Managing risk and vulnerabilities in a business context

Cyber attacks have a direct impact on the bottom line, yet most organizations lack the visibility and understanding needed to manage IT risk from a business perspective. This presentation is from a webcast in which a panel of experts examined how to shift from viewing IT risk in bits and bytes (individual hosts and CVEs) to viewing it in terms of its impact on the critical applications in the data center.

- Learn why and how more organizations are beginning to move ownership of IT risk to the business
- Understand how to aggregate and score vulnerabilities associated with data center applications and their associated physical or virtual servers
- Learn about the integration between Qualys and AlgoSec that enables business stakeholders to “own the risk”


  1. Managing Risk and Vulnerabilities in a Business Context
  2. Speakers: Corey Bodzin, VP of Product Management, Qualys; Nimmy Reichenberg, VP of Strategy, AlgoSec; Kevin Beaver, CISSP, Principle Logic, LLC
  3. Tennyson would be impressed…
     - NVD: 60,865 CVEs since 1999
     - 7,322 published in 2013 alone
     - 385 Severity 5s published by Qualys in 2013
     - 4 iDefense exclusive zero-day vulnerabilities in February alone
  4. “Risk and the accountability for risk acceptance are — and should be — owned by the business units creating and managing those risks.” - Paul Proctor, VP, Distinguished Analyst
  5. Prioritization approaches: Severity; Threat Path Analysis; Asset Tagging. Caveats: Critical ≠ Important; assume everything is “hackable”; very difficult to maintain with the pace of change
  6. What is your ideal method for prioritizing network vulnerabilities?
     - By business application: 48%
     - By network segment: 30%
     - By server/device: 22%
     Source: Examining the Impact of Security Management on the Business, AlgoSec, Oct 2013
  7. The Impact of the Cloud and SDN on IT Risk and Policy Management
  8. Integration between Qualys and AlgoSec
  9. QualysGuard Integrated Suite of Security & Compliance Solutions (some components marked as in beta on the slide): Vulnerability Management; Policy Compliance; Customizable Questionnaires; PCI DSS; Web Application Scanning; Malware Detection; Web Application Firewall; Web Application Log Analysis; Continuous Monitoring; Asset Management
  10. Qualys Drives Visibility: physical scanners; virtual scanners; perimeter scanners; browser plugins; mobile agents; hypervisor (VMware ESX and ESXi); IaaS/PaaS
  11. Analysis Drives Action. Context questions for each asset: Who is the owner? What business processes does it support? Are there regulatory requirements? Who is the last logged-on user? Is there customer data present? What is the SLA for patching? (Data sources shown: physical scanners, mobile agents)
  12. AlgoSec Security Management Suite: Firewall Analyzer (security policy analysis & audit); FireFlow (security policy change automation); BusinessFlow (business application connectivity management). Spans business applications and security infrastructure; stakeholders: application owners, security, network operations
  13. Next Steps and Q&A
     - Security Policy Management in the Data Center for Dummies: Available at
     - Read Kevin’s books, blogs and columns at and follow Kevin’s musings on Twitter at @kevinbeaver
     - Request an evaluation of the AlgoSec Suite: Visit us at
     - QualysGuard Free Trial
     - For future webcasts visit us at
  14. Managing Risk and Vulnerabilities in a Business Context
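The second bullet of the abstract and slides 5, 6 and 11 describe the mechanics the panel is advocating: roll host-level findings up to the business application they support, weight them with application context (owner, regulatory scope, customer data, patch SLA), and rank applications rather than servers, so that "critical" severity and "important" to the business are not confused. The Python below is an added example of that aggregation; it is not code from the webcast, Qualys or AlgoSec. The findings, host-to-application tags, application context, severity weights and criticality multipliers are all constructed for illustration, and hosts with no application tag are surfaced in an "untagged" bucket rather than silently dropped, which is the maintenance problem slide 5 warns about.

```python
"""Aggregate host-level scan findings into per-business-application risk.

Added example (not from the webcast, Qualys or AlgoSec).  All data below is
constructed; severity weights and criticality multipliers are assumptions.
"""
from datetime import date

# Constructed findings, one per (host, vulnerability).  Severity follows the
# 1-5 scale Qualys uses (5 = urgent); qid values are placeholders.
FINDINGS = [
    {"host": "web01",   "qid": 100001, "severity": 5, "first_seen": date(2014, 2, 1)},
    {"host": "web01",   "qid": 100002, "severity": 3, "first_seen": date(2014, 2, 20)},
    {"host": "db01",    "qid": 100003, "severity": 4, "first_seen": date(2014, 1, 15)},
    {"host": "lab07",   "qid": 100001, "severity": 5, "first_seen": date(2014, 1, 5)},
    {"host": "lab07",   "qid": 100004, "severity": 5, "first_seen": date(2014, 1, 5)},
    {"host": "lab07",   "qid": 100005, "severity": 4, "first_seen": date(2014, 1, 5)},
    {"host": "vm-2f9a", "qid": 100003, "severity": 4, "first_seen": date(2014, 2, 25)},  # no asset tag
]

# Constructed asset tags: the business application each server supports.
HOST_TO_APP = {"web01": "payments", "db01": "payments", "lab07": "qa-lab"}

# Constructed application context (slide 11's questions).  "criticality" is an
# assumed business multiplier applied to the raw severity score.
APPS = {
    "payments": {"owner": "treasury", "regulated": True, "customer_data": True,
                 "sla_days": 30, "criticality": 3.0},
    "qa-lab":   {"owner": "qa", "regulated": False, "customer_data": False,
                 "sla_days": 90, "criticality": 0.5},
}

# Assumed weight per severity level; tune to your own risk appetite.
SEVERITY_WEIGHT = {5: 10, 4: 5, 3: 2, 2: 1, 1: 0}

UNTAGGED = "untagged"     # bucket for hosts with no application mapping
TODAY = date(2014, 3, 1)  # fixed so the example is deterministic


def score_applications(findings, host_to_app, apps, today=TODAY):
    """Roll findings up per application.

    Returns {app: {"hosts", "by_severity", "raw", "weighted", "overdue"}} where
    raw is the sum of severity weights, weighted = raw * criticality, and
    overdue lists (host, qid, age_days) for findings older than the app's patch
    SLA.  Hosts absent from host_to_app land in the UNTAGGED bucket with a
    neutral multiplier of 1.0 so the tagging gap stays visible.
    """
    reports = {}
    for f in findings:
        app = host_to_app.get(f["host"], UNTAGGED)
        rep = reports.setdefault(app, {"hosts": set(), "by_severity": {},
                                       "raw": 0, "weighted": 0.0, "overdue": []})
        rep["hosts"].add(f["host"])
        rep["by_severity"][f["severity"]] = rep["by_severity"].get(f["severity"], 0) + 1
        rep["raw"] += SEVERITY_WEIGHT[f["severity"]]
        ctx = apps.get(app)
        if ctx is not None:  # no SLA is known for untagged hosts
            age = (today - f["first_seen"]).days
            if age > ctx["sla_days"]:
                rep["overdue"].append((f["host"], f["qid"], age))
    for app, rep in reports.items():
        ctx = apps.get(app)
        rep["weighted"] = rep["raw"] * (ctx["criticality"] if ctx else 1.0)
    return reports


def rank(reports, key="weighted"):
    """Applications ordered by the chosen score, highest first."""
    return sorted(reports, key=lambda app: reports[app][key], reverse=True)


if __name__ == "__main__":
    reports = score_applications(FINDINGS, HOST_TO_APP, APPS)
    print("by raw severity:   ", rank(reports, "raw"))
    print("by business weight:", rank(reports, "weighted"))
    for app in rank(reports):
        r = reports[app]
        owner = APPS.get(app, {}).get("owner", "?")
        print(f"{app:9} owner={owner:9} raw={r['raw']:3} weighted={r['weighted']:5.1f} "
              f"sev={dict(sorted(r['by_severity'].items()))} overdue={r['overdue']}")
```

With this data the lab box carries the highest raw severity total (two Severity 5s and a 4), so a host-centric view puts it first; once the application multiplier is applied the payments application ranks first, and its one finding past the 30-day SLA is the item the application owner is asked to act on. The untagged host shows up as its own line so that the tagging backlog is a reportable number rather than an invisible blind spot.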