In this Help Net Security interview, Kunal Modasiya, VP of Product Management and Growth at Qualys, explores the key features, significant advantages, and innovative technologies behind Qualys CyberSecurity Asset Management 3.0.
Can you explain the key features of Qualys CyberSecurity Asset Management 3.0 and how it differs from previous versions?
The modern attack surface continues to evolve, and it is becoming untenable for organizations today to rely on siloed point solutions for narrow asset discovery use cases. They often use one tool to provide snapshot data of their internet-facing assets, another that pulls unstructured data from third-party sources, and a configuration management database (CMDB) that’s never up to date.
Qualys CyberSecurity Asset Management 3.0 consolidates asset discovery and risk assessment into a single solution. The latest version extends external asset discovery with attribution, internal asset discovery with passive sensing for unmanaged or rogue devices, and third-party API connectors to integrate with existing tools. This comprehensive approach covering internal- and external-facing assets, as well as third-party applications eliminates the cyber risk from unknown assets. For instance, in one case, our customer was surprised to discover an employee’s smart toothbrush connected to the company’s network!
A key differentiator of Qualys CyberSecurity Asset Management 3.0 is in the way its External Attack Surface Management (EASM) technology works. It uses a patent-pending attribution process to pinpoint internet-facing assets that are part of an organization. This eliminates wasted effort on assets a user might not be responsible for. Additionally, a lightweight vulnerability scanner is integrated within the EASM functionality. While many EASM scanners deliver data from a snapshot in time, Qualys identifies critical vulnerabilities on external assets in real time, and often picks up vulnerabilities that other scanners miss.
Another improvement is passive sensing for IoT and rogue devices. Traditional methods might miss these unmanaged devices on a network. Our solution leverages existing Qualys agents to passively detect such devices, giving users greater visibility and control over their entire attack surface. Finally, Qualys CyberSecurity Asset Management 3.0 goes beyond vulnerabilities to account for all risk factors in our proprietary TruRisk prioritization scoring.
Now, end-of-support (EoS) software, missing security controls (such as having no endpoint detection and response (EDR) agents), risky open ports, and misconfigured or unauthorized software and services are all baked into the TruRisk Score to help cybersecurity teams automatically pinpoint the greatest risks.
What is the most significant advantage that Qualys CyberSecurity Asset Management 3.0 offers to cybersecurity teams?
CyberSecurity Asset Management 3.0 provides security teams with a strong combination of asset discovery and cyber risk assessment. This combination is perhaps most apparent in our unique EASM scanner. With this new release, customers not only discover every asset, but can attribute them to specific areas of the business, including subsidiaries and acquisitions. The patent-pending discovery technology identifies related organizations, domains and subdomains, DNS lookup, and numerous open-source technologies for a high degree of confidence. Once discovered, external assets are quickly scanned for vulnerabilities with Six-Sigma accuracy.
As a result, the Qualys Threat Research Unit (TRU) has already observed three times more critical vulnerabilities detected and a 60% reduction in irrelevant, unconfirmed vulnerabilities as compared to traditional external scanning methods, which rely on stale data snapshots. (According to Qualys TRU with anonymized customer data.)
A complete view of the external attack surface in CSAM 3.0
What are the common challenges organizations face with traditional asset discovery methods, and how does Qualys CyberSecurity Asset Management 3.0 address these issues?
A typical, outdated approach to asset discovery might look something like this: a tool that exclusively uses API-based connectors to create a foundation of an asset inventory, with a separate EASM scanner adding snapshot data of internet-facing assets.
The problem with this approach is that unstructured asset data from numerous sources requires additional resources to normalize, validate, and be included in one’s vulnerability management program. Not to mention, looking at stale data from a snapshot in time is not fully reflective of a dynamic internet, making it difficult to attribute assets accurately, which then leads to inaccurate risk assessments. Furthermore, organizations usually have blind spots on their internal networks, particularly when it comes to IoT or rogue devices.
CyberSecurity Asset Management 3.0 addresses these challenges with flexible discovery methods that cover the bases for the full spectrum of use cases. This includes scanning and sensors for IT assets, patent-pending EASM technology, monitoring of multi-cloud environments, built-in network passive sensing, and third-party connectors to enrich the asset inventory. It is the only solution in the market that combines each of these discovery methods, reducing the customer’s total cost of ownership (TCO) and eliminating the risk of unknown assets.
Can you elaborate on the importance of passive sensing for IoT and rogue devices and how Qualys CyberSecurity Asset Management 3.0 leverages this capability?
The risk associated with IoT devices can be difficult to track and measure because you can’t always deploy agents. Remote scanning often yields limited information, returning basic Linux or Android OS detail. With Qualys, customers can use passive sensing, through network appliances or built-in to the Cloud Agents that passively discover assets within the same subnet. This allows real-time detection and fingerprinting of IoT devices based on traffic, protocols, and with additional details from the wire.
Scans and log-based detections provide only snapshots, making them suboptimal for tracking rogue devices that come and go from the network. If a rogue device is not connected during a scan, it will go undetected. By leveraging passive sensing, security teams can identify rogue devices as soon as they connect to the network, assess the risk, and immediately take mitigating actions such as blocking access.
The CISO snapshot of cyber risk in CSAM 3.0
How does Qualys CyberSecurity Asset Management 3.0 improve the identification and mitigation of vulnerabilities compared to traditional external scanning tools?
Traditional external scanning tools often rely on a technique called banner-grabbing to identify assets and their vulnerabilities. Banner-grabbing involves sending a request to a device and looking at the response to identify the device type, operating system, and any services running on the device. However, this method has several limitations.
First, banner-grabbing can be inaccurate. Devices may be configured to provide misleading information, or the response may not be clear enough to definitively identify the device or its vulnerabilities. Second, traditional scans are typically scheduled, which means they may miss vulnerabilities that appear between scans.
Qualys CyberSecurity Asset Management 3.0 offers several advantages here. First, it utilizes a lightweight vulnerability scanner within the EASM functionality, leveraging best-in-class threat intelligence from Qualys TRU. While traditional tools can miss critical vulnerabilities or produce false positive detections, this scanner identifies more critical vulnerabilities and provides much faster risk assessment. Second, the attribution process helps teams focus on and manage assets that belong to the organization and prioritize remediation for associated cyber risks. Finally, our tool integrates with other Qualys solutions, such as Vulnerability Management, Detection and Response (VMDR), allowing organizations to effectively de-risk their business.
Can you share success stories or examples of organizations significantly improving their cybersecurity posture using Qualys CyberSecurity Asset Management 3.0?
We’re continually refining and improving on our platform based on customer feedback. While our customers are just now using the new capabilities within Cybersecurity Asset Management 3.0, we do have documented outcomes from early adopters. Brown & Brown Insurance, for example, discovered 34% more unmanaged and untrusted devices connecting to their internal network with Cloud Agent Passive Sensing.
Gary Bowen, director of security operations at Brown & Brown Insurance noted, “The Qualys Cloud Agent passive sensor has proven to be a game-changer, providing us with unparalleled visibility and immediate insights across our hybrid IT and OT domains, all without the complexities of identifying optimal locations for network taps. By helping to eradicate blind spots, this passive sensing capability empowers our security teams to identify and address potential risks the moment they arise, offering a comprehensive view of cyber risk across our entire attack surface.”