Cyber attacks have a direct impact on the bottom line, yet most organizations lack the visibility and understanding to manage IT risk from the business perspective. This presentation is from a webcast where a panel of experts examined how to shift from viewing IT risk in bits and bytes to having an impact on critical applications in the data center. - Learn why and how more organizations are beginning to move ownership of IT risk to the business - Understand how to aggregate and score vulnerabilities associated with data center applications and their associated physical or virtual servers - Learn about the integration between Qualys and AlgoSec that enables business stakeholders to “own the risk”

1. Managing Risk and Vulnerabilities
in a Business Context

2. Corey Bodzin
VP of Product Management
Qualys
Nimmy Reichenberg
VP of Strategy
AlgoSec
Kevin Beaver
CISSP
Principle Logic, LLC

3. Tennyson would be impressed…
• NVD 60,865 CVEs since 1999
• 7,322 published in 2013 alone
• 385 Severity 5’s published by Qualys in 2013
• 4 iDefense Exclusive Zero-Day vulnerabilities in
just February alone!

4. “Risk and the accountability for risk
acceptance are — and should be —
owned by the business units creating
and managing those risks.”
- Paul Proctor, VP, Distinguished Analyst

5. Severity Threat Path Analysis Asset Tagging
CriƟcal ≠ Important
Assume everything is
“Hackable”
VERY difficult to maintain
with pace of change

6. By
server/
device
22%
By network
segment
30%
By business
application
48%
What is your ideal method for prioritizing
network vulnerabilities?
Source: Examining the Impact of Security
Management on the Business, AlgoSec, Oct 2013

7. The Impact of the Cloud and SDN
on IT Risk and Policy Management

8. Integration between
Qualys and AlgoSec

9. QualysGuard Integrated Suite
of Security & Compliance Solutions
*In Beta
Vulnerability
Management
Policy
Compliance
Customizable
Questionnaires
PCI
DSS
Web Application
Scanning
Malware
Detection
Web Application
Firewall
Web Application
Log Analysis
Continuous
Monitoring
* **
Asset
Management
* *

10. Qualys Drives Visibility
VMware ESX and ESXi
Physical
Scanners
Browser
Plugins
Mobile
Agents
Virtual
Scanners
Hypervisor
IaaS/PaaS
Perimeter
Scanners

11. Analysis Drives Action
Who is the owner?
What business processes does it support?
Are there regulatory requirements?
Who is the last logged on user?
Is there customer data present?
What is the SLA for patching?
Physical
Scanners
Mobile
Agents

12. Firewall
Analyzer
Security Policy
Analysis & Audit
FireFlow
Security Policy
Change Automation
BusinessFlow
Business Application
Connectivity MgmtBusiness
Applications
Security
Infrastructure
Application Owners
AlgoSec Security Management Suite
SecurityNetwork Operations
AlgoSec Security Management Suite

13. Next Steps and Q&A
Security Policy
Management in the
Data Center for
Dummies:
Available at
www.algosec.com
Read Kevin’s Books, blogs and
columns at
www.principlelogic.com/resources
and
blog.algosec.com/author/kbeaver
Follow Kevin’s musings on
Twittter at @kevinbeaver
Request an Evaluation of the
AlgoSec Suite:
www.algosec.com/eval
Visit us at
www.qualys.com
QualysGuard Free Trial
www.qualys.com/trials
For future webcasts visit us at
www.qualys.com/webcasts

14. Managing Risk and Vulnerabilities
in a Business Context