As remote working is becoming the need of the hour, IT and Security teams are working tirelessly to ensure continuity of services and deliver on all aspects of the business. To help our customers in these challenging times, we launched a 60-day no-cost ‘Remote Endpoint Protection’ service for managing the security, vulnerabilities and patching of the remote hosts. This service immediately received a good response as the traditional enterprise security solutions deployed inside the organization’s network are ineffective in protecting these remote endpoints. At the same time, Qualys VMDR® – Vulnerability Management, Detection and Response – is going live enabling customers to discover, assess, prioritize, remediate vulnerabilities and patch them across the global hybrid-IT landscape in an integrated manner.
Unfortunately, during the same time, Rapid7 launched a campaign of false claims, without the context of the overall use cases. We will go over each of these claims and provide a response with evidence for each.
Before we do that, let us take a step back to understand the major shifts happening in IT and their impact on the changing vulnerability risk management program, as this forms the basis of the topic.
Organizations have not just on-premises datacenter hosts and applications but also cloud-based workloads and instances. IT and DevOps teams are leveraging containerized environments and emerging technologies. As you know, today’s remote workforce is creating a surge of remote endpoints and of collaboration and productivity tools for IT and security teams to manage.
Security teams need a real-time, always updated inventory of all assets and applications to have confidence in their vulnerability management program. Also, the vulnerability assessment has become more real-time. More and more organizations are doing proactive configuration assessment to stay on top of security hygiene issues.
It is becoming critical for organizations to prioritize this laundry list of vulnerabilities by risk, based not just on CVSS or vulnerability risk but also on the context of threats and mitigation factors such as asset status and configuration posture. Last but not least, the ability to respond quickly, patch vulnerabilities and take other remediation actions in a simple manner is becoming key to reducing the attack surface. Today’s security teams are looking to speed up the response instead of putting time and cost into managing integrations and solutions.
These two shifts are where the importance of a single unified platform comes in. Qualys has put in years of hard work to create a single cloud platform that collates an enormous amount of diverse data from multiple sensors created for hybrid environments, integrates and analyzes this data in real time, and presents it in a contextual manner for customers to act on. This is where the Qualys platform differentiates itself from the competition, which has separate tools, either built in-house or acquired, each performing a ‘point’ use case such as on-prem vulnerability management, cloud vulnerability management or container security, and requires customers to create integrations between them because the data is never unified with context. As the Qualys platform leverages a multi-layered, hybrid architecture built with the latest technologies and years of research, we are able to support at scale 31+ million cloud agents and 3+ billion IP scan/audits. The Qualys cloud platform today has 3+ trillion datapoints indexed in Elastic clusters and is able to process 2+ trillion security events annually. This provides a robust and reliable solution for customers to prioritize vulnerabilities from multiple sources, with the context of other security data points and assets.
Now, let’s look at Rapid7’s claims one by one against Qualys VMDR.
While many of Qualys’ competitors rely on the CVSS scores to ascertain the current risk posture, Qualys has always supported asset-based risk criteria of the business, as well as CVSS scores, combined with environmental and temporal scores.
Where Qualys VMDR differs from the competition is that it provides true risk-based prioritization. It is achieved through the following elements:
Qualys VMDR brings all of the above elements together for customers to see true risk, beyond just CVSS-driven risk.
Qualys has had a Malware and Vulnerability research lab for many years. A number of Qualys-researched vulnerabilities, such as RCE in exim, systemd-journald and more, have been nominated for awards. With threat protect, the Qualys team has been doing research on zero-day, wormable vulnerabilities.
In addition to in-house research, Qualys integrates the threat feeds from other security research partners as well, so that customers have a comprehensive set of real-time threat indicators to leverage for prioritizing vulnerabilities. Qualys also makes its research useful for the security community. A popular example is Qualys SSL Labs, which keeps an eye on the public internet and performs deep analysis of digital certificate configurations for safe communication over the internet.
Even the CIS (Center for Internet Security) community has benefited through its MS-ISAC integration with Qualys Certificate View for continuous monitoring of digital certificates and SSL/TLS configurations. Qualys has also been authoring and contributing significantly to the CIS security hardening benchmarks for technologies such as AWS, Azure, and GCP public cloud platforms to help manage security hygiene when these technologies are utilized. Many competitive tools only use these benchmarks and do not contribute to the research behind these security hardening guidelines.
With VMDR, customers can not only leverage but also pick and choose from various in-house Qualys-researched threat indicators as well as threat feeds coming from partners for comprehensive threat-based vulnerability prioritization, instead of relying on limited feeds from a single vendor, which you cannot pick and choose per your environment.
Qualys pricing has zero hidden costs. It is a simple, subscription-based annual pricing with free access to 24×7 support service as well as to technical account managers and solution architects. The cloud-based solution makes sure that customers don’t have any console or infrastructure to deploy and/or manage, meaning no deployment services to pay for, as is the case for many on-premises solutions. Additionally, there is no cost for Qualys trainings and certifications.
As you can see from the above screenshot, the VMDR solution is based on a simple asset-based pricing and includes all the above capabilities with the biggest differentiating value being it comes with integrated workflows, for end-to-end vulnerability management.
Qualys understands that not all customer environments and requirements are the same, and customers need flexibility in regards to which capabilities to purchase. For example, a customer might not require mobile and CI/CD integrations. To cater to such cases, Qualys provides an option to purchase ‘à la carte’ integrated capabilities as well.
Qualys VMDR is an all-in-one solution that helps customers with discovering and inventorying assets and applications running in a hybrid environment and arranges assets based on business criticality and the role they play in the environment. In vulnerability and configuration management, it enables threat-based prioritization with a context of assets and configurations, and deploys patches using the same VM cloud agent without choking the VPN and bandwidth. This end-to-end native workflow helps customers eliminate the need for complex and time-consuming integrations of multiple point solutions, which mostly do not interact well due to the difference in architecture and data flows.
The most important part of any Vulnerability Management solution is the unification of data from assets across the hybrid environment, as this collected data is further used for prioritization and remediation. As mentioned earlier, the Qualys cloud platform is built to unify the data coming from its various sensors, unlike some of the competitive tools, which have a separate on-premises VM solution and a separate cloud VM solution, creating issues in unifying the collected data for further reporting and prioritization.
‘Best of breed’ is not separate solutions requiring integration, but a simple, end-to-end, unified solution helping customers assess vulnerabilities in a prioritized manner and remediate them through native patching, significantly reducing the ‘time-to-remediate’ (TTR).
The Qualys Cloud Platform has always been a single unified cloud platform with capabilities, data, modules and workflows connected to each other, bringing in all relevant data into one single cohesive dashboard. The screenshot on the right shows asset details showing IT, security, vulnerability and compliance posture in a single unified view. This view further enables customers to initiate the remediation process.
There are varied security capabilities and use-cases ranging from File Integrity Monitoring (FIM) to Indicator of Compromise (IOC) to Agent Management, requiring separate workflows, owned by separate teams in enterprises. As a mature solution, we provide dedicated access, workflows and capabilities to help each customer’s various teams with defining their specific workflows on the same platform.
As you can see below, customers can go from asset selection to vulnerability prioritization to patch deployment in a cohesive manner.
Ease of use and experience is not just about the modules and UI, but also about providing customers usability and the ability to embed sensors and capabilities in their own workflows, outside the tool, from the source. Below is another example of how one of the largest global banks has embedded the Qualys agent in their CI/CD workflow to manage the entire journey of asset inventory, vulnerability and configuration assessment from the source, before assets go into production.
Another huge competitive differentiator that the Qualys platform provides, due to its architecture and native cloud capabilities, is the ability to fully integrate with and embed in many of the public cloud providers. One example is the native integration of vulnerability assessment of hosts and containers in Azure (in partnership with Microsoft), where the deployment and assessment done by Microsoft Azure is powered by Qualys. In this case, the customer does not even have to deploy an agent or run any scans or assessments in the Qualys UI. This is done behind the scenes in the native Azure UI itself, so that customers have a seamless experience of security and vulnerability assessment.
This is a whole new level of ease of experience and use, going beyond just UI and dashboard improvements.
Qualys’ solutions are robust and mature, and they include in-built support for multiple remediation options and for some time have included a native ticketing engine.
Qualys VMDR supports multiple remediation options, such as:
Patch Management allows automated correlation of vulnerability and patch data, tracking of missing patches, and identification of which vulnerabilities the patches will fix. Patches can be deployed to the devices directly from the cloud, without impacting the organization’s VPN or bandwidth.
Qualys’ easy-to-use Exception Management tools, open-APIs for end-to-end external integrations, as well as the large number of remediation partners (BMC BladeLogic for example) who have done integrations with Qualys making no-cost remediation options available, are just a few features that make Qualys a better solution today.
The native integration of the continuous and proactive rule-based monitoring options, backed by real-time alerts and notifications in Qualys solutions, allows customers to persistently look for potential problems and proactively address them, instead of waiting to respond to incidents after they occur.
Hence, the statement that Qualys requires additional modules for varied functionalities can be said to be shallow and devoid of any merit.
Qualys’ dashboarding and reporting capabilities leverage the latest technologies and microservices such as ElasticSearch to include in-built capabilities for tracking vulnerabilities and context-based trending for remediation.
The VMDR solution combines advanced analytical methods and real-world contextual factors to deliver a prioritized workflow that drives effective remediation. The unified dashboard enables you to track mean-time-to-remediate, making it way ahead of its competitors.
Moreover, various other dashboard customizations that are provided out-of-the-box, such as reopened vulnerabilities, failing misconfigurations, vulnerability age, and scan age add to the competitive edge. One can make use of the various easy-to-use widgets that are directly built into the platform, collect trend data and track progress without having to write any SQL statements or complicated queries. With just one click, Qualys enables customers to track progress and compare the burn-down rate of various security data points.
Looking at the whole claim paragraph, we are assuming Rapid7 means that the Qualys platform does not provide any remediation capabilities other than installing patches. As previously mentioned, Qualys VMDR not only fully automates the remediation process with a number of capabilities such as ticketing, alerting and notifications, so that security teams are notified when vulnerabilities are discovered and can take actions outside the solution, but also helps with active remediation capabilities such as patching and certificate renewal based on asset-related contextual data. With agent-based patching in VMDR, vulnerabilities and patches are automatically correlated, which speeds the remediation response. Furthermore, the ability to auto-deploy patches via the cloud provides an additional advantage.
The recently launched 'Qualys Endpoint Protection' service provides customers with the ability to manage remote endpoints through a single cloud agent thus enabling a productive, collaborative global, remote workforce.
The cloud-based VMDR solution enables:
Rapid7’s claim that Qualys provides 'patching via agents' as the only option for remediation is baseless, as Qualys does provide other remediation capabilities, both active and passive.
More than 70 technology solutions leverage and integrate with Qualys workflows and data flows through easy-to-use, efficient and open XML APIs. Qualys is a long-time SaaS provider and has open APIs that enable the developer community to leverage the extensibility and flexibility of the APIs to build external workflows suited for their business cases. Qualys VMDR enables automatic discovery of Windows servers with Active Directory, and rule-based tagging and classification for Domain Controllers. Additionally, Qualys configuration management integrated in VMDR provides a rich set of configuration controls not just for Active Directory but also for Microsoft Intune technology, used by customers to manage their remote endpoints. Qualys also provides elevated security for DHCP and DNS through integration with Infoblox.
Being a cloud-based, multi-tenant platform, Qualys has integrated very strict and strong built-in RBAC capabilities in its products. The RBAC capabilities in Qualys are not restricted to role-based access; they extend to the scoping rights of the user account as well.
Additionally, tag-driven user scoping for dashboarding and searching capabilities is another built-in feature of Qualys. The new VM Dashboard, launched with VMDR, uses a customizable RBAC model with Read/Modify permissions for using the unified dashboard widgets.
There are two major shifts happening in IT and security – the IT environment is becoming increasingly hybrid and vulnerability management programs are evolving. Qualys VMDR is an all-in-one vulnerability management, detection and response solution, based on a cloud-native platform with a multi-layered architecture, designed to scale for the billions of security and vulnerability datapoints required in providing risk-based context for vulnerability management. Qualys VMDR provides unified workflows for real-time asset inventory, vulnerability and configuration management, risk-based prioritization of vulnerabilities and the ability to deploy patches to fix vulnerabilities. The false claims made by Rapid7 can safely be dismissed as lacking in research and the full context of customers’ end-to-end use cases. During these times of an increasing remote workforce, Qualys is concentrating on helping customers address the security challenge of remote endpoints and applications and would encourage the competition to concentrate on the common enemies – attackers and vulnerabilities.
Get a free trial of VMDR, the all-in-one Vulnerability Management, Detection and Response service.
See a live demo at VMDR Live on April 21, 11am - 1pm PT.
Learn how the Remote Endpoint Protection service can help with remote endpoint security challenges end to end.
Shailesh Athalye, VP of Compliance Solutions, Qualys