CSAM Drives Accurate TruRisk Scoring with EoL/EoS, Unauthorized Software, and Missing Security Agents

Kunal Modasiya

With the release of the Enterprise TruRisk Platform, Qualys is focusing each of its cyber security solutions on the more holistic goals of measuring, communicating, and eliminating cyber risk across the extended enterprise. Each offering within the platform works together, driving toward these goals to de-risk the business.

With that in mind, let’s look at the new ways CyberSecurity Asset Management (CSAM) contributes to TruRisk with Inventory Risk Assessment, helping both Security and IT teams understand and eliminate risk across the environment.

What is Inventory Risk Assessment?

You may have heard asset management or “knowing your assets” referred to as the foundation of a cyber security program. You can’t protect what you can’t see. Once you’ve identified your assets, the next stage of maturity is to identify vulnerabilities, right?

Well, not yet.

“Knowing your assets” means more than simply identifying them. You need to identify the assets AND understand the business context and cyber risk associated with them. This is often described exclusively in terms of vulnerabilities, but there’s more foundational work to do first.

Does the asset have:

  • Unapproved ports?
  • Unsupported (EOL) software?
  • Unauthorized software, open-source, or risky software?
  • Missing security and IT agents?

Once you understand these attributes, you truly “know your assets” and have a foundation for Risk-Based Vulnerability Management. You can’t have a successful vulnerability management (VM) program if misconfigured assets and unapproved or EoS software constantly introduce vulnerabilities that could have been avoided.

With Inventory Risk Assessment, CSAM adds further risk factors to TruRisk: EoS software, risky ports, unauthorized software, and missing agents.

CSAM has always identified these attributes, but now they are tracked, aggregated, and scored automatically into TruRisk to streamline communication and remediation across stakeholders from a single view.

Measure, communicate, and eliminate tech debt

CSAM provides a large hardware and software lifecycle catalog that is built and curated by a dedicated team of researchers and analysts. Through this robust process, Qualys delivers automated updates to all CSAM customers daily (from a catalog of over 5,500 software publishers and 300,000 software releases). This helps organizations prioritize the risk of end-of-life and upcoming end-of-support hardware and software.

CSAM now incorporates End-of-Support (EoS) data into the TruRisk scoring for assets. This allows security teams to:

  • Measure the risk posed by current and upcoming EoS software that contains critical vulnerabilities
  • Communicate status and mitigation strategy to internal and compliance stakeholders
  • Eliminate tech debt in order of highest potential business impact

In the example below, we are searching across all software inventory for software that is end-of-support or upcoming end-of-support and further filtering for software that has more risk due to vulnerabilities by using the “detectionScore” search token.

Within asset details, under the TruRisk tab, you will see the overall Risk Score, highlighting the highest contributing factors. Each tab below provides the list of contributing factors.

Within the “End of Support” tab, you get the list of unsupported software that has reached end-of-support as well as software that will be end-of-support in the next six months.

Each software item in this list is scored with a Qualys Detection Score (QDS) and sorted from most critical to least critical.

By clicking on the QDS for software, you can bring up the detail page to understand how it was scored and the supporting information.

Clicking on the “CVE details” brings up the list of vulnerabilities associated with this software version. Vulnerabilities are matched with Threat Intelligence, scored, and listed in descending order of criticality.

With this latest addition to TruRisk Scoring, you can zero in on risk associated with upcoming EoS software and prioritize mitigation in advance.

Automatically identify unauthorized software/services that introduce cyber risk

Today’s workforce is often tech-savvy enough to find and use the technology they need, which creates business advantages. As a result, the enterprise attack surface is often littered with unauthorized software, which may or may not pose cyber risk. This can often include file-sharing software, packet inspection software, or open-source tools containing high-risk components (Log4j).

It’s neither practical nor helpful to the business for IT and Security to sift through every instance of unauthorized software and remove it. They need to be able to assess the risk of unauthorized software according to asset criticality and aim to remove the riskiest instances.

Once again, CSAM solves this challenge by including unauthorized software and associated vulnerabilities as a vector within TruRisk Scoring.

In the example below, you see a Firefox browser installed on a database server. An IT admin installed it to perform an isolated task and left it behind.

In this case, Firefox has multiple vulnerabilities, and it’s a waste of time for IT and Security to patch it as it no longer serves a purpose. The more practical solution is to monitor Firefox as unauthorized software on a database server and then have it removed.

By using TruRisk to prioritize risky unauthorized software, we have eliminated potentially critical risk AND avoided wasting resources to patch a useless software instance.

With CSAM, Security and IT have a single source of truth to query and filter unauthorized software with risk and potential business impact.

Where are required security and IT agents missing?

One way you’re de-risking your business is by deploying security and IT agents to assets to monitor, log, and remediate risk throughout the environment. But how do you know that all assets are running the appropriate agents?

CSAM allows you to define policies for required agents and criticality for each type of asset (e.g., database servers require a DLP agent, PCI assets require an endpoint agent, etc.) so that security policies scale automatically. CSAM analyzes the cyber risk of inventory, including missing agents. Now it will also consider missing agents (anti-virus, EDR, etc.) along with all other risk factors to determine the TruRisk of an asset.

For example, a group of recently discovered, unmanaged assets are missing the Splunk Collector agent or the EDR agent. How urgently must those agents be deployed? What is the potential risk for the business?

With Qualys TruRisk, you can pinpoint the risk to the business automatically. There is no need to comb individual asset records to determine business context—it’s already considered and sorted according to TruRisk. Now, IT and Security teams are on the same page when it comes to deploying missing agents.
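As an added illustration (not Qualys's scoring algorithm or catalog data), the following Python sketch applies the three inventory risk factors described above to a constructed asset list: software that is EoS or reaches EoS within the six-month window, software unauthorized for the asset's role, and agents required by role but missing, all weighted by asset criticality. The policy tables, weights, and sample records are assumptions made for this example.

```python
from datetime import date, timedelta

# Constructed policy data for this illustration (hypothetical, not Qualys's catalog).
REQUIRED_AGENTS = {"database": {"edr", "dlp"}, "pci": {"edr"}}  # agents each role must run
UNAUTHORIZED_BY_ROLE = {"database": {"firefox"}}                # software with no business on that role
EOS_WINDOW = timedelta(days=182)                                # "upcoming EoS": within about six months

def assess_asset(asset, today):
    """Score one inventory record; returns (score, findings).
    Weights are illustrative: the summed base value is multiplied by the asset's
    criticality (1-5), so the same gap counts for more on a critical asset.
    """
    findings, base = [], 0
    for sw in asset["software"]:
        eos = sw["eos"]  # date support ends, or None while still supported
        if eos is not None and eos <= today:
            findings.append(f"EoS: {sw['name']} {sw['version']} unsupported since {eos}")
            base += 3 + sw["qds"] // 20          # weight by the software's detection score
        elif eos is not None and eos - today <= EOS_WINDOW:
            findings.append(f"upcoming EoS: {sw['name']} {sw['version']} on {eos}")
            base += 1 + sw["qds"] // 30
        for role in asset["roles"]:
            if sw["name"] in UNAUTHORIZED_BY_ROLE.get(role, set()):
                findings.append(f"unauthorized on {role}: {sw['name']} (QDS {sw['qds']})")
                base += 2 + sw["qds"] // 20
    required = set().union(*(REQUIRED_AGENTS.get(r, set()) for r in asset["roles"]))
    for agent in sorted(required - asset["agents"]):
        findings.append(f"missing agent: {agent}")
        base += 4
    return base * asset["criticality"], findings

def rank_inventory(inventory, today):
    """Order assets by descending score as (hostname, score, findings) rows."""
    rows = [(a["hostname"], *assess_asset(a, today)) for a in inventory]
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed sample inventory: a database server with a leftover browser, a workstation nearing EoS.
TODAY = date(2023, 6, 1)
INVENTORY = [
    {"hostname": "db01", "roles": ["database", "pci"], "criticality": 5, "agents": {"edr"},
     "software": [{"name": "firefox", "version": "110", "qds": 80, "eos": None},
                  {"name": "postgres", "version": "9.6", "qds": 60, "eos": date(2021, 11, 11)}]},
    {"hostname": "ws17", "roles": ["workstation"], "criticality": 2, "agents": {"edr"},
     "software": [{"name": "libreoffice", "version": "7.3", "qds": 35, "eos": date(2023, 11, 15)}]},
]

if __name__ == "__main__":
    for host, score, findings in rank_inventory(INVENTORY, TODAY):
        print(host, score, *findings, sep="\n  ")
```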

Taking a risk-based approach

100% coverage of the attack surface is a fantastic prerequisite goal, but the inventory must contain actionable data. That means Security teams must understand the business context, asset criticality, and ultimately, the cyber risk associated with each asset by considering all risk factors.

Today, you can add tech debt, unauthorized software, and missing security agents to the list of risk factors that Qualys automatically captures and analyzes to provide a TruRisk Score.


Improve your asset coverage and turbocharge your risk-based vulnerability management program.
