VSR Financial Services Achieves Enhanced Security Through Automated Vulnerability Management

This full-service securities broker/dealer more effectively protects its 80,000 client accounts with automated vulnerability discovery and remediation.

Whether securing one server, or several dozen, it is vital that small businesses be able to quickly fix the vulnerabilities that place their systems in jeopardy. Because of their IT staffing constraints, they need tools that immediately discover and map all of their networked devices, endpoints, and servers – so that rogue assets don't slip by. And they need technology that can not only identify security flaws, but also prioritize these vulnerabilities for swift remediation.

For these reasons, in addition to increasing regulatory pressures, more small and mid-sized enterprises seek security solutions that help them to enhance their security efforts by putting in place effective and sustainable vulnerability and risk management programs. In this way, small and mid-sized enterprises can quantify their security progress and proactively maintain the confidentiality, integrity, and availability of their IT systems and sensitive customer information. That certainly was the goal for Overland Park, Kansas–based VSR Financial Services, Inc., a full-service securities broker/dealer.

Traditional Vulnerability Scanners Prove 'Arcane'

A short time ago, VSR Financial decided it was time to move away from ad hoc security efforts to a more automated, accurate, and demonstrable way to maintain the security of the systems its 300 registered agents rely on to service more than 80,000 client accounts. At all times, both availability and security are high priority. "We have always taken security seriously. We patch and pay close attention to new threats," says Doug Spaw, network engineer at VSR Financial. "But we needed a more efficient approach," he says.

As is the case of most mid-sized businesses, the responsibilities of VSR Financial's IT team are spread across the organization—server deployments, messaging, network performance, troubleshooting, maintenance, and security. To be certain that core applications perform optimally—e-mail, databases, financial and brokerage applications—everyone plays his/her role and shares responsibilities. That means every second of the day counts, and there's no time for cumbersome, inaccurate security technologies and vulnerability scanners.

"The simple fact is that the tools we were using to scan for vulnerabilities were arcane," says Spaw. Unfortunately, that's a problem that plagues many businesses as they try to keep their networks and systems secure. Most of the traditional vulnerability scanners on the market today require a surprising amount of time to set up and maintain. They can be difficult to keep up to date and fail to provide accurate results. In fact, they often waste administrators' time by alerting too many false-positives (vulnerabilities that don't actually exist), or worse: they'll altogether miss vulnerabilities that do exist, thereby creating a false sense of security.

"The reports we were getting weren't clear, and also required too much time to interpret," says Spaw. "We wanted to find a vulnerability scanner that not only was accurate, but was easier to maintain and support," he says—"something that helps to keep us secure while also saving time."

The Solution: Qualys Express

That search ended when VSR Financial found Qualys Express. Qualys Express, delivered as an on-demand Web service (Software-as-a-Service) is a fully automated solution that identifies security vulnerabilities, tracks remediation processes, and helps to ensure regulatory compliance. Driven by the most comprehensive vulnerability KnowledgeBase in the security industry, Qualys delivers continuous protection against the latest worms and security threats without the substantial cost, resource demands, and deployment hassles associated with traditional software scanners. All of this made Qualys Express the ideal solution for VSR Financial. "We selected Qualys because of the simplicity of its SaaS model. You set it up, and it just works," says Spaw.

Today, Spaw relies on Qualys Express to scan more than 128 IP addresses, which include internal servers and systems as well as all of the company's Internet-facing devices. "The reports from these assessments are very detailed, which helps us to resolve any issues we find quickly," says Spaw.

It's not uncommon to hear such feedback on the accuracy and the reporting capabilities of Qualys. The Executive Dashboard, which provides a real-time illustration of risk, is ideal for small and mid-sized businesses. And its detailed reports provide the best, verified, remediation information available. The reporting capabilities are well-suited for technicians, business managers, and auditors, with automated trending and differential reports easily exported to HTML, MHT, PDF, CSV, and XML formats.

Today, those capabilities will go a long way not only to keep VSR Financial's systems secure, but also help it prepare for possible future regulations that will affect the broker/dealer industry. While banks and many other types of financial institutions currently are subject to state and federal IT security regulations, that's not the case for securities brokers—yet. "We wanted to secure our systems more efficiently, as well as prepare for new regulations. Qualys has helped us with both objectives," Spaw says.