more, Harris and his team can manage their global network operations centrally from the secure Web-based access that Qualys provides. "We have the network assessments segmented automatically, so that we scan every single one of our facilities during off hours, and we scan 100 percent of our network each month."

Such an automated process not only helps MCCS map its network accurately, find potentially rogue systems, misconfigured systems and at-risk systems in need of patch updates, but it also helps to facilitate, and prove compliance to both the FISMA and PCI DSS standards. "Qualys’ reporting functionality is great. It's accurate, informative, and helps save time," says Harris. "Qualys provides us everything that you expect from a security vendor, and then some," Harris says as he explains that it's not just the superior risk and compliance management technology provided through Qualys’ SaaS platform, but the quality of the company behind it. "One of the key differentiators that we appreciated was the free training we received for our personnel. Qualys held training for us for an entire a day. It cost nothing, and helped our team get up to speed quickly," he says. "Qualys’ support gives us the same quality service whenever we need it – it's exceptional."

Moving forward, MCCS aims to build even more efficiencies from its Qualys deployment. One such effort includes tight integration with its upcoming help desk software implementation. "We're looking forward to a tight bind between Qualys and Remedy so we automatically generate help desk tickets," says Harris. That assimilation certainly will help improve workflow and save time, but considering the more effective and fully automated scans, heightened level of security and regulatory compliance, such capabilities are an added bonus for Harris and his team. "We turned to Qualys to help us better manage our risk management efforts, and we've met our objective."