Case Study

A Provider of Business Process Outsourcing Simplifies the Vulnerability Management of Hundreds of Client Networks.

SOURCECORP

Location: Dallas, Texas

Clients: in Financial, Government, Healthcare and Legal Services

Business: Business Process Outsourcing

Business Units: Multi-location data centers, 3,500 staff, hundreds of client companies

Recipe for Success: A leading provider of business process outsourcing solutions and specialized high-value consulting services, SOURCECORP uses AVDS for client VA/VM services.

Do you have many business units and many people involved in network security?


Here's how a business process outsourcer manages security for hundreds of clients - each with their own security needs and system architectures!

Introduction

Jeremy King is a security specialist for SOURCECORP, a provider of business process outsourcing to the financial, government, healthcare and legal industries. His company manages hundreds of isolated networks for clients.

The Challenge

Each network is governed by different IT security standards and integrity legislation. The cost of vulnerability scanning and client reporting using other VA/VM solutions proved prohibitive because of the great differences in network architecture and security requirements.

Solution

An AVDS management server and multiple local scanning servers from Beyond Security.

The Story

"Because we are a BPO organization, we manage hundreds of isolated networks, each configured to the needs of each customer. Other than a few key internal systems, there is no standard architecture for these networks. We build a solution tailored to a client’s process need," said King.

With clients in so many industries, and with so many unique processes under management, every supporting network is also governed by a unique mix of compliance and regulatory acronyms, including GLBA, HIPAA, SOX, SAS70, and PCI, to name a few.

"Our customers have the right to be pickier than the regulations themselves. They are paying us to manage their process and they want to ensure they are compliant. Since we are managing their processes, we are governed by the same regulations that our customers are governed by," said King.

To ensure that both the customers’ needs as well as the requirements of the regulations are met and reduce the cost of vulnerability scanning very strict best practices are implemented across the board along with AVDS from Beyond Security.

"Our CIO was looking for the best solution for the lowest possible cost. Because of the complexity of our networks, the other solutions were cost prohibitive because they charge on a per scan/per IP basis," said King.

In an effort to improve efficiency and provide more autonomy for each location, a number of automated scanning tools were evaluated. In the end Beyond Security’s AVDS was selected.

Customer Requirements

  • Strengthen current network security processes and procedures to protect against attacks from both external and internal threats
  • Deploy new security solutions that go beyond core-level technology to span multiple isolated networks
  • Rapidly address changing customer regulatory and compliance requirements
  • Perform monthly vulnerability assessments of hundreds of isolated networks

About AVDS

Beyond Security's AVDS performs a security mapping of an organization's network and simulates attacks originating from either the internal or the external network. Once the security mapping is complete, AVDS generates a detailed vulnerability report specifying the security breaches, along with several practical and easy-to-apply solutions to fix those vulnerabilities. The engine is updated on a regular basis for the most recent security vulnerabilities. The updates include security vulnerabilities that were discovered by the company's research and development team, as well as those discovered elsewhere.

By installing the AVDS appliance-based solution, King has a real-time view of all the networks and is able to clearly demonstrate compliance with emerging global IT security standards and integrity legislation.

Making A Business Case For AVDS

When he started his job, King used freeware scanning tools such as Nessus to conduct security scanning but quickly found that the free tools were not conducive to the management of such a large, complex environment.

"I needed a way to give control out to the various locations and let IT staff to run their own scans and maintain their own scans instead of relying on me. It had gotten so that all my time was spent measuring benchmarks and tracking resolutions of those vulnerabilities. I wasn’t being strategic," said King.

AVDS generates a detailed vulnerability report specifying the security breaches, along with recommended fixes for each of the vulnerabilities. The engine is updated on a regular basis for the most recent security vulnerabilities. The updates include security vulnerabilities that were discovered by the Beyond Security's research and development team, as well as those discovered elsewhere.

"Since we started using AVDS, my job has evolved to ensure we have the proper controls in place from a policy and procedural perspective. I work to identify gaps in our existing security, and find areas where can we improve our security to be more compliant."

The automation of scans and vulnerability reports allowed King to focus on higher value work, including security awareness training. King believes most security breaches happen by accident – improper use of technology, forgetting to encrypt sensitive data, or bypassing important controls because someone is in a hurry.

"Now I create security awareness training, consult with IT on change management and work with audit and compliance on gap resolution….so now the ROI on me as a resource is much higher because we have moved our scanning to an automated platform."

King believes automated scanning is a cornerstone for improving security.

"We now can easily justify to management the cost of upgrading. For example if we have an operating system end of life and no way to patch vulnerabilities, we either need to accept those vulnerabilities or replace the machines. This kind of data gives you a lot of leverage with management for improving your security posture."

Executive Take-Away

We asked Jeremy King, security specialist, "What advice would you give to a company that wants to proactively manage the cost of compliance?" Here are his answers:
  • When looking at all the tools on the market, it is good to compare a few tools. It is neglectful to pick a solution based simply on a name brand. By doing that you put blinders on. Be aware of new and emerging technology. Keep your eyes open. Set your bias on the sidelines.
  • Give thought to accessibility. How accessible is the system in terms of ease of use, responsiveness, automation, can you get really granular with identification of networks, is it comprehensive in its vulnerabilities, are they first to market with new vulnerabilities, what is the what from a zero day to the time it lands in the system?
  • How aggressively does the vendor manage false positives? You don’t want to chase ghosts.
  • Cost. With most brand name systems, cost increases dramatically as you add IP addresses and trend-tracking and essential reporting capabilities.
  • How much control do you have? Can you assign multiple levels of permissions? What is the security of the system itself? Obviously a vulnerability system shows vulnerabilities (which is not a good thing for someone else to have).

Click For More Info - Or A Free AVDS Eval