If you want to keep something secure – a network, server, or application – you need to have a way to consistently evaluate it for vulnerabilities. You need to be able to identify its weaknesses and remedy the flaws and misconfigurations that create risk. However, many businesses don't understand the real risks to their business-technology systems, or how to rid their infrastructure of them. Their applications and networks will have unpatched systems, misconfigured systems, outdated software, and other errors that can lead to a negative audit finding, or even a security breach.
The processes are similar whether you're assessing the vulnerabilities of an application, a network, an office campus, or a global or national business: the underlying infrastructure must be mapped and potential weaknesses identified, quantified, and prioritized for eventual remediation.
Operationalizing these tasks was the precise challenge faced by Cagatay Isikci, Information Security Manager of Istanbul, Turkey-based Sekerbank. For more than 50 years, Sekerbank has provided financial services, commercial, and retail banking throughout Turkey. "We needed a reliable, accurate, and repeatable way to find and remedy misconfigurations and outdated software," says Isikci.
To find the best vulnerability assessment application available, Isikci and his team established a set of criteria to grade applications or services. The bank carefully considered the independent opinions of prominent research firms in addition to its own detailed questionnaire that prospective vendors answered. Sekerbank evaluated vulnerability management systems according to their ease of management, ability to find vulnerabilities, false-positive rate, reporting, ticketing, and ability to remediate during the pilot deployment. Sekerbank awarded five points for each criterion.
They also turned to local security solutions provider Avanteg to help with the testing and eventual selection of the vulnerability assessment and management solution that came out on top of this extensive evaluation. "We wanted to find something that was easy to implement, update, and remedy, as well as provide good ticketing and support," Isikci says.
Why Sekerbank chose Qualys:
Ultimately, after an evaluation on a test network, Sekerbank chose Qualys Express. Qualys Express automates the life cycle of network auditing and vulnerability management, including system discovery, asset prioritization, vulnerability assessment reporting, and remediation tracking. Driven by the most comprehensive vulnerability KnowledgeBase in the industry, Qualys delivers continuous protection against security threats without the substantial cost, resource, and deployment issues associated with traditional software. As an on-demand Software-as-a-Service (SaaS), there is no infrastructure for Sekerbank to deploy or manage.
That means Qualys’ on-demand delivery enables Sekerbank to manage vulnerabilities more successfully while cutting associated costs through streamlined operations. "Qualys scored highest on all of our criteria during our testing," says Isikci. "It became very clear that Qualys was the superior service," he says.
Sertan Kolat, Information Security Services Manager at Avanteg, says that implementing Qualys Express was very straightforward. "Everything is managed from a web browser, which makes Qualys Express very easy to use," says Kolat. Avanteg provided Sekerbank with brief training on how to use Qualys Express, as well as advice on how to integrate a vulnerability management program into its organization, and now only needs to provide local support for any minor questions that may arise.
"Qualys has proved easy to implement and provides the workflow we needed to build a vulnerability management program. That's from the accurate identification of vulnerabilities in our systems to Qualys Express' comprehensive reporting," says Isikci. "The most beneficial aspect of Qualys Express, we've found, is its remediation. Some products discover vulnerabilities, but they are unable to show the precise remedy. Qualys Express provides the exact steps needed and resources to fix each vulnerability," says Isikci.
Today, Sekerbank has attained the continuous, automated, and accurate assessments it sought, first to identify and fix system vulnerabilities and then to constantly validate that those systems stay secure. "We can perform an assessment whenever we need to, and that versatility is crucial to stay secure in today's fast moving threat environment," Isikci says.
Building on that success, Sekerbank is looking forward to deploying Qualys Policy Compliance to build on its vulnerability management program. In that way, Sekerbank also will be able to collect operating system and application configuration and access control settings so it can document compliance with its corporate security policies. "Qualys Express has provided us the vulnerability management abilities we needed, and we look forward to building and expanding this program," says Isikci.