Qualys Patch Management: A Review of New Features in 2023 for Faster Elimination of Cyber Risk

Devendra Dehadaraya

Last updated on: February 2, 2024

The recent debut of Qualys’ Enterprise TruRisk Platform promises three key benefits: measuring, communicating, and eliminating cyber risk across the extended enterprise. Qualys Patch Management plays a pivotal role in this process towards the rapid elimination of cyber risk.

Our focus during 2023 was to help customers reduce their organizational risk in a more efficient and optimized way. Smart automation techniques were implemented within the application that:

  • Have the ability to fix more vulnerabilities on all device types and simplify the remediation process and tracking.
  • Use vulnerability and risk data from the customer’s environment to determine which products and patches are the best candidates for smart automation.
  • Ensure maximum risk reduction and minimize the operational risk involved in deploying patches by using a data-based approach.

We’re proud of the product innovations we introduced last year and are even more excited for the future! If you missed any of our announcements throughout the year, this blog post will catch you up on the top capabilities added to Qualys Patch Management during 2023.

Risk Reduction Recommendation Report

The primary focus of Qualys Patch Management is helping customers optimize the remediation process to reduce risk faster, i.e., fixing QIDs. Last year, we introduced the prioritized products tab, which helps customers use historical vulnerability data to determine which products they should proactively automate patching for (hint: focus on the products that introduced the most vulnerabilities), so that those applications are always patched and updated to the latest version. Later, we introduced a new real-time report designed to help customers analyze their vulnerabilities and find the patch that, if deployed, will reduce the most risk within their environment. In other words, it answers the hypothetical question: if I can only deploy one patch, which patch will reduce the most risk in my environment?

For more details, please refer to the blog post: Reduce Risk Faster With the Qualys Risk Reduction Recommendation Report.
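The "if I can only deploy one patch" question above, worked as an added example. This is not Qualys code and not the report's actual algorithm: it assumes risk scores are additive per detection, and every asset name, QID, score and patch name below is constructed. It goes one step further than the single-patch question and ranks the remaining patches by the risk each still removes after the earlier picks.

```python
# Constructed sample data, not real Qualys output: each open detection is
# (asset, QID, risk score). QIDs and scores are placeholders.
DETECTIONS = [
    ("web-01", 100001, 95), ("web-01", 100002, 40),
    ("web-02", 100001, 95), ("web-02", 100003, 70),
    ("db-01", 100003, 70), ("db-01", 100004, 30),
    ("hr-07", 100002, 40),
]

# Constructed mapping: the QIDs each patch fixes and the assets it applies to.
PATCHES = {
    "patch-A": {"qids": {100001}, "assets": {"web-01", "web-02"}},
    "patch-B": {"qids": {100001, 100002}, "assets": {"web-01", "hr-07"}},
    "patch-C": {"qids": {100003, 100004}, "assets": {"web-02", "db-01"}},
}


def closes(patch, detection):
    """True if deploying `patch` would close this (asset, qid, score) detection."""
    asset, qid, _score = detection
    return asset in PATCHES[patch]["assets"] and qid in PATCHES[patch]["qids"]


def risk_removed(patch, open_detections):
    """Total score of the open detections that `patch` would close."""
    return sum(d[2] for d in open_detections if closes(patch, d))


def rank_patches(detections=DETECTIONS):
    """Greedy ranking: pick the patch with the largest marginal risk reduction,
    remove what it closes, then repeat on the detections still open."""
    remaining = set(detections)
    candidates = set(PATCHES)
    ranking = []
    while candidates:
        # sorted() makes tie-breaking deterministic (alphabetical by name)
        best = max(sorted(candidates), key=lambda p: risk_removed(p, remaining))
        gain = risk_removed(best, remaining)
        if gain == 0:
            break  # no remaining patch closes any open detection
        ranking.append((best, gain))
        remaining = {d for d in remaining if not closes(best, d)}
        candidates.discard(best)
    return ranking


if __name__ == "__main__":
    for name, gain in rank_patches():
        print(f"{name}: removes {gain} risk points")
```

Scored in isolation, patch-B beats patch-C, but once patch-A is deployed most of patch-B's value is already gone, which is why the order is recomputed after each pick.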

Added Support for Mac OS and Mac Third-Party Applications

In February of last year, we introduced support for Mac OS and third-party application patching on Mac, with the same familiar workflows used by customers for patching Windows and its applications. Patch Management has made continuous improvements since then to keep Mac capabilities on par with the Windows patching feature set.

For more details, please refer to the blog post: macOS Patching Is Here!

Broadened Support for Linux Patching

Unlike Windows OS and Mac OS, Linux has many different variants, each of which has vulnerabilities that require different remedial processes. To help customers eliminate risk, during 2023 we continued expanding our support for Linux variants so that you can use the same Qualys TruRisk Platform to eliminate risk across them. For example, we added support for SUSE and openSUSE, Oracle Linux, Rocky Linux, Debian, Ubuntu, and AlmaLinux. We have also ensured parity between Windows and Linux in supported capabilities such as reporting, pre- and post-actions, job-level debugging, and others.

Deployment Rings for Testing and Automation

This new capability allows customers to create a job or jobs to test candidate patches against test devices and then use the same tested patches within another job to deploy into production. The capability offers additional benefits for patch automation. Deployment of most new patches (think 95% or more) does not cause any operational impact.

With this new feature, customers can create an automated test job that runs, for example, a day after each Microsoft Patch Tuesday, targeting a set of test devices and deploying the latest Microsoft security patches. You might create another automated patch deployment job eight days after each Patch Tuesday using the exact same patches validated in the first test job. As a result, two days after Patch Tuesday, the latest Microsoft patches will be deployed to test devices; eight days after Patch Tuesday, the second job will automatically deploy the same tested patches into production – all without user intervention. Since most patches will cause no harm, only in rare cases where a patch is breaking an application on the test machine will an administrator need to intervene and manually stop the production job from running. It’s a tremendous time saver for security and IT professionals!

Report and Communicate Your Patch Progress to the Business

We have added a few more widgets that can be used within the Patch Management dashboard to help customers communicate to the business how many patches were deployed and how many vulnerabilities were remediated because of those patches. Patch Management reports clearly and simply correlate the action of patching software with the real benefit of enterprise risk reduction.

Job Debug and Management

Realistically, while Qualys deploys vendor-provided patches, things can go wrong, and a patch may fail to deploy. I like to call it “Windows Voodoo,” but there are many reasons why this can happen with Windows, Mac, or Linux. In 2023, Qualys invested significant effort in helping customers manage and debug these failed deployments. New features for job debug and management include more reports, more granular status readings for patches and jobs, and updated agent logs to help customers better understand where and why things went wrong. We will continue refining these capabilities in 2024.

We also introduced aggregated job-level reporting, which consolidates details across multiple jobs to help correlate failures and to better track patches and assets within those jobs.

Expanding API Base for Smooth Integrations

Expanded API support allows customers to integrate Patch Management with other tools, such as getting a list of the “right” patches required to remediate a list of QIDs. The APIs come with Swagger support, which helps users understand how each API works, the inputs it needs, and the output it returns without having to go through static documentation.

ServiceNow Integration

New out-of-the-box closed-loop integration with ServiceNow change management workflows helps our customers using ServiceNow to implement ITIL processes. Users can deploy patches against detected vulnerabilities upon approval, assign change tickets to specific assignment groups, and track changes done in the environment by logging the details of patch jobs back in ServiceNow change tickets.

For more details, please refer to the blog post: Automating Vulnerability Management with Qualys VMDR & ServiceNow.

Other Capabilities

We added many other features to improve the overall experience of using the product:

  • The ability to download files to the agent from local SMBs while executing the install software action
  • The ability to patch products with gated patch files (e.g., Java and Citrix), and more
  • System reboot as a pre-action
  • Global settings to bypass PowerShell policies for running pre/post actions and to prioritize patch deployment over other scans

To 2024 and Beyond

In closing, we’re pleased with the innovations released in 2023, and Qualys Patch Management has an exciting roadmap for 2024.

Qualys welcomes customer engagement. If you are curious about the roadmap or would like to share ideas for improvements, please contact your Technical Account Manager to schedule a call. If you are not a customer but would like to learn more about Qualys Patch Management, check out this product description and consider a complimentary 30-day trial.

Contributors

  • Eran Livne, Senior Director, Endpoint Remediation, Qualys