Qualys devoted the second day of the QSC USA 2020 virtual conference entirely to vulnerability management, detection and response (VMDR), a critical area for the security and compliance of hybrid cloud IT environments.
Mehul Revankar, VP of Product Management and Engineering for VMDR at Qualys, set the tone with the day’s opening keynote, titled “Risk-Based Vulnerability Management: Myth or Reality?”
The Qualys Approach to VMDR
“You can’t protect what you don’t see,” Revankar said in reference to the importance of having an always updated, global IT asset inventory.
The rapid expansion of the IT infrastructure has increased the variety of IT assets that must be inventoried and protected, including containers, cloud services, and IoT devices. “Traditional enterprise discovery tools can’t keep up,” Revankar said, adding that they are either not designed for these types of modern IT assets, or their scope is too narrow.
Relying on seldom-updated CMDBs isn’t the answer, as their data is often outdated, and trying to manually group and classify assets doesn’t scale. “Getting a handle on your assets is a difficult problem to solve,” he said.
With the increase in the number and type of assets comes an inevitable jump in vulnerabilities in the IT environment. To make matters worse, malicious hackers every day move faster at exploiting recently disclosed vulnerabilities, upping the ante for security teams.
Trying to get a handle on vulnerabilities with traditional scanning falls short, because increasingly many types of assets are outside of the scope of these appliances.
Likewise, prioritizing which vulnerabilities to tackle urgently can’t be based solely on their CVSS (Common Vulnerability Scoring System) scores, as such an approach is devoid of risk context. “Risk-based vulnerability management is a reality, but it’s a myth that it can be achieved based on CVE attributes,” he said. The context is key, and “prioritization needs real-time threat intelligence and asset context.”
Meanwhile, remediation must be thought of in a broader sense than just patching, as the time to remediate continues to lag the time to exploit. Security teams also must consider mitigation options, such as blocking access to an asset, or re-configuring it so it’s hardened, in order to cut the risk until, and if, a patch can be applied.
Sometimes the best solution isn’t to patch a piece of software, but rather retire it entirely from the environment, by, for example, standardizing on one browser, instead of allowing employees to use three or four different ones, he said. It’s also important to be strategic when patching. “We can continue to blindly patch, or instead patch smartly,” Revankar said. For example, a recent patch for Google Chrome — 86.0.4240.111 — superseded 189 different Chrome versions from 2020 alone, covering 174 vulnerabilities.
Jabil’s VM Journey with Qualys
Jabil, a large global manufacturing solutions provider with presence in 30 countries, has evolved its vulnerability management practices over the past several years with Qualys.
When Chris Ong, Jabil’s Manager of Information Security Solution Engineering, arrived at the company five years ago, Jabil was doing scanning for vulnerabilities across its global data centers with Qualys appliances.
This approach had some limitations and complications. Given the large number of assets, the scans took up a lot of network bandwidth, and sometimes would interfere with other devices, like electrical doors. They often also took a lot of time, and required tweaks to the company’s firewalls, so scan jobs sometimes wouldn’t complete. In addition, certain users, such as telecommuters, would often miss the scan windows, so their devices wouldn’t be included.
All of this changed when in early 2019, Jabil deployed 80,000 Qualys Cloud Agents to complement their appliance-based scanning. Because the agents are lightweight and only report changes on the assets they monitor, the network bandwidth issues disappeared, as well as any significant CPU impact on the devices.
In addition, security improved because Cloud Agents are constantly monitoring the assets they’re housed in, and beam data back to the Qualys Cloud Platform immediately. For that same reason, coverage of remote users and their devices improved significantly. “You’re improving your ability to track the security and vulnerabilities on those assets, and you get that content to the patching team for remediation,” Ong said during his QSC USA 2020 presentation. “We sealed the gap of appliance-based scanning,” he added.
This also resulted in more complete metrics about assets and vulnerabilities, which pleased senior executives at Jabil who now had access to more fresh and comprehensive data. “That was a home run for us,” Ong said.
In this same vein, Jabil also started leveraging Qualys’ dynamic and customizable dashboards to make security data available to different audiences – from IT staffers to line-of-business leaders. Gone are the 800-page vulnerability reports.
By leveraging Qualys APIs, Jabil integrated Qualys with third-party tools, like its ticket management system and Splunk, helping streamline and automate workflows. “We have the right tool, and we have the right processes. Vulnerabilities are being reduced, and that makes Jabil’s security posture a lot safer,” Ong said.
Looking ahead, Jabil is looking to extend its Qualys use to secure more types of assets, including ICS/SCADA systems, certificates, containers and IoT devices. It has also been using the new Qualys VMDR, and Ong and his team are impressed and delighted with the product – the next generation of Qualys’ vulnerability management solution.
It’s with all these challenges in mind that Qualys released this year Qualys VMDR, an all-in-one solution to discover, assess, prioritize and remediate critical vulnerabilities.
Qualys VMDR brings it all together in a unified, central console with dynamic and customizable dashboards, for full visibility of the organization’s security posture. “This gives you a single pane of glass to view your entire infrastructure and is customizable based on how you want to see your data,” he said.
A Sneak Peek at the Future
After a demo of Qualys VMDR, Revankar highlighted some upcoming additions and enhancements to the product.
In the area of vulnerability and asset prioritization, Qualys VMDR will gain a vulnerability rating based on risk and impact on assets, as well as the ability to automatically discover and classify the most critical and riskiest assets in your organization. Qualys VMDR will also gain new real-time threat indicators and improve its attack surface mapping capabilities. “We’ve already made a lot of strides to allow customers to prioritize the right set of vulnerabilities and assets, and we want to take it further,” he said.
Qualys VMDR will also tighten its patch deployment function by enforcing strict role-based access control, and extend its integration with ticketing services such as ServiceNow. A new remediation console is also in the works.
Another target for enhancement is the solution’s ability to import and merge asset and vulnerability data from third-party sources, according to Revankar, in order to provide a consolidated risk view across the entire infrastructure.
View these and all other sessions at QSC USA 2020.