Vulnerability Remediation: It’s Not Just Patching

Eran Livne

Last updated on: November 16, 2022

Vulnerability does not equal a patch, as such remediating a detected vulnerability requires deploying the right patches and, in some cases, making the right configuration changes. Using multiple tools to detect, map and deploy the right remediation actions is time consuming and will result in less efficient remediation results. With the new pre/post actions feature introduced in Qualys Patch Management, security and IT professionals can now use one tool to efficiently remediate more vulnerabilities in less time.

Patches used to be considered merely a software update that just so happened to fix security issues. Patch management solutions were introduced to help organizations deploy these software “updates” to their entire infrastructure at scale. These initial solutions focused on deploying the latest software fixes to a large set of devices. Since then, the security landscape has evolved. The main goal of deploying patches today is to help remediate vulnerabilities – i.e. to fix security issues. However, the security fix for some vulnerabilities is to apply a configuration change, while for others it’s to apply patches. In some cases, it’s both, for example to remediate the Spectre/Meltdown vulnerability one must deploy the patch and make the required registry changes.

Asking the key question, “are we vulnerable?” implies that customers must understand exactly what is needed to remediate each vulnerability detected. Is it a patch, a set of patches, or/and a configuration change.

To answer this question, customers must accurately map the detected vulnerabilities to the required remediation actions. This is a complex, time-consuming task… but a required one. The remediation team needs to deploy the relevant patches once mapped, and then apply the necessary configuration changes. Finally, a vulnerability scan is necessary to ensure all vulnerabilities have been remediated. Only using a patch tool to validate that all patches were installed is not enough.

Remote and WFH Users

The pandemic forced many employees to work from home. This created an issue, as most companies used legacy on-premises tools designed to serve users inside the corporate network. Customers found it challenging to adjust those tools to the new reality – i.e. supporting a large number of remote users. As a result, many customers were challenged to create efficient processes to remediate vulnerabilities remotely. As vulnerability remediation may require both a patch and a configuration change, those tools must support patching and configuration changes to any device, anywhere.

Complex IT Environments

In complex IT environments, deploying patches and applying configuration changes may require elaborate workflows and dependencies. For example, customers may need to execute scripts before deploying the patch, or after the patch is deployed and the device is rebooted as in a cleanup scenario. Additionally, many environments may include proprietary software not supported by out-of-the-box patch tools. Patching proprietary software, whether installed on-premises or on remote devices, introduces another challenge to the remediation team.

Introducing Patch Management Actions

Qualys Patch Management (PM) is an innovative solution that helps you remediate vulnerabilities and keep your compliance posture up to date.

Qualys PM currently provides key capabilities designed to streamline the remediation process. For example it has the ability to automatically map detected vulnerabilities to the right patches required in your specific environment, and then to remediate those vulnerabilities. It also can create zero touch patch jobs to automate vulnerability remediation based on criteria that apply uniquely to your organization.

Now Qualys is taking Patch Management and its automation a step further by introducing both Pre and Post action capabilities. Qualys PM is adding the ability to run scripts and software installations before or after deploying patches, or without deploying any patch at all!

As a result of the introduction of these new actions, Qualys customers can use a single solution to detect and remediate most Windows based vulnerabilities, regardless of the remediation action required. Any vulnerability that requires a configuration change or a patch to remediate (or both) can be remediated using the same enterprise grade workflow.

Qualys Supports the “Work From Everywhere” World

Qualys Patch Management is an integral part of the Qualys Cloud Platform – a pure cloud solution. There is no need to connect to a VPN or re-architect your network to support a large number of WFH devices. As long as the single Qualys Cloud Agent is installed correctly on a device, the device can be patched and configuration changes can be applied – no matter where the device is in the world.

What’s New in Qualys Patch Management?

One new capability added to Qualys PM allows customers to run actions before deploying patches, after deploying patches (i.e. after reboot if one is required), and even without deploying any patch at all.

In this release we have introduced two new actions:

  1. The ability to run any PowerShell script
  2. The ability to install or patch any software that is not supported out-of-the-box by Qualys

By adding these two new actions, customers can remediate the majority of Windows based vulnerabilities quickly and effectively.

This new functionality allows customers to:

  • Fix vulnerabilities that require a configuration change only
  • Fix vulnerabilities that require a configuration change and a patch at the same time
  • Clean up after patch deployment or “prepare” the device before deploying the patch
  • Install any new software on your assets
  • Remediate any vulnerability that requires a patch that is not supported out-of-the-box by Qualys PM

In addition, as these new actions are part of a patch job, all the standard job capabilities will be honored. This means that they will honor maintenance windows, can be scheduled to start at a specific time or automated, and can control reboots.

Pre Action Selection as part of a patch job*

Qualys Patch Management: Controlling Complexity with Automation

A vulnerability does not equal a patch. Some vulnerabilities can be remediated with a single patch. Some require a few patches. Still others only a configuration change, while some need both a patch and a configuration change. With the new actions introduced in Qualys PM, enterprises both large and small can rely on Qualys Patch Management to remediate all those vulnerability types on any device located anywhere in the world.

In addition, those new actions allow customers to create more complex patch deployment jobs to support more complex environments, including environments that have vulnerabilities in applications that are not supported out-of-the-box by Qualys.

The ability to push any software to any device, no matter where the device is located, is an add-on benefit of using a unified, cloud-based solution for all your remediation needs.

*Note: the configuration changes can only be applied to assets on Windows Cloud Agent version 4.6.1.6 or higher.

Show Comments (1)

Comments

Your email address will not be published.

  1. Thank you for writing this article and giving us partner, good information.
    Please share this with your technical department, they are under the impression this feature “Install any new software on your assets” will not be available until Q3 2022.