Helping security teams respond to gaps in security and compliance programs with Qualys CSAM

Unlike traditional inventory tools that focus solely on visibility or rely on third-party solutions to collect security data, Qualys CyberSecurity Asset Management (CSAM) is an all-in-one solution.

In this interview with Help Net Security, Edward Rossi, VP, Product Management, Asset Inventory and Discovery at Qualys, talks about how the solution enables security professionals to see the entire picture of their assets – from inventory to detection to response.

Qualys CSAM

Many organizations can’t secure their hybrid IT environments since they don’t know what is in their inventory. What makes visibility into security context a gold mine for security teams?

When we spoke with our customers, it became clear that organizations need a comprehensive security view of their IT asset infrastructure, and they are struggling to get it. While traditional IT teams and inventory tools provide an IT view of inventory, software support, and licensing, security teams are looking for the security context of assets such as assets that are not running security tools, detection of unauthorized software, internet visibility, and more.

These teams need to manage the risk posture of the assets rather than only inventorying the assets. In fact, an increasing number of mandates like FedRAMP, PCI require organizations to report asset inventory data correlated with security health posture of the assets.

Security tools like EDR help secure assets, but do not let security teams know which critical assets are not running EDR, or if databases are visible from the internet? All security teams have defined authorized and unauthorized software policies. Yet, operationalizing these policies and alerting for deviations would help security teams pinpoint the issue immediately instead of waiting on inventory data from IT teams or manually correlating the data.

Asset inventory data specifically managed with security context helps security teams continuously assess asset risk, detect at-risk assets, and prioritize an often overwhelming number of security issues so they can respond quickly.

But doesn’t this mean that overburdened security teams just have to do more?

They would if they had to do it themselves. The primary goal of our new solution Qualys CyberSecurity Asset Management (CSAM) is to narrow down the IT inventory to focus on assets and applications that require the most urgent attention.

Security teams don’t just want a list of static issues and adding security context on an ad hoc basis or manually on top of IT asset inventory doesn’t work. They need to be monitoring changes to the security context of their assets, so they can know when the new assets with specific characteristics or risk profiles are introduced or when the risk of existing assets changes.

With limited resources on security teams, automated detection and alerting tools are required to achieve the scale and scope of managing small- and medium-sized environments, let alone enterprise-scale infrastructure. Simple policies like “No databases should run on webservers” can become a complex challenge to implement.

Qualys recently unveiled CSAM. What are its main features and what makes it unique?

First, Global AssetView, our free IT Inventory offering, automatically discovers and classifies all IT assets including software, on-prem devices and applications, mobile, clouds, containers, and enterprise IoT devices using both agent and agentless methods. It works in conjunction with the Qualys Cloud Platform and Qualys sensors (scanners, cloud connectors, container sensors, cloud agents, passive sensors and APIs), ensuring that you have a comprehensive view of your entire IT asset inventory.

CyberSecurity Asset Management builds on our free Global AssetView app and moves the needle beyond inventory by adding security context and response. It is asset management reimagined for security teams, focused on identifying all systems comprehensively, detecting at-risk assets, and mitigating with appropriate actions.

The app fills the gap between traditional IT inventory and the core security functions by overlaying key business and asset criticality data, establishing unauthorized and authorized software lists, applying current and upcoming EOL/EOS data, providing an outside-in view of the organization’s internet-facing assets, highlighting security endpoint blind spots, monitoring the result with policy-based alerts, and facilitating appropriate response with software uninstall. It represents a security foundation on which organizations can deploy and build before easily moving to vulnerability management, endpoint detection and policy compliance using our single agent.

CSAM delivers asset and risk detection from a single platform, providing comprehensive inventory from multiple native sensors and third-party sources with real-time grouping and classification. It also includes policy-based detection of an assets’ security health by applying business criticality and risk context, detecting security tool gaps and responding with alerts or unauthorized software removal, thus reducing the ‘threat debt’.

Other cybersecurity point solutions rely solely on third-party inventory tools or siloed technologies to collect data. Qualys not only provides a multi-pronged hybrid inventory capability with an in-context security view but uses that same infrastructure to deliver Endpoint Detection & Response, Vulnerability & Patch Management, Policy Compliance and more.

Qualys CSAM

How does the new solution help with enterprise IoT?

The incredible proliferation of IoT devices has vastly expanded the enterprise attack surface, but discovering, managing, and protecting those devices by traditional methods is not scalable. These devices lack built-in security controls. They can’t easily receive software updates, and can’t host agents, which leaves them unseen and unmonitored by traditional enterprise cybersecurity products.

There is also a lack of visibility into both known and rogue IoT devices connecting to the network. Not all IoT devices were designed with security in mind, as they often contain clear text passwords, weak self-signed certificate and are implemented without encrypted communications.

Qualys’ ability to track and identify IoT devices is crucial to ensuring overall visibility. CyberSecurity Asset Management identifies enterprise IoT devices by leveraging the Global AssetView passive sensor to listen to network traffic and to identify all IP-connected devices in real time. CSAM dissects multiple protocols to fingerprint and uniquely identifies thousands of IoT devices

Qualys is also significantly extending its enterprise IoT fingerprinting library and profiling capability for tens of thousands of additional devices across key categories prevalent within our customer networks. These devices include VoIP phones, building automation devices, access control and badge readers, security cameras, connected audio and media devices, IoT gateways and access points, network printers, smartphones and tablets.

Qualys CSAM allows teams to focus security prioritization efforts on high-importance and high-risk assets using Asset Criticality. What does that include?

Asset criticality, defined by the user’s unique business environment, is a key tool that helps customers focus their security prioritization efforts on high-importance assets. It is a user-defined measure of asset function, environment, and service. With CSAM, users pulling data from their CMDB will automatically assign the asset criticality score to a tag and the corresponding asset. Assigning asset criticality to Qualys tags, users can prioritize based on a wide range of factors including assets that are cloud-based, running databases, production, as well as location and function based, such as those at headquarters or belonging to a key business service.

And with multiple tags linked to a given asset, the highest criticality value is identified and assigned as a searchable attribute to the asset itself. This provides the user with a flexible, dynamic and scalable method of establishing and automatically updating an asset’s criticality. Once defined, this measure can be used in conjunction with other context data to focus on assets with the greatest potential to impact the business.

How can Qualys CSAM users take advantage of the identification of at-risk assets?

CyberSecurity Asset Management applies security context to help identify at-risk assets. For example, it allows for the management of authorized and unauthorized software lists, also known as whitelists and blacklists. It also understands which assets are missing required security and monitoring tools or which assets are running software they shouldn’t be running.

EOL and EOS software is also identified as it represents a substantial risk as vendors are no longer supporting these versions. Additionally, Qualys’ external scanning and integration with third-party sources like Shodan.io gives an outside-in view based on the IPs owned by your organization, so you can see which assets in your inventory are visible from the internet.

When used in combination, the detection features of CSAM allow you to answer questions like, “Do I have databases running on internet-exposed systems used by the accounting department at the headquarters office?” CSAM automatically alerts on configured policies and can even uninstall unauthorized or EOL, EOS software directly from the CSAM application.

What types of reports are available in Qualys CSAM?

Out-of-the-box security health reports are available, including FedRAMP and PCI-DSS, providing a high-level view of a set of assets, e.g. for an individual office in an organization, as shown below.

Qualys CSAM

In addition, interactive reports allow you to flexibly drill down into any set of assets for insights into specific asset risk. The strength of the reporting rests on the combination of comprehensive asset inventory, the security context that CSAM applies to the inventory, including from Qualys’ CMDB integration, and the flexible filtering and drilldown features in the reporting itself, supported by normalization and categorization of the data.

To learn more about Qualys CyberSecurity Asset Management, please join us for our AssetView Live event on June 2.

Don't miss