
Automatic vs. Manual Data

“You know only insofar as you can measure.” – Lord Kelvin

“If you want it, measure it. If you can’t measure it, forget it.” – Peter Drucker

Measurement is critical in achieving objectives. But a more subtle factor drives your success: what you measure and how you measure it. These are what guide your actions. The measurement of vulnerabilities is no exception, and with vulnerabilities the key factor is the difference between automatic and manual data, and what that difference implies.

So, what is the difference?

Manual data is a point-in-time snapshot of vulnerability data that is tied to a single scan and shows the vulnerability posture of the hosts at the time the scan was run.

Automatic data is data from multiple scans normalized into a database. It is the asset-centric history of vulnerability data, built out of the results of previous scans.

Simple enough, right?  Let’s examine the implications.

Assessment vs. Management

Manual data lets you assess vulnerabilities, but you need automatic data for vulnerability management.

Manual data shows you where you’re vulnerable at the time of the scan.  You can think of manual data as a file folder on the left side of your desk with a folder corresponding to each scan.  Inside each folder is a piece of paper containing the forensic record of the raw results from that point-in-time scan.  The biggest limitation of this data model is that it lacks context and trending since it is a snapshot of a point in time.  For example, if you scanned on January 1 and found 500 vulnerabilities, then scanned the same assets on February 1 and found 300 vulnerabilities, what does that mean?  Did you fix all 500 vulnerabilities from January and have 300 new vulnerabilities for February?  Did you fix 200 vulnerabilities from January and have 300 left, but no new vulnerabilities in February?  There are several other potential scenarios that would also need to be considered, and determining the answer with any degree of certainty is problematic at best.

If you only have access to manual data, you have to perform a manual monthly process with a custom spreadsheet to attempt to reconcile and normalize the results from scan to scan to show month-over-month trending.

Another big problem with this data model is that it is difficult to track the lifecycle of a vulnerability on a particular host.  For example, you should be careful not to assume that if you don’t find a vulnerability in a subsequent scan that it has been fixed.  This is a poor assumption as there is a huge difference between "fixed" and "not found".  For example, if you first scan with authentication, then scan without authentication, many vulnerabilities won’t be detected in the second scan, simply because authentication wasn’t used.  This does not mean that the vulnerabilities are actually fixed and can lead to a false sense of security.

Lifecycle of a Vulnerability

Automatic data addresses these limitations by introducing the concept of a vulnerability’s state and providing additional context that is valuable when managing the lifecycle.  Automatic data can be thought of as a large relational database on the right side of your desk that normalizes the results of every scan over time for each asset.  A vulnerability can have one of four states:

  • NEW: Detected for the first time
  • ACTIVE: Detected more than once
  • FIXED: Detected, then confirmed to be resolved by scanning in the *same* manner as originally detected – e.g. with authentication
  • REOPENED: Detected, confirmed to be remediated, then detected again.  This may be the result of a machine being re-imaged without all relevant patches being applied.


Automatic data also lets users mark vulnerabilities as IGNORED and keeps an audit trail of all the transitions. IGNORED is complementary to the status: a vulnerability can be NEW/IGNORED or ACTIVE/IGNORED, for instance. It is a way to manage exceptions.

Trending and Reporting

In addition to a vulnerability’s state, automatic data allows us to report on when a vulnerability was first detected, last detected, and the number of times it has been detected.  Also, vulnerability status is tracked intelligently to account for different option profiles being used.  For example, if a vulnerability is first detected using authentication, it will not be considered closed until a rescan *with authentication* confirms that the vulnerability has been resolved.  This addresses the limitation of the assumption that not found = fixed. And it prevents "saw tooth" trend results that can happen when scans are conducted with varying configurations (e.g. with / without authentication) over time.

This type of accurate trending information is valuable to be able to correctly report the postures of organizations and the progress (or lack thereof) over time in remediating vulnerabilities in their environments.  Using the QualysGuard Detection API, this concept of vulnerability state/trend information can be included in data integrated with third party platforms (e.g. SIEM, GRC, etc).  Without automatic data, organizations are left to extremely manual, time-consuming, and error-prone approaches to attempt to measure and track the effectiveness of their vulnerability management programs over time.
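The state machine described under "Lifecycle of a Vulnerability" and the closing rule from "Trending and Reporting" (a vulnerability first seen with authentication is only confirmed fixed by an authenticated rescan) can be written down as a small normalizer. The following is an added example, not QualysGuard code: it folds point-in-time scan snapshots into an asset-centric history, tracks NEW / ACTIVE / FIXED / REOPENED with an IGNORED flag alongside the state, records first/last detection and detection count, and keeps an audit trail of every transition. Host names, QIDs and dates are constructed.

```python
"""Normalize point-in-time scan snapshots ("manual data") into an asset-centric
vulnerability history ("automatic data"). Added example, not Qualys code;
hosts, QIDs and dates below are constructed."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Detection:
    host: str
    qid: int                  # constructed vulnerability identifier
    status: str = "NEW"
    first_found: str = ""
    last_found: str = ""
    times_found: int = 0
    needs_auth: bool = False  # True while it has only ever been seen with credentials
    ignored: bool = False
    history: list = field(default_factory=list)  # (date, event) audit trail


class AutomaticData:
    def __init__(self):
        self.detections = {}  # (host, qid) -> Detection

    def ingest_scan(self, date, authenticated, scanned_hosts, findings):
        """Fold one scan into the database.
        findings: set of (host, qid) pairs detected in this scan."""
        for host, qid in findings:
            d = self.detections.get((host, qid))
            if d is None:
                d = Detection(host, qid, first_found=date, last_found=date,
                              times_found=1, needs_auth=authenticated)
                d.history.append((date, "NEW"))
                self.detections[(host, qid)] = d
                continue
            d.times_found += 1
            d.last_found = date
            # once seen without credentials, it is detectable without them
            d.needs_auth = d.needs_auth and authenticated
            new_status = "REOPENED" if d.status == "FIXED" else "ACTIVE"
            if new_status != d.status:
                d.history.append((date, new_status))
                d.status = new_status
        for (host, qid), d in self.detections.items():
            if (host, qid) in findings or host not in scanned_hosts:
                continue  # host not scanned this time: no new information
            if d.status == "FIXED":
                continue
            if d.needs_auth and not authenticated:
                continue  # "not found" is not "fixed": the scan manner differs
            d.history.append((date, "FIXED"))
            d.status = "FIXED"

    def mark_ignored(self, host, qid, date, reason):
        """IGNORED sits beside the status and is itself an audited transition."""
        d = self.detections[(host, qid)]
        d.ignored = True
        d.history.append((date, "IGNORED: " + reason))

    def status_of(self, host, qid):
        d = self.detections[(host, qid)]
        return d.status + ("/IGNORED" if d.ignored else "")

    def counts(self):
        """Open (not FIXED) vulnerabilities by status, the input to a trend report."""
        return dict(Counter(d.status for d in self.detections.values()
                            if d.status != "FIXED"))


def build_sample_history():
    """Four constructed scans that exercise every transition."""
    db = AutomaticData()
    hosts = {"host-a", "host-b"}
    # January: credentialed scan finds three issues
    db.ingest_scan("2011-01-01", True, hosts, {("host-a", 1), ("host-a", 2), ("host-b", 1)})
    # February: scan without credentials; QID 2 is only visible with them, so it stays open
    db.ingest_scan("2011-02-01", False, hosts, {("host-a", 1)})
    # March: credentialed scan confirms both host-a issues are gone
    db.ingest_scan("2011-03-01", True, hosts, {("host-b", 1)})
    # April: host-a re-imaged without the patch; host-b not scanned at all
    db.ingest_scan("2011-04-01", True, {"host-a"}, {("host-a", 1)})
    db.mark_ignored("host-b", 1, "2011-04-02", "compensating control, ticket PLACEHOLDER")
    return db
```

In the February scan, QID 2 on host-a is not found, but because it has only ever been seen with authentication and the February scan was unauthenticated, it stays open rather than flipping to FIXED; a naive per-scan comparison would have counted it as remediated and then reopened it in a later authenticated scan, which is the saw-tooth trend the text refers to.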

Decoupling Reporting / Remediation from Scanning

One other main benefit of automatic data is that it allows the scanning and reporting/remediation efforts to be decoupled since all the data is tracked and normalized.  Scanning can be conducted according to location and reporting can be performed according to those responsible for remediation.

User Interface

The most obvious place where the difference between manual and automatic data is found in the QualysGuard user interface is when editing a scan report template and choosing the Scan Results Selection:


Automatic data is also used in “Status” and “Status with Trend” scan reports and Scorecard reports, as well as throughout the user interface including your dashboard, asset search results, remediation tickets and host information.

Automatic is the Way to Go

The difference between manual and automatic data is the difference between a vulnerability assessment program that identifies only current vulnerabilities and a vulnerability management program that drives the remediation of vulnerabilities over time. Automatic data makes QualysGuard the only vulnerability management solution that can differentiate between vulnerabilities that are actually fixed, versus those that simply weren’t detected.

Contributors to this article: Jason Falciola, Steve Ouzman, Karl G. Schrade, and Leif Kremkow.

QualysGuard First to Support Solaris 11


On November 9, 2011, Oracle announced the launch of Oracle Solaris 11 as the first fully virtualized operating system providing customers with comprehensive, built-in virtualization capabilities for OS, network and storage resources. Solaris 11 is designed to meet the security, performance and scalability requirements of cloud-based deployments allowing customers to run their enterprise applications in private, hybrid, or public clouds.

Working closely with Oracle during development and testing, Qualys is pleased to be the first vendor to add support for Oracle Solaris 11 within QualysGuard Policy Compliance.  The new compliance checks include configuration checks based on the Oracle Solaris 11 hardening guideline, such as service checks, sshd_config checks, and file permission and ownership checks.  This content is immediately available within QualysGuard Policy Compliance for all subscribers.

To enable support for Oracle Solaris 11, simply add your Oracle Solaris 11 IP addresses to a valid Unix authentication record. QualysGuard Scanner Appliances support Oracle Solaris 11 authentication as of ML 5.18.  Once successfully authenticated, QualysGuard Policy Compliance will scan Oracle Solaris 11 configurations and report results in a valid Oracle Solaris 11 policy.

For more information regarding QualysGuard Policy Compliance or how to configure QualysGuard Policy Compliance, please visit the Policy Compliance Community.

Risk I/O Integrates with QualysGuard to Further Automate Vulnerability Management


It’s good to share.

Qualys is a firm believer in the tremendous benefits of sharing information to improve information security.  Over the past year, we’ve demonstrated our commitment to industry collaboration with many projects, including the creation of the Ironbee Open Source project, our support of Convergence, and our work with StopBadware.  I’m happy to announce today that Risk I/O has joined the community of our partners in sharing.

Risk I/O provides a centralized portal for vulnerability information, reporting, and remediation management.  By utilizing the QualysGuard API, Risk I/O makes it easy to get an accurate and up-to-the-minute assessment of your vulnerabilities and share that information using concise charts and reports, improving the efficiency and performance of vulnerability management programs.  Tickets can be assigned to drive remediation work, and QualysGuard verification scans can be automatically launched to close the loop on remediation activities.  Risk I/O can even aggregate QualysGuard results with other standards-based tools in your environment to multiply the value of your data.  Since both QualysGuard and Risk I/O are cloud-based solutions, getting started is as easy as signing up for a free trial account.  You can read more about the Qualys and Risk I/O partnership on the Risk I/O blog.

We’re excited to work with Risk I/O to help you perform better vulnerability management.  Please share your experiences with us; we would love to hear your feedback so we can continue to improve our products and integrations!

Dashboard and Drill-down Reporting in Policy Compliance

With the release of the new QualysGuard UI, Policy Compliance can now stand alone as its own module within QualysGuard.  This focused approach to modules in the new UI makes it easier to consolidate compliance reporting and provide additional capabilities specific to Policy Compliance.  A perfect example of this is the new Dashboard and Policy Summary Report released in QualysGuard 6.22.

Policy Compliance Dashboard

By enabling the new UI in QualysGuard 6.22, Policy Compliance gets its own dedicated Dashboard.


This new dashboard summarizes the compliance status across all policies in the subscription in one single view, identifying your top failing technologies that need attention.  In addition, view and access your last scans, upcoming scheduled scans, and latest reports directly from the dashboard.  For more information, drill down into your top failing and passing policies, which opens the new Policy Summary Report.

Policy Summary Report

The new UI also exposes a new tab under Reports called Policy Summary.  This new tab provides a summary of your policy without running template based reports, as required in previous versions of Policy Compliance.  To see the summary, simply select a policy and a trend duration.


This new summary report provides trending of your pass/fail status, controls, and hosts by policy.  In addition, drill down into your top failing hosts and controls, which opens an interactive report with detailed results.

These new features in QualysGuard 6.22 enhance the reporting capabilities of Policy Compliance and provide a global view of compliance.  To try these new features, simply switch over to the new UI in your subscription.  To see a demo of these new features, please visit the Dashboard video in the QualysGuard Policy Compliance Video Series.

Transporting Policies in Policy Compliance

Have you ever wanted to export a policy from Policy Compliance and import it into another subscription?  Customers with multiple subscriptions and partners have been requesting this capability and with the release of QualysGuard 6.22, their requests have been answered.  With this release, policies can be exported and imported freely.

Why is importing and exporting important?

Policy creation is a key component of Policy Compliance.  It is the policy that sets the expected values to determine overall compliance.  Once a policy is created in a subscription with QualysGuard 6.22, the policy can be easily transported to another subscription and used there.  This makes it easier for partners and customers with multiple subscriptions to fully adopt Policy Compliance.

How to transport policies?

With QualysGuard 6.22, you can now export a policy as an XML file from one subscription and import the policy into another subscription in four easy steps:

  1. Select a policy and click export.
  2. Save the XML file to your computer.
  3. In another subscription, select New, Import Compliance Policy, Import from XML file.
  4. Select the XML file on your computer.

New possibilities for sharing policies

In addition to transporting policies for partners and customers with multiple subscriptions, this new capability provides new possibilities for customers to share policies with each other.  It also allows Qualys to share new policies with customers and prospects quickly before they become available in the import library.  Adding policies to the import library requires thorough testing prior to upload.  However, this new feature will allow us to share these policies prior to upload, allowing customers to get a head start on policy creation.

To see a demo of this new feature, please visit the Policy Import and Export video in the QualysGuard Policy Compliance Video Series.

Integrated Vulnerability Risk Management and IT Risk and Compliance with QualysGuard and Modulo

Understanding overall security and compliance risk is an integral part of a risk management program. The integration of security and compliance solutions has provided some insight into this risk, but it falls short of capturing true security risk, because organizations are challenged with hundreds or even thousands of vulnerability detections every day.

Integrating QualysGuard and Modulo

Modulo provides a simple mechanism for importing asset and vulnerability data into Modulo Risk Manager. With Modulo Risk Manager, QualysGuard Vulnerability Management data is tightly integrated into the risk management program, allowing vulnerability risk to be correlated with other risks, controls, and assets providing a holistic management perspective of the most important risks.

Integration Benefits

Asset Synchronization and Correlation

Schedule import of assets from QualysGuard Vulnerability Management to constantly keep your asset management module updated with new assets and vulnerabilities.  In addition, correlate these assets with other business assets in Modulo to understand business risk.


Holistic IT Risk Approach

QualysGuard Vulnerability Management data is automatically collected and integrated into the risk management program, allowing vulnerability risk to be correlated with other risks, controls, and assets, providing a holistic management perspective of the most important risks.  In addition, the Risk Score, the formula used to calculate the risk score of each vulnerability, can be customized using the following variables:

    • Asset Criticality
    • Asset Relevance
    • CVSS Score
    • Vulnerability Level
    • Vulnerability Type


Prioritized Remediation

This integration allows customers to prioritize not only compliance risks, but also security risks to manage remediation efforts across the organization, prioritize large amounts of vulnerability data using a mature and reliable approach, produce compliance documentation and make more accurate decisions.


For more information regarding this integration, please see the Qualys and Modulo Showcase Integrated Vulnerability Management with IT GRC Press Release.

QualysGuard SCAP Validation

The National Institute of Standards and Technology (NIST) has re-validated the QualysGuard® FDCC service as conforming to the following SCAP capabilities:

  • FDCC Scanner
  • Authenticated Configuration Scanner
  • Authenticated Vulnerability and Patch Scanner
  • Unauthenticated Vulnerability Scanner

With the growing adoption of the Security Content Automation Protocol (SCAP), the QualysGuard® FDCC service is committed to supporting the Federal Desktop Core Configuration (FDCC) and has added support for the United States Government Configuration Baseline (USGCB).  Government agencies and industry should use the SCAP-validated QualysGuard® FDCC service to test and assess compliance with FDCC and USGCB standards.

FDCC

What is the Federal Desktop Core Configuration?

In March 2007, the Office of Management and Budget (OMB) Memorandum M-07-11 announced the “Implementation of Commonly Accepted Security Configurations for Windows Operating Systems”, directing agencies who have Windows XP deployed and/or plan to upgrade to the Windows Vista operating system to adopt the Federal Desktop Core Configuration (FDCC) security configurations. On June 20, 2008, the National Institute of Standards and Technology (NIST) published the updated FDCC Major Version 1.0 settings release. FDCC is comprised of settings that can be checked using the updated Security Content Automation Protocol (SCAP) content and SCAP-validated tools with FDCC Scanning capability as specified by NIST.

USGCB

What is the United States Government Configuration Baseline? How does it differ from FDCC?

In May 2010, the Architecture and Infrastructure Committee of the CIO Council announced the United States Government Configuration Baseline (USGCB) settings for Windows 7 and Internet Explorer 8. The USGCB is a further clarification of the Federal Desktop Core Configuration (FDCC); specifically, the USGCB initiative falls within FDCC and comprises the configuration settings component of FDCC. To assist in implementation, NIST will release the supporting Security Content Automation Protocol (SCAP) content for all USGCB settings.

QualysGuard® FDCC Service

The QualysGuard® FDCC service is the first certified cloud-based computing solution for FDCC compliance.  It allows federal agencies to scan and report compliance with the FDCC and USGCB requirements through a centralized, integrated solution leveraging the QualysGuard® Software-as-a-Service (SaaS) architecture. The QualysGuard® Scanner Appliances support FDCC and USGCB scanning for internal systems on a global scale.

The QualysGuard® FDCC service is validated by NIST as conforming to SCAP and its component standards. The QualysGuard® FDCC service currently supports the following SCAP content:

  • FDCC: Windows XP
  • FDCC: Windows XP Firewall
  • FDCC: Windows Vista
  • FDCC: Windows Vista Firewall
  • FDCC: Internet Explorer 7
  • USGCB: Windows 7
  • USGCB: Windows 7 Firewall
  • USGCB: Internet Explorer 8

Windows Share Enumeration, Detailed Audit Settings, and ExploitKit Mapping

Sometimes it’s the little things that make your day run more smoothly.  The release of QualysGuard 6.19 includes highly-focused new features that add functionality for Windows systems. Also, an update to the Qualys KnowledgeBase identifies vulnerabilities that can be attacked via exploit kits, helping organizations prioritize patching efforts and protect against the vulnerabilities those kits abuse.

Windows Share Enumeration: Find Windows shares that are readable by everyone, and report details like the number of files in the share and whether the files are writable. This is good for identifying groups of files that may need tighter access control.

Detailed Audit Settings: Verify auditing subcategory settings introduced in Windows Vista, Windows 7, and Windows Server 2008. You can now check all of the audit logging settings within Windows.

Both of the above features require the new dissolvable agent, which is configured via a new workflow for easier activation.  Details in the 6.19 Notification.

ExploitKit Mapping: If a vulnerability can be attacked via an exploit kit, it should be considered higher priority simply because of the larger number of people who can easily attempt to attack it via the exploit kit. The new ExploitKit Mapping in the KnowledgeBase makes it easier to identify these vulnerabilities and prioritize their remediation.

QualysGuard PCI Now Includes Open Services Report

I was surrounded by numbers, more numbers that I could ever remember or justify.  Every time I tried to add them up they would find a new combination – one I hadn’t seen before – and mock me with a sum that was just a few dollars above or below where it was supposed to be.  I spent nearly three days doing calculations before I finally swallowed my pride and put in a "calculation error" entry to finish the process.

Reconciling my family’s checkbook had defeated me…this time.

Over the years I got better at doing the reconciliations, and eventually Microsoft Money made everything easier by automating the process, downloading transactions from my bank and helping me categorize and track all expenses.  Today I can happily say that balancing my account takes just a few minutes each month.

In many ways the PCI DSS section 1.1.5 requirement is a lot like reconciling a bank statement.  It states the following:

Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.

Simply keeping track of the assets in a cardholder data environment (CDE) can be a challenge, and this requirement adds on the responsibility for administrators to keep track of all ports and protocols that are in use in the CDE.  Additionally, the business justification for each port and protocol must be included; for most enterprises this requires involving multiple people and keeping notes about what the justification is and who provided it.

I’m pleased to announce that QualysGuard PCI version 5.3 now provides the Open Services Report.  In the same way the Microsoft Money helped me keep track of my spending, the Open Services Report can help you comply with PCI 1.1.5 by automating the workflow for discovering, authorizing, and reporting of the ports and protocols in your CDE.

Once you have performed a scan of your CDE you can access the Open Services Report via Network -> Open Services Report.


You’ll immediately see a few key capabilities:

  • The Summary section shows you how many services have been identified during the most recent scans and tracks how many have been categorized.  As you perform the workflow to approve/reject services these numbers will be updated.
  • A dynamic listing of all open ports and protocols detected in your CDE is shown in the grid.  You can change the grouping by host IP or by service, and can filter the list to show only the items you are interested in (such as description containing "NetBIOS" or service marked as "Unauthorized").
  • A CSV download of all the services and their status can be downloaded for distribution outside of the PCI application.

The Open Services Report includes the ability to classify services as authorized or unauthorized.  To do so, simply select all the services you wish to mark and click on "Classify".  You’ll be prompted to enter a business justification for that decision:


A complete history of all activity – who classified a service, when, and the reasons why – will be maintained and viewable in the report.  You can then proceed to use the report to demonstrate your compliance with the PCI 1.1.5 requirement.
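The workflow described above (discover open services from scans, classify each as authorized or unauthorized with a mandatory business justification, keep a history of who decided what and when, summarize progress, filter and group the grid, and export to CSV) can be modelled in a few dozen lines. The following is an added example, not the QualysGuard PCI feature itself; the scan results, IP addresses, user names and justifications are constructed.

```python
"""A PCI DSS 1.1.5 style inventory of open services with an authorize/reject
workflow and audit trail. Added example, not Qualys code; all data is constructed."""
import csv
import io


class OpenServicesReport:
    def __init__(self):
        self.services = {}  # (ip, protocol, port) -> record dict
        self.audit = []     # (when, who, key, status, justification)

    def ingest_scan(self, scan_date, results):
        """results: iterable of (ip, protocol, port, description) from one scan.
        Known services keep their classification; new ones start Uncategorized."""
        for ip, protocol, port, description in results:
            key = (ip, protocol.lower(), int(port))
            record = self.services.setdefault(key, {
                "status": "Uncategorized", "justification": "", "first_seen": scan_date})
            record["description"] = description
            record["last_seen"] = scan_date

    def classify(self, keys, status, who, when, justification):
        """Mark services Authorized or Unauthorized. A justification is mandatory,
        and every decision is appended to the audit trail."""
        if status not in ("Authorized", "Unauthorized"):
            raise ValueError("status must be Authorized or Unauthorized")
        if not justification.strip():
            raise ValueError("a business justification is required")
        for key in keys:
            self.services[key].update(status=status, justification=justification)
            self.audit.append((when, who, key, status, justification))

    def history(self, key):
        """Who classified this service, when, and why."""
        return [entry for entry in self.audit if entry[2] == key]

    def summary(self):
        total = len(self.services)
        done = sum(1 for r in self.services.values() if r["status"] != "Uncategorized")
        return {"identified": total, "categorized": done, "uncategorized": total - done}

    def select(self, description_contains=None, status=None):
        """Filter like the report grid: by description substring and/or status."""
        keys = []
        for key, r in sorted(self.services.items()):
            if description_contains and description_contains.lower() not in r["description"].lower():
                continue
            if status and r["status"] != status:
                continue
            keys.append(key)
        return keys

    def by_service(self):
        """Group hosts under each protocol/port, the grid's other grouping."""
        groups = {}
        for ip, protocol, port in self.services:
            groups.setdefault((protocol, port), []).append(ip)
        return {k: sorted(v) for k, v in groups.items()}

    def to_csv(self):
        """CSV of every service and its status for distribution outside the tool."""
        buf = io.StringIO()
        writer = csv.writer(buf, lineterminator="\n")
        writer.writerow(["ip", "protocol", "port", "description", "status",
                         "justification", "first_seen", "last_seen"])
        for (ip, protocol, port), r in sorted(self.services.items()):
            writer.writerow([ip, protocol, port, r["description"], r["status"],
                             r["justification"], r["first_seen"], r["last_seen"]])
        return buf.getvalue()


def build_sample_report():
    """Two constructed scans of a small CDE and two classification decisions."""
    report = OpenServicesReport()
    report.ingest_scan("2011-09-01", [
        ("10.0.0.5", "tcp", 443, "HTTPS"),
        ("10.0.0.5", "tcp", 22, "SSH"),
        ("10.0.0.7", "tcp", 139, "NetBIOS Session Service"),
        ("10.0.0.7", "udp", 137, "NetBIOS Name Service"),
    ])
    report.classify([("10.0.0.5", "tcp", 443)], "Authorized", "alice", "2011-09-02",
                    "Payment web front end (constructed justification)")
    report.classify([("10.0.0.7", "tcp", 139), ("10.0.0.7", "udp", 137)], "Unauthorized",
                    "bob", "2011-09-03", "No business need for NetBIOS inside the CDE")
    # Later scan: NetBIOS is gone, a new database service appears and needs a decision
    report.ingest_scan("2011-10-01", [
        ("10.0.0.5", "tcp", 443, "HTTPS"),
        ("10.0.0.5", "tcp", 22, "SSH"),
        ("10.0.0.9", "tcp", 3306, "MySQL"),
    ])
    return report
```

Services that drop out of a later scan keep their record and their old `last_seen` date rather than being deleted, so the justification history survives for the audit even after the port is closed.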

We hope you find these new capabilities helpful in tracking and justifying the business needs for services in your CDE, and look forward to hearing your feedback.

Improving Policy Editing and Reporting

Ever wonder what 314159265358979 or 161803399999999 stand for in a compliance policy?  You’re not alone.  These special values, known as Pi and Golden Ratio, are used to report specific status conditions within QualysGuard Policy Compliance.  The translation of these special values varies by technology and configuration.  With the release of QualysGuard 6.18, these special values will be converted to check boxes in the policy editor, providing a clear translation of each special value.  In addition, policy reports will no longer display these special values; only the translated values.

The Use of Pi and Golden Ratio

Policy Compliance uses two special values to indicate status information about a compliance check, also referred to as a data point. These special values are:

  1. 314159265358979 (the first 15 digits of PI)
  2. 161803399999999 (the first 15 digits of the "Golden Ratio")

These values are numbers that are very unlikely to occur as real settings, and they represent various conditions encountered during scanning.  The status values will have slightly different meanings according to which technology the control is using.  Valid examples of these special values include, but are not limited to, the following:

  1. Registry key path was not found.
  2. Registry key parameter was not found.
  3. File was not found.
  4. Setting was not found.

Previous Policy Editor and Reports

Previously, these special values would appear in your policies as the expected value for various data point checks. Below are a few examples of the policy editor prior to QualysGuard 6.18:

  1. The first example below uses a complex control to verify the 'Number of days prior to password expiry before a warning is displayed at login'.  Notice the AND condition makes sure that the value is less than Golden Ratio.  Golden Ratio is returned when the setting is not found, and therefore not set.  This additional AND condition is required to prevent false positives, as we do not want to pass the control if the setting is not found.
    Figure 1: Complex Control using Golden Ratio
  2. The second example below uses multiple values in the regular expression to verify the startup state of the 'Clipbook' service.  Notice both Pi and Golden Ratio are included in the regular expression.  Pi is returned when the registry key path is not found and Golden Ratio is returned when the registry key parameter is not found, both meaning the service is not installed.  Since the service should be disabled, represented by 4, we should also pass the control if the service is not installed, represented by Pi and Golden Ratio.
    Figure 2: Complex Regular Expression using Pi and Golden Ratio

These special values may also appear in your compliance reports.  We have been converting the actual values to translated values in the reports for several releases; however, the expected values may still use Pi or Golden Ratio.
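To make the role of the two sentinels concrete, here is an added example (not Qualys code) that collects settings from constructed hosts, returns Pi when a registry key path is missing and Golden Ratio when a parameter or setting is missing, and then evaluates the two controls from Figures 1 and 2 in both their old form (numeric criterion ANDed with "less than Golden Ratio"; a regular expression listing 4, Pi and Golden Ratio) and their check-box form, translating the sentinels for the report's Expected and Actual columns. The registry path, setting name and host data are constructed.

```python
"""Sentinel values for 'not found' conditions in compliance checks and how a control's
expected-value logic must handle them. Added example, not Qualys code; hosts,
registry paths and setting names are constructed."""
import re

PI = 314159265358979            # e.g. registry key path not found
GOLDEN_RATIO = 161803399999999  # e.g. registry key parameter, file or setting not found

# Meaning of the sentinels for a registry-based control (varies by technology)
REGISTRY_TRANSLATION = {PI: "Registry key path not found",
                        GOLDEN_RATIO: "Registry key parameter not found"}
SETTING_TRANSLATION = {GOLDEN_RATIO: "Setting not found"}


def collect_registry_value(registry, key_path, parameter):
    """Read a value from a constructed registry snapshot (dict of dicts).
    A missing path yields Pi, a missing parameter yields Golden Ratio."""
    key = registry.get(key_path)
    if key is None:
        return PI
    return key.get(parameter, GOLDEN_RATIO)


def collect_setting(settings, name):
    """Read a plain OS setting; Golden Ratio means the setting is not present."""
    return settings.get(name, GOLDEN_RATIO)


def translate(actual, translation):
    """Reports show the translated meaning instead of the raw sentinel."""
    return translation.get(actual, str(actual))


# Figure 1 style: numeric criterion ANDed with 'less than Golden Ratio'.
# Without the second term a missing setting would satisfy '>= minimum'.
def check_warn_days_values_only(actual, minimum=7):
    return actual >= minimum and actual < GOLDEN_RATIO


# Figure 3 style: the same criterion plus a check box deciding whether
# 'setting not found' should pass the control.
def check_warn_days_hybrid(actual, minimum=7, pass_if_not_found=False):
    if actual == GOLDEN_RATIO:
        return pass_if_not_found
    return actual >= minimum


# Figure 2 style: every acceptable state, sentinels included, in one regular expression.
# 4 = Disabled; Pi / Golden Ratio mean the service is not installed at all.
CLIPBOOK_REGEX = re.compile(r"^(4|314159265358979|161803399999999)$")


def check_clipbook_regex(actual):
    return CLIPBOOK_REGEX.match(str(actual)) is not None


# Figure 4 style: the same control expressed as fixed-value selections.
STARTUP_TRANSLATION = {2: "Automatic", 3: "Manual", 4: "Disabled", **REGISTRY_TRANSLATION}
CLIPBOOK_ALLOWED = frozenset({4, PI, GOLDEN_RATIO})


def check_clipbook_fixed_values(actual, allowed=CLIPBOOK_ALLOWED):
    return actual in allowed


def expected_label(allowed, translation):
    return " or ".join(translation[v] for v in sorted(allowed))


CLIPBOOK_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\ClipBook"  # constructed path


def evaluate_host(name, registry, settings):
    """Rows mirroring a report's Expected / Actual / Status columns, sentinels translated."""
    warn = collect_setting(settings, "PASS_WARN_AGE")
    start = collect_registry_value(registry, CLIPBOOK_KEY, "Start")
    return [
        {"host": name, "control": "password expiry warning days",
         "expected": ">= 7; fail if setting not found",
         "actual": translate(warn, SETTING_TRANSLATION),
         "status": "Passed" if check_warn_days_hybrid(warn) else "Failed"},
        {"host": name, "control": "ClipBook startup type",
         "expected": expected_label(CLIPBOOK_ALLOWED, STARTUP_TRANSLATION),
         "actual": translate(start, STARTUP_TRANSLATION),
         "status": "Passed" if check_clipbook_fixed_values(start) else "Failed"},
    ]


def evaluate_sample_hosts():
    hosts = {
        "srv-1": ({CLIPBOOK_KEY: {"Start": 4}}, {"PASS_WARN_AGE": 14}),  # fully compliant
        "srv-2": ({CLIPBOOK_KEY: {"Start": 2}}, {}),                     # both controls fail
        "srv-3": ({}, {"PASS_WARN_AGE": 7}),                             # service absent: passes
    }
    return [row for name, (reg, st) in hosts.items() for row in evaluate_host(name, reg, st)]
```

The point of `check_warn_days_values_only` is the false positive it prevents: Golden Ratio is an enormous integer, so `GOLDEN_RATIO >= 7` is true, and a control that only compared against the minimum would pass a host on which the setting does not exist at all.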

Improved Policy Editor and Reports

With the release of QualysGuard 6.18, the policy editor will start to display Pi and Golden Ratio as check boxes with their translated meanings.  Not all of the controls will be translated initially, as we will be updating the existing controls to use the new feature over time.  However, new controls will be created using this new feature. 

After QualysGuard 6.18, all controls will fall into one of the following categories:

  • Values Only: The control only allows user-customized criteria. The user must select the operator and cardinality and enter an expected value. This is how controls worked prior to this release.
  • Fixed Values Only: The control only allows fixed value selections. The user must select or clear check boxes.
  • Hybrid: The control allows a combination of user-customized criteria and fixed value selections.

Below are the same samples from above using the new feature in QualysGuard 6.18:

  1. The first example below simplifies the control to verify the 'Number of days prior to password expiry before a warning is displayed at login'.  Notice the AND condition has been removed and replaced with check boxes.  These check boxes will allow you to pass the control if the setting is not found.
    Figure 3: Hybrid Control using Value and Fixed Values
  2. The second example below converts all values in the regular expression to fixed values to verify the startup state of the 'Clipbook' service.  Notice that all values, including Pi and Golden Ratio, have been converted to check boxes.  By checking the appropriate check boxes, we can now check all conditions of the service.
    Figure 4: Fixed Values Control

Updated compliance reports will now display the translated values for the 'Expected' column.  A sample report for the Fixed Values example above is provided below:


Figure 5: Fixed Values Report

In addition to resolving the translation of Pi and Golden Ratio, we also improved the layout of the policy editor and reports.  We added shading to both the policy editor and reports to highlight the values associated with each control.  We also added auto-sized text boxes in the policy editor to make it easier to see larger strings of text, especially for file integrity hashes.

Demo

To see a demo of this new feature, please view the Improved Policy Editor and Reporting Demo.