It has been a long time since I wrote something about Qualys, but today I will write not just about their free product or service, like SSL Labs, but about the main Cloud Platform.
Qualys pioneered cloud Vulnerability Management. How the cloud VM works? In simple terms, there is a web portal https://qualysguard.qualys.com (or .eu for Europe). You can login there, specify a list of IP addresses you want to check and Qualys server(-s) will scan this hosts and show you a vulnerability report.
Ok, it’s clear with perimeter, but what if some hosts are only accessible from your internal network? In this case, you need to purchase Qualys network appliance, which will communicate Qualys server (read more at “Using Qualys Virtual Appliance“). You create a scan task on Qualys web portal to scan hosts in your internal network, Qualys server gives an order to appliance to gather information about these hosts and to send it back to the server for analysis. Most of the security analysis is done “in the cloud” by remote Qualys servers. End-user manage VM service either through Qualys web-portal GUI, or API.
In a previous post I described how to export Nessus scan reports to Splunk server using standard app. Today let’s see how to export any structured data presented in JSON, including of course Nessus scan reports, to Splunk using HTTP Event Collector.
First of all, we should create new HTTP Event Collector
SecurityCenter is an enterprise level vulnerability management product of Tenable Network Security. As the name implies, the it is designed to be the center of Tenable security infrastructure. SecurityCenter takes data from other Tenable products: Passive Vulnerability Scanner (PVS), Log Correlation Engine (LCE), Nessus, and provides a powerful GUI interface for searching and reporting. Sounds familiar? Well, yes, it is something like SIEM, but with a strong emphasis on Vulnerability Management.
In this post, I certainly will not fully cover SC functionality and all the features of its API. I just would like to pay tribute to a convenient asset mechanism of SecurityCenter and show very basic operation of SecurityCenter API: retrieving the results of the vulnerability scanning (as I did it for Nessus in “Retrieving scan results through Nessus API“). Continue reading →
This will be a practical confirmation of my thesis from “Vulnerability scanners: a view from the vendor and end user side“: the scanner for one operating system is easy to make. I also want to demonstrate that data collection and data analysis for Vulnerability Assessment may be successfully performed separately. There is no need to take the data directly from the vulnerable hosts, when it is already stored somewhere else, for example in IT monitoring systems.
The opacity of data collection and the need to have a privileged account on the remote host, traditionally causes conflicts between IS and IT departments and complicates implementation of VM process.
So, to detect vulnerabilities on our Linux host we need to know what version of the packages contain vulnerabilities, which versions of packages are installed on our hosts, and learn how to compare versions.
How do I know which versions of packages are vulnerable?
This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at email@example.com or contact me any other way.