Qualys Blog

www.qualys.com
266 posts

The Shift from Securing our Networks to Enabling the Digital Transformation of our Enterprises

It’s not yet Thursday, but attendees at Qualys Security Conference 2017 were treated to a major “throwback” as CEO and Chairman Philippe Courtot journeyed back centuries during QSC17’s opening keynote to illustrate the seismic changes of today’s digital revolution.

Courtot cited some of history’s biggest shifts, such as the development of the printing press, which dramatically accelerated the distribution of knowledge, triggering massive political and economic changes, as well as Copernicus’ heliocentric model, which upended astronomy.

The difference is that changes of that magnitude are happening much more frequently in our time, as the Internet powers developments driven by digital technologies at dizzying speeds.

Continue reading …

Qualys Cloud Suite 8.11 New Features

This new release of the Qualys Cloud Suite, version 8.11, adds several new major features including:

  • Customizable Login Banners
  • New VM features including QID Changelog View, PCAP Scanning in Express Lite subscriptions, Scanning Options, and Timestamps on IG QID’s.
  • PC improvements to File Monitoring UDC as well as Policy Compliance Reporting Options.
  • Expanded Policy Compliance platform support including Palo Alto Firewall, MongoDB, and Apache Tomcat on Windows.

Continue reading …

Qualys Policy Compliance Notification: Policy Library Update

Qualys’ library of built-in policies makes it easy to comply with the security standards and regulations that are most commonly used and adhered to. Qualys provides a wide range of policies, including many that have been certified by CIS as well as the ones based on security guidelines from vendors such as Microsoft and VMware.

In order to keep up with the latest changes in security control requirements and new technologies, Qualys publishes new content to the Policy Library every month.

This release includes the following new policies and updates:

  • New CIS Benchmarks for Amazon Linux, Apple OS X, Microsoft SQL Server, Microsoft Windows, and Ubuntu Linux
  • New DISA STIG policy for Windows Server 2016
  • New Best Practice Policies for Amazon Linux, PostGRE SQL, and HITRUST CSF
  • Several updates to existing CIS Certified benchmarks

Continue reading …

Bugcrowd Integration Now Available in Qualys Web Application Scanning

The new version of Qualys Web Application Scanning, WAS 5.7, adds an integration with Bugcrowd for centralized viewing and triaging of both WAS automated vulnerability detections and vulnerabilities submitted by Bugcrowd’s approved security researchers.

Continue reading …

QSC17 Focuses on Digital Transformation’s Challenges and Opportunities

Qualys Security Conference 2017 finds Qualys rapidly advancing in its ongoing quest to seamlessly and transparently thread security into the fabric of IT environments, and to make it essential for digital transformation.

At QSC17, happening this week in Las Vegas, Qualys executives will share how the company’s growing catalog of security and compliance apps, powered by the highly scalable Qualys Cloud Platform, can yield substantial benefits and unique advantages to our customers and partners.

Continue reading …

The Critical Security Controls: Basic Cybersecurity Hygiene for your Organization

It’s a well-known fact that most successful cyber attacks are easily preventable. That’s because the majority are neither highly sophisticated nor carefully customized.

Instead, they are of the “spray and pray” sort. They try to exploit known vulnerabilities for which patches are available, or to take advantage of weak configuration settings that IT departments could have handily and quickly hardened.

One recent and infamous example was the WannaCry ransomware, which infected 300,000-plus systems and disrupted critical operations globally in May. It spread using the EternalBlue exploit for a Windows vulnerability Microsoft had patched in March.

So why do many businesses, non-profit organizations and government agencies — including those with substantial cybersecurity resources and knowledge — continue falling prey to these largely unrefined and easy to deflect strikes?

In most cases, the main reason can be traced back to hygiene — of the cybersecurity type, of course. Just as personal hygiene practices reduce the risk of getting sick, applying cybersecurity hygiene principles goes a long way towards preventing security incidents.

That was the key message Qualys Product Management Director Tim White and SANS Institute Analyst John Pescatore delivered during the recent webcast “Automating CIS Critical Security Controls for Threat Remediation and Enhanced Compliance.”

Continue reading …

Achieve Continuous Security and Compliance with the CIS Critical Security Controls

For InfoSec pros, it’s easy to get overwhelmed by the constant noise from cybersecurity industry players — vendors, research firms, consultants, industry groups, government regulators and media outlets. A good antidote for this hyperactive chatter is to refocus on foundational InfoSec practices. That’s what SANS Institute Senior Analyst John Pescatore and I will do this week: An immersion into the Center for Internet Security’s Critical Security Controls (CSCs).

During an hour-long webcast on Sept. 28, we’ll be discussing the benefits of implementing these 20 recommended controls. Initially published in 2008, these information security best practices have been endorsed by many leading organizations and successfully adopted by thousands of InfoSec teams over the years. Now on version 6.1, the CIS CSCs map effectively to most security control frameworks, as well as regulatory and industry mandates, and are more relevant and useful than ever.

Continue reading …

SANS Institute: Hackers Paint a Bullseye on Your Employees and Endpoints

End users and their devices are right smack in the center of the battle between enterprise InfoSec teams and malicious hackers, and it’s not hard to see why.

When compromised, connected endpoints — desktops, laptops, smartphones, tablets — offer intruders major entry points into corporate networks. However, end users are also their organizations’ best threat detection tools.

That’s a key takeaway from SANS Institute’s “2017 Threat Landscape Survey: Users on the Front Line,” a report published in August and co-sponsored by Qualys.

The study, conducted in May and June, polled 263 IT and InfoSec pros from companies of all sizes and major industries such as finance, government, technology and education.

It found that most of the top intrusion methods reported by respondents sought to directly or indirectly compromise end users or their devices. Hackers’ preferred threat vectors included:

  • Email attachment or link (flagged by 74 percent of respondents)
  • Web-based drive by or download (48 percent)
  • App vulnerabilities on endpoints (30 percent)
  • Web server / web app vulnerabilities (26 percent)
  • Removable storage devices (26 percent)

Continue reading …

Qualys Cloud Platform 2.30 New Features

This release of the Qualys Cloud Platform version 2.30 includes updates and new features for Cloud Agent, EC2 Connector, Web Application Scanning, Web Application Firewall, and Security Assessment Questionnaire, highlights as follows.  (This posting has been updated on 9/6/2017 to reflect new feature capabilities in the release, as noted below.)

Continue reading …

Qualys Policy Compliance Notification: Policy Library Update

Qualys’ library of built-in policies makes it easy to comply with commonly adhered to security standards and regulations. Qualys provides a wide range of policies, including many that have been certified by CIS as well as ones based on security guidelines from vendors such as Microsoft and VMware.

In order to keep up with the latest changes in security control requirements and new technologies, Qualys publishes new content to the Policy Library monthly.

This release includes new policies and updates covering:

  • New CIS versions for Apache HTTP Server, Solaris, Microsoft Windows 2016, centOS, Microsoft IIS, Oracle Linux, and Red Hat Enterprise Linux
  • New DISA STIG policies for Red Hat Enterprise Linux and Windows 2016
  • New Security & Configuration Policies for IIS, MS SQL Server 2016
  • New Mandate mappings for CIS Critical Security Controls & First Five CIS Controls
  • Several updates to minor versions for Vendor Recommended and CIS policies

Continue reading …