Qualys has just launched a global IT asset inventory solution that offers full visibility across even the most hybrid, complex and distributed IT environments, addressing a challenge many security and IT teams face today.

When IT directors and CISOs look at their digitally transformed networks, they encounter many shadows that their legacy enterprise software tools can’t illuminate. These blind spots often include cloud workloads, containers, IoT systems, mobile devices, remote endpoints, and Operational Technology wares.

Because full visibility is essential for security, this foggy, fragmented view of a network makes the organization vulnerable to cyber attacks. Qualys Global IT Asset Inventory (AI) provides complete, continuous, structured and enriched asset inventory in hybrid environments.

“This is a really big deal because it’s the basis of security: If you don’t know what you have, you can’t secure it,” says Qualys Chief Product Officer Sumedh Thakar.

Justin Bendl, Senior Manager for Security & Compliance at Federal Home Loan Bank of Pittsburgh, says that Qualys AI has begun to assist the bank in expanding automation that provides real-time visibility into the completeness and accuracy of software assets.

“This automation is enhancing the bank’s overall control environment and further mitigating risks in a proactive manner,” Bendl says.

Philippe Courtot, Qualys Chairman and CEO, highlights the benefits of Qualys AI’s full integration with the Qualys Cloud Platform. “You will know instantly what assets connect to your network, and be able to assess their security and compliance posture in real-time, giving you unprecedented and essential visibility,” says.

Read on to learn more details about Qualys Global IT Asset Inventory and the use cases it’s designed for.

Continue reading …

Among the IT innovations that businesses are using to digitally transform operations, containers might be the most disruptive and revolutionary.

“They’re a real game changer,” Qualys Chief Product Officer Sumedh Thakar said at QSC 2018 in Las Vegas.

DevOps teams have embraced containers because they boost speed and flexibility in app development and delivery, and are ideal for microservices. In fact, by 2020 more than 50% of organizations will run containerized applications in production, up from under 20% in 2017, according to Gartner. Thus, security teams must prioritize protecting the applications that DevOps teams create with this OS virtualization method.

“We see container security as a significant new paradigm coming at us, which will bring a lot of change,” Qualys CEO Philippe Courtot said.

But to ensure the security and compliance of container-based code, organizations can’t rely on conventional application security products. “Your existing tools aren’t going to work,” said Asif Awan, Qualys’ Container Security CTO. Unsurprisingly, organizations cite security as the biggest challenge when deploying containers, according to Forrester.

“Security automation is a simple term but to get a handle over that entire automated and ever-accelerating CI/CD (continuous integration and delivery) pipeline is becoming more and more difficult,” Awan said.

Responding to this need, Qualys offers a comprehensive security solution that monitors and protects containerized applications from the inside.  In order to do that, Qualys technology collects granular behavior data about the application, providing deep visibility and enforcing normal application behavior for runtime protection.

Read on to learn about Qualys’ container security approach.

Continue reading …

When IT directors and CISOs look at their digitally transformed networks, they encounter many shadows that their legacy enterprise software tools can’t illuminate. These blind spots often include cloud workloads, containers, IoT systems, mobile devices, remote endpoints, and Operational Technology wares.

Since full visibility is essential for security, this foggy, fragmented view of a network makes the organization vulnerable to cyber attacks. It’s a problem Qualys is tackling head on, as several speakers stated during QSC 2018 in Las Vegas.

“This is a really big deal because it’s the basis of security: If you don’t know what you have, you can’t secure it,” Qualys Chief Product Officer Sumedh Thakar said.

That’s why Qualys is releasing a global IT asset inventory solution that offers full visibility across even the most hybrid, complex and distributed IT environments. Qualys Asset Inventory, now in beta, will provide complete and detailed visibility into on premises, cloud, remote, mobile, IoT and OT assets.

“It’s the source of truth that enterprise software hasn’t been able to deliver,” Qualys CEO Philippe Courtot said. “That’s the bedrock of what we’re doing.”

It will provide complete, continuous, structured and enriched asset inventory for IT and security teams managing assets in hybrid environments, according to Pablo Quiroga, Qualys’ Director of Product Management for IT Asset Management.

Read on to learn more details about Qualys Asset Inventory and the use cases it’s designed for; and watch the live demo from Qualys Security Conference 2018.

Continue reading …

Capital One prides itself on staying at the forefront of IT innovations to give its business a competitive edge.

For example, it adopted Agile software-development methodologies years ago, and uses artificial intelligence and machine learning. It was the first bank to implement a mobile wallet with “contactless” NFC payments, and to offer voice-activated financial transactions using Amazon’s Alexa. When 2018 ends, Capital One expects 80% of its IT infrastructure to be cloud based, allowing it to go from seven to two data centers.

Given its tech transformation track record, it’s not surprising that Capital One has embraced DevSecOps, embedding automated security checks into its DevOps pipeline. This effort has dramatically accelerated the process of assessing vulnerabilities and mis-configurations in its virtual machine images and containers.

As a result, the code created in the DevOps pipeline is certified as secure and released to production without unnecessary delays. This allows Capital One — one of the United States’ 10 largest banks, based on deposits — to consistently boost its business across the board by quickly and continuously improving its web properties, mobile apps, online services and digital offerings.

“This has provided a huge benefit to the entire company,” said Emmanuel Enaohwo, Senior Manager for Vulnerability/Configuration Management at Capital One, a Fortune 500 company based in McLean, Virginia that offers a broad spectrum of financial products and services to consumers, small businesses and commercial clients.

Read on to learn how the bank has automated vulnerability and compliance checks in its CI/CD software pipeline, helped by Qualys.

Continue reading …

With DevOps adoption spreading, infosec teams are scrambling to address the new security challenges stemming from DevOps’ accelerated code development and app deployment. But while IT organizations have made notable progress adapting security to their DevOps processes, work remains to be done.

That’s a key finding from SANS Institute’s “Secure DevOps: Fact or Fiction” report, which was discussed recently in a two-day webcast (Part 1 & Part 2) co-sponsored by Qualys. A revealing statistic: Under 50% of respondent organizations have fully “shifted left” to embed security throughout their DevOps pipelines, a figure that should be higher.

“Security is still being built in at the end, whereas risk reduction should start earlier in the software development lifecycle,” said Barbara Filkins, a SANS analyst. With security in the early stages of application design, “we can eliminate many issues that we’d see at the back end,” she said.

Threading security throughout DevOps also preserves the benefits of continuous and quick software delivery, like improved customer support and employee productivity. 

“As a DevOps engineer, you’re looking to automate security at the speed of what business needs,” said Qualys Product Management Director Hari Srinivasan.

“The goal is enabling a transition from DevOps to secure DevOps that is factual, not fiction,” Filkins said.

Read on to learn about DevSecOps challenges, best practices and case studies.

Continue reading …

In this latest roundup of cyber security news, we look at serious Bluetooth chip-level bugs, a zero-day vulnerability on Cisco software, a raft of Apple security fixes, and a massive customer data breach at Cathay Pacific.

Enterprise Wi-Fi access points vulnerable to Bluetooth bug

A pair of critical Bluetooth bugs could make popular wireless access points used in many enterprises vulnerable to breaches.

The critical vulnerabilities reside in Bluetooth Low Energy (BLE) chips from Texas Instruments which are present in Wi-Fi access points from Cisco, Cisco Meraki and Aruba.

Dubbed Bleedingbit, the bugs were discovered by researchers from Armis and disclosed last week.

If exploited, the vulnerabilities could allow unauthenticated attackers to stealthily break into enterprise networks, take over access points, spread malware, and move laterally across network segments.

The first vulnerability affects TI BLE chips cc2640 and cc2650, used in Cisco and Cisco Meraki Wi-Fi access points. The second bug impacts the Aruba Wi-Fi access point Series 300 with TI BLE chip cc2540 and its use of TI’s over-the-air firmware download (OAD) feature.

“These vulnerabilities are a sharp reminder that we need to ensure the security of the infrastructure we employ to support IoT devices is not undermined by those IoT devices or the protocols that support them,” Brian Honan, CEO at BH Consulting, told Help Net Security.

To exploit either vulnerability, an attacker would have to physically be within Bluetooth range of the targeted access point. TI, Cisco, Cisco Meraki and Aruba have all responded with patches, mitigations and information.

Continue reading …

Cyber criminals are constantly looking for opportunities to infect legitimate websites with malware.  They can use infected websites to cryptomine, steal data, hijack systems, deface pages, and do other damage to harm a company’s reputation and impact their users. This can result in lost revenue, and regulatory fines, and potentially drive customers away.

SiteLock researchers recently reported that a website is attacked on average almost 60 times per day, and that 1% of all websites — about 19 million globally — carry malware at any point in time.  Those often include websites from large, well-known companies. For example, Newegg, British Airways and Ticketmaster all recently fell prey to the Magecart credit card skimming malware.

It’s clear that anti-virus software, firewalls, and other prevention tools are not enough to defend against the steady stream of ever-evolving malware.  Even if a company’s website is secure from external attackers, this does not mean the website is safe from infection from third-party content providers or advertising used on the website.

Firewalls aren’t infallible, and neither are AV products.  Perhaps most frustrating of all is that despite years of awareness training, employees still inadvertently click on malicious links and attachments, John Delaroderie, a Qualys Security Solutions Architect, said recently at Microsoft Ignite 2018.

“That’s why you need a superhero sidekick on your team — to find this malware, root it out at the source, and keep your website safe,” he said.

Continue reading …

Threat hunting, an often misunderstood but powerful security practice, is gaining traction, as more organizations reap benefits from it and get better at it. However, there is still a lot of room for adoption to increase and for practices to improve.

Those were key findings from the SANS Institute’s 2018 threat hunting study, which experts from SANS, Qualys and other companies discussed recently in the two-part webcast “Threat Hunting Is a Process, Not a Thing.”

“Over the past two to three years, threat hunting has been moving from a ‘What is it?’ discussion into a more formal mentality of: ‘This is what it is. Am I doing it right?’,” said Rob Lee, a SANS instructor. “But we’re still in a transition.”

For starters, there’s still considerable confusion about what threat hunting is. For example, it’s very common for many to equate it with reactive practices such as incident response. Rather, threat hunting is by definition proactive. It assumes that the organization’s prevention defenses have been bypassed, and the IT environment breached, without any alerts being triggered.

Using threat intelligence analysis and other tactics, hunters formulate and act on a hypothesis about where the intruders are likely to be lurking in silence while pursuing their nefarious goals.

Continue reading …

In our latest security news digest, we delve into the brouhaha over Chinese spy chips, check out the latest in Facebook’s investigation of its recent hack, and look at Google’s controversial decision to delay disclosing a potential data breach.

Bloomberg’s spy chip report stuns tech industry, then draws skepticism

The hyperactive cyber security news cycle reached another intensity level when Bloomberg reported the presence of Chinese spy chips in servers used by Apple, Amazon and other major U.S. companies. But did the global news agency get the story right?

Citing numerous anonymous sources, Bloomberg stated that China surreptitiously modified server hardware and embedded tiny chips in motherboards to snoop on about 30 large American businesses.

The Chinese government reportedly did this by tampering with parts built in China by suppliers of Supermicro, a U.S.-based Fortune 1000 designer and maker of servers.

“In Supermicro, China’s spies appear to have found a perfect conduit for what U.S. officials now describe as the most significant supply chain attack known to have been carried out against American companies,” Bloomberg’s article reads.

But Bloomberg, which doubled-down on the original article with a follow-up, has become part of the story, as more and more parties question the accuracy of its bombshell reports.

Continue reading …

Qualys is expanding its security and compliance capabilities for Microsoft Azure, by adding protection for the on-premises Azure Stack and extending capabilities for public cloud deployments.

By using Qualys’ platform to defend hybrid IT environments, organizations get a unified view of their security posture, and can apply the same standards and processes on premises and in clouds.

“The advantages of doing so all within a single pane of glass is to reduce your total cost of ownership, and to have all the data in one place,” Hari Srinivasan, a Qualys Director of Product Management, said during a presentation at Microsoft’s Ignite 2018 conference.

That way, when a major attack like WannaCry is unleashed, organizations can quickly assess their risk and take action from a single console, instead of scrambling to assemble fragmented information from siloed tools.

Read on to learn more about Qualys’ comprehensive offerings for Azure.

Continue reading …