This document discusses the need for continuous security and compliance monitoring of global IT assets due to the decreasing time between vulnerability exposure and attack. It notes that WannaCry exploited vulnerabilities within 100 days on average, while exploits now occur within 30 days. The document recommends moving from periodic assessments to continuous monitoring using lightweight cloud agents that can assess both on-premise and remote assets like cloud servers and user endpoints. Qualys products provide continuous discovery, vulnerability management, and compliance through a single agent and platform.
Webcast Series #1: Continuous Security and Compliance Monitoring for Global IT Assets
1. Continuous Security and Compliance Monitoring for Global IT Assets
January 18, 2018
Chris Carlson, VP, Product Management, Qualys, Inc.
2. WannaCry: Observations of Qualys Threat Data
Inadequate patching timing: high-severity vulnerabilities are taking 100+ days to patch/configure/correct.
Exploit and attack patterns are speeding up and now take < 30 days on average (WannaCry was distributed in 26 days).
3. WannaCry (MS17-010) and VM Scanning
Timeline: Auth Scanning / Agent -> EternalBlue released -> New Auth Scanning / New Agent Deployment -> WannaCry Released
Organizations doing continuous VM assessment with agent / authenticated scanning and aggressively patching were much less impacted by WannaCry.
4. The core IT service areas must be improved (Observations of Qualys Threat Data)
• Asset Identification: monitoring all enterprise assets
• Alert Speed and Triage Accuracy: enabling effective response
• Effective Vulnerability Remediation for real risks targeting individual environments (emergency) vs. commodity risks
• Asset & Configuration Management / Build Compliance
• Network Architecture and Segmentation gaps – on-premise, cloud and remote users
7. Why? What factors are driving this?
• Rapidly reducing time from vulnerability to attack
• Attacks shifting to organized crime and ransomware
• Board-level / C-suite visibility of, and impact from, security events
• Digital Transformation is creating an IT Transformation
Are you prepared?
8. Digital Transformation is Driving IT Transformation for Organizations
Environments shown: Private Clouds, Enterprise On-Premise, Remote End Users, Internet, Public Clouds
9. … But creates new Challenges for Security
Environments shown: Private Clouds, Enterprise On-Premise, Remote End Users
• Can’t scan remote users
• Don’t know how many assets you have
• Don’t know when those assets are running
• Credential issues / authentication failures
• Monthly / weekly scanning too slow
11. Qualys Sensors
Scalable, self-updating & centrally managed
• Physical – Legacy data centers; corporate infrastructure; continuous security and compliance scanning
• Virtual – Private cloud infrastructure; virtualized infrastructure; continuous security and compliance scanning
• Cloud/Container – Commercial IaaS & PaaS clouds; pre-certified in marketplace; fully automated with API orchestration; continuous security and compliance scanning
• Cloud Agents – Lightweight, multi-platform; on-premise, elastic cloud & endpoints; real-time data collection; continuous evaluation on platform for security and compliance
• Passive – Passively sniff on network; real-time device discovery & identification; identification of APT network traffic; extract malware files from network for analysis
• API – Integration with threat intel feeds; CMDB integration; log connectors
12. Qualys Cloud Agent
• Lightweight software agent (collects metadata only)
• Covers on-premise servers, public cloud, remote endpoints
• Supports Windows, Linux, Mac, AIX
• Delivers multiple security functions in one agent
13. Qualys Suite of Applications
Qualys Platform: central management / API
Cloud Agent:
• Efficient network usage (delta processing): 50 - 350 KB / day on average
• Lightweight metadata acquisition resources: 1% CPU (tunable), 3 MB application
• Platforms: Windows, Linux, Mac, AIX
14. Cloud Agent Extends Network Scanning
• No scan windows needed
• Find vulnerabilities faster
• Detect a fixed vulnerability faster
• No firewall changes or network impact
Best for assets that can’t be scanned:
• Unable to get credentials / authentication failures
• Remote / roaming user assets
• Remote systems that can’t be scanned
• Cloud / elastic deployments
• Servers sensitive to port scans
15. Try and Manage Apps on one Cloud Agent
End the fight with IT to deploy security agents!
17. Selected Cloud Agent Deployments
• Ecommerce Company – 1,200,000 scope (1M cloud + 150k users)
• Financial Services – 270,000 Windows (8K/wk)
• Financial Services – 25,000 user machines
• Ecommerce – 65,000 ~ 95,000 AWS
• Oil Field Services – 4,000 remote servers
• Rx30 Pharmacy Management – 4,500 servers/users/cloud
• ACI Worldwide Payment Systems – 1,500 servers/users
18. Global Pharmaceutical Company (Case Study)
Customer: Global Pharmaceutical Company
Industry: Pharmaceutical, Biopharmaceutical, Life Sciences
Qualys Applications
Challenges
• No vulnerability visibility of user endpoint machines
• Authenticated scanning failures on server machines: Windows – 20% failure rates; Linux – 60% failure rates
• Weekly scanning created gaps in reporting
• New IT initiative for AWS and Azure development difficult to scan
Solutions
• Deployed 75,000 Cloud Agents on user endpoints for continuous visibility both on and off the network
• Deployed 20,000 Cloud Agents for on-premise servers to overcome their authentication failures
Outcome
• Cloud Agent finds new and fixed vulnerabilities faster than scanning
• Building the Cloud Agent into gold cloud images
19. Qualys Platform by the numbers
• 1+ trillion security events
• 3+ billion IP scans/audits a year
• 99.9996% Six Sigma scanning accuracy
• 250+ billion data points indexed on Elasticsearch clusters
Single Pane of Glass: via dynamic and customizable dashboards and centrally managed, self-updating, integrated Cloud Apps