Qualys Blog


Using QualysGuard 7.0: iDefense Threat Intelligence and Zero-Day Risk Analyzer

Vulnerability Management has always been defined by scanning assets for known vulnerabilities, applying the required patches, and then repeating the cycle.  Over the past few years, however, there has been an increasing threat from zero-day vulnerabilities: attacks that exploit vulnerabilities unknown to the software developer, and which therefore have no associated patches.  These threats pose a major risk and have been very difficult to address with traditional vulnerability management tools.

I’m pleased to announce that QualysGuard 7.0 adds the new iDefense Threat Intelligence Module and Zero-Day Risk Analyzer in order to help customers proactively assess the risk of emerging zero-day threats in their environment.  This provides a few key abilities to QualysGuard users:

  • Exclusive coverage and analysis of emerging zero-day threats provided by iDefense
  • Customizable alerting and notification of new threats and their impact on your environment
  • Predictive analysis of the threat in your environment without the need to perform new scans

Let’s review how each of these items is implemented.

iDefense Threat Intelligence

Once the iDefense Threat Intelligence Module has been purchased and activated, log in with a user that has the Manager role in your subscription.  You will see a new tab in the KnowledgeBase workflow:  iDefense Intelligence.  Navigating to this tab leads to a prompt to activate and configure both the New data security model and iDefense Notifications.


Both steps are optional but recommended in order to get the full value of the iDefense Threat Intelligence module.

  • New data security model:  Enabling this allows the Zero-Day Risk Analyzer to make predictions about the impact of new zero-day vulnerabilities based on previous scan results (discussed below).  Activating this also allows your subscription to take advantage of scheduled reporting and to participate in the Asset Tagging beta program.
  • Manage Notifications:  Due to the sensitivity of the data contained, only Managers can configure email alerts.  Different types of alerting are available and can be configured on a per-user basis; this is explained in more detail in the next section.

Once the initial configuration is complete, you’ll be greeted with the iDefense Intelligence datalist.


There are four important items to see:

  1. iDefense Identifier and Title:  The iDefense Document ID and description of the vulnerability are displayed here.  Many entries may indicate "iDefense Exclusive" – these are items that are only available from the research team at iDefense, and are not publicly known.
  2. CVSS Score and Publication Date:  CVSS helps you determine the severity of the vulnerability; you can sort vulnerabilities by the publication date in order to see the newest items.  Vulnerabilities published in the last week are also marked with "New" next to the Document ID.
  3. Prediction Details:  Clicking on a row displays the prediction details.  "Predictable" indicates that a vulnerability can be evaluated by the Zero-Day Risk Analyzer, and a count of the assets at risk will be displayed here.
  4. % at Risk:  This shows the percentage of assets in your environment that the Zero-Day Risk Analyzer has predicted to be impacted.

Additionally, right-clicking on an entry allows you to either view the Threat Report from the Zero-Day Risk Analyzer (detailed below) or see the detailed analysis from iDefense about the vulnerability.


Customizable Alerts

Managers can configure email alerts to be sent for new iDefense publications by using the iDefense Notifications selection in the Setup portion of the KnowledgeBase workflow, which displays the notification settings screen.


For each entry you configure the following:

  • User:  Any defined QualysGuard user in your subscription can be chosen.
  • Email Type:  Either ASCII (Text) or HTML notifications can be used.  The contents of the message are identical.
  • Show Details:  If chosen, each new zero-day vulnerability published will be listed individually.  If show details is not selected then only a general statement ("New vulnerabilities have been published") will be emailed; users must log in to see the specifics.
  • Show Risk %:  If "Show Details" is chosen then this will be available; it will show the percentage of systems in your environment that have been predicted to be at risk to this new vulnerability based on the Zero-Day Risk Analyzer.

The most powerful type of alert is one with both "Show Details" and "Show Risk %" enabled; it provides immediate information on the risk of newly-published vulnerabilities without any need for scanning or other user intervention.



Zero-Day Risk Analyzer

The Zero-Day Risk Analyzer performs analysis for predictable vulnerabilities from the iDefense listing.  It does so by taking the most current data available for assets ("automatic data" stored in the QualysGuard database) and looking for correlation points that would indicate a vulnerability.  Here’s an example:

  1. iDefense publishes a new vulnerability for CUPS affecting a variety of OS X and Unix platforms.
  2. The Zero-Day Risk Analyzer determines the attributes (CUPS packages, known vulnerable version numbers, operating systems, etc.) that can be used to make a prediction.
  3. The most recent scan data for each asset in your environment – whether from last night, or 3 weeks ago, or whenever – is used to determine if there is a correlation.
  4. The quality of the prediction (based on the number of matching attributes) is determined and is recorded.

The Zero-Day Risk Analyzer is accessed via the Quick Actions menu in the iDefense Datalist under the heading "Threat Report".

Once opened, this displays the Zero-Day Risk Analyzer report for the selected vulnerability.


This report displays several important items:

  1. At Risk Analysis:  This chart shows the percentage of your environment predicted to be at risk from this vulnerability.
  2. Prediction Details:  This shows the breakdown of the types of predictions made for the affected assets.  Predictions are made by correlating existing scan data with known vulnerability attributes, and can have one of three different qualities:
       Confirmed:  For some vulnerabilities an actual scan may already have been performed and the QID detected.
       Likely:  A significant number of attributes matched, giving a high likelihood that the asset is affected.
       Potential:  Some attributes matched, so there is a possibility that the asset is at risk, but the confidence level is lower.
  3. Most Impacted Asset Groups:  The top 10 most impacted asset groups are listed in descending order, so that remediation/mitigation activities can be prioritized.
  4. Vulnerability Details:  Specific information about the vulnerability can be found here.
  5. Asset Details:  Clicking this leads to the affected asset datalist.

Clicking on Asset Details opens the affected asset datalist.


Assets are listed with identifying attributes such as IP address and host name.  The OS and software found that led to the prediction are also displayed, along with the resulting confidence level of the prediction (Confirmed, Likely, or Potential).  Assets can be sorted and filtered by asset group, and a CSV of the results can be downloaded for additional analysis.
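As an added illustration (not Qualys code) of the correlation the Zero-Day Risk Analyzer performs for the CUPS example above, the following Python scores a set of constructed assets against a constructed advisory and produces the same kind of summary the Threat Report and asset datalist show. The advisory attributes, asset records, QID and document ID are all made up, and the rule that maps the number of matching attributes to Confirmed, Likely or Potential is an assumption, not the product's actual scoring logic.

```python
from collections import Counter

# Constructed advisory in the shape the analyzer needs: the attributes
# (package, fixed version, affected OS families) that can be correlated.
# The document ID and QID are placeholders, not real identifiers.
ADVISORY = {
    "doc_id": "IDEF-PLACEHOLDER", "qid": 999999, "package": "cups",
    "fixed_in": (1, 4, 9),                 # versions below this are affected
    "os_families": {"Linux", "Mac OS X"},
}

# Constructed "automatic data": the latest stored scan result per asset.
# A package version of None means the package was seen but not versioned.
ASSETS = [
    {"ip": "10.0.0.1", "host": "print1", "group": "Office", "os": "Linux",
     "pkgs": {"cups": (1, 4, 2)}, "qids": set()},
    {"ip": "10.0.0.2", "host": "mac1", "group": "Design", "os": "Mac OS X",
     "pkgs": {"cups": None}, "qids": set()},
    {"ip": "10.0.0.3", "host": "web1", "group": "DMZ", "os": "Linux",
     "pkgs": {"cups": (1, 5, 0)}, "qids": set()},
    {"ip": "10.0.0.4", "host": "win1", "group": "Office", "os": "Windows",
     "pkgs": {}, "qids": set()},
    {"ip": "10.0.0.5", "host": "print2", "group": "Office", "os": "Linux",
     "pkgs": {"cups": (1, 4, 2)}, "qids": {999999}},
]

def predict(asset, adv):
    """Prediction quality for one asset, or None when it is not at risk."""
    if adv["qid"] in asset["qids"]:
        return "Confirmed"                 # a real scan already detected the QID
    ver = asset["pkgs"].get(adv["package"])
    if ver is not None and ver >= adv["fixed_in"]:
        return None                        # package present but already fixed
    # Assumed rule: count OS match, package present, and vulnerable version.
    matched = (asset["os"] in adv["os_families"]) \
        + (adv["package"] in asset["pkgs"]) + (ver is not None)
    if matched == 3:
        return "Likely"                    # every attribute correlated
    return "Potential" if matched else None  # partial correlation only

def threat_report(assets, adv):
    """Summary like the Threat Report: % at risk, quality breakdown,
    most impacted asset groups, and the affected-asset rows."""
    rows = [dict(asset, prediction=predict(asset, adv)) for asset in assets]
    at_risk = [r for r in rows if r["prediction"]]
    return {
        "pct_at_risk": round(100.0 * len(at_risk) / len(assets), 1),
        "by_quality": Counter(r["prediction"] for r in at_risk),
        "top_groups": Counter(r["group"] for r in at_risk).most_common(10),
        "assets": at_risk,
    }
```

Note that an asset whose stored package version is already at or above the fixed version is excluded even though its OS matches, which is the kind of stale-data caveat worth keeping in mind when the last scan is weeks old.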

Summary


The iDefense Threat Intelligence module and the Zero-Day Risk Analyzer provide the information that security professionals need in order to be truly proactive when dealing with emerging threats.  The iDefense Intelligence tab provides up-to-the-minute information on emerging threats, and offers customizable alerting so that your users can be informed immediately.  The Zero-Day Risk Analyzer allows you to determine the impact of a new vulnerability without waiting to schedule and run a new scan, instead using the extensive information you’ve already collected with QualysGuard scans.  This allows you to focus on mitigating controls and risk management, rather than scrambling to scan systems to determine the scope of the problem.

In the future we’ll be adding many more capabilities to the Zero-Day Risk Analyzer, including the ability to model the impact of mitigating controls (such as firewall rules to block traffic) and the ability to perform predictions on non-iDefense vulnerabilities (such as Microsoft Patch Tuesday vulnerabilities).  In the interim, we hope you find this new module to be useful, and would greatly appreciate any feedback you have on how it can be improved. 

If you are interested in obtaining a trial or purchasing the iDefense Threat Intelligence module, please contact your Technical Account Manager or Qualys' Technical Support Department at support@qualys.com.
