INDUSTRY: Technology Services
SIZE: 75 employees
BUSINESS CHALLENGE: Build an effective vulnerability management program that could be managed by a small security team.
- Enterprise TruRisk Platform
- Qualys VM
- Qualys WAS
ThousandEyes Prioritizes the Vulnerabilities that Matter Most
Rapidly built an effective enterprise information security program with highly automated and demonstrable vulnerability management processes
If you want to understand how well your apps are performing – and be able to intelligently spot any issues that could affect the performance of your own applications or those of your cloud providers – you’re very likely to turn to network performance management provider ThousandEyes. ThousandEyes looks deep into network performance across internal, cloud-based and mobile network infrastructures to identify where traffic is being dropped, bandwidth is being constrained, or network latency is originating. Its customers include Equinix, Flextronics, Verisign and ServiceNow, as well as eBay and other members of the Fortune 500, who all trust and rely on ThousandEyes to improve the performance and availability of their business-critical applications.
For ThousandEyes, focusing on information security has been a priority from the outset. The company launched in mid-2013, and when Alexander Anoufriev, chief information security officer at ThousandEyes, joined 11 months ago, he was charged with forming the information security department. “It was a small team, and everyone understands that efficiency is key,” says Anoufriev. “We have to prioritize our spending so that we are always investing where our critical needs are.”
“With Qualys, we can track our vulnerability exposure based on real-world business risk. I was looking for a vendor that can quickly deliver what I needed to have, and Qualys fits the bill.”
Alexander Anoufriev, Chief Information Security Officer, ThousandEyes
Working toward automated, verifiable vulnerability management
When it comes to managing its own systems, visibility and insight into its network, application performance, and security are crucial to ThousandEyes. In addition to attaining exceptional governance over its own systems, customers are increasingly expecting their partners and suppliers to demonstrate a high level of attention to security.
With growing concern over security, it’s not enough that organizations do everything they can to protect their environment; they also need to demonstrate the effectiveness of their security policies and procedures to customers, partners, and external auditors. “Customers want proof that their partners’ and suppliers’ security is in good operating condition,” explains Anoufriev. “That’s why every time we acquire a customer, we’re proactive about demonstrating that we run security appropriately.”
ThousandEyes customers include large enterprises, medium to small businesses, and cloud service providers. Many of these organizations must comply with the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley, and many other regulations. “These enterprises can’t acquire certain vendors until they meet their security criteria,” Anoufriev says.
Being able to substantiate a capable enterprise information security program requires having a repeatable and verifiable vulnerability management program in place. “An effective vulnerability management process is a must in today’s fast-changing environment,” says Anoufriev.
Success requires more than being able to simply issue patches to known vulnerabilities. Enterprise security teams must be able to identify vulnerabilities and prioritize those discovered based on the real business risk they pose. Anoufriev explains: “The same vulnerability in a production database server and in the IT lab most certainly poses different levels of risk and must be treated with different priorities.”
That’s why ThousandEyes needed a way to track software vulnerabilities that crept onto its systems and then rank them by the business risks they created to affected assets. “We wanted to be able to manage security as a business risk, not just a technological risk,” says Anoufriev.
After a careful market evaluation, which ended with the vetting of the top three vulnerability assessment vendors, ThousandEyes chose to deploy Qualys Vulnerability Management (VM), an integral part of the Enterprise TruRisk Platform from Qualys. “Qualys VM had all of the breadth and functionality that we needed, and that made us very confident in our selection,” he says.
Managing the business risks that matter
The Enterprise TruRisk Platform identifies and helps to remedy software vulnerabilities, outdated systems, and associated weaknesses that jeopardize compliance with government and industry regulations such as PCI DSS. Delivered from a highly scalable multi-tenant cloud infrastructure, Qualys delivers a suite of information security and regulatory compliance management services.
Additionally, because Qualys is cloud native, there’s no software or hardware to install and maintain. In fact, Qualys is centrally managed and all of its vulnerability data and system updates are performed in real time and are available to all customers concurrently. This cloud delivery and associated subscription model means that Qualys is affordable to organizations of all sizes that need to secure their systems.
“For me, it's very important to manage security as a business function. In information security, that means business priorities are converted into security priorities and the enterprise is managed based on a thorough risk management strategy,” Anoufriev says. “Qualys enables us to do exactly that.”
Anoufriev was able to rapidly deploy Qualys VM to help automate ThousandEyes’ vulnerability management program. Qualys VM was deployed in the middle of November, and by the first week of December it had automated much of ThousandEyes’ vulnerability management process, including network mapping and discovery, asset classification, vulnerability assessment, prioritization, and remediation. “It was very straightforward to get up and running,” says Anoufriev.
Currently, Anoufriev explains, ThousandEyes is conducting two weekly vulnerability scans: one external assessment of its Internet-facing devices and a separate assessment of all internally networked devices. “The external scan reveals any potential vulnerabilities that are open to the Internet, while the internal scan focuses on all internally visible vulnerabilities. The results of these scans are fed to the Qualys remediation module for prioritization and to create work tickets for the appropriate personnel to fix,” Anoufriev says.
That ability to prioritize system vulnerabilities enables Anoufriev and his team to mitigate the business risks that matter most first. Prioritization is largely guided by a risk level calculated from two inputs: the criticality of the IT asset (as determined by ThousandEyes) and the severity of the vulnerability (as assigned by Qualys VM) – so the most severe vulnerabilities on the most critical assets are addressed first.
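As an added illustration of the asset-criticality-times-severity ranking described here (example code written for this page, not Qualys VM's own scoring logic), the script below ranks a constructed set of findings so that the same vulnerability lands far higher on a production database than in the lab, weights findings reported by the external scan above internal-only ones, and flags hosts that were never classified. Host names, vulnerability identifiers, weights and the scoring formula are all assumptions.

```python
"""Risk-based remediation queue: rank findings by asset criticality x severity."""
from dataclasses import dataclass

# Asset criticality as the asset owner assigns it (1 = lab/test, 5 = production crown jewel).
# Constructed sample inventory, not a real asset list.
ASSET_CRITICALITY = {
    "prod-db-01": 5,
    "prod-web-01": 4,
    "lab-db-01": 1,
}
# A finding on an unclassified host is treated as critical until someone classifies it:
# an unclassified asset is a governance gap, not a low-risk host.
DEFAULT_CRITICALITY = 5
EXTERNAL_MULTIPLIER = 1.5  # reported by the external (Internet-facing) scan

@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str      # scanner's vulnerability identifier (constructed values below)
    severity: int     # scanner-assigned severity, 1 (low) to 5 (critical)
    external: bool    # True if reported by the external scan

def risk_score(f: Finding) -> float:
    crit = ASSET_CRITICALITY.get(f.host, DEFAULT_CRITICALITY)
    score = float(f.severity * crit)
    return score * EXTERNAL_MULTIPLIER if f.external else score

def prioritize(findings):
    """Return (score, finding) pairs, highest risk first; ties by severity, then host."""
    return sorted(((risk_score(f), f) for f in findings),
                  key=lambda p: (-p[0], -p[1].severity, p[1].host))

def unclassified_hosts(findings):
    return sorted({f.host for f in findings if f.host not in ASSET_CRITICALITY})

# Constructed sample: the same vulnerability (VULN-A) on a production DB and on a lab DB.
SAMPLE = [
    Finding("lab-db-01", "VULN-A", 5, False),
    Finding("prod-db-01", "VULN-A", 5, False),
    Finding("prod-web-01", "VULN-B", 3, True),
    Finding("prod-db-01", "VULN-C", 2, False),
    Finding("unknown-host", "VULN-D", 2, False),
]

if __name__ == "__main__":
    for score, f in prioritize(SAMPLE):
        print(f"{score:5.1f}  {f.host:12}  {f.vuln_id}  sev={f.severity}  ext={f.external}")
    print("unclassified hosts:", unclassified_hosts(SAMPLE))
```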
Swift web application vulnerability remediation
Today, any vulnerability management program needs to incorporate web application flaws as part of its regular assessment process. For this aspect of its initiative, ThousandEyes relies on Qualys Web Application Scanning (WAS). Qualys WAS provides accurate web application security assessments for improved application security and resiliency. Qualys WAS identifies web application vulnerabilities in the OWASP Top 10, such as SQL injection, cross-site scripting, URL redirection, and many other web application vulnerabilities. And, because of its rich dynamic user interface, users experience an intuitive, easy-to-use automated workflow along with an extremely low false-positive assessment rate.
“We have a number of web applications, including the production service we provide to our customers, that need to be assessed continuously,” Anoufriev explained. “In addition to manual penetration testing, we use Qualys WAS to conduct weekly scans of all of our web applications and provide the results to our development team.”
As Anoufriev explains, an effective, automated vulnerability management program is essential because systems are updated and change almost every day. Enterprises therefore have to approach vulnerability management intelligently, rather than simply scanning their infrastructure and attempting to remediate everything at once.
The most effective way to reduce risk is to reduce the number of highly-critical vulnerabilities on highly-valued business assets. “With Qualys, we can track our vulnerability exposure based on real-world business risk,” Anoufriev says. “I was looking for a vendor that can quickly deliver what I needed to have, and Qualys fits the bill.”