Qualys Blog

Using QualysGuard 7.0: iDefense Threat Intelligence and Zero-Day Risk Analyzer

Vulnerability Management has always been defined by scanning assets for known vulnerabilities, applying the required patches, and then repeating the cycle.  Over the past few years, however, there has been an increasing threat from zero-day vulnerabilities:  threats that exploit vulnerabilities that are unknown to the software developer, and thus don’t have associated patches.  These new threats pose a major risk and have been very difficult to deal with using traditional vulnerability management tools.

I’m pleased to announce that QualysGuard 7.0 adds the new iDefense Threat Intelligence Module and Zero-Day Risk Analyzer in order to help customers proactively assess the risk of emerging zero-day threats in their environment.  This provides a few key abilities to QualysGuard users:

  • Exclusive coverage and analysis of emerging zero-day threats provided by iDefense
  • Customizable alerting and notification of new threats and their impact on your environment
  • Predictive analysis of the threat in your environment without the need to perform new scanning

Let’s review how each of these items is implemented.

iDefense Threat Intelligence

Once the iDefense Threat Intelligence Module has been purchased and activated, a user with the Manager role in your subscription should be used to log in.  You will see a new tab in the KnowledgeBase workflow:  iDefense Intelligence.  Navigating to this tab will lead to a prompt to activate and configure both the New data security model and iDefense Notifications.

Both steps are optional but recommended in order to get the full value of the iDefense Threat Intelligence module.

  • New data security model:  By enabling this, the Zero-Day risk analyzer will be enabled to make predictions about the impact of new zero-day vulnerabilities based on previous scan results (discussed below).  Activating this also allows your subscription to take advantage of scheduled reporting and participate in the Asset Tagging beta program.
  • Manage Notifications:  Due to the sensitivity of the data contained, only Managers can configure email alerts to be sent.  Different types of alerting are available and can be configured on a per-user basis; this is explained in more detail in the next section.

Once the initial configuration is complete, you’ll be greeted with the iDefense Intelligence datalist.

There are four important items to see:

  1. iDefense Identifier and Title:  The iDefense Document ID and description of the vulnerability are displayed here.  Many entries may indicate "iDefense Exclusive" – these are items that are only available from the research team at iDefense, and are not publicly known.
  2. CVSS Score and Publication Date:  CVSS helps you determine the severity of the vulnerability; you can sort vulnerabilities by the publication date in order to see the newest items.  Vulnerabilities published in the last week are also marked with "New" next to the Document ID.
  3. Prediction Details:  Clicking on a row displays the prediction details.  "Predictable" indicates that a vulnerability can be evaluated by the Zero-Day Risk Analyzer, and a count of the assets at risk will be displayed here.
  4. % at Risk:  This shows the percentage of assets in your environment that the Zero-Day Risk Analyzer has predicted to be impacted.

Additionally, right-clicking on an entry allows you to either view the Threat Report from the Zero-Day Risk Analyzer (detailed below) or see the detailed analysis from iDefense about the vulnerability.

Customizable Alerts

Managers can configure email alerts to be sent for new iDefense publications by using the iDefense Notifications selection in the Setup portion of the KnowledgeBase workflow.

For each entry you configure the following:

  • User:  Any defined QualysGuard user in your subscription can be chosen.
  • Email Type:  Either ASCII (Text) or HTML notifications can be used.  The contents of the message are identical.
  • Show Details:  If chosen, each new zero-day vulnerability published will be listed individually.  If show details is not selected then only a general statement ("New vulnerabilities have been published") will be emailed; users must log in to see the specifics.
  • Show Risk %:  If "Show Details" is chosen then this will be available; it will show the percentage of systems in your environment that have been predicted to be at risk to this new vulnerability based on the Zero-Day Risk Analyzer.

The most powerful type of alert is one with both "Show Details" and "Show Risk %" enabled; it provides immediate information on the risk of newly-published vulnerabilities without any need for scanning or other user intervention.

Zero-Day Risk Analyzer

The Zero-Day Risk Analyzer performs analysis for predictable vulnerabilities from the iDefense listing.  It does so by taking the most current data available for assets ("automatic data" stored in the QualysGuard database) and looking for correlation points that would indicate a vulnerability.  Here’s an example:

  1. iDefense publishes a new vulnerability for CUPS affecting a variety of OS X and Unix platforms.
  2. The Zero-Day Analyzer determines the attributes (CUPS packages, known vulnerable version numbers, operating systems, etc.) that can be used to make a prediction.
  3. The most recent scan data for each asset in your environment – whether from last night, or 3 weeks ago, or whenever – is used to determine if there is a correlation.
  4. The quality of the prediction (based on the number of matching attributes) is determined and is recorded.

The Zero-Day Risk Analyzer is accessed via the Quick Actions menu in the iDefense Datalist under the heading "Threat Report".

Once opened, this will display the Zero-Day Risk Analyzer report for the selected vulnerability.

This report displays several important items:

  1. At Risk Analysis:  This chart shows the percentage of your environment predicted to be at risk from this vulnerability.
  2. Prediction Details:  This shows the breakdown of the types of predictions made for the assets affected.  Predictions are made based on correlating existing scan data with known vulnerability attributes, and can have one of three different qualities:
       Confirmed:  For some vulnerabilities an actual scan may have been performed, and the QID detected.
       Likely:  A significant number of attributes matched, giving a high likelihood that the asset is affected.
       Potential:  Some attributes matched, so there is a possibility that the asset is at risk, but the confidence level is lower.
  3. Most Impacted Asset Groups:  The top 10 most impacted asset groups are listed in descending order, so that remediation/mitigation activities can be prioritized.
  4. Vulnerability Details:  Specific information about the vulnerability can be found here.
  5. Asset Details:  Clicking this leads to the affected asset datalist.
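To make the four correlation steps and the three prediction qualities concrete, here is a small model of the analysis in Python. It is an added example, not Qualys code: the advisory attributes, the per-asset scan records, the placeholder QID, and the thresholds that map matched attributes to "Likely" and "Potential" are all constructed assumptions.

```python
from collections import Counter

# Constructed advisory attributes (assumed shape, not iDefense's real format);
# the QID is a placeholder, not a real Qualys detection.
CUPS_ADVISORY = {
    "os_family": {"Mac OS X", "Linux"},
    "package": "cups",
    "vulnerable_versions": {"1.4.6", "1.4.8", "1.5.0"},
    "qid": 99999,
}

# Constructed "automatic data": the most recent scan result per asset,
# however old it is (age_days), as the analyzer uses whatever is on file.
SCAN_DATA = [
    {"ip": "10.0.0.1", "group": "Print Servers", "os_family": "Linux",
     "packages": {"cups": "1.4.8"}, "qids": {99999}, "age_days": 1},
    {"ip": "10.0.0.2", "group": "Print Servers", "os_family": "Linux",
     "packages": {"cups": "1.4.8"}, "qids": set(), "age_days": 21},
    {"ip": "10.0.0.3", "group": "Workstations", "os_family": "Mac OS X",
     "packages": {"cups": "1.6.1"}, "qids": set(), "age_days": 3},
    {"ip": "10.0.0.4", "group": "Workstations", "os_family": "Windows",
     "packages": {}, "qids": set(), "age_days": 2},
]

def predict(asset, adv):
    """Correlate one asset's last scan data with the advisory attributes.
    Returns "Confirmed", "Likely", "Potential", or None when not at risk."""
    if adv["qid"] in asset["qids"]:        # a real detection already exists
        return "Confirmed"
    matched = 0
    if asset["os_family"] in adv["os_family"]:
        matched += 1
    version = asset["packages"].get(adv["package"])
    if version is not None:
        matched += 1
        if version in adv["vulnerable_versions"]:
            matched += 1
    # Assumed thresholds: every attribute matched -> Likely; OS plus an
    # installed package but a non-listed version -> Potential; else no risk.
    return {3: "Likely", 2: "Potential"}.get(matched)

def threat_report(assets, adv):
    """Figures the Threat Report shows: % at risk, prediction breakdown,
    and asset groups ranked by number of affected assets (top 10)."""
    preds = {a["ip"]: predict(a, adv) for a in assets}
    hit = [a for a in assets if preds[a["ip"]]]
    return {
        "percent_at_risk": round(100.0 * len(hit) / len(assets), 1),
        "breakdown": Counter(q for q in preds.values() if q),
        "top_groups": Counter(a["group"] for a in hit).most_common(10),
    }
```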

When clicking on details you will see the affected asset datalist.

Assets are listed with identifying attributes such as IP address and host name.  The OS and software found that led to the prediction are also displayed, along with the resulting confidence level of the prediction (Confirmed, Likely, or Potential).  Assets can be sorted, filtered by asset group, and a CSV of the results can be downloaded for additional analysis.


The iDefense Threat Intelligence module and the Zero-Day Risk Analyzer provide the information that security professionals need in order to be truly proactive when dealing with emerging threats.  The iDefense Intelligence tab provides up-to-the-minute information on emerging threats, and offers customizable alerting so that your users can be informed immediately.  The Zero-Day Risk Analyzer allows you to determine the impact of the new vulnerability without having to wait for a new scan to be performed, but rather by using the extensive information you’ve already collected using QualysGuard scans.  This allows you to focus on mitigating controls and risk management, rather than scrambling to get scans of systems to determine the scope of the problem.

In the future we’ll be adding many more capabilities to the Zero-Day Risk Analyzer, including the ability to model the impact of mitigating controls (such as firewall rules to block traffic) and the ability to perform predictions on non-iDefense vulnerabilities (such as Microsoft Patch Tuesday vulnerabilities).  In the interim, we hope you find this new module to be useful, and would greatly appreciate any feedback you have on how it can be improved.

If you are interested in obtaining a trial or purchasing the iDefense Threat Intelligence module, please contact your Technical Account Manager or Qualys' Technical Support Department at support@qualys.com.

Using QualysGuard 7.0: The New UI

Starting with QualysGuard 7.0 all accounts will be converted to use the New User Interface.  This new interface is designed to make use of QualysGuard easier and more efficient by focusing on four key areas:

  • Distinct modules and grouped workflows to help accomplish key tasks
  • Dashboards to provide immediate feedback on the security and compliance of your network
  • Context-sensitive menus and integrated dialogs to provide direct and relevant actions

Let’s review how each of these items is implemented.

The Module Picker

In the upper-left hand corner of the UI you’ll find the module picker, which allows you to access the specific functionality you’re looking for.

Several modules may be displayed depending on what is enabled for your subscription:  VM (my personal favorite), PC/FDCC, WAS, ASSET, MDS, and others.  Choosing a module changes the context of the rest of the UI.  For example, when working in the Vulnerability Management context the workflows shown are those for that module.

Switch to Policy Compliance and the workflows adjust accordingly.

The Module Picker allows you to focus on the tasks at hand – performing vulnerability scans, creating policies for Unix systems, or reviewing Malware statistics – without the distraction of menus or icons that aren’t relevant.

Grouped Workflows

Grouped workflows organize the various features of QualysGuard into related units so that you have easy access to all the functions necessary to perform a task.  For Vulnerability Management there are seven workflows:

Dashboard:  This displays a high-level overview of the number of vulnerabilities in your environment (see below for more details).

Scans:  All the activities required for provisioning scanner appliances, creating authentication records, and scheduling and launching new maps and scans.

Reports: All the activities required for creating customized reports of scan data.

Remediation:  Management of ticketing policies and reviewing/editing/resolving individual tickets.

Assets:  Functions to manage asset groups, lists of individual assets/virtual hosts/domains, and the ability to search for assets meeting specific criteria.

KnowledgeBase:  List of all current detections, iDefense Threat Intelligence information, and search list management.

Users:  All the activities required to provision new users, assign them to business units, and review their recent activities.

As new capabilities are added to QualysGuard you’ll see more entries under each workflow, and we may add additional workflows as well.


Dashboards

New Dashboards provide a high-level overview of the state of your network, the most common issues found, recent and upcoming scans, and recently generated reports.  The Vulnerability Management Dashboard presents these items for your vulnerability scan data.

The Policy Compliance Dashboard is similar, but provides additional abilities to drill down into specific policies to find trends and problem areas.

You’ll notice in the Welcome to 7.0 message that there is a one-click way to make these dashboards your default home page; you can also change this yourself by choosing the "Homepage" option.

Context-Sensitive Menus and Integrated Dialogs

New "Quick Actions" items are available in every datalist in order to allow you immediate access to common tasks.  In the scanning datalist, for example, you can quickly view the results, relaunch the scan, download the file, and more.

Many dialog boxes that used to be pop-up windows have also been converted into modal windows so that you don’t have to hunt through a pile of QualysGuard windows to find the ones dealing with the task you’re trying to accomplish.  For example, the "Info" quick action on Option Profiles now launches a modal window with start-to-finish navigation tabs listed on the left-hand side.

If you prefer to have the information in its own window then you can click on the "Pop-out" button in the upper right corner.


We’ve worked hard to modernize the QualysGuard user interface in a way that’s more intuitive, more efficient for performing tasks, and more flexible for a variety of different types of users.  We’ve had many comments and suggestions from customers, and have made over 150 changes to the interface based on those suggestions; we’d love to hear more about how we can continue to make it better.  Please contact your Technical Account Manager, Qualys' Technical Support Department at support@qualys.com, or make a posting here or in the New User Interface portion of our community with your thoughts and suggestions.