Put SecOps in the Driver’s Seat with Custom Assessment and Remediation

Hariom Singh

When zero-day threats emerge, time is of the essence. Security teams struggle to manage and respond to a range of challenges that often require custom approaches outside of existing vulnerability and security programs. Recently, many companies scrambled to mount their defenses against the Log4Shell vulnerability.

For example, a large health care provider knew it had to detect whether Log4Shell was present in its critical lifesaving systems. But to do so, the company had to develop custom scripts and scan its entire environment. The security team faced myriad challenges, from script deployment to evidence collection to threat validation. The whole process was slowed by inefficient collaboration with IT Operations, complex analysis and correlation processes, and a disjointed decision-making process. For this health care leader, its response to the threat was further slowed as the same cycles repeated in multiple iterations before any remediation action could be taken.

This all too familiar story has been repeated at enterprises in industries from financial services to media communications. In each case, the cybersecurity team finds itself with little control over the tools and processes necessary to respond quickly to the emerging threat.

Further complicating any effective response is the prevalence of homegrown and highly customized applications. Typically, the process of securing them is completed manually (and infrequently) using custom scripts. This laborious process leaves security gaps, and those gaps become a problem when a new threat emerges. In the middle of a crisis, accounting for all these custom apps further lengthens MTTR.

Out-of-Band Processes Slow Response to Zero-Day Attacks

Continuing with Log4Shell as our example, the more time your security team spends on threat assessment and decision-making, the greater the delay in response and remediation. The Qualys Research Team analyzed anonymized Log4Shell security data across the networks of our global enterprise customers to ascertain their average MTTR. On average, it took more than 25 days to remediate the remote code execution vulnerability (CVE-2021-44228) in Apache Log4j. The question is: why?

When time is of the essence, your security team requires a centralized way to scale their custom detection or remediation scripts across your entire IT environment to contain the attack. Here are some of the many challenges posed by the lack of a custom scripting solution:

  • Siloed solutions: When capabilities for vulnerability management, threat detection, and response are distributed across multiple security products, this leads to a disjointed approach to confronting a zero-day attack
  • Lack of scalability and coverage: Enterprise security teams need to scale their custom scripts to hundreds of thousands of assets, yet available tools seldom support such scale, with multiple tools often deployed across the organization
  • Custom applications: Security gaps created by manual out-of-band processes leave organizations more vulnerable at critical times
  • Dependence on IT Ops: Since they usually lack access to ITSM tools, security teams must rely on IT Operations for script execution across the IT environment, which can drastically hamper response and mitigation time

Introducing Qualys Custom Assessment and Remediation

To address these many challenges, Qualys has introduced Qualys Custom Assessment and Remediation, a new cloud service on the Qualys Cloud Platform that empowers security teams to rapidly respond to immediate threats through custom scripts and security controls within their organization’s existing vulnerability management processes, security programs, and workflows.


Now security teams can script, execute, and automate any assessment or remediation task on any endpoint infrastructure or application wherever the Qualys Cloud Agent resides across their IT, cloud, and application estate. Direct actions can be taken swiftly, such as conducting data collection, evaluation, validation, configuration updates, shutting down ports, and utilizing custom tools on the endpoints.


Qualys Custom Assessment and Remediation delivers the following benefits to enterprise security teams:

Quickly Address Zero-Day Threats, Reducing MTTR by 50%

Qualys Custom Assessment and Remediation opens our platform to allow security teams to create and access custom scripts that can be natively integrated with other Qualys cloud services like Qualys VMDR and Qualys Policy Compliance. By empowering security teams to orchestrate workflows, secure custom applications, and take immediate action, an organization’s MTTR for zero-day attacks and other threats is reduced by up to 50% or more. Even better, it ends the security team’s reliance on IT Operations for script execution. As illustrated below, multiple out-of-band steps can be eliminated, accelerating threat response as a result.

In-band processes eliminate steps to speed MTTR

Close the Security Gap Caused by Custom Applications

Highly customized apps – whether commercial or open-source – typically require custom scripts for assessment and remediation. Qualys Custom Assessment and Remediation brings the custom application in line with established vulnerability management and compliance security programs, eliminating out-of-band manual processes. It automates security and compliance reporting against standards such as CIS, NIST CSF, DISA STIG, and more for hardening defenses. The new cloud service supports multiple scripting languages including Perl, Shell, Python, Lua, PowerShell, VBScript – with no vendor-specific syntax or restrictions. Select the language of your choice and start by leveraging out-of-the-box scripts or creating your own scripts for custom detection, validation, and remediation. As shown below, a shell script was used to detect the Log4Shell vulnerability in the environment.

Creating a Shell script to detect log4j vulnerability
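The kind of host-side detection script the figure refers to, written here as an added example rather than code from Qualys or the article: it walks a directory tree for log4j-core jars, parses the version from the file name (the assumed upstream naming, log4j-core-<version>.jar), and reports any in the CVE-2021-44228 range so the exit code can drive a remediation workflow.

```shell
#!/bin/sh
# Added example, not Qualys code: a host-side check for CVE-2021-44228
# that a SecOps team could run as a custom assessment script.
# Assumption: log4j-core jars keep their upstream name, log4j-core-<version>.jar.

# Exit 0 when <version> of log4j-core falls in the CVE-2021-44228 range
# (2.0-beta9 through 2.14.x). 2.15.0 was the first fixed 2.x release; the
# Java 7 and Java 6 branches received backports as 2.12.2+ and 2.3.1+.
# 2.0 betas before beta9 predate the JNDI lookup but are flagged anyway,
# since nothing that old should be in production.
log4j_version_vulnerable() {
  ver=$1
  case "$ver" in
    2.12.2|2.12.3|2.12.4|2.3.1|2.3.2) return 1 ;;   # backported fixes
  esac
  major=${ver%%.*}
  rest=${ver#*.}
  minor=${rest%%.*}
  minor=${minor%%-*}                  # "0-beta9" -> "0"
  case "$minor" in *[!0-9]*|'') return 1 ;; esac   # unparsable: not 2.x
  [ "$major" = "2" ] && [ "$minor" -lt 15 ]
}

# Walk <dir>, print every vulnerable log4j-core jar, and return the count
# (0 = nothing found), so the exit code can drive a remediation workflow.
scan_log4j_jars() {
  dir=$1
  found=0
  while IFS= read -r jar; do
    [ -n "$jar" ] || continue
    base=${jar##*/}
    ver=${base#log4j-core-}
    ver=${ver%.jar}
    if log4j_version_vulnerable "$ver"; then
      printf 'VULNERABLE %s (log4j-core %s)\n' "$jar" "$ver"
      found=$((found + 1))
    fi
  done <<EOF
$(find "$dir" -type f -name 'log4j-core-*.jar' 2>/dev/null)
EOF
  return "$found"
}

# Stand-alone use: sh log4shell_check.sh /opt/apps
if [ -n "${1:-}" ]; then
  scan_log4j_jars "$1"
fi
```

Renamed or shaded jars will not match the file-name pattern, so pair this with a check of jar contents (for example, whether JndiLookup.class is present) before treating a clean result as conclusive.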

Access a Centralized Library for Custom Scripts and Controls

Qualys Custom Assessment and Remediation provides centralized control over custom scripts, easily mapped into workflows and secured by role-based access control (RBAC) as well as strict review and approval processes with audit logs. Additionally, deployment of scripts is simplified by using a centrally managed and customizable library of more than 50 popular reusable scripts to address common problems. Actions can include removing or encrypting sensitive data, removing browser extensions, patching web browsers, installing security agents, executing remediations for misconfiguration control failures, or executing remediations for critical vulnerabilities that don’t have immediate patch availability.

CAR script to detect, remove browser extensions

Native Integration with Qualys Cloud Platform for Better Context

Qualys Custom Assessment and Remediation is tightly integrated with the cloud services of Qualys Cloud Platform. This eliminates out-of-band correlation and analysis and makes reporting to stakeholders more efficient, leveraging existing business security processes. As shown below, this dashboard from Qualys Custom Assessment and Remediation displays summary results from Log4Shell custom script detections and remediation actions combined with vulnerability and compliance data.

Integration with Qualys Cloud Platform

See Qualys Custom Assessment and Remediation in Action

Make your Security Operations more productive and efficient within your organization’s existing processes, programs, and workflows… and without relying on IT Ops. Stop inventing new security processes to address immediate threats!

Join our webinar on June 1st where we will demonstrate all the capabilities of Qualys Custom Assessment and Remediation. Put yourself in the driver’s seat!

Better still, sign up to a no-cost trial now and see what this new cloud service can do for your SecOps team.
