Qualys Announces TruRisk Eliminate to Augment Patching
Last updated on: December 16, 2024
About 5 years ago, we launched Qualys Patch Management to empower our customers not just to detect and prioritize vulnerabilities but also to remediate them effectively. Since then, we have assisted our customers in addressing hundreds of millions of vulnerabilities, and since January 2024, we have deployed more than 100M patches, significantly enhancing the security of their environments.
Now, we are leapfrogging forward and expanding our remediation capabilities to address vulnerabilities that do not have a patch or for which a patch cannot be deployed.
Our customers use Qualys Patch Management either as a complementary solution to their existing patch system or as a standalone solution. In both cases, they efficiently leverage patch automation at scale to address vulnerabilities in Windows, Linux, macOS, and third-party applications.
However, while patch management is a core capability for remediating vulnerabilities, it is not the only option, and in some cases, it may not be a viable option at all. That’s why we’re excited to announce that we’re introducing Qualys TruRisk Eliminate so our customers can address all vulnerabilities—even those that can’t be patched.
When Patching is Not a Viable Option
As our research shows and many of our customers have told us, patching is not always the right answer to a vulnerability. Here are a few reasons why:
- Not all vulnerabilities can be remediated with a patch. For instance, a vulnerability in end-of-life (EOL) software cannot be patched and requires the software to be uninstalled. Some vulnerabilities, like the old SMB 1.0, need to be addressed by a registry key change.
- Certain cases, such as the PrintNightmare vulnerability, require both a patch and a registry key change to be fully remediated. Without implementing both, the vulnerability remains unresolved.
- Sometimes, the business risk of deploying a patch is too high. Remediation teams may be concerned about potential downtime or outages that could directly impact the business and its customers.
- Vendors often release workarounds to mitigate zero-day vulnerabilities days or even weeks before an actual patch becomes available.
At Qualys, our goal is to help our customers reduce risk. Recognizing that risk reduction extends beyond just applying patches, we are expanding our solutions to help customers address all vulnerabilities, even when a patch is unavailable or cannot be deployed.
Introducing TruRisk Eliminate
Qualys TruRisk Eliminate expands the Patch Management solution: customers use the same Qualys agent, platform, and workflows not only to deploy patches but also to map vulnerabilities to actions the agent can execute, mitigating or fixing those vulnerabilities when a patch is not available. Furthermore, the same agent can isolate assets from the network, ensuring that vulnerabilities which cannot be addressed cannot be exploited.
TruRisk Eliminate includes TruRisk Patch, TruRisk Mitigate, and TruRisk Isolate.
Qualys TruRisk Mitigate:
- Map Vulnerabilities Without Patches to Recommended Actions: Address the vulnerabilities that do not have patches available by mapping them to recommended remediation actions, such as applying registry key changes or uninstalling software. For example, fix the WinVerifyTrust vulnerability (QID 378332) by modifying the required registry keys.
- Address Situations Where Critical Vulnerabilities Must Be Mitigated but the Business Risk of Deploying a Patch Is Too High: The Qualys Threat Research Unit continuously researches critical vulnerabilities and maps them to non-patch actions designed specifically to mitigate the risk of those vulnerabilities. Examples of such actions are blocking specific ports, stopping specific services, or making configuration changes, all of which reduce or completely mitigate the risk. With this solution, customers can mitigate a large portion of CISA KEV vulnerabilities.
- Mitigate Zero-Day Vulnerabilities: Map zero-day vulnerabilities to non-patch actions based on vendor and Qualys research to effectively mitigate these threats.
- Fully Integrated with VMDR: Mitigated and fixed vulnerabilities are reflected back in VM reports, ensuring VM admins get confirmation of the newly reduced risk.
Qualys TruRisk Isolate:
As a last resort, leverage the Qualys agent to isolate devices from the network, ensuring critical vulnerabilities on those devices cannot be exploited. The solution allows at-risk systems to remain isolated while maintaining connections to essential resources, so isolated assets can still communicate with the Qualys cloud and other approved resources.
Qualys TruRisk Isolate is fully integrated with Qualys VMDR, allowing VM security admins to ensure vulnerable assets are secured and to reflect the reduced risk back in their VM reports.
How Does TruRisk Eliminate Work?
Let’s take a sample vulnerability, CVE-2024-1086 (Linux Kernel Use-After-Free Vulnerability, "Flipping Pages"), and an example of the situation a customer may face when choosing how to handle it. Based on anonymized Qualys data, CVE-2024-1086 has been detected more than 1.5M times, and only 20% of those detected instances have been remediated in customer environments. Furthermore, the organizations that did remediate this vulnerability took an average of 28 days to do so. As you can see, this vulnerability, which is part of CISA KEV, takes far too long to remediate!
With TruRisk Eliminate, Qualys customers will be able to address this vulnerability far more efficiently.
Assume a customer has CVE-2024-1086 detected on their Linux-based desktops and a few production servers. Qualys TruRisk Eliminate maps this CVE to several alternative actions to help customers address it.
- One action is to deploy the relevant patch.
- Another action is to apply a configuration update to block user namespace creation, among other configuration changes, which, based on insight from the Qualys Threat Research Unit, will mitigate the vulnerability until a patch can be deployed.
- The final alternative is to isolate the entire device from the network, ensuring the vulnerability cannot be exploited.
Deploying the patch is considered less risky on Linux desktops. Therefore, the organization may choose to use the Qualys agent to test and deploy the patch to its desktops. However, applying the specific patch to production servers may be too risky at present. Instead, the organization may leverage the Qualys agent to apply the suggested mitigation, as the application owners consider the operational risk of blocking user namespace creation very low. Minimal manual work is required of the remediation teams for either action, as all actions are pre-packaged and ready to be deployed by the Qualys agent. Once the customer uses Qualys to take these actions, the results are automatically reflected in the VM reports, with the relevant QIDs marked as closed for all desktops and as mitigated for the production servers.
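The mitigation described above, blocking user namespace creation, can be checked and persisted by hand on a single Linux host. The script below is an added example, not Qualys agent code; it assumes the upstream kernel knob user.max_user_namespaces is the control in use and uses an assumed file name under /etc/sysctl.d.

```shell
#!/bin/sh
# Added example: check / persist the "block user namespace creation" mitigation
# for CVE-2024-1086 on a Linux host. Not Qualys agent code.
# Assumptions: the upstream knob user.max_user_namespaces (kernel >= 4.9) is the
# control used; the sysctl.d file name below is an assumed name.
# Debian-patched kernels also carry kernel.unprivileged_userns_clone, the
# distro-specific equivalent, which this script does not handle.
USERNS_KNOB=/proc/sys/user/max_user_namespaces
CONF=/etc/sysctl.d/99-cve-2024-1086-mitigation.conf

# Classify a max_user_namespaces value. 0 means no process may create a user
# namespace, which closes the unprivileged entry point the mitigation targets.
userns_status() {
    case "$1" in
        0)            echo "mitigated" ;;
        ''|*[!0-9]*)  echo "unknown" ;;   # knob absent or unreadable
        *)            echo "exposed" ;;
    esac
}

# Read the live limit; empty string on kernels or sandboxes that lack the knob.
read_userns_limit() {
    [ -r "$USERNS_KNOB" ] && cat "$USERNS_KNOB" || echo ""
}

# Render the persistent sysctl fragment so the setting survives a reboot.
# Operational caveat (the risk the application owners weigh): this also breaks
# rootless containers, Flatpak and browser sandboxes that rely on unprivileged
# user namespaces, so apply it only where that is acceptable.
mitigation_fragment() {
    printf '# CVE-2024-1086 mitigation: block user namespace creation until patched\n'
    printf 'user.max_user_namespaces = 0\n'
}

# Root only: write the fragment and load it into the running kernel.
apply_mitigation() {
    mitigation_fragment > "$CONF" && sysctl -p "$CONF"
}

case "${1:-check}" in
    check) echo "CVE-2024-1086 userns mitigation: $(userns_status "$(read_userns_limit)")" ;;
    apply) apply_mitigation ;;
esac
```

Run with `check` (the default) as any user to see whether the host is already mitigated, and with `apply` as root to enforce and persist the setting until the patch can be deployed.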
Conclusion
Qualys continues to evolve to meet the complex security needs of our customers. With the introduction of TruRisk Eliminate, we provide comprehensive solutions that go beyond traditional patch management, ensuring that all vulnerabilities can be effectively addressed. By leveraging our advanced mapping of vulnerabilities to various remediation actions, including non-patch solutions, we empower organizations to maintain robust security postures even in the face of the most challenging threats.
For more information and to experience these capabilities firsthand, visit our booth at Black Hat or contact your TAM.
Save time and reduce risk with TruRisk Eliminate — sign up to start your trial!
Does Qualys allow its customers to disable their data collection for anonymised reporting and telemetry?