Qualys Blog

www.qualys.com
356 posts

Meltdown and Spectre Aren’t Business as Usual

The new year brought a new vulnerability type — the CPU-based Meltdown and Spectre bugs — that’s forcing vendors and IT departments to modify long-standing ways of identifying threats, prioritizing remediation, managing patches and evaluating risk.

“Meltdown and Spectre are different vulnerabilities from what you’re used to seeing,” Jimmy Graham, a Product Management Director at Qualys, said during a webcast on Wednesday.

As a result, it’s essential for organizations to fully understand the nature of these vulnerabilities, stay on top of the latest information, and analyze the vulnerabilities’ impact in their IT environments, in order to stay as safe as possible.

“It’s not a simple [process] of just install a patch and you’re done,” he said.

Continue reading …

Meltdown / Spectre Mitigation Is a Work in Progress

Since researchers disclosed the Meltdown and Spectre vulnerabilities on Jan. 3, vendors and IT departments have been consumed trying to figure out how to properly address the potentially devastating effects of these kernel-level bugs.Meltdown Spectre Mitigation is a Work in Progress

By now, one thing we know for sure is that dealing with the vulnerabilities is a moving target. This situation is compounded by the fact that they have broad implications and that every day seems to bring new, relevant information that must be factored into ongoing mitigation efforts.

Thus, it’s important to stay on top of the latest developments, so we’re providing a snapshot of what we know to date, how Qualys can help and and what InfoSec teams can do. We’re also tracking a list of Qualys resources.

Continue reading …

Processor Vulnerabilities – Meltdown and Spectre

UPDATE 1/4/2018: Qualys has released several QIDs for detecting missing patches for these vulnerabilities.
UPDATE 1/5/2018: Pre-built AssetView dashboards to visualize impact and remediation progress.

Vulnerabilities potentially impacting all major processor vendors were disclosed today by Google Project Zero. These vulnerabilities have been named Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 & CVE-2017-5715). Organizations should inventory their systems by processor type, apply vendor patches as they become available, and track their progress. This article describes how Qualys can help in all three areas.

Continue reading …

Cloud Security Improves, But Much Work Still Remains to Be Done

As cloud computing adoption accelerates among businesses, InfoSec teams are struggling to fully protect cloud workloads due to a lack of visibility into these environments, and to hackers’ increasingly effective attacks.

That’s the main finding from SANS Institute’s “Cloud Security: Defense in Detail if Not in Depth” report, which surveyed IT and security pros from organizations of all sizes representing many industries.

“We’re seeing more organizations moving to the cloud. They’re definitely moving quickly. And security teams aren’t wholly comfortable with the way cloud providers are giving us details about what’s going on in the environments,” report author Dave Shackleford, a SANS Institute analyst and instructor, said during a webcast to discuss the study findings.

Continue reading …

Call For Customer Presentations at RSA Conference 2018!

Tell your security story to your peers at RSA Conference 2018 San Francisco!

Qualys Customer Presentation at RSA ConferenceQualys is looking for customers excited to share their security and DevSecOps successes, best practices and case studies leveraging the use of the Qualys Cloud Platform. Take the stage in the Qualys booth to share your experience with RSA Conference attendees two or three times total during exhibit hall hours on April 16, 17, 18 and 19.

If you would like to be considered as a presenter, please send a title and short abstract for a 25-minute presentation to David Conner at dconner@qualys.com. The call for presenters is open through Thursday, February 15, 2018.

RSA Conference 2018 is held at Moscone Convention Center in San Francisco. Qualys will provide accepted presenters with a full conference pass, and pay your airfare plus hotel expenses for the conference.

Implementing the CIS 20 Critical Security Controls: Make Your InfoSec Foundation Rock Solid

For almost 10 years, thousands of organizations eager to solidify their security and compliance foundations have found clarity and direction in the the Center for Internet Security’s Critical Security Controls (CSCs).

This structured set of 20 foundational InfoSec best practices, first published in 2008, offers a methodical and prioritized approach for securing your IT environment. Mapping effectively to most security control frameworks, government regulations, contractual obligations and industry mandates, the CSCs can cut an organization’s risk of cyber attacks by over 90%, according to the CIS.

Continue reading …

Implementing the CIS 20 Critical Security Controls: Delving into More Sophisticated Techniques

Corden Pharma needed a standardized security program to meet customer requirements. Link3 Technologies wanted to prioritize its network security improvements. Telenet was looking for a road map to implement its ISO-27000 compliance program.

These three companies — a German pharmaceutical contract manufacturer, an IT services provider in Bangladesh and a large telecom in Belgium — all found the InfoSec clarity and guidance they needed in the Center for Internet Security’s Critical Security Controls (CSCs).

They are among the thousands of organizations that over the years have successfully adopted the CSCs, a set of 20 security best practices that map effectively to most security control frameworks, as well as regulatory and industry mandates.

Continue reading …

Implementing the CIS 20 Critical Security Controls: Building Upon Foundational Cyber Hygiene

Most successful cyber attacks exploit known vulnerabilities for which patches are available, or take advantage of weak configuration settings that could have been easily hardened. You can significantly lower the risk of being victimized by this type of common, preventable attack by adopting the Center for Internet Security’s Critical Security Controls (CSCs).

This set of 20 structured InfoSec best practices offers a methodical and sensible plan for securing your IT environment, and maps to most security control frameworks, government regulations, contractual obligations and industry mandates.

The CSCs were first developed in 2008 and are periodically updated by a global community of volunteer cybersecurity experts from government, academia and industry. “The CIS Controls provide a prioritized approach to cyber security, starting with the most essential tasks and progressing to more sophisticated techniques,” Tony Sager, CIS Chief Evangelist, wrote recently.

In this blog series, we’re explaining how Qualys Cloud Platform — a single, integrated, end-to-end platform for discovery, prevention, detection, and response — and its Qualys Cloud Apps can help security teams of any size to broadly and comprehensively adopt the CIS controls.

Continue reading …

Implementing the CIS 20 Critical Security Controls: Slash Risk of Cyber Attacks by 85%

If a CISO needed to cut cyber attack risk by 85%, how would this security chief go about accomplishing that? Would the CISO even know where to begin? It’s safe to say that such a mandate would be considered daunting, and maybe even overwhelming.

CISOs are scrambling to protect IT infrastructures whose boundaries are increasingly fluid due to the adoption of mobility, cloud computing, IoT, and other new technologies. They get bombarded daily with information — research studies, threat warnings, vendor announcements, regulatory requirements, industry recommendations. Making sense out of it all is a challenge.

And yet, that dramatic cyber-attack risk reduction is an attainable goal for organizations that apply the first five of the Center for Internet Security’s 20 Critical Security Controls.

Continue reading …

Webcast Q&A: DevSecOps – Building Continuous Security Into IT and App Infrastructures

As organizations adopt DevOps to create and deliver software quickly and continuously — a key step for supporting their digital transformation initiatives — they must not overlook security. In DevOps, development and operations teams add agility and efficiency to software lifecycles with automation tools and constant collaboration, but the added speed and flexibility can backfire if security is left out.

Rather, organizations should bake security personnel, tools and processes into the process to end up instead with DevSecOps, a topic whose business and technology aspects were explored in depth during a recent webcast by Qualys Product Management VP Chris Carlson and SANS Institute Analyst John Pescatore.

In this blog post, we’re providing an edited transcript of the question-and-answer portion of the webcast, during which participants asked Carlson and Pescatore about a variety of issues, including the dangers of using Java, the right tools for DevSecOps, and the best way to embed security into the process. We hope you find their explanations insightful and useful.

In addition, if you didn’t catch the live broadcast of the webcast — titled “DevSecOps – Building Continuous Security Into IT & App Infrastructures” — we invite you to listen to its recording, which we’re sure will provide you with a lot of practical tips, useful best practices and valuable insights about DevSecOps and digital transformation. Continue reading …