The 2023 Qualys Security Conference (QSC) started wrapping up on Thursday, November 9th, with two days of new technology announcements, impactful customer use cases, and thought-provoking talks from a host of engaging speakers, including Rachel Wilson, Managing Director at Morgan Stanley, and Frank Dickson, Group Vice President, Security & Trust at IDC Research.
If you were not able to join QSC23 in person, keynote sessions were streamed live and are available on-demand here: https://qualys.com/qsc23-americas-livestream
What You Need to Know – #QSC23 In Summary
QSC started off with a bang as our very own Dino DiMarino, Chief Revenue Officer at Qualys, took to the stage and was followed by guest speaker Rachel Wilson, Managing Director at Morgan Stanley.
Sumedh Thakar, President and CEO at Qualys, then unveiled an exciting new milestone for the company, announcing the Qualys Enterprise TruRisk Platform to the world. Its release marks a seismic shift for the future of Qualys through a platform approach that allows the Qualys TruRisk engine to ingest external third-party Risk Factors from IT and security tools and then employ them with risk-eliminating actions using Qualys Vulnerability Detection and Management (VMDR).
With the release of the Enterprise TruRisk Platform, Qualys is the only cybersecurity platform vendor that offers customers transparent cyber risk scoring capabilities that complement a full suite of asset management, attack surface management, vulnerability management, remediation, policy compliance, and advanced threat protection—all offered in a single, unified interface. According to a recent survey from Splunk, nearly 50% of CISOs now report directly to the CEO, and nearly 100% regularly brief their Board of Directors, increasing the pressure to report Key Risk Indicators (KRIs), as well as Key Performance Indicators (KPIs) to these direction-setting stakeholders. In short, this means that cybersecurity experts must also become business risk experts and be able to link cyber risk actions directly to business impact.
In addition to facilitating faster, more accurate threat remediation, the Enterprise TruRisk Platform is built to meet these evolving risk management needs. By leveraging the power of the platform, CISOs and executive security leaders can gain more confidence with the ability to measure, communicate, and eliminate cyber risk by guiding remediation actions linked to financial metrics through a single platform.
To watch the live stream of the announcement at QSC Americas, 2023, go here: https://qualys.com/qsc23-americas-livestream
The Enterprise TruRisk Platform represents much more than a name change. Over two days, Qualys Product Leaders introduced many exciting innovations spanning the core solution components that comprise Qualys offerings—from asset management to cloud security. Here are a few noteworthy announcements that illustrate how Qualys is helping customers measure, communicate, and eliminate cyber risk across the entire security solution stack.
Eran Livne, Sr. Director of Product Management at Qualys, continued the momentum after the release of the Qualys Enterprise TruRisk Platform by introducing TruRisk Eliminate—Qualys’ all-in-one, AI-powered, risk patch management, remediation, and mitigation solution that differentiates the Qualys platform approach from all other security and risk quantification solutions.
With TruRisk Eliminate, customers get everything they have come to expect and rely upon with Qualys Patch Management (Remediation), and it also adds risk-based, intelligent mitigation actions (Mitigation) that include compensating controls, patchless patching, configuration changes, and more. Better yet, since TruRisk Eliminate is guided by the TruRisk risk quantification engine, customers can leverage automation and intelligent targeting of high-risk assets to make sure that the right mitigation or remediation action is taken every time.
TotalCloud with TruRisk Insight
Parag Bajaria, VP of Cloud and Container Security at Qualys, unveiled TruRisk Insight, which is designed to consolidate critical security data from diverse sources into a cohesive, actionable dashboard for TotalCloud Customers. It sheds light on the critical concept that risks in the cloud are not merely additive; they are multiplicative. A vulnerability, when paired with a misconfiguration and compounded by internet exposure, escalates into a significantly higher threat. This toxic combination demands immediate and prioritized remediation. It’s not just about identifying a long list of issues to address; it’s about understanding the compound effect and pinpointing where a single fix can mitigate multiple risks.
By unifying these varied data streams, each with its own set of priorities, TruRisk Insight offers a singular, prioritized view of your cloud risk landscape. It’s not just a collection of alerts and alarms—it’s a strategic overview that allows you to see how all the different pieces of the puzzle fit together. It’s about transforming complex, multifaceted data into a clear narrative that guides your security decisions. With TruRisk Insight, you’re not just reacting; you’re anticipating and strategizing. It’s a powerful tool that doesn’t just inform you of what’s happening now but also prepares you for what could happen next, ensuring that your responses are as informed as they are swift.
TruRisk Artificial Intelligence (AI)
Dilip Bachwani, Qualys CTO, shared the Qualys approach to AI with TruRisk AI and summarized the purpose-built, petabyte-scale security data lake, trillions of high-fidelity security data events, and signals across asset inventories, vulnerabilities, misconfigurations, cloud and OT/IoT that make TruRisk AI possible.
Qualys TruRisk AI will learn from customer behavior, Qualys apps, third-party apps, and more to help customers apply practical aspects of artificial intelligence to better identify assets and users, discover critical assets, and propose remediation actions that may be overlooked. In early 2024, TruRisk AI will be available for VMDR customers to add to their subscriptions.
CyberSecurity Asset Management (CSAM) and SBOM
In the spirit of measuring, communicating, and eliminating risk, QSC attendees learned how they can now extend the power of TruRisk with CSAM detections, including EoL/EoS software, unauthorized software, unsanctioned ports, and missing required software (such as anti-virus or EDR). Through this new functionality, you can now accurately measure risk by automatically adding these new vectors to an asset’s TruRisk score. Previously, it was difficult to quantify risk throughout the sprawl of tech debt, unauthorized software, and missing security agents. Now, security teams can easily understand the risk that each of these factors poses to the business to prioritize mitigation.
In addition to tighter integration with TruRisk, Qualys also previewed an upcoming CSAM capability that helps our customers “Know the TruRisk of your SBOMs.” Soon, CSAM will track all software bills of materials (SBOMs) in a single place to analyze and measure the TruRisk of software component vulnerabilities in your production environment. This allows security teams to quickly identify applications running any vulnerable component, prioritize using TruRisk, and triage/remediate in a fraction of the time.
Rachel Wilson – Managing Director at Morgan Stanley
“It is now imperative for all of us to take a risk-based approach to cybersecurity.” – Rachel Wilson
Wilson laid out how global threat actors are evolving in their motivations and how they affect their geo-political, financial, and tactical outcomes. Now, at increasing levels, government-sanctioned efforts with data and tools purchased from the Dark Web are targeting financial institutions and their customers. She emphasized that it is untenable to defend every inch of the technology environment in a reactive manner. Organizations, from the board to the C-suite to the boots on the ground deploying patches, must be aligned on how to prioritize vulnerabilities that expose the business to the most potential risk.
That challenge of communicating and prioritizing risk falls on CISOs and cybersecurity leaders, according to Wilson.
“In these unfortunate cases of major security breaches, how often does it fall at the feet of the CIO or the IT leader?” asked Rachel, highlighting that when it comes to cyber breaches, it ultimately falls on the CISO and cybersecurity leaders.
Wilson explained that IT may be responsible for deploying the patch or the mitigation. Still, the CISO must lead the risk-based approach to cut through the noise and identify the critical priorities. As the attack surface continues to evolve, and as geo-political conflicts increasingly lead to cyber-attacks, the stakes are higher than ever for security teams to identify and prioritize critical business risks.
Frank Dickson – Group Vice President, Security & Trust at IDC Research
According to IDC reporting, 40% of revenue from Global 2000 companies will come from digital products by 2026. That’s why Dickson says the “digital transformation era” is over, and the “digital-first era” has begun.
“Digital decision velocity creates complexity,” Dickson explained. “And complexity is the enemy of security.”
To simplify their approach, cybersecurity professionals need to narrow their focus on goals and outcomes, according to Frank. He encouraged the audience to force their vendors to explain the benefits, not the technology.
“If you can save 30% on your most precious resource—your people’s time, that helps you become more secure because now they can solve multiple problems,” Dickson said.
Digital complexity is introducing cyber risk, which is a problem all businesses will continue to face as more and more of their revenue depends on technology. For cybersecurity teams, that means consolidating tools, focusing on goals and metrics that drive security, and measuring ROI in business terms.
QSC 2023 In Retrospect
QSC23 marks the maturation of a platform concept that Qualys began working on years ago, guided by a commitment to our customers’ needs to link cyber risk to business risk.
As we approach 2024, our customers should expect an amazing year of innovation and new customer success.
Special thanks to all our partners and customers!
To watch the Qualys keynotes mentioned above and much more, go here: https://qualys.com/qsc23-americas-livestream
- Shailesh Athalye, Sr. Vice President, Product Management, Qualys