2. Scanning Coverage. This isn’t as much about scale (which is also important), but more about the ability to scan for all types of assets as part of an audit. The industry evolved past desktops and servers long ago, and amazingly, not all security vendors have followed suit in their coverage. What does today’s dynamic enterprise need to be able to audit? Everything, really. This also requires an approach where network-based scanning is complemented by host-based scanning for the mobile assets that your organization relies on.

Thankfully, the PCI audit was just looking at the payment system itself, but the auditors did file a notice with the company that they felt it had little operational security control over its ‘non-standard’ assets, such as virtual servers and applications, and mobile assets which traveled in and out of the perimeter with frequency. eEye’s ability to perform both network and host-based scanning addressed this concern, and our unique (unique as in “only solution in the industry”) offering for scanning virtual applications was able to almost double the coverage of their existing vulnerability tools. By doubling that coverage, though, did we just bury them under a mountain of data? Thankfully, no. Keep reading to see how we help our customers avoid being lost in “security big data”.

3. Actionable reports and intelligence. One of the contributing reasons for our prospect turning to eEye for help in becoming compliant with their PCI requirements was the lack of visibility they had into what was really going on within their network. Tactically, we were able to help them change that by increasing the accuracy of their scans, as well as the breadth of coverage for their new and emerging technologies. Strategically, we were able to help them by providing Retina Insight for actionable reporting and analysis of their security posture.
Interestingly enough, due to the lack of visibility with their prior tools, the “laundry list” approach to fixing vulnerabilities had created a negative culture internally with regard to vulnerability tracking and remediation. The data was too hard to find and extract. With Retina Insight, the company can now easily identify risk, quantify its potential impact to operations and act accordingly, all within the Retina CS suite.

As I mentioned, this action plan was designed for an organization that had previously failed its PCI audit, but I think we can all agree that these basic tenets of vulnerability and threat management can be applied to a wide range of organizations, regardless of their regulatory burdens or industry.

I’d love to hear your thoughts. Use the comments section below to share your opinions, or even your own stories of dealing with regulatory audits like PCI. We’d love to hear them.
Scott Lang, Sr. Director, Product Marketing at BeyondTrust
Scott Lang has nearly 20 years of experience in technology product marketing, currently guiding the product marketing strategy for BeyondTrust’s privileged account management solutions and vulnerability management solutions. Prior to joining BeyondTrust, Scott was director of security solution marketing at Dell, formerly Quest Software, where he was responsible for global security campaigns, product marketing for identity and access management and Windows server management.