Apptio faced a significant challenge in managing the security risks associated with employees accessing corporate data via personal mobile devices. The use of smartphones and tablets for work purposes had increased efficiency but also introduced potential security vulnerabilities. Prior to implementing Mobilisafe, gathering information on connecting mobile devices was a tedious process that did not yield adequate results. The company lacked a comprehensive security policy for mobile device usage, which heightened the risk of data breaches and unauthorized access.

AutomationDirect, a proactive company, wanted to change the security mindset of its IT staff to stay ahead of the latest threats. The company needed to ensure that its IT security practices were robust enough to prevent both internal and external threats. Tim Lawrence, IT security analyst at AutomationDirect, recognized that administrators often prioritize getting systems up and running over security, which could lead to vulnerabilities. After attending the Black Hat convention in July 2010, Lawrence devised a long-term security strategy to address these issues. The goal was to anticipate and thwart potential hackers and eliminate internal oversights that could create inadvertent vulnerabilities. AutomationDirect was not under any immediate known security threat, but the IT security team needed to promote overall security best practices to the entire IT staff to prevent any possible worst-case scenarios.

In 2008, Bob’s Stores faced the challenge of meeting new PCI compliance standards, particularly requirement 11 of the PCI DSS, which mandated regular tests of security systems and processes through internal and external scans. The IT department, led by Nick Sorgio, Assistant Vice President and technology manager, needed a vulnerability management system to meet these standards and protect customer data. The pressure to quickly comply with these new requirements was significant, and Bob’s Stores had no existing vulnerability management system in place. This made finding a suitable tool a top business priority. Bob’s Stores conducted a comprehensive assessment of various vulnerability management vendors, ultimately selecting Rapid7 due to its ability to identify vulnerabilities across networks, operating systems, databases, web applications, and a wide range of system platforms. Rapid7 Nexpose provided the necessary vulnerability assessment scanning and monitoring capabilities to meet PCI data security standards and offered sound vulnerability management practices as part of a comprehensive security program.

Bob Jones, the Information Security Manager for the City of Corpus Christi, Texas, faced the challenge of increasing security awareness across the organization and detecting and investigating attacks more easily. The city’s infrastructure is unique, akin to about 30 separate SMBs operating under a larger parent company, each with different requirements and compliance regulations. Bob's role was multifaceted, involving duties of an analyst, engineer, and penetration tester. He had to change an embedded culture and establish credibility with the CIO and IT Director. The primary challenge was the lack of visibility into assets on the Corpus Christi network, making it difficult to accurately qualify or quantify the level of risk. Bob needed to prioritize remediation to add value and avoid placing a greater burden on the business.

Diebold needed an effective threat exposure management solution that would offer scalability and visibility. Given the pivotal role vulnerability management plays at Diebold, selecting a vulnerability management solution was an important task which the team did not undertake lightly. A main priority for them was the effectiveness of the vulnerability scanner. Diebold needed accurate, up-to-date, real-time data. Scalability was also an important factor; being a global company, they needed the ability to reach around the world without adding administrative overhead.

Securing the Essentia Health network is a complex task due to its multi-billion dollar integrated health system that spans multiple states and roughly one hundred facilities in the Midwest. The network includes fifty thousand IPs, from facilities to medical device equipment. The security team must locate and resolve high-risk vulnerabilities to safeguard patient data and other critical information. Compliance with HIPAA, HITECH, and PCI DSS adds another layer of complexity. Despite compliance, security holes such as weak credentials and improper patches were prevalent. The team needed a solution to perform thorough testing against all active systems and demonstrate risk to secure necessary resources for a vulnerability management program.

Recently, Eyelock set out on a new project: making security airtight for logical access devices. They wanted an external team to take a very close look at their security architecture to implement a design that would allow for access to computers, websites, online banking, and the like. The RFP process kicked off, and the Eyelock team began evaluating various third-party vendors. The top three qualifications were extensive experience with embedded products, a high level of security expertise, and a strong overall reputation within the industry. Through a combination of these factors, Rapid7 won out.

Before Hillsborough County acquired a vulnerability management solution, ensuring that their over 250 servers were secure and compliant proved difficult for ITS’ team of three security engineers. The County’s process was to contract with outside vendors to run periodic vulnerability assessment scans. With new security requirements increasing the need for more frequent auditing, they needed an in-house solution. The County’s security engineers required detailed reports that identified vulnerabilities to be remedied before they could pose substantial risk to the network environment. To evaluate vulnerability management solutions, ITS defined a set of technical requirements against which to measure selected vulnerability assessment scanners. The desired solution would need the ability to perform stealth scans, schedule routine scans, support multiple platforms including Windows and Linux, scan multiple platforms, applications and devices, support unauthenticated and authenticated scans, scan all systems without installing an agent, perform incremental scans, and provide future support for wireless protocols.

When Allen Basey joined MCPHS University over two and a half years ago, he was tasked with developing new security procedures and policies, including comprehensive vulnerability scanning. As the sole person dedicated to maintaining security, he needed to improve the University's overall security posture without being overburdened. Initially, he opted for Tenable's Nessus due to its low cost, but found it required manual scans and lacked critical context for prioritizing vulnerabilities. This made it difficult to get IT support teams to take action, and researching how to patch vulnerabilities consumed valuable time, leading to crucial patches being neglected.

The Nebraska Public Power District (NPPD) faced a complex compliance situation due to various regulatory mandates, including NERC CIP standards, HIPAA, and specific cyber regulations for their nuclear facility. As a publicly powered state, Nebraska's electric utilities are owned by the public, adding another layer of complexity. NPPD needed to ensure robust cybersecurity measures across its 4,000 assets spread over 19 sites, while also addressing the increasing sophistication of phishing attacks. The organization aimed to improve its overall security posture and meet compliance requirements effectively.

With a constantly growing network environment, Norwich University’s IT department found it increasingly difficult to have a clear view into all network equipment and servers—and their vulnerabilities—while still only conducting manual scans.

Permission Interactive, an e-commerce company handling sensitive customer information, faced challenges in meeting PCI compliance standards. Their existing McAfee vulnerability management solution was only helping them 'check the box' for PCI compliance without improving their overall security landscape. A full audit revealed significant gaps in security best practices and overall compliance, prompting the company to seek a more robust solution.

Identifying how many servers and systems were affected by Heartbleed and other OpenSSL vulnerabilities without having to scan every server manually. PNM Resources needed a way to quickly and accurately identify vulnerabilities across their extensive network of servers and systems. The manual process of scanning each server individually was time-consuming and inefficient, especially during critical incidents like Heartbleed. The challenge was to find a solution that could provide rapid, accurate, and comprehensive visibility into the security status of their assets, enabling timely remediation and risk reduction.

PNRHA needed to enhance its security posture to comply with Saskatchewan’s Health Information Protection Act (HIPA) and prepare for a province-wide security push. The organization lacked visibility into its security status and had no reporting or charting capabilities to demonstrate compliance. With over 100 servers, 2,500 employees, 1,500 desktops, and two major data centers, PNRHA faced significant challenges in managing and securing its extensive IT infrastructure. The security team, led by Senior Security Analyst Jarvis Meier, needed a solution that could scale with the organization’s growth and provide comprehensive security management.

Most security professionals are strapped for time. In the world of independent consultants, time is even more precious, as their clients prefer engagements to be brief while still yielding business value. Just ask Kevin Beaver, an independent information security consultant with more than 25 years of experience in IT. As the founder of Atlanta-based Principle Logic, LLC, Kevin specializes in performing independent information security assessments for Fortune 1000 companies, nonprofits, and government agencies, among others. For the better part of Kevin’s career, his focus has been on security. “When I graduated high school, computers were the next big thing,” he laughs. “I remember when the concept of people accessing your network first started getting attention.” Fast forward a few years, and he’s now the author of Hacking for Dummies – one of the best-selling books on information security testing that’s currently in its fourth edition.

As Stein Mart extended its IT infrastructure, it developed a security framework to protect it. But it lacked a comprehensive system for scanning and analyzing its security posture. The IT security team initially experimented with freeware that gathered and consolidated security data. However, the biggest problem was taking all the consolidated data and doing something with it. Stein Mart needed a better way to analyze the data, so that they could understand the risks and vulnerabilities in their current security posture and remediate them. Along with Security Audit Analyst Ambar Batista, Beckworth determined that Stein Mart needed an easy-to-use vulnerability and analysis solution with capabilities such as scanning, consolidating, and analyzing data across a multivendor, multiplatform IT infrastructure, scheduling scans on a regular basis, creating comprehensive reports that rank specific risks and vulnerabilities by criticality, suggesting remediation steps, interacting with an existing third-party trouble-ticketing system, and supporting remote scanning at every store.

University of Mary Washington needed to prove their compliance with PCI DSS and state security requirements. The IT department needed to help safeguard its extensive computing infrastructure.

Weill Cornell Medical College, located separate from the main university campus, serves as an academic medical center requiring HIPAA compliance. They have complex IT security needs and needed a solution to prioritize and protect from threats as well as grow with the college.

WildTangent, an online games service company, faced significant security challenges due to its bring-your-own-device (BYOD) policy. The company had a highly mobile and geographically dispersed workforce, which necessitated the use of personal mobile devices for work purposes. While this approach increased productivity and employee satisfaction, it also introduced security risks. The initial mobile device management (MDM) solution implemented by WildTangent was difficult to configure, had a non-intuitive user interface, and required frequent manual updates. Additionally, not all features were available on every mobile platform, making it an inefficient solution for the company's needs.

Acosta has a highly mobile, geographically distributed workforce. They needed an efficient way to gain actionable insight into user behavior, effectively identify when a user’s account may have been compromised, and shorten the time needed for investigation of security incidents. The company’s large remote workforce and high degree of travel create a complex security environment, necessitating vigilant detection of compromised credentials and unusual user behavior. The challenge is further compounded by the need to manage user risk in a distributed work environment where employees frequently perform in-store marketing evaluations using mobile devices.

As a Managed Security Service Provider, S3 needs to offer clients a security portfolio with the best tools and provide great value, all while maintaining a trusting relationship with the vendor. With attackers becoming more sophisticated, IT environments growing increasingly complex, and a shortage of skilled cybersecurity professionals, it’s no wonder that businesses are increasingly turning to Managed Security Service Providers (MSSPs) to ensure their security program stays current with industry best practices. The MSSP relationship offers a cost-efficient way to mitigate risk, combat threats, and keep pace with compliance regulations.

In a non-profit organization, cost-effectiveness is essential. The USNA Alumni Association & Foundation needed to build a security architecture to protect personal information of alumni. Ken Kurz, the Director of Information Services, faced the challenge of managing an infrastructure that supports 70,000 living alumni without leveraging government resources. The primary concern was to ensure the security of personal information while operating within the constraints of a non-profit budget. Ken's extensive background in information assurance and high-level security engineering made him well-suited for the task, but the challenge remained significant due to the unique constraints of the non-profit sector.

Carnegie Mellon University needed a vulnerability management solution that would scan its assets broadly and offer centralized control for close monitoring and analysis of security threats, as well as the ability to create and export customized reports.

When Eric Nooden joined Redflex as Information Security Specialist, he found many out-of-date server operating systems. Because system stability was a priority with Redflex proprietary solutions, no one wanted to risk outages. The systems administrators were nervous about patching servers, fearing they might break them. The Redflex team had multilayer security in place, with firewalls, anti-virus software, and other technologies, but no dedicated security personnel to manage them. The undermanaged security posture was more reactive than proactive, and Nooden joined Redflex to change that. Additionally, because Redflex passes financial transactions to processing institutions, its systems must pass SAS 70 audits and comply with data protection standards such as Payment Card Industry Data Security Standard (PCI DSS) to avoid fines.

Shackerah, the primary user of Rapid7 Nexpose at the American Chemical Society (ACS), faced challenges in ensuring security holes were quickly plugged and handling PCI DSS compliance requirements. Initially using Qualys, the ACS team sought a new solution due to dissatisfaction with customer service. They needed a vulnerability management solution with robust reporting features, comprehensive vulnerability coverage, and excellent customer support.

Søren Hansen, the IT Security Manager at Chr. Hansen, faced significant challenges in gaining visibility into user activities on the network and detecting intrusions. The company needed a solution that could alert them to suspicious network activity and streamline incident investigations. The primary challenge was to find a tool that could provide detailed insights into anomalous behavior, such as stolen credentials and lateral movement, without overwhelming the team with excessive alerts. Additionally, the solution needed to be easy to deploy and manage, without requiring additional agents on endpoints.

When Microsoft undertook an extensive evaluation of Web Application Vulnerability scanning solutions on the market, the company’s Cloud and Enterprise Security Services team knew it would be no small task. Microsoft wanted to build a world-class, scalable Web App Vulnerability scanning service that would serve all of their different service teams in building secure applications. With the technology landscape rapidly evolving, Microsoft foresaw that the homegrown solution it had previously relied upon for application security would soon struggle to keep pace with modern applications with rich, dynamic clients and numerous APIs on the back-end. So the team undertook an extensive, thorough evaluation that spanned several months and settled on AppSpider as one of its Web App Vulnerability Scanners, based in large part on the product’s roadmap towards being able to handle complex application ecosystems that have rich clients and RESTful APIs.

The University of Salzburg faced the challenge of ensuring optimal performance and minimizing risk across its campus networks. With approximately 18,000 students and 3,000 staff across 30 locations, the university needed a robust solution to manage its IT and security infrastructure. The IT and security teams needed to collaborate effectively to prioritize and remediate issues based on the organization's needs. The university required a solution that could provide actionable insights, higher accuracy in identifying vulnerabilities, and better visibility into risk.

In a large university like Virginia Tech, IT security is a major issue. The Office of IT Security conducted a self-assessment of their compliance with the PCI standards and found they needed a commercial scanner with capabilities beyond Nessus.

Wiltshire Council, a unitary council established in 2009, faced the challenge of managing and protecting the personal information of its residents. With over 5,000 employees and more than 350 diverse services, the council needed an efficient and effective IT service to support, maintain, and provide strategic advice. Annual penetration tests were part of the compliance mandates, and the council needed a solution that could run pen tests all year round. Additionally, the council required a vulnerability management solution that could provide detailed and actionable reporting to help remediate risks in the environment.