Closing the Visibility Gap: How Qualys Cloud Agent Passive Sensor (CAPS) Eliminates Blind Spots Without the Hassle

Himanshu Kathpal

In modern networks, the most significant risks come from systems that fall through the cracks: networks are full of unknown and unmanaged assets. Some are seemingly benign devices introduced by well-meaning employees or contractors that can turn rogue. Others may be genuinely rogue devices introduced by disgruntled employees with access to IT infrastructure, IoT devices running on sensitive OT networks, or legacy systems that their vendor no longer supports but that still support a critical business function.

These systems often live in the shadows, making them prime targets for intruders, so strong security controls and monitoring are absolutely critical. With over 30% of on-premises and cloud assets and services lacking proper inventory, organizations face a significant cybersecurity visibility gap when attacks target unknown, unmanaged, or unauthorized devices. At the same time, such assets are exceedingly difficult to find: 43% of organizations spend 80+ hours each month tracking down unknown assets.

Introducing Qualys Cloud Agent Passive Sensor (CAPS)

Qualys Cloud Agent Passive Sensor (CAPS), the latest addition to the Qualys sensor family, natively integrates network analysis functions into the Qualys Cloud Platform. It completes IT visibility at scale while drastically reducing cost and complexity.

CAPS empowers security teams by giving them the ability to effectively eliminate blind spots and provides them with continuous and comprehensive detection of all assets across their IT and OT environments. Better still, CAPS does this all with zero hassle and overhead, leveraging the same trusted agent that Qualys customers rely on today for Vulnerability Management, Detection, and Response (VMDR), Patch Management (PM), File Integrity Monitoring (FIM), Endpoint Detection and Response (EDR), and more.

Fig 1: CAPS revealing a diverse range of assets on the Asset Inventory page.

The Qualys Network Passive Sensor is a network appliance deployed within corporate networks that provides passive sensing capabilities. However, achieving 100% coverage with traditional, device-based network passive scanners can become challenging in many environments, especially those with dynamic, software-defined networks or sensitive OT environments.

Imagine a network with numerous switches, routers, and access points spread across various locations. Placing network taps at strategic points to capture the entire traffic from every asset becomes difficult due to physical limitations and network design complexities. Full coverage then requires a substantial number of taps, which is often infeasible and cost-prohibitive.

This is when Qualys Cloud Agent Passive Sensor proves to be the most effective solution.

What Are Passive Sensors?

Passive Sensors collect information about network-attached devices by monitoring network traffic data without actively engaging or interacting with the devices or systems. They rely on capturing and analyzing network traffic passively, unlike active scanning, which involves sending requests or probes to devices to gather information.

Passive Sensors allow organizations to continuously monitor their network traffic without disrupting or impacting the normal operation of the systems being observed. By analyzing network traffic passively, organizations can gather valuable information about devices connected to their networks, their communication patterns, protocols being used, and potential security issues. They also help detect unauthorized devices, identify misconfigurations, monitor for suspicious or malicious activities, and aid in incident response and forensic investigations. It is harder for rogue devices to evade detection.

Practical Capabilities of CAPS

CAPS is a new feature available with Qualys CyberSecurity Asset Management (CSAM) and can be enabled with a single click on any licensed Cloud Agent. CAPS turns a Cloud Agent into a Passive Sensor (in addition to other functions it performs routinely), enabling it to monitor broadcast and multicast traffic such as ARP, DHCP, SSDP, mDNS, LLDP, and various Plug-and-Play Network/Service Discovery protocols to achieve broad visibility across the network.

Cloud Agents then collect rich asset metadata and report information such as MAC addresses, IP addresses, hostname, operating system, firmware version, and UUIDs (Universally Unique Identifiers). These data points can be used to build a central inventory of network assets, assess their security posture, and detect anomalies or potential threats.

The data collected through CAPS is automatically aggregated within the Qualys Enterprise TruRisk platform with information from network Passive Sensors, active network scanners, and Cloud Agents. It provides a single, comprehensive, and unified view of the network.

CAPS gives organizations a non-intrusive and continuous approach to network monitoring, strengthening their security measures, providing real-time visibility into their IT assets, and helping them proactively address potential risks or vulnerabilities.

Salient Features of CAPS:

Autonomous Architecture: The Cloud Agent's built-in intelligence autonomously selects a "Leader" Reporter for each Broadcast/Multicast domain. This eliminates the need to have an in-depth understanding of constantly evolving networks, to identify optimal locations for network taps, or to concern yourself with the deployment and associated costs of these taps.

Complementary Scanner and Agent Asset Detection: Identify assets through Qualys CAPS that cannot be actively scanned or monitored with agents. This is often the case with assets like industrial equipment, IoT, and medical devices.

Fig 2: Asset Inventory page showing CAPS detecting an unknown security camera.

Data De-duplication: Automatically analyze asset data aggregated from multiple sensors and de-duplicate it to ensure that you have a single, centralized view of all assets in your environment. For example, if an unmanaged laptop moves from one network to another and two separate sensors in each of these networks discover the laptop, their data will be aggregated, and the laptop will be presented as a single asset.

Fig 3: Asset summary page showing two sources for the same asset.

Bi-directional Integration with IT Systems: Easily synchronize asset data with your CMDB (Configuration Management Database), SIEM (Security Information and Event Management), or data lake.

Automated Filtering: Automatically filter out irrelevant data, such as data from public or home networks, so that security teams only see assets that belong to the corporate environment.

Seamlessly Move "Unmanaged" to "Managed": Remediate unmanaged devices, either by installing Cloud Agents or by remote scanning, to ensure all systems always have proper security controls.

Automated Alerts: Receive alerts whenever unidentified assets are detected through continuous monitoring.

Fig 4: Configuration screen for setting unmanaged asset alerts.
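To make the passive-discovery and de-duplication features concrete, here is an added example (not Qualys code, and not the agent's real record format) that builds an asset inventory from constructed sensor observations. It assumes a simple key=value log line per observed broadcast/multicast frame (ARP, DHCP, SSDP, LLDP, mDNS), keys assets by MAC address, merges what two sensors saw of the same laptop on two different subnets into one record, derives an OS hint from protocol-specific fields, and lists which discovered assets have no Cloud Agent installed (the "unmanaged" set an alert would be raised on). The field names, OS-fingerprinting rules, and sample lines are all constructed for the example.

```python
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample log: what a passive sensor might record after seeing
# broadcast/multicast frames. Two sensors (agent-A, agent-B) on different
# subnets both observe the same laptop (mac ...ee:01) at different times.
SENSOR_LOG = """\
2024-05-01T09:00:00Z sensor=agent-A proto=ARP mac=AA:BB:CC:DD:EE:01 ip=10.0.1.23
2024-05-01T09:00:02Z sensor=agent-A proto=DHCP mac=aa:bb:cc:dd:ee:01 ip=10.0.1.23 hostname=lab-laptop vendor_class="MSFT 5.0"
2024-05-01T09:01:10Z sensor=agent-A proto=SSDP mac=aa:bb:cc:dd:ee:02 ip=10.0.1.40 server="Linux/3.10 UPnP/1.0 IPCamera/1.0"
2024-05-01T09:02:00Z sensor=agent-A proto=LLDP mac=aa:bb:cc:dd:ee:03 ip=10.0.1.1 hostname=core-sw1 description="Switch OS 9.2"
2024-05-01T11:30:00Z sensor=agent-B proto=ARP mac=aa:bb:cc:dd:ee:01 ip=10.0.2.77
2024-05-01T11:30:05Z sensor=agent-B proto=mDNS mac=aa:bb:cc:dd:ee:01 ip=10.0.2.77 hostname=lab-laptop.local
"""


@dataclass
class Observation:
    ts: str
    sensor: str
    proto: str
    mac: str
    attrs: Dict[str, str]


@dataclass
class Asset:
    mac: str
    ips: Set[str] = field(default_factory=set)
    hostnames: Set[str] = field(default_factory=set)
    sources: Set[str] = field(default_factory=set)   # sensors that reported it
    protocols: Set[str] = field(default_factory=set)
    os_hint: str = ""
    first_seen: str = ""
    last_seen: str = ""


def parse_line(line: str) -> Observation:
    """Parse one constructed 'ts key=value ...' line; shlex handles quoted values."""
    parts = shlex.split(line)
    kv = dict(p.split("=", 1) for p in parts[1:])
    # Normalize the MAC so the same NIC seen by two sensors maps to one key.
    return Observation(parts[0], kv.pop("sensor"), kv.pop("proto"), kv.pop("mac").lower(), kv)


def os_hint_for(obs: Observation) -> str:
    """Constructed fingerprinting heuristics from protocol-specific fields."""
    if obs.proto == "DHCP" and obs.attrs.get("vendor_class", "").startswith("MSFT"):
        return "Windows (DHCP vendor class)"
    if obs.proto == "SSDP" and "server" in obs.attrs:
        return obs.attrs["server"]
    if obs.proto == "LLDP" and "description" in obs.attrs:
        return obs.attrs["description"]
    return ""


def build_inventory(log_text: str) -> Dict[str, Asset]:
    """Aggregate observations from all sensors into one de-duplicated inventory."""
    assets: Dict[str, Asset] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        obs = parse_line(line)
        asset = assets.setdefault(obs.mac, Asset(mac=obs.mac, first_seen=obs.ts))
        asset.last_seen = obs.ts
        asset.sources.add(obs.sensor)
        asset.protocols.add(obs.proto)
        if "ip" in obs.attrs:
            asset.ips.add(obs.attrs["ip"])
        if "hostname" in obs.attrs:
            asset.hostnames.add(obs.attrs["hostname"])
        if not asset.os_hint:          # keep the first hint; later ones rarely add much
            asset.os_hint = os_hint_for(obs)
    return assets


def unmanaged(assets: Dict[str, Asset], managed_macs: Set[str]) -> List[str]:
    """MACs discovered passively that have no Cloud Agent: candidates for an alert."""
    return sorted(m for m in assets if m not in {x.lower() for x in managed_macs})


if __name__ == "__main__":
    inv = build_inventory(SENSOR_LOG)
    for a in inv.values():
        print(a.mac, sorted(a.ips), sorted(a.sources), a.os_hint)
    # Constructed: only the switch has an agent-equivalent management record.
    print("unmanaged:", unmanaged(inv, {"aa:bb:cc:dd:ee:03"}))
```

Keying on the MAC address is what lets the two sensors' views of the laptop collapse into one asset with both IPs and both sensors as sources. The caveat a practitioner should keep in mind is that client-side MAC randomization can split one physical device into several inventory entries; a production system would fall back to stronger identifiers such as a UUID or DHCP client identifier when they are present.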

Benefits of CAPS as a Comprehensive Solution:

Introducing passive sensing into the Qualys Cloud Agent brings several unique benefits to the Qualys TruRisk platform, including:

1. Risk Minimization with Comprehensive Visibility. Qualys Cloud Agent Passive Sensor (CAPS) continuously monitors all network traffic and detects 100% of the devices communicating in the network. By eliminating blind spots in real time, CAPS helps security teams find many of the riskiest assets the moment they connect to the network to gain a complete view of cyber risk across the entire attack surface. At the same time, it speeds up risk mitigation and incident triage and response, enabling security teams to proactively contain threats, swiftly remediate vulnerabilities, and strengthen overall security posture.

2. A Unified View for SecOps and IT Ops. CAPS eliminates the cumbersome process of manually stitching together data across VM (Vulnerability Management), ITSM, CMDB, SOC (Security Operations Center), and GRC (Governance, Risk and Compliance) tools. It creates a unified source of truth centralized in the Qualys Enterprise TruRisk platform, non-intrusively covering even sensitive systems.

3. Reduced TCO (Total Cost of Ownership). SecOps and IT teams seek the benefits of reduced risk and comprehensive visibility without additional investments in software or hardware. CAPS consolidates siloed point products into a unified platform, reducing costs for licenses, integration, training, and monitoring.

Summary

The robust and seamless integration of network analysis into the Qualys Enterprise TruRisk Platform represents a significant advancement, offering customers unparalleled visibility with real-time insights into their entire hybrid IT ecosystems.

Through this enhanced feature, CIOs will have a constantly updated overview of their worldwide IT assets, accompanied by two-way CMDB synchronization, giving them unified visibility that stands as the fundamental cornerstone of security.

Get Started Today!

Take control of your IT and OT environments with centralized visibility! CAPS is available today as a feature of Qualys CSAM, which seamlessly aggregates and correlates data from the entire suite of Qualys sensors—CAPS, network scanners, and Cloud Agent active scanning. This powerful integration provides you with a centralized, detailed inventory of your hardware and software, along with a multi-dimensional view of your global, hybrid IT environment.

To learn more on how Qualys can help with security and compliance in your organization:

  • Contact your Qualys Technical Account Manager
  • Start a Qualys Trial at no extra cost.

FAQs

What platform and agent versions are supported?

Windows Cloud Agent 5.4 and greater.

Are there any additional URLs to allow?

Yes, an agent will download the necessary resources from Qualys CDN: https://www.qualys.com/platform-identification/

What licensing is required, and how do I enable it on my subscription?

CAPS is available to CSAM customers and is available by default.

How do you ensure that only corporate assets are discovered?

Users add one or more corporate domains; the agent uses them to determine whether the host running the sensor is on-premises or off-premises.

Will all the CAPS-enabled agents be engaged in passive sensing?

No, if there is more than one CAPS-enabled agent on the same subnet, the agents collaborate to determine a leader and standby. The standby ensures continuity in case the Leader leaves the network.

The Leader

  • Passively senses network traffic
  • Sends asset metadata to the Qualys Platform

The Standby

  • Passively senses network traffic
  • Does not send asset metadata to the Qualys Platform

All other CAPS-enabled agents on the subnet

  • Do not passively sense network traffic
  • Do not send data to the Qualys Platform
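The leader/standby roles above, together with the on-premises domain check and the split-tunnel rule from the surrounding FAQ answers, can be illustrated with the following added example (not Qualys code; the FAQ says the agents collaborate to pick a leader but does not say how, so the deterministic lowest-agent-id tie-break, the corporate domain list, and the agent records are all assumptions made for this example). It assigns one leader and one standby per subnet, marks off-premises or split-tunnelled agents inactive, and shows the standby being promoted when the leader leaves the network.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed list of corporate DNS domains used for the on-prem check.
CORPORATE_DOMAINS = {"corp.example", "lab.example"}

# What each role does, per the FAQ: leader senses and reports, standby senses
# only, everyone else on the subnet is idle, off-prem agents are inactive.
ROLES = {
    "leader":   {"senses": True,  "reports": True},
    "standby":  {"senses": True,  "reports": False},
    "idle":     {"senses": False, "reports": False},
    "inactive": {"senses": False, "reports": False},
}


@dataclass(frozen=True)
class Agent:
    agent_id: str
    subnet: str          # broadcast domain the agent currently sits in
    search_domain: str   # DNS search domain the host currently sees
    split_tunnel: bool = False


def is_on_prem(agent: Agent) -> bool:
    """Off-prem hosts and split-tunnelled hosts never take part in sensing."""
    return agent.search_domain in CORPORATE_DOMAINS and not agent.split_tunnel


def elect(agents: List[Agent]) -> Dict[str, str]:
    """Assign a role to every agent: one leader and one standby per subnet."""
    roles: Dict[str, str] = {}
    by_subnet: Dict[str, List[Agent]] = {}
    for a in agents:
        if not is_on_prem(a):
            roles[a.agent_id] = "inactive"
            continue
        by_subnet.setdefault(a.subnet, []).append(a)
    for members in by_subnet.values():
        # Assumption: deterministic tie-break so every agent reaches the same answer.
        members.sort(key=lambda a: a.agent_id)
        for i, a in enumerate(members):
            roles[a.agent_id] = "leader" if i == 0 else "standby" if i == 1 else "idle"
    return roles


def failover(agents: List[Agent], departed_id: str) -> Dict[str, str]:
    """Re-run the election without the agent that left; the standby moves up."""
    return elect([a for a in agents if a.agent_id != departed_id])


# Constructed fleet: three agents on one subnet, one on another, one remote.
FLEET = [
    Agent("A1", "10.0.1.0/24", "corp.example"),
    Agent("A2", "10.0.1.0/24", "corp.example"),
    Agent("A3", "10.0.1.0/24", "corp.example"),
    Agent("B1", "10.0.2.0/24", "lab.example"),
    Agent("R1", "192.168.1.0/24", "home.example", split_tunnel=True),
]

if __name__ == "__main__":
    for agent_id, role in elect(FLEET).items():
        print(agent_id, role, ROLES[role])
    print("after A1 leaves:", failover(FLEET, "A1"))
```

The point of the standby sensing but not reporting is visible in `ROLES`: when the leader drops off, the standby already has current traffic state and can start reporting immediately, which is the continuity the FAQ describes.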

Will split tunneling be an issue?

No, CAPS considers split tunneled assets as off-premises and, therefore, will be in an inactive state.
