Compliance Combines with Vulnerability Scanning to Create Aegify

Two security firms, the established Rapid7 vulnerability manager and eGestalt, a cloud-based compliance management provider, have signed an OEM deal that will do something for the IT security industry that hasn’t been done before: a combination security and compliance posture management offering called Aegify SPM.
The SPM stands for Security Posture Management, and eGestalt of Santa Clara defines SPM as “the art and science of monitoring and managing business security status by orchestrating process, people, and technological resources to achieve security objectives.”
SPM is about identifying IT assets, evaluating their risks based on known vulnerabilities, then calculating the impact of these threats. These threats are then mapped directly to a set of regulatory compliance frameworks, whether for PCI or HIPAA, where the final output can be used to initiate appropriate countermeasures, eventually bringing the company into compliance.
Inside the Aegify SPM power train is the Rapid7 Nexpose vulnerability technology. Nexpose has a long history with 2,000 enterprises and government agencies using their wares. It must be doing something right. It can sniff out 31,800 vulnerabilities and it conducts more than 92,000 vulnerability checks that comprise
discovery, detection, verification, risk classification and mitigation. Impact analysis and reporting, like most of these security tools, are par for the course.
Riding on top of Nexpose and serving as the interface and compliance imperative is eGestalt’s own SaaS software called SecureGRC, which as the name implies, does governance and risk management by applying a compliance imperative on 400 regulations such as PCI, HIPAA/HITECH, SOX, FISMA, and GLBA.
The integration of these two programs has created a patent-pending system designed by eGestalt that can automatically map security vulnerabilities to popular compliance mandates, thereby automating the task of security posture management and compliance management. The tool can import data from other scanners as well.
A cool feature is how it provides a sequenced remediation roadmap with time estimates for each task.
Who among us likes to deal with government regulatory pressure?  Most companies do nothing but stand in the middle of the shooting range and “hope it won’t happen to me.” They hope no auditor will come knocking. It should be pointed out that ignorance is no excuse.
eGestalt President Anupam Sahai, who holds two master’s degrees from MIT’s Sloan School, claims the combination of Nexpose with his compliance driver eliminates manual work and is “10 to 20 times more cost-effective than any other competing solution.” He thanks the beauty of SaaS for those kind of savings.
Going to the cloud with this “all hands on deck” threat management approach can be a smart way to isolate trouble brewingacross physical and virtual networks, operating systems, databases and Web applications.
Whatever peace of mind you get out of this will be high, knowing that the Feds can’t disrupt your business with their eager probing.
That alone is worth something.

By Michelle Drolet, founder and CEO, Towerwall
Special to Infosec Island
This article was recently published in Infosec Island