In this podcast, Prateek Bhajanka, VP of Product Management, Vulnerability Management, Detection and Response at Qualys, discusses how you can significantly accelerate an organization’s ability to respond to threats.
Qualys VMDR enables organizations to automatically discover every asset in their environment, including unmanaged assets appearing on the network, inventory all hardware and software, and classify and tag critical assets. VMDR continuously assesses these assets for the latest vulnerabilities and applies the latest threat intel analysis to prioritize actively exploitable vulnerabilities.
Here’s a transcript of the podcast for your convenience.
Hi everyone. This is Prateek Bhajanka, VP of Product Management, Vulnerability Management, Detection and Response at Qualys. Today I’m going to talk about the new concept that Qualys has introduced in the market. That is vulnerability management, detection and response, which talks about the entire lifecycle of vulnerability management using a single integrated workflow in the same platform altogether.
Security is only as strong as the weakest link that you have in your organization. There could be so many assets and devices which are on the network, which are connected to the enterprise network, which are consuming your enterprise resources, which you may not even know of. You will not be able to secure anything that you do not know of. That’s the reason the VMDR concept picks up the problem of vulnerability management right from the bottom itself where it is helping you discover the assets which are connected, or which are getting connected to your enterprise network.
No matter whether it is getting connected using VPN, or locally, or through a network, as soon as a device is getting connected, it will be discovered by the sensors that are located in the network, which can tell you that these are the new assets which are connected, and then you can go about inventorying them. You can maintain the asset inventory of those devices. Then the next step is that if you look at performing vulnerability management, then you go ahead and perform vulnerability assessment, vulnerability management of those devices, the existing ones, the ones which are already discovered and the ones which are now getting discovered. Then identify all the vulnerabilities which are existing in those assets, and then, as it is perceived in the market, vulnerability is a number game, but vulnerability management is no longer a number game.
The reason is, if you look at the statistics over the last 10 years, you would see that the total number of vulnerabilities which get discovered in a year, maybe let’s say 15,000 to 16,000 vulnerabilities that are getting discovered, out of those vulnerabilities, only a handful, like 1,000 vulnerabilities, get exploited. That means the fraction of vulnerabilities which are getting exploited is not more than 10 to 12%. Let’s say that you have a thousand vulnerabilities in your organization, and even if you fixed 900 vulnerabilities, you cannot say that you have implemented vulnerability management effectively, because the remaining hundred vulnerabilities could be all the way riskier than the 900 vulnerabilities that you fixed, and the remaining hundred vulnerabilities that you left could be the vulnerabilities which are getting exploited in the wild.
Now we are bridging the gap, and with the concept of VMDR, we are not just calculating these thousand vulnerabilities for you, but we are also helping you understand which hundred vulnerabilities are getting exploited in the wild using various formats. It could be malware, it could be ransomware, it could be nation-state attacks, it could be a remote code execution. So, what are the vulnerabilities that you should pay immediate attention to, so that you can prioritize your efforts, because you have a limited amount of remediation effort, a limited number of personnel, a limited number of resources to work on vulnerability management, so that you would be able to focus on the areas which would be all the way more impactful than what it is today. So, right from asset discovery to asset inventory to vulnerability management, and then prioritizing those vulnerabilities on the basis of the threats which are active in the wild.
Right now, so far what we are doing is problem identification, but we may not be actually solving the problem. How to solve that problem? With the concept of VMDR, we are also adding response capabilities in the same platform, so that it is not just about identifying the problem and leaving it on the table, but it is also about going and implementing the fixes. If you see a particular vulnerability, you would also be able to see which particular patch can be implemented in order to remediate this particular vulnerability.
That kind of correlation from CVE to the missing patch tells you the exact patches that you need to deploy so that this particular vulnerability can be remediated. It also tells you the list of prioritized assets on the basis of various real-time threat indicators, on the basis of various attack surfaces.
Once you have the vulnerability data, while we are doing the scanning, you have a lot of asset context that you can use to filter the number of vulnerabilities. When I say that, you divide the context into two parts: internal and external. Your external context would be your threat intelligence feed that is coming from so many different sources, or which may be inbuilt in the platform itself. And this threat intelligence is an external context because this is not taking into account your asset context or your internal organization context. So this will help you identify the vulnerabilities which are getting exploited in the wild today, which are expected to get exploited in the wild, for which there is some kind of chatter going around in the dark web, and these are the vulnerabilities for which the exploits have been developed, the proof of concept is available, and so many things. This is very external.
Now, the internal context. Out of 1,000 vulnerabilities, let’s say, on the basis of external context, you are able to prioritize or filter out 800 vulnerabilities, and now you’re left with 200 vulnerabilities. But how to go down further, how to streamline your efforts and prioritize your efforts?
Now comes the internal context. Whether this particular vulnerability is on a running kernel or a non-running kernel. Of course, I would like to focus my efforts on the running kernel first, because those are the kernels which would be exposed to any outsider. This is the asset context I would be putting in. What are the vulnerabilities which are already mitigated by the existing configuration? Let’s say, the BlueKeep vulnerability. BlueKeep vulnerability is a vulnerability which is on port 3389. If the network devices or if the network level authentication is already enabled on the network, that means I do not need to worry about the BlueKeep vulnerability.
If that is already enabled, I can also filter out those vulnerabilities on which the assets have been tagged as BlueKeep vulnerabilities existing. On the basis of all these many factors, whether this is remotely discoverable or not, because you will have to see that the vulnerabilities which are remotely discoverable can be remotely discovered by the attackers also. That means it’s a priority that you should go ahead and fix those vulnerabilities first. On the basis of so many other internal context filters that are available with the VMDR concept and VMDR platform, you would be able to identify those vulnerabilities, those hundred vulnerabilities out of a thousand vulnerabilities, which you should pay immediate attention to.
With the click of a button which is available on the console, you would be able to go ahead and deploy the remediation measures from the console itself, so that the time to remediation is reduced to the minimum possible. And the ideal time to remediation, as our Chief Product Officer likes to call it, is zero. The ideal time to remediation is zero because the average number of days before a vulnerability gets exploited in the wild is getting reduced. And now the average number of days has come down to seven.
You cannot have a significant delay between the time a vulnerability gets discovered and the time it gets patched. All of this, putting together everything right from asset discovery to asset inventory to vulnerability management, then prioritizing on the basis of the threats which are active, and then going about remediating and fixing those problems: this is the concept of vulnerability management, detection and response.
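The two-stage filter the transcript walks through (external threat-intel context first, then internal asset context such as running versus non-running kernel, a mitigating configuration like Network Level Authentication on RDP port 3389, and remote discoverability, ending in a CVE-to-patch mapping) can be written down as a small prioritization routine. The following is an added example, not Qualys VMDR code or its API; every CVE identifier, patch identifier, asset name, kernel version and threat-intel flag is a constructed placeholder, and the point weights are an assumption chosen only to make the ordering visible.

```python
"""Two-stage vulnerability prioritization: external threat intel, then internal asset context.

Added illustration, not Qualys code. All identifiers and data below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RDP_PORT = 3389  # the port the transcript names for the BlueKeep-style RDP exposure


@dataclass(frozen=True)
class Asset:
    name: str
    running_kernel: str             # kernel the host is currently booted on
    rdp_nla_enabled: bool = False   # Network Level Authentication enforced on the RDP service
    internet_facing: bool = False   # reachable from outside the enterprise network


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: Asset
    kernel: Optional[str] = None    # for kernel CVEs: the installed kernel version the finding is on
    port: Optional[int] = None      # service port the vulnerability is reachable on, if any
    remotely_discoverable: bool = False


# External context: constructed threat-intel feed keyed by placeholder CVE IDs (not real CVEs).
THREAT_INTEL: Dict[str, Dict[str, bool]] = {
    "CVE-0000-1001": {"exploited_in_wild": True,  "exploit_public": True,  "chatter": True},   # RDP bug, BlueKeep-like
    "CVE-0000-1002": {"exploited_in_wild": True,  "exploit_public": False, "chatter": False},  # kernel privilege escalation
    "CVE-0000-1003": {"exploited_in_wild": False, "exploit_public": True,  "chatter": False},  # RCE with a public PoC
    "CVE-0000-1004": {"exploited_in_wild": False, "exploit_public": False, "chatter": False},  # nothing known
}

# Response context: constructed CVE -> missing-patch mapping (placeholder patch IDs).
PATCH_FOR_CVE: Dict[str, str] = {
    "CVE-0000-1001": "PATCH-PLACEHOLDER-A",
    "CVE-0000-1002": "PATCH-PLACEHOLDER-B",
    "CVE-0000-1003": "PATCH-PLACEHOLDER-C",
    "CVE-0000-1004": "PATCH-PLACEHOLDER-D",
}


def external_score(cve: str, intel: Dict[str, Dict[str, bool]]) -> int:
    """Stage 1: weight from threat intel alone. 0 means no external evidence of exploitation."""
    ti = intel.get(cve, {})
    return (10 * ti.get("exploited_in_wild", False)
            + 5 * ti.get("exploit_public", False)
            + 2 * ti.get("chatter", False))


def mitigation_reason(f: Finding) -> Optional[str]:
    """Stage 2a: internal context that takes a finding off the active list."""
    if f.kernel is not None and f.kernel != f.asset.running_kernel:
        return "non-running kernel"
    if f.port == RDP_PORT and f.asset.rdp_nla_enabled:
        return "RDP exposure mitigated by Network Level Authentication"
    return None


def internal_boost(f: Finding) -> int:
    """Stage 2b: asset context that raises priority."""
    boost = 3 if f.remotely_discoverable else 0
    if f.remotely_discoverable and f.asset.internet_facing:
        boost += 4  # attacker-reachable from the outside, fix first
    return boost


def prioritize(findings: List[Finding],
               intel: Dict[str, Dict[str, bool]] = THREAT_INTEL,
               patches: Dict[str, str] = PATCH_FOR_CVE) -> Tuple[List[dict], List[Tuple[Finding, str]]]:
    """Return (to_fix sorted by descending score, filtered-out findings with the reason)."""
    to_fix, filtered = [], []
    for f in findings:
        ext = external_score(f.cve, intel)
        if ext == 0:
            filtered.append((f, "no external evidence of exploitation"))
            continue
        reason = mitigation_reason(f)
        if reason:
            filtered.append((f, reason))
            continue
        to_fix.append({"cve": f.cve, "asset": f.asset.name,
                       "score": ext + internal_boost(f),
                       "patch": patches.get(f.cve, "no patch mapped")})
    to_fix.sort(key=lambda r: r["score"], reverse=True)
    return to_fix, filtered


# Constructed inventory and findings (hypothetical hosts and versions).
WEB01 = Asset("web01", running_kernel="5.15.0-91", internet_facing=True)
JUMP01 = Asset("jump01", running_kernel="10.0.19041", rdp_nla_enabled=True)
DESK07 = Asset("desk07", running_kernel="10.0.19041", rdp_nla_enabled=False)

SAMPLE_FINDINGS = [
    Finding("CVE-0000-1001", JUMP01, port=RDP_PORT, remotely_discoverable=True),  # NLA on: mitigated
    Finding("CVE-0000-1001", DESK07, port=RDP_PORT, remotely_discoverable=True),  # NLA off: top priority
    Finding("CVE-0000-1002", WEB01, kernel="5.15.0-88"),                          # old kernel still installed
    Finding("CVE-0000-1002", WEB01, kernel="5.15.0-91"),                          # the running kernel
    Finding("CVE-0000-1003", WEB01, port=443, remotely_discoverable=True),        # PoC, internet-facing
    Finding("CVE-0000-1004", DESK07, port=8080),                                  # no external evidence
]

if __name__ == "__main__":
    fix, dropped = prioritize(SAMPLE_FINDINGS)
    for row in fix:
        print(f"FIX   {row['cve']} on {row['asset']}: score {row['score']}, deploy {row['patch']}")
    for f, why in dropped:
        print(f"SKIP  {f.cve} on {f.asset.name}: {why}")
```

The external stage alone removes only the finding with no threat-intel signal; the internal stage is what strips the NLA-protected RDP host and the kernel that is installed but not booted, leaving three findings, each already paired with the patch that closes it.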