Owned by the Transaction Services Group, Debitsuccess is a third-party payment processor with locations across the U.S., New Zealand, and Australia. Founded in 1994, Debitsuccess handles over 22 million transactions annually, worth in excess of $1 billion, for more than 1,500 businesses. As an organization that runs a DevOps infrastructure, creates and sells software to manage payment processing, and supports a call center, security and compliance are paramount to its entire business operations.
With the growing company undergoing a digital transformation, vulnerability and patch management solutions were being reviewed. According to David Kennedy, Group CIO for Transaction Services Group, and a seasoned 20-year cyber security veteran who has advised roughly 100 (critical infrastructure, financial, military, etc.) organizations, including the New Zealand Ministry of Defense, and is currently Chairman of the Advisory Board for the Future Auckland Leaders programme, “Security is not about ‘being secure’, it is about knowing how insecure you really are. We recognized that we needed enhanced visibility of our security posture and we needed a solution that could also help us meet our compliance needs.”
Another challenge that Kennedy sought to address, was to strengthen the ability to effectively prioritize which vulnerabilities to fix first.
For Ger Collins, IT Ops Manager at Debitsuccess, improved usability of a potential replacement solution also topped his team’s wish list. “We were looking at vulnerability management and patching products that enhanced productivity, functionality, and performance,” says Collins.
Making a Shortlist
The team at Debitsuccess immersed itself in research by Forrester, Gartner, SC Magazine and other publications to compile a shortlist of the top vulnerability management solutions.
“BeyondTrust’s Retina made our shortlist because it was highly-rated everywhere we looked, and other CIOs I talked with recommended it,” says Kennedy.
Retina CS is the only vulnerability management solution designed from the ground up to provide organizations with context-aware vulnerability assessment and risk analysis; while also delivering simplified patch management through integrations with Microsoft WSUS and SCCM, and other platforms.
Evaluating Industry-Leading Solutions Head-To-Head
At the outset, some of Debitsuccess’ must-haves for a new solution included:
- Strong vulnerability discovery capabilities—without being resource intensive
- Ease of use
- Intelligent visibility to help prioritize IT risk management decisions
- Risk remediation—with clear visibility and reporting into how vulnerabilities were fixed
- Ability to configure how and when remediation is done
- Integration with existing infrastructure
“But, the single most important thing you absolutely need from a vulnerability solution is that you need to be able to trust it,” asserts Kennedy. “You need to be able to put your neck on the line with it. BeyondTrust’s Retina picked up all the vulnerabilities that we were purposely putting into the system.” On top of this, Kennedy’s team appreciated that Retina uncovered vulnerabilities via a non-intensive, non-intrusive discovery mechanism, without disrupting the assets being scanned.
Debitsuccess found Retina reporting very comprehensive ,with its actionable intelligence, executive dashboards, out-of-the-box reporting, and breadth and depth of data that is completely customizable. “Retina’s ability to drill down to vulnerabilities in assets and asset classes was exceptional—and this could all be accomplished through a single console,” says Collins. “The capability to leverage CVSS scoring and other ranking methodologies that are integrated into our environment was also a big differentiator with Retina.”
Kennedy’s team could quickly make a clear business case for Retina CS by quantifying the time saved through visibility into vulnerabilities. “You could say that, ultimately, Retina’s ability to address visibility requirements drove our decision to purchase the solution,” says Kennedy. “Once you can quantify vulnerabilities, you can prioritize across your assets—and BOOM—you have a list of your biggest problems.”
Debitsuccess deployed Retina without a hitch, assisted by BeyondTrust’s Support Team. “Support really stood out and was excellent during implementation,” says Kennedy. “The BeyondTrust Support team was very fast and very capable of helping us with the implementation to maximize efficiency.”
During deployment, the team at Debitsuccess was also impressed with Retina’s seamless integration with other tools. “Retina integrated really well with WSUS and other technologies, which was a nice plus,” says Collins. “It was also easy to set up and customize reports from BeyondInsight,” adds Collins about the centralized reporting and analytics platform that unifies intelligence across BeyondTrust’s Retina (vulnerability management) and PowerBroker (privileged access management) solutions.
Simplified Patch Management & Enhanced Visibility Stand Out from The Start
Prior to deploying Retina, Debitsuccess could only patch Microsoft applications. However, with Retina, they can now cover, not only Microsoft, but also Java, Adobe, and more. Debitsuccess groups its desktops by department. Once approved in BeyondInsight, desktops are automatically patched. While servers must also be pre-approved, patches are instead manually downloaded and installed. BeyondInsight automatically generates reports per group, providing regular intelligence on where the company stands with regard to vulnerabilities and patches, as well as PCI compliance.
“Right away, we had better clarity into what vulnerabilities we have—and we now have an integrated ability to patch and remediate them and report on it in a much richer capacity, through BeyondInsight,” says Collins. “We now benefit from a more complete view of the vulnerabilities per asset class—such as assets that deal with specific data types versus those that handle development. BI [BeyondInsight] is a really cool tool with a great UI.”
Pen Testing Shows Retina Raises the Bar
In 2015, approximately one year after putting Retina into production, Debitsuccess hired outside experts to perform penetration testing on its environment to identify any weak spots and areas for improvement. “The company performing the pen test reported back to us that Debitsuccess was one of the best companies they’d seen as far as being up-to-date from a patching perspective—and a key part of that result is attributable to the BeyondTrust solution we’ve implemented,” asserts Kennedy.
An Unexpected Benefit — Driving Smarter Decisions On IT Spend
Aside from delivering on its core capabilities of helping uncover, prioritize, and remediate threats, Retina CS is paying dividends that extend beyond vulnerability management. “I’m actually using Retina to define where to spend our security budget, through trend analysis and identifying where our vulnerabilities lie,” says Kennedy. “The visibility into how those vulnerabilities and trends are being created gives me a good business sense of where to allocate resources. Leveraging that intelligence, we have shifted around some milestones and accelerated others to tighten the gaps that demanded the most attention from us. More and more, Retina is helping us answer some questions at the top level, such as, ‘how is this going to enable us to generate more revenue or get more efficient?’ It’s just so valuable for us to be able to slide around and pull some business levers based on data.”
Next Stop: BeyondTrust Powerbroker Privileged Access Management
In addition to implementing Retina across all the different businesses in Transaction Services Group to close vulnerabilities, Kennedy’s team wants to take a closer look at BeyondTrust’s PowerBroker Privileged Access Management (PAM) solution—the most comprehensive offering on the market. “We would love to take on PowerBroker,” declares Kennedy. “The ability to limit privileged access with PowerBroker could substantially reduce an organization’s remaining window of risk by another 85%.”
From an IT operations standpoint, the smart automation and administration capabilities delivered by PowerBroker vastly streamline and simplify privilege management, auditing, and reporting for IT teams. “Trying to solve least privilege manually is painful,” says Collins. “Being able to automate many of the processes can save a huge amount of time and reduce complexity—making scalability, as we grow, much more manageable.”
However, particularly appealing to Kennedy’s team is PowerBroker’s synergistic integration with Retina CS, which presents a unique value proposition by enabling organizations to further shrink risk by basing access decisions on the real-time vulnerability of an asset. “BeyondTrust has the two key elements—PAM and vulnerability management—to massively reduce cyber risk. When working in an integrated fashion, the combination of those two capabilities presents a massive potential to reduce breaches,” says Kennedy. “It’s a major step forward in cyber security and risk management.”