To kick off RSA USA 2022 in San Francisco earlier this month, Qualys released VMDR 2.0 along with TruRisk, the latest version of its cloud-based vulnerability management, detection and response service platform.
The updated service places more emphasis on cyber risk management, as Qualys Vice President of Product Management Mehul Revankar explained on June 8 in an interview, streamed from the RSA Conference 2022, with the CyberRisk Alliance Vice President of Content Strategy Bill Brenner.
“When we launched VMDR 1.0 about two years ago, the main thing we were trying to drive was through integration,” Revankar said. “Customers have many tools but fewer solutions. They have one solution for asset management, one solution for vulnerability analysis and detection, another solution for prioritization, another solution for remediation and response.”
“These tools don’t necessarily communicate with each other,” Revankar added. “So we combined all of that into one all-in-one solution to discover, prioritize and fix vulnerabilities on a scale.”
VMDR has “helped us change the vulnerability management game,” Revankar said, citing faster detection of both vulnerabilities and assets, along with improved patching times of nearly 60 percent.
Appetite for risk management
But, he added, when the Qualys team started planning VMDR 2.0, they found out their clients were still looking for something.
“Customers are more risk-focused and less concerned about vulnerabilities,” Revankar said. “All in all, every question we’re asked is ‘How can I manage risk? How can I reduce risk? What can I do to close the gap in IT and security? How can I automate things?’”
To that end, VMDR 2.0 with TruRisk was developed to give organizations more insight into their cyber risk, along with new ways to mitigate and manage those risks. Users will be presented with a dashboard that applies risk scores of zero to 1,000 for internet-facing assets, high-risk assets and cloud assets, along with bar charts showing the criticality and distribution of assets and vulnerabilities.
“The concept of risk is very easy to understand, but implementation is very difficult,” Revankar explained. “You can have a vulnerability in an internal asset and a critical vulnerability but the risk is low. But the same one in an external facing asset, it’s really a big deal.”
“Same thing goes with the criticality of the asset,” he added. “What value does it prove? It’s like, you know, import[ant]? Does it serve an important role in the organization? All of these things should be considered as part of your risk equation.”
There are no critical errors
Asset criticality is automatically determined in VMDR 2.0, Revankar explained, to prevent human error.
“One of our core beliefs is if organizations need to manually set the criticality we’ve lost in the game,” he said. “If you have like 100 systems, that’s probably fine, but if you’re dealing with 100,000 or millions of assets, that’s not feasible. So we’ve included CMDBs [configuration management database] to automatically bring business criticality to asset criticality, and that automatically drives the asset’s risk score.”
Also, VMDR 2.0’s assessment of vulnerability risk is based on the specific risk to a particular organization rather than on a one-size-fits-all CVSS score, which Revankar said “represent[s] the technical severity of the weakness.”
Instead, VMDR 2.0 investigates the parameters of each vulnerability to reveal its aspects and how they can threaten your organization.
“What is the maturity of the exploit code for this vulnerability?” Revankar asked. “Is it weaponized? Can somebody just take it and run it and exploit in a compromised system? Or is it just a proof of concept? Are there malwares or threat actors exploiting this vulnerability? If so, which one is exploiting that vulnerability?”
Qualys’s threat-intelligence database contains about 185,000 known vulnerabilities, Revankar said, but only about 4,000 have corresponding exploits. And of those, he said, “only 700 to 300 vulnerabilities are exploited by malware or threat actors,” which naturally poses a high risk.
However, even known vulnerabilities may not pose high risk to all organizations, Revankar said.
“If you have a mitigation controller that provides system control for that vulnerability, we lower the risk score for you so you can focus on the real high-priority items in your infrastructure,” he said.
Closing the gap
Revankar explained that one of the main things Qualys aims to do with VMDR 2.0 is “close the gap between IT and security.”
“One of the core beliefs we have is [that] in order to properly manage vulnerabilities, three key aspects need to come and come together: people, technology and processes,” he said. “No matter how many improvements we make, how many improvements we make to the client’s algorithm risk, if people and processes are not taken care of, the vulnerability management program will fail.”
One way to achieve that, Revankar says, is the introduction of Qualys modules that are compatible with ServiceNow’s IT service management (ITSM) platform.
“You can directly import all these findings into ServiceNow, create tickets, assign it to the right people, close it,” he said. “IT teams can track their reporting and dashboards directly from ServiceNow.… No more manual spreadsheets, no more forwarding PDF reports and objects falling into cracks.”
Another is to add a code-free, drag-and-drop programming workflow to VMDR 2.0 to make automating tasks easier.
“With increasing vulnerabilities, the number of people needed to fix these things is not increasing at the same rate,” Revankar said. “You expect to do more with less. The only way to do that is with more automation.”
“So we’re also introducing workflows without code,” he says. “We are introducing templates to our platform where you can quickly select our pre-packaged templates” to respond more quickly to new threats.
“It’s all included in the VMDR solution so [our customers] get risk-based vulnerability management automation with our integration with ITSM and then code-free workflows to empower security teams and IT teams to do more,” Revankar said. “There’s a lot of value packed with VMDR so customers can manage vulnerabilities efficiently.”