The following is a guest blog by Aflac, a Qualys VMDR customer, on their recent experience completing a Proof of Concept project for the newly released VMDR 2.0 with Qualys TruRisk.
Aflac Inc. (NYSE: AFL) is an insurance leader and the largest provider of supplemental insurance in the United States. Founded in 1955, we provide financial protection to more than 50 million people worldwide.
How Aflac is Using Qualys
Aflac selected Qualys VMDR in 2021 with the major objective of accelerating vulnerability management and compliance.
Since that time, we have realized measurable value from the solution. Some of the results include:
- Deploying the Qualys Cloud Agent to 50,000 IT endpoints across our global environment
- Slashing reporting tasks from weeks to minutes
- Enabling a 24/7 infrastructure view with real-time data
- Positioning the company for future expansion with high scalability
- Reducing critical and high-severity vulnerabilities by 55%
What Triggered the Proof of Concept?
As we gained maturity with Qualys VMDR 1.0, stakeholders noted four recurring challenges.
First, we recognized a need to quantify cyber risk for two audiences: our Board of Directors as well as internal security and IT teams. Second, while CVSS ratings are useful, we needed better prioritization – preferably by business risk posed to our specific environment. This would help close any gaps between our IT and Security teams to reduce risk, which was our third goal. Finally, there was a fourth objective we share with all enterprises our size, which is to find our blind spots before attackers do.
Features in Qualys VMDR 2.0 with TruRisk address all of these challenges, so we decided to engage in a Proof of Concept to see how the new risk-based service performed in Aflac’s global environment.
What Have We Learned from the PoC?
Aflac has gleaned several practical benefits during our two-month Proof of Concept using Qualys VMDR 2.0 with TruRisk. These include:
- Aflac Risk Score – a dashboard instantly visualizes our global risk posture based on risk to the business. Results can be tailored for the audience, such as board members versus security practitioners
- Prioritize the unprioritized – identified CVEs we would have never prioritized with our CVSS algorithm-based approach since they were classified as medium or low severity vulnerabilities
- Focus on what matters most – TruRisk starts our focus on the critical CVSS CVEs and further prioritizes those based on Qualys Detection Score (QDS)
- Transparency is a game changer – with limited resources for remediation, we value earlier justification for newly prioritized vulnerabilities
- Move away from manual processes – VMDR 2.0’s API integration with ServiceNow ITSM helps us truly close the gap between IT and security
Our Next Steps
The Proof of Concept has validated feature claims by Qualys and quickly resulted in valuable new benefits for Aflac. Having VMDR 2.0 with TruRisk is really helping us identify the most critical risks for our specific business, in our unique environment. The automation it enables is making our teams more efficient, spending a lot less time on managing spreadsheets and more time and effort on higher-value work like penetration testing, identifying blind spots, and taking steps to reduce risk.
Going forward, we’re looking at TruRisk to help enable cybersecurity leaderboards. These will help incentivize business units to measure risks across their peers and reduce overall risks. Automation with ServiceNow ITSM will free up resources to refocus security posture management. Eventually we plan to consolidate threat intelligence tools by leveraging Qualys threat intelligence to reduce licensing costs from redundant threat intelligence tools.
Read more about how Aflac uses Qualys: see the case study.