Enterprises are having a challenging time securing their data and systems. But it doesn’t have to be that way. We recently reached out to Tyler Shields, principal analyst at Forrester, to discuss his presentation at Qualys Security Conference 2015, what it means to be able to secure enterprises at “cloud scale,” and what it’s going to take for enterprises to succeed in security in the years ahead.
Risk I/O announced today that it has partnered with Qualys to integrate QualysGuard Vulnerability Management (VM) into Risk I/O, providing perimeter vulnerability scanning for its customers. For businesses that need to understand the vulnerability and threat risks of their organization’s perimeter in real-time, the new integration enables them to sync their vulnerability data with Risk I/O’s threat processing engine, allowing organizations to gain visibility into their most likely vector for a breach.
Today in London, to kick off the week of Infosecurity Europe, Qualys and FireMon announced the integration of QualysGuard Vulnerability Management (VM) and FireMon Security Manager with Risk Analyzer in FireMon’s upcoming Version 7.0 release. The integration enables customers to analyze their security postures across large network security infrastructures, evaluate remediation efforts through attack simulation, and see the impact of their actions to reduce risk and meet compliance regulations.
With the integration, FireMon Security Manager with Risk Analyzer is automatically updated with the latest QualysGuard VM scan results. Combined with Security Manager’s real-time network configuration and topology knowledge, it identifies exactly which assets on the network are truly at risk and which should be remediated first to reduce the greatest amount of risk.
Jody Brazil, President and CTO of FireMon commented: “The integrated FireMon Security Manager with Risk Analyzer and QualysGuard Vulnerability Management solution empowers IT Security organizations to automate the identification of assets that are truly at risk, and to know their network risk posture is always updated in real-time. This enables customers to move to a risk-centric security operations model that enables them to proactively identify and patch or make unreachable important assets that could be exploited before attackers do."
Merchants are getting ready for the upcoming changes to the internal scanning requirements for PCI compliance. This blog post provides a checklist on what you should have ready and will review some of the tools Qualys provides for these requirements.
There are four core areas to focus on in preparation for your compliance to PCI 11.2, taking into account the changes from PCI 6.2 regarding risk ranking of vulnerabilities.
Your documented PCI scope (cardholder data environment)
Your documented risk ranking process
Your scanning tools
Your scan reports
Merchants will need to complete each of these elements to be prepared to pass PCI compliance.
1. Your documented PCI scope (cardholder data environment)
All PCI requirements revolve around a cross-section of assets in your IT infrastructure that is directly involved in storage, processing, or transmitting payment card information. These IT assets are known as the cardholder data environment (CDE), and are the focus areas of the PCI DSS requirements.
These assets can exist in internal or external (public) networks and may be subject to different requirements based on what role they play in payment processing. These assets can be servers, routers, switches, workstations, databases, virtual machines or web applications; PCI refers to these assets as system components.
QualysGuard provides a capability to tag assets under management. The screenshot below shows an example of PCI scope being defined within the QualysGuard Asset Tagging module. It provides the ability to group internal assets (for 11.2.1), external assets (for 11.2.2), and both internal and external assets together (for 11.2.3).
This allows you to maintain documentation of your CDE directly, and to drive your scanning directly from your scope definition.
2. Your documented risk ranking process
This is the primary requirement associated with the June 30th deadline; this is the reference that should allow someone to reproduce your risk rankings for specific vulnerabilities.
The requirement references industry best practices, among other details, to consider in developing your risk ranking. It may help you to quickly adopt a common industry best practice and adapt it to your own environment. Two examples are the Qualys severity rating system, which is the default rating assigned by the security research team at Qualys, and the PCI ASV Program Guide, which includes the rating system used by scanning vendors to complete external scanning. QualysGuard is used by 50 of the Forbes Global 100 and spans all market verticals, so it qualifies as an industry best practice. Additionally, the QualysGuard platform is used by the majority of PCI Approved Scanning Vendors and already delivers rankings that follow the PCI ASV Program Guide practices.
The core rules of your risk rankings should take into account CVSS Base Scores, available from nearly all security intelligence feeds. These scores are also the base system used within the PCI ASV Program Guide. Your process should also account for system components in your cardholder data environment and vendor-provided criticality rankings, such as the Microsoft patch ranking system if your CDE includes Windows-based system components.
The process should include documentation that details the sources of security information you follow, how frequently you review the feeds, and how you respond to new information in the feeds. QualysGuard provides daily updates to the vulnerability knowledgebase and now offers a Zero-Day Analyzer service, which leverages data from the iDefense security intelligence feed.
3. Your scanning tools
After you have your scope clearly defined and your process for ranking vulnerabilities documented, you will need to be able to run vulnerability scans. This includes internal VM scans, external VM scans, PCI ASV scans (external), internal web application scans and external web application scans. It is the findings from these scans that will map against your risk ranking process and allow you to produce the necessary scan reports.
You will need to be able to configure your scanning tools to check for “high” vulnerabilities, which will allow you to allocate resources to fix and resolve these issues as part of the normal vulnerability management program and workflow within your environment.
QualysGuard VM, QualysGuard WAS and QualysGuard PCI all work together seamlessly to provide each of these scan capabilities against the same group of assets that represents your PCI scope or CDE.
4. Your scan reports
You will want to produce reports for your internal PCI scope, as defined in #1 of this checklist, both quarterly and after any significant changes. If you have regular releases or updates to your IT infrastructure, you will want to have scan reports from those updates and upgrades. Quarterly scan reports need to be spaced apart by 90 days. In all cases, these reports need to show that there are no “high” vulnerabilities detected by your scanning tools.
Each report for the significant change events will also need to include external PCI scope. QualysGuard VM makes it easy to include both internal and external assets in the same report. QualysGuard VM also provides a direct link to your QualysGuard PCI merchant account for automation of your PCI ASV scan requirements.
QualysGuard WAS allows you to quickly meet your production web application scanning requirement (PCI 6.6) as well as internal web application scanning as part of your software development lifecycle (SDLC), by scanning your applications in development and in test.
If you follow these guidelines you will be well prepared to perform and maintain the required controls for PCI 11.2.
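The checklist above asks for a risk ranking process that someone else can reproduce (step 2) and scan reports that show no “high” findings (step 4). As an added example, not code from Qualys or from the PCI Council, the block below encodes one such process in Python: the only fixed number is the ASV rule that external findings with a CVSS Base Score of 4.0 or higher fail; the internal threshold, the vendor-rating rule and the sample findings are assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Illustrative policy values. ASV_FAIL_CVSS follows the PCI ASV Program Guide;
# the other two are assumed for this example and must be set by your own
# documented process, not taken as PCI or Qualys prescribed numbers.
ASV_FAIL_CVSS = 4.0
INTERNAL_HIGH_CVSS = 7.0
HIGH_VENDOR_RATINGS = {"Critical"}   # e.g. Microsoft patch rating

@dataclass(frozen=True)
class Finding:
    qid: str                              # scanner check id (constructed below)
    cvss_base: float                      # CVSS Base Score from the feed
    in_cde: bool                          # asset tagged as a CDE system component
    external: bool                        # perimeter-facing (11.2.2 / ASV scope)
    vendor_rating: Optional[str] = None   # vendor-provided criticality, if any

def rank(f: Finding) -> tuple[str, str]:
    """Return (ranking, reason); the reason is what lets an assessor reproduce it."""
    if f.external and f.cvss_base >= ASV_FAIL_CVSS:
        return "high", f"external asset, CVSS {f.cvss_base} >= {ASV_FAIL_CVSS} (ASV fail)"
    if f.in_cde and f.vendor_rating in HIGH_VENDOR_RATINGS:
        return "high", f"CDE asset with vendor rating {f.vendor_rating}"
    if f.in_cde and f.cvss_base >= INTERNAL_HIGH_CVSS:
        return "high", f"CDE asset, CVSS {f.cvss_base} >= {INTERNAL_HIGH_CVSS}"
    if f.cvss_base >= ASV_FAIL_CVSS:
        return "medium", f"CVSS {f.cvss_base} but no high rule matched (in_cde={f.in_cde})"
    return "low", f"CVSS {f.cvss_base} below {ASV_FAIL_CVSS}"

def gate_report(findings: list[Finding]) -> tuple[bool, list[str]]:
    """A report passes only when nothing ranks 'high'; blockers carry their reasons."""
    blockers = [f"{f.qid}: {why}" for f in findings
                for level, why in [rank(f)] if level == "high"]
    return (not blockers), blockers

SAMPLE = [   # constructed sample findings, not real scan output
    Finding("QID-A", 5.0, in_cde=True, external=True),
    Finding("QID-B", 6.5, in_cde=True, external=False, vendor_rating="Critical"),
    Finding("QID-C", 6.5, in_cde=True, external=False, vendor_rating="Important"),
    Finding("QID-D", 9.3, in_cde=False, external=False),
    Finding("QID-E", 2.1, in_cde=True, external=False),
]

if __name__ == "__main__":
    ok, blockers = gate_report(SAMPLE)
    print("PASS" if ok else "FAIL", *blockers, sep="\n")
```

QID-D shows the scope decision step 1 forces: a severe finding on an asset outside the documented CDE does not block the PCI report, but it still belongs in your normal vulnerability management workflow.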
Qualys is a firm believer in the tremendous benefits of sharing information to improve information security. Over the past year, we’ve demonstrated our commitment to industry collaboration with many projects, including the creation of the Ironbee Open Source project, our support of Convergence, and our work with StopBadware. I’m happy to announce today that Risk I/O has joined the community of our partners in sharing.
Risk I/O provides a centralized portal for vulnerability information, reporting, and remediation management. By utilizing the QualysGuard API, Risk I/O makes it easy to get an accurate and up-to-the-minute assessment of your vulnerabilities and share that information using concise charts and reports, improving efficiency and performance of vulnerability management programs. Tickets can be assigned to drive remediation work, and QualysGuard verification scans can be automatically launched to close the loop on remediation activities. Risk I/O can even aggregate QualysGuard results with other standards-based tools in your environment to multiply the value of your data. Since both QualysGuard and Risk I/O are cloud-based solutions, getting started is as easy as signing up for a free trial account. You can read more about the Qualys and Risk I/O partnership on the Risk I/O blog.
We’re excited to work with Risk I/O to help you perform better vulnerability management. Please share your experiences with us; we would love to hear your feedback so we can continue to improve our products and integrations!