Scrutinizing The SCRUTINY

Christofer Hoff is taking the easy way out of analyzing and applying vulnerability assessment data at Western Corporate FCU.

Previously, when the director of Enterprise Security Services ran a scan on WesCorp's 400-server network, he would sometimes end up scrutinizing hundreds of pages of vulnerability assessment data.

"I would take mountains of data and distill it down to meaningful results so that I knew what vulnerabilities I needed to pay attention to first based on risk criticality," Hoff explained.

"For the past year at WesCorp and for the past 12 years in the field, I've been deluged by vulnerability assessment data," he continued. "I spent so much time correlating data to see what was important according to risk level that, once I was finished, I'd have to turn around and scan again."

Manual data correlation and scripting of WesCorp's network have been replaced by vulnerability assessments targeted at specified asset groups, provided since January by Web-based QualysGuard, an on-demand security audit and vulnerability management service out of Redwood Shores, Calif.

Consequently, Hoff can quickly address the vulnerabilities identified on higher-risk groups first.

The $24-billion corporate can assess both its Internet- and Intranet-facing machines and discover the quickest route to securing the network. "In vulnerability assessment management, it's all about response time," he said.

"Our previous assessment process was mostly manual, working with resultant scans from vulnerability assessment tools," Hoff said. But Qualys has taken the country's largest corporate credit union to the next level.

"What we have now are vulnerability assessment management tools," he said. WesCorp uses QualysGuard Enterprise with Internet and Intranet scanners.

Hoff said he is impressed by what's to come in the next quarter, the "real power" in vulnerability management, when the Web service will automatically correlate threats to asset groups.

"Threat correlation provides the actionable intelligence we require," Hoff said. "Qualys is going to be able to provide the assessment, reporting and correlation functions that allow my team to group assets by criticality or function, correlate vulnerabilities against assets that are vulnerable to the threat, isolate and provide tracked remediation of vulnerabilities, and provide meaningful metrics based upon relevant business logic."

The software will not only list potential threats and fixes, but also identify which of the 1,000-member corporate's hosts are most vulnerable to the threat, before the hosts are compromised.

Hoff said that Qualys' correlating and reporting capabilities put the firm ahead of the competition. "Other tools are good at identifying threats, but fall short on output reporting and correlation."

"Qualys' remediation agent directly assigns tickets to fix things to my network technicians. The system then tracks those fixes," he said.

In addition, a trending report tells Hoff what his overall risk index is in terms of risk production.

CUJ Resources

For info:
* WesCorp FCU at www.wescorp.org
* Qualys at www.qualys.com
