Introducing the New Groundbreaking Qualys Cloud Agent Platform
Last updated on: March 21, 2021
Today we are excited to launch this revolutionary new platform which extends Qualys’ industry-leading Cloud Security and Compliance Platform with lightweight agents to continuously assess security and compliance of organizations’ global IT infrastructure and applications. Lightweight 1MB Cloud Agents can be easily installed on global IT assets, including on-premise systems, dynamic cloud environments, and mobile endpoints. With these Cloud Agents IT personnel can now search for information about any asset and easily scale to search millions of assets in a matter of seconds.
Traditional Scanning Approach
With infrastructure evolving dramatically and becoming more and more dynamic with globalization, virtualization and mobile endpoints, it’s becoming increasingly difficult to get a handle on your network and the devices on it. With the traditional scanner-based approach it becomes challenging to ensure these devices are reachable by scanners in the available scan windows and through the complex firewalls between the networks. To get high quality detections it is heavily recommended that credential-based authenticated scanning be performed on endpoints. Managing credentials can be a major task for global organizations as systems are constantly changing and credentials are being updated throughout the environment.
The Qualys Cloud Agent Platform
The newly released platform aims to solve some of these challenges with cloud connected, centrally managed, always up-to-date, lightweight agents that are constantly beaming up security and compliance data points to the platform. This innovative approach greatly simplifies deployment and management of these agents. Legacy enterprise agent solutions require deployment of a large amount of infrastructure to manage these agents. The Qualys Cloud Agent Platform with its simplified deployment significantly reduces the complexity and cost of management of agents when compared to these legacy agent solutions.
Architected for Minimal Impact
The Cloud Agent Platform stores a snapshot, which is security & compliance metadata about the target system collected by the Cloud Agent. This starts off with an initial background upload of the baseline snapshot which is a few Mbytes and is beamed up to the platform. After that only incremental deltas are uploaded in small chunks that are only a few kilobytes in size. Since all of the heavy lifting is done in the cloud, the agent needs minimal footprint and processing on the target systems. All target systems can be scanned (via their snapshots) in the cloud as soon as new vulnerability signatures are released. This means threats can be detected without having to wait for the target system to be online. This creates huge improvements in efficiency and speed over current scanning architectures.
Cloud Agents use native code that is optimized for each supported platform and tuned for high performance. Cloud Agents on Windows, which are installed as a local system service, require no DLLs for operation and no reboot for update.
Transfer of data is optimized for size and security. The Cloud Agents query the platform for updates to their manifests, which are the instructions for what asset data they should monitor. If there is an updated manifest to download, they will immediately start collecting any new data defined in the manifest update. For secure data transmission, Cloud Agents dial into the Cloud Agent Platform over port 443, and create no open ports and no listener. They implement encryption of connections, traffic and other data, and use SHA2 for signing & communication.
It is an important distinction as it relates to other agents and worth reiterating that the agent is NOT a scanner being run on the endpoint and hence it is very light.
On-Premise Servers and Desktops
The agents can now scan devices connected to the physical network without the need to manage credentials or a complex architecture for scanner deployment and firewall configuration that allows scanner traffic through. You don’t have to deal with typical issues of dynamic DHCP environments caused by scanning devices with changing IPs. With the agent the devices are tracked with a unique identifier given to each system which doesn’t change even if the IP address changes or the system moves to different subnet. It also helps resolve issue with overlapping IPs and supports IPv6 out of the box.
Elastic Cloud and Virtualized Environments
The ability to embed the agent in the master images used to create virtual instances greatly simplifies security and compliance in dynamic elastic environments. When new instances are created it can be complicated to automate the scaling of scanners to address the demand. The agent simplifies checking the posture of these instances since the agent activates itself as soon as the instance is booted, registers itself with the Qualys Cloud Agent Platform and uploads all its information into the platform for analysis.
As devices are becoming increasingly mobile, they travel all over the world passing through insecure networks at hotels and coffee shops. Legacy enterprise solutions require these endpoints to be on the corporate network to access them for security or compliance. Given their mobile nature they don’t end up connecting to the corporate network for days and weeks, which leaves them completely unmonitored. The Qualys Cloud Agent solves this problem by being always connected to the Qualys Cloud Platform no matter where the device is. As soon as a change is detected on the system it is uploaded and evaluated in real time to notify the administrators and users if threats are detected.
Integrated with Qualys Cloud Platform
The Cloud Agent Platform is integrated with Qualys Cloud Suite. Vulnerability assessment is conducted with the same Qualys vulnerability signatures used by Qualys scanners, and all vulnerability information collected by Cloud Agents is used by Qualys Vulnerability Management, just as if it were collected by a scanner. The difference is the data is collected continuously from the device without the need for a scanner. Policy compliance works the same way. A change detected by the Cloud Agent is reported to the platform, and immediately assessed. If it means compliance has changed, that’s immediately reflected within Qualys Policy Compliance. With Qualys Continuous Monitoring, you get notified with alerts, all within minutes of the change happening. In Asset Manager, a Cloud Agent tag is added automatically so you can see which assets are scanned via Cloud Agents. They work out of the box with existing API & Integrations with SIEM, CMDB & trouble ticketing systems.
Centrally Managed and Self-Updating
Cloud Agents can be deployed in a variety of ways including simple host installer, embed in master images or push through Group Policy. Once deployed the agents self-manage. Whenever they connect back into the Cloud Agent Platform, Cloud Agents check for updates and then automatically download and install the new version and check for updated manifests. Cloud Agents are self-repairing, so if there is any issue with data synchronization, they can recover automatically without user intervention. The agent keep-alive to the platform gives clear indication of “stale” or dead agents that are not connecting to the platform.
The agents will soon be available for the Linux and Mac OSX environment. We are also working on adding file integrity monitoring (FIM) capabilities that can be activated on the same agent so you don’t need to deploy an entirely different solution for FIM. The agents will also expand into detecting Indications of Compromise (IOC) and we are researching the ability to perform some policy enforcement as well.
We are quite excited about this innovative new platform and we hope to hear your feedback on how this will help simplify security and compliance as well as what we can improve to make the platform work better for your needs.
Additional resources are available at: