BUSINESS: The MCCS provides services for Marine service personnel to help them live their lives more effectively. The MCCS helps Marines run their finances, further their education, prepare for their next duty station, and delivers the goods and services they need during duty.
HEADQUARTERS: Quantico, Virginia
BUSINESS CHALLENGE: Open source vulnerability scanners did not provide the ease of management, accuracy, and insightful reporting MCCS needed to manage IT risks throughout its global network.
- Qualys Enterprise
WHY THEY CHOSE QUALYS:
- Qualys provides control of the entire vulnerability management life cycle: asset discovery, vulnerability assessments, and tracking of security fixes.
- Qualys’ SaaS delivery model reduces management overhead.
- Greater accuracy.
- Comprehensive reporting.
- Actionable vulnerability remediation information.
- Simplified compliance certification and reporting.
Mission Accomplished: Risk Mitigation
The Marine Corps Community Services Defeats Risk Management Challenges
Marine Corps Community Services (MCCS) provides members of the U.S. Marine Corps the services they need during their time in uniform—from helping them run their finances, further their education, or relocate to their next station. MCCS also provides a growing number of restaurants, clubs, and stores, including 17 main exchanges, 96 branch and convenience stores, service stations, and more than a dozen clothing stores.
"With Qualys, we know that our systems are highly secure and up to date. The service also validates that our internal security policies and regulatory mandates are enforced."
Network Services Manager,
Marine Corps Community Services
The underlying IT infrastructure needed to support all of these operations is vast. It includes more than 900 routers, 300 Windows servers, approximately 160 UNIX servers, and about 160 IBM systems that handle retail point-of-sale and inventory. To make sure this infrastructure runs smoothly, the MCCS IT department employs 76 IT managers who work in its Quantico, Virginia headquarters, as well as an additional 100 field administrators who help to maintain the USMC data centers, servers, and 5,500 workstations. "It's a big operation," says Randy L. Harris, manager, network services for the Marine Corps Community Services in Quantico.
Inaccurate, software-based scanners not effective for MCCS's global risk management efforts
Keeping those systems highly available, secure, and operating within regulatory compliance requires a sophisticated risk management program that includes deployment of traditional firewalls, anti-malware software, intrusion detection/prevention systems, tight change controls, and consistent policy enforcement. "Ensuring that each server, router, workstation, notebook, and every other networked device is configured properly and contains the latest software patches, is vital to cutting security risks," says Harris.
For some time, MCCS relied on open source vulnerability scanners to periodically assess the security of their network. Unfortunately, those scanners didn't accurately identify all of the MCCS's networked devices. They also generated too many false positives — the incorrect identification of flaws that don't actually exist—and their reports didn't provide enough detail and insight into how to fix the vulnerabilities it found. What's more, maintaining the hardware and software needed for MCCS's global network was growing awkward and costly. What MCCS required was a more effective way to not only conduct vulnerability and compliance assessments, but also to provide the operation teams with the insight and actionable information they needed to quickly remedy any security and compliance weaknesses. After a careful examination of scanners available on the market, it became clear that Qualys Enterprise from Qualys Inc., the leading provider of on-demand security risk and compliance management solutions, would cost-effectively provide the accuracy, automated assessments, and insightful reporting that MCCS sought.
Qualys is the only company that delivers security solutions through a unified Software-as-a-Service (SaaS) platform. Qualys enables organizations to strengthen their network security and conduct automated security audits to ensure compliance with policies and regulations. Of particular interest to MCCS is the fact that Qualys can be deployed within hours anywhere in the world.
SaaS-powered vulnerability & risk management delivers effective and continuous IT security and regulatory compliance
Today, with Qualys, MCCS's security and IT managers have established a continuous vulnerability management program. They can track remediation and ensure internal policy compliance through comprehensive reporting. With its broad vulnerability KnowledgeBase, which consists of thousands of unique checks, and Six-Sigma accuracy rate, Qualys supplies the most precise security checks available in the industry. The results of each Qualys security assessment are fed to the team's Windows Server Update Services (WSUS), a Microsoft tool that helps to facilitate the deployment of software updates. "We push every one of our patches out this way and our entire Windows patch cycle, which includes 160 different Windows applications, is managed by a five person administrative staff.
"This has increased our efficiency and accuracy, and saves us a whole lot of time," says Harris. Those time savings include the effectiveness of Qualys’ network discovery capabilities, its accuracy rate (very few false positives), and its ability to validate that patches have been deployed to all target systems. "With Qualys, we don't have to do much of anything except act on its reports. We don't have to chase down remediation information. And we know that our patches have been pushed out successfully. We always know that we're patched across the board," says Harris. What's more, Harris and his team can manage their global network operations centrally from the secure Web-based access that Qualys provides. "We have the network assessments segmented automatically, so that we scan every single one of our facilities during off hours, and we scan 100 percent of our network each month."
Such an automated process not only helps MCCS map its network accurately, find potentially rogue systems, misconfigured systems and at-risk systems in need of patch updates, but it also helps to facilitate, and prove compliance to both the FISMA and PCI DSS standards. "Qualys’ reporting functionality is great. It's accurate, informative, and helps save time," says Harris. "Qualys provides us everything that you expect from a security vendor, and then some," Harris says as he explains that it's not just the superior risk and compliance management technology provided through Qualys’ SaaS platform, but the quality of the company behind it. "One of the key differentiators that we appreciated was the free training we received for our personnel. Qualys held training for us for an entire a day. It cost nothing, and helped our team get up to speed quickly," he says. "Qualys’ support gives us the same quality service whenever we need it – it's exceptional."
Moving forward, MCCS aims to build even more efficiencies from its Qualys deployment. One such effort includes tight integration with its upcoming help desk software implementation. "We're looking forward to a tight bind between Qualys and Remedy so we automatically generate help desk tickets," says Harris. That assimilation certainly will help improve workflow and save time, but considering the more effective and fully automated scans, heightened level of security and regulatory compliance, such capabilities are an added bonus for Harris and his team. "We turned to Qualys to help us better manage our risk management efforts, and we've met our objective."