Qualys Announces TruRisk Eliminate to Augment Patching

Eran Livne

Last updated on: August 1, 2024

About five years ago, we launched Qualys Patch Management to empower our customers not just to detect and prioritize vulnerabilities but also to remediate them effectively. Since then, we have helped our customers address hundreds of millions of vulnerabilities, significantly improving the security of their environments.

Now, we are leapfrogging forward and expanding our remediation capabilities to address vulnerabilities that do not have a patch or for which a patch cannot be deployed.

Our customers use Qualys Patch Management either as a complementary solution to their existing patch system or as a standalone solution. In both cases, they efficiently leverage patch automation at scale to address vulnerabilities in Windows, Linux, macOS, and third-party applications.

However, while patch management is a core capability for remediating vulnerabilities, it is not the only option, and in some cases, it may not be a viable option at all. That’s why we’re excited to announce that we’re introducing Qualys TruRisk Eliminate so our customers can address all vulnerabilities—even those that can’t be patched.




When Patching is Not a Viable Option

As our research shows and many of our customers told us, patching is not always the right answer to address a vulnerability. Here are a few reasons why:

  1. Not all vulnerabilities can be remediated with a patch. For instance, a vulnerability in end-of-life (EOL) software will never receive a patch; the software has to be uninstalled or replaced. Others, such as the long-deprecated SMB 1.0 protocol on Windows, are closed by a configuration change (a registry key, or removing the optional feature) rather than by a patch.
  2. Certain cases, such as the PrintNightmare vulnerability, require both a patch and a registry key change to be fully remediated: the update adds the hardening, but it is only effective if the Point and Print registry values are also set securely. Without both, the vulnerability remains exploitable.
  3. Sometimes, the business risk of deploying a patch is too high. Remediation teams may be concerned about potential downtime or outages that could directly impact the business and its customers.
  4. Vendors often release workarounds to mitigate zero-day vulnerabilities days or even weeks before an actual patch becomes available.

At Qualys, our goal is to help our customers reduce risk. Recognizing that risk reduction extends beyond just applying patches, we are expanding our solutions to help customers address all vulnerabilities, even when a patch is unavailable or cannot be deployed.

Introducing TruRisk Eliminate

Starting at the end of Q3 2024, Qualys TruRisk Eliminate will enable customers to use the same Qualys agent to deploy patches and map vulnerabilities to various actions that can be executed by the agent, addressing those vulnerabilities with or without deploying a patch.

Qualys TruRisk Eliminate Highlights:

  • Map Vulnerabilities to Patches and Required Configuration Changes: Identify and link vulnerabilities to their corresponding patches and necessary configuration changes for remediation.
  • Map Vulnerabilities Without Patches to Recommended Actions: Address the vulnerabilities that do not have patches available by mapping them to recommended remediation actions, such as applying registry key changes or uninstalling software.
  • Address Situations Where Critical Vulnerabilities Must Be Mitigated but the Business Risk of Deploying a Patch Is Too High: The Qualys Threat Research Unit continuously researches critical vulnerabilities and maps them to non-patch actions designed specifically to mitigate the risk of those vulnerabilities. Some examples of such actions are blocking specific ports, stopping specific services, or making configuration changes—all ways to reduce or completely mitigate risks.
  • Isolate Devices for Critical Issues: Ensure critical issues are addressed by isolating affected devices from the network.
  • Mitigate Zero-Day Vulnerabilities: Map zero-day vulnerabilities to non-patch actions based on vendor and Qualys research to effectively mitigate these threats.




How Does TruRisk Eliminate Work?

Let’s take a sample vulnerability, CVE-2024-1086 (a Linux kernel use-after-free in the netfilter nf_tables subsystem, also known as “Flipping Pages”), and a situation a customer may face when choosing how to handle it. Based on anonymized Qualys data, CVE-2024-1086 has been detected more than 1.5M times, and only 20% of those detections have been remediated in customer environments. Furthermore, the organizations that did remediate it took an average of 28 days to do so. For a vulnerability listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, that is far too long.

With TruRisk Eliminate, Qualys customers will be able to address this vulnerability far more efficiently.

Assume a customer has CVE-2024-1086 detected on their Linux-based desktops and a few production servers. Qualys TruRisk Eliminate maps this CVE to several alternative actions to help customers address it.

  1. One action is to deploy the relevant patch.
  2. Another action is to apply a configuration update that blocks unprivileged user namespace creation, among other configuration changes, which, based on insight from the Qualys Threat Research Unit, mitigates the vulnerability until a patch can be deployed.
  3. The final alternative is to isolate the entire device from the network, ensuring the vulnerability cannot be exploited.

Deploying the patch is considered less risky on Linux desktops, so the organization may choose to use the Qualys agent to test and deploy the patch there. Applying the same patch to production servers, however, may be too risky at present. Instead, the organization can use the Qualys agent to apply the suggested mitigation, provided the application owners consider the operational risk of blocking user namespace creation acceptable: workloads that depend on unprivileged user namespaces, such as rootless containers, will stop working once the setting is applied, so that is the trade-off they are weighing. Minimal manual work is required of the remediation teams for either action, as all actions are pre-packaged and ready to be deployed by the Qualys agent. Once the actions have been taken through Qualys, the results are automatically reflected in the VM reports, with the relevant QIDs marked as closed for the desktops and as mitigated for the production servers. A mitigated QID is not a closed one: the vulnerable code is still present on those servers, and the finding should stay on the remediation backlog until the patch is deployed.
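The mitigation described above, as a worked example that is not part of the original post and not Qualys code: a small shell script that checks whether a Linux host already blocks unprivileged user namespace creation and, if asked, installs that block as a persistent sysctl drop-in. The exploit path for CVE-2024-1086 needs CAP_NET_ADMIN to reach nf_tables, which an unprivileged user normally obtains by creating a user namespace; cutting that off is what the setting achieves. Assumptions: the kernel exposes at least one of the two sysctl knobs used here (user.max_user_namespaces upstream, kernel.unprivileged_userns_clone on Debian/Ubuntu kernels), and the drop-in path in DROPIN_FILE is chosen for this example, not a Qualys or distribution default.

```shell
#!/bin/sh
# Added example (not Qualys code): check for, and install, the
# "block unprivileged user namespace creation" interim mitigation for
# CVE-2024-1086 on a Linux host that cannot take the kernel patch yet.
#
# Assumptions: the running kernel has at least one of the two sysctl
# knobs below; DROPIN_FILE is a path chosen for this example.
set -u

DROPIN_FILE="${DROPIN_FILE:-/etc/sysctl.d/99-cve-2024-1086-userns.conf}"

# Print "mitigated" or "exposed" for sysctl output ("key = value" lines)
# read from stdin. Either knob at 0 is enough:
#   user.max_user_namespaces = 0       forbids user namespaces for everyone
#                                      in the initial namespace (upstream)
#   kernel.unprivileged_userns_clone = 0  forbids them for non-root only
#                                      (Debian/Ubuntu kernels)
# Feed it `sysctl -a` on a live host, or constructed lines when testing.
userns_state() {
  mitigated=0
  while IFS='= ' read -r key value; do
    case "$key" in
      user.max_user_namespaces|kernel.unprivileged_userns_clone)
        if [ "$value" = "0" ]; then mitigated=1; fi ;;
    esac
  done
  if [ "$mitigated" -eq 1 ]; then echo mitigated; else echo exposed; fi
}

# Report which knob this kernel has. The Debian/Ubuntu root-only switch is
# preferred when present because it leaves root (and root-owned services)
# able to use user namespaces; the upstream limit blocks everyone.
detect_knob() {
  if [ -e /proc/sys/kernel/unprivileged_userns_clone ]; then
    echo kernel.unprivileged_userns_clone
  elif [ -e /proc/sys/user/max_user_namespaces ]; then
    echo user.max_user_namespaces
  else
    return 1
  fi
}

# Write a sysctl.d drop-in setting knob $1 to 0 at path $2, so the
# mitigation survives reboots rather than living only in `sysctl -w`.
write_dropin() {
  {
    printf '# Interim mitigation for CVE-2024-1086 (nf_tables use-after-free).\n'
    printf '# Unprivileged users cannot create user namespaces, so they cannot\n'
    printf '# obtain CAP_NET_ADMIN to reach the vulnerable nf_tables code.\n'
    printf '%s = 0\n' "$1"
  } > "$2"
}

# Install and activate the mitigation (root required), then re-check.
apply_mitigation() {
  knob=$(detect_knob) || { echo "no user-namespace sysctl on this kernel" >&2; return 1; }
  write_dropin "$knob" "$DROPIN_FILE"
  sysctl -p "$DROPIN_FILE" >/dev/null || return 1
  sysctl -a 2>/dev/null | userns_state
}

case "${1:-}" in
  check) sysctl -a 2>/dev/null | userns_state ;;
  apply) apply_mitigation ;;
  *) : ;;   # no argument: only define the functions, so the file can be sourced
esac
```

Run it as `sh userns-mitigation.sh check` to see whether a host is already covered, and as root with `apply` to install the drop-in. Before rolling it out, confirm with the application owners that nothing on the server creates user namespaces as a non-root user (rootless Podman or Docker, bubblewrap/flatpak, browser sandboxes, systemd units using DynamicUser or PrivateUsers), since those stop working under either knob. A different interim option that vendor advisories for this bug also document is to stop the nf_tables module from loading with a modprobe.d `install` rule, which is only viable on hosts that do not rely on nftables-based firewalling; either way, keep the QID tracked as mitigated rather than closed until the kernel patch lands.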

Conclusion

Qualys continues to evolve to meet the complex security needs of our customers. With the introduction of TruRisk Eliminate, we provide comprehensive solutions that go beyond traditional patch management, ensuring that all vulnerabilities can be effectively addressed. By leveraging our advanced mapping of vulnerabilities to various remediation actions, including non-patch solutions, we empower organizations to maintain robust security postures even in the face of the most challenging threats.

For more information and to experience these capabilities firsthand, visit our booth at Black Hat or contact your TAM.


Don’t miss the opportunity to enhance your security environment—join our waitlist to be the first to find out when TruRisk Eliminate is live.

