Manulife Outsources VM Scanning
Print Issue: October 2011
A growing number of organizations are using vulnerability management (VM) solutions to scan their networks for weaknesses and assist with updating and remediation processes. One way organizations have been doing this is with an in-the-cloud VM solution from Qualys.
An example is Manulife Financial, which is based in Canada and has offices across North America, Europe, and Asia. Manulife had been doing VM scanning before it started using Qualys earlier this year, but its approach had been disjointed and decentralized, according to Steve Hurley, Manulife’s director of global information security risk management, who spoke on the topic at a recent Gartner security summit in Washington, D.C.
The company relied on local IT directors to run VM scans and to report back to the central office, said Hurley. Each office had different software, which also meant that Hurley was spending too much time fixing and maintaining those separate VM solutions.
Hurley said he wanted a solution that could be run in a more consistent manner across the company’s offices and that could create standardized, easy-to-understand reporting.
The company chose a handful of IT professionals to research a new solution, and the team examined three main options. One option was to have an in-house solution, which would involve building off the company’s existing VM capabilities. The second was an open source solution, and the third was the in-the-cloud option from Qualys. One reason Manulife decided to look at Qualys was that it had been given positive reviews by several consulting firms, said Hurley.
One downside to both the in-house and the open source solutions was that both would require Manulife to purchase additional hardware and to spend considerable time training in-house staff, he said. And with the open source solution in particular, the company wasn’t exactly “sure what to expect.”
As an in-the-cloud solution, Qualys would require lower expenditures on hardware and labor. The vendor promised at least 99 percent uptime and offered advanced reporting capabilities that could benefit IT managers and higher-level executives. Qualys also offered comprehensive scanning. In addition to scanning network devices such as firewalls, routers, and computers, it could do Web application scanning, for example.
Getting started with Qualys was relatively simple, Hurley said. The process involved providing Qualys with information, including ranges of Internet Protocol addresses needed for the scanning process. One of the most time-consuming aspects of implementation was showing IT managers how to use the system and what their responsibilities would be in terms of scanning, reporting, and remediation.
Early in the process, it became clear how important it was for Manulife to have a strong sense of its “network assets,” Hurley said. That presented a challenge. It can be hard for organizations, particularly decentralized ones, to know about all their devices, he said. Manulife IT directors spent considerable time using software solutions to generate a comprehensive picture of devices on the network.
Scanning the network for vulnerabilities is only the first step, however. Qualys has also proven useful in helping IT managers follow up on remediating vulnerabilities, Hurley said. Identified weaknesses are often accompanied by links and other data that can help IT managers implement patches and updates.
The service has delivered on its promise of reliability. “We haven’t noticed any significant issues” regarding service so far, Hurley said. And when needed, customer service has been highly responsive, he added, facilitated by a 24-hour, seven-day-a-week helpdesk.