McAfee Vulnerability Manager remediates system vulnerabilities and mitigates risks at CSU, Chico

At California State University, Chico (CSU, Chico), popularly known as “Chico State,” the Information Security Office (ISEC) is tasked with protecting the university’s more than 500 servers, databases, and applications across 15 different operating systems. Like all universities and corporations, CSU, Chico’s network faces daily security threats that can lead to disruption in operations, loss of critical data, or worse. Back in March 2005, for instance, CSU, Chico made national headlines when a campus server was illegally accessed by computer hackers, compromising information on 59,000 people.

Needed: priority-based risk management at department and campus level
In 2006, vulnerability assessments were limited to centrally managed servers using Nessus, an open source vulnerability scanning application maintained by Tenable Network Security. Nessus provided basic port scanning, operating system and application fingerprinting, and basic reporting. It had serious limitations, however. For instance, it did not allow for automatic scan scheduling or custom reporting.

Nessus also provided little information for risk management and strategic planning. “While every system, vulnerability, and threat competes for our server administrators’ attention, they are not equally important,” says Jason Musselman, information security analyst in the CSU, Chico Information Security Office. “Our resources to deal with vulnerabilities and threats will always be limited, so we needed a way to prioritize risks, taking into account the importance of the system, severity of the vulnerability, and criticality of the threat.”

Although CSU, Chico needed to be able to centrally administer vulnerability scanning policies and run periodic campus-wide scans, it also needed to empower its 75 server administrators to schedule their own scans and remediate vulnerabilities. Furthermore, because the majority of these server administrators are not trained IT professionals, any new solution had to be easy to use and provide assistance in remediating vulnerabilities. In short, the university’s goal was to implement a comprehensive, enterprise vulnerability management system (VMS) across all 500 CSU, Chico servers—not just centrally managed ones—that would be managed primarily by server administrators.

Eight critical VMS requirements
As it began its search for a VMS, CSU, Chico had eight key selection criteria. The solution needed to provide: automatic asset inventory, asset prioritization, a comprehensive operating system and application vulnerability database, remediation steps, role-based administration, multi-level reporting, trend analysis, and flexible scan scheduling. After a four-month evaluation of the top three solutions, CSU, Chico selected McAfee Vulnerability Manager.

“McAfee Vulnerability Manager outperformed the other solutions, particularly in trend analysis and reporting,” says Musselman. “With the number of vulnerabilities on computer systems continuing to increase, we felt that built-in techniques and reporting to aggregate information and streamline the decision-making process were essential.”

Using McAfee Vulnerability Manager also gives CSU, Chico a common security risk management platform. The university has relied on McAfee anti-virus and anti-spyware technology for several years to protect 2,000 faculty and staff desktops. Now CSU, Chico leverages the McAfee ePolicy Orchestrator® (ePO™) management console to not only manage the anti-virus and anti-spyware solutions, but to ensure the integrity of its server asset inventory in Vulnerability Manager as well.

"By enabling a priority-based approach to managing our network security risk, McAfee Vulnerability Manager has enabled CSU, Chico to significantly mitigate risk and improve our overall security risk posture."

Jason Musselman
Technical Security Analyst, CSU, Chico

Increased risk visibility at all levels
“Before we implemented McAfee Vulnerability Manager, we had no way of knowing how vulnerable or secure our servers really were,” Musselman says. “Now we do. Using the Vulnerability Manager executive dashboard, the server administrator, system owner, or auditor can view the security status of a system at any time.” McAfee Vulnerability Manager administrators and executive users can track key statistics, compare departments, and even check on individual platforms to ensure that risk exposure is minimized and systems are in compliance.

Faster time to remediation and risk mitigation
With the McAfee Vulnerability Manager Threat Correlation Module, CSU, Chico’s up-to-the-minute threat intelligence feeds from McAfee Avert® Labs include a risk rating that correlates the emerging threats with asset and vulnerability information already gathered from the university’s systems by the vulnerability appliances. “The threat correlation information helps us pinpoint vulnerable systems and target our response to where it matters most. This allows us to manage or eliminate threats often before others have even heard about them,” says Musselman.

When vulnerabilities are discovered, McAfee Vulnerability Manager also provides clear steps that CSU, Chico server administrators need to take to remediate them and mitigate risk. For instance, unpatched systems are identified and prioritized so critical flaws may be immediately addressed. With this information, server administrators can assess, remediate, and audit campus information systems much faster.

Time savings for server administrators and IT management
With the Nessus scanning application, server administrators had to manually kick off scans. CSU, Chico had to hire a part-time technician simply to scan all the centrally managed servers. Prior to implementing Vulnerability Manager, aggregating scan data was a nearly impossible task, requiring hours of painstaking work; now all it takes is the click of a mouse.

With McAfee Vulnerability Manager, administrators spend less time scheduling vulnerability scans, as well as less time analyzing vulnerabilities, researching remediation steps, and producing reports for management. Less time is spent collating data into relevant metrics, gathering reports, and analyzing exceptions.

Improved risk analysis and decision making
The Vulnerability Manager Threat Correlation Module enables both ISEC and server administrators to identify and analyze historical trends that aid in decision making. For instance, if trend analysis from system scans shows that a vulnerability issue is occurring repeatedly on a certain system, the server administrator can use that information to ask the system vendor to help fix the problem.

Not long after implementing McAfee Vulnerability Manager, trend analysis of perimeter scans showed a vulnerability in the way that many server administrators were using the remote desktop protocol to perform administrative functions on their servers from off campus. Knowing this, ISEC opted to block that form of access and require the server administrators to use a Virtual Private Network connection—a much more secure means of remote access.

Result: improved security risk posture
“By enabling a priority-based approach to managing our server security risk, Vulnerability Manager has enabled CSU, Chico to significantly mitigate risk and improve our overall security risk posture,” adds Musselman. On the servers managed by Vulnerability Manager, 1,739 vulnerabilities were eliminated in the first six months after implementation. Since pilot testing, CSU, Chico has rolled out Vulnerability Manager to 60 percent of its servers. Even with only 60 percent managed by Vulnerability Manager, the university’s overall FoundScore (a security risk rating that compares key aspects of the network infrastructure against IT best practices to assess overall network security health) has increased from 58 to 78—or 34 percent.

California State University, Chico

Customer profile

University in Northern California with 17,000 students, faculty, and staff

Industry

Higher education

IT environment

CSU, Chico has more than 500 servers, databases, and applications across 15 different operating systems

Challenges

CSU, Chico needed a comprehensive enterprise vulnerability management system that could be managed primarily by its 75 departmental server administrators—many of whom are not IT professionals

McAfee solution

  • McAfee Vulnerability Manager
  • McAfee VirusScan® Enterprise
  • McAfee AntiSpyware Enterprise
  • McAfee ePolicy Orchestrator (ePO)

Results

  • Increases risk visibility at department and campus level, enabling snapshot of security status at any time
  • Accelerates time to remediation by providing clear remediation steps for systems administrators to follow
  • Reduces time scheduling vulnerability scans and preparing and analyzing reports
  • Improves and accelerates decision making by providing user-friendly metrics, graphical reports, and trend analysis
  • Improves overall security risk posture