Managing Risk and Vulnerabilities in a Business Context

Page 1: Managing risk and vulnerabilities in a business context

Managing Risk and Vulnerabilities

in a Business Context

Page 2

Corey Bodzin, VP of Product Management

Qualys

Nimmy Reichenberg, VP of Strategy

AlgoSec

Kevin Beaver, CISSP

Principle Logic, LLC

Page 3

Tennyson would be impressed…

• NVD: 60,865 CVEs since 1999
• 7,322 published in 2013 alone
• 385 Severity 5's published by Qualys in 2013
• 4 iDefense Exclusive Zero-Day vulnerabilities in just February alone!

Page 4

“Risk and the accountability for risk acceptance are — and should be — owned by the business units creating and managing those risks.”
- Paul Proctor, VP, Distinguished Analyst

Page 5

Severity: Critical ≠ Important
Threat Path Analysis: Assume everything is “Hackable”
Asset Tagging: VERY difficult to maintain with pace of change

Page 6

What is your ideal method for prioritizing network vulnerabilities?

• By business application: 48%
• By network segment: 30%
• By server/device: 22%

Source: Examining the Impact of Security Management on the Business, AlgoSec, Oct 2013

Page 7

The Impact of the Cloud and SDN

on IT Risk and Policy Management

Page 8

Integration between

Qualys and AlgoSec

Page 9

QualysGuard Integrated Suite of Security & Compliance Solutions

• Vulnerability Management
• Policy Compliance
• Customizable Questionnaires
• PCI DSS
• Web Application Scanning
• Malware Detection
• Web Application Firewall
• Web Application Log Analysis
• Continuous Monitoring*
• Asset Management*

*In Beta

Page 10

Qualys Drives Visibility

• VMware ESX and ESXi
• Physical Scanners
• Browser Plugins
• Mobile Agents
• Virtual Scanners
• Hypervisor
• IaaS/PaaS
• Perimeter Scanners

Page 11

Analysis Drives Action

• Who is the owner?
• What business processes does it support?
• Are there regulatory requirements?
• Who is the last logged on user?
• Is there customer data present?
• What is the SLA for patching?
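Slides 5 and 11 make the same point from two sides: a severity-5 finding on a lab host is not automatically more important than a severity-3 finding on an internet-facing, regulated payment server, and the asset questions on slide 11 (owner, business process, regulatory scope, customer data, patch SLA) are exactly the tags that let raw scanner output be ranked and grouped by business application, the prioritization method 48% of respondents asked for in the slide 6 poll. The following Python is an added example and not code from the webinar, from Qualys or from AlgoSec; the hosts, tag values, finding labels, scoring weights and SLA values are constructed assumptions chosen for illustration.

```python
# Added example (not code from the webinar, Qualys or AlgoSec): rank scan
# findings by business context instead of scanner severity alone.
# All hosts, tags, findings, weights and SLA values are constructed assumptions.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Asset:
    """Asset tags answering the slide's questions about a host."""
    host: str
    owner: str              # Who is the owner?
    application: str        # What business process does it support?
    regulated: bool         # Are there regulatory requirements?
    customer_data: bool     # Is there customer data present?
    internet_facing: bool   # assumed extra tag: reachable from untrusted networks
    patch_sla_days: int     # What is the SLA for patching?


@dataclass(frozen=True)
class Finding:
    host: str
    finding_id: str         # constructed label, not a real CVE or QID
    severity: int           # scanner severity, 1 (low) to 5 (critical)
    exploit_available: bool
    found: date


# Constructed sample inventory and scan results.
ASSETS = {
    "web-01": Asset("web-01", "payments", "Checkout", True, True, True, 7),
    "db-01": Asset("db-01", "payments", "Checkout", True, True, False, 14),
    "lab-03": Asset("lab-03", "qa", "Test lab", False, False, False, 90),
}
FINDINGS = [
    Finding("lab-03", "F-1", 5, True, date(2014, 3, 1)),       # critical, but on a lab box
    Finding("web-01", "F-2", 3, True, date(2014, 3, 1)),       # medium, but on the exposed front end
    Finding("db-01", "F-3", 4, False, date(2014, 3, 1)),
    Finding("unknown-07", "F-4", 2, False, date(2014, 3, 1)),  # host with no asset tags at all
]


def business_risk(f: Finding, a: Optional[Asset]) -> int:
    """Scanner severity weighted by asset context. Weights are assumed, not a standard."""
    score = f.severity * 10
    if f.exploit_available:
        score += 15
    if a is None:
        return score            # no context known: severity is all we have
    if a.internet_facing:
        score += 20
    if a.regulated:
        score += 20
    if a.customer_data:
        score += 10
    return score


def prioritize(findings, assets):
    """Findings as dicts, sorted by business risk then by SLA due date.
    Untagged hosts stay in the list, flagged, so the tagging gap itself is visible."""
    rows = []
    for f in findings:
        a = assets.get(f.host)
        rows.append({
            "id": f.finding_id,
            "host": f.host,
            "application": a.application if a else "UNTAGGED",
            "owner": a.owner if a else "UNTAGGED",
            "score": business_risk(f, a),
            "due": f.found + timedelta(days=a.patch_sla_days) if a else None,
        })
    rows.sort(key=lambda r: (-r["score"], r["due"] or date.max))
    return rows


def by_application(rows):
    """Group the ranked queue by business application (the view the poll favoured)."""
    grouped = {}
    for r in rows:
        grouped.setdefault(r["application"], []).append(r)
    return grouped


def overdue(rows, today_iso: str):
    """Findings whose patch SLA has lapsed as of the given ISO date (YYYY-MM-DD)."""
    today = date.fromisoformat(today_iso)
    return [r for r in rows if r["due"] is not None and r["due"] < today]


if __name__ == "__main__":
    for r in prioritize(FINDINGS, ASSETS):
        print(r["score"], r["host"], r["application"], r["owner"], r["id"], r["due"])
```

Run as a script it prints the queue with the internet-facing, regulated web-01 finding first even though the lab host carries the higher scanner severity. The untagged host is kept and labelled UNTAGGED rather than dropped: a host with no owner or application tag is the slide's “very difficult to maintain” problem showing up in the data, and it needs an owner before its finding can be given a due date.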

Page 12

AlgoSec Security Management Suite

• Firewall Analyzer: Security Policy Analysis & Audit
• FireFlow: Security Policy Change Automation
• BusinessFlow: Business Application Connectivity Mgmt

Layers shown on the slide: Business Applications, Security Infrastructure
Stakeholders shown on the slide: Application Owners, Security, Network Operations

Page 13

Next Steps and Q&A

• Security Policy Management in the Data Center for Dummies: available at www.algosec.com
• Read Kevin’s books, blogs and columns at www.principlelogic.com/resources and blog.algosec.com/author/kbeaver
• Follow Kevin’s musings on Twitter at @kevinbeaver
• Request an evaluation of the AlgoSec Suite: www.algosec.com/eval
• Visit us at www.qualys.com
• QualysGuard Free Trial: www.qualys.com/trials
• For future webcasts visit us at www.qualys.com/webcasts

Page 14

Managing Risk and Vulnerabilities

in a Business Context