Risk Reduction: RightNow Technologies Finds a Better Way

Leading on-demand customer relationship management company RightNow Technologies upgrades its vulnerability management initiative to reduce risk more effectively and build customer loyalty.

RightNow Technologies, Inc. knows how to manage relationships. The company's on-demand customer experience software is used to help improve the customer service of more than 1,900 other organizations worldwide. Its CRM solutions manage all types of customer interactions, whether they're through phone, e-mail, Web, or Internet chat. And the company's intelligent and patented knowledge base provides extremely accurate customer interaction management for its users' customer service, sales, and marketing initiatives.

RightNow Technologies has been very successful in recent years because the company ensures that its customers get the best information they need to make intelligent decisions the very moment they need it. And that's exactly the type of actionable information RightNow demanded for its own information security efforts.

RightNow Requires Better Efficiency Than That Provided by Open Source Tools

To conduct its internal vulnerability assessments, Ben Nelson, RightNow Technologies' chief information security officer and his team had relied on a handful of open source vulnerability scanners, but they found that the vulnerability databases of these open-source scanners often were not up to date. This meant that they would have to spend valuable extra time to spot vulnerabilities that could put their systems at risk of attack.

In addition, these scanners provided no automated way to generate accurate reports that detailed the entire vulnerability management lifecycle—that is, from the date a vulnerability is discovered to the time that it's validated as fixed. Since this is critical to managing organizational risk, Nelson needed to find an easier way to create reports suitable for both technicians and business managers. Moreover, the existing scanners provided little, if any, helpful advice on how to resolve the problems they found, which forced the staff to conduct additional and time-consuming remediation research.

"We had all these open source tools that would find vulnerabilities, but they wouldn't present their findings in an easy-to-read way—or explain appropriate fixes," says Nelson. To make matters worse, the number of false positives—when a scanner spots and reports a vulnerability that really doesn't exist—was high. These false positives also proved time-consuming, as they forced security managers to investigate false leads.

RightNow Evaluates Top Five Commercial Vulnerability Scanners

For a company that takes security so seriously, RightNow required better efficiency. To find a solution, Nelson and his team set out to evaluate the top five commercial vulnerability scanners. Initially, the commercial tools proved disappointing, too. "None of them seemed to do everything that we needed," he says. "While they provided one-time scan and reporting functionality, only a few provided a way to track vulnerability remediation workflow. And the reports they generated often were lacking. For the price, they weren't doing everything I thought they should have been doing."

Fortunately, one vulnerability assessment tool did meet Nelson's criteria. After extensive evaluation, RightNow selected Qualys Vulnerability Management (VM). Qualys VM automates the vulnerability management lifecycle for organizations of all sizes. Through its Software-as-a-Service (SaaS) delivery model, Qualys provides RightNow with detailed network discovery and mapping, asset prioritization, vulnerability assessment reporting, and the remediation tracking it needed to manage risk more effectively. Powered by the most comprehensive vulnerability KnowledgeBase in the industry, Qualys VM spots and helps to remedy the software flaws and system misconfigurations that make many exploits and attacks successful.

"Qualys was the only vendor that provided the complete 360-degree cycle of discovery, remediation, tracking, and reporting in one service," says Nelson. "Qualys gives us the complete view we need."

Previous to Qualys, Nelson and his team had to manually schedule scans for its systems, which today include about 2,700 host systems and networked devices. "Qualys’ on demand model makes scheduling automated scans very easy. Now, scans happen in a timely and painless manner," he says.

Looking Inward

After hardening its perimeter with Qualys, RightNow then turned its attention to its internal networks. For this, RightNow deployed additional appliances in-house so that periodic scans of its internal systems could be completed. As part of its operations, RightNow has long segmented its internal systems into various groups, depending on the geographic location of the customer. "That way, we can manage these systems at the times that are most convenient for the customer," says Nelson.

Fortunately, Qualys VM's ability to group networked assets made it possible for RightNow to organize its IT assets for assessment without having to change the way it currently organizes and manages its assets. "The Qualys grouping feature has been key for us to assess and mitigate system vulnerabilities without having to change the way we already were working with our systems," Nelson says.

When Nelson and his team began assessing the internal infrastructure, they uncovered a number of systems that needed to be hardened further. The most common condition that needed to be remedied involved systems that had services left on that no longer were needed. "There's no reason to have services available if you're not using them; Qualys really helped us to clean that up," he says.

Around the same time that RightNow began its internal vulnerability assessment program, it also started to standardize internal server and endpoint configurations before its deployment. This would put security policies and appropriate configurations in place before live deployment. "We used a lot of the output from the internal scanning in Qualys to develop the standards for those gold images," Nelson says.

Payment Card Industry Data Security Standard (PCI DSS) Compliance

As another service for its customers, RightNow provides a PCI DSS certified cloud as an extension of its SaaS RightNow CX Cloud. According to Nelson, with the RightNow PCI Certified Cloud, customers can be certain that all implementations meet PCI DSS compliance and are independently assessed and certified by a Qualified Security Assessor (QSA). While RightNow doesn't process any credit card transactions, many of its customers must manage credit card information as part of their after-sales support processes.

For those scans, RightNow relies on the Qualys PCI Compliance module. Qualys PCI works much the same as Qualys VM, only streamlined for compliance to the payment industry standard. Also, as part of requirements to maintain its current Level 1 PCI DSS compliant status, RightNow must have an annual independent QSA audit. "One of the first things the auditor asks to see is our quarterly PCI scan results from Qualys," says Nelson.

Security Due Diligence Builds Customer Trust

Substantiating organizational information security due diligence to partners, customers, and suppliers has become the norm—a necessity of doing business. Today's increasingly regulated business environment, and the heightened awareness of information security breaches, is causing more businesses to ask their partners and suppliers tough probing questions about how they keep their systems secure and compliant. "Providing this level of information has really become table stakes for mission critical cloud vendors," says Nelson.

That's one of the primary reasons why RightNow relies on Qualys every day to find new and potentially high-profile software vulnerabilities. Nelson says Qualys has made it much easier for the company to keep its information security level high. And Qualys’ easy-to-read reports have made it more convenient to share the high level of its IT security status with customers. "That actually has helped us to win new business. We can now show our customers that we're doing our due diligence. That's something you just can't put a value on," he says.