QSC 2022 Day 1 Recap: Qualys Gives Organizations More Security in an Ever-Expanding Threat Landscape

The first day of Qualys’ annual security conference in Vegas was filled with a series of presentations by Qualys executives, product managers and customers’ stories about how they used the various security products. 

The keynotes given by Shark Tank celebrity businessman and CEO of Cyderes, Robert Herjavec, and Qualys’ President and CEO, Sumedh Thakar, mentioned the tradeoffs between the cost of providing sufficient cyber insurance coverage and the cost of having the right set of security management tools so that you can reduce your overall risk envelope. 

Simplifying Security, Aligning Stakeholders and Managing and Reducing Risk Faster with a Unified Platform

Qualys is nudging organizations away from using multiple siloed tools. Shailesh Athalye, the Senior Vice President, Product Management of Qualys spoke about how security teams are under increasing pressure to manage and reduce cyber risk as the digital asset landscape continues to expand and security attacks become more sophisticated. Many teams are dealing with a fragmented view of their attack surface and increased friction between the IT, devops and compliance stakeholders. The result? Surging security costs and complexities, assets exposed to attack and an overall slowed incident response.

Illion Minimizes Total Cost of Ownership with the Qualys Cloud Platform

The audience next heard from Eugene Ostapenko, the head of Information Security, Risk and Compliance for Illion – which provides business evaluation services for both Australia and New Zealand. They began their journey with Qualys three years ago to consolidate various tools – including three different vulnerability managers — to a single platform and potentially reduce their total costs. “I’ve spent 20 years in information security,” he said, “and learned to speak the language of business and how to get more done with budget constraints. We have a lot of sensitive data, now covering more than 25 million individuals’ records and we need to make sure we are continually assessing risks.” His job is made a lot harder thanks to increasing IT system complexity and the challenges of a post-Covid world with more remote workers. 

Various Qualys tools were used to shorten threat detection and response times from 30 days to four hours and standardize tracking and reporting, create an automated patch management system to shorten patching from days to hours and reduce pen testing costs and cutting the budget in half at the same time, among many other things. The overall result was saving five percent of their entire IT security budget, improving various processes and making his IT team more efficient and effective.

The Special Reveal: TotalCloud Live

Parag Bajaria, the VP for Cloud and Container Security Solutions at Qualys took the audience into a special deep dive into the recent TotalCloud announcement. 

With more than 31 million workloads already secured by Qualys, Qualys TotalCloud extends the accuracy of VMDR with cloud-native FlexScan assessments to unify Cloud Posture Management and Cloud Workload Security in a single view with risk insights. This allows organizations to combine multiple cloud scanning options for the most accurate security assessment of their cloud environment. New is the ability to use service providers’ APIs and snapshots of the workloads to perform vulnerability scans, be able to do network-based scans – which can be automatically deployed – and conduct agentless scans. 

Parag also mentioned improvements to TruRisk scoring and how QFlow can assemble your remediation workflows with drag-and-drop flowchart-like constructions. “Our goal is to simplify cloud-native security and provide immediate cloud posture analysis and insights with fast remediation with no-code workflows,” he said. 

To show how the various elements of TotalCloud fit together, the audience next heard from Terry Barber, the Manager of Security Operations for American Express Global Business Travel. The company has spent the past eight months migrating its applications and former on-premises data center to the AWS cloud. In the early stages, Barber had trouble getting accurate reports about vulnerabilities or misconfigured assets. “We couldn’t do standard scans by IP and couldn’t marry what we had on the public side of our network with their private IP addresses, which would change frequently.” 

After implementing TotalCloud, these and other problems were solved and now “Qualys has put all the various pieces together in one tightly integrated and unified platform, and what is more, their reports are actionable — my CISO can look at a dashboard and I don’t have to teach him how to get into each of the modules. This way my upper management can quickly get a handle on what their risk is – I call it full stack vulnerability management before you can see everything.” 

Getting More Security with the Qualys Cloud Platform 

Mehul Revankar, the VP for Product Management & Engineering at Qualys next gave what he called the state of the union and how the latest version of VMDR will help. “There are too many high and critical vulnerabilities, and the number of zero days is increasing more than 250% since 2020. There are also a lot of external assets that could contain new sources of risk. We can’t tool ourselves out of this situation – you need an all-in-one risk-based management solution.” 

Customers with the VMDR can patch software faster, with an average of 17 days versus 30 days without using VMDR. Brian Penn, the manager of Security Posture for insurer Aflac showed that his firm was able to reduce the number of vulnerabilities from 125,000 to 40,000 almost overnight, in the process saving $100,000 annually by not having to purchase any threat feeds since they are included in VMDR. 

Mike Orosz, VP of Information and Product Security for Vertiv – one of the main suppliers for data centers around the world – shared how Qualys allows him and his team to get an attackers-eye-view into their environment. “It is hard to secure something when you don’t know what you have and don’t know your attack surface or have blind spots in your coverage. Now we have saved time by prioritizing our responses, saved time and resources with automated discovery and meeting our SLA expectations.”

Josh Hankins, Chief Technical Security Officer for the Americas at Qualys demonstrated how Qualys Policy Compliance can help customers use automated security compliance tools.

Rounding up the day’s events was the “Innovation showcase,” where Qualys personnel demonstrated the MSSP Portal, accounting for the riskiest users and calculating the TruRisk of various business apps. 

Sessions and keynotes will be available on the Qualys site in the coming days. Stay tuned for the Day 2 recap of QSC 2022 Las Vegas!