BAI Security Eyes Threat Prioritization as Competitive Differentiator
Last updated on: September 6, 2020
BAI Security, a nationally recognized security consultancy specializing in highly regulated industries, sees a big opportunity to further differentiate itself: threat prioritization.
Helping its customers pinpoint which vulnerabilities they must remediate right away is a natural expansion of the security auditing and compliance services it provides, such as breach risk, compromise and comprehensive IT security assessments.
“A lot of our competitors are just providing the vulnerability details without a lot of prioritization based on real world exploit activity,” says Michael Bruck, President and CTO of BAI Security.
At best, many security consultancies offer rudimentary prioritization analysis that, while better than nothing, still leaves customers with a lot of manual risk analysis on their hands. “So many organizations have dozens if not hundreds or thousands of ‘level 4’ and ‘level 5’ vulnerabilities,” Bruck says. “For IT departments with limited resources, tackling that is a huge challenge.”
What often ends up happening is that IT departments get overwhelmed by the number of potentially critical vulnerabilities. “They don’t know where to start,” he says.
This is a challenge faced by most enterprises today. Thousands of new vulnerabilities are disclosed every year, and IT departments cannot hope to fix all of them in a timely manner. Instead, they must identify the ones that represent the highest risk to the organization, which is very difficult to do manually or with a sub-par tool.
“Being able to show real world exploitability on particular vulnerabilities is really helpful,” Bruck says. “That’s definitely something that’s going to be more and more important going forward.”
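The prioritization Bruck describes, ranking by real-world exploit activity ahead of raw scanner severity, can be illustrated with a small triage routine. The following is an added example written for this page; it is not BAI Security's or Qualys' code, the tier rules are one reasonable scheme rather than how Threat Protection scores findings, and the findings, asset names and detection IDs are constructed placeholders.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One scanner finding enriched with threat intelligence (fields are assumed)."""
    asset: str
    detection_id: str        # placeholder identifier, not a real scanner QID
    severity: int            # scanner severity level, 1 (low) to 5 (critical)
    exploit_public: bool     # a working exploit is publicly available
    actively_exploited: bool # exploitation observed in real-world attack activity
    internet_facing: bool    # asset is reachable from the internet


def priority_tier(f: Finding) -> int:
    """Map a finding to a remediation tier (1 = fix first).

    Exploit evidence outranks the raw severity level, so a 'level 3' issue
    that is being exploited in the wild on an exposed host lands in tier 1,
    while a 'level 5' issue with no known exploit waits in tier 4.
    """
    if f.actively_exploited and f.internet_facing:
        return 1
    if f.actively_exploited or (f.exploit_public and f.internet_facing):
        return 2
    if f.exploit_public:
        return 3
    if f.severity >= 4:
        return 4
    return 5


def triage(findings: list[Finding]) -> list[Finding]:
    """Order findings by tier, then by severity (high first), then by asset name."""
    return sorted(findings, key=lambda f: (priority_tier(f), -f.severity, f.asset))


def tier_counts(findings: list[Finding]) -> dict[int, int]:
    """How many findings fall into each tier; useful for sizing the remediation queue."""
    return dict(Counter(priority_tier(f) for f in findings))


# Constructed sample: every one of these would be reported as 'level 4/5'
# or similar by a plain scan, so severity alone does not say where to start.
SAMPLE = [
    Finding("dmz-web-01", "EX-1001", 5, True, True, True),
    Finding("fileserver-02", "EX-1002", 5, False, False, False),
    Finding("hr-app-03", "EX-1003", 4, True, False, False),
    Finding("vpn-gw-01", "EX-1004", 4, True, False, True),
    Finding("db-05", "EX-1005", 5, True, True, False),
    Finding("kiosk-07", "EX-1006", 3, True, True, True),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"tier {priority_tier(f)}  sev {f.severity}  {f.asset:14s} {f.detection_id}")
    print(tier_counts(SAMPLE))
```

Run on the sample, the queue starts with the two actively exploited, internet-facing hosts (including the severity-3 kiosk), and the severity-5 file server with no exploit evidence drops to tier 4; the tier counts give an IT department a bounded "fix this week" list instead of an undifferentiated pile of level 4 and level 5 results.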
Qualys Also Saw This Need Among Enterprises
Earlier this year, Qualys released Threat Protection, an app designed to help organizations manage vulnerability and threat disclosure overload by automating the large-scale and continuous data analysis that the process demands.
Threat Protection was added in September as an option to Qualys Consultant, which has been an integral part of BAI Security’s toolset for more than 10 years.
Bruck’s team has been busy getting familiar with Threat Protection and has plans to soon start using it in customer engagements.
“Threat Protection will be extremely important to us because we’ll be able to provide real threat intelligence along with the vulnerabilities we’re reporting, which will be unique without the use of a third-party product add-on,” Bruck says.
He also foresees Threat Protection, which is part of the Qualys Cloud Platform’s integrated security and compliance suite, providing BAI Security with a market advantage. “It will give us an extra edge that a lot of our competitors won’t match,” he says.
Getting a competitive advantage has always been a big reason why BAI Security has used Qualys Consultant for so long.
From the start, BAI Security has valued the breadth, flexibility, accuracy, depth and speed of Qualys’ vulnerability detection technology, which Bruck considers among the best and most advanced in the market.
“The number of different types of systems and platforms you can authenticate into with Qualys to provide a more in-depth level of scanning is quite a bit better than any available scanner product we see in the marketplace,” he says.
New customers are frequently surprised by the number of vulnerabilities BAI Security detects with Qualys Consultant. “Our reports often have two or three times the number of vulnerabilities they detected with other tools,” he says.
The company also appreciates the ease with which it can export Qualys scan data to complementary third-party products as necessary for further analysis.
This, coupled with the comprehensiveness of the Qualys scan data, allows BAI Security to put together highly detailed and customized reports for its clients, which are mostly in finance, healthcare, public sector and insurance, Bruck says.
Meanwhile, the ability to place Qualys virtual scanners that can be managed remotely on customer networks gives BAI Security great agility when serving its customers.
The firm also looks forward to deploying Qualys Cloud Agents, as its clients must monitor the security and compliance of more and more mobile devices that are intermittently connected to the corporate network and spend most of their time off premises. These lightweight software agents can be installed on a variety of assets, such as on-premises servers, virtual machines, cloud apps and endpoint devices, where they continuously monitor for changes and assess security and compliance status. Cloud Agents transmit what they detect back to the Qualys back end for analysis and classification.
The New Era of Qualys Consultant
Qualys recently added two new packages to the Consultant suite, which now offers multiple comprehensive security assessment tools in a centralized console.
Qualys Consultant is designed for the “traveling” individual consultant who performs security assessments on site at customer premises. This package lets consultants install a scanner on their laptops, which they can then plug into the customer’s network to perform vulnerability and PCI compliance assessment services. The local laptop scanner provides the same accuracy, cloud-based reporting and actionable results as the Qualys Cloud Platform.
Meanwhile, Qualys Consultant Professional includes a centralized cloud-based console and flexible scanner options. With it, teams of consultants can perform remote or local vulnerability and PCI scanning, scheduling, reporting and remediation services, all from the Qualys Cloud Platform, making work across multiple client environments easy and efficient.
In addition to Threat Protection, other optional components for Qualys Consultant include Security Assessment Questionnaire (SAQ) for vendor risk management, Web Application Scanning (WAS) for detection of web app vulnerabilities and website misconfigurations, and Policy Compliance (PC) for automated security configuration assessments.