Many years ago, when I first started my career in network security as a support engineer, I received a phone call from a customer. (Let’s call him “Frank.”) He used our vulnerability scanner as a consultant for his own customers, and he was concerned that the scanner came back with 0 results. After reviewing his setup, I easily discovered the answer.

“Here’s the problem: you’re not using credentials to gain access to your customer’s assets.”

“No, that can’t be. I’ve used your product for over a year and never use credentials but always receive results back.”

“Well, sometimes you’ll gain enough access to pull some low-level vulns. But in this case, we weren’t able to get any access at all. Without credentials, you aren’t seeing the true vulnerability state of your targets.”

“So you’re telling me that for the last year, I’ve given wrong information to every one of my customers?”

“Yep.”

“Uh-oh.”

Uh-oh, indeed, Frank. See, he bought our software, but he didn’t take the time to properly learn how it works, and in doing so, he gave bad information to his customers for a year about their vulnerability status. During my last 17 years at four different security companies, I’ve seen similar scenarios play out with some of my customers. Buying the software is the easy part. Learning how to use it, or best deploy it, is the often-missed part.

When your salesperson sells you our software, they may talk to you about purchasing some additional services such as our Professional Services team (to best deploy it), Tripwire Remote Operations or ExpertOps (to help run it), or Technical Account Management (to help manage it). You may have turned them down. After all, you’ve been in security 10 years. Your team