For Kevin Hickey, the importance and necessity of what his company, BeyondTrust, does is nothing new—he’s been a part of the software and security industry since the early eighties. Further, he knows how breaches happen and how much more likely they are to happen these days. What is new is how many other businesses now understand this, too. “Customers are saying, ‘Look, we know we have vulnerabilities; we know we’re going to be breached … help us try to keep them out and minimize the damage if they do get in,’” Hickey says.
As it happens, BeyondTrust is all about handling both requests. The company is able to continuously monitor physical, virtual, mobile, and cloud environments—and then layer in privileged account management (PAM) to reduce internal threats, plus vulnerability management to mitigate external threats.
The company actually started out as a few different companies: Hickey’s eEye Digital Security—a vulnerability management pioneer—was acquired by BeyondTrust in May 2012. Since then, the computer security landscape has shifted considerably. “When we combined the companies, and started integrating PAM and vulnerability management under a central platform, we had a lot of analyst types saying ‘sounds like a good marketing message, but we don’t think much of it,’” he recalls. “But then the Snowden thing happened.”
“The Snowden thing,” of course, is Edward Snowden and his highly publicized 2013 disclosure of classified documents while working as an NSA contractor. The privileges he had, coupled with the fallout from his actions, stirred up issues that many organizations didn’t even consider in the past. “Before that story broke, matters related to employee access to IT systems might’ve come up once a year at a board meeting,” Hickey says. “Nowadays, I guarantee this is part of the discussion at every single board meeting.”
Breaches, privileges, compliance—terms like these are now part of the mainstream as businesses go about determining not if they need protection, but how much protection they need. Information, as well as the intelligence to use it properly, is at a premium, and Hickey feels BeyondTrust is superior at handling privilege and vulnerability management in a very practical manner. “What we’re doing that is very unique is taking both internal and external risk information, and supplying it to companies to help them make better decisions about their security environments,” he says, adding that it would essentially take six different security companies to cover all the services offered by BeyondTrust.
Furthermore, according to Hickey, none of BeyondTrust’s competitors are capable of integrating least privilege across desktops and servers, privileged password management, and vulnerability management. What BeyondTrust has is an analytics engine that correlates data from across these solutions to provide its customers with intelligence that serves both their specific role within the organization and their security initiatives. It shows what employees are and aren’t allowed to access, sets off alerts and/or lockdowns based on asset vulnerability profiles, and provides a single dashboard for analyzing and acting on internal and external threats. “We want to make sure that, without interrupting anyone’s workday, everyone has the rights to get to anything they need to get to do their job,” Hickey stresses. “But no more than that.”
The idea is for BeyondTrust’s products to provide everyone in a given environment—administrators included—with the same minimized rights, while escalating the rights to the application side. In doing so, intelligence is given to chief security officers, boards, and tech administrators, and a safer environment prevails.
At a time when security awareness is high, but the ability to pinpoint and minimize risk is not, it is little wonder why BeyondTrust is such a success. “What we’ve done is create a dashboard telling customers ‘if you fix these ten problems (and they range depending on the customer), you’ll reduce your risk by X percent,’” Hickey says. “That’s very valuable. That’s the key.”