Introducing QualysGuard Dynamic Asset Tagging and Management

Sean Molloy

Last updated on: December 21, 2022

Asset management and scanning complement and reinforce each other. It’s a case where the whole is greater than the sum of the parts.


Scanning tools can deliver an accurate, automated inventory of assets in near real-time as a side effect of their scans. Likewise, a complete inventory of assets provides insight into their metadata and organization, which leads to better security decisions. Newly added features in QualysGuard extend its asset management capabilities to include both statically and dynamically categorized assets. These new features make it easier to get precise views into the security posture of different aspects of a complex IT environment, and they give IT managers consistently up-to-date data about the systems in their environments.

Why Asset Management Is Important

Asset management is key to security because of the number, variety and dynamic nature of assets. A company with 5,000 employees may have more than 20,000 IT assets. Mobile devices, laptops and other BYOD devices configured by end users may not comply with corporate configuration policies. Mobile devices, cloud-based applications, virtualization and remote workers add complexity and volatility, so inventory and configuration snapshots of these devices quickly become obsolete. With more and more employees using multiple IT assets, it is easy to see how inventories can change and grow quickly and in unexpected ways. Add to this the geographical distribution of buildings, offices and data centers across the globe. A complete picture of assets also requires an understanding of business ownership: the structure of the organization, who owns the assets or has access to them, and details such as their configurations, their status and their serial numbers.

Only with a clear view of assets can they be managed and secured.

Tagging

So where does tagging fit in? If the scan is already collecting the configuration data from the systems, why do you need tagging?

Simple answer: Tagging gives you flexibility to organize your assets in multiple ways simultaneously.

Many aspects of an asset, both technical and nontechnical, need to be reflected in the way your assets are organized. Entering and tracking such information manually on each asset will not scale in large enterprise environments. What is needed is a more flexible labeling system that can apply one or more labels to assets automatically, using rules. We refer to these labels as tags; they can be used to organize, search and prioritize assets across all QualysGuard solutions, such as Vulnerability Management, Web Application Scanning, Policy Compliance and Malware Detection Service.

The hierarchical tag organization can be understood best as a set of folders and subfolders, like you may have seen many times in a Windows folder “tree” structure. One of the big differences is that an asset may have many tags on it, which (using the folder analogy) means an asset can be in several folders at once. If your business has two or three or ten ways to group its assets, you don’t have to pick one, you can have all 10 at once.

Since tags can be nested inside other tags, the manual work of managing rollup groups is eliminated. This association is very useful when managing large sets of assets, and provides a cohesive, common foundation for other solutions such as compliance scans. Avoiding manual work when altering the groupings is another benefit: a simple reorganization of the tags (using drag & drop) is all you need to create new or altered groupings of your assets.

Applying Tags


In the simplest case, tags are applied manually: a static tag can be placed on an asset to record almost any description.

More powerful are automated tag rules, which tag an asset when it matches certain criteria: an IP address range, an operating system, installed software, and so on.

Finally, for more advanced users, rules can be combined with logic to zero in very accurately. For example, you may want to identify all assets in a selected IP range running Windows 2000, based in Asia and having an Adobe product installed; or all Windows clients in your call centers; or all mail servers. Rules like these save a huge amount of manual work and give the organization more confidence in the accuracy of its asset inventory and overall compliance posture.

When you scan the next time, tags are re-evaluated and updated automatically to reflect the latest scan data.

Advanced Techniques

A rule-based tagging capability enables the assets to reflect the true organizational structure across businesses, geographies and technologies in an automated way. Static, dynamic and advanced rules can be applied to very specific assets in an accurate manner. Some of the more advanced users can even use a scripting language (Groovy Scripts) to pinpoint specific assets for action.

For example, you may want to know whether a host has been scanned for the first time, i.e. if it is newly discovered. A Groovy scriptlet could be written to evaluate this case and automatically tag those assets.
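The tag tree, rule logic, re-evaluation after every scan and the "newly discovered" case described above, modelled in plain Python. This is an added example and not Qualys code; it is not the QualysGuard tag-rule or Groovy scriptlet API, and the Asset fields, the rule helper names, the Tag class and the sample scan results are all assumptions made for the illustration. It also builds a rule from a running-services document in the TAG_CRITERIA XML shape (the element names are taken from that format; the matching semantics are assumed), and shows how nested tags roll up and how any/all/none tag combinations scope a scan or report.

```python
# Added example: rule-based (dynamic) asset tagging over a nested tag tree.
# Asset fields, rule helpers and the Tag class are assumptions for this
# illustration, not the QualysGuard API or its Groovy scriptlet interface.
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Asset:
    ip: str
    os: str = ""
    region: str = ""
    software: frozenset = frozenset()
    services: frozenset = frozenset()
    scans_seen: int = 0   # number of scans that have reported this host

# Rule building blocks: each returns a callable(asset) -> bool.
def in_range(cidr):
    net = ip_network(cidr)
    return lambda a: ip_address(a.ip) in net
def os_matches(pattern):
    rx = re.compile(pattern, re.I)
    return lambda a: bool(rx.search(a.os))
def has_software(name):
    return lambda a: any(name.lower() in s.lower() for s in a.software)
def region_is(region):
    return lambda a: a.region == region
def newly_discovered():
    return lambda a: a.scans_seen == 1   # the latest scan is the first to report it
def all_of(*rules): return lambda a: all(r(a) for r in rules)
def any_of(*rules): return lambda a: any(r(a) for r in rules)
def not_(rule):     return lambda a: not rule(a)

def running_services_rule(tag_criteria_xml):
    """Rule from a <TAG_CRITERIA><RUNNING_SERVICES> document. Assumed semantics:
    match when any listed name equals (ignoring case) a service seen running."""
    root = ET.fromstring(tag_criteria_xml)
    wanted = {s.text.strip().lower() for s in root.iter("SERVICE") if s.text}
    return lambda a: any(s.lower() in wanted for s in a.services)

@dataclass
class Tag:
    name: str
    rule: object = None                        # None -> static (manual) tag
    members: set = field(default_factory=set)  # hand-applied IPs (static tags)
    children: list = field(default_factory=list)

    def sub(self, name, rule=None):
        child = Tag(name, rule)
        self.children.append(child)
        return child

def evaluate(tag, assets):
    """Re-evaluate the tree against the latest scan; returns {tag: set of IPs}.
    A parent holds its own matches plus everything below it (automatic roll-up)."""
    own = set(tag.members) if tag.rule is None else {a.ip for a in assets if tag.rule(a)}
    result = {}
    for child in tag.children:
        result.update(evaluate(child, assets))
        own |= result[child.name]
    result[tag.name] = own
    return result

def find_assets(tagged, any_tags=(), all_tags=(), none_tags=()):
    """Scope a scan or report: any = union, all = intersection, none = exclusion."""
    picked = set().union(*(tagged[t] for t in any_tags)) if any_tags else set().union(*tagged.values())
    for t in all_tags:
        picked &= tagged[t]
    for t in none_tags:
        picked -= tagged[t]
    return picked

# Constructed sample data, not real inventory.
ORACLE_XML = """<TAG_CRITERIA><RUNNING_SERVICES>
<SERVICE>oracle</SERVICE><SERVICE>ORACLE_RMI</SERVICE>
</RUNNING_SERVICES></TAG_CRITERIA>"""

def build_tree():
    root = Tag("Assets")
    asia = root.sub("Asia", region_is("APAC"))
    asia.sub("Win2000 with Adobe", all_of(in_range("10.1.0.0/16"),
                                          os_matches(r"Windows 2000"),
                                          has_software("Adobe")))
    root.sub("Database servers").sub("Oracle", running_services_rule(ORACLE_XML))
    root.sub("Newly discovered", newly_discovered())
    root.sub("Call centers").members.add("10.1.5.9")   # static tag, applied by hand
    return root

def run_scans():
    """Two successive scans; the tree is re-evaluated from each scan's own data."""
    adobe = frozenset({"Adobe Reader"})
    scan1 = [Asset("10.1.5.9", "Windows 2000 SP4", "APAC", adobe, scans_seen=1),
             Asset("10.2.0.3", "Linux 2.6", "EMEA", services=frozenset({"oracle"}), scans_seen=1)]
    scan2 = [Asset("10.1.5.9", "Windows 7", "APAC", adobe, scans_seen=2),       # OS upgraded
             Asset("10.2.0.3", "Linux 2.6", "EMEA", services=frozenset({"oracle"}), scans_seen=2),
             Asset("10.3.1.1", "Linux 3.2", "EMEA", services=frozenset({"ORACLE_RMI"}), scans_seen=1)]
    tree = build_tree()
    return evaluate(tree, scan1), evaluate(tree, scan2)

if __name__ == "__main__":
    print({k: sorted(v) for k, v in run_scans()[1].items()})
```

After the second scan the "Win2000 with Adobe" tag empties because the host was upgraded, "Newly discovered" moves from the two original hosts to the one host first seen in that scan, and the "Oracle" tag picks up the new host through the running-services rule; none of that needed a manual change to the tree.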

Extending Tags Beyond Scans

Once the automatic rules are in place, the Asset Management and Dynamic Tagging module becomes a powerful platform for other solutions. For example, we can launch a scan targeting specific tags, such as a particular operating system. A vulnerability report can be run against hosts with specific software installed. Searches can locate web applications with specific vulnerabilities. The real power of a highly automated and accurate Asset Management and Dynamic Tagging module is its tight integration with other security and compliance solutions. The functionality is built into the core of the QualysGuard Cloud Suite and is integrated into each of the solutions it provides, for a common, integrated approach.

Operating at Scale

In the real world, a key success factor is the ability to operate at scale in rapidly changing environments. The fundamentals of the QualysGuard scanning architecture are critical for operating at scale.

The QualysGuard Asset Management and Dynamic Tagging Cloud Platform has been specifically architected to scale across millions of assets. The module takes advantage of the rich data collected by the Vulnerability Management scan to build a near-real-time, comprehensive asset database. These assets are then assigned tags to allow better organization and enable other solutions.

Unless you have a scalable scanning architecture with a cloud-based management infrastructure separated from the physical scanning resources, scanning all hosts can take weeks if not months.

Built correctly, a network scanning platform can be an ideal vehicle to perform discovery of IT assets, web applications and network infrastructure. A more sophisticated authenticated scan of your assets can access and store a wealth of useful information; just a few examples being: inventory of software installed, detailed hardware specifications, local configuration settings, security policies, registry settings and more.

QualysGuard uses agentless scanning, where no software needs to be installed and maintained on target (scanned) systems in the environment. It’s very scalable, and can provide inventory scans of thousands of assets in a short time period. It’s also a good way to catch new assets as they enter the environment.

A scanning program that works at scale is the foundation. Not only does it provide security information such as vulnerabilities or variance from configuration standards, but it can also collect detailed information about these assets.

Future Direction

The Asset Management solution of the future is able to keep a continuous inventory of assets from many different internal and external sources, tag them and organize them into well-defined groupings (which, for example, could represent business units, geographies and technologies, or all of the above) in one central place. Although scanning using the QualysGuard Cloud Suite provides good visibility and inventory of the assets in your business, there will be other more direct sources that can provide asset information. This could be an Active Directory Service (Microsoft), APIs from leading virtualization systems such as VMware, or the cloud APIs from Amazon EC2, or 3rd-party asset repositories or tracking software. Regardless of the source, they would all come together to be reconciled, organized and managed in one place. This would form the foundation of a powerful platform that is able to service multiple security and compliance solutions, and flex to the needs of many teams across the enterprise.

To activate Asset Tagging and Management in your QualysGuard Subscription, see Asset Tagging, Part 1: Activating

Technical Resources:

Quick Start Guide (pdf)

Tutorial

Comments (13)

  1. Very useful feature.

    Attempted to create a tag in the VM Asset Search based on running services; the following error was displayed:

    Error!

    Asset Tag

    An error occurred while creating the asset tag.

    The online help indicates "the new tag appears in your tag tree as a sub-tag below the "Assets Search tags" parent tag". In fact the tag tree did not contain the latter tag, added it but did not make a difference.

    Has anyone attempted the above successfully? Any advice?

    1. Hi ibsloan,

      I have done this successfully in the past, and just tested it again. Can you try this again and if it’s still not working can you please check your browser security settings, and make sure the https://portal.qualys.com address is whitelisted. Depending on how many add-ons you have it may also be necessary to try the action with them disabled, as I have seen some issues, but these are very remote. If you still get an error while trying to create a TAG from the Asset Search please open a Support Ticket so we can do some troubleshooting.

      Here are some of the things I noticed when I successfully created the TAG.

      I did notice it will take some time for all the assets to be tagged, so the TAG may not show anything for a while. If you want quicker results you can force it to look for hosts by editing the TAG. Go into the "Tag Rule" tab and click on the check box "Re-evaluate rule on save", then save the Tag. This will force it to look for the hosts that match your Tag. This can take some time depending on how many hosts you have but should speed up the process.

      Come back and check your TAG after about 10 mins. To check it I click on the TAGS tab and from the "Quick Actions" menu for that TAG I choose "Find assets".

      I hope this helps.

      Mike

        1. Hi Sean,

          Thank you, now the tag is created because the parent tag "Asset Search Tags" appeared in the tag tree. (EU platform)

          But it is not working as expected. "Tested Applicability" on one server which appears in the Search Report for the same criteria, and had the following error:

               An error occurred while trying to test the tag rule. Make sure your rule is valid. An error has occurred

          The rule is for assets running any oracle service.

          <?xml version="1.0" encoding="UTF-8"?>
          <TAG_CRITERIA>
            <RUNNING_SERVICES>
              <SERVICE>oracle</SERVICE>
              <SERVICE>Oracle WebLogic Server Node Manager</SERVICE>
              <SERVICE>oracle-mts</SERVICE>
              <SERVICE>Oracle_Express_Server</SERVICE>
              <SERVICE>Oracle_Express_Server_xsagent</SERVICE>
              <SERVICE>Oracle_Express_Server_xsdaemon</SERVICE>
              <SERVICE>oracle_intelligent_agent</SERVICE>
              <SERVICE>ORACLE_RMI</SERVICE>
            </RUNNING_SERVICES>
          </TAG_CRITERIA>

  2. Hi,

    I need to see more granularity in reports, with s/w installed, operating systems etc.
    For this I created dynamic tags for the same w.r.t. their IP ranges.

    My question is:
    Will I run a report with the same created tags or something else?

    Here I’m giving more clarification:
    I am trying to know about reports w.r.t. dynamic tags as mentioned above.

    Please help me if possible.

    1. Hi Romit,

      I’m not quite sure what you are asking; perhaps you could provide more detail about what you are trying to achieve. In general you will use one or more tags to determine the assets that are included in your report. Tags can be combined with “or”, “and” and “not” functions: “or” or “and” by selecting either “any” or “all” from the drop-down box, and “not” by putting tags in the second field.

      For a much higher degree of accuracy w.r.t. OS detection, and of course full software inventory, make sure you are using authenticated scanning or Qualys Cloud Agent.