
A new release of Qualys Cloud Suite, Version 8.7, includes an API update targeted for release in January 2016. The specific day will differ depending on the platform; see the platform release dates for more information. This API notification provides an early preview of the coming API changes, allowing you to proactively identify any changes that might be required for your automated scripts or programs that use the API methods.

This release includes features with changes to XML, CSV output, and/or DTD which could impact existing API implementations. Notification about other new API features, along with additional details and examples, will be posted prior to the release.

For details about the changes, please see the attached detailed release notification below.

What's New

  1. Scan Report List - New Target Element
  2. VM - Vulnerability Threat Intelligence Information
  3. VM - Easily Identify Vulnerabilities Supported by Module
  4. VM - First Found Date Added to Asset Search Report CSV, XML

Scan Report List - New Target Element

The Scan Report List API (/msp/scan_report_list.php) is used to retrieve a list of saved scan reports in XML format. A new TARGET element in the XML output lists the IP address(es) that were scanned. In previous releases, the target was shown as an attribute of the SCAN_REPORT element.  There are changes to the XML output and DTD.

VM - Vulnerability Threat Intelligence Information

We’ve added Real-time Threat Indicators to the vulnerabilities in our KnowledgeBase and you can easily report on them to get threat intelligence information right away.

Real-time Threat Indicators are data points collected per vulnerability that contain accurate, timely and actionable information aggregated from multiple reliable data sources, allowing you to prioritize and filter the flood of security alerts.

Current Real-time threat indicators include values such as Zero Day, Exploit Public, Active Attacks, High Lateral Movement, Easy Exploit, High Data Loss, Denial of Service, No Patch.

Changes are made to the Dynamic Search List API (v2), KnowledgeBase API (v2), and KnowledgeBase Download (v1).  Please review the release notes for details of the changes to the API calls, XML Output, and DTD.

VM - Easily Identify Vulnerabilities Supported by Module

Now you can find out what vulnerabilities in our KnowledgeBase are supported by different Qualys modules - VM, Cloud Agent, WAS, WAF and MD. Use the KnowledgeBase Search option to identify vulnerabilities that can be detected by VM scans, Windows Cloud Agent and Linux Cloud Agent plus more. We’ve added a supported modules section to the vulnerability (QID) information, and this is where you’ll see the Qualys modules that may be used to detect each QID.

Changes are made to the Dynamic Search List API (v2), KnowledgeBase API (v2), and KnowledgeBase Download (v1).  Please review the release notes for details of the changes to the API calls, XML Output, and DTD.

VM - First Found Date Added to Asset Search Report CSV, XML

You can now view the First Found Date of an asset in the same way you download other data of the Asset Search Report.

The report can be downloaded from the Asset Search Report page, or via the Asset Search API (v1).

Please review the release notes for details of the changes to the API calls, XML Output, and DTD.

Many customers that use the Qualys Cloud Platform for vulnerability management are also using Splunk Enterprise to collect their security and compliance data. Thanks to the new Qualys App for Splunk Enterprise with the included Qualys Technology Add-on, customers can monitor and evaluate real-time threat alerts and analysis through a single dashboard. With this unified perspective, customers achieve a more complete picture as well as a streamlined workflow – across their entire infrastructure.

Big Data Analytics + Vulnerability Data

The Qualys App for Splunk Enterprise offers access to valuable, integrated vulnerability data that empowers security operations and incident response teams to more efficiently gather the information needed to identify where and when their organization may be vulnerable to attack. Additionally, this integration can be leveraged to collect, analyze and report audit data for accelerated and continued compliance with standards such as PCI, HIPAA, SOX, NIST, and more.

How It Works

The Qualys App for Splunk Enterprise, which can be found in Splunkbase, accesses the Qualys VM data through the Qualys Cloud Platform API. The app streamlines the importing (with ETL capabilities) of the Qualys vulnerability and KnowledgeBase data into Splunk. Within Splunk Enterprise, the Qualys App provides a vulnerability dashboard containing a variety of summary charts as well as multiple vulnerability search tools. For example:

The main Dashboard includes information on Total Hosts, OS Distribution, Top 10 Hosts and Most Prevalent Vulnerabilities (Figure 1).

Figure 1: Dashboard

Days Since Last Scan (Figure 2) provides a timeline of the number of Hosts Scanned, the OS Distribution, as well as details on the individual hosts in the bottom pane.

Figure 2: Days Since Last Scan

With Search for Vulnerabilities (Figure 3), one of the two search tools, users can search for vulnerabilities by Qualys ID, vulnerability name, time range, whether or not they are patchable, and whether they are potential or confirmed. Details on the affected devices are provided in the lower pane.

Figure 3: Vulnerability Search

The other search tool, Qualys Vulnerability Search (Figure 4), provides a timeline of vulnerability counts as well as individual event details. Users can build complex searches across all of the available vulnerability fields and save those searches for repeated use.

Figure 4: Qualys Vulnerability Search

The examples above are just the proverbial “tip of the iceberg.” Additional tools include the Qualys KnowledgeBase, Hosts and the IP Lookup Form. The Dashboard also includes preconfigured searches and reports, and can also be configured to display data in formats and aggregations that match your organization’s needs.

Getting Started

Getting started is easy if you’re presently a joint Qualys-Splunk customer.

  • Download the App – We're in the homestretch for certification, with just a few more details that need to be ironed out. Please check back later this week for the new App's download link. For now you can download the present version of the Qualys App for Splunk Enterprise (1.2.2 beta) from Splunkbase. If you come across "TA-Qualys" in Splunkbase, please note that that entry temporarily exists as part of the certification process, but nothing is available for download there.
  • Ensure You Have Qualys API Access and the Qualys KnowledgeBase Enabled – You will need a Qualys account that includes Vulnerability Management and API access. If your account does not have API access, please contact your Qualys Technical Account Manager to add it and also check that the Qualys KnowledgeBase is enabled for your account.
  • Sign up for a Splunk Account – Since the app only works with Splunk Enterprise, you will also need a Splunk Enterprise account. Please contact your Splunk sales representative if you need to upgrade to Splunk Enterprise.

It will only take you a few minutes to upload the app to Splunk, enter your Qualys credentials and the URL for your Qualys API server platform, and voilà, you're ready to set the default schedule for syncing data. The first time the app connects to the Qualys API it pulls all data; after that it pulls changes only.

Once you start using the app, you’ll see that its biggest benefit is the ability to transform Qualys vulnerability data into user customizable, dynamic reports and dashboards to help quickly identify and respond to the most critical threats within your enterprise. Also for the first time, you’ll be able to correlate Qualys and other security data such as IDS/IPS logs in Splunk to create a holistic view of your security posture across multiple tool sets.

Resources

ForeScout Integrates with Qualys to Provide Joint Customers Real-time Vulnerability Management Assessment and Mitigation Capabilities

Qualys and ForeScout Technologies, Inc. recently announced a partnership which integrates Qualys Vulnerability Management (VM) and ForeScout CounterACT, to provide joint customers with real-time assessment and mitigation capabilities against vulnerabilities, exposures and violations. This post will detail how the integrated solution can help organizations improve timeliness and efficacy of their vulnerability assessments, automate policy-based mitigation of endpoint security risks, and reduce security exposures and their attack surface.

How CounterACT Works with Qualys

If you’re not familiar with CounterACT, it is an appliance that identifies and evaluates network users, endpoints and applications to provide visibility, intelligence and policy-based mitigation of security problems. Policies within CounterACT allow you to evaluate one or more conditions and, based on the results, take one or more actions. Let’s look at a simple example in the case where a new endpoint is added to the enterprise network (Figure 1).

Figure 1: ForeScout-Qualys VM Workflow Resulting from Addition of a New Endpoint

Of course the IT security team doesn’t want a vulnerable machine to be added to the network, so a simple policy can be created within CounterACT to ensure various steps are taken to vet that endpoint before it’s granted full network access. As soon as the endpoint is connected to the network (Step 1), CounterACT detects it, knows it’s a new endpoint and can isolate it until it can be scanned for vulnerabilities.

CounterACT then requests Qualys VM, via its REST-based API, to initiate a scan on that device (Step 2). Qualys VM performs the scan (Step 3) and returns the results to CounterACT (Step 4). For this simple example, let’s assume that a CounterACT user reviews the scan results, sees that the endpoint has several vulnerabilities and decides to temporarily block it from the network (Step 5). The policy can then instruct CounterACT to remediate the endpoint as CounterACT integrates with 3rd-party patch management solutions (e.g., Microsoft SMS/SCCM, WSUS, etc.). After the endpoint is patched, this policy workflow would restart with CounterACT asking Qualys VM to rescan the endpoint (Step 2), and once it is determined that it is a “clean” machine, CounterACT will grant it full network access.

Automated Detection and Mitigation

This is just one example of how the integrated ForeScout/Qualys solution can leverage CounterACT’s continuous monitoring capabilities to increase the chances of detecting transient devices as they join the network. A small sampling of the capabilities of the combined solution:

  • Each time the enterprise initiates its standard periodic vulnerability scan (e.g., weekly), CounterACT will compare the endpoints in the scan results with what is in the CounterACT Inventory. If there are endpoints that are missing from the scan results (usually because they were not connected and/or powered on when the scan occurred), CounterACT can ask Qualys VM to initiate a scan for those endpoints when they next appear on the network.
  • Depending on the maturity of the enterprise’s vulnerability management and remediation programs, there may be an extended period of time between when a vulnerability is discovered and when it is remediated, leaving those affected endpoints open to compromise. In these cases CounterACT has the ability to: 1) isolate them from the network, 2) block ports or shut down services that are causing the endpoint to be vulnerable or 3) patch the machine via CounterACT’s integration with 3rd-party patch solutions.

The combined solution can also automate remediation and reduce the gap between detection and mitigation of risks. For example, once the Qualys VM system scans a device, CounterACT analyzes the scan results and initiates risk mitigation actions if vulnerabilities are detected.

So there you have it: by combining the functionality of Qualys VM and ForeScout CounterACT, the integration provides joint customers with real-time assessment and mitigation capabilities against vulnerabilities, exposures and violations.

Implementation Resources

This integration can be obtained from the ForeScout customer portal as a 3rd-party plugin within their Vulnerability Assessment Integration Module. Install the plugin, do some very basic configuration (e.g., provide CounterACT your enterprise’s Qualys API credentials, etc.), and you’re ready to begin creating policies (in addition to those that are included out of the box).

Learn more about:

This new release of the Qualys Cloud Suite, version 8.5, includes updates for usability and functionality across the platform as well as Vulnerability Management and Policy Compliance.

Cloud Platform: You can now add multiple scanners to a scan, simplifying the balancing of scans across devices in large deployments.  Also, a number of improvements have been added making it easier to work with and report on Authentication Records along with several improvements to notifications.

Vulnerability Management: There are several scanning and reporting improvements in this release, along with the initial capabilities for SSL Labs integration into VM.

Policy Compliance: There are several improvements to make it easier to use Policy Compliance by hiding unneeded technologies and policies throughout the UI. You can also now create a CSV Report of your policy configuration, a feature many have been asking for! Platform support has been expanded with coverage for new technologies, and the UDC has been enabled for 8 new versions of popular OSes.

Feature Highlights

Qualys Cloud Suite 8.5 will be released in the coming weeks.  For release notifications containing details specific to each platform, including the release date, and to subscribe to release notifications for your platform, please see the following:

Qualys Cloud Platform Updates

Select Multiple Scanner Appliances for Scans

With this release you can select multiple scanner appliances for your internal vulnerability and compliance scans (PC and SCAP). This is especially useful when scanning a large number of hosts because it allows you to distribute the scan task across scanner appliances.

Set Expiration Date for Excluded Hosts

You can now set an expiration date when adding IPs to the Excluded Hosts list. When the date is reached, the IPs are automatically removed from the list and made available again for scanning. We’ll send you an email 7 days before removing the IPs, allowing you time to change the date if you want. To notify other users, simply add distribution groups and the email will be sent to them as well.

Last Scan Date added to Authentication Record Details

Drill down into authentication record details to see the date/time of the last authenticated scan for each host in the record. This is when the Pass/Fail status was last updated for the host.

The Credentials Breakdown options (on the authentication dashboard) only consider hosts scanned in the last 30 days. Now you can easily identify hosts that aren’t being counted because they were scanned more than 30 days ago.

More Host Info in Authentication Reports

The following information has been added to the report for each host: 1) the host’s operating system, 2) the last time you scanned the host with authentication, and 3) the last time authentication was successful.

Send Email Notifications to Bcc List

You can now select “Send as Bcc” in your distribution group settings. We’ll hide the list of recipients any time the distribution group is selected for a notification - scan notifications, report notifications, vulnerability notifications, etc.

Get Notified Before Your Account Expires

The Manager Primary Contact (for the subscription) will now receive an email notification when the account is going to expire with details on how to renew.  The email is sent 45 days, 30 days, 14 days and 7 days before the expiration date, and every day after that until the expiration date.

Vulnerability Management (VM)

SSL Labs Grade added to Certificates List

We’re excited to announce that we’ve integrated SSL Labs with Qualys VM. When enabled, you’ll get a letter grade (A+, A, A-, B, C, D, E, F, T, M, NA) for each certificate on your certificates list. Grades are updated automatically each time new vulnerability scan results are processed for your hosts.  Please Note – The SSL Labs Grade feature must be enabled for your subscription. Please contact your Technical Account Manager or Support to get this feature.

Algorithm added to Certificates List

For each certificate you’ll see the algorithm (sha1WithRSA, md5WithRSA, etc.) in the new Algorithm column. Just go to VM > Assets > Certificates to see it.

Identify Vulnerabilities on Non-Running Kernels

With this release, users can create reports that show non-running kernels in the vulnerability details. This way you can identify vulnerabilities found on a kernel that is not the active running kernel.

A new option “Display non-running kernels” has been added under “Non-Running Kernels” on the Filter tab of report templates for scan, patch, and scorecard reports.

View QIDs Applicable to Report Filters

With this release you can identify the vulnerabilities that apply to these report template filters: “Exclude QIDs on non-running services” and “Exclude QIDs not exploitable due to configuration”. These filters appear in templates for scan reports, patch reports and scorecard reports.  You can also find these QIDs in the KnowledgeBase and create a search list based on these options.

Select time frame for Scorecard Reports

We have enabled time frame selection for Scorecard reports. This means only the scan results during the period you define will be displayed in the Scorecard Report. Using the Host Scan Date you have options such as today, all dates before, all dates after, date range, in the previous day/week/month/year, etc. to define the time frame.

Policy Compliance (PC)

Ability to Deactivate Policies

You can now mark policies that you are not using in your account as Inactive. Policies in an inactive state will not be scanned or reported on.

You may want to hide a new policy while you’re working on it and then publish it at a later time. Or let’s say a policy has become out of date and you want to edit the policy before republishing it. In such cases you mark the policy inactive and make the required changes. Only after you activate the policy will it be available for scanning and reporting.

When you deactivate a policy:
- No posture evaluation will take place for the policy
- The policy will be hidden from your dashboard, reports and exceptions
- Any policy report schedules for the policy will be deactivated
- The policy will be removed from compliance scorecard reports
- The policy will be removed from option profiles (with the Scan by Policy option enabled)

View Preferred Technologies with Configurable Account Filters

You can now hide technologies that you do not use on a regular basis.  By hiding these technologies, you no longer need to go through the whole list of all the available technologies to select the ones you want.  This is especially useful while searching controls by technologies. Only the controls related to the preferred technologies are displayed and are available for search.

Platform Support for Apache Tomcat and Microsoft SQL Server 2014

We now support compliance scans for Tomcat servers running on Unix hosts. Simply create a new Tomcat Server authentication record with details about your Tomcat installation and instance. Unix authentication is required, so you’ll also need a Unix record for the host running the server.

Instance-based support has been added for Microsoft SQL Server 2014.  You will use the same Authentication Records and configuration as you have in the past for older supported versions of Microsoft SQL Server.

Extended UDC Support for New Technologies

These technologies are now supported for user defined controls:

  • Windows 8.1
  • Windows Server 2012 R2
  • Mac OS X 10.10
  • Mac OS X 10.9
  • Red Hat Enterprise Linux 7.x
  • Oracle Enterprise Linux 7.x
  • CentOS 7.x
  • Ubuntu 12.x

Export Policy Configuration Details to CSV

You can now export a policy to your local system in CSV format. This lets you quickly and easily share the policy and compare it to other policies you may have. A policy exported in CSV format will display information about Sections, Controls and Expected values.

Evidence Details Added to SCAP CSV Report

Evidence Details have been added to the SCAP CSV Report. By reviewing the evidence you can determine why a rule passed or failed for a host. The evidence content includes nodes (definitions and test sections) that represent the logic of the rule and the scan tests performed on the host.

Example:

<EVIDENCE>
  <definition id="oval:gov.nist.usgcb.xp:def:45" title="Access Audit for Global System Objects Disabled" description="Audit the access of global system objects is disabled" result="Pass"/>
  <AND result="Pass">
    <definition id="oval:org.mitre.oval:def:105" title="Microsoft Windows XP is installed" description="The operating system installed on the system is Microsoft Windows XP." result="Pass"/>
    <test id="oval:gov.nist.usgcb.xp:tst:9" comment="Registry key HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\AuditBase Objects matches oval:gov.nist.usgcb.xp:var:45" result="Pass">
      <expected>type : reg_dword ^(0|1)$</expected>
      <actual>HKEY_LOCAL_MACHINE System\CurrentControlSet\Control\Lsa AuditBaseObjects reg_dword 0 32_bit </actual>
    </test>
  </AND>
</EVIDENCE>
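As an added example (not Qualys code), a small Python parser for the evidence block above that reports the rule verdict and lists the failing tests with their expected and actual values. It assumes the layout shown above (a top-level definition for the rule, logical operator nodes such as AND, nested definition and test nodes with a result attribute, and expected/actual children under each test) and includes a constructed failing variant of the same evidence.

```python
"""Explain a SCAP rule result from the <EVIDENCE> XML in a Qualys SCAP CSV report.

Added example, not Qualys code. Assumes the evidence layout shown in the release
note: a top-level <definition> for the rule, logical operator nodes such as <AND>,
nested <definition> and <test> nodes that each carry a result attribute, and
<test> nodes holding <expected> and <actual> children.
"""
import xml.etree.ElementTree as ET

# Evidence block copied from the release note (a passing rule).
PASSING_EVIDENCE = r"""<EVIDENCE>
  <definition id="oval:gov.nist.usgcb.xp:def:45" title="Access Audit for Global System Objects Disabled" description="Audit the access of global system objects is disabled" result="Pass"/>
  <AND result="Pass">
    <definition id="oval:org.mitre.oval:def:105" title="Microsoft Windows XP is installed" description="The operating system installed on the system is Microsoft Windows XP." result="Pass"/>
    <test id="oval:gov.nist.usgcb.xp:tst:9" comment="Registry key HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\AuditBase Objects matches oval:gov.nist.usgcb.xp:var:45" result="Pass">
      <expected>type : reg_dword ^(0|1)$</expected>
      <actual>HKEY_LOCAL_MACHINE System\CurrentControlSet\Control\Lsa AuditBaseObjects reg_dword 0 32_bit </actual>
    </test>
  </AND>
</EVIDENCE>"""

# Constructed variant of the same rule: the registry value is 2, so the test, the
# AND node and the rule all fail while the OS check still passes.
FAILING_EVIDENCE = r"""<EVIDENCE>
  <definition id="oval:gov.nist.usgcb.xp:def:45" title="Access Audit for Global System Objects Disabled" description="Audit the access of global system objects is disabled" result="Fail"/>
  <AND result="Fail">
    <definition id="oval:org.mitre.oval:def:105" title="Microsoft Windows XP is installed" description="The operating system installed on the system is Microsoft Windows XP." result="Pass"/>
    <test id="oval:gov.nist.usgcb.xp:tst:9" comment="Registry key HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\AuditBase Objects matches oval:gov.nist.usgcb.xp:var:45" result="Fail">
      <expected>type : reg_dword ^(0|1)$</expected>
      <actual>HKEY_LOCAL_MACHINE System\CurrentControlSet\Control\Lsa AuditBaseObjects reg_dword 2 32_bit </actual>
    </test>
  </AND>
</EVIDENCE>"""


def _walk(node, depth, out):
    """Depth-first walk collecting every definition, operator and test node."""
    out.append({
        "tag": node.tag,
        "depth": depth,
        "id": node.get("id", ""),
        "title": node.get("title") or node.get("comment", ""),
        "result": node.get("result", ""),
        "expected": (node.findtext("expected") or "").strip(),
        "actual": (node.findtext("actual") or "").strip(),
    })
    for child in node:
        # <expected>/<actual> are leaf text holders of a test, not evidence nodes.
        if child.tag not in ("expected", "actual"):
            _walk(child, depth + 1, out)


def parse_evidence(xml_text):
    """Return the evidence tree as a flat list of node dicts in document order."""
    root = ET.fromstring(xml_text)
    if root.tag != "EVIDENCE":
        raise ValueError(f"expected <EVIDENCE> root, got <{root.tag}>")
    nodes = []
    for child in root:
        _walk(child, 0, nodes)
    return nodes


def rule_result(xml_text):
    """(id, result) of the rule's own OVAL definition: the first top-level <definition>."""
    top = next(n for n in parse_evidence(xml_text)
               if n["tag"] == "definition" and n["depth"] == 0)
    return top["id"], top["result"]


def failing_tests(xml_text):
    """The <test> nodes that did not pass: the leaves that explain a failed rule."""
    return [n for n in parse_evidence(xml_text)
            if n["tag"] == "test" and n["result"] != "Pass"]


def explain(xml_text):
    """Human-readable lines: the rule verdict, then each failing test with expected vs actual."""
    rule_id, result = rule_result(xml_text)
    lines = [f"{rule_id}: {result}"]
    for t in failing_tests(xml_text):
        lines.append(f"  {t['id']} ({t['result']}): expected {t['expected']!r}, "
                     f"actual {t['actual']!r}")
    return lines


if __name__ == "__main__":
    for evidence in (PASSING_EVIDENCE, FAILING_EVIDENCE):
        print("\n".join(explain(evidence)))
```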

Release Schedule

For release notifications containing details specific to each platform, including the release date, and to subscribe to release notifications for your platform, please see the following:

This new release of the Qualys Cloud Suite, version 8.4, includes updates for usability and functionality across the platform as well as Vulnerability Management and Policy Compliance.

Feature Highlights

Qualys Cloud Suite 8.4 will be released in production in the coming weeks and includes enhancements to Vulnerability Management (VM) and Policy Compliance (PC), the Qualys Cloud Platform and the API.

For release notifications containing details specific to each platform, including the release date, and to subscribe to release notifications for your platform, please see the following:

Qualys Cloud Platform Updates

Launch Scan from the Host Assets List

We’ve heard from customers the need to quickly perform ad-hoc scans directly from the host assets list; the following two features will enable that capability.

Launch Scan on EC2 Classic Hosts Only

Now you can avoid scanning VPC hosts in a selected EC2 region. Just select the new checkbox “Only scan EC2 Classic Hosts in the region” when defining your EC2 scan.

We’ve received feedback that deleting networks was previously a long task because the data within the networks had to be removed first. We’ve now automated that task and provided a wizard that details exactly what you’re deleting.

Delete Networks with Data

Now you can easily delete networks, even if there is data associated with your network.

We’ll provide you with a conflict report when the network has data associated with it like assets, schedules and scanner appliances. Review the report for all the details.

Check out this sample report:

Support for MySQL Authentication

We’ve expanded database authentication to include MySQL databases.

Show Passing Credentials in Breakdown

With one click you can find authentication records with credentials that were successful 100% of the time (in the last 30 days). Tip – The credentials breakdown is a great way to learn about your records – which ones are failing, problematic, unused, etc.

Change Your Time Zone

Your time zone setting affects how dates/times will be shown in the UI and reports. By default it’s set to your browser’s time zone (Auto). Your time zone selection will be the default for new schedules. You can override the time zone in the Scheduling details.

New Columns added to the Users List

The SAML SSO column identifies whether SAML is enabled for the user’s account. The External ID column shows the external ID assigned to the user, if any.

New columns are hidden initially. When the option is selected to show the columns in the list, the details will appear in downloaded reports. You can quickly find users that have SAML SSO enabled or disabled by using the Search and Filter options above the Users list.

Enhanced Support for Restricted View of User Information

We’ll no longer show a user’s email address and phone number in the Users list to users outside of their Business Unit. This is in addition to the following information which is already hidden: fax, address, SAML SSO and external ID.  Managers can restrict the view of user information.

New Extended View of Asset Groups within Workflows

Users will now be able to view the asset group information when they need it – while selecting asset groups for scans and reports. Starting with release 8.4, we have made enhancements by adding an extra column named “Info” in the Select Asset Groups window. This column provides a clickable information icon against every asset group listed in the window.

The detailed information displays in a separate frame within the “Select Asset Groups” window. Users with permissions to edit asset groups can also edit the asset group.

Improved Asset Group Auto-Complete Widget

We have added improved auto-complete functionality to the Asset Groups widget for asset group selection in Scans, Assets, Reports, and other launch pages. The new multi-select combo box provides features like auto-complete, multiple selection of items, clearing all items in one go, and adding or removing the selected items. The combo box expands as the number of items increases, allowing you to view all selected items without scrolling inside the component.

Change Contact Info in Email Notifications

You may want to change the contact that appears in email notifications to ensure users are reaching out to the appropriate person or group. Managers can provide a single contact for the subscription, and they can allow Unit Managers to override the contact for each business unit.

As a Manager, you can change the name and email address to display for a contact.

Vulnerability Management (VM)

Ability to Delete Domains

While the ability to delete domains has been available by request from support, we’ve now added the ability for our customers to delete those domains themselves.

Managers can now delete domains from the subscription. Any domain can be deleted except for the system-provided domain “qualys-test.com”.

What happens next?

  • The unique domain (network/domain) will be removed from the account along with any map data associated with it. This data cannot be recovered once deleted.
  • Any scheduled maps on the domain will be deactivated at the next scheduled launch time.

Find Out when a Host was First Discovered by a Map

The Host Information window provides the detailed information including the “First Found” date.

If a dash is displayed, your host was not discovered by a map, or it was discovered before December 2011, which is when we started saving the first found date.

You can also use the Asset Search to list hosts found within a certain time frame, for example hosts found within the last 30 days.

On clicking Search the Asset Search Report opens.

Easily Disable DNS Traffic for Your Maps

If your maps are generating too much DNS traffic, overwhelming your DNS server(s), or you want to get a map back quickly, you can disable DNS traffic in an option profile and run your maps using that profile.  This option applies only to maps on target domains with netblock(s), e.g. none:[10.10.10.2-10.10.10.100].

How it works
We’ll perform network discovery only for the IP addresses in the netblocks:

  • No forward or reverse DNS lookups, DNS zone transfers or DNS guessing / bruteforcing will be made
  • DNS information will not be included in map results

New Ways to Search and View Certificates

Tag-based Certificate Search: This new option on the Certificates dashboard allows you to filter the list to only show certificates for hosts with certain tags. If you don’t see this option, Asset Tagging is not enabled for your account. Please contact your Account Manager or Support to get this feature.

Additional Certificate detection via Option Profile: Finding certificates is no longer limited to the ports only. With this new option (and the use of authentication) we can find certificates in more locations on your hosts, like in Apache, Tomcat, Java KeyStore, and Windows IIS.

Newly discovered certificates will be added automatically to your certificates list as new scan results are processed. Certificate details will include the location where the certificate was found. A certificate may be found on a port, on a location or both. A new search option lets you quickly find certificates found exclusively on ports.

View the Signature Algorithm: You can now view the signature hash algorithm in the Certificate Information page.

Note – You must run new vulnerability scans on your hosts to get this information.

New information details – signature algorithm and location – will also appear in the CSV report when you click Download.

Remediation Policy Rule – Exclude Non-Running Kernels

By selecting this option, you can be sure tickets are only created for vulnerabilities found on the running Linux kernel. Sound familiar? That’s because this filter already exists in your scan report templates for filtering vulnerabilities from your reports.

Patch Report – Display CVSS Base Scores

A new option is available in the patch report template to display CVSS base scores. For each patch, you can show the assigned score for the patch detection or the highest score across all QIDs fixed by the patch. You’ll also see the score for each QID in your report (when you choose to display QIDs).

Check out the following samples. The assigned score for patch MS10-030 is 9.3 and the highest score is 10. Also note the CVSS Base score for each QID fixed by the patch.

Most Vulnerable Hosts Report – Filter QIDs by Severity

Your Most Vulnerable Hosts Scorecard Report will now include confirmed vulnerabilities with severity 3 and above by default (previously this report included severity 4 and 5 only). Edit the filter settings in your scorecard template to include more or fewer severity levels.  When you choose to filter QIDs by severity level, you cannot also filter QIDs by search list.

 

 

This sample report shows the 10 most vulnerable hosts – the hosts with the highest number of vulnerabilities with severity levels 3, 4 and 5.  When you include confirmed and potential vulnerabilities, we’ll add them together and show the sum for each severity level.

 

 

 


Vulnerability Scorecard Report – PDF Improvements

You’ll notice these improvements to the PDF version of the Vulnerability Scorecard Report: 1) we now display the Business Risk Goal setting and 2) nicer page breaks.

 

 

 


CVSS Vectors added to CSV reports

Your vulnerability scan reports in CSV format will now show the CVSS vector for each CVSS Base and Temporal score. The vector is a string of abbreviated metrics and values that describe the components used to calculate the score. For example, you might see:

    CVSS Base
    9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

In this example, the base vector includes these metric values: Access Vector: Network, Access Complexity: Medium, Authentication: None, Confidentiality Impact: Complete, Integrity Impact: Complete, Availability Impact: Complete.
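The patch report option above (assigned score versus the highest score across the QIDs a patch fixes) and the vector column described here both come down to reading these vector strings. As an added example, not code from the Qualys report or release, here is a parser that decodes a v2 base vector into its metric names, recomputes the Base score from the CVSS v2 equations (so a mistyped or truncated vector is caught rather than trusted), and rolls the per-QID scores up to the highest score per patch. The CSV column names and QIDs in the sample are constructed for the demo; the MS10-030 scores are the 9.3 and 10 quoted above.

```python
"""Added example: decode CVSS v2 base vectors from the CSV column, recompute the
Base score, and roll scores up per patch. Not a Qualys parser; the CSV column
names and QIDs in SAMPLE_CSV are constructed for the demo."""
import csv
import io
import re
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 base-metric weights, as defined in the CVSS v2 specification.
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}
IMPACT = {"N": "None", "P": "Partial", "C": "Complete"}
NAMES = {
    "AV": ("Access Vector", {"L": "Local", "A": "Adjacent Network", "N": "Network"}),
    "AC": ("Access Complexity", {"H": "High", "M": "Medium", "L": "Low"}),
    "Au": ("Authentication", {"M": "Multiple", "S": "Single", "N": "None"}),
    "C": ("Confidentiality Impact", IMPACT),
    "I": ("Integrity Impact", IMPACT),
    "A": ("Availability Impact", IMPACT),
}
# A report cell looks like "9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)".
CELL_RE = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*\(([^)]+)\)\s*$")


def parse_vector(vector):
    """'AV:N/AC:M/Au:N/C:C/I:C/A:C' -> {'AV': 'N', ...}; rejects unknown or missing metrics."""
    metrics = {}
    for part in vector.split("/"):
        key, _, value = part.partition(":")
        if key not in WEIGHTS or value not in WEIGHTS[key]:
            raise ValueError(f"bad CVSS v2 base metric: {part!r}")
        metrics[key] = value
    missing = set(WEIGHTS) - set(metrics)
    if missing:
        raise ValueError(f"vector is missing metrics: {sorted(missing)}")
    return metrics


def describe(metrics):
    """Expand a parsed vector into the long names the report explanation uses."""
    return {NAMES[k][0]: NAMES[k][1][v] for k, v in metrics.items()}


def base_score(metrics):
    """CVSS v2 Base score equation, rounded to one decimal (half up, as the spec does)."""
    w = {k: WEIGHTS[k][v] for k, v in metrics.items()}
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0 if impact == 0 else 1.176
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    return float(Decimal(repr(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_cell(cell):
    """Split a report cell into (score, metrics) and check that the reported score
    is the one the vector recomputes to; a mismatch means the row cannot be trusted."""
    m = CELL_RE.match(cell)
    if not m:
        raise ValueError(f"unrecognised CVSS cell: {cell!r}")
    reported, metrics = float(m.group(1)), parse_vector(m.group(2))
    if reported != base_score(metrics):
        raise ValueError(f"score {reported} does not match vector {m.group(2)}")
    return reported, metrics


# Constructed sample rows: column names and QIDs are made up for the demo; the
# MS10-030 scores (9.3 assigned, 10 highest) are the ones quoted in the release notes.
SAMPLE_CSV = """Patch,QID,CVSS Base
MS10-030,100001,9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
MS10-030,100002,10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXAMPLE-PATCH-2,100003,4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
"""


def highest_score_per_patch(csv_text):
    """Roll the per-QID scores up to the highest score for each patch."""
    highest = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        score, _ = parse_cell(row["CVSS Base"])
        highest[row["Patch"]] = max(score, highest.get(row["Patch"], 0.0))
    return highest


if __name__ == "__main__":
    print(describe(parse_vector("AV:N/AC:M/Au:N/C:C/I:C/A:C")))
    print(highest_score_per_patch(SAMPLE_CSV))
```

If a cell's score does not match its vector, parse_cell raises instead of passing the row through, which is the check you want when a downstream system filters or prioritizes on the score.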

 

Want to know more? Go to CVSS v2 Complete Documentation

Here’s a sample report:

Associated Tags added to CSV reports

With this release, vulnerability scan reports in CSV format will show asset tags associated with each host listed in the report. Tags appear in a new “Associated Tags” column when your report target includes asset tags and your report template is configured for host based findings (automatic data). Associated tags already appear in other report formats like HTML and PDF.

Here’s a sample report:

Policy Compliance (PC)

Reopen Exceptions when Evidence changes

With this option, we’ll automatically reopen an exception if a future scan returns a value for the control that is different from the value at the time of the original approval, while the control is still failing.

For example, let’s say CID 1071 “Status of the ‘Minimum Password Length’ setting” has an expected value of 8 and your host returned a value of 5, which is failing. You request an exception for the host and it gets approved. The next scan of the host returns a value of 6, which is an improvement but still failing. If the reopen feature is enabled, the exception status changes from Approved to Pending. The exception will need to be re-evaluated and approved again.

You can choose this option when requesting the exception or when approving it.

You’ll see a check mark next to the Approved status when the option “Reopen exception on change of evidence” is enabled for the exception.

Criticality added to Dashboard and Reports

Get trend information and control statistics broken down by criticality. Check out the changes we made to the Dashboard, Policy Summary and Scorecard Report.

Dashboard: Get passed/failed statistics across all your policies for each criticality level.

Policy Summary: This new pie chart shows the number of failed control instances at each criticality level.

Scorecard Report: Edit your scorecard report template to select the criticality levels and sections to include in your reports.

Here’s a sample scorecard report. Check out the new pie chart in the Report Discoveries section.

Scroll down further to see the Compliance by Criticality section.

The last section of the report shows the Top 5 failed controls for each criticality level.

Apache HTTP Server 2.4 Support

We’ve extended our support for Apache Web Server authentication to include Apache HTTP Server 2.4. These technologies are already supported: Apache HTTP Server 2.2, IBM HTTP Server 7.x and VMware vFabric Web Server 5.x.

Policy Library Content and Label Updates

Finding the policy you want in our Compliance Policy Library is easier than ever. Just choose one of the new labels on the left to filter the list. “New” policies were added in the last 90 days and “Updated” policies were changed in the last 90 days.

We've also removed the unlocked versions of the CIS Benchmarks, and older content that has been replaced with newer versions of policies.

Release Schedule

For release notifications containing details specific to each platform, including the release date, and to subscribe to release notifications for your platform, please see the following:

Recently three students from the University of Saarland in Germany discovered that the MongoDB databases running on several thousand commercial web servers allow remote attackers to easily access and manipulate the database from the Internet. According to their research, it is not uncommon for MongoDB databases to be configured to accept any connection from the Internet.

In this blog I will discuss how unauthorized access works and how to check if your MongoDB is exposed. Qualys Vulnerability Management has released QID 19965 to check for this.

Qualys Detection

The Qualys detection works in two steps: it sends a query to the default MongoDB port and analyzes the response to see if an instance of MongoDB is running on that port, then sends a second query and analyzes the response to see if the MongoDB instance is open to unauthenticated access from the Internet.

Step 1: Identify MongoDB

The MongoDB service runs on TCP port 27017 by default, but database administrators can of course change it to another port.

Every MongoDB Wire Protocol message begins with this header:

struct MsgHeader {
    int32  messageLength; // total message size, including this header
    int32  requestID;     // identifier for this message
    int32  responseTo;    // requestID from the original request
                          //   (used in responses from the db)
    int32  opCode;        // request type
}

To identify the service, a message with the Query opCode and a “whatsmyuri” command in the request is sent.

In the reply from the MongoDB service, you should see your “requestID” at offset 9, followed by \x01\x00\x00\x00. This signifies that it is a response to your previous request. You can also match other fields, such as “you” or “ok”, in the returned document to confirm that MongoDB is running, as shown in the screen capture below.

[Screenshot: youok.jpg]

Step 2: Perform the Test

The second step of our detection is to send a “list Databases” query to the remote MongoDB server. Targets that are exposed to unauthorized access should return the packets shown in the screen capture below.

[Screenshot: databases.jpg]

If the remote service returns its database list with ‘sizeOnDisk’ values, our “list Databases” query was executed, and we can conclude that the instance allows remote access without authorization. At this point an attacker could run the MongoDB client to connect to the server and perform any unauthorized action or take control of the database, as shown in the screen capture below.

[Screenshot: client.jpg]
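As an added example (not the Qualys detection code), the following Python builds the kind of OP_QUERY message Step 1 describes and applies the header checks from Step 1 and the database-list check from Step 2 to constructed replies, entirely offline. The BSON encoder and decoder cover only the element types needed here; the reply bytes, the “not authorized” document and the requestID values are made up for the demo, and nothing here connects to a server.

```python
"""Added example (not Qualys detection code): build and decode MongoDB Wire
Protocol messages offline to see what the two-step check looks like on the wire.
No server is contacted; OPEN_REPLY and AUTH_REPLY are constructed byte strings."""
import struct

OP_REPLY, OP_QUERY = 1, 2004
HEADER = struct.Struct("<iiii")  # messageLength, requestID, responseTo, opCode


def _cstring(text):
    return text.encode() + b"\x00"


def bson(doc):
    """Minimal BSON encoder: bool, int32, double, str, dict and list values only."""
    body = b""
    for key, value in doc.items():
        if isinstance(value, bool):  # before int: bool is an int subclass
            body += b"\x08" + _cstring(key) + (b"\x01" if value else b"\x00")
        elif isinstance(value, int):
            body += b"\x10" + _cstring(key) + struct.pack("<i", value)
        elif isinstance(value, float):
            body += b"\x01" + _cstring(key) + struct.pack("<d", value)
        elif isinstance(value, str):
            raw = _cstring(value)
            body += b"\x02" + _cstring(key) + struct.pack("<i", len(raw)) + raw
        elif isinstance(value, dict):
            body += b"\x03" + _cstring(key) + bson(value)
        elif isinstance(value, list):
            body += b"\x04" + _cstring(key) + bson({str(i): v for i, v in enumerate(value)})
        else:
            raise TypeError(f"unsupported value type {type(value).__name__}")
    return struct.pack("<i", len(body) + 5) + body + b"\x00"


def parse_bson(buf, pos=0):
    """Decode one document starting at pos; returns (dict, position just after it)."""
    end = pos + struct.unpack_from("<i", buf, pos)[0]
    pos, doc = pos + 4, {}
    while buf[pos] != 0:
        etype, nul = buf[pos], buf.index(b"\x00", pos + 1)
        key, pos = buf[pos + 1:nul].decode(), nul + 1
        if etype == 0x01:
            doc[key], pos = struct.unpack_from("<d", buf, pos)[0], pos + 8
        elif etype == 0x02:  # int32 length (includes the NUL), then the bytes
            n = struct.unpack_from("<i", buf, pos)[0]
            doc[key], pos = buf[pos + 4:pos + 3 + n].decode(), pos + 4 + n
        elif etype in (0x03, 0x04):  # embedded document / array
            sub, pos = parse_bson(buf, pos)
            doc[key] = list(sub.values()) if etype == 0x04 else sub
        elif etype == 0x08:
            doc[key], pos = buf[pos] == 1, pos + 1
        elif etype == 0x10:
            doc[key], pos = struct.unpack_from("<i", buf, pos)[0], pos + 4
        else:
            raise ValueError(f"unsupported BSON element type 0x{etype:02x}")
    if pos + 1 != end:
        raise ValueError("BSON document length does not match its contents")
    return doc, end


def build_query(request_id, command, db="admin"):
    """OP_QUERY against <db>.$cmd (flags, namespace, numberToSkip, numberToReturn,
    query document), the legacy way commands such as whatsmyuri were sent."""
    body = (struct.pack("<i", 0) + _cstring(f"{db}.$cmd")
            + struct.pack("<ii", 0, -1) + bson(command))
    return HEADER.pack(HEADER.size + len(body), request_id, 0, OP_QUERY) + body


def build_reply(response_to, doc):
    """Constructed server-side OP_REPLY carrying one document (demo only)."""
    body = struct.pack("<iqii", 0, 0, 0, 1) + bson(doc)  # flags, cursorID, startingFrom, count
    return HEADER.pack(HEADER.size + len(body), 4242, response_to, OP_REPLY) + body


def parse_reply(data, request_id):
    """Step 1 header checks: responseTo must echo our requestID and opCode must be
    OP_REPLY (1); only then are the returned documents decoded."""
    if len(data) < HEADER.size + 20:
        raise ValueError("message too short for an OP_REPLY")
    length, _, response_to, opcode = HEADER.unpack_from(data)
    if length != len(data) or opcode != OP_REPLY or response_to != request_id:
        raise ValueError("not an OP_REPLY to our request")
    _, _, _, count = struct.unpack_from("<iqii", data, HEADER.size)
    docs, pos = [], HEADER.size + 20
    for _ in range(count):
        doc, pos = parse_bson(data, pos)
        docs.append(doc)
    return docs


def is_open_to_unauthenticated_listing(docs):
    """Step 2 condition: the database list with sizeOnDisk came back with ok:1, so the
    command ran without credentials. A server requiring auth answers ok:0 instead."""
    first = docs[0] if docs else {}
    return first.get("ok") == 1.0 and any("sizeOnDisk" in d for d in first.get("databases", []))


# Constructed replies standing in for the two cases a check can see.
OPEN_REPLY = build_reply(7, {"databases": [{"name": "admin", "sizeOnDisk": 83886080.0,
                                            "empty": False}], "totalSize": 83886080.0, "ok": 1.0})
AUTH_REPLY = build_reply(7, {"ok": 0.0, "errmsg": "not authorized", "code": 13})

if __name__ == "__main__":
    print(parse_reply(OPEN_REPLY, 7))
    print(is_open_to_unauthenticated_listing(parse_reply(OPEN_REPLY, 7)))  # True
    print(is_open_to_unauthenticated_listing(parse_reply(AUTH_REPLY, 7)))  # False
```

parse_reply refuses anything whose responseTo does not echo the requestID you sent or whose opCode is not OP_REPLY, and the Step 2 predicate is only true when the database list with sizeOnDisk comes back with ok: 1.0; an instance with authentication enabled returns a failure document instead. The same checks can be run over a reply captured from your own instance to confirm it no longer answers unauthenticated commands.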

 

 

Conclusion

As you can see, it is quite easy to find MongoDB instances that are exposed in this way on the Internet. With today’s computing power, attackers can send thousands of packets in a very short time to get a list of responding IPs. It is reported that around 40,000 vulnerable MongoDB databases were discovered in this way on the Internet.

This new release of the Qualys Cloud Suite includes multiple improvements to Vulnerability Management and Policy Compliance.

Feature Highlights

Qualys Cloud Suite 8.3 will be released in production in the coming weeks and includes enhancements to Vulnerability Management (VM) and Policy Compliance (PC), the Qualys Cloud Platform and the API.

For release notifications containing details specific to each platform, including the release date, and to subscribe to release notifications for your platform, please see the following:

Qualys Cloud Platform Updates

New Getting Started Tutorials: You’ll see Get Started Tutorials as you navigate the main sections of the UI – Scans, Reports, Assets, Users, etc. These appear in VM and PC to help guide you and provide shortcuts.

Here are a few examples:

[Screenshot: GettingStartedTutorials1.png]

Here is a look at the Users section:

[Screenshot: GettingStartedTutoria2.png]

Forgot Password Workflow: Can’t remember your password? No problem. We’ll help you get a new password in just a few steps. Simply click the Forgot Password link, give us your email address and follow the instructions.

[Screenshot: ForgotPassword1.png]

This release introduces secret questions to help you when you forget your password. Go to the Security section in your user account and choose three secret questions and answers.

[Screenshot: ForgotPassword2.png]

We’ve moved the VIP two-factor authentication and Change Password options to a new Security section. Managers and Unit Managers will see this when editing another user’s account.

[Screenshot: VIPSecurity1.png]

Expired Password Options: Managers can set new options for expired passwords:

  1. notify users when their password is going to expire
  2. prompt users to change their password at login after it has expired.

[Screenshot: ExpiredPassword1.png]

[Screenshot: ExpiredPassword2.png]

Ability to Delete Empty Networks: Managers can now delete empty networks from the subscription. A network is empty if it does not have scanner appliances, associated asset groups, scheduled tasks or hosts with scan data. If the network has any account data associated with it, then it cannot be deleted from the UI. You also can’t delete networks if the subscription All group is assigned to any business units or sub-users.

[Screenshot: DeleteEmptyNetwork1.png]

Cisco IOS Authentication – Support for Cyber-Ark PIM Suite Vaults: This release introduces the ability to use your Cyber-Ark PIM Suite password vault when authenticating to Cisco IOS devices. Note – We already support Cyber-Ark vaults for other technologies, including Unix and Windows.

[Screenshot: Cyber-Ark1.png]

Run Scheduled Reports on Demand: You can now run scheduled reports as needed instead of waiting for the next scheduled launch time.

[Screenshot: RunScheduleReportsOnDemand1.png]

Download Email List from Distribution Group: You can now download the list of members assigned to a distribution group so you can easily verify the list outside of Qualys.

[Screenshot: DownloadEmailList1.png]

General UI Improvements: A number of improvements have been made to make Qualys 8.3 easier to use. Throughout the UI you’ll notice an improved list selector. For example, when assigning asset groups to a user, you’ll now see:

[Screenshot: UIImprovements-EasierSelect.png]

Use the Search field to quickly find asset groups and add them to the user’s account. Just start typing the asset group name and we’ll show you matches. Then add all matches with one click.

[Screenshot: UIImprovements2.png]

You’ll see these improvements when searching the KnowledgeBase and when selecting list criteria for your dynamic search lists.

[Screenshot: KnowledgeSearch1.png]

It’s easier to select multiple items. Just start typing or select from a drop-down. Also, you can now choose multiple categories where you were previously limited to one. We’ll use OR logic when multiple items are selected. For example, CGI OR Web server OR Windows.

[Screenshot: KnowledgeSearch2.png]

The Vendor and Product fields are now tied to each other. If you pick Adobe from the Vendor list, you’ll only see Adobe products in the Product list. If you select more than one vendor, like Adobe and Microsoft, then you’ll see products for both.

[Screenshot: KnowledgeSearch3.png]

New Authentication Vault API: The new Authentication Vault API (/api/2.0/fo/vault) allows you to manage authentication vaults for authentication records that use them. Using this API you can list vaults, create new vaults, update and view vault settings, and delete vaults. For more details, see the Qualys Cloud Suite 8.3 API Release Notification.

Vulnerability Management (VM)

More Date Filtering Options for Host-Based Scan Reports: With this release it’s easy to create scan reports with host-based findings within a specific timeframe. In the scan report template under Host Based Findings just choose the date range you’re interested in – starting on a specific date, or the date the report is run (today).

[Screenshot: DateFiltereing-HostBased1.png]

Additional Vulnerability Filters in Scan Reports: New vulnerability filters allow you to exclude certain vulnerabilities from your reports, like vulnerabilities found on a port/service that isn’t running, and vulnerabilities that can’t be exploited because of a host configuration. Apply these filters to your scan reports, patch reports and scorecard reports.

Vulnerability Scorecard Report – New Vulnerable Hosts per Severity: The Vulnerability Scorecard Report now shows you the number of hosts affected by the vulnerability severities (Level 5, 4, 3).

Remediated Vulnerabilities Report – Improvements: This report tells you about vulnerabilities that have been remediated in your account within the last 30 days. We’ve made improvements to the report for this release. We’ll always show the full date range for the report, even if there are no remediated vulnerabilities for the selected hosts.

Policy Compliance (PC)

Introducing Control Criticality: Control Criticality is a new feature in Policy Compliance that provides ratings for controls, including the ability to customize ratings at the control level and at the policy level. When enabled, you’ll see criticality wherever control details appear – in the controls list, in your policies and reports.

Customizing Control Criticality in a control:

Customizing Control Criticality within a Policy:

You can also customize the labels associated with the different control criticality levels:

You’ll see criticality in the Control Statistics table (as shown below) and in the Detailed Results section where control details appear.

[Screenshot: CriticalityInReport1.png]

We’ve also added two new pie charts to your policy report to show the number of passed and failed controls at each criticality level. Controls without a criticality level are counted as “Undefined”.

[Screenshot: CriticalityPie1.png]

You can also filter your reports by Criticality:

[Screenshot: FilterByCriticality1.png]

New Windows Directory Search UDC: This release introduces a new User Defined Control (UDC) called Windows Directory Search Check. Configure this control to find files and directories that match certain parameters (name, permissions, etc.). You’ll tell us where to search and what you’re looking for, and we’ll return a list of matches in your scan results.

You can specify directories, recursion depth, and filename patterns as well as user and permission information to look for:

Policy Report – Hostnames Appear in PDF Bookmarks: The list of bookmarks in your PDF policy reports will now include the hostname for each host. Click any bookmark to jump directly to the host details in the report.

Control Technologies and Frameworks in Alphabetical Order: You’ll see that the technologies and the frameworks listed in the Control Information page are now in alphabetical order, making the information you want easier to find.

Release Schedule

For release notifications containing details specific to each platform, including the release date, and to subscribe to release notifications for your platform, please see the following:

This new release of the Qualys Cloud Suite of Security and Compliance Applications includes multiple improvements to Vulnerability Management and Policy Compliance designed to improve ease of use, add reporting options and features, and expand platform support, including compliance scanning for Amazon EC2.

Feature highlights include:

  • Asset Tag Support in Remediation Policies in Vulnerability Management
  • Policy Library and Reporting Improvements in Policy Compliance
  • Compliance Scanning support for Amazon EC2 in Policy Compliance
  • Several core improvements including:
    • New Authentication Dashboard with drill down support
    • Account Activity page
    • Customizable report footers
    • Improved date picker
    • Notification improvements
    • Platform support for Microsoft IIS 8

Qualys 8.2 will be released in production in October 2014, depending on the platform. Details about the release schedule are at the end of this blog post.

Vulnerability Management

Asset Tag Support in Remediation Policies: With Qualys 8.2 Vulnerability Management, you can now use tags in a remediation policy rule to tell us which hosts the rule applies to. We’ll evaluate the policy rule against scan results for the hosts that match your tag selection.

Use IP Network Range Tags Option: As with scans, this option lets you select tags with IP address rules. For each tag you select, we’ll include the entire IP range (or IP ranges) defined in the tag rule, and we’ll evaluate the policy against any scanned host in the IP range(s).

Policy Compliance (PC)

Import Locked Policies as Unlocked: In previous versions of Qualys Policy Compliance, the locked state of a policy could not be changed on import. As a result, the library contains Locked and Unlocked versions of the policies.

With Qualys Policy Compliance 8.2, you can now select a locked policy in our Library and import it as unlocked. This makes the policy completely editable – you’ll be able to add/remove controls, change control values, add technologies, etc. We will soon be revising the content in the policy library to take advantage of this new feature. This will make it easier to find the policies you are interested in as our policy library expands.

You’ll notice that the policy is saved to your policies list as unlocked (you won’t see a lock icon).

Policies added to Asset Group Information: With Qualys Policy Compliance 8.2, it is now easier to see which policies are associated with an asset group. When you view asset group information, we’ll now show you all the policies the asset group belongs to.

Launch Scans in your Amazon EC2 Environment: We now support launching EC2 compliance scans on your Amazon EC2 hosts (in your Amazon Web Services account). The Amazon EC2 Scan workflow using Qualys is pre-authorized by AWS. The feature must be enabled in your account; please visit the release notes for prerequisites and additional details about this exciting new feature.

SCAP Policy Report in CSV Format: We’ve added the ability to generate SCAP policy reports in CSV format for customers that prefer to import the data to external systems or to open the data in spreadsheet format. SCAP policy reports were previously only available in XML format.

Below is a sample CSV report. The scan result details section shows the compliance posture for each rule on each host included in the report. Other sections show host statistics and rule statistics.

Qualys Cloud Platform

New Authentication Records Dashboard: We’ve added a new dashboard to the authentication records list with search and filter options that make managing your authentication credentials easier than ever.

Use the dashboard to quickly:

  • Find credentials not used in the last 30 days
  • Find credentials failing more than 50% of the time (Failing)
  • Find credentials failing more than 25% of the time (Problematic)
  • Find credentials stored in a password vault
  • Search for records by type, network, title, IP address, vault
  • Drill down into record details to see pass/fail authentication status for your hosts

Drill-down into the details: For any record, click the Details link to get information like the pass/fail authentication status for each host in the record. You can also remove hosts from the record and download the list in various formats, including CSV, MHT, ZIP and XML.

View Account Activity: We’ve added a new Account Activity page to help you identify unusual or unauthorized account access. You’ll also have the ability to sign out of other active sessions. We’ll show you when each session was created and the IP address from which the session was established.

New Scan Complete Notifications: You can now have an email notification sent to distribution groups when your scheduled scan is finished and the results have been processed. Keep in mind that your distribution groups may include email addresses for users in the subscription and for users outside of the subscription.

You can also have a scan complete notification sent to distribution groups when your on-demand scan is finished and the results have been processed. On the Launch Scan page, scroll down to the Notifications section and complete the form.

Add a Custom Footer to Your Reports: You can now add custom text to the footer section of your reports. For example, you may want to include a disclosure statement or data classification (e.g. Public, Confidential) in this section.

Asset Group ID added to the Asset Groups List: You can now show each asset group’s ID directly in the asset groups list (Assets > Asset Groups). In previous releases, the ID appeared only in the Asset Group Information page.

MS IIS 8.x Platform Support: We have extended our support for MS IIS authentication to include MS IIS version 8.x (6.0 and 7.x are already supported).

Improved Date Picker: When specifying a timeframe using “Within the Last N days” you can now enter a value directly into the field instead of picking a set value from the drop-down. This gives you greater flexibility since you can enter values that aren’t in the list. You can also type values like “last 99 days” and “previous quarter” directly into date fields.

Here are a few examples.

[Screenshots: image-17.png, image-18.png]

Release Schedule

For details about the release dates for specific platforms and to subscribe to release notifications by email, please see the following:

A new release of Qualys, Version 8.2, includes an API update which is targeted for release in October 2014.

This API notification provides an early preview into the coming API changes in Qualys 8.2, allowing you to proactively identify new opportunities to automate your Qualys service or to integrate with other applications. Qualys 8.2 also includes some modifications to existing APIs that required 30-day notification; these can be viewed at Qualys 8.2 API Release Notification.

Please review the attached document below for more details about the 8.2 API Features.

Full release notes will be available to customers on the day of the release.

API Enhancements

Manage Excluded Hosts via API: You can now manage IPs in the global exclusion list via the API. This will allow you to sync data with external systems such as CMDBs to identify hosts to exclude from scans.

Update Asset Groups Assigned to Compliance via API: You can now manage asset groups assigned to Qualys Policy Compliance (PC) policies via the API. This allows customers to sync Qualys policy assignments to align with internal systems such as risk management systems.

Access Audit Scan Times and Live Hosts per Scan Level via API: The scan list v2 output now tells you the duration for each scan, the time it took for the scan to complete, in the new DURATION elements. This helps you to audit scan times. You’ll see scan duration for vulnerability scans (using /api/2.0/fo/scan/?action=list) and compliance scans (using /api/2.0/fo/scan/?action=list). Any scan that is not finished (for example in the queued or running state) will have its duration set to “Pending”.

Network ID Attribute Added: We've added the attribute "network_id" to network elements in the scheduled scans v1 output returned by the Scheduled Scans v1 API.

Max Capacity Units available via API: We've added the MAX_CAPACITY_UNITS element in the Scanner Appliance List v2 API, allowing you to determine the percentage of capacity available programmatically.

Manage VLANs and Static Routes for Virtual Appliances: You can now manage your VLANs and static routes for virtual scanner appliances via the Scanner Appliance v2 API.

Show Asset Group IDs in CSV: Now you can easily find the IDs for your asset groups in the CSV report output.

Include "Vulnerability Severity" in detection API Output: We’ve added the vulnerability severity level to the XML output returned by the Host Detection API v2.

Policy Compliance - Support for EC2 Scanning: Now we support launching EC2 compliance scans on your Amazon EC2 hosts (in your Amazon Web Services account) using the PC Scan API v2.

What is the <baseurl>?

This is the API server URL where your Qualys account is located. For an account on US Platform 1, this is <qualysapi.qualys.com>; on US Platform 2, this is <qualysapi.qg2.apps.qualys.com>; on EU Platform, this is <qualysapi.qualys.eu>.

A new release of Qualys, Version 8.2, is scheduled to be released in production on the Qualys US Platform 1 on Thursday, October 23, 2014 between 12 PM PDT (19:00 UTC) and 6:00 PM PDT (01:00 UTC next day).

The deployment is completely transparent to users and will require no downtime.

Release Details:

  • Qualys version 8.2 core features include New Authentication Dashboard with drill down support, Account Activity Page, Customizable Report Footers, Improved date picker, Notification improvements, Platform support for Microsoft IIS 8
  • Qualys VM version 8.2 includes Asset Tag Support in Remediation Policies in Vulnerability Management
  • Qualys PC version 8.2 includes Policy Library improvements, Reporting improvements, Compliance scanning support for Amazon EC2.
  • API enhancements include addition of several attributes, Manage excluded hosts, VLAN and static route management, and EC2 support for Compliance.

See Qualys 8.2 New Features and Qualys 8.2 API Release Notification 2 for more details.

To continue to receive notifications by email, please subscribe at US Platform 1.

A new release of Qualys, Version 8.2, is scheduled to be released in production on the Qualys US Platform 2 on Tuesday, October 21, 2014 between 12 PM PDT (19:00 UTC) and 6:00 PM PDT (01:00 UTC next day).

The deployment is completely transparent to users and will require no downtime.

Release Details:

  • Qualys version 8.2 core features include New Authentication Dashboard with drill down support, Account Activity Page, Customizable Report Footers, Improved date picker, Notification improvements, Platform support for Microsoft IIS 8
  • Qualys VM version 8.2 includes Asset Tag Support in Remediation Policies in Vulnerability Management
  • Qualys PC version 8.2 includes Policy Library improvements, Reporting improvements, Compliance scanning support for Amazon EC2.
  • API enhancements include addition of several attributes, Manage excluded hosts, VLAN and static route management, and EC2 support for Compliance.

See Qualys 8.2 New Features and Qualys 8.2 API Release Notification 2 for more details.

To continue to receive notifications by email, please subscribe at US Platform 2.

A new release of Qualys, Version 8.2, is scheduled to be released in production on the Qualys EU Platform on Thursday, October 16, 2014 between 12 PM PDT (19:00 UTC) and 6:00 PM PDT (01:00 UTC next day).

The deployment is completely transparent to users and will require no downtime.

Release Details:

  • Qualys version 8.2 core features include New Authentication Dashboard with drill down support, Account Activity Page, Customizable Report Footers, Improved date picker, Notification improvements, Platform support for Microsoft IIS 8
  • Qualys VM version 8.2 includes Asset Tag Support in Remediation Policies in Vulnerability Management
  • Qualys PC version 8.2 includes Policy Library improvements, Reporting improvements, Compliance scanning support for Amazon EC2.
  • API enhancements include addition of several attributes, Manage excluded hosts, VLAN and static route management, and EC2 support for Compliance.

See Qualys 8.2 New Features and Qualys 8.2 API Release Notification 2 for more details.

To continue to receive notifications by email, please subscribe at EU Platform.

Make your Qualys data your own by synchronizing it locally. Though report templates are an easy way to set up and distribute that data, they are typically not flexible enough to meet the unique requests from unique teams that crop up over time. Synchronizing your Qualys data locally and enabling all teams in your organization to query it locally will give you the most scalable access to your data.

This will enable the ultimate flexibility in reporting: SQL queries, correlation with other security tools, and finally the ability to build those reports with Comic Sans headers that Jim from the audit team so badly wants. The benefits don't stop at security use cases, either. They can bring even greater value to your organization: trust in your reporting.

I'm Sold, How Do I Do This?

Qualys offers a multitude of ways to extract your vulnerability management data. By far, the leanest, most flexible, and fastest method is to use the Host List Detection API. The Host List Detection API was created precisely for the use case of downloading all your VM data. It's already being used by customers today to download vulnerability data from millions of hosts that are scanned monthly.

The best way to download your VM data is to download delta sets continuously, which you can do quite easily. But before that happens, we'll have to download an initial seed of all your data.

Download Your VM Data Seed

Downloading all vulnerability (and information gathered) data will result in an enormous set of data, even with the Host List Detection API. There are three strategies that ensure a quick download:

  1. Download assets in multiple chunks instead of one large call. This will result in quicker spin ups and spin downs from the Qualys platform, and faster downloads.
  2. Download by host ID. Downloading by asset group or IPs will result in additional lookups.
  3. Download your data with multiple threads. Your network tubes can hold more than one connection; use them!

Implementing the above is challenging. Lucky for us, I created a free & open source Python script that does exactly this:

paragbaxi/qualysguard_host_list_detection · GitHub

Download speed comparisons of the Host List Detection API for about 93,000 hosts:

[Chart: QualysGuard Host List Detection API XML Speed.png]

[Chart: QualysGuard Host List Detection API CSV Speed.png]

Download your VM Data Deltas Continuously

Now that you have an initial seed of all your data, the most efficient method for downloading your data is by scoping by time. The Host List Detection API has a parameter, vm_scan_since, that enables one to only download hosts that have been scanned & processed since a certain time -- this time can be measured down to the second. Let's step backwards a little to understand when a host is processed.

 

First, let's go over how an individual host is scanned. The Host List Detection API's vm_scan_since parameter scopes host by their processed date. Below are the stages of a host getting scanned:

QualysGuard_Scan colorized.png

Now that we understand when a host is in scope, it's important to understand that the entire host is in scope. This means the vm_scan_since parameter scopes at the host level, not at the vulnerability finding level. All vulnerabilities from previous scans will be included (by default) since the Host List Detection API leverages Host Based Findings.

 

In the following example, both Monday's QID 90086 and Tuesday's QID 90252 vulnerabilities (as well as any previous findings) are included in the response:

Host_A_Scanned.png

This enables you to atomically replace your database entry for the entire host, which is quite simple.

 

How do I do this for all scans?

The Host List Detection API call best serves your needs when requested continuously. This will provide visibility on hosts regardless of when scans complete.

 

In the example below, the host list detection is called at the top of every hour. The vm_scan_since parameter is dynamically set for an hour earlier.

Host_List_Detection colorized.png

The 2pm host list detection call's response will include:

  • Host A's first scan
  • Host B

The 3pm host list detection call's response will include:

  • Host A's first & second scan
  • Host C
  • Host D
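The hourly delta described above, as an added Python example (not the author's script). It computes the vm_scan_since value for the previous hour, parses a response and replaces each returned host wholesale in a local store, which is exactly what host-level scoping permits. The XML samples are constructed to mirror the HOST_LIST_VM_DETECTION_OUTPUT structure (HOST/ID, IP, LAST_SCAN_DATETIME, DETECTION/QID); host IDs 1001-1004 stand in for Hosts A-D, and the element names should be checked against your platform's DTD.

```python
"""Hourly vm_scan_since delta sync with host-level atomic replacement.

Added example, not the author's code. Sample responses are constructed;
element names are assumed from the Host List Detection output format.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET
from typing import Dict, Set


def vm_scan_since_for(now_iso: str, hours: int = 1) -> str:
    """vm_scan_since for a window ending at `now_iso` (ISO 8601 with offset):
    one window back, normalised to UTC, second precision."""
    now = datetime.fromisoformat(now_iso)
    if now.tzinfo is None:
        raise ValueError("now_iso must carry a UTC offset")
    since = now.astimezone(timezone.utc) - timedelta(hours=hours)
    return since.strftime("%Y-%m-%dT%H:%M:%SZ")


def current_window(hours: int = 1) -> str:
    """Value to pass on the next top-of-the-hour call."""
    return vm_scan_since_for(datetime.now(timezone.utc).isoformat(), hours)


def parse_detections(xml_text: str) -> Dict[str, dict]:
    """Map host ID -> record with IP, last scan time and the set of open QIDs."""
    root = ET.fromstring(xml_text)
    hosts: Dict[str, dict] = {}
    for host in root.iter("HOST"):
        qids: Set[str] = {d.findtext("QID") for d in host.iter("DETECTION")}
        hosts[host.findtext("ID")] = {
            "ip": host.findtext("IP"),
            "last_scan": host.findtext("LAST_SCAN_DATETIME"),
            "qids": qids,
        }
    return hosts


def sync_hosts(store: Dict[str, dict], xml_text: str) -> Dict[str, dict]:
    """Replace every returned host in full. Because the API scopes at the host
    level and returns all host-based findings, no per-QID merge is needed:
    a host in the response supersedes whatever the store held for it."""
    for host_id, record in parse_detections(xml_text).items():
        store[host_id] = record
    return store


def _host(host_id: str, ip: str, last_scan: str, qids) -> str:
    dets = "".join(f"<DETECTION><QID>{q}</QID></DETECTION>" for q in qids)
    return (f"<HOST><ID>{host_id}</ID><IP>{ip}</IP>"
            f"<LAST_SCAN_DATETIME>{last_scan}</LAST_SCAN_DATETIME>"
            f"<DETECTION_LIST>{dets}</DETECTION_LIST></HOST>")


def _response(*hosts: str) -> str:
    return ("<HOST_LIST_VM_DETECTION_OUTPUT><RESPONSE><HOST_LIST>"
            + "".join(hosts) + "</HOST_LIST></RESPONSE></HOST_LIST_VM_DETECTION_OUTPUT>")


# Constructed samples. 2pm call: Host A's first scan and Host B.
SAMPLE_2PM = _response(
    _host("1001", "10.0.0.1", "2014-04-28T12:10:00Z", ["90086"]),
    _host("1002", "10.0.0.2", "2014-04-28T12:20:00Z", ["90086"]))
# 3pm call: Host A again, now carrying Tuesday's QID 90252 alongside Monday's
# QID 90086 (host-based findings), plus Hosts C and D (D with no findings).
SAMPLE_3PM = _response(
    _host("1001", "10.0.0.1", "2014-04-29T13:05:00Z", ["90086", "90252"]),
    _host("1003", "10.0.0.3", "2014-04-29T13:30:00Z", ["90252"]),
    _host("1004", "10.0.0.4", "2014-04-29T13:40:00Z", []))


if __name__ == "__main__":
    store: Dict[str, dict] = {}
    sync_hosts(store, SAMPLE_2PM)
    sync_hosts(store, SAMPLE_3PM)
    print(vm_scan_since_for("2014-04-29T15:00:00+00:00"), sorted(store))
```

Run the sync a little more often than the window length, or overlap the windows by a few minutes, so a host whose processing lands exactly on the boundary is not missed; the replacement is idempotent, so an overlapping host is simply rewritten with the same data.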

 

All set up and automated, what now?

With your VM data now synced locally, the use cases are only limited by the teams you provide this data to. I have seen a customer identify millions of dollars of unnecessary software licensing by leveraging Qualys's ability to identify software installations. It just so happened the customer had thousands of Office & Photoshop licenses on older, unused workstations that their procurement team had lost track of, which resulted in procuring new software licenses for new employees when they could have reused existing licenses. With Qualys able to identify these applications, their procurement team now performs weekly audits on what software is actually installed in their environment.

 

Synced Qualys data can also be used to check the accuracy of CMDBs. Because Qualys is an agent-less tool, it brings to light the unknown hosts, appliances, and other such devices that you provision. What's even better is bringing visibility to the unknown unknown. Perhaps the previous IT Administrator provisioned non-standard compliant devices from a 3rd party vendor, or perhaps you discovered a 4G-enabled laptop sitting in a box in your mailroom that has managed to connect to your internal wireless network. Agents will not find these devices, and programmatically syncing your CMDB will enable your security ops team to take action with business context.

 

It's your VM data, and it always has been. The Host List Detection API is just the fastest and easiest way to get it.

A new release of QualysGuard, Version 8.0, will be available in production on QualysGuard US Platform 2 on April 29, 2014. The deployment is completely transparent to users and will require no downtime. The release will occur between 12:00 PM PDT (20:00 UTC) and 6:00 PM PDT (02:00 UTC next day).


Featured Enhancement: Overlapping IP Support

QualysGuard 8.0 brings support for managing overlapping IP ranges within a single QualysGuard subscription, providing the user with the ability to define discrete private Networks to keep overlapping blocks isolated from each other.

 

Also in 8.0, QualysGuard enhances its support in Vulnerability Management (VM) for SSL Certificate status reporting and for maintaining multiple PCI Option Profiles at different performance levels.

 

QualysGuard Policy Compliance (PC) receives improvements to the organizational structure of golden images.  QualysGuard Express receives a variety of usability enhancements.  All solutions benefit from an improved method for defining and selecting groups of IP addresses in the UI.

 

API enhancements include the addition of virtual appliance lifecycle management and automation of the Amazon EC2 Scan workflow.

 

See QualysGuard 8.0 New Features and QualysGuard® API Release Version 8.0 - 15 day notification for more details.

 

To continue to receive notifications by email, please subscribe at

https://community.qualys.com/community/notifications-us2

QualysGuard 8.0 adds the following capabilities to the QualysGuard Cloud Platform and its suite of services:

 

  • Featured Enhancement: Overlapping IP support
  • Vulnerability Management
    • Improvements to the SSL Certificates List
    • Configure Multiple PCI Option Profiles
    • Security Risk Score Summary Added to XML and CSV Reports
  • Policy Compliance
    • Golden Image Policy Organized Into Sections
    • Select Individual IPs for Your Policy Reports
    • Control Checksum Requirement Removed from Policy XML
  • QualysGuard Platform
    • New Look and Feel for QualysGuard Express
    • Improved IP Selection
    • QualysGuard API Enhancements

 

QualysGuard 8.0 will be released in production in the coming weeks and includes enhancements to QualysGuard Vulnerability Management (VM) and Policy Compliance (PC), QualysGuard Cloud Platform and the API.

 

For release notifications containing details about the release dates for specific platforms and to subscribe to release notifications by email, please see the following:


Featured Enhancement: Overlapping IP Support

With QualysGuard 8.0 customers can now manage overlapping IP ranges within a single QualysGuard subscription, providing the user with the ability to define discrete private networks to keep overlapping blocks isolated from each other.  This is a common need that appears in many use cases including:

 

  • M&A events
  • Air gap networks
  • Business continuity/disaster recovery
  • Dev/test
  • IaaS environments
  • "Cloned" small office networks

 

These different network zones can now be easily defined and separated within QualysGuard through the UI and API.

 

To take advantage of this new capability, the administrator uses the new “Networks” tab under Assets, defines a new network, and assigns a scanner. Once defined, one can perform asset discovery, launch a vulnerability scan, run reports, and track mitigation on that network as a specific entity. Assigning scanners to networks resolves the issue of duplicate IP addresses occurring in different networks, while still allowing the administrator to maintain centralized management across the entire organization.


Create a Network

2.create a new network.png


Discover Assets on Your New Network

4.new network wizard.png


Scan Your Network

5.scan launch showing networks.png


QualysGuard Vulnerability Management (VM)

Improvements to the SSL Certificates List

We’ve made several improvements to the SSL Certificates list to make managing your certificates even easier.  Relationships are now maintained between a given certificate and the ports, services, or even different hosts on which it is found, which helps prevent duplicate entries and simplifies reporting and remediation efforts.  The reason for an invalid status now appears in a preview pane.

 

certificates_list.png

 

Configure Multiple PCI Option Profiles

With the QualysGuard 8.0 release you can configure multiple PCI option profiles with different performance settings.  For example, you can create one profile set to High performance, another set to Normal performance, and a third set to Low performance. Then apply the appropriate profile to each scan based upon your network requirements.

 

pci_profile_new_menu_cropped.png


Security Risk Score Summary Added to XML and CSV Reports

With this release vulnerability scan reports now include a security risk score summary for the report as a whole and per host, in all available report formats.  Previously security risk metrics were not included in XML or CSV output types.  As before, the risk score summary appears when your report template is configured for host based findings (automatic data) and the Text Summary option is selected. The corresponding asset_data_report.dtd was updated.

scan_report_csv.jpg


QualysGuard Policy Compliance (PC)

Golden Image Policy Organized Into Sections

When you create a golden image policy, we automatically add controls to the policy for you. In the QualysGuard 8.0 release we now go one step further and organize those controls into sections based on the control category, giving your policy structure within the Policy Editor.

 

policy_sections.png


Select IPs for Your Policy Reports

You can now select individual IP addresses or ranges to include in your policy compliance report.  Simply select the policy you want to report on and click the “Select IPs in policy” option. Then tell us which IPs/ranges from the policy you want to include in the report.

 

policy_report_select_ips.png


Control Checksum Requirement Removed from Policy XML

Now it’s possible to manually import policies without the requirement to have a checksum for control configurations. We’ve updated the XML output of the EVALUATE element. We’ll use the new XML output without the checksum when you export policies. No changes were made to the policy export output DTD (https://<base_URL>/api/2.0/fo/compliance/policy/policy_export_output.dtd).


QualysGuard Cloud Platform

New Look and Feel for QualysGuard Express

The QualysGuard Express UI has a new look and feel – you’ll notice more tips and details throughout the UI to help you with your configurations and tasks.

 

express_quick_start_tips.png

 

Here’s a look at the Scans section. Helpful details and links are shown on the screen to help you understand the different scan configuration options available to you in the Scans section. Similar details appear in the Reports and Remediation sections.

 

express_scans.png


Improved IP Selection

You’ll now see a simple text field where you can directly enter IPs/ranges or paste them in. This new method for IP selection is used throughout the UI. You’ll see it when setting up your asset groups, configuring approved hosts lists for your domains, removing IPs from your subscription, and so on. If it seems familiar that’s because we introduced this change in authentication records in the last release.

 

ip_selection_callouts.png


QualysGuard API Enhancements

The QualysGuard API delivers these new capabilities and enhancements with this release.  More information is available at QualysGuard® API Release Version 8.0 - 15 day notification.

 

  • VM – “Security Risk Score” summary added to XML and CSV reports
  • VM – Manage the EC2 Scan Workflow using the API
  • VM and PC – Select Multiple Scanner Appliances for Scans
  • VM and PC – Launch Reports using Asset Tags
  • PC – Limit Policy Reports to Selected IPs
  • PC – Compliance Scorecard Report XML – added NetBIOS name and DNS name
  • PC – Policy XML updated to remove control checksum requirement
  • PC – Posture Info API improvements
  • Cloud Security Platform – Manage your Virtual Scanners using the API
  • Cloud Security Platform – Network Support API
