Know What’s on Your Network at All Times with Qualys Asset Inventory
Last updated on: September 6, 2020
Qualys has just launched a global IT asset inventory solution that offers full visibility across even the most hybrid, complex and distributed IT environments, addressing a challenge many security and IT teams face today.
When IT directors and CISOs look at their digitally transformed networks, they encounter many shadows that their legacy enterprise software tools can’t illuminate. These blind spots often include cloud workloads, containers, IoT systems, mobile devices, remote endpoints, and Operational Technology wares.
Because full visibility is essential for security, this foggy, fragmented view of a network makes the organization vulnerable to cyber attacks. Qualys Global IT Asset Inventory (AI) provides complete, continuous, structured and enriched asset inventory in hybrid environments.
“This is a really big deal because it’s the basis of security: If you don’t know what you have, you can’t secure it,” says Qualys Chief Product Officer Sumedh Thakar.
Justin Bendl, Senior Manager for Security & Compliance at Federal Home Loan Bank of Pittsburgh, says that Qualys AI has begun to assist the bank in expanding automation that provides real-time visibility into the completeness and accuracy of software assets.
“This automation is enhancing the bank’s overall control environment and further mitigating risks in a proactive manner,” Bendl says.
Philippe Courtot, Qualys Chairman and CEO, highlights the benefits of Qualys AI’s full integration with the Qualys Cloud Platform. “You will know instantly what assets connect to your network, and be able to assess their security and compliance posture in real-time, giving you unprecedented and essential visibility,” says.
Read on to learn more details about Qualys Global IT Asset Inventory and the use cases it’s designed for.
Without the right processes and technologies, it’s hard to maintain a continuously updated and comprehensive IT asset inventory. A major problem is the lack of cohesive visibility across hybrid environments when different tools are gathering asset data throughout the organization.
“The issue is the gap between these solutions. Those will be your biggest blind spots,” says Pablo Quiroga, Qualys’ Director of Product Management for IT Asset Management.
Having to manually clean up and correlate the asset data that these disparate point products gather is difficult and time-consuming. “A lot of time is wasted crunching data instead of making business decisions,” he says.
At issue is the nature of IT asset data, which Quiroga refers to as the “three Vs.” Volume: There’s lots of it. Velocity: It changes quickly. Variance: It’s highly inconsistent. That last point, its variance, is ultimately “what complicates everything,” Quiroga says.
In the average asset inventory, vendor names are rendered eight different ways, and product names in twenty different ways. As a result, when searching the asset database for, say, Microsoft, queries must be formulated for “Microsoft,” “Microsoft Corp.,” “Microsoft Corporation” and so on. And that doesn’t even factor in the product naming complexities from Microsoft’s 200-plus company acquisitions.
The Qualys approach
The platform service Qualys AssetView collects and indexes asset telemetry data, and provides instant visibility to customer’s assets. Asset Inventory takes that same continuous stream of asset telemetry and automatically adds structure by normalizing and categorizing the data.
This means that it scrubs the data and makes it uniform, eliminating, for example, the variations in product and vendor names that clutter asset inventories and render them ineffective.
It also enriches the inventory with non-discoverable metadata, such as vendor lifecycle dates and license types. This data is provided by Qualys via research and curation.
With simple queries in its powerful search engine, or a few clicks on pre-defined asset categories in its dashboard, organizations can instantly discover things like:
- How many Lenovo laptops running the latest Windows 10 version and located in the New York office have a particular vulnerability?
- Which servers are running an operating system that its vendor recently stopped supporting?
- Which devices have unauthorized software?
The product also syncs up with ServiceNow’s CMDB, continuously feeding it fresh data, so the CMDB can accurately map assets’ relationships, connections, hierarchies, and dependencies. “The Holy Grail of CMDBs is complete, continuous, categorized, clean data,” Quiroga says.
Like other Qualys apps, Asset Inventory gets its data from Qualys sensors, so its reach is as broad as the various sensors’ coverage, including on-prem, clouds and remote endpoints. “Everything starts with our scalable, self-updating and centrally managed sensors,” Quiroga says.
By collecting data with agentless, agent-based and passive sensors, Qualys provides a truly multidimensional view of the assets and of the IT environment as a whole.
Quiroga highlighted the Passive Network Sensor, currently in beta, which does real-time network analysis, eliminating blind spots through continuous traffic monitoring.
That allows Asset Inventory to include both “managed” assets which the organization is monitoring with scanners or agents, and “unmanaged” assets which are continuously detected by the passive sensor.
Those unmanaged assets can include anything: From IoT and OT devices to any of the many WiFi-enabled gizmos that employees or intruders can connect to a corporate network. “Everything we see on the network, we bring it together on a single view,” Thakar says.
This ability to account for the myriad types of assets found on today’s hybrid networks sets Asset Inventory apart from competing products that lack this reach and scope.
A wide variety of use cases
An automated IT asset inventory benefits the entire organization, in areas like financial planning, procurement, service desk automation, compliance and strategic projects.
“Harnessing a good IT asset inventory from single data source that you can use across these different teams is very powerful,” Quiroga says. “They can share the same visibility.”
By providing complete, continuous, structured and enriched asset data, and storing it in a central cloud-based backend repository, Qualys Global IT Asset Inventory can help in multiple scenarios, such as:
- Helping improve the efficiency of IT help desk staff by giving them accurate, complete information about assets they’re called to support and troubleshoot
- Optimizing the use of existing assets by making it easier to identify hardware and software that’s underused, completely idle, or obsolete
- Providing detailed asset information to auditors, which eases regulatory and internal compliance processes that require documenting asset information
- Prioritizing vulnerability remediation work by focusing on patching the critical assets that need the most immediate attention
- Responding more quickly and precisely to incidents like breaches by revealing the location, configuration, and owner of a device, or the presence of rogue software
In compliance in particular, IT asset management is key, as industry regulations and standards such as PCI DSS, HIPAA, GDPR and FedRAMP require organizations to continuously identify, track and secure assets storing sensitive data.
Qualys AI frees security and compliance teams from dependence on legacy inventory tools and helps these teams manage the risk profile of their assets in real time by:
- helping ensure no unauthorized assets are spun-up in production.
- detecting when applications outside their whitelist are running.
- alerting teams when vulnerable, end-of-life or unlicensed software is present.
Ultimately, Asset Inventory can play a key role in helping IT and security achieve their main common goal: “To make sure you enable your users to be productive and secure,” Quiroga says.
Please watch a video of Quiroga’s presentation at QSC18 Las Vegas, where he provides more details about Qualys Global IT Asset Inventory, shows a live demo, and holds a question-and-answer session with the audience.