Hello everyone! On the one hand, because of the pandemic, we have become more distant from each other. We work mostly remotely from home. Traveling to a conference in another country has become much more difficult than it used to be. Now it is not only expensive. It has become much more difficult to obtain visas, there are restrictions related to vaccines, tests, quarantines, etc. And sometimes the borders are simply closed and it is impossible to get there.

On the other hand, we have become paradoxically closer to each other. Conferences have become much more online-oriented. And the main event of Qualys, QSC 21 Las Vegas, is now available to everyone with no delays or restrictions. This year, I not only watched the show, but also took VMDR training, passed the exam and received a certificate. I want to talk about this in this episode.

Conference

I will only state the main idea. Of course the way I understood it. Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency (CISA), btw not related to a security blogger Brian Krebs, started the conference by talking about attacks. There will only be more of them, and it will be more difficult to mitigate these attacks. Of course, if companies could be protected with prohibitive measures, that would be fine. But the problem is that in order for a company to be competitive, it must build the “permissive environment”. Especially in our COVID times.

What can we do? We have to raise the security level of the entire infrastructure. Which means “organizations need to know all devices, detect all vulnerabilities and misconfigurations across their systems and prioritize what needs to be fixed—then actually fix it”. And this is actually a very difficult task that can paralyze any security and IT team.

And of course Qualys offers a solution – VMDR. Moreover, unlike competitors, they can not only highlight problems, but also actively fix them. Everything can be done from one web interface without much thinking how it works under the hood. “Qualys effectively removes the need for security teams to write APIs and scripts to automate.”

VMDR

Let me tell you what I think about this. I totally agree with the VMDR concept.

• VM is impossible without understanding what hosts and software we have
• It is much better to do host inventory and vulnerability detection without active scanning
• Vulnerability prioritization is also important, otherwise you might miss the most important things
• Vulnerability fixing is definitely a part of the VM process that you need to manage somehow

Do I believe this particular commercial VMDR solution will meet all your needs? It is hard to say. Of course, I see the problems. Surely there will be something in the infrastructure that is not supported by Qualys, and therefore the requirement for complete transparency will not be achievable. Something will definitely be out of scope.

At the same time, I follow their development. QualysGuard used to be a pretty tough one-size-fits-all solution. Either adapt to us, or use something else. And now Qualys VMDR is a flexible framework that allows you to implement very complex practices using tags, dynamic groups and other automation. Everything is configured right in the web interface.

And they really solve problems. I was impressed that they added agents even for commercial Unix systems (FreeBSD, IBM AIX, Solaris). They’re also great for automating common use cases. For example, how they control the Certificates or Authorized & Unauthorized Software. Obviously, the company employs smart people who think what to do with problem cases and what cool things can be done based on the collected data.

In addition, even if you don’t want to become a Qualys client, even if you are a supporter of custom VM processes (like me), it is useful to look at their implementation. Just to get some idea of how this can be done.

Training

The training lasted 4.5 hours and consisted of a lecturer’s story and laboratory work. Unfortunately, the labs were not “real”. Qualys did not give access to the web GUI. There were slideshows with voice-overs (TTS) describing how to perform certain actions in the interface. From time to time you should click somewhere on the screen or enter text. In general, this is certainly worse than working with a real interface, but on the other hand, it is better than nothing.

The training covered the following topics:

1. Asset Management. Basically we were told how to configure Agents for VMDR
2. CyberSecurity Asset Management. We were mainly told how to build search queries using different categories: Hardware, OS, Software,Lifecycle Stages, Licenses, etc.
3. Network Passive Sensor. Unlike Tenable, Qualys only uses it to detect Unmanaged Assets.
4. CMDB Sync. We were shown how to collect asset data from ServiceNow.
5. Authorized & Unauthorized Software. We were shown how to mark which software needs to be removed.
6. Vulnerability Management. We were shown how to do vulnerability searches.
7. Dashboards & Widgets. We mainly covered the Count Widget settings..
8. Threat Detection & Prioritization. We were shown how to prioritize vulnerabilities using additional data Threat Feed, Asset Tags, Vulnerability Ages, Real-Time Threat Indicators, etc.
9. Patch Management. We were shown the patching capabilities and associated limitations. For example, you can patch only those hosts on which agents are installed, and only if downloading patches does not require additional authentication. Particular attention has been paid to establishing rules for the automatic installation of Zero-Touch patches.
10. Additional VMDR Applications. A very brief overview of other VMDR modules. Security Configuration Assessment (SCA), CloudView & Cloud Security Assessment (CSA), Container Security (CS), CertView (CERT), Continuous Monitoring, VMDR for Mobile Devices.

Exam

After completing the training, one could pass the exam. 30 questions. You need to answer 75% correctly. In the part of the questions, you need to choose one answer, in the part, several.

You can use everything and there is no time control. You can take the exam several times, but the instructor said that there is a limit of 5 attempts. Some of the questions are simple, but some require a lot of practice with VMDR, you can’t google it. I passed the exam the first time with 90% correct answers and received a certificate.

In general, I liked the training. It was quite informative. And it was definitely much more convenient than learning everything yourself, just using the documentation. Thanks to Qualys for providing free courses and exams even for non-customers. It is very cool and valuable. And if Qualys creates a fully functional test environment for labs, that would be even cooler.