All Posts

2 posts

Introducing QualysGuard Dynamic Asset Tagging and Management

Asset management and scanning complement and reinforce each other. It’s a case where the whole is greater than the sum of the parts.

image1Scanning tools can deliver an accurate, automated inventory of assets in near real-time as a side effect of their scans. Likewise, a complete inventory of assets provides insight into their metadata and organization, which leads to better security decisions. Newly added features in QualysGuard extend its asset management capabilities to include both statically and dynamically categorized assets. These new features make it easier to get precise views into the security posture of different aspects of a complex IT environment, and they give IT managers consistently up-to-date data about the systems in their environments.

Why Asset Management Is Important

Asset management is key to security because of the number, variety and dynamic nature of assets. A company with 5,000 employees may have more than 20,000 IT assets. Mobile devices, laptops, and other BYOD devices configured by end-users may not comply with corporate configuration policies. Mobile devices, cloud-based applications, virtualization, and remote workers add complexity and volatility. Inventory and configuration snapshots of these devices in an organization can quickly become obsolete. With more and more employees using multiple IT assets, it is easy to see how inventories can change and grow quickly and in unexpected ways. Adding to this is the geographical distribution of buildings, offices and data centers across the globe. And to have a complete picture of assets requires an understanding of business ownership, including the structure of the organization and who owns the assets or has access to them, all the way down to details like what are their configurations, their status and their serial numbers.

Only with a clear view of assets can they be managed and secured.


So where does tagging fit in? If the scan is already collecting the configuration data from the systems, why do you need tagging?

Simple answer: Tagging gives you flexibility to organize your assets in multiple ways simultaneously.

Many aspects of an asset, both technical and nontechnical, need to be easily visible to the organization of your assets. Entering and tracking such information manually on each asset will not scale in large enterprise environments. What is needed is a more flexible labeling or tagging system that has the ability to understand and apply one or more tags as labels to assets in an automated manner using rules. We refer to labels as tags and they can be used to organize, search and prioritize assets across all QualysGuard solutions such as Vulnerability Management, Web Application Scanning, Policy Compliance and Malware Detection Service.

The hierarchical tag organization can be understood best as a set of folders and subfolders, like you may have seen many times in a Windows folder “tree” structure. One of the big differences is that an asset may have many tags on it, which (using the folder analogy) means an asset can be in several folders at once. If your business has two or three or ten ways to group its assets, you don’t have to pick one, you can have all 10 at once.

Since tags can be nested inside other tags, the manual work of managing rollup groups is eliminated. This association is very useful when managing large sets of assets, and provides a cohesive, common foundation for other solutions such as compliance scans. Avoiding manual work when altering the groupings is another benefit: a simple reorganization of the tags (using drag & drop) is all you need to create new or altered groupings of your assets.

Applying Tags

image7In the simplest case, tags are applied manually to assets. A simple tag may be placed manually on an asset to reflect almost any description.

A more powerful and automated set of tag rules can be placed on assets that check for certain criteria. This could be IP address, operating system, software installed, etc.

Finally, for more advanced users, logic can be applied to the rules which can zero in very accurately. For example, you may want to identify all assets in a selected IP range running Windows 2000, based in Asia and having an Adobe product installed; or all Windows clients in your call centers; or all mail servers. All of these rules will save a huge amount of manual operations and give the organization more confidence concerning the accuracy of their asset inventory and overall compliance posture.

When you scan the next time, tags are re-evaluated and updated automatically to reflect the latest scan data.

Advanced Techniques

A rule-based tagging capability enables the assets to reflect the true organizational structure across businesses, geographies and technologies in an automated way. Static, dynamic and advanced rules can be applied to very specific assets in an accurate manner. Some of the more advanced users can even use a scripting language (Groovy Scripts) to pinpoint specific assets for action.

For example, you may want to know whether a host has been scanned for the first time, i.e. if it is newly discovered. A Groovy scriptlet could be written to evaluate this case and automatically tag those assets.

Extending Tags Beyond Scans

Once the automatic rules are in place, the Asset Management and Dynamic Tagging module becomes a powerful platform to empower other solutions. For example, we can launch a scan targeting specific tags such as operating systems. A vulnerability report can be run against hosts with specific software installed. Searches can be performed which locate web applications with specific vulnerabilities. The real power of a highly automated and accurate a Asset Management and Dynamic Tagging module is tight integration with other security and compliance solutions. The Asset Management and Dynamic Tagging functionality is built into the very core of the QualysGuard Cloud Suite, and is integrated into each of the solutions it provides for a common, integrated approach.

Operating at Scale

In the real world, a key success factor is the ability to operate at scale in rapidly changing environments. The fundamentals of the QualysGuard scanning architecture are critical for operating at scale.

The QualysGuard Asset Management and Dynamic Tagging Cloud Platform has been specifically architected to scale across millions of assets. The module takes advantage of the rich data collected by the Vulnerability Management scan to build a near real time comprehensive asset database. These assets are then assigned tags to allow better organization and enable other solutions.

Unless you have a scaleable scanning architecture with a cloud-based management infrastructure separated from the physical scanning resources, scanning all hosts can take weeks if not months.

Built correctly, a network scanning platform can be an ideal vehicle to perform discovery of IT assets, web applications and network infrastructure. A more sophisticated authenticated scan of your assets can access and store a wealth of useful information; just a few examples being: inventory of software installed, detailed hardware specifications, local configuration settings, security policies, registry settings and more.

QualysGuard uses agentless scanning, where no software needs to be installed and maintained on target (scanned) systems in the environment. It’s very scalable, and can provide inventory scans of thousands of assets in a short time period. It’s also a good way to catch new assets as they enter the environment.

A scanning program that works at scale is the foundation. Not only does it provide security information such as vulnerabilities or variance from configuration standards, but it can also collect detailed information about these assets.

Future Direction

The Asset Management solution of the future is able to keep a continuous inventory of assets from many different internal and external sources, tag them and organize them into well-defined groupings (which, for example, could represent business units, geographies and technologies, or all of the above) in one central place. Although scanning using the QualysGuard Cloud Suite provides good visibility and inventory of the assets in your business, there will be other more direct sources that can provide asset information. This could be an Active Directory Service (Microsoft), APIs from leading virtualization systems such as VMware, or the cloud APIs from Amazon EC2, or 3rd-party asset repositories or tracking software. Regardless of the source, they would all come together to be reconciled, organized and managed in one place. This would form the foundation of a powerful platform that is able to service multiple security and compliance solutions, and flex to the needs of many teams across the enterprise.

To active Asset Tagging and Management in your QualysGuard Subscription, see Asset Tagging, Part 1: Activating

Technical Resources:

Quick Start Guide (pdf)


Meeting PCI Requirement 11.2 with QualysGuard

Your PCI 11.2 Checklist and Toolbox

Merchants are getting ready for the upcoming changes to the internal scanning requirements for PCI compliance.  This blog post provides a checklist on what you should have ready and will review some of the tools Qualys provides for these requirements.

There are four core areas to focus on in preparation for your compliance to PCI 11.2, taking into account the changes from PCI 6.2 regarding risk ranking of vulnerabilities.

  1. Your documented PCI scope (cardholder dataenvironment)
  2. Your documented risk ranking process
  3. Your scanning tools
  4. Your scan reports

Merchants will need to complete each of these elements to be prepared to pass PCI compliance.

1. Your documented PCI scope (cardholder data environment)

All PCI requirements revolve around a cross-section of assets in your IT infrastructure that is directly involved in storage, processing, or transmitting payment card information. These IT assets are known as the cardholder data environment (CDE), and are the focus areas of the PCI DSS requirements.

These assets can exist in internal or external (public) networks and may be subject to different requirements based on what role they play in payment processing. These assets can be servers, routers, switches, workstations, databases, virtual machines or web applications; PCI refers to these assets as system components.

QualysGuard provides a capability to tag assets under management.  The screenshot below shows an example of PCI scope being defined within the QualysGuard Asset Tagging module.  It provides the ability to group internal assets (for 11.2.1), external assets (for 11.2.2), and both internal and external assets together (for 11.2.3).


This allows you to maintain documentation of your CDE directly, and to drive your scanning directly from your scope definition.

2. Your documented risk ranking process

This is the primary requirement associated with the June 30th deadline; this is the reference that should allow someone to reproduce your risk rankings for specific vulnerabilities.

The requirement references industry best practices, among other details, to consider in developing your risk ranking.  It may help you to quickly adopt a common industry best practice and adapt it to your own environment.  Two examples are the Qualys severity rating system, which is the default rating as per the security research team at Qualys; or, the PCI ASV Program Guide, which includes a rating system used by scanning vendors to complete external scanning. QualysGuard is used by 50 of the Forbes Global 100, and spans all market verticals; it qualifies as an industry best practice.  Additionally, the QualysGuard platform is used by the majority of PCI Approved Scanning Vendors  and already delivers rankings within the PCI ASV Program Guide practices.

The core rules of your risk rankings should take into account CVSS Base Scores, available from nearly all security intelligence feeds.  These scores are also the base system used within the PCI ASV Program Guide.  Your process should also account for system components in your cardholder data environment and vendor-provided criticality rankings, such as the Microsoft patch ranking system if your CDE includes Windows-based system components.

The process should include documentation that details the sources of security information you follow, how frequently you review the feeds, and how you respond to new information in the feeds.  QualysGuard provides daily updates to the vulnerability knowledgebase and now offers a Zero-Day Analyzer service, which leverages data from the iDefense security intelligence feed.


3. Your scanning tools

After you have your scope clearly defined and you have your process for ranking vulnerabilities documented, you will need to be able to run vulnerability scans. This includes internal VM scans, external VM scans, PCI ASV scans (external), internal web application scans and external web application scans. It is thefindings in these scans that will map against your risk ranking process and allow you to produce the necessary scan reports.

You will need to be able to configure your scanning tools to check for “high” vulnerabilities, which will allow you to allocate resources to fix and resolve these issues as part of the normal vulnerability management program and workflow within your environment.

QualysGuard VM, QualysGuard WAS and QualysGuard PCI all work together seamlessly to provide each of these scans capabilities against the same group of assets that represent your PCI scope or CDE.


4. Your scan reports

You will want to produce reports for your internal PCI scope, as defined in #1 of this checklist, both quarterly and after any significant changes.  If you have regular releases or updates to your IT infrastructure, you will want to have scan reports from those updates and upgrades. Quarterly scan reports need to be spaced apart by 90 days.  In all cases, these reports need to show that there are no “high” vulnerabilities detected by your scanning tools.

Each report for the significant change events will also need to include external PCI scope. QualysGuard VM makes it easy to include both internal and external assets in the same report.  QualysGuard VM also provides a direct link to your QualysGuard PCI merchant account for automation of your PCI ASV scan requirements.


QualysGuard WAS allows you to quickly meet your production web application scanning requirement (PCI 6.6) as well as internal web application scanning as part of your software development lifecycle (SDLC), by scanning your applications in development and in test. 

If you follow these guidelines you will be well prepared to perform and maintain the required controls for PCI 11.2.