New vulnerabilities are found almost daily. However, most organizations struggle to identify, prioritize, and remediate vulnerabilities efficiently—making their environments vulnerable to risk. Last year, Qualys introduced Qualys VMDR with TruRiskTM, which helps organizations quantify cyber risk so that they can accurately measure it, take steps to reduce exposure, track risk reduction trends over time, and better measure the effectiveness of their cyber security program.
In a recent analysis, Aflac was able to reduce risk by 55% by leveraging Qualys TruRisk™ to focus on the highest risk first.
As an extension to TruRisk, Qualys Patch Management is now introducing the Risk Reduction report, which brings the remediation steps closer to vulnerabilities by using TruRisk scores to help organizations focus on the top remediation actions that will reduce the risk faster.
The Risk Reduction Recommendation Report
When you click the Prioritized Products tab from the Qualys Patch Management application, you will see a new report named “Risk Reduction Recommendation.” It lists the top 50 patches that will help you remediate the vulnerabilities (QIDs) with critical and high-risk QDSs (Qualys Detection Scores) found against the assets.
These top 50 patches are listed against the assets that are associated with the selected asset tag. One may change the default tag selection to focus on the right environment during execution.
Another alternative view is to group the patches based on the product family. This helps you select all the latest patches, including the cumulative and superseding patches applicable to the product family. This view is more helpful from an IT Operations perspective, where the focus is on reducing risk from a product perspective rather than focusing on some version updates.
How the Report Helps
Let us look at critical vulnerabilities in VMDR, whose QDS score is greater than 90.
As you can see in the screenshot above, there are a lot of vulnerabilities detected against the assets for different product families.
If you want remediation details against the vulnerabilities that will help reduce the overall organization risk, go to the “Risk Reduction Recommendation” report in the Qualys Patch Management application.
Top 50 patches against critical QDS:
Grouping patches by product family:
This report shows patches that you should execute against those assets or products. The patching job, once successful, will help you eliminate the risk posed by the critical and high QDS vulnerabilities. Once these patches are applied and vulnerabilities are fixed, this report will show the next top 50 patches that you should focus on.
Proactive and Reactive Patching
Most organizations focus on automating patching processes and often want to patch the most common applications, like updates to browsers, such as Chrome and Firefox, as soon as the vendors publish new versions. Such applications are easy to patch, and if they are deployed automatically, they rarely cause any operational problems. The “Patch Automation” report under the “Prioritized Products” tab shows the products with the highest vulnerabilities reported in your environment. This report helps in proactively creating zero-touch patch jobs, which can be aimed at automatically patching the applications that get the highest number of vulnerabilities without looking at the vulnerability scan reports.
Another pivot to creating a zero-touch patch automation job is by looking at the VMDR prioritization report. Using the VMDR prioritization, you can create jobs based on vulnerability attributes that can target critical vulnerabilities such as ransomware, Cybersecurity and Infrastructure Security Agency (CISA) Known Exploitable, zero-day threats based on RTIs, etc., as soon as they are detected in the environment.
The “Risk Reduction Recommendation” report under patch management is meant for a reactive patching process where organizations want to analyze the vulnerabilities found in the environment. It allows users to assess their business risk and the impact that may be caused by patching against the vulnerabilities, so they make this evaluation before selecting patches from the report.
Get Started Now
Address the most critical vulnerabilities with efficient vulnerability remediation, including automated patching based on prioritized risk reduction data with the Risk Reduction Recommendation report. See for yourself by registering for a Qualys Patch Management free trial!