"The only business information source for European Business management and leadership news..."
25 May 2011

QualysGuard delivers streamlined security and compliance for Oracle Global IT


“QualysGuard's easy-to-use and intuitive web interface and granular access controls, combined with Qualys' no-cost training, enabled Oracle GIT Security to extend the vulnerability assessments, as a self-service, to other security organizations within the company. It allows us to accelerate rollout of the scans and improve security awareness without increasing headcount or risk to the assets and data.”
- Sr. Security Manager, Oracle's GIT Security Engineering Team

Accurate, Scalable Vulnerability Management

Finding, prioritising, and then eliminating the software vulnerabilities that place business technology systems at risk of attack and of falling out of regulatory compliance is a significant and complex operation. Oracle's IT infrastructure spans the globe and encompasses multiple data centres, thousands of servers, more than 200 firewalls, 100 load-balancers, and tens of thousands of endpoints. Such diversity required Oracle GIT Security to find a way to scale and streamline its vulnerability management processes. Oracle GIT needed a solution that was scalable, easy to manage, and accurate. In addition, because much of the information that Oracle GIT manages is proprietary, the company operates under tight privacy mandates.

Accuracy of assessment scans is crucial. Small errors in any report can multiply the amount of time that security analysts must spend separating false positives from actual vulnerabilities in the company's infrastructure. Leonid Stavnitser, senior manager for Oracle's GIT security engineering team, explained that for each scan conducted, an analyst could take two hours to review and cleanse the report of errors. "Inaccurate reports add significantly to the actual total cost of ownership of assessment solutions," he explained.

In order to find the most accurate and secure way to identify and fix vulnerabilities, Stavnitser and his team ran many of the market-leading vulnerability assessment scanners through a series of tests. The first analysis consisted of a blind test in which the evaluation team knew nothing more than the target IP addresses. For the second analysis, the evaluation team was provided details regarding the operating system, applications, and other facts concerning the targeted environment. The goal: to understand how each vulnerability management tool performed when it came to accuracy, ease of use, and remedial capabilities.

An Accurate, Secure Solution Prevails

After extensive testing, Leonid and his team found QualysGuard Enterprise, the vulnerability and compliance management solution from Qualys, to be an effective solution for several important reasons:

  • Automated on-demand security and vulnerability audits.
  • Accurate vulnerability and configuration scans, according to Oracle's in-house testing.
  • Easy to deploy, manage, and operate.
  • QualysGuard scales to millions of scans per month, and provides Oracle assurance that vulnerability information remains confidential.
  • QualysGuard's PCI DSS capabilities mean that Oracle can conduct compliance scans for its internal hosting operations.

Executive dashboard from QualysGuard Enterprise Vulnerability Management

Streamlined Security

With QualysGuard Enterprise, Oracle GIT Security can monitor the company's global vulnerability management process, track remediation, and validate policy compliance. With its comprehensive vulnerability Knowledge Base, which consists of thousands of unique checks, and a six-sigma accuracy rate, QualysGuard provided the precision Oracle GIT Security sought. Now, Oracle GIT Security has streamlined control of its vulnerability management life cycle starting with asset discovery, extending to vulnerability assessments and tracking of security fixes.

Faster Time to Remediation, Effective Regulatory Compliance

The high accuracy rate and remedial information provided by QualysGuard significantly reduce the amount of time analysts spend identifying and classifying vulnerabilities throughout Oracle's complex IT network. Any time wasted analyzing false positives, or other faulty report information, grows extremely costly over the course of a year. Stavnitser estimates that traditional server or desktop-based scanners would cost his team an additional 2,000 work hours annually, if it tried to perform the same number of scans it's able to conduct with QualysGuard. "We just wouldn't be able to scale our vulnerability assessment services," he says.

Oracle GIT has also leveraged the fact that QualysGuard is fully PCI DSS certified. Some of Oracle On Demand's hosted clients are merchants that process credit card information for online sales, and they need to be able to demonstrate that they're PCI DSS compliant. One of the key PCI DSS requirements is that a quarterly scan be completed, using an approved assessment tool. "Qualys is one of the vulnerability management solutions certified for PCI DSS compliance. Therefore, by having Qualys in-house, we save ourselves plenty of aggravation and expense because we don't need to go to a third-party vendor and provide access to our network to conduct the required PCI quarterly scans. We do that ourselves!" Stavnitser says. "QualysGuard helps us to make sure that our network is secure and that our systems, and those of our customers, are hardened as well."

Want to Learn More?

To find out more about QualysGuard and how it can help your company achieve its network security and policy compliance goals, visit www.qualys.com/products/qg_suite.

You can also try QualysGuard with a 14-day Free Trial that requires no install and includes 24x7 technical support. To request yours, please visit: www.qualys.com.

