A Provider of Business Process Outsourcing Simplifies the Vulnerability Management of Hundreds of Client Networks.

Transcription

1 A Provider of Business Process Outsourcing Simplifies the Vulnerability Management of Hundreds of Client Networks. Does your company have many business units and many people involved in network security? SOURCECORP Location: Dallas, Texas Clients: in Financial, Government, Healthcare and Legal Services Business: Business Process Outsourcing Business Units: Multi-location data centers, 3,500 staff, hundreds of client companies Recipe for Success: A leading provider of business process outsourcing solutions and specialized high-value consulting services, SOURCECORP uses AVDS for client VA/VM services. Here's how a business process outsourcer manages security for hundreds of clients - each with their own security needs and system architectures! Introduction Jeremy King is a security specialist for SOURCECORP, a provider of business process outsourcing to the financial, government, healthcare and legal industries. His company manages hundreds of isolated networks for clients. The Challenge Each network is governed by different IT security standards and integrity legislation. The cost of vulnerability scanning and client reporting using other VA/VM solutions proved prohibitive because of the great differences in network architecture and security requirements. Solution An AVDS management server and multiple local scanning servers from Beyond Security. The Story "Because we are a BPO organization, we manage hundreds of isolated networks, each configured to the needs of each customer. Other than a few key internal systems, there is no standard architecture for these networks. We build a solution tailored to a client's process need," said King. With clients in so many industries, and with so many unique

2 processes under management, every supporting network is also governed by a unique mix of compliance and regulatory acronyms, including GLBA, HIPAA, SOX, SAS70, and PCI, to name a few. "We now have the ability to scan at any time. Regular vulnerability assessments scans are like having sonar on our own network. We always know what is going on around us." Mike Gutknecht Network Engineer Rayovac Corporation "Our customers have the right to be pickier than the regulations themselves. They are paying us to manage their process and they want to ensure they are compliant. Since we are managing their processes, we are governed by the same regulations that our customers are governed by," said King. To ensure that both the customers' needs as well as the requirements of the regulations are met and reduce the cost of vulnerability scanning very strict best practices are implemented across the board along with AVDS from Beyond Security. AVDS graphically, unobtrusively and with great detail demonstrated to me the situation of our network/firewall and web server after scanning our system with a huge range of tests. Reports were sent to me that were concise and clear and then the technical staff of Beyond Security talked me through the results of the scans, interpreting areas with which I was unfamiliar and suggesting simple and precise fixes. From the moment of my first contact with Beyond Security, I have been impressed and enjoyed their friendliness, clear talking, approach to confidentiality and technical knowledge. Paul Sheriff IT Manager City of Geraldton "Our CIO was looking for the best solution for the lowest possible cost. Because of the complexity of our networks, the other solutions were cost prohibitive because they charge on a per scan/per IP basis," said King. In an effort to improve efficiency and provide more autonomy for each location, a number of automated scanning tools were evaluated. In the end Beyond Security's AVDS was selected. Customer Requirements Strengthen current network security processes and procedures to protect against attacks from both external and internal threats Deploy new security solutions that go beyond core-level technology to span multiple isolated networks Rapidly address changing customer regulatory and compliance requirements Perform monthly vulnerability assessments of hundreds of isolated networks About AVDS Beyond Security's AVDS performs a security mapping of an organization's network and simulates attacks originating from either the internal or the external network. Once the security mapping is complete, AVDS generates a detailed vulnerability report specifying the security breaches, along with several practical and easy-to-apply solutions to fix those vulnerabilities. The engine is updated on a regular basis for the most recent security vulnerabilities. The updates include security vulnerabilities that were discovered by the Page 2 of 5

3 company's research and development team, as well as those discovered elsewhere. By installing the AVDS appliance-based solution, King has a realtime view of all the networks and is able to clearly demonstrate compliance with emerging global IT security standards and integrity legislation. The information provided in the reports is very clear and concise. It explains to engineers what the problem is, where to look for more information, and how to fix it. With these reports we can be sure after every change to the network if we are making the right change in terms of our security requirements. We tried the free services. But when we piloted AVDS, we saw zero false positives and the differential reports make Management Reporting easy. These features are huge. They allow us to focus on delivering ICT services instead of chasing down vulnerabilities. Cody Phang Head of IT for the Australian Government National Capital Authority (NCA) Making A Business Case For AVDS When he started his job, King used freeware scanning tools such as Nessus to conduct security scanning but quickly found that the free tools were not conducive to the management of such a large, complex environment. "I needed a way to give control out to the various locations and let IT staff to run their own scans and maintain their own scans instead of relying on me. It had gotten so that all my time was spent measuring benchmarks and tracking resolutions of those vulnerabilities. I wasn't being strategic," said King. AVDS generates a detailed vulnerability report specifying the security breaches, along with recommended fixes for each of the vulnerabilities. The engine is updated on a regular basis for the most recent security vulnerabilities. The updates include security vulnerabilities that were discovered by the Beyond Security's research and development team, as well as those discovered elsewhere. "Since we started using AVDS, my job has evolved to ensure we have the proper controls in place from a policy and procedural perspective. I work to identify gaps in our existing security, and find areas where can we improve our security to be more compliant." The automation of scans and vulnerability reports allowed King to focus on higher value work, including security awareness training. King believes most security breaches happen by accident - improper use of technology, forgetting to encrypt sensitive data, or bypassing important controls because someone is in a hurry. "Now I create security awareness training, consult with IT on change management and work with audit and compliance on gap resolution; so now the ROI on me as a resource is much higher because we have moved our scanning to an automated platform." Page 3 of 5

4 King believes automated scanning is a cornerstone for improving security. "We now can easily justify to management the cost of upgrading. For example if we have an operating system end of life and no way to patch vulnerabilities, we either need to accept those vulnerabilities or replace the machines. This kind of data gives you a lot of leverage with management for improving your security posture." Executive Take-Away We asked Jeremy King, security specialist, "What advice would you give to a company that wants to proactively manage the cost of compliance?" Here are his answers: When looking at all the tools on the market, it is good to compare a few tools. It is neglectful to pick a solution based simply on a name brand. By doing that you put blinders on. Be aware of new and emerging technology. Keep your eyes open. Set your bias on the sidelines. Give thought to accessibility. How accessible is the system in terms of ease of use, responsiveness, automation, can you get really granular with identification of networks, is it comprehensive in its vulnerabilities, are they first to market with new vulnerabilities, what is the what from a zero day to the time it lands in the system? How aggressively does the vendor manage false positives? You don't want to chase ghosts. Cost. With most brand name systems, cost increases dramatically as you add IP addresses and trend-tracking and essential reporting capabilities. How much control do you have? Can you assign multiple levels of permissions? What is the security of the system itself? Obviously a vulnerability system shows vulnerabilities (which is not a good thing for someone else to have) Page 4 of 5

5 Contact Information USA 1616 Anderson Road McLean, VA Stevens Creek Blvd. Cupertino, CA EMEA 105 London St. Suite 609 Reading RG1 4QD UK Asia Pacific Post Office Box 4 Mount Colah NSW 2079 Australia China 5/F South Block Tower C, Rathcom Info Tech Park, No 2 Kexueyuan South Rd. Haidian District Beijing sales@beyondsecurity.com Page 5 of 5