Instead of just having assorted tools and conducting scans—which could result in taking action in an inconsistent fashion—Broadridge wanted to implement a comprehensive vulnerability management program. Following its spin-off from Automatic Data Processing in 2007, Broadridge’s Information Security team started over in outlining their goals and developing their requirements for a vulnerability management program.
Broadridge then set out to find a solution to help them implement this program. They evaluated multiple solutions before concluding that Tenable Network Security’s SecurityCenter was the best fit. Tenable matched up best with Broadridge’s requirements and provided additional compelling features such as passive vulnerability scanning, correlation capabilities, and outstanding management reporting.
Tenable has helped Broadridge make their vulnerability management program a reality. Tenable helps translate vulnerabilities into risk metrics, has SIM-like correlation functions (without the price of a SIM), and is scalable and flexible. Going forward, Broadridge will be using Tenable for other purposes, including patch and configuration audits.
Case Study: Maturing a Vulnerability Management Program
As of mid-2008, when Jonathan Klein joined Broadridge, the company used a collection of tools for scanning. There was no centralized process or program for managing vulnerabilities.
“We had a lot of tools, and some process, but we weren’t getting everything out of our vulnerability management program that we could have.”
Broadridge made the decision to wipe the slate clean and create a vulnerability management program that would meet both its current security and business needs and adequately prepare Broadridge for the future as those needs continue to evolve.
They envisioned a vulnerability management program that would:
- Identify the company’s vulnerabilities. This includes network vulnerabilities, database vulnerabilities, application vulnerabilities, and more.
- Quantify the risks to the business associated with each vulnerability. By quantifying the business risks from each vulnerability, these risks could be reported to the business. The business would then use this quantification to decide on priorities and which vulnerabilities to remediate.
- Remediate vulnerabilities. The idea behind creating a comprehensive vulnerability management program wasn’t just to identify vulnerabilities and quantify risks; it was also to remediate important vulnerabilities to secure the business.
Starting over meant defining new processes as well as examining different technology and toolsets that were currently available. While budget was a prime consideration, Broadridge decided to find the best solutions to develop the vulnerability management program they envisioned.
Part of starting over and developing a comprehensive vulnerability management program meant developing a set of criteria for vulnerability solutions. Among the key criteria:
- The ability to scan a heterogeneous network
- Ease of upgrades
- The GUI
- Integration with existing workflow and ticketing
- The vulnerability database
- Scan scheduling
- Reporting capabilities
- Testing capabilities
- The licensing model and total costs
- Scalability and the degree of flexibility to expand
- Ability to customize aspects of the solution
- Tool integration
- Role-based access control
After establishing their criteria, Broadridge evaluated solutions from several leading solution providers, including Tenable.
After this evaluation, Broadridge selected Tenable Network Security. In addition to matching up better on the core criteria, Tenable also had several other features that Broadridge found compelling. These included:
- Passive vulnerability scanning and monitoring. The passive nature of Tenable’s scanning provides real-time information and the ability to see new and important information without disrupting production operations. This is a desirable aspect for Broadridge.
- Log analysis and correlation. Broadridge had plans to implement a SIM in the future, but did not have budget at this time to do so. Unlike the other solutions evaluated, Tenable provided many of the most important capabilities of a SIM, namely log analysis and correlation—at a significant savings. For example, Tenable can read events identified by Sourcefire and can correlate them with vulnerabilities.
“The technology [Tenable] performs many functions that SIMs can perform at a fraction of the cost. We deployed a low-cost SIM and saved the company significant dollars.”
- 3D reporting. Tenable has great visual reporting capabilities that allow the creation of simple and compelling reports for management.
Implementing Tenable . . . and Seeing Immediate Benefits
Broadridge initially bought Tenable’s SecurityCenter for distributed management of Nessus. They followed that by lab testing Tenable’s Passive Vulnerability Scanner and Log Correlation Engine. In the initial testing, implementation was easy and fast, and Tenable provided great support.
Over the next year, Broadridge plans to put one or two scanners, utilizing Nessus and the Passive Vulnerability Scanner, in eight of the company’s data centers.
In just a short period of time, Broadridge has watched its vulnerability management program take effect, and has seen immediate benefits from Tenable. These benefits include:
- Enabling execution of the vulnerability management program. Tenable makes it possible for Broadridge to execute the comprehensive vulnerability management program that they envisioned. This entails identifying vulnerabilities, translating them into risks, communicating the risks to management and the business, remediating key vulnerabilities, and monitoring the status—in a highly efficient way.
- Gathering valuable information, without disrupting the business. Tenable’s passive monitoring provides valuable real-time information, providing better situational intelligence without disrupting the organization.
“We are seeing a lot of interesting traffic that will help us better identify assets and risks.”
- Developing risk metrics. Using Tenable has allowed Broadridge to translate vulnerabilities into risks and develop quantifiable risk metrics that can be used by management.
- Reporting capabilities. Tenable’s reporting capabilities enable vulnerabilities to be identified and quickly communicated to the right level in the organization. Reporting allows for prioritization of which vulnerabilities to remediate, and on what time frame.
- Satisfying customers. Many of Broadridge’s clients require proof of vulnerability testing. Use of Tenable solutions enables Broadridge to easily and effectively satisfy this requirement.
- Providing great flexibility. Nessus and the Passive Vulnerability Scanner provide the ability for users to write custom scripts or modify Tenable-provided scripts. This flexibility is extremely useful. In addition, Tenable is highly scalable, providing Broadridge with great flexibility as the company and security program expand.
In the future, Broadridge will be expanding the number of data centers where Tenable solutions are deployed, increasing the number of hosts that are actively scanned from 8,000 to more than 12,000, and continuing to deploy passive vulnerability scanners.
Broadridge will also be using Tenable to assist with patch and configuration audits. As Broadridge implements more secure coding practices, they will be pushing tools to developers to conduct scans before code goes into production.