Use Qualys ­­Flow to Automate Detection & Remediation with No-code Workflows

Parag Bajaria

Last updated on: December 12, 2022

The threat landscape is rapidly and constantly evolving. New software vulnerabilities and service misconfigurations are discovered daily, and exploits targeting them are often released within hours. For effective security, pursuing the automation of both detection and remediation processes is essential.

Several factors make security automation particularly challenging. First, the complexity of handoffs between Cybersecurity and IT Operations teams. Second, the need to orchestrate multiple tools such as security, change management, and alerting. A typical cybersecurity process in an enterprise looks like the following:

  1. Detect – To detect vulnerabilities and misconfigurations, Cybersecurity teams periodically scan their systems, which involves the following steps:
    1. Configure scanning for each cloud account with appropriate scanning parameters
    2. Decide how often to scan
    3. Stay on top of newly added cloud accounts, and then repeat steps (1.1) and (1.2) for new accounts
  2. Analyze – Cybersecurity teams then analyze the results of the security scan to:
    1. Identify and prioritize vulnerabilities and misconfigurations according to severity, criticality, risk score, and location (perimeter or internal)
    2. Create a ticket for the IT Operation team in their ITSM system to remediate the findings
  3. Remediate – IT Operations team processes and clears the security tickets as follows:
    1. Analyze the ticket
    2. Put in a change order ticket
    3. Once the ticket is approved, remediate the finding by applying a patch or correcting the misconfiguration
    4. Close the security ticket

On average, most enterprises take 45 days to patch a high-criticality vulnerability, according to Qualys research. The main reason is cascading delays due to poor orchestration of the various steps outlined above.

What if the steps in this complex process could be automatically orchestrated?

Introducing Qualys Flow

Qualys makes this possible through a new offering called Qualys Flow. Qualys Flow is a no-code automated workflow creation capability that allows you to build workflows, known as QFlows. It provides end-to-end orchestration of detection and remediation processes within the Qualys Cloud Platform as well as from your cloud infrastructure such as AWS. Qualys Flow visualizes the logical flow of events, data, and actions in the form of nodes, each of which delivers a specific function in the detection, analysis, or remediation chain. QFlows can be created directly in the UI by dragging and dropping nodes and configuring them as needed.

Let’s walk through two end-to-end security automation examples using Qualys Flow.

Using Qualys Flow to Automate Vulnerability Scanning and Remediation of Internet-facing Assets

Here’s an example from Qualys Flow for orchestrating and automating a workflow for risk assessment, vulnerability assessment, and remediation of a newly deployed virtual machine.

Qualys Flow visualizes complex workflows in its intuitive UI

All QFlows begin with a Trigger node, which specifies what event triggers the workflow. For this QFlow, we have configured the Trigger node to listen for a new virtual machine event.

Since we only want to scan Internet-facing assets, the next step is to check whether the virtual machine has a public IP address. We will assign an “external” Qualys tag using the Tagging node. Assigning Qualys tags is recommended for assets so you can use them later in other workflows. An example is creating vulnerability reports specific to virtual machines with external tags.

After assigning the tag, we now conduct a perimeter scan using a Qualys Action node. Qualys Action nodes allow you to call Qualys APIs for the supported application(s).

Upon completion of the scan, we check the virtual machine’s Qualys TruRisk score to verify that it is >900. The TruRisk score is calculated by analyzing several factors, including CVSS scores, asset criticality, etc., to establish that asset’s overall risk level. The TruRisk score ranges between 0 and 1000, with 0 representing the lowest risk and 1000 representing the highest risk. The TruRisk scoring model indicates that a virtual machine with a score >900 should be quarantined immediately.

Our next step is to quarantine the virtual machine. We do this by attaching a deny-all security group to it, preventing all communication with the network. In Qualys Flow, you can perform any action that the cloud service provider’s API supports. This means you can perform other actions, such as suspending or terminating the virtual machine, to quarantine the virtual machine.

We then notify the IT Operations and Cybersecurity teams about the quarantined VM by creating a ServiceNow ticket. Any remediation actions will require approval. As soon as the approval has been received, Qualys patches the VM automatically, removes it from quarantine by detaching it from the security group, and then closes the ServiceNow ticket.

Using Qualys Flow to Ensure that AWS EC2 Snapshots are Encrypted

Our next example involves triggering workflow actions in your AWS environment directly from Qualys Flow.

IT organizations frequently take snapshots of their virtual machines for backup purposes. One of the frequent mistakes we have seen customers make is forgetting to encrypt backups. If your organization suffers a breach, hackers can easily access the data in your virtual machines if your backups are not encrypted.

Using Qualys Flow, the Cybersecurity team can detect whether backups are encrypted and then encrypt them if they aren’t, as shown below. In this way, QFlow does its part to enforce security best practices automatically. Set it and forget it.

Qualys Flow also integrates with Qualys CloudView. You can create a custom control in CloudView by simply linking it to a QFlow.

Qualys Flow features full workflow integration with AWS

Conclusion

Qualys Flow empowers cybersecurity professionals to create powerful security automation workflows without writing a single line of code. Actions are orchestrated across Qualys cloud services, third-party applications, and cloud service providers using QFlow nodes arranged in a logical process. Many templated workflows are available out-of-the-box in QFlow. These templates can be used as-is or customized to meet your specific needs.

Qualys Flow is now generally available and currently supports workflows for AWS and Azure cloud. Interested parties can get started with QFlow for free by signing up for a free trial of Qualys CloudView here. Existing Qualys customers can try QFlow by contacting their Technical Account Manager for set up.

You are invited to join Qualys at AWS re:Inforce, being held July 26-27th in Boston. Drop by Booth #111 to learn about Qualys Flow. Visit this site to learn more.

Show Comments (3)

Leave a Reply to Parag Bajaria Cancel reply

Your email address will not be published. Required fields are marked *

  1. Hi Damian,

    Non-cloud environments are supported. Using the HTTP node, you can access any public endpoint, including Qualys API or any other service. We are building out-of-the-box integration to popular tools, but you can use any HTTP service. Let me know if you have a specific use case in mind and I can comment on the feasibility to implement it.

    Parag