Yesterday Qualys introduced CyberSecurity Asset Management 3.0. The product name contains “Asset Management”, but in the first sentence the solution is presented to us as “re-defining attack surface management” (EASM). Such a Gartner-style marketing mishmash. 🤷♂️ At the same time, Qualys does have quite unusual Asset Management and EASM. And it’s unusual how they came to this. These are solely my impressions as an outside observer; I do not have any insider information.
🔹 In 2020, Qualys introduced a Global AssetView solution. To put it simply, users could roll out Qualys cloud agents to hosts in the their infrastructure, deploy Qualys Passive Sensor to search for unknown assets in network traffic, and based on this get some basic understanding of their infrastructure (without detecting vulnerabilities). And most importantly, it’s all free! This is a Freemium offer that allowed the company to conveniently upsell the functionality of Vulnerability Management and Compliance Management. The move is very, very bold.
🔹 In 2021, as a development of Global AssetView, the CyberSecurity Asset Management product appeared. This was already a full-fledged Asset Management: two-way synchronization with ServiceNow CMDB, asset criticality assessment, analysis of installed software, attack surface analysis using Shodan (the last option was not particularly emphasized back then). As far as I can understand, the original purpose of CSAM was to deal with cases that affect the security of assets, but are not, strictly speaking, vulnerabilities: shadow IT, upcoming end-of-life (EoL)-of-support (EoS) hosts, hosts without installed EDR, risky ports accessible from the Internet, misconfigurations of software and services.
🔹 In 2022, Qualys released CyberSecurity Asset Management 2.0 with an integrated External Attack Surface Management (EASM) solution. The idea that EASM can be developed and delivered as part of an Asset Management solution is quite unusual. But there is logic in this. Reducing the attack surface is not about patching this or that vulnerable server. This is about the fact that there should not be any unnecessary junk (“if an externally facing asset or its configuration is not necessary for the business, then it should be shut down“). And from this point of view, EASM is really not so much a perimeter scanner. It is rather a cunning utility that lists non-obvious assets that are, with some probability, related to the company, and shows the risks associated with them. 🐇 🎩 Is this part of Аsset Management? Well, apparently so.
So, as far as I understand, Qualys now has VMDR (Vulnerability Management, Detection and Response), which includes CSAM (CyberSecurity Asset Management ), which in turn includes EASM (External Attack Surface Management). Something like a matryoshka. 🪆
What’s in CSAM 3.0?
🔻 Qualys removed mentions of Shodan. “CSAM 3.0 uses new attribution scoring and expands the use of open-source technology and a proprietary internet scanner to drive accurate discovery, attribution, and vulnerability assessment”. When attributing an asset, attribution scoring are displayed (you can filter by them).
🔻Cloud Agent Passive Sensing asset detection capabilities are now used (host agents that sniff traffic).
🔻Connectors for integration with asset data sources (connectors for Active Directory and BMC Helix announced). Apparently there was no integration with AD before.🤷♂️
Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.