Académique Documents
Professionnel Documents
Culture Documents
Vulnerability
Management
2nd Edition
by Wolfgang Kandek
These materials are 2015 John Wiley & Sons, Ltd Any dissemination, distribution, or unauthorized use is strictly prohibited.
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Introduction
Foolish Assumptions
In writing this book, weve assumed that you:
Are somewhat familiar with information technology and
networking.
Want to understand the risks of networking and buggy
software.
Are thinking about using a vulnerability management
application to improve your network security.
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Introduction
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
PartI
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Whos at Risk?
Every single business with an Internet connection is at risk
due to network vulnerabilities. Whether youre a small business, a multinational corporation or a government, it makes
no difference youre at risk.
The challenge for every business, then, is to maintain a
safe, open, and interconnected network, making it easy to
exchange information with customers, suppliers and business
partners around the world.
Unfortunately, making this information both highly available
and secure is hard work. Malware, such as Trojan horses and
viruses, constantly threaten the theft of information and disruption of business operations. Moreover, the constant rate of
new vulnerabilities discovered each day and the speed with
which new exploits are created make this challenge even
steeper.
The solution is to immunize your network from security
threats by eliminating their origin: vulnerabilities.
Where do vulnerabilities
come from?
Programming mistakes, or bugs, cause most vulnerabilities in
software. For example, a common mistake which happens
in the memory management area of programs is data blocks
still being used after theyve been declared free by other parts
of the programs. When this use-after-free programming mistake is found by attackers, they can often exploit it and gain
control over the computer.
Computer scientists estimate that every thousand lines of
software code in well-managed software products contain
about one bug, with that number rising to 25 per thousand for
unscrutinized code. Modern software projects typically have
millions of lines of code. An operating system like Windows7,
for example, has 40 million lines of code, a Microsoft Office
application between 30 and 50 million and popular Internet
browsers between five and 10 million. Its no surprise, therefore, to see regular announcements of new vulnerabilities,
with related patches and workarounds.
Attackers do not develop exploits for all vulnerabilities that
are published, but they do constantly scrutinize critical vulnerabilities in widely installed software packages. To give
you an idea of the attackers reach, consider Microsoft; the
organization has determined that between 10 and 25 per cent
of the vulnerabilities it publishes are exploited within the first
30days of publication.
The best way to counter this threat is to quickly identify and
eliminate all vulnerabilities and on a continuous basis. For
example, Microsoft and Adobe release advisories and patches
on the second Tuesday of each month commonly called
Patch Tuesday whereas Oracle releases vulnerability patches
on a quarterly schedule. Many of the newer software projects,
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
10
11
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
12
Getting Ready to Do VM
As you get ready to do VM, be sure to organize your priorities
for security. This includes determining everything that needs
protection, including servers, network services, applications
and endpoints. In the past, this process was a manual one
that required an enormous effort to organize details and keep
the information current. Luckily, new software tools can now
automate this process, saving you time, improving accuracy
and lowering the total cost of ownership (see Part II).
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Part II
Doing Vulnerability
Management
In This Part
Discovering and categorizing assets for VM
Scanning systems for vulnerabilities
Prioritizing assets by business risk
Remediating vulnerabilities
Informing the security team, auditors and management with reports
Continuously repeating these steps for ongoing security
Adopting the right solution
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
14
Figure 2-1: A network map identifies and shows the logical relationship
between all the assets on a network.
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
15
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
16
Industry: Technology
Headquarters: San Jose, California,
USA
Locations: Worldwide
Major Brands: eBay, PayPal,
Shopping.com
Employees: 34,000+
Annual Revenue: USD$15.2+ billion
Stock Symbol: EBAY (NASD)
Qualys VM has made the job of auditing our network much easier. We
used to have to dig through results
and do a lot of manual analysis to get
meaningful reports, and those were
inconsistent. Qualys takes care of
that nightmare. Senior Manager,
Information Security
Objectives:
Reliably identify network vulnerabilities across the global network.
Audit the network security of
business partners and help those
partners to quickly remediate vulnerabilities and eliminate risks.
Rollout an automated solution
that would find the most recent
vulnerabilities without requiring
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
17
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
18
Launching a scan
You can usually schedule a vulnerability scan to run repeatedly or run it on demand. Your scan request needs to specify
the particular computer systems or network devices that you
want to check for vulnerabilities, typically as a combination
of IP addresses, ranges of IP addresses and asset groups. The
scan is then initiated by your VM application. Figure 2-3 shows
a scan created to launch repeatedly every week.
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
19
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
20
Mobile computing
Many organizations have shifted a large percentage of workstations from fixed desktop computers to portable notebook
computers for more productivity and flexibility.
This flexibility presents a serious challenge for VM scanning:
How can you scan a machine that is sporadically connected
to your organizations network? One way is to intercept
machines when they access the virtual private network (VPN)
server and catch them with a traditional remote VM scan. But
this approach is getting harder to execute because many organizations no longer require VPNs to perform remote work.
Instead, e-mail and other applications are increasingly used
through the Internet with Software-as-a-Service (SaaS).
The best solution for mobile is an agent-based approach,
where locally installed small-footprint software provides all
the information necessary to evaluate the security state of the
machine. An agent tuned for VM information gathering can
be non-intrusive without affecting functions of the operating
system and applications with a near-zero effect on processing,
memory and network bandwidth.
Non-intrusiveness and ease-of-installation are key factors
for deployment and acceptance by mobile users. The other
hurdle is winning acceptance by IT staff because they will
scrutinize requests for additional agents, and insist the
agents provide clear value without negatively affecting
IT infrastructure.
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
21
Virtualization
For servers, virtualization has led to similar gains in flexibility. With virtualization technology, a server can be set up on
demand, often within a few minutes. Generic virtualization
service providers now provide the ability to host these servers with geographical options worldwide. However, while virtual server infrastructure has become more agile and efficient,
virtual servers are also harder to track especially for VM.
In order to properly address scanning virtualized servers in
your VM program, evaluate:
Virtual scanners: Scan engines are available for your
virtualization platforms, allowing you to seamlessly
integrate the scanner into your virtualization setup.
Monitoring: In virtual environments, the creation of new
servers tends to be dynamic. This is especially true for
virtualization service providers and may result in the
creation of new server networks. The downside for you
is that your virtual servers on these networks are not
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
22
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
23
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
24
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
25
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
26
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
27
Figure 2-6: Asset search for New York servers with HTTP.
(continued)
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
28
Employing technologies
toimprove scanning
Look for scanners that use a variety of active operating
system (OS) discovery techniques, such as banner grabbing
and binary grabbing, OS specific protocols and TCP (transmission control protocol)/IP stack fingerprinting (determines
operating system used by a remote target), and passive techniques such as packet spoofing (concealing or forging identity
with a fake source IP address). Fingerprinting entails careful
inspection for subtle variations in implementation of RFC
(request for comments) standards. A service discovery engine
detects backdoors, Trojans and worms by checking TCP and
UDP (user datagram protocol) services, including those on
non-default ports and with fake banners. A similar discovery
process is used to fingerprint HTTP applications by leveraging
softwares version ID, service pack ID and installed patches. A
good scanner will correlate OS and HTTP fingerprint tests to
quickly find true vulnerabilities and minimize false positives.
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
29
Traditional manual processes for finding flaws, suggesting patches and other remediation actions are far too slow,
error-prone and ultimately too expensive to be used efficiently. Also, the high cost of patching coupled with the high
volume of flaws detected in software applications sometimes
encourages organizations to delay remediation. This may
cause an organization to delay updates even for critical
patches or large, highly tested updates such as service packs.
Unfortunately, delay causes a technical debt in the software
systems, which is a fatal strategy. As an example of technical
debt, recall the recent case of Windows XP. Organizations that
did not prepare for its end-of-life in 2014 and failed to replace
the aging operating system are now faced with immense
problems. On one hand, the technical debt is so high that
an upgrade to a supported system requires a major change
in underlying hardware, technology and user interface. The
alternative is to pay Microsoft top dollar for each necessary
patch and continue using an operating system that can be
easily invaded by any moderately skilled attacker.
So, fixing vulnerabilities is essential. Fortunately, mature software vendors fix flaws in their products on a regular basis
and perform extensive testing on the new versions. Operating
system, Internet browser and standard application updates
should thus be transparent to your business and cause no
interruption in your workflow. This tendency has accelerated in recent years, especially on mobile platforms. Thanks
to ubiquitous connectivity, the industry is moving to silent
updates such as with Google Chrome, the Windows App store
and the new Windows 10.
If you have special configurations that are not covered by the
software vendors testing, or applications that are custom
written, it makes sense to perform your own pre-testing on
patches before applying them to live systems.
Pre-testing patches
Follow these tips for pre-testing:
Ensure the testing takes place in your organizations
unique environment. Most problems with patches are
due to third-party applications or modifications to
default configuration settings.
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
30
Managing patching
Follow these tips for patching:
Remediate vulnerabilities as quickly as possible and
minimize risk by applying the patches in the priority we
outline in Step 3.
Adopt automated patch management and software distribution solutions these are crucial for all but the smallest environments in streamlining the patching process
and keeping costs to a minimum. The rollback capability
included in such tools can restore software to a previous state and ensures that organizations use appropriate
software versions efficiently.
Integrate patch management with other automated VM
processes. For example, Qualys VM provides one-click
links to vulnerability patches, fixes and workarounds to
use during this phase of workflow.
31
Industry: Manufacturing
Headquarters: Hamburg, Germany
Locations: Europe
Employees: 4,700
For me, the Qualys VM platform
is simultaneously also the central data basis for communicating
with the management. The reports
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
32
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
33
34
35
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
36
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
37
(continued)
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
38
Results:
Fifth Third has 20 Qualys VM
appliances deployed that continuously audit more than 30,000
specific IP addresses automatically throughout the banks infrastructure.
Via Qualys VMs ability to assign
highly-specific asset tags (which
quantifies monetary value of an
asset based on business purpose), the bank can now examine and report its vulnerability
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
39
Third, attackers are leveraging the power of cloud and parallel computing to continuously scan and attack vulnerabilities
within your networks and systems, often at speeds that surpass your ability to react. In this new age of cyber crime, it is
truly a race to the finish line to see who can identify and patch
vulnerabilities quickest.
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
40
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
41
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
42
Southeastern
Results:
Qualys VM helps The Equitable
Bank to automate the full continuous cycle of vulnerability management to protect its network
and operations from the latest
security threats. Automation
has helped the bank achieve its
risk management and resource
objectives.
Qualys Express allows The
Equitable Bank to document and
submit proof of network security
policy compliance to auditors
and regulators.
See w w w . q u a l y s . c o m /
customers/ for more info and
other case studies.
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
43
Time to Choose a
Solution for VM
After reviewing the steps to VM in the preceding sections
comes the time to choose a solution that can:
Map your network and all its devices.
Accurately and efficiently scan for the largest potential
number of vulnerabilities.
Clearly and comprehensively report scanning results.
Shepherd the remediation process, whether through use
of the VM ticketing system or integration with your IT
organizations system.
Test and confirm that vulnerabilities are fixed.
Automatically produce accurate, comprehensive and det
ailed reports and dashboards to verify compliance with
internal policies, and legally mandated regulations for
security.
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
44
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
PartIII
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
46
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
47
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
48
Carry out pen testing after implementing a vulnerability management program. The Council on
CyberSecurity recommends pen
testing as Priority 18, whereas vulnerability management is listed
as Priority 4. Ask pen testers for
yourself; most will agree that if you
already have a VM program, using a
pen test is of very limited value.
49
50
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
51
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
52
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
53
Smooth integration of these resources with enterprise management platforms is often challenging, if not impossible.
A cloud solution, however, has many operational advantages:
Cloud is already up and running so deployment is
instant, no matter how many sites need VM, and no
matter where they are in the world.
Cloud covers mobile workstations with Internetconnected agents that provide continuous visibility.
Cloud is inherently scalable and immediately begins
working for the largest enterprise.
Cloud solutions typically provide an API allowing for
simple integration with enterprise network management
platforms.
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
54
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
PartIV
56
Discovering Continuous VM
Whereas non-cloud-based VM involves acquiring, installing,
supporting and maintaining a software-based solution, cloudbased continuous VM brings in a trusted third party, such as
Qualys VM.
Industry experts define VM to include the following criteria.
Continuous VM should:
Identify both external and internal weaknesses.
Automatically scan using a continually updated database
of known attacks.
Be highly accurate, essentially eliminating false positives
and false negatives and be non-intrusive.
Use inference-based scanning to ensure that only
applicable vulnerabilities are tested for each scan.
Generate concise, actionable, customizable reports,
including vulnerability prioritization using severity levels
and trend analysis.
Provide tested remedies and workarounds for cases
where no remedy as yet exists.
Provide distributed scanning capabilities with consolidated reporting and centralized management capabilities.
Offer both authenticated (credential-based) and simple
non-authenticated techniques for scanning.
Provide user access management to restrict users roles
and privileges to their function in the organization and
network responsibility.
Supply workflow capabilities for prioritizing and tracking
remediation efforts.
Enable customers to build compliance reporting.
Integrate seamlessly with customers Security
Information & Event Management (SIEM), Intrusion
Detection System (IDS), patch management and help
desk systems.
Automatically execute the steps of VM in a continuous,
ongoing process.
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
57
Accessing Qualys VM
Users access Qualys VM by simply logging in via a web
browser. By using this standard approach to access its web
service-based delivery architecture, Qualys VM users can
immediately use the service and audit the security of their
external and internal networks. Continuous VM services with
Qualys VM are available 24x7 to all subscribers worldwide.
With Qualys VM you can schedule scans to occur automatically, including selected scan targets, start time, duration and
occurrence frequency.
Continuous VM features in Qualys VM provide a broad array
of capabilities for finding and eliminating network vulnerabilities. Qualys VM:
Discovers all systems attached to your network.
Identifies and analyzes vulnerabilities on all discovered
systems.
Reports findings of discovery and vulnerability analysis.
Shepherds the vulnerability remediation process.
Confirms that remedies or workarounds have been
applied.
Provides documentation to verify security compliance.
Automatically repeats the VM-for-continuous-protection
steps.
Alerts on variances from expected configurations in
vulnerabilities, exposed services, installed software and
certificates.
Elements of Qualys VMs architecture in the Qualys Cloud
Platform (which you can see in Figure 4-1) include a
KnowledgeBase, Security Operations Centers, Internet scanners, scanner appliances and a secure web interface.
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
58
KnowledgeBase
The core of Qualys VM is its KnowledgeBase. KnowledgeBase
contains the intelligence that powers the Qualys VM continuous vulnerability management service. Its updated daily with
signatures for new vulnerabilities, validated patches, exploit
usage indicators and other data that continuously improves
its effectiveness.
Internet scanners
Qualys VM Internet scanners carry out perimeter scanning
for customers. These remote scanners begin by building an
inventory of protocols found on each machine undergoing an
audit. After discovering the protocols, the scanner detects
which ports are attached to services, such as web servers,
databases and e-mail servers. At that point, the scanners initiate an inference-based vulnerability assessment, based on
vulnerabilities that could actually be present (due to operating system and configurations) to quickly identify true vulnerabilities and minimize false positives.
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
59
Scanner appliances
To map domains and scan IPs behind the firewall, Qualys VM
Scanner Appliances are installed by customers. These are
either virtual or physical devices that install within a matter
of minutes, gather security audit data inside the firewall
and communicate securely with Qualys SOCs. These appliances use a hardened operating-system kernel designed to
withstand attacks. In addition, they contain no services or
daemons (background software processes) that are exposed
to the network. These devices poll the SOCs for software
updates and new vulnerability signatures, and process job
requests.
Prioritizing Remediation to
Guide and Speed Up Staff
Follow-Through
Qualys VM provides a remediation ticketing capability similar to trouble tickets created by a support call center. As the
security manager, you can control the priority-driven policies
for these tickets and automatically assign responsibility for
fixing them. Qualys VM notes when tickets have been created,
and tracks all remediation changes in subsequent scans. The
automation of these processes can dramatically speed remediation of vulnerabilities.
Reports from Qualys VM automatically identify and rank vulnerabilities with the Qualys VM Scanning Engine. This engine
assigns one of five severity levels to define the urgency associated with remediating each vulnerability. Rankings are based
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
60
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
61
Automating Compliance
Documents for Auditors
One area that distinguishes Qualys VM from other VM solutions is its very flexible, comprehensive and intelligent reporting capability. Most other solutions produce rigid reports
that reflect, one-for-one, whatever data they gathered during
a scan. Few, if any, mechanisms can filter, regroup or synthesize the data into higher levels of information abstraction.
Qualys VM reports, however, are like quality business intelligence reporting and come with filtering and sorting that
enables you to view data any way you want.
Components of Qualys VM reporting are:
Network assets (IPs and/or asset groups) included in the
report.
Graphs and charts showing overall summaries and network security status.
Trending analysis for a given network.
Vulnerability data with detailed specificity.
Filtering and sorting options to provide other flexible
ways to view your networks data.
The Qualys VM Dashboard provides an instant one-page snapshot of your networks overall security position, as you can
see in Figure 4-3.
62
Ease of integrations
Qualys open, XML-based application programming interface (API)
platform is unique in the security
industry. The APIs programmatically
expose core Qualys VM capabilities, including scan, map, scheduler,
ticketing, account management
and references. This allows Qualys
VM to easily interface with other
security and network management
applications.
In addition to viewing reports with
Qualys web-based interface, as a
customer you can manually or programmatically export your vulnerability data and scan results/reports in
XML format using Qualys VMs open,
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
63
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
64
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
65
66
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
67
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
68
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Part V
Embracing Continuous
Monitoring
In This Part
Distinguishing the relationship between VM and CM
Perusing examples of some results of using Qualys CM
Forging an alwayson approach to security with Qualys CM
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
70
Understanding Continuous
Monitoring and Vulnerability
Management
Qualys Continuous Monitoring provides organizations with
a comprehensive, alwayson view of potential security holes,
empowering them to immediately identify and proactively
address potential vulnerabilities before they are exploited
into breaches. Built on the Qualys Cloud Platform, Qualys
CM uses its elastic scanning capacity to dynamically scale to
networks of any size and scope.
The key benefit of Qualys CM is that it instantly alerts first
responders on operational teams as soon as an unauthorized
change is detected.
A deep, symbiotic relationship exists between continuous vigilance and alerting aspects of Qualys CM and the assessment
and remediation aspects of Qualys Vulnerability Management
(VM). Cyber threats may consist of softwareborne threats,
such as exploits that install worms, viruses and driveby
infections from malware on websites; they also may target
internal issues such as those related to bad configurations
of your IT environment. Responding to threats from both
scenarios requires the integration of continuous monitoring
plus assessment and remediation.
The whole idea of continuous monitoring hinges on the availability of timely, accurate data about your IT environment,
including information about changes to systems and configurations that expose new vulnerabilities. These data are automatically collected and analyzed during scans. CM is the next
step of immediately putting this information into the hands of
first responders for judgment and action.
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
71
(continued)
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
72
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
73
Figure 5-1: Qualys CM alerts let first responders instantly drill down to
details such as new open ports, ports closed or ports changed.
74
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
75
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
76
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Part VI
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
78
Perform Vulnerability
Management both Inside
and Outside the DMZ
Be comprehensive about your network auditing. Therefore,
perform VM both on your demilitarized zone (DMZ, or the
external network boundary) and on your internal systems.
Thats the only way to achieve optimal security protection.
Hackers exploits are crafty and will otherwise breach your
network, so make sure you guard and check everything.
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
79
Remediate by Prioritizing
Patching Efforts
Prioritize application of patches, starting with the most
critical vulnerabilities on the most important assets, and
proceed to the less critical ones. Get in the habit of setting
(and exceeding!) performance goals to reduce the level of
critical vulnerabilities in the network.
80
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.
These materials are 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.