
Qualys Technology

9 Posts authored by: Eric Perraudeau

The new QualysGuard Vulnerability Notification feature allows you to configure QualysGuard to send email notifications to users about new and updated vulnerabilities in the QualysGuard KnowledgeBase. An update to QualysGuard 7.11 will be released in production in the coming weeks to introduce this feature.

 

New QualysGuard Vulnerability Notification

It’s easy to configure different notifications for different groups of people. For example, you may want a group of IT Managers tasked with maintaining Windows systems to be notified when new critical Microsoft vulnerabilities are added to the KnowledgeBase. You may want a separate group responsible for monitoring cyber threats to be notified about all vulnerabilities with known exploits so they can be proactive and take appropriate actions even before a scan is launched.

 


 

Full release notes will be available to customers from within the Resources section of your QualysGuard account.

 

Release Schedule

For details about the release dates and to subscribe to release notifications by email, please see the following:

 

Tip: What's my platform


QualysGuard 7.11 will be released in production in the coming weeks and includes enhancements to QualysGuard Vulnerability Management (VM) and Policy Compliance (PC) reports, and API.

 

Highlights include: ability to rerun a report, new “Host Scan Date” filter and “Vulnerability Fixed On” date filter for the vulnerability scorecard report, and API enhancements.

 

QualysGuard VM/PC Reports Enhancements

Ability to Rerun a Report: This release introduces the ability to rerun any report in your reports list by selecting “Rerun” from the Quick Actions menu.


 

QualysGuard VM Enhancements

New filter options are introduced in the Vulnerability Scorecard Report to help customers better measure the progress of their Vulnerability Management program. More details about the Vulnerability Scorecard are available here: Continuously Monitor Vulnerability Remediation Performance Across your Organization with QualysGuard v7.8 Vulnerability Scorecards

 

New “Host Scan Date” filter for the Vulnerability Scorecard Report: This filter allows you to limit which hosts are included in your Vulnerability Scorecard Report based on scan date. For example, only include hosts scanned in the previous month or only include hosts scanned within a selected date range.

 

New “Vulnerability Fixed On” date filter for the Vulnerability Scorecard Report: This filter allows you to set a timeframe in which you want to count Fixed vulnerabilities. When you display vulnerability counts in your report (by selecting Vulnerability Status on the Display tab) your report will include the total number of Fixed vulnerabilities for each asset group/tag in the report. When counting the total number of Fixed vulnerabilities, we include all vulnerabilities fixed since the start of your subscription. If you’re only interested in seeing the number of vulnerabilities fixed in say the previous quarter or since a certain date, then use this filter to select the timeframe.

 


Here’s a look at the date picker used for both filters. As you can see, you have many options.


 

QualysGuard API Enhancements

Full details about the API features in QualysGuard 7.11 can be found here: QualysGuard 7.11 API Notification

 

List of the API enhancements:

  • Enhancements to “/api/2.0/fo/asset/host” API
    • support for asset tags as input parameter for host selection
    • support for asset tags in the XML output
    • support for Qualys Host ID in the XML output when Agentless Tracking is used
    • support for custom page size output
    • “host_list_output.dtd” updated
  • Enhancements to “/api/2.0/fo/asset/host/vm/detection”
    • support for asset tags as input parameter for host selection
    • support for asset tags in the XML output
    • support for Qualys Host ID in the XML output when Agentless Tracking is used
    • “host_list_vm_detection_output.dtd” updated
  • New technology available in Authentication API V2 “/api/2.0/fo/auth”
    • support for Apache 2.2 (IBM HTTP Server 7.x running on RHEL 5.x and 6.x)
    • support for Apache 2.2 (VMware vFabric Web Server 5.2)
    • support for Microsoft IIS 6.x and 7.x
    • support for IBM WebSphere Application Server 7.0
  • Enhancements to “/api/2.0/fo/auth” API
    • output contains new authentication records mentioned above
    • “auth_records.dtd” updated

 

 

Full release notes will be available to customers from within the Resources section of your QualysGuard account.

 

 

Release Schedule

For details about the release dates and to subscribe to release notifications by email, please see the following:

 

Tip: What's my platform


QualysGuard 7.10 will be released in production in the coming weeks and includes enhancements to QualysGuard Cloud Platform, Vulnerability Management (VM), Policy Compliance (PC) and API.

 

New QualysGuard Express Lite

The new service offering QualysGuard Express Lite for SMBs is launched with this release.


 

QualysGuard Cloud Platform Enhancements

Redesigned Application Picker: In this release, the application picker has been redesigned with a new look & feel to clearly show users the various applications available in their subscriptions.

 


 

New Virtual Scanner Wizard: This release introduces a new virtual scanner wizard to simplify the steps for selecting the right image for your virtualization platform, downloading the image and configuring your scanner.


 

New Virtual Scanner Image for VMware ESX/ESXi v3.5: In this release we are providing a new virtual scanner appliance image compatible with the former version 3.5 of VMware ESX/ESXi. For information, earlier versions of VMware ESX/ESXi are already supported.

 

QualysGuard VM Enhancements

New Resolved date for Remediation Tickets: As hosts are scanned, QualysGuard automatically updates remediation tickets and closes tickets for vulnerabilities that are verified fixed. If you don't run scans soon after fixing vulnerabilities, then your tickets are not closed right away. QualysGuard 7.10 provides a new “Resolved” date that gives you a way to track which vulnerabilities have been processed. It allows you to measure the time between when a ticket is created and when an action to resolve the vulnerability is performed. The resolving action may be to deploy a fix and mark the ticket Resolved, or to ignore the vulnerability in the context of a risk acceptance process.


 

QualysGuard PC Enhancements

In QualysGuard 7.10, Policy Compliance includes new content in the control Knowledgebase to provide support of Application Server Technologies as detailed below. These new controls can now be used by customers to build Application Server Technology policies.

 

Support of Apache 2.2 Added: With QualysGuard PC, users can now audit Apache 2.2 configurations running on IBM HTTP Server and VMware vFabric Web Server 5.2. The technology will be released with a set of controls supporting the CIS Apache HTTP Server 2.2.x Benchmark v3.2.0.

 

Support of Microsoft Internet Information Services (IIS) 6.0, 7.x Added: With QualysGuard PC, users can now audit Microsoft Internet Information Services 6.x and 7.x configurations. The technology will be released with a set of controls supporting the CIS Microsoft IIS 7 Benchmark v1.3.0 and CIS IIS 5.0/6.0 Benchmark v1.0.0.

 

Support of IBM WebSphere Application Server 7.0 Added: With QualysGuard PC, users can now audit IBM WebSphere Application Server 7.0 running on Unix. The technology will be released with a set of security controls.

 

Policy Editor: The new Policy Editor is no longer Beta. It is now the official editor for managing your policies. The old policy editor is still available for a limited time. Introduced with QualysGuard 7.9, the new policy editor is designed to be user-friendly, with intuitive workflows, and scalable for large policies. It includes a number of new features:

  • Quick overview pane with the number of controls, the number of sections, the technologies associated, the applied groups, and more
  • Drag and drop of sections and controls
  • Quick search to directly access the control configuration page
  • Reference field to map a Qualys control (CID) to authority documents or internal policies
  • New search control window only shows controls that are relevant to the policy
  • Quick navigation between controls using the arrow keys


 

QualysGuard API Enhancements: New Asset Management and Asset Tagging API

A new API to manage assets and asset tags, including dynamic tags, in the Asset Management module is now available in production. Details are in the QualysGuard Asset Management and Tagging API User Guide.

 

Full release notes will be available to customers from within the Resources section of your QualysGuard account.

 

Release Schedule

For details about the release dates and to subscribe to release notifications by email, please see the following:

 

Tip: What's my platform


An air gap network, sometimes called an isolated network, is a set of systems that are intentionally isolated from the Internet or other networks for increased security. If there is an air gap, i.e. no physical connection between your systems and unsecured networks or the Internet, then you have better protection against data leakage or intrusion.

 

Air gap networks are most common in production or manufacturing environments, such as nuclear power plants or where SCADA-type systems are installed; in military or government organizations; and in sensitive financial applications like stock exchanges. Despite the air gap, these environments still can require security audits to ensure that other defense-in-depth controls are in place and working properly. For example, it is believed that the well-known Stuxnet virus entered the systems via a USB stick, showing how an air gap is not a foolproof security measure. In these cases, Qualys sees demand from our customers for a QualysGuard scan across the air gap.

 

Scanning an air gap network can be done using a QualysGuard Virtual Scanner appliance on a laptop connected over a MiFi connection. In this configuration, the laptop runs a wireless router acting as a mobile Wi-Fi hotspot providing Internet access via a cellular network and a mobile carrier. The virtual appliance is usually more convenient than a physical appliance, especially for consultants who prefer to run the virtual appliance on their own laptop.


 

Security

In terms of security, the air gap network owner should look at both the configuration of the laptop attached to the network and the QualysGuard Virtual Scanner Appliance installed on the laptop.

 

For the laptop, the network owner typically vets the consultants running the scans and requires them to demonstrate the security controls they have implemented on the computer.

 

For the QualysGuard Scanner Appliance, Qualys has built a series of features to ensure that only scan data is transmitted out of the network and only to the QualysGuard platform. Specifically, the appliance is designed as a client-only device with no persistent services or daemons listening to the network. The scanner appliance runs a specifically hardened operating system kernel designed to prevent shell-code and buffer overflow attacks.

 

The scanner appliance does not require inbound Internet connections; it initiates all communications to the QualysGuard platform using HTTPS on port 443 over the Internet, so there is no need for inbound firewall rules. The QualysGuard platform IP networks are known and can be used to create outbound firewall rules that restrict all outbound Internet IP communications from the scanner appliance to only the QualysGuard platform IP networks.

 

The QualysGuard Scanner Appliance is limited in its function as a pure host on the network; it has no ability to route packets, even when multiple network interfaces are active in the split network configuration that is used for air gap networks. The appliance scans local systems, processes the resulting data, and then sends the processed data to the QualysGuard platform. The appliance runs no routing or bridging service.

 

The QualysGuard Scanner Appliance is packaged as a network appliance, pre-installed with Scanner Appliance software, and pre-configured for ease of installation and deployment within an enterprise. It is available as a physical device or a virtual image that can be deployed on various hypervisors, including virtual solutions for desktop and laptops such as VMware Player, VMware Fusion and Oracle VirtualBox.

 

Performance

The network performance of a QualysGuard scanner appliance connected via MiFi to the QualysGuard platform is equivalent to the performance of scans performed with a virtual scanner appliance and a laptop with “regular” Internet connectivity. The results of the performance tests demonstrate this, even for slower MiFi connections. The amount of data sent from the appliance to the QualysGuard data center is small enough that performance is not impacted.

 

Defense in Depth

The use of QualysGuard by organizations with greater-than-normal security requirements is a validation of both the value of the service and the strength of its security controls. But more importantly, it is a reminder that no matter the environment, the best practice is always to use defense in depth, i.e. multiple layers of security controls throughout all IT systems.

 

Please read the associated technical note, based on a recent customer RFP, for more information on How to use QualysGuard Virtual Appliance on a laptop connected to the Internet via MiFi.


With QualysGuard 7.8, customers can now create new Vulnerability Scorecard Reports and set remediation goals to measure and monitor the performance of the teams in charge of fixing vulnerabilities in their companies. Enhancements to the Vulnerability Scorecard Reports will help security professionals better monitor the progress of their vulnerability remediation process.

 

In addition, Dynamic Asset Tagging and Management, which automatically identifies, categorizes and manages large numbers of assets in highly dynamic IT environments, is now integrated with Vulnerability Scorecard Reports. This integration gives security managers and executives always up-to-date reports that measure the number of vulnerable hosts per business unit against a list of vulnerabilities that represent the most important security risks.

 

These reports also display the groups of assets, or business units, that are meeting their goals in terms of fixing these vulnerabilities. Furthermore, Vulnerability Scorecard Reports provide additional vulnerability management metrics and statistics, giving managers and unit managers more visibility into the efficiency of fixing critical and important vulnerabilities that expose their business to IT risks.

 

The Vulnerability Scorecard Reports offer these new capabilities:

  • Customizable Business Risk Goals represent the maximum allowed percentage of vulnerable hosts per asset tag or asset group.


 

  • Support for Vulnerability Search Lists: search lists can be used as a set of vulnerabilities that must be fixed according to their security risk, and the scorecards will measure the remediation progress and report the entities that have met their goal.

 

  • Breakdown of Vulnerabilities per Asset Tag and Asset Group organizes assets by business units, technology, or other organizational entities.


 

  • Number of New, Active, Fixed and Re-Opened Vulnerabilities gives insight into vulnerability scanning and remediation performance.


 

  • Number of Vulnerabilities by Age shows the number of vulnerabilities that are less than one month, two months or three months old.


 

  • Number of Vulnerabilities by Type shows the breakdown of confirmed vulnerabilities versus potential vulnerabilities.


 

  • Vulnerability Scorecards can be scheduled on a daily, weekly or monthly basis to continuously monitor remediation progress.
  • Vulnerability Scorecards can be exported in CSV format automatically via the API or manually in the UI, for easy integration into external security performance dashboards.

 


Oracle just released an extremely important critical patch for Java. It fixes an impressive number of vulnerabilities, and it is recommended to install this update as fast as possible. You can read more about this here: http://laws.qualys.com/2013/02/oracle-releases-early-cpu-for.html

And here is the official page on the Oracle website: http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html

 

A new QID "120832 - Oracle Java SE Critical Patch Update - February 2013" has been released and you can use QualysGuard VM to scan your network to find the systems that require the patch.

 

Here is a preview of the report details for this QID, including a list of known exploits that are available for some of the vulnerabilities fixed by this patch:

 


IPv6 first came onto the horizon years ago, and it has seemingly stayed out there ever since. Recently, we've heard or read a lot about having run out of IPv4 addresses. But the transition is not so simple, and we find ways to extend the time until it is necessary to make IPv6 a priority. Some great information on adoption is available at Google’s “IPv6 statistics” page.

 


 

At this page, the Adoption tab shows a trend with enough historical data to tempt a statistician to extrapolate. Adding another dimension, the Per-Country adoption tab shows geographic adoption overlaid with very interesting info on connectivity issues – reliability and latency.

 

Even while global adoption is below 1%, IPv6 is showing signs of significant increase, and it is prudent to pay attention and make sure it doesn’t introduce new security exposures in your network. For instance, deploying IPv6-ready devices, such as desktops and laptops with modern operating systems, on IPv4 networks can cause problems: IPv6 traffic may bypass IPv4-specific protection systems (including firewalls and intrusion detection systems), allowing IPv6 traffic to reach unintended recipients if there is a lack of expertise in IPv6 networking. See footnote.

 

If you are interested in knowing more about the exposure of your IPv6 devices connected to the Internet, the steps below walk you through how to scan an IPv6 address using Qualys FreeScan:

 

Step 1: Create your account. If you already have an account you can skip to the next step:

 

1. Go to https://freescan.qualys.com/

 

2. Click on “Sign up”.


3. Enter your name, email address and company information as indicated in the page.

 

4. You will shortly receive your credentials by email.

 

Step 2: Use your FreeScan credentials to open a session at https://freescan.qualys.com/

 

 

Step 3: Enter your Internet facing IPv6 address in the “New IP scan” field as shown below:


 

Step 4: Wait a little while for the scan to finish. It typically takes 5 to 15 minutes:


 

Step 5: Once the scan is completed, you can review the vulnerabilities of your IPv6 device that are exposed on the Internet and can potentially be exploited, in order of criticality:


 

Whether or not IPv6 is imminent for everyone, or whether switchover is becoming a high priority, we can say that we are in a learning period whereby challenges, pitfalls and real-world problems will be exposed as all of us in the IT and security community increasingly are involved in working with IPv6.

 

To a large extent we will need experience, insight and ongoing input from the Qualys community to track and assess progress as well as setbacks, while inside Qualys we continue our work to stay ahead of the market.

 

Please let us know your feedback on utilizing this new capability in FreeScan. We'd also like to know how important IPv6 is to you in 2012, how important you expect it to be in 2013, and perhaps most importantly, how it needs to be supported by Qualys or your IT vendors.

 

 

Footnote: Draft Proposal filed with the Internet Engineering Task Force on April 27, 2012: “Security Implications of IPv6 on IPv4” by Fernando Gont of the UK Centre for the Protection of National Infrastructure


“You know only insofar as you can measure.”
        - Lord Kelvin
          
“If you want it, measure it. If you can't measure it, forget it.”
        - Peter Drucker

 

 

 

Measurement is critical in achieving objectives. But a more subtle factor drives your success: what you measure and how you measure it. These are what guide your actions.  The measurement of vulnerabilities is no exception, and with vulnerabilities, the difference between automatic and manual data and its implications are the key factors.

 

So, what is the difference?

 

Manual data is a point-in-time snapshot of vulnerability data that is tied to a single scan and shows the vulnerability posture of the hosts at the time the scan was run.

 

Automatic data is data from multiple scans normalized into a database. It is the asset-centric history of vulnerability data, built out of the results of previous scans.

 

Simple enough, right?  Let’s examine the implications.

 

Assessment vs. Management

Manual data lets you assess vulnerabilities, but you need automatic data for vulnerability management.

 

Manual data shows you where you’re vulnerable at the time of the scan.  You can think of manual data as a file folder on the left side of your desk with a folder corresponding to each scan.  Inside each folder is a piece of paper containing the forensic record of the raw results from that point-in-time scan.  The biggest limitation of this data model is that it lacks context and trending since it is a snapshot of a point in time.  For example, if you scanned on January 1 and found 500 vulnerabilities, then scanned the same assets on February 1 and found 300 vulnerabilities, what does that mean?  Did you fix all 500 vulnerabilities from January and have 300 new vulnerabilities for February?  Did you fix 200 vulnerabilities from January and have 300 left, but no new vulnerabilities in February?  There are several other potential scenarios that would also need to be considered, and determining the answer with any degree of certainty is problematic at best.

 

If you only have access to manual data, you have to perform a manual monthly process with a custom spreadsheet to attempt to reconcile and normalize the results from scan to scan to show month-over-month trending.

 

Another big problem with this data model is that it is difficult to track the lifecycle of a vulnerability on a particular host. For example, you should be careful not to assume that a vulnerability has been fixed just because you don't find it in a subsequent scan. This is a poor assumption, as there is a huge difference between "fixed" and "not found". For example, if you first scan with authentication, then scan without authentication, many vulnerabilities won't be detected in the second scan, simply because authentication wasn't used. This does not mean that the vulnerabilities are actually fixed, and it can lead to a false sense of security.

 

Lifecycle of a Vulnerability

Automatic data addresses these limitations by introducing the concept of a vulnerability's state and providing additional context that is valuable when managing the lifecycle.  Automatic data can be thought of as a large relational database on the right side of your desk that normalizes the results of every scan over time for each asset.  A vulnerability can have one of four states:

 

  • NEW: Detected for the first time
  • ACTIVE: Detected more than once
  • FIXED: Detected, then confirmed to be resolved by scanning in the *same* manner as originally detected - e.g. with authentication
  • REOPENED: Detected, confirmed to be remediated, then detected again.  This may be the result of a machine being re-imaged without all relevant patches being applied.

 


 

Automatic data also lets users mark vulnerabilities as IGNORED, and it creates an audit trail of all the transitions. The IGNORED state is complementary to the status: a vulnerability can be NEW/IGNORED or ACTIVE/IGNORED, for instance. It is a way to manage exceptions.

 

Trending and Reporting

In addition to a vulnerability's state, automatic data allows us to report on when a vulnerability was first detected, last detected, and the number of times it has been detected.  Also, vulnerability status is tracked intelligently to account for different option profiles being used.  For example, if a vulnerability is first detected using authentication, it will not be considered closed until a rescan *with authentication* confirms that the vulnerability has been resolved.  This addresses the limitation of the assumption that not found = fixed. And it prevents "saw tooth" trend results that can happen when scans are conducted with varying configurations (e.g. with / without authentication) over time.
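The state tracking described above, as an added sketch (not Qualys code): it normalizes successive scans into an asset-centric history and only marks a finding FIXED when the rescan used authentication if the first detection did. The host, dates, QID placeholders and class names are constructed for illustration, and the REOPENED-to-ACTIVE transition on a repeat detection is an assumption.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class Status(Enum):
    NEW = "NEW"            # detected for the first time
    ACTIVE = "ACTIVE"      # detected more than once
    FIXED = "FIXED"        # confirmed resolved by an equivalent scan
    REOPENED = "REOPENED"  # detected again after being FIXED


@dataclass
class Detection:
    status: Status
    first_found: date
    last_found: date
    times_found: int
    needs_auth: bool       # True if first detected by an authenticated scan
    ignored: bool = False  # exception flag, complementary to the status
    audit: list = field(default_factory=list)  # (date, old, new) transitions

    def move(self, when, new_status):
        """Change status and record the transition in the audit trail."""
        if new_status is not self.status:
            self.audit.append((when, self.status.value, new_status.value))
            self.status = new_status


class AutomaticData:
    """Asset-centric history built by normalizing successive scan results."""

    def __init__(self):
        self.detections = {}  # (host, qid) -> Detection

    def ingest(self, when, host, authenticated, found_qids):
        """Merge one point-in-time scan of one host into the history."""
        found = set(found_qids)
        for qid in found:
            det = self.detections.get((host, qid))
            if det is None:
                self.detections[(host, qid)] = Detection(
                    Status.NEW, when, when, 1, needs_auth=authenticated)
                continue
            # Assumption: a REOPENED finding that is seen again becomes ACTIVE.
            was_fixed = det.status is Status.FIXED
            det.move(when, Status.REOPENED if was_fixed else Status.ACTIVE)
            det.last_found = when
            det.times_found += 1
        for (h, qid), det in self.detections.items():
            if h != host or qid in found or det.status is Status.FIXED:
                continue
            # "Not found" is not "fixed": a finding first made with
            # authentication is only closed by an authenticated rescan.
            if det.needs_auth and not authenticated:
                continue
            det.move(when, Status.FIXED)

    def statuses(self, host):
        """Return {qid: status} for one host as a fresh snapshot."""
        return {qid: self.detections[(h, qid)].status.value
                for (h, qid) in sorted(self.detections) if h == host}


HOST = "10.0.0.5"  # constructed address
# Constructed sample: (scan date, authenticated?, QIDs found); QIDs are placeholders.
SCANS = [
    (date(2013, 1, 1), True,  ["QID-A", "QID-B", "QID-C"]),
    (date(2013, 2, 1), False, ["QID-A"]),                     # raw count drops 3 -> 1
    (date(2013, 3, 1), True,  ["QID-A", "QID-C"]),            # QID-B confirmed fixed
    (date(2013, 4, 1), True,  ["QID-A", "QID-B", "QID-C"]),   # QID-B comes back
]


def replay(scans=SCANS, host=HOST):
    """Feed the scans in order; return the database and a per-scan timeline."""
    db = AutomaticData()
    timeline = []
    for when, authenticated, found in scans:
        db.ingest(when, host, authenticated, found)
        timeline.append((when, len(found), db.statuses(host)))
    return db, timeline


if __name__ == "__main__":
    for when, raw_count, states in replay()[1]:
        print(when, "raw findings:", raw_count, states)
```

The February scan is the "saw tooth" case: the raw count falls from 3 to 1, yet QID-B and QID-C keep their status because the scan that missed them could not have confirmed a fix.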

 

This type of accurate trending information is valuable to be able to correctly report the postures of organizations and the progress (or lack thereof) over time in remediating vulnerabilities in their environments.  Using the QualysGuard Detection API, this concept of vulnerability state/trend information can be included in data integrated with third party platforms (e.g. SIEM, GRC, etc).  Without automatic data, organizations are left to extremely manual, time-consuming, and error-prone approaches to attempt to measure and track the effectiveness of their vulnerability management programs over time.

 

Decoupling Reporting / Remediation from Scanning

One other main benefit of automatic data is that it allows the scanning and reporting/remediation efforts to be decoupled since all the data is tracked and normalized.  Scanning can be conducted according to location and reporting can be performed according to those responsible for remediation.

 

User Interface

The most obvious place where the difference between manual and automatic data is found in the QualysGuard user interface is when editing a scan report template and choosing the Scan Results Selection:

 


 

Automatic data is also used in “Status” and “Status with Trend” scan reports and Scorecard reports, as well as throughout the user interface including your dashboard, asset search results, remediation tickets and host information.

 

Automatic is the Way to Go

The difference between manual and automatic data is the difference between a vulnerability assessment program that identifies only current vulnerabilities and a vulnerability management program that drives the remediation of vulnerabilities over time. Automatic data makes QualysGuard the only vulnerability management solution that can differentiate between vulnerabilities that are actually fixed, versus those that simply weren't detected.

 

 

Contributors to this article: Jason Falciola, Steve Ouzman, Karl G. Schrade, and Leif Kremkow.


29 April 2013: edited with new screenshot

 

Trusted scans collect more detailed vulnerability information than “un-trusted” remote scans. That’s not surprising: with a trusted scan, the QualysGuard scanner logs into the target machine and reads configuration data including registry values and configuration files on the file system, just like a regular user session could. QualysGuard uses the configuration data to verify whether or not certain vulnerabilities exist. When running un-trusted remote scans, QualysGuard collects data by pinging network-accessible services on the target machine and interpreting the responses.  QualysGuard then reports security issues that a remote attacker might use to access those systems. This approach misses local vulnerabilities such as those requiring user interaction from the browser or email client. Also, the response sometimes indicates the machine has a potential vulnerability, but not whether it is a confirmed vulnerability. Often a configuration value available via a trusted scan is required to determine if the potential vulnerability can be ignored or should be classified as a confirmed vulnerability.

 

For policy compliance, QualysGuard always performs trusted scans because system configuration data is required to verify compliance checks, such as password strength. For vulnerability management (VM) scans, QualysGuard administrators can choose either trusted or remote scans. But they often perform remote scans, even though they would benefit from the more detailed data collected in trusted scans.

 

In large organizations where thousands of machines are scanned regularly for vulnerabilities, managing passwords is a challenge. Currently administrators must manually provide QualysGuard with login credentials for each asset to be scanned.  Password policies add more complexity; for example if a password ages out and gets changed, then those changes must be passed to QualysGuard so that its passwords remain current. The teams in charge of managing the scans usually don’t own the scanned machines.

 

Better Manageability with Cyber-Ark Integration

 

Using QualysGuard integration with Cyber-Ark Privileged Identity Management (PIM) Suite, management is simplified because organizations no longer need to store a copy of their passwords in QualysGuard. QualysGuard stores a pointer to the location of the password information in the Cyber-Ark Enterprise Password Vault® of the PIM suite, and the scanner appliance requests the password when it needs to perform the trusted scan.  Because passwords are maintained in the Cyber-Ark Enterprise Password Vault®, the organization can change passwords at will or by using any policy via Cyber-Ark without having to worry about synchronizing those changes to QualysGuard.

 


 

Increased Security, Control and Audit of Login Credentials

 

While QualysGuard has industry-leading protections on the data it stores, some organizations that are particularly sensitive to password controls now have the assurance that QualysGuard no longer needs to store passwords centrally. In fact, an organization could set up a password policy to change its passwords via Cyber-Ark PIM Suite immediately after each password is used by QualysGuard to perform a trusted scan.

 

To revoke access, an administrator only needs to disable one user in Cyber-Ark instead of changing the relevant password on each target machine. Cyber-Ark can also store an audit trail of all uses of the login credentials.

 

How it Works

 

Configuring Trusted Scans: Without the Cyber-Ark integration, an admin configures QualysGuard with the logins and passwords that will be used for the trusted scans. With the Cyber-Ark integration, the admin configures QualysGuard with the Cyber-Ark Enterprise Password Vault® server and the correct safe within the vault where the passwords are stored (see Figure 1) and the Windows or Unix authentication record specifying an authentication vault for a specific trusted scan (see Figure 2).

 


 

Figure 1 - Create a Cyber-Ark authentication vault record in QualysGuard

 


Figure 2 - Create a Windows or Unix authentication record specifying the use of an authentication vault

 

 

Running Trusted Scans: When the scan is ready to run, QualysGuard sends a request to the scanner appliance to run the trusted scan.  Instead of specifying the password of the target machine, QualysGuard specifies the IP address of the Cyber-Ark Enterprise Password Vault® server and the name of the safe.  The scanner appliance then passes this information to Cyber-Ark and requests the password for the given username, which it uses to log into the target machine and perform the trusted scan.  After performing the scan, the scanner deletes every trace of the password and sends the scan results back to QualysGuard. The process is done.

 

See the QualysGuard - Cyber-Ark PIM Suite Integration demo.

See the Cyber-Ark Integration: Technical Presentation and Demo.

 

Better Information for Stronger Security

 

For organizations that currently perform trusted scans, password management is now easier and more secure. This integration will hopefully encourage organizations to expand their trusted scanning across their global assets to collect better vulnerability and compliance data from their systems.


