Armor Anywhere with Cloud Security Posture Management (CSPM) lets clients continuously inventory and assess the security and compliance of their public cloud services as per industry standard benchmarks and regulatory mandates (e.g. NIST, FEDRAMP, CIS).
The Qualys CloudView app extends Qualys’ relationship with Armor. Qualys Cloud Agents are already embedded and fully integrated with the Armor platform to deliver asset discovery and inventory, plus vulnerability assessment, including configuration controls, threat prioritization and patch detection. This integration now provides compliance and monitoring of public cloud workloads to Armor customers.
“The Qualys Cloud Platform is highly scalable and easily integrates with Armor’s security and compliance platform,” said Mark Woodward, CEO of Armor. “The addition of Qualys CloudView allows us to further accelerate compliance outcomes and protect customers from intentional and accidental risks in their public clouds.”
“As a leading security provider, Armor is a trusted advisor helping companies to secure their hybrid cloud environments,” said Philippe Courtot, chairman and CEO of Qualys. “This expanded partnership enables Armor to further extend visibility into public cloud services to easily manage continuous compliance and risk for their customers.”
The new integration allows security and DevOps teams to set up automated security scans of container artifacts in Artifact Registry, now generally available. Qualys Container Security scanning will assess all images for software inventory, vulnerabilities and misconfigurations, and provide a unified view across multiple Google Cloud regions.
Customers can then leverage the Qualys security posture API of these container images for automation of security workflows like container deployments in Google Cloud Build or integrating with DevOps ticketing systems.
“Google Cloud’s Artifact Registry provides a convenient fully-managed service that allows customers to have a central repository for all their software artifacts,” said Philippe Courtot, CEO, Qualys.
“Now, with our new integration, customers can quickly adopt this artifact management offering from Google Cloud in their DevOps pipeline with seamless container security built-in from Qualys.”
“It’s important that DevOps and IT teams are able to deliver software quickly and securely, and we’re excited that Qualys is integrating its container security capabilities with Google Cloud’s Artifact Registry,” said Juan Sebastian Oviedo, Product Manager at Google Cloud.
Qualys Container Security
Built on the Qualys Cloud Platform, Qualys Container Security discovers, tracks and secures containers from build to runtime. Container Security continuously flags and responds to security and compliance issues in containers across your hybrid IT environment.
The addition of runtime protection extends these capabilities, delivering full, granular visibility into running containers and the ability to enforce policies that govern containers’ behavior.
As a result, you can immediately detect and act upon containers drifting from their parent images and potentially creating a security risk due to vulnerabilities or misconfigurations.
Qualys Container Runtime Security: Defense for containerized applications
Qualys Runtime Container Security, once instrumented in the image, will work within each container irrespective of where the container is instantiated and does not need any additional administration containers. This new solution addresses, in real time, container security use cases like critical file-access monitoring and blocking, network micro-segmentation, vulnerability and exploit mitigation, and virtual patching.
iStorage launches diskAshur M2, a portable PIN authenticated, hardware encrypted SSD
The diskAshur M2 is iStorage’s smallest, lightest, fastest and most rugged FIPS compliant encrypted portable SSD and includes connectivity for both USB type A and C ports. The new diskAshur M2 SSD encrypts data using FIPS PUB 197 validated, AES-XTS 256-bit hardware encryption and uniquely incorporates a Common Criteria EAL4+ ready secure microprocessor, which employs built-in physical protection mechanisms.
Ermetic’s platform provides full stack visibility and control over multi-cloud infrastructure entitlements
By analyzing identity and access management (IAM) policies as well as the configuration of network, storage and secrets assets, Ermetic eliminates attack surface blind spots and enables organizations to enforce least privilege across their entire cloud infrastructure.
McAfee launches MVISION XDR, a cloud-based advanced threat management solution
MVISION XDR improves security operations centers (SOC) effectiveness with quick risk mitigation and delivers total cost of ownership (TCO) for threat response with the inclusion of MVISION Insight’s proactive threat analytics.
SailPoint updates its SaaS identity platform to accelerate enterprises’ identity processes
SailPoint announced a series of planned updates to its SaaS identity platform to enable enterprises to automate important identity processes that match the speed and pace of today’s dynamic business environment. The new features, which include role insights and access request recommendations, leverage machine learning algorithms to deliver on the SailPoint Predictive Identity vision.
Qualys announced Container Runtime Security, which provides runtime defense capabilities for containerized applications. This new approach instruments an extremely lightweight snippet of Qualys code into the container image, enabling policy-driven monitoring, detection and blocking of container behavior at runtime. This capability eliminates the need for cumbersome management of sidecar and privileged containers by security solutions that are difficult to manage and administer on host nodes and don’t work in container-as-a-service environments.
Qualys announced the immediate availability of Qualys Multi-Vector EDR. Taking a new multi-vector approach to Endpoint Detection and Response (EDR), Qualys now brings the unified power of its highly scalable cloud platform to EDR.
“Qualys Multi-Vector EDR provides our Infosec team with actionable visibility into our endpoints in terms of detecting malicious hashes provided by intelligent agencies as well as detecting potential malicious attacks through authorized processes, to keep our company assets secure.
“Bringing together asset management, vulnerability risk management and EDR through a single agent on a single console is very powerful and will help us reduce risk and secure our environment,” said Valentin Pashkov, head of IT Security at IKANO Bank.
“Qualys is entering the EDR space with an attractive offering — one particularly for companies that place a high priority on vulnerability management. This is therefore an opportunity for the vendor to expand its footprint within its installed base.
“Unfortunately, not all organizations have such a focus. Nevertheless, weaving in threat intelligence enables Qualys to combine in-house context and vulnerability management-driven prioritization with external context (i.e., the global threat landscape), representing an opportunity to achieve something greater than the majority of the market to date,” said Mark Child, research manager, European Security, IDC.
“We are proud to deliver Multi-Vector EDR to customers and extend into the detection and response market,” said Philippe Courtot, chairman and CEO of Qualys.
“Multi-Vector EDR is a truly groundbreaking offer that brings context and correlates billions of global events with threat intelligence, analytics and machine learning results to stop sophisticated multi-vector attacks.
“The combination of Qualys Vulnerability Management, Detection and Response (VMDR®) and Multi-Vector EDR allows us to provide a single end-to-end workflow that helps companies greatly reduce the time to respond and allows for the consolidation of their security stack.”
Qualys Multi-Vector EDR
Leveraging the Qualys Cloud Platform and the Cloud Agent to link vulnerability and visibility to EDR uniquely delivers a holistic approach that provides context beyond the endpoints to reduce false positives and streamline threat hunting. Qualys Multi-Vector EDR allows:
- Instant, real-time discovery of endpoints and their risk profile for continuous EDR monitoring across the enterprise.
- Prioritization of suspicious activities correlated with external threat intelligence and the context of other security vectors such as exploitable vulnerabilities, misconfigurations, and unapproved applications.
- Multi-tiered response capabilities to mitigate immediate risk and orchestration to natively patch and remediate endpoints to reduce the attack surface.
On this September 2020 Patch Tuesday:
- Microsoft has plugged 129 security holes, including a critical RCE flaw that could be triggered by sending a specially crafted email to an affected Exchange Server installation
- Adobe has delivered security updates for Adobe Experience Manager, AEM Forms, Framemaker and InDesign
- Intel has released four security advisories
- SAP has released 10 security notes and updates to six previously released notes
Microsoft has released patches for 129 CVEs, 23 of which are “critical”, 105 “important”, and one “medium”-risk (a security feature bypass flaw in SQL Server Reporting Services). None of them are publicly known or being actively exploited.
Trend Micro Zero Day Initiative’s Dustin Childs says that patching CVE-2020-16875, a memory corruption vulnerability in Microsoft Exchange, should be top priority for organizations using the popular mail server.
“This patch corrects a vulnerability that allows an attacker to execute code at SYSTEM by sending a specially crafted email to an affected Exchange Server. That doesn’t quite make it wormable, but it’s about the worst-case scenario for Exchange servers,” he explained. “We have seen the previously patched Exchange bug CVE-2020-0688 used in the wild, and that requires authentication. We’ll likely see this one in the wild soon.”
Another interesting patch released this month is that for CVE-2020-0951, a security feature bypass flaw in Windows Defender Application Control (WDAC). Patches are available for Windows 10 and Windows Server 2016 and above.
“This patch is interesting for reasons beyond just the bug being fixed. An attacker with administrative privileges on a local machine could connect to a PowerShell session and send commands to execute arbitrary code. This behavior should be blocked by WDAC, which does make this an interesting bypass. However, what’s really interesting is that this is getting patched at all,” Childs explained.
“Vulnerabilities that require administrative access to exploit typically do not get patches. I’m curious about what makes this one different.”
Many of the critical and important flaws fixed this time affect various editions of Microsoft SharePoint (Server, Enterprise, Foundation). Some require authentication, but many do not, so if you don’t want to fall prey to exploits hidden in specially crafted web requests, pages or SharePoint application packages, see that you install the required updates soon.
Satnam Narang, staff research engineer at Tenable, pointed out that one of them – CVE-2020-1210 – is reminiscent of a similar SharePoint remote code execution flaw, CVE-2019-0604, that has been exploited in the wild by threat actors since at least April 2019.
CVE-2020-0922, an RCE in Microsoft COM (Component Object Model), should also be patched quickly on all Windows and Windows Server systems.
He also advised organizations in the financial industry that use Microsoft Dynamics 365 for Finance and Operations (on-premises) and Microsoft Dynamics 365 (on-premises) to quickly patch CVE-2020-16857 and CVE-2020-16862.
“Impacting the on-premise servers with this finance and operations focused service installed, both exploits require a specifically created file to exploit the security vulnerability, allowing the attacker to gain remote code execution capability. More concerning with these vulnerabilities is that both flaws, if exploited, would allow an attacker to steal documents and data deemed critical. Due to the nature and use of Microsoft Dynamics in the financial industry, a theft like this could spell trouble for any company of any size,” he added.
Jimmy Graham, Sr. Director of Product Management, Qualys, says that Windows Codecs, GDI+, Browser, COM, and Text Service Module vulnerabilities should be prioritized for workstation-type devices.
Adobe has released security updates for Adobe Experience Manager (AEM) – a web-based client-server system for building, managing and deploying commercial websites and related services – and the AEM Forms add-on package for all platforms, Adobe Framemaker for Windows and Adobe InDesign for macOS.
The AEM and AEM Forms updates are more important than the rest.
The Adobe Framemaker update fixes two critical flaws that could lead to code execution, and the Adobe InDesign update five of them, but as vulnerabilities in these two offerings are not often targeted by attackers, admins are advised to implement them after more critical updates are secured.
None of the fixed vulnerabilities are being currently exploited in the wild.
Intel took advantage of the September 2020 Patch Tuesday to release four advisories, accompanying fixes for the Intel Driver & Support Assistant, BIOS firmware for multiple Intel Platforms, and Intel Active Management Technology (AMT) and Intel Standard Manageability (ISM).
The latter fixes are the most important, as they fix a privilege escalation flaw that has been deemed to be “critical” for provisioned systems.
SAP marked the September 2020 Patch Tuesday by releasing 10 security notes and updates to six previously released ones (for SAP Solution Manager, SAP NetWeaver, SAPUI5 and SAP NetWeaver AS JAVA).
Patches have been provided for newly fixed flaws in a variety of offerings, including SAP Marketing, SAP NetWeaver, SAP Bank Analyzer, SAP S/4HANA Financial Products, SAP Business Objects Business Intelligence Platform, and others.
Traditional endpoint detection and response (EDR) solutions focus only on endpoint activity to detect attacks. As a result, they lack the context to analyze attacks accurately.
In this interview, Sumedh Thakar, President and Chief Product Officer, illustrates how Qualys fills the gaps by introducing a new multi-vector approach and the unifying power of its Cloud Platform to EDR, providing essential context and visibility to the entire attack chain.
How does Qualys Multi-Vector EDR differ from traditional EDR solutions?
Traditional EDR solutions focus only on endpoint activity, which lacks the context necessary to accurately analyze attacks and leads to a high rate of false positives. This can put an unnecessary burden on incident response teams and requires the use of multiple point solutions to make sense of it all.
Qualys Multi-Vector EDR leverages the strength of EDR while also extending the visibility and capabilities beyond the endpoint to provide a more comprehensive approach to protection. Multi-Vector EDR integrates with the Qualys Cloud Platform to deliver vital context and visibility into the entire attack chain while dramatically reducing the number of false positives and negatives as compared with traditional EDR.
This integration unifies multiple context vectors like asset discovery, rich normalized software inventory, end-of-life visibility, vulnerabilities and exploits, misconfigurations, in-depth endpoint telemetry and network reachability all correlated for assessment, detection and response in a single app. It provides threat hunters and incident response teams with crucial, real-time insight into what is happening on the endpoint.
Vectors and attack surfaces have multiplied. How do we protect these systems?
Many attacks today are multi-faceted. The suspicious or malicious activity detected at the endpoint is often only one small part of a larger, more complex attack. Companies need visibility across the environment to effectively fully understand the attack and its impact on the endpoint—as well as the potential consequences elsewhere on their network. This is where Qualys’ ability to gather and assess the contextual data on any asset via Qualys Global IT Asset Inventory becomes so important.
The goal of EDR is detection and response, but you need a holistic view to do it effectively. When a threat or suspicious activity is detected, you need to act quickly to understand what the information or indicator means, and how you can pivot to take action to prevent any further compromise.
How can security teams take advantage of Qualys Multi-Vector EDR?
Attack prevention and detection are two sides of the same coin for security teams. With current endpoint tools focusing solely on endpoint telemetry, security teams end up bringing in multiple point solutions and threat intelligence feeds to figure out what is happening in their environment.
On top of it, they need to invest their budget and time in integrating these solutions and correlating data for actionable insights. With Qualys EDR, security teams can continuously collate asset telemetry such as process, files and hashes to detect malicious activities and correlate with natively integrated threat intel for prioritization score-based response actions.
Instead of reactively taking care of malicious events one endpoint at a time, security teams can easily pivot to inspect other endpoints across the hybrid infrastructure for exploitable vulnerabilities, MITRE-based misconfigurations, end-of-life or unapproved software and systems that lack critical patches.
Additionally, through native workflows that provide exact recommendations, security and IT teams can patch or remediate the endpoints for the security findings. This is an improvement over previous methods which require handshaking of data from one tool to another via complex integrations and manual workflows.
For example, Qualys EDR can help security teams not only detect MITRE-based attacks and malicious connections due to RDP (remote desktop) exploitation but can also provide visibility across the infrastructure. This highlights endpoints that can connect to the exploited endpoint and have RDP vulnerabilities or a MITRE-mapped configuration failure such as LSASS. Multi-Vector EDR then lets the user patch vulnerabilities and automatically remediate misconfigurations.
Thus, Qualys’ EDR solution is designed to equip security teams with advanced detections based on multiple vectors and rapid response and prevention capabilities, minimizing human intervention and simplifying the entire security investigation and analysis process for organizations of all sizes.
What response strategies does Qualys Multi-Vector EDR use?
Qualys EDR, with its multi-layered, highly scalable cloud platform, retains telemetry data for an active and historical view and natively correlates it with multiple external threat intelligence feeds. This eliminates the need to rely on a single malware database and provides a prioritized, risk-based threat view. This helps security teams hunt for threats proactively and reactively with unified context of all security vectors, reducing alert fatigue and helping security teams concentrate on what is critical.
Qualys EDR provides comprehensive response capabilities that go beyond traditional EDR options, like killing processes and network connections, quarantining files, and much more. In addition, it uniquely orchestrates responses such as preventing future attacks by correlating exploitable-to-malware vulnerabilities automatically, patching endpoints and software directly from the cloud and downloading patches from the vendor’s website, without going through the VPN bandwidth.
BT Security has announced the key partners that it will work with going forward to provide industry-leading managed security services to customers. The decision follows BT’s largest-ever appraisal of its security suppliers, and a comprehensive review of the security vendor ecosystem as a whole.
BT’s decision to refine its security partner base was driven by the recognition that many of its customers find it difficult to navigate today’s complex security landscape.
The huge range of suppliers and products in the market can be bewildering, and lead to the adoption of multiple overlapping systems. This in turn can render security estates difficult to manage, burdened with unnecessary costs and, ultimately, with lower overall levels of protection.
BT Security is reflecting its customers’ desire to reduce complexity by having a leaner set of partners and clearly laying out its view of the best providers for specific security requirements.
The confirmed partners were agreed following a detailed evaluation of their respective capabilities across all security control and threat management technologies. The final selection provides BT’s view of the security market’s leading providers, who will support a harmonized portfolio of solutions to its customers going forward.
Kevin Brown, Managing Director of BT Security, said: “Our new security partner ecosystem showcases the benefits of BT Security as a Managed Security Services Provider. We’re able to use our deep experience and insight of the security ecosystem to help our customers navigate what can be an incredibly confusing market.
“We’re also ensuring that BT Security customers will benefit from working with the best suppliers from across the security industry.”
McAfee, Palo Alto Networks and Fortinet were selected as BT Security’s ‘Critical Partners’. Each of those companies will provide a range of services and products that will be incorporated into BT Security’s global portfolio, as well as providing holistic support to its commercial and operational activities.
BT Security will also work with these partners to develop a roadmap of security solutions which continue to reflect evolving customer demands and integrate the latest developments in security automation.
Lynn Doherty, Executive Vice President of Global Sales and Marketing at McAfee, said: “We’re proud to partner with BT to fight against cybercrime and accelerate new business environments for our customers as they look for more solution integrations, deeper engagement and faster modernization efforts.
“Together through our strategic service provider partners, like BT, McAfee is able to deliver world class security services that enable organizations to evolve their defenses into areas like Secure Access Service Edge (SASE) and Extended Detection and Response (XDR).”
Alex Zinin, VP, Global Service Provider Business at Palo Alto Networks, said: “We’ve been working closely with BT Security for several years to bring innovative cybersecurity solutions to our joint customers.
“We are honored to be selected as one of their critical partners to continue this close collaboration, in recognition of the breadth of our security capabilities across multiple market segments. This comes at a time when it’s never been more essential for communications and security to be closely aligned to help all organisations with staff working remotely.
“We look forward to working together as we strive to make each day safer and more secure than the one before.”
John Maddison, Executive Vice President of Products and Chief Marketing Officer at Fortinet, said: “Digital Innovation is disrupting all industries, markets, and segments, leading to increased risk as cyber threats take advantage of this disruption.
“To protect against known advanced threats as well as unknown sophisticated attacks, Fortinet enables organizations to apply security anywhere and protect all edges – including WAN, cloud, data center, endpoint, identity, and home – while reducing the number of required products to save costs and remove complexity.
“We’re proud to partner with BT Security to help customers address the most critical security challenges and protect data across the entire digital infrastructure.”
Microsoft, IBM and Cisco were all confirmed as ‘Strategic Partners’ for BT Security. This categorization reflects not only their relationship with BT Security, but also their broader activities and remit across the whole of BT.
BT Security also confirmed a further nine ‘Ecosystem Partners’, who will be incorporated into its global portfolio of solutions for customers due to their complementary technology capabilities. These partners are Skybox, Forescout, Zscaler, Check Point, CrowdStrike, Okta, Qualys, Netscout and F5.
Through deeper strategic relationships, BT Security and its partners will work together to provide better customer experience and protection, while those selected partners will also be BT Security’s main collaborators as they look to develop future customer solutions.
BT Security will regularly review the partnerships to monitor the latest vendor developments, while continuing to assess the wider industry for new and emergent security companies and technologies.
Qualys unveils Multi-Vector EDR, a new approach to endpoint detection and response
Traditional EDR solutions singularly focus on endpoints’ malicious activities to hunt and investigate cyberattacks. Qualys’ multi-vector approach provides critical context and full visibility into the entire attack chain to provide a comprehensive, more automated and faster response to protect against attacks.
McAfee MVISION Cloud now maps threats to MITRE ATT&CK
With the introduction of ATT&CK into McAfee MVISION Cloud, there is no longer the need to manually sort and map incidents to a framework like ATT&CK or to learn and operationalize a separate framework for cloud threats and vulnerabilities, which can be cumbersome and time consuming – especially as cloud-native threats become more abundant.
Amazon Fraud Detector: Use machine learning in the fight against online fraud
Amazon Fraud Detector is a fully managed service that makes it easy to quickly identify potentially fraudulent online activities like online payment and identity fraud. With just a few clicks in the Amazon Fraud Detector console, customers can select a pre-built machine learning model template, upload historical event data, and create decision logic to assign outcomes to the predictions.
Veritas is unifying data protection, from the edge to core to cloud
Veritas Technologies introduced new innovations to its Enterprise Data Services Platform to help customers reduce risk, optimize cost, strengthen ransomware resiliency, and manage multi-cloud environments at scale. With the launch of NetBackup 8.3, Veritas empowers enterprise customers by improving the resiliency of their applications and infrastructure regardless of the context.
Sonrai Dig maps relationships between identities and data inside public clouds
Sonrai Security announced the Governance Automation Engine for Sonrai Dig, re-inventing how customers ensure security in AWS, Azure, Google Cloud and Kubernetes by automatically eliminating identity risks and reducing unwanted access to data.
Pulse Zero Trust Access simplifies management and mitigates cyber risks
Pulse Zero Trust Access simplifies access management with single-pane-of-glass visibility, end-to-end analytics, granular policies, automated provisioning, and advanced threat mitigation that empowers organizations to further optimize their increasingly mobile workforce and hybrid IT resources.
CyberStrong platform updates allow customers to dynamically manage their risk posture
The updates reinforce CyberSaint’s mission to enable organizations to manage cybersecurity as a business function by enabling agility, measurement, and automation across risk, compliance, audit, vendor, and governance functions for information security organizations.
Qualys has acquired the software assets of Spell Security, an endpoint detection and response start-up.
This acquisition further strengthens Qualys’ security and threat research, advances endpoint behavior detection capabilities, and brings rich telemetry to the Qualys Cloud Platform. In addition, Spell’s deep knowledge of threat hunting and adversary techniques provides unique defense capabilities and analysis addressing the multi-vector threats customers are now faced with.
“The entire Spell Security team and I are thrilled to be part of such a pioneering and innovative cybersecurity company. Qualys’ approach to delivering a unified cloud platform with all the information needed for protection, detection and response at your fingertips is well ahead of anything we’ve seen. This groundbreaking approach allows expert Threat Hunters, who are in great demand, to respond more effectively to the most sophisticated attacks. Thus, drastically reducing the time to respond,” said Rajesh Mony, founder and CTO of Spell Security. “We look forward to continuing to bring new technologies and capabilities to the Qualys Cloud Platform and its new integrated Multi-Vector EDR offering.”
As with all Qualys acquisitions, key Spell Security employees have joined Qualys, including founder Rajesh Mony as CTO, Malware Detection Solutions.
“Spell Security’s thought leadership blended with their immense talent and experience delivers great value for our organization. The Spell Hunt Platform and hunting reports give Hughes Systique actionable visibility into our endpoints for malicious activities. With Spell Hunt Reporting, our Infosec team receives the much-needed information to keep our company assets secure. Bringing together asset management, vulnerability risk management and multi-vector EDR into a single console is very powerful. I can’t wait to look at the new Qualys Multi-Vector EDR offering,” said Bhupinder Singh, AVP, Hughes Systique Corporation.
The Spell Security team has a very strong background in threat hunting and breach investigations, which enables them to incorporate this experience directly into a powerful EDR platform built from the threat hunter’s point of view.
The Spell Security Platform will help Qualys Multi-Vector EDR customers with:
- Deep malware threat research and reverse engineering expertise
- Additional niche agent data-collection techniques to detect malicious activities
- Continuous collection of host telemetry as well as MITRE-based detections across the endpoints through powerful in-house security and threat research
- Ability to automatically correlate telemetry with the context of historical threat events through a powerful anomaly detection and reporting engine
- Incident investigation and response instrumentation based on threat models
With native integration of Spell Security hunting and reporting capabilities on the Qualys platform, Qualys Multi-Vector EDR will enable security teams to detect and hunt for high fidelity threats, gain the full context of the attack path with powerful correlation of all security vectors for investigation and prioritization of security incidents, and respond appropriately to eliminate the root cause of the incident.
“Spell Security delivers outstanding malware and threat research capabilities, front line experience investigating security incidents and data breaches, and powerful triage-driven threat hunting capabilities,” said Philippe Courtot, chairman and CEO of Qualys. “Adding their technology to the Qualys Cloud Platform enables us to further strengthen our security and threat research, advanced endpoint behavior detection and provide customers with enhanced telemetry for even greater visibility, which helps them respond to threats more quickly. We welcome Spell Security to the Qualys family.”
Qualys today announced Qualys Multi-Vector EDR. Taking a new multi-vector approach to Endpoint Detection and Response (EDR), Qualys now brings the unifying power of its highly scalable cloud platform to EDR.
Traditional EDR solutions singularly focus on endpoints’ malicious activities to hunt and investigate cyberattacks. Qualys’ multi-vector approach provides critical context and full visibility into the entire attack chain to provide a comprehensive, more automated and faster response to protect against attacks.
Multi-Vector EDR enables security teams to unify multiple context vectors like asset and software inventory, end-of-life visibility, vulnerabilities and exploits, misconfigurations, network traffic summary, MITRE ATT&CK tactics and techniques, malware, endpoint telemetry, and network reachability by leveraging the Qualys backend to correlate with threat intelligence for accurate detection, investigation and response, all in a single, cloud-based app with a single lightweight agent.
Qualys Multi-Vector EDR overview
Cloud Agent Telemetry Collection – Widely deployed Qualys cloud agents have been enhanced to collect large amounts of telemetry that is sent to the Qualys Cloud Platform on a real-time basis allowing deep analysis in the shortest timeframe. This approach helps customers eliminate an additional EDR agent on their endpoints.
Multi-Vector Detection – Leveraging the highly scalable data lake as part of the Qualys Cloud Platform, security analysts can quickly correlate additional vectors like software inventory, patch levels, vulnerability threat intelligence, and misconfigurations with endpoint telemetry like file, process, registry, network and mutex data. This approach eliminates the need for threat hunters to access multiple security solutions for context.
Investigate and Prioritize – By augmenting in-house MITRE ATT&CK-based detections with other context vectors enriched with third-party threat feeds, security teams can receive real-time alerts, investigate and prioritize security incidents, and threat hunt via intuitive workflows that take into account asset criticality and network attack paths.
Respond and Prevent – Qualys Multi-Vector EDR uses multi-layered response strategies to remediate threats and mitigate the risk in real time. In addition to traditional EDR response actions, Qualys Multi-Vector EDR orchestrates workflows for patching exploitable vulnerabilities and remediating misconfigurations across the environment to prevent attacks on other endpoints. To augment Multi-Vector EDR, endpoint protection capabilities like anti-malware/anti-virus are being added to the agent in Q4 2020.
“Qualys Multi-Vector EDR gives a broader view beyond the endpoint, which is necessary to eliminate false positives and more effectively prevent lateral movement. This is possible because Qualys Multi-Vector EDR is native to the cloud platform and collects vast amounts of telemetry from multiple sensors while capturing network information. The Qualys Cloud Agent, combined with the highly scalable Cloud Platform and forthcoming Incident Response capabilities, offers a unique opportunity for MSSPs to consolidate their managed services technology stack and orchestrate the appropriate response for faster and effective protection,” said Vishal Salvi, Chief Information Security Officer at Infosys.
“Qualys Multi-Vector EDR represents a major extension to both the Qualys Cloud Platform and our agent technology,” said Philippe Courtot, chairman and CEO of Qualys. “Adding context and correlating billions of global events with threat intelligence, analytics and machine learning results in a truly groundbreaking approach to EDR that not only stops sophisticated multi-vector attacks, but also automatically orchestrates the appropriate response all from a single solution, thus greatly reducing the time to respond while drastically reducing cost.”
Qualys today announced the appointment of Ben Carr as Chief Information Security Officer (CISO). Ben is responsible for providing cybersecurity guidance and security strategies to Qualys customers, leading the CIO/CISO Interchange, developed in partnership with the Cloud Security Alliance, and securing Qualys as he leads the internal risk and security efforts to reduce the company’s risk and security exposure while ensuring compliance across the world.
Commenting on the new role, Ben stated, “It is a pleasure and honor to join Qualys as I have been a customer on multiple occasions and a competitor. As a result, I can appreciate Qualys’ unique ability to innovate. I have watched Qualys expand its native cloud-based vulnerability management solution into a highly scalable cloud platform that enables companies of any size to attain 360-degree visibility to secure their digital transformation initiatives and address the issue of security solution spread by providing a single integrated cloud platform that can also be delivered as a private cloud.”
“I look forward to using my background as an experienced CISO to help customers, particularly as they deploy the newest and groundbreaking Qualys VMDR offering (Vulnerability Management, Detection and Response) and the forthcoming EDR (Endpoint Detection and Incident Response), increase security and compliance, streamline security workflows, prioritize threats, automate responses and reduce costs. Qualys is uniquely positioned for growth and success as the security industry finally fully embraces the shift toward cloud technologies. I am delighted to be part of the team that can make that happen,” Carr concluded.
“Ben has been a Qualys customer since our early days in 2008, and he has a history of providing thoughtful insights to us as part of the Qualys Customer Advisory Board. He is technology-driven and brings unique experience as a long-term transformative security executive of a large financial company addressing millions of vulnerabilities. It is with great pleasure that we welcome Ben to the team,” said Philippe Courtot, chairman and CEO of Qualys.
“Ben’s vast IT and security experience and customer perspective, including his familiarity with Qualys solutions, will be instrumental as we continue to expand the Qualys Cloud Platform and accelerate the growth of our company.”
Ben is a proven information security and risk executive and thought leader with more than 25 years of experience in executing long-term security strategies. Most recently, Ben was the CISO of Aristocrat, a global games leader, and before that, he held executive strategic leadership roles at Cyberbit and Tenable.
From 2012 to 2016, he was the senior director of Global Information Security for Visa, where he developed and led Visa’s global Attack Surface Management team and capability. Earlier in his career, he led all security programs for Nokia corporate IT as the Global Head of IT Security.
In this interview for Help Net Security, Shailesh Athalye, VP Compliance at Qualys, discusses cloud-based Remote Endpoint Protection and illustrates how security teams can leverage its numerous features.
Qualys recently added malware detection to its cloud-based Remote Endpoint Protection offering. How does it work?
As you know, because of the recent surge in the remote workforce, the security of remote hosts is top of mind for security teams. It became immediately apparent, when the majority of hosts shifted to remote, that traditional enterprise security solutions deployed inside the organization’s network were utterly ineffective in protecting these remote endpoints, due to the sheer volume of remote hosts connecting over VPNs. What would happen when those remote computers needed to be updated? It would be impractical to deliver thousands of security updates and malware updates via the VPN, over limited bandwidth.
Architecturally superior cloud security solutions like Qualys are well positioned to address the need for protecting remote computers as we could connect directly to the cloud over the internet without the need to route a large volume of traffic through the VPN gateways.
We’re pleased with the reception the offer has garnered, and we have had more than 700 companies registering for the offer. And we didn’t stop there – as we realized we could give customers additional protections by adding the ability to detect malware – and that is the piece that we’ve just announced.
Powered by the Qualys Platform and Cloud Agent, malware detection uses file reputation and threat classification to detect known malicious files on endpoints, servers, and cloud workloads. As a result, security practitioners can respond more quickly to malware on employees’ systems.
What makes Qualys Remote Endpoint Protection unique?
In general, cloud-based security services have an advantage as they connect directly to the cloud over the internet without routing a large volume of traffic through the VPN gateways for assessing vulnerabilities and for applying patches. What’s unique about the Remote Endpoint Protection Offering is that it gives companies:
1. Visibility into what devices are connecting inside their network and what resources the devices are connecting to.
2. Assessment of vulnerabilities, malware and security configurations on remote hosts, in applications such as Microsoft Office, the Google Suite of products, VPN software and conferencing solutions such as Zoom or Webex.
3. Detection of malicious files and processes often missed because a company’s anti-virus tools are only pushed to remote computers connected to the VPN.
4. Prioritization of patches by correlating them with vulnerabilities, as well as applying patches directly from the solution vendor’s content delivery networks via the internet, without putting pressure on the VPN and available bandwidth due to the size of the patches.
Not only does Qualys address remote endpoint issues, but we do so with one solution providing a continuous and integrated view of remote endpoint inventory, critical vulnerabilities, misconfigurations and now malware to speed remediation while enabling remote patching. This functionality is seamlessly integrated into one solution.
This approach is a first in the industry as previously companies would cobble together a solution for detecting vulnerabilities, one for patching and another for malware detection. While it did the job, it was complicated, clunky and the data was not consolidated for a true picture of the risk.
What does the process of integrating Qualys Remote Endpoint Protection into an existing security architecture look like?
Remote Endpoint Protection is easily enabled through the Qualys Cloud Platform and Cloud Agent. And like all Qualys Apps, it is self-updating, centrally managed and tightly integrated with other apps in the platform. The Cloud Agent continuously communicates and syncs up collected data with the Qualys platform, including pushing the latest vulnerability signatures and vendor patches. All of this it does without the need for a VPN or internal network bandwidth.
Qualys applications cover a broad swath of functionality in areas such as IT asset management, IT security, web app security and compliance monitoring. All apps are based on the same platform, share a common UI, feed off of the same scanners and agents, access the same collected data, and leverage the same user permissions. This lowers the complexity of usage while maintaining a high level of access control throughout the organization.
How can security teams leverage the features of Qualys Remote Endpoint Protection?
The Qualys Remote Endpoint Protection service is extremely easy to enable for customers who already have deployed the lightweight Qualys Cloud Agents. Once the customer signs up for the service, their existing subscription will have workflows and capabilities enabled for remote endpoint security assessment and patching.
The free, updated, Qualys Remote Endpoint Protection offer allows security teams to leverage the lightweight Qualys Cloud Agent to:
- Identify and inventory all remote endpoints including hardware and the applications they are running in real time
- Ensure remote systems are secure with a real-time view of all critical vulnerabilities, malware and misconfigurations impacting the OS and applications
- Decrease remediation response time by automatically correlating required patches with identified vulnerabilities, and prioritizing detected malware
- Deliver patches and respond to malware from the cloud within hours with one click, and all without using the limited bandwidth available on VPN gateways
Inventory of collaboration tools across remote endpoints
A simple query tags impacted remote hosts with the “CollaborationTools” asset tag for Zoom vulnerabilities.
To help prioritize patching effort, users are provided with a complete view of all vulnerabilities in collaboration and productivity applications across their remote endpoints.
Enabling trending via the dashboard widgets allows users to track specific trends in their environment, such as the Zoom vulnerability in the example, by importing the pre-configured Zoom Vulnerabilities Dashboard.
One of the other key aspects of securing remote computers is their configuration hygiene, ensuring that you harden the security settings of the technologies you are using on the remote computers. You can easily manage your security hygiene and configurations with the Remote Endpoint Protection service.
Qualys Malware Detection, integrated with the Remote Endpoint Protection offering and powered by the Qualys Platform and Cloud Agent, uses file reputation and threat classification to detect known malicious files on remote endpoints. As a result, organizations can respond more quickly to malware ultimately increasing their overall security posture.
In summary, with the recent remote endpoint surge, the attack surface of organizations has expanded beyond just the ‘crown jewels’, as weak remote hosts can compromise the security of the organization and could result in a data breach.
Qualys Remote Endpoint Protection allows security teams to gain instant and continuous visibility of remote hosts in terms of their vulnerabilities, correlated patches, malware and security hygiene issues. Security teams will be able to prioritize missing patches for critical vulnerabilities and deploy them directly from the cloud.
The patches are delivered securely and directly from vendors’ websites and content delivery networks to ensure there is little to no impact on internet connectivity or the bandwidth of the organization.
The Malware Detection capability integrated in remote endpoint protection detects malware missed by anti-virus and classifies malware into threat categories and malware families to prioritize incident response. We encourage companies to sign up for the free 60-day trial.
Qualys Remote Endpoint Protection gets malware detection, free for 60 days
Powered by the Qualys Platform and Cloud Agent, malware detection in Remote Endpoint Protection uses file reputation and threat classification to detect known malicious files on endpoints, servers, and cloud workloads. As a result, customers can respond more quickly to malware ultimately increasing their overall security posture.
Nets Passport Reader: Bridging the gap between physical ID documents and digital identification
Demand for digital identification is growing rapidly and will likely only increase, given the current worldwide focus on social distancing. The Nets Passport Reader offers a simple, easy-to-use and secure way to authenticate a person remotely, even without an electronic ID.
DFLabs IncMan SOAR’s novel capabilities help successfully transition the OT-IT convergence
By creating a common platform where IT and OT work together, IncMan SOAR acts as a connective tissue between these two departments which allows them to collect information about the nature of the cyber attack quickly, assign the right person to make appropriate decisions, generate accurate KPIs, and pursue common objectives in an all-in-one platform.
Aruba ESP: Predicting and resolving problems at the network edge before they happen
Built on AIOps, Zero Trust network security, and a Unified Infrastructure for campus, data center, branch and remote worker locations, Aruba ESP delivers an automated, all-in-one platform that continuously analyzes data across domains, ensures SLAs, identifies anomalies and self-optimizes, while seeing and securing unknown devices on the network.
WatchGuard Firebox T Series firewalls: Heightened HTTPS throughput, security services, SD-WAN
WatchGuard announced the release of new Firebox T Series tabletop firewall appliances. WatchGuard’s new T20, T40 and T80 Fireboxes equip small, home and midsize office environments with the advanced performance required to support business-critical internet speeds and a broad range of enterprise-grade security services delivered in a compact form factor.
Qualys, a pioneer and leading provider of cloud-based IT, security and compliance solutions, announced the appointment of Joo Mi Kim as Chief Financial Officer (CFO). Kim will take over from current CFO Melissa Fisher who will depart at the end of the month.
An accomplished leader in financial and strategic planning for technology companies, Joo Mi will play a critical role in leading Qualys to its next stage of growth. She will have worldwide responsibility for all elements of the company’s finance organization, including finance, accounting, investor relations, treasury and tax.
“I’m delighted to be back at Qualys, especially at this time when its innovative cloud platform, product roadmap, and financial strength have well positioned the company to leverage the global enterprises’ massive shift to cloud-based solutions,” said Joo Mi Kim.
“I look forward to working with the executive team and continuing to scale the finance function to support the Company’s highly profitable growth.”
“It is with great pleasure that I welcome Joo Mi back to the Qualys team,” said Philippe Courtot, chairman and CEO of Qualys.
“During her past tenure at Qualys, Joo Mi built the foundation of Qualys’ financial systems and processes. This knowledge, coupled with her extensive finance and investor expertise, will be instrumental as we continue to expand the Qualys Cloud Platform and grow the company.”
Joo Mi brings over 15 years of combined experience in financial planning and operations, investor relations, investment banking, and economic consulting. Most recently, she served as CFO of Impact, a leader in partnership automation, and prior to that was CFO at Aera Technology, an enterprise SaaS company.
From 2016 to 2018, Joo Mi served as the vice president of FP&A and Investor Relations at Qualys. She holds a bachelor’s degree in economics from the University of Chicago and an MBA from The Wharton School of the University of Pennsylvania.
Commenting on Melissa Fisher’s departure, Courtot noted, “We would like to thank Melissa for her many contributions to Qualys and her leadership of the Qualys finance team over the past four years. In fact, Melissa, working with Joo Mi, was a key architect of building our business analytics capabilities and sharing the results with investors to explain the disruptive nature of the powerful cloud platform we have been building over time and of our corresponding business model. We wish her much success in her new position.”
Qualys researchers have found a way to exploit a previously known (and very old) vulnerability in Qmail, a secure mail transport agent, to achieve both remote code execution (RCE) and local code execution.
The Qmail RCE flaw and other vulnerabilities
In 2005, security researcher Georgi Guninski unearthed three vulnerabilities in Qmail, which – due to its simplicity, mutually untrusting modules and other specific development choices made by its creator Daniel J. Bernstein – is still widely regarded as one of the most secure pieces of software out there.
At the time, Bernstein pointed out that the vulnerabilities (CVE-2005-1513, CVE-2005-1514, CVE-2005-1515) could not be exploited in a default Qmail installation as “the memory consumption of each qmail-smtpd process is severely limited by default”, so they were never addressed.
But Qualys researchers recently decided to audit the security of the software again, and discovered that the three vulnerabilities also affect the qmail-local process, which is reachable remotely and is not memory-limited by default, ergo the flaws can be exploited.
“We investigated many qmail packages, and *all* of them limit qmail-smtpd’s memory, but *none* of them limits qmail-local’s memory,” they added.
“As a proof of concept, we developed a reliable, local and remote exploit [for CVE-2005-1513] against Debian’s qmail package in its default configuration. This proof of concept requires 4GB of disk space and 8GB of memory, and allows an attacker to execute arbitrary shell commands as any user, except root (and a few system users who do not own their home directory).”
They said they will publish their PoC exploit in the near future.
They’ve also unearthed two vulnerabilities in qmail-verify, a third-party qmail patch that is not part of Qmail but is included in Debian’s qmail package and other Qmail forks: a mail-address verification bypass (CVE-2020-3811) and a local information disclosure bug (CVE-2020-3812).
Bernstein stopped developing Qmail in 1998. The last stable release of the software is v1.03.
Since then, it has been forked (s/qmail, netqmail, notqmail) and “patched” (third-party “patches” added new features to it), and implemented in third-party platforms.
Bernstein told Qualys that he runs each qmail service with a low memory limit and recommends the same for other installations. This limit can be configured in the startup scripts of all qmail services and foils the exploitation of all the flaws discovered in 2005 by Guninski.
Qualys wrote a patch for Debian’s qmail package that fixes the qmail-verify issues and all three 2005 CVEs in Qmail – the latter by hard-coding a safe, upper memory limit in the alloc() function.
An updated version (v1.50) of qmail-verify with the issues fixed is available for download and, according to Qualys, “the developers of notqmail have written their own patches for the three 2005 CVEs and have started to systematically fix all integer overflows and signedness errors in qmail.”
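The two mitigations the article describes, a memory limit on the process and a hard upper bound inside the allocator, as an added illustration that is neither qmail’s code nor Qualys’ patch: a capped allocator with overflow-safe size arithmetic, plus an in-process RLIMIT_AS limit mirroring the startup-script approach. The function names (capped_alloc, checked_mul, apply_address_space_limit) and the 32 MiB cap are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>

/* Constructed cap: the most bytes this allocator will ever have outstanding.
 * The value is an assumption for the example, not qmail's figure; it is far
 * below the multi-gigabyte heap the Qualys proof of concept needed. */
#define ALLOC_LIMIT ((size_t)32 * 1024 * 1024)  /* 32 MiB */

static size_t alloc_total = 0;  /* bytes currently handed out */

/* Bytes currently outstanding, exposed for monitoring and tests. */
size_t capped_outstanding(void) { return alloc_total; }

/* Multiply an element count by an element size without wrapping.
 * Returns 1 and stores the product on success, 0 on overflow. */
int checked_mul(size_t count, size_t elem, size_t *out) {
    if (elem != 0 && count > SIZE_MAX / elem) return 0;
    *out = count * elem;
    return 1;
}

/* Convert a signed count (as older C code often carries it) into a byte
 * size. A negative count is a signedness error and is rejected instead of
 * silently becoming a huge unsigned request. */
int checked_bytes(long count, size_t elem, size_t *out) {
    if (count < 0) return 0;
    return checked_mul((size_t)count, elem, out);
}

/* Hardened allocator: refuses any request that would push the process past
 * ALLOC_LIMIT. The subtraction form cannot wrap because alloc_total never
 * exceeds ALLOC_LIMIT, whereas alloc_total + bytes could. */
void *capped_alloc(size_t bytes) {
    if (bytes > ALLOC_LIMIT - alloc_total) return NULL;
    void *p = malloc(bytes ? bytes : 1);
    if (p != NULL) alloc_total += bytes;
    return p;
}

/* Release memory and return the bytes to the budget. Callers pass the size
 * they allocated; the example keeps no per-block header. */
void capped_free(void *p, size_t bytes) {
    if (p == NULL) return;
    free(p);
    alloc_total -= (bytes <= alloc_total) ? bytes : alloc_total;
}

/* Process-level limit: cap the address space from inside the program, the
 * same effect the article attributes to the memory limit set in qmail's
 * startup scripts. Returns 0 on success, -1 on failure (see errno). */
int apply_address_space_limit(size_t bytes) {
    struct rlimit rl;
    rl.rlim_cur = bytes;
    rl.rlim_max = bytes;
    return setrlimit(RLIMIT_AS, &rl);
}

int main(void) {
    size_t bytes = 0;
    /* A count that wraps when multiplied is refused before any allocation. */
    printf("wrap check refused: %d\n", checked_mul(SIZE_MAX / 2 + 1, 4, &bytes) == 0);
    /* A negative count is refused as a signedness error. */
    printf("sign check refused: %d\n", checked_bytes(-1, 16, &bytes) == 0);
    /* An honest 16 KiB request fits under the cap... */
    checked_bytes(1024, 16, &bytes);
    void *p = capped_alloc(bytes);
    printf("16 KiB: %s, outstanding %zu\n", p ? "ok" : "refused", capped_outstanding());
    /* ...but a request larger than the cap does not, whatever the host RAM. */
    void *q = capped_alloc(ALLOC_LIMIT + 1);
    printf("over-cap request: %s\n", q ? "ok" : "refused");
    capped_free(p, bytes);
    return 0;
}
```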
Qualys, a pioneer and leading provider of cloud-based security and compliance solutions, announced that Qualys Container Security is immediately available and Qualys Vulnerability Management will be available within a month in Microsoft Azure Security Center.
This solution leverages the embedded Qualys Cloud Agent and Qualys Container Sensors to build Vulnerability Management automation into the CI/CD pipeline as well as real-time visibility into running virtual instances.
The solution automatically analyzes virtual machines and container images in Azure, providing customers visibility into vulnerabilities and configuration issues. Any discovered vulnerabilities are reported to Azure Security Center as recommendations, including the ability to create playbooks for one-click remediation with no software to deploy or update.
“Security is undergoing a fundamental transition, led by the digital transformation and the adoption of DevOps. Since our founding in 1999, Qualys’ vision has been that security must be woven into the fabric of the cloud,” said Philippe Courtot, chairman and CEO of Qualys.
“We are delighted to work with Microsoft to achieve this vision, which is a major milestone for the industry. Now, Microsoft Azure developers and customers have real-time visibility to secure and remediate cloud workloads at a click of a button with built-in orchestration as well.”
“Security is in the DNA of all products at Microsoft, and we believe in integrating security into everything we do. We share these beliefs with Qualys, and that is why we have collaborated to integrate their established vulnerability management and container security solutions directly into Microsoft Azure Security Center,” said Bharat Shah, corporate vice president at Microsoft Security.
The capability is currently available to all Azure Security Center customers for virtual machines and Azure Kubernetes Services.
In order to help global organizations of all sizes address cybersecurity during the COVID-19 pandemic, a number of vendors provide free (time-limited) access to their solutions.
All of the offers below are available immediately, and they cover a number of areas. Vendors are listed alphabetically, and all require registration.
Armorblox – Free email protection
Armorblox made its fully-featured email security platform free for businesses that have between 100 and 2,000 employees until April 30th and will reassess the situation for potential extensions beyond that.
Awake Security – Free platform access
Bugcrowd – Free access to Vulnerability Disclosure Program and Attack Surface Analysis
If you represent an emergency service, healthcare, or other care provider helping to manage the unprecedented COVID-19 situation, Bugcrowd are offering you free access to their Vulnerability Disclosure Program and Attack Surface Analysis for the next 90-days.
BullGuard – Free Small Office Security license
Dynatrace – Free access to Software Intelligence Platform
Dynatrace is providing new users with extended, free trial access to the Dynatrace Software Intelligence Platform, through May 19, 2020. In addition, new users will receive free access to the Dynatrace Real User Monitoring (RUM) for SaaS vendor experience, through September 19, 2020.
ERMProtect – Free security awareness training
ERMProtect is providing free access to its Security Awareness Training for 3 months. Organizations can access two animated training modules that teach employees to spot phishing attacks and work safely online from home – a particularly relevant module as employees shift to working remotely.
Foresite – Free emergency cybersecurity services
Foresite, a managed security and cyber-consulting services provider, are offering free cybersecurity services for small to medium enterprises: free external vulnerability scan, free phishing awareness campaign for up to 250 users, free firewall monitoring and management for 30 days, and more.
GreatHorn – Free email protection
GreatHorn will provide 60 days of free, unrestricted access to the GreatHorn Email Security platform to give business leaders and employees peace of mind as they navigate changes to work and business operations during the pandemic.
Qualys – Free remote endpoint protection
Qualys is offering instant security assessments, visibility and remote computer patching for corporate and personal computers – free for 60 days. The solution allows security teams to gain continuous visibility of remote computers, see missing patches for critical vulnerabilities and deploy them from the cloud.
SentinelOne – Free platform access
SentinelOne Core is available free of charge through Friday, May 16, 2020, enabling enterprises to secure remote work. SentinelOne’s cloud-based platform scales, making it well suited to protect both businesses and employees transitioning to a work-from-home environment, whether they are using corporate or personal devices.
Signavio – Trial for collaborative crisis resilience and people management
StorONE – Free enterprise storage platform
StorONE is providing its S1 Enterprise Storage Platform at no cost to any organization impacted by COVID-19 until June 30, with healthcare and scientific research facilities at the center of the pandemic response granted free use through October.
Sucuri – Medical service providers can get a year of Sucuri WAF for free
Sucuri is offering a year of their Web Application Firewall (WAF) service to medical service providers. Sucuri’s WAF is frequently updated with the latest and emerging threat definitions to block DDoS and other attacks by bad actors.
SyncDog – Free trial of Secure.Systems
SyncDog announced free access to their Trusted Mobile Workspace application. Secure.Systems delivers a suite of mobile productivity applications that encrypt corporate data and can be integrated into any existing mobile device on any carrier.
Votiro – Free Disarmer for Email
Votiro’s advanced email attachment sanitization solution – Disarmer for Email – is free through the end of the year to help reduce organizations’ security risk. Rest assured knowing your workforce’s email attachments are safe from any known and unknown threats.
In this podcast, Prateek Bhajanka, VP of Product Management, Vulnerability Management, Detection and Response at Qualys, discusses how you can significantly accelerate an organization’s ability to respond to threats.
Qualys VMDR enables organizations to automatically discover every asset in their environment, including unmanaged assets appearing on the network, inventory all hardware and software, and classify and tag critical assets. VMDR continuously assesses these assets for the latest vulnerabilities and applies the latest threat intel analysis to prioritize actively exploitable vulnerabilities.
Here’s a transcript of the podcast for your convenience.
Hi everyone. This is Prateek Bhajanka, VP of Product Management, Vulnerability Management, Detection and Response at Qualys. Today I’m going to talk about the new concept that Qualys has introduced in the market. That is vulnerability management detection and response, which talks about the entire lifecycle of vulnerability management using a single integrated workflow in the same platform altogether.
Security is only as strong as the weakest link that you have in your organization. There could be so many assets and devices which are on the network, which are connected to the enterprise network, which are consuming your enterprise resources, which you may not even know of. You will not be able to secure anything that you do not know of. That’s the reason the VMDR concept picks up the problem of vulnerability management right from the bottom itself where it is helping you discover the assets which are connected, or which are getting connected to your enterprise network.
No matter whether it is getting connected using VPN, or locally, or through a network, as soon as a device is getting connected, it will be discovered by the sensors that are located in the network, which can tell you that these are the new assets which are connected, and then you can go about inventorying them. You can maintain the asset inventory of those devices. Then the next step is that if you look at performing vulnerability management, then you go ahead and perform vulnerability assessment, vulnerability management of those devices, the existing ones, the ones which are already discovered and the ones which are now getting discovered. Then identify all the vulnerabilities which are existing in those assets, and then, as it is perceived in the market, that vulnerability is a numbers game, but vulnerability management is no longer a numbers game.
The reason is, if you look at the statistics over the last 10 years, you would see that the total number of vulnerabilities which get discovered in a year, maybe let’s say 15,000 to 16,000 vulnerabilities that are getting discovered, out of those vulnerabilities, only a handful, like 1000 vulnerabilities, get exploited. That means the fraction of vulnerabilities which are getting exploited is not more than 10 to 12%. Let’s say that you have a thousand vulnerabilities in your organization, and even if you fixed 900 vulnerabilities, you cannot say that you have implemented vulnerability management effectively, because the remaining hundred vulnerabilities could be far riskier than the 900 vulnerabilities that you fixed, and the remaining hundred vulnerabilities that you left could be the vulnerabilities which are getting exploited in the wild.
Now we are bridging the gap and with the concept of VMDR, we are not just calculating these thousand vulnerabilities for you, but we are also helping you understand what hundred vulnerabilities are getting exploited in the wild using various formats. It could be malware, it could be ransomware, it could be nation-state attacks, it could be a remote code execution. So, what are the vulnerabilities that you should pay immediate attention to, so that you can prioritize your efforts because you have a limited amount of remediation effort, limited number of personnel, limited number of resources to work on vulnerability management, so that you would be able to focus on the areas which would be far more impactful than what it is today. So, right from asset discovery to asset inventory to vulnerability management, and then prioritizing those vulnerabilities on the basis of the threats which are active in the wild.
Right now, so far what we are doing is problem identification, but we may not be actually solving the problem. How to solve that problem? With the concept of VMDR, we are also adding response capabilities in the same platform, so that it is not just about identifying the problem and leaving it on the table, but it is also about going and implementing the fixes. If you see a particular vulnerability, you would also be able to see which particular patch can be implemented in order to remediate this particular vulnerability.
That kind of correlation from CVE to the missing patch tells you the exact patches that you need to deploy so that this particular vulnerability can be remediated. It also tells you the list of prioritized assets on the basis of various real-time threat indicators, on the basis of various attack surfaces.
Once you have the vulnerability data, while we are doing the scanning, you have a lot of asset context that you can use to filter the number of vulnerabilities. When I say that, you divide the context into two parts: internal and external. Your external context would be your threat intelligence feed that is coming from so many different sources, or which may be built into the platform itself. And this threat intelligence is an external context because it is not taking into account your asset context or your internal organization context. So this will help you identify the vulnerabilities which are getting exploited in the wild today, which are expected to get exploited in the wild, for which there is some kind of chatter going around on the dark web, and these are the vulnerabilities for which the exploits have been developed, the proof of concept is available, and so many things. This is very external.
Now, the internal context. Out of 1000 vulnerabilities, let’s say, on the basis of external context, you are able to prioritize or filter out 800 vulnerabilities, and now you’re left with 200 vulnerabilities. But how to go down further, how to streamline your efforts and prioritize your efforts?
Now comes the internal context. Whether this particular vulnerability is on a running kernel or a non-running kernel. Of course, I would like to focus my efforts on the running kernel first, because those are the kernels which would be exposed to any outsider. This is the asset context I would be putting in. What are the vulnerabilities which are already mitigated by the existing configuration? Let’s say, the BlueKeep vulnerability. BlueKeep is a vulnerability which is on port 3389. If the network devices, or if network level authentication, is already enabled on the network, that means I do not need to worry about the BlueKeep vulnerability.
If that is already enabled, I can also filter out those vulnerabilities on the assets which have been tagged as having the BlueKeep vulnerability. On the basis of all these many factors, whether this is remotely discoverable or not, because you will have to see the vulnerabilities which are remotely discoverable, they can be remotely discovered by the attackers also. That means it’s a priority that you should go ahead and fix those vulnerabilities first. On the basis of so many other internal context filters that are available with the VMDR concept and VMDR platform, you would be able to identify those vulnerabilities, those hundred vulnerabilities out of a thousand vulnerabilities, which you should pay immediate attention to.
With the click of a button which is available on the console, you would be able to go ahead and deploy the remediation measures from the console itself, so that the time to remediation is reduced to the minimum possible. And the ideal time to remediation, as our Chief Product Officer likes to call it, is zero, because the average number of days before a vulnerability gets exploited in the wild is getting reduced. And now the average number of days has come down to seven.
You cannot have a significant delay between when a vulnerability gets discovered and when it gets patched. All this, putting together everything right from asset discovery to asset inventory, to vulnerability management, then prioritizing on the basis of the threats which are active, and then going about remediating and fixing those problems. This is the concept of vulnerability management, detection and response.
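The two-stage prioritization the speaker describes (an external threat-intelligence pass, then internal asset-context filters, then the CVE-to-missing-patch correlation), as an added example that is not Qualys code or part of the original talk; the CVE and patch identifiers and the sample findings are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    """One vulnerability on one asset, with the context fields the talk names."""
    cve: str
    asset: str
    exploited_in_wild: bool = False      # external: threat intel says actively exploited
    exploit_available: bool = False      # external: PoC or weaponised exploit published
    running_kernel: bool = True          # internal: flaw is in the kernel actually booted
    mitigated_by_config: bool = False    # internal: e.g. NLA already on for an RDP flaw
    remotely_discoverable: bool = False  # internal: reachable by an unauthenticated scan


# Constructed CVE -> patch correlation (placeholder identifiers, not real advisories)
PATCH_FOR = {"CVE-EXAMPLE-0001": "KB-EXAMPLE-A", "CVE-EXAMPLE-0003": "KB-EXAMPLE-C"}


def external_context(findings):
    """Stage 1: keep only what threat intelligence flags as exploited or exploitable."""
    return [f for f in findings if f.exploited_in_wild or f.exploit_available]


def internal_context(findings):
    """Stage 2: drop what the environment already neutralises (non-running kernel,
    config-mitigated), then rank remotely discoverable and in-the-wild flaws first."""
    live = [f for f in findings if f.running_kernel and not f.mitigated_by_config]
    return sorted(live, key=lambda f: (not f.remotely_discoverable,
                                       not f.exploited_in_wild, f.cve))


def prioritize(findings):
    """Return (asset, cve, patch) work items in the order a team should act on them."""
    ranked = internal_context(external_context(findings))
    return [(f.asset, f.cve, PATCH_FOR.get(f.cve, "no patch mapped")) for f in ranked]


# Constructed sample findings, not real scan output.
SAMPLE = [
    Finding("CVE-EXAMPLE-0001", "rdp-host-1", exploited_in_wild=True,
            remotely_discoverable=True, mitigated_by_config=True),    # NLA on: filtered
    Finding("CVE-EXAMPLE-0001", "rdp-host-2", exploited_in_wild=True,
            remotely_discoverable=True),                              # top of the list
    Finding("CVE-EXAMPLE-0002", "db-server", exploit_available=True,
            running_kernel=False),                                    # kernel not booted
    Finding("CVE-EXAMPLE-0003", "laptop-7", exploit_available=True),  # PoC only, local
    Finding("CVE-EXAMPLE-0004", "web-1"),                             # no intel: drops
    Finding("CVE-EXAMPLE-0005", "web-1", exploited_in_wild=True),     # no patch mapped
]

if __name__ == "__main__":
    for asset, cve, patch in prioritize(SAMPLE):
        print(f"{asset:12} {cve:18} -> {patch}")
```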
Qualys announced a cloud-based remote endpoint protection solution at no charge to its customers for 60 days that allows IT and security teams to protect the computers of remote employees. It will initially be available for Qualys customers. Delivery to others will be prioritized based on their signup date.
The Qualys remote endpoint security solution allows security teams to leverage the lightweight Qualys Cloud Agent to:
- Complete an up-to-date inventory of all their remote endpoint hardware and the applications they are running
- Gain a real-time view of all critical vulnerabilities impacting the operating system and applications posing a risk to these devices
- Remotely patch these systems within hours from the cloud with one click of a mouse without using the limited bandwidth available on VPN gateways
- Realize visibility in device hygiene by tracking common misconfigurations that leave the endpoints exposed to exploits
In summary, the free cloud-based Qualys remote protection solution allows security teams to gain instant and continuous visibility of remote computers, easily see missing patches for critical vulnerabilities and deploy them from the cloud. The patches are delivered securely and directly from vendors’ websites and content delivery networks to ensure there is little to no impact on external VPN bandwidth.
If you are a Qualys customer who already has the Qualys Cloud Agent deployed, these systems can be enabled to receive patches via the Qualys Cloud Platform without anyone needing to touch the client systems. Otherwise, a lightweight Qualys agent is deployed to the remote computers first.
“The entire Qualys team is pleased that during these critical times, we can offer a real solution that will allow companies to ensure the security of both corporate and personal computers,” said Philippe Courtot, chairman and CEO of Qualys. “Thanks to our cloud-based implementation, this offer will enable companies to assess in real-time their security and compliance posture and remotely patch employees’ devices with the click of a button.”