Security risks might not change, but the priorities of threats to an organization do. First Advantage found help, reports Greg Masters.
Security threats and risks have not really changed in the three years Isabelle Theisen has been CSO with First Advantage, a leading risk mitigation and business solutions provider headquartered in Poway, Calif., northeast of San Diego. Actually, she says, over her career as a security professional, general security threats and risks have been rather consistent over time. What does change, however, is the priority of these threats and risks on an organization. For instance, she says there have always been risks linked to outsourcing and third-party connections, but these risks were not always considered top priorities. Nowadays, most organizations consider these risks very high, thereby demanding extra due diligence.
“We'll always have malicious code aimed at exploiting application and system vulnerabilities, Theisen says. “The technologies and processes may change, but it is likely that the concepts to protect our information assets will remain the same – albeit become more effective over time.”
Theisen (right) does not work for the IT department, but for the COO. Her security risk management department consists of 11 staff, including her and the Asia-Pacific team. Because it has several IT departments in the company, she says the IT teams are quite diverse. All told, First Advantage has approximately 500 IT staff, and the company has 4,500 employees spread throughout the U.S., Canada, Europe and the Asia-Pacific region.
One of the major challenges Theisen faces is to ‘see' what the company has or doesn't have in its network, systems and applications. “Ignorance is not a security measure,” she says.
“A technical solution like Qualys provides us with a real-time scorecard of vulnerabilities existing in our IT environment, and then allows us take immediate measures against these vulnerabilities based on risks.”
More specifically, the Qualys solution has allowed First Advantage to perform a regular inventory of its systems, which, Theisen says, “may be a challenge for highly decentralized organizations like ours.” In addition, it identifies vulnerabilities on First Advantage systems. This can be a very time-consuming activity to perform without an automated solution, she adds.
Also, the Qualys tool helps First Advantage assess these vulnerabilities based on specific risks. That is, it allows the IT staff to prioritize the remediation action items in “buckets,” starting with high-risks action items – instead of trying to resolve everything at once.
“With Qualys, we are able to assess vulnerabilities following a two-tier approach: vulnerabilities are assigned an ‘inherent' risk based on the operating system vendors' suggested risk rankings, and vulnerabilities are assigned a ‘customized' risk based on the relevancy of the vulnerability for the company and the criticality of the systems impacted,” she says.
Qualys has enabled First Advantage to send the high-risk remediation action items directly to its ticketing system, therefore eliminating one manual step from the First Advantage security staff. She also points to the fact that all scans and remediation work are documented for audit purposes regularly performed by company auditors, customers and regulators.
“Qualys has always been an integral component within our security risk management program for our high- and medium-risk computer systems (we have implemented a methodology to calculate the risks of our systems),” she says. “With Qualys, we have a ‘living' baseline of security levels for our systems across multiple locations with minimal time and labor from the security department and IT department.”
Wolfgang Kandek (left), CTO of Qualys, says First Advantage is a QualysGuard Enterprise customer. “They use the product for vulnerability management and policy compliance, as well as PCI. They conduct regular scans with the product to stay ahead of threats and manage compliance initiatives on time.”
Kandek points out that what distinguishes this solution from the competition is that in one suite First Advantage gets to do VM and compliance scanning. “They are also testing our web application scanning application. The SaaS model, which is unique to Qualys, is a big driver to First Advantage.”
To assess possible solutions, Theisen says that the director of security operations conducted all the tests with his team. The final decision was a collaborative decision after full review of the tests, costs, features, etc. “A comparative analysis was done with several tools. However, since all of us had already used Qualys with strong positive experience, it was a fairly easy decision to choose Qualys,” she says. In contention were tools from nCircle, Nessus, eEye Retina and Foundston.
To make its decision, First Advantage considered several criteria: previous experience, support, maintenance, features (such as flexibility), the console, reporting capabilities, staff expertise, and a future roadmap of the product with opportunities to link up with other tools, such as TrustWave and Altiris.
Deployment went smoothly, she says. “Qualys is easy to deploy and very hands-on with deployment. We didn't encounter any problems. The appliance-based model makes implementation incredibly easily and efficient. Ample training is also provided on an ongoing basis as new users and locations are brought on board.”
The centralized web-based model makes the solution simple to manage by pushing standard policies from one portal, she adds. The appliance model also alleviates the need for supporting any servers or other systems to run scans.
In regards to how the tool aids in compliance requirements, Theisen says Qualys has always been rather proactive to ensure its technology meets new and current data protection regulations. “For us, meeting PCI requirements will be very important next year as the credit bureaus will start using the new PCI requirements to gauge our levels of protection for consumer and credit data. The good news is that our security risk management program has already integrated many of the PCI requirements, including regular scanning of our networks, applications and systems, using Qualys and AppScan.”
Another plus for the First Advantage implementation is that the Qualys distributed model allow the global company the flexibility to scan environments without necessarily placing an appliance physically at a particular location. First Advantage also leverages its MPLS network to perform scans at various locations. To date, the solution covers over 80 percent of the locations in the company, with the ultimate goal to attain 100 percent coverage. Some internal infrastructure changes must take place prior to reaching this goal, she says.
When asked what new threats First Advantage is facing, Theisen explains that aside from an unstable economy, the company has not identified any new threats. “Our current security risk management program includes a long list of threats and risks, including insider threats, third-parties' access, malicious code, identity theft, etc. Our SRM program allows us to keep up-to-date with threats and risks applicable to our company. We find ourselves adjusting our risks regularly as the business and IT evolve, but threats generally remain the same.
Theisen says she looks forward to continue working with Qualys because of their innovative roadmap regarding their product. “They listen to their customers and take proactive actions to integrate new features. In addition, their team is top notch – from their salespeople to their engineers. I wish I received the same level of support and service from all my vendors,” she says.
Qualys offers 24/7 technical support as part of its licensing model. “First Advantage is a pretty happy customer,” Qualys' Kandek says. As part of its SaaS model, all updates are transparent to customers, he adds. “We do daily signature updates to all the scanners, monthly scan engine updates, and quarterly feature updates to the application.”
First Advantage sees the QualysGuard solution as one of the primary technologies in their compliance and risk management framework, he says.
Greg Masters is managing editor of SC Magazine. He can be reached at [email protected].