QSC16: from Vulnerability Management to IT Visibility

I want to share my impressions of QSC16 conference, where recently I had pleasure to attend. This yearly conference is held in Munich for ten years already. I was there before only one time, in 2012. It made a great impression and this year was no worse.

My photo QSC16

First of all, I should write some words about the conference itself. QSC is an acronym for Qualys Security Conference. It is clear from the name that it is fully dedicated to Qualys products.

Who might be interested in such event?

Mainly, of course, current and potential users of Qualys products, partners, competitors (from own experience, they are not welcomed there ;-)) and, I think it is the smallest group, analysts of Vulnerability Management market and Vulnerability Assessment geeks, like me. For people, who are sincerely interested in VM market changes, road show of the global VM vendor with the biggest market share (is it right, Gartner?) is a precious information source. Here you can learn about real experiences in the use of Qualys products and hear about the company’s future plans.

BTW, if you are one of those, and we do not know each other, we should definitely have a talk. 😉

QSC Agenda

Why is this event important? Despite existing skepticism about mono-vendor conferences and roadshows, QSC is one of the few events in Europe dedicated to the VM, in the broad sense of the term, almost exclusively. All discussions are, of course, in the context of Qualys solutions and you won’t hear any real critics of the vendor, however questions raised there are relevant for the entire VM market.

Current landscape

I was always very inspired by the introductory speeches of Qualys top managers. It is a good set of ideas explaining why vulnerability management is important and promising. Unfortunately, this time my favorite speaker, Philippe Courtot, Chairman and CEO of Qualys, could not attend the event, Sumedh Thakar, Qualys CPO replaced him. I’m not going to repeat everything that has been said, and just try to express the the points used by Qualys management  to promote their products. As far as I understand it.

We live in very fast and strange changing world. These changes can be called “digital transformation”. This includes such things as the 4th industrial revolution, hyper-connected world and UBERisation. These changes directly affect information technology.

Companies that do not keep up with the changes in the world, will eventually be superseded by competitors. Entry barriers to the markets decline each year. Development of of cloud services that make development faster, and more scalable deployment contributes to this barriers reducing.

What does this mean in for information security? Nothing good. Traditional perimeter disappears, you need to take into account the cloud infrastructure and services, virtual environments and containers etc. “IT becomes service-oriented”. This creates additional difficulties for information security departments. How can you protect something that you can’t even see? However, if information security people will defend the old principles, it can damage competitiveness of the company.

On the other hand, these same changes in cloud services, allow us to make more cost effective and scalable information security. It is a reference to Qualys cloud services of course 😉

At QSC16 very little has been said about Internet of Things (IoT). But this topic was central at Qualys events previous years. Every day we see news about massive DDoS-attacks via IP-cameras, routers, smart light bulbs and other device permanently connected to the Internet. We all understand it’s all because of lack of vulnerability/patch management, both on the part of the device vendor, and end-user.

Regulators are actively engaged in the information security, but their “assistance” often means high fines for companies, sometimes more than 4% of the revenue.

Positioning

Qualys product positioning corresponds to HD Moore thesis that traditional vulnerability management vendors want to get away from their own business. Or at least they strongly want to modify it. The main message of QSC16 top managers, was “Qualys is significantly more than Vulnerability Management”, it is “single visibility solution” or “security side ‘amazon services'”. It can assess overall security of IT infrastructure.

Information for assessment may be collected with an active scanner, cloud agents or passive network analyzer. The greatest attention on the conference was paid to cloud agents. Correct work with Qualys is no longer mean creating scanning tasks and analysis of scan results, but enriching asset model and assets analysis via Elasticsearch based AssetView/ThreatProtect modules. Using cloud agents and AssetView makes possible to collect information about infrastructure state more rapidly. IT don’t need to wait week when weekly scan will be finished, to assess results of patching.

New announces

  • New cloud agents for Solaris 10+, AIX 7.1+, HP-UX 11iv3+; web-proxy support, version control, Agent SDK, beta support for FIM and IOC
  • Patch deployment via integration with HEAT/Lumention solutions
  • File integrity Monitoring (FIM) – new module for file analysis
  • Indication of Compromise (IOC) – new module for process analysis
  • SSL View
  • Passive Network Analyzer
  • Cloud View 360
  • WAF virtual patching and integration with Qualys WAS

 Qualys positioning as a reflection of common trends in VM

The following text has little to do with the conference. These are my thoughts about VM solutions that I have ever used. It should once again admit that VM vendors now rarely speak about vulnerabilities. Even at the QSC16 nobody  actually talked about critical vulnerabilities that have emerged during last year. The systems that will be supported by cloud agents was referred as families (Solaris, AIX, etc.). The implication was that Qualys will support all known vulnerabilities for those systems. But how end-user will verify this? Speaking of configuration standards mass certification of CIS standards was mentioned. That’s great, but why no one wants to talk about the implementation of the checks?

And this applies to all major VM-vendors. Their solutions are changing heavily. For example, I support the idea that the scanner must perform well the basic function: to search for vulnerabilities. The rest can be automated relatively easily. But the trend in VM-solutions is different and it can’t be denied.

Intentionally or accidentally, they all use the same concept, despite some differences in the implementation and family traits. The idea of new SIEM-like VM solutions (Tenable SC, Nexpose, Qualys AssetView, Positive Technologies MPX) is transparency provision for whole IT-infrastructure. Data sources for analysis: active scanner, agents, traffic and logs. Key solution components and modules: Active scanner, VM, PC. Additional components: Agents, PVS, LCE, WAS, WAF.

Traditional SIEM solutions are focused on the log files. “New VM solutions” are mainly focused on data collected by active scanners and agents. There is some disappointment in traditional SIEMs. They are very expensive, require productive hardware and huge storage, make significant network load and it is necessary to develop own correlation rules (read more critics at “PHDays VI: The Standoff“).

VM solution, that provides host inventory, configuration, vulnerabilities, etc. can be a very valuable source for SIEM. So why can’t VM from yet another source become the primary tool for visualization and analysis of IT assets?

We see a number of vendors replacing common interface “scan target – scan process – scan report” with new asset management features. This approach is used now by Rapid7 Nexpose, Tenable SC and MPX/PT SIEM. This solutions fill asset model mainly from Nexpose, Nessus and Maxpatrol 8 scan results. Tenable SC and MPX/PT SIEM support also system logs, like traditional SIEMs. Qualys makes a big bet on cloud agents.

Filling assets model from the scan results is a significant amount of work. Where should vendor get extra money for this transformation? Interesting solution was found in Qualys. They announced 2 new modules for controlling integrity of files (FIM), and processes (IOC). Could users Qualys users do the same work earlier, for example, with configurable compliance checks? Sure. But now it will be much more convenient, with beautiful search interface, dashboards and automatic blacklisting for malicious files and processes. A similar situation with ThreatProtect and great Qualys expertise in vulnerability prioritizing.

This is an interesting case how technically the same functionality with some extra expertise can be presented in asset-centric form and can provide additional monetization for the product. I think a lot of the functionality can be presented in future as useful individual modules. And other vendors may soon use the same approach as well.