iScan – 2013 Industry Innovators: Analysis and Control
Date: Dec 16, 2013
Guest post: from the December 2013 issue of SC Magazine
It’s the people, stupid! That probably is stretching the Clinton campaign slogan a bit, but in the case of iScan Online it really fits. The founder of iScan is none other than one of the founders of another fine innovator, Saint. And it’s no surprise that both companies are in the vulnerability assessment game. There is one huge difference between them, though. Saint is a professional tool for professional penetration/vulnerability testers, and a very fine one it is, too. iScan Online is a vulnerability assessment tool for the rest of us.
The innovator who put this together, one Billy Austin (from Dallas), introduced us to this service about a year ago. We’ve been watching it and it has grown. Austin certainly knows how to turn a phrase, and when he told us about the functionality his service has – web-based, self-service vulnerability scanning, complete visualization of endpoints, 60 seconds or less to run regardless of the number of endpoints, and scans inside of OST and PST email files to name just a few – all for the price of a Chicken McNugget, we were hooked, if a tiny bit skeptical. A deeper dive into how it does what it does convinced us that this really is a sterling example of forward-thinking innovation.
iScan Online works by executing a small script to run a small binary that sits on the endpoint. The script can be set to run using Active Directory, for example. The endpoint basically is scanning itself, and that’s how iScan achieves such remarkably fast scan times. The endpoint does not do any analysis, though; all of that is done from the cloud. The service produces first-rate HTML reports that are simplified so that managers can get the important information quickly and accurately, and they are presented in terms of solutions, not problems. This puts the reports directly in the actionable information class, rather than the obscure reporting that often is seen. PCI scans, PAN scans (to identify credit card info that is not secured), and vulnerability scans all are available.
This is a potential killer app in the vulnerability management domain. One huge benefit we see is that it is accessible to small and midsized businesses based on its reasonable cost and its ease of use. That’s good news because those are exactly the businesses that usually are considered low-hanging fruit by the bad guys. Oh, and those mobile device endpoints? Don’t worry. They’re covered too.