In the first installment of this blog series on automated asset inventorying, we met Max, the CISO of a large manufacturer whose InfoSec team lost full visibility of the company’s hardware and software.
Dangerous blind spots appeared progressively over time as Max’s company adopted more and more digital transformation technologies, such as cloud computing, mobility, IoT, and virtualization.
Eventually, Max and his team became alarmed at the inability of their legacy on-premises security products to account for the new cloud instances, virtualized environments, mobile endpoints and other assets outside of the traditional, tightly-controlled network perimeter.
They were concerned that this lack of visibility could lead to an increase in employee use of unapproved personal devices and unauthorized software, as well as to data breaches.
With 2017 still in its infancy, plenty of time remains for InfoSec practitioners to make concrete strides toward better security and compliance in their organizations. That’s why, to help you start off the year on the right foot, we’ve shared best practices, ideas and recommendations in our Qualys Top 10 Tips for a Secure & Compliant 2017 blog series.
As we continue our Qualys Top 10 Tips for a Secure & Compliant 2017 blog series, we zoom in on the all important area of compliance and risk monitoring, a key element of any comprehensive security program.
IT compliance and risk managers don’t have it easy. You face an increasingly complex regulatory landscape, constantly evolving industry standards and a technology environment that’s changing at a dizzying pace. It falls on your shoulders to make sure your organizations follow rules, regulations, laws, standards and practices in areas of IT across all business functions.
In this post, we’ll offer tips 5 – 7 on our list, to help you:
Ensure internal and external IT compliance
Assess procedural and technical controls among vendors to reduce the risk of doing business with them
Comply with the Payment Card Industry Data Security Standard (PCI DSS)
A new year has started, giving InfoSec professionals the perfect opportunity to evaluate what’s working and what’s not in their organizations, and, filled with that early-January optimism, set out to do better.
In that spirit of improvement and renewal, Qualys is kicking off today a blog series that outlines helpful tips — not just flimsy resolutions — for ensuring data security and compliance throughout the year.
In this initial post, we’ll discuss the first three of the Qualys Top 10 Tips for a Secure & Compliant 2017, addressing the importance of IT asset visibility, proper management of vulnerabilities, and continuous monitoring.
When Office Depot went looking for a new vulnerability management system, it picked Qualys’ for several reasons, including the variety and capabilities of its application programming interfaces (APIs). This was the topic of a recent talk by Office Depot Director of Global Information Security Jon Scheidell.
Since deploying Qualys Vulnerability Management (VM) about three years ago, the office supply chain has made ample and effective use of Qualys APIs in ways that have helped improve its overall security posture and its business operations.
“They’re one of the security vendors that does a better job of not only creating APIs for different features but also documenting them very, very well,” Scheidell said during a recent presentation at the Black Hat USA 2016 conference.
Qualys has always prioritized the extensibility of its platform via APIs, starting in the early 2000s with the release of its first product, and it has intensified its API efforts in the last four or five years.
Organizations worldwide have expanded and sharpened their continuous monitoring (CM) programs over the past year, but their adoption of this key set of security practices remains far from perfect.
That’s the main finding from the SANS Institute’s second annual survey on CM programs titled “Reducing Attack Surface” and published Nov. 2016.
Despite tangible improvements, CM “still has a way to go to attain the maturity needed to become a critical part of an organization’s business strategy,” reads the study, which polled almost 300 Infosec and IT pros actively involved in vulnerability assessment and remediation.
Today in London, to kick off the week of Infosecurity Europe, Qualys and FireMon announced the integration of QualysGuard Vulnerability Management (VM) and FireMon Security Manager with Risk Analyzer in FireMon’s upcoming Version 7.0 release. The integration enables customers to analyze their security postures across large network security infrastructures, evaluate remediation efforts through attack simulation, and see the impact of their actions to reduce risk and meet compliance regulations.
With the integration, FireMon Security Manager with Risk Analyzer is automatically updated with the latest QualysGuard VM scan results. Combined with Security Manager’s real-time network configuration and topology knowledge, it identifies exactly which assets on the network are truly at risk and which should be remediated first to reduce the greatest amount of risk.
Jody Brazil, President and CTO of FireMon commented: “The integrated FireMon Security Manager with Risk Analyzer and QualysGuard Vulnerability Management solution empowers IT Security organizations to automate the identification of assets that are truly at risk, and to know their network risk posture is always updated in real-time. This enables customers to move to a risk-centric security operations model that enables them to proactively identify and patch or make unreachable important assets that could be exploited before attackers do."
Qualys today announced that for the sixth time, readers of SC Magazine have named QualysGuard Vulnerability Management “Best Vulnerability Management Tool." The award was presented on February 26, 2013 at the SC Awards Gala in San Francisco.
“Our readers are on the front lines of information security, and they have recognized QualysGuard Vulnerability Management as a key tool for securing their organizations,” said Illena Armstrong, VP of editorial, SCMagazine. “Without leaders in innovation like Qualys, we would not be able to plan for the future of enterprise security.”
The SC Awards, now in its 16th year, is the premier recognition for IT security professionals and products that fend off the myriad security threats in today’s corporate world. The annual awards showcase the best solutions, services and professionals while recognizing achievement and technical excellence. QualysGuard Vulnerability Management was selected by a panel representing a cross-section of SC Magazine readership, comprised of large, medium and small enterprises from all major vertical markets, including financial services, health care, government, retail, education and other sectors. Read the full announcement.
The Terminator exposed it, the DARPA Grand Challenge rewards it, and Selenium puts its future in your hands. "It" is man versus machine… well, sort of. With Selenium, you are in control. Why link Selenium to the Terminator? Because it is that powerful.
As explained in the blog post above, Selenium scripts are often used to automate complex web app interactions such as authentication when scanning them via QualysGuard Web Application Scanning. Here we introduce a different use-case where we automate a QualysGuard subscriber’s interaction with the QualysGuard Vulnerability Management user interface, in order to demonstrate a best practice and make it easy to adopt — simply by running a Selenium script.
Make it happen
In a previous blog post about customizing Scorecard Reports, a fellow community member came up with a pretty good list of criteria for vulnerabilities to watch out for. Let’s take a closer look at creating a dynamic search list tailored to externally facing hosts. For such hosts, an initial starting point for discovering their "worst of the worst" vulnerabilities are those with the following criteria:
Remote (no authentication necessary) vulnerability.
Associated with a penetration testing toolkit (such as CORE or Exploit-DB).
Confirmed, severity 5 (easy segue to "game over").
Now I can show you screen shots of how to create this, but it’s so much easier to just create a Selenium script — by the way, it’s easier for you to run the script, too!
Open Firefox, log in to QualysGuard. While in QualysGuard, make sure you do not already have a search list with the name, "Remote exploit-available confirmed sev5 (Selenium)", or the script will error out.
From Firefox, Tools menu –> Selenium IDE
From Selenium IDE, File –> Open –> Open test case –> "create/Selenium test case, QualysGuard, create dynamic search list – remote exploit-available confirmed sev5.html". Check out the source, it is commented so you can see how it breaks apart building the search list.
Optional step. The script works at any speed, but if you would like to actually watch it work, I recommend slowing the execution down. Drag the speed bar from Fast to Slow so it’s easier to follow the script.
We are ready to run the script, also known as a test case in Selenium. Click on the "Play current test case" button. (Note this will play the test case that is shown in the right column under "Table | Source".)
Congratulations! You now have the dynamic search list we architected from our example. It’s called "Remote exploit-available confirmed sev5 (Selenium)".
You should see the dynamic search list under the "Search Lists" subtab (blue bar).
Note the criteria are optimized for externally facing hosts, as we described above:
Make it actionable
Pretty neat stuff, huh? But a search list on its own is not the most useful. Let’s create a report template that builds on it. Scratch that, let’s automate building of a report template that uses it.
Make sure you are still logged into QualysGuard inside of Firefox.
The test case creates a report template named "Remote exploit-available confirmed sev5 (Selenium)". So you want to make sure you do not already have a report template with the same name.
Load up the test case ("create/Selenium test case, QualysGuard, create report – remote exploit-available confirmed sev5.html") in the Selenium IDE. Check out the source, it is commented to explain how it accomplishes building the report.
Run it! It works at any speed.
After the test case completes, you will have a report template that uses the dynamic search list we just created.
Note the template filters against the search list we just created:
Make it easy
Now that we have built individual test cases for creating a search list and a report template, let’s merge them into one step. Rather than copying and pasting the rows from one script into another, the Selenium IDE offers a much cleaner way via test suites.
A test suite groups test cases while keeping them separate: each test case stays visible for troubleshooting on its own, and the suite runs as a single unit from the user’s point of view. When we want to run a test suite, we click a different button in the Selenium IDE:
Let’s get started on running one together.
Confirm you are still logged into QualysGuard.
Before we recreate the report template and search list, we will need to delete the existing ones, as QualysGuard requires unique names for each. You can either delete them manually, or run the test suite, "Selenium test suite, QualysGuard, delete remote exploit-available confirmed sev5 report.html" that does it for you — try it, it’s not just for the lazy! Remember to click on the play button with multiple lines to its right, and it will delete both the report template and the search list.
Open the test suite, "Selenium test suite, QualysGuard, create remote exploit-available confirmed sev5 report" that combines the above test cases.
Run the entire suite. It will start to create the search list from the first test case, and then automatically progress to create the report template from the second test case.
Congrats! You now have both a search list and report template. Easy, huh?
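To show how the two test cases and the suite fit together as files, here is an added example (not part of the original post and not the scripts it links): a small Python tool that reads the (command, target, value) rows from a Selenium IDE test case in its HTML table format, builds the suite table that chains test cases in order, and flags any name a script types that already exists in the subscription, which is the condition under which the scripts above error out. The sample test case and its locators are constructed placeholders, not QualysGuard’s real page paths or element ids.

```python
from html.parser import HTMLParser
from html import escape

class SeleneseParser(HTMLParser):
    """Collect (command, target, value) rows from a Selenium IDE test case table."""
    def __init__(self):
        super().__init__()
        self.rows, self._row, self._cell = [], [], ""
        self._in_td = self._in_tbody = False
    def handle_starttag(self, tag, attrs):
        if tag == "tbody": self._in_tbody = True          # thead holds only the case name
        elif tag == "tr" and self._in_tbody: self._row = []
        elif tag == "td" and self._in_tbody: self._in_td, self._cell = True, ""
    def handle_endtag(self, tag):
        if tag == "td" and self._in_td:
            self._row.append(self._cell.strip()); self._in_td = False
        elif tag == "tr" and self._in_tbody and len(self._row) == 3:
            self.rows.append(tuple(self._row))           # one Selenese command per row
        elif tag == "tbody": self._in_tbody = False
    def handle_data(self, data):
        if self._in_td: self._cell += data

def parse_test_case(html_text):
    p = SeleneseParser(); p.feed(html_text); return p.rows

def conflicting_names(rows, existing_names):
    """Names the script will 'type' into a title field that already exist (script would fail)."""
    typed = {value for cmd, target, value in rows if cmd == "type" and "title" in target}
    return sorted(typed & set(existing_names))

def build_test_suite(name, case_files):
    """Emit the Selenium IDE suite table that runs the linked test cases in order."""
    links = "\n".join(f'<tr><td><a href="{escape(f)}">{escape(f.rsplit(".", 1)[0])}</a></td></tr>'
                      for f in case_files)
    return (f'<table id="suiteTable" cellpadding="1" cellspacing="1" border="1" class="selenium"><tbody>\n'
            f'<tr><td><b>{escape(name)}</b></td></tr>\n{links}\n</tbody></table>')

# Constructed sample test case; paths and element ids are placeholders, not real QualysGuard locators.
SAMPLE_CASE = """<html><body><table cellpadding="1" cellspacing="1" border="1">
<thead><tr><td rowspan="1" colspan="3">create search list</td></tr></thead>
<tbody>
<tr><td>open</td><td>/placeholder/search-lists</td><td></td></tr>
<tr><td>clickAndWait</td><td>link=New</td><td></td></tr>
<tr><td>type</td><td>id=placeholder_title</td><td>Remote exploit-available confirmed sev5 (Selenium)</td></tr>
<tr><td>click</td><td>id=placeholder_severity5</td><td></td></tr>
</tbody></table></body></html>"""

if __name__ == "__main__":
    rows = parse_test_case(SAMPLE_CASE)
    print(conflicting_names(rows, ["Remote exploit-available confirmed sev5 (Selenium)"]))
    print(build_test_suite("create report", ["search_list.html", "report_template.html"]))
```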
Make yours the next big hit
Now that we are able to create search lists and report templates associated with those search lists in one simple step, what’s next? Collaborate! Share your favorite search list, or report template, or both. Feel free to comment the criteria, or QIDs (one can also automate creation of static search lists, too).
If you are feeling ambitious, and want to create Selenium scripts of these reports, feel free to modify the ones we demoed. I am here to help if you have questions, just comment on this post. To get things started, I shared one more test suite that you may find useful (great for creating policies in Remediation):
You can find the above script (and more to come!) by searching for the tag, selenium_script. Help us grow QualysGuard automation by contributing! If you need help or have a request, just comment on this post… I’ll be back.