
CONTINUOUS SECURITY

VULNERABILITY
MANAGEMENT
Qualys, Inc. Confidential

Quick Requests
Breaks are generally every hour

Exam

Qualys VM
Topics Covered

Getting Started With Qualys


Introduction to Qualys SaaS Architecture
Qualys Vulnerability Management Lifecycle
Qualys KnowledgeBase and Search Lists

Configuring a Qualys Solution
Mapping
Asset Management
Scanning
Reporting
User Management
Remediation
EXAM

Qualys Software-as-a-Service

[Diagram: a single SaaS solution for Security, Compliance, and Asset Management, with no software to deploy or maintain. Audiences shown: Management Team, Vulnerability and Risk Management, Auditors, IT Remediation Team. Outputs shown: Dashboard, Risk Analysis, Scorecards, Trend Reports, Compliance Reports, Asset Inventory, Audit trail, Patch Reports, Alerts, Configuration Reports, Technical Reports, Differential Reports, Risk Reports by host.]
Qualys Cloud Platform

[Diagram: the Qualys Platform (external scanner pool, strong data encryption, firewalls, IDS) communicates with the corporate environment and with Qualys users over TLS. Internal scanner appliances assess internal assets; the external scanner pool assesses external assets and cloud assets hosted at IaaS providers.]

Appliances support Vulnerability Management, Policy Compliance, and Web Application Scanning

Vulnerability Management Lifecycle

1. Discover
2. Organize Assets
3. Assess
4. Report
5. Remediate
6. Verify

Demonstration and Labs


THE KNOWLEDGEBASE


KnowledgeBase
The Central Repository


All QIDs are stored here

Vulnerability Severity Levels

Severity 1: least urgent
Severity 5: most urgent

Common Vulnerability Scoring System (CVSS)

De facto rating system for PCI DSS
The Qualys KnowledgeBase provides CVSS scores (as published in NIST's National Vulnerability Database) in addition to the Qualys Severity.

CVE and Bugtraq

Correlates vulnerabilities with CVE IDs (http://cve.mitre.org/)
Correlates vulnerabilities with Bugtraq IDs (http://securityfocus.com)

KnowledgeBase
Anatomy of a QID

General Info - basic details such as title, severity and type
Details - QID, CVE ID, Bugtraq ID and other vendor reference information
Software - vendors and products associated with the vulnerability
Threat - the inherent threat posed by the vulnerability
Impact - what could happen should the vulnerability be exploited
Solution - how to fix the issue
Exploitability - exploit information correlated with this vulnerability
Malware - malware information correlated with this vulnerability
Compliance - whether there are compliance concerns
Results - what was returned when the host was probed (available in a report or scan result after scan completion)

Disabled vulnerabilities are still scanned for, but they are not reported or ticketed.

KnowledgeBase
Editing Vulnerabilities

Change severity levels
Threat, Impact and Solution each have a user comments field
Updates from the service are not overridden by user edits
Edited vulnerabilities are noted in scan results

KnowledgeBase
Search

Use the search functionality to find vulnerabilities by QID, title, user configurations and many other criteria.
KnowledgeBase searching supports selecting multiple items (OR) as well as NOT conditional operators, along with a Vendor and Product hierarchy.


KNOWLEDGEBASE SEARCH LIST


Using Search Lists

A search list can be attached to:
Report Template & Scorecards - on which vulnerabilities do we want to report?
Remediation Policy - for which vulnerabilities do we want tickets?
Option Profile - for which vulnerabilities are we scanning?

Search Lists Overview

User-defined groups of QIDs:
Static search list - manually defined
Dynamic search list - defined by search criteria

Benefits:
A dynamic list updates itself when new QIDs meet the search criteria
No limit on the number of QIDs in a search list

Search Lists
Static Saved Searches

Static searches are useful where a specific, fixed set of QIDs needs to be excluded.

Search Lists
Saved Search Object Information

Detailed information about a saved search is available anywhere the saved search is shown.
General Info, the KnowledgeBase criteria, and all QIDs that match the criteria are shown.
Also shown is a list of all report templates, option profiles and remediation rules where the list is used.

Search Lists
Use Cases

Create an automatically updated report for Microsoft's Patch Tuesday vulnerabilities
Create remediation rules that link the application having the vulnerability with the right person to fix it
Scan for a single vulnerability
Create a report for PCI vulnerabilities
Scan for high severity, exploitable vulnerabilities
Build a report for only the vulnerabilities published in the last 30 days
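The static versus dynamic distinction above, as an added Python example that is not part of the Qualys training material or product: a toy KnowledgeBase of made-up QIDs, a static list fixed by hand, and dynamic lists expressing the use cases from this section (Patch Tuesday, high-severity exploitable, published in the last 30 days, PCI). Adding a new QID shows the dynamic lists picking it up while the static list stays as it was. Every QID number, title, vendor, date and the class names are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed toy KnowledgeBase: QIDs, titles, vendors and dates are made up
# for this example and do not correspond to real Qualys QIDs.
@dataclass(frozen=True)
class QID:
    qid: int
    title: str
    severity: int      # Qualys severity: 1 = least urgent, 5 = most urgent
    vendor: str
    published: date
    exploitable: bool  # public exploit / exploit kit correlated with the QID
    pci: bool          # flagged as a PCI DSS concern

def build_kb():
    return [
        QID(90001, "Windows SMB remote code execution", 5, "Microsoft", date(2016, 1, 12), True, True),
        QID(90002, "Windows kernel information disclosure", 3, "Microsoft", date(2015, 12, 8), False, False),
        QID(38001, "OpenSSL padding oracle", 4, "OpenSSL", date(2016, 1, 5), True, True),
        QID(86001, "Web server directory listing enabled", 2, "Apache", date(2015, 6, 1), False, True),
        QID(12001, "Telnet service detected", 3, "Multiple", date(2010, 1, 1), False, True),
    ]

class StaticSearchList:
    """Manually defined set of QIDs: membership only changes when a user edits it."""
    def __init__(self, name, qids):
        self.name, self.qids = name, frozenset(qids)
    def resolve(self, kb, today):
        return {q.qid for q in kb if q.qid in self.qids}

class DynamicSearchList:
    """Defined by criteria: re-evaluated against the whole KnowledgeBase each time."""
    def __init__(self, name, criteria):
        self.name, self.criteria = name, criteria   # criteria(qid_record, today) -> bool
    def resolve(self, kb, today):
        return {q.qid for q in kb if self.criteria(q, today)}

# The use cases from the slide, expressed as search lists.
SEARCH_LISTS = [
    StaticSearchList("Excluded_Telnet", [12001]),
    DynamicSearchList("Patch_Tuesday", lambda q, today: q.vendor == "Microsoft"),
    DynamicSearchList("High_Exploitable", lambda q, today: q.severity >= 4 and q.exploitable),
    DynamicSearchList("Published_Last_30_Days", lambda q, today: (today - q.published).days <= 30),
    DynamicSearchList("PCI", lambda q, today: q.pci),
]

def resolve_all(kb, today, search_lists=SEARCH_LISTS):
    """Name -> set of matching QIDs, as a report template or option profile would see them."""
    return {sl.name: sl.resolve(kb, today) for sl in search_lists}

def demo(today=date(2016, 1, 20)):
    """Show the dynamic lists growing when a new QID lands, while the static list does not."""
    kb = build_kb()
    before = resolve_all(kb, today)
    kb.append(QID(90003, "Office memory corruption", 5, "Microsoft", date(2016, 1, 19), True, True))
    after = resolve_all(kb, today)
    return before, after

if __name__ == "__main__":
    before, after = demo()
    for name in before:
        print(f"{name:24s} before={sorted(before[name])} after={sorted(after[name])}")
```

The "Published_Last_30_Days" list is the one that makes the point most sharply: its membership changes not only when the KnowledgeBase changes but also as the calendar advances, which is why a report template bound to it never needs editing.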

Demonstration and Labs



ASSET MAPPING


Mapping Options

1. DNS Reconnaissance
- Domain Lookup (whois) identifies the DNS servers
- DNS Zone Transfer collects host records from the DNS database
- DNS Brute Force (www.qualys.com, ftp.qualys.com, mail.qualys.com)
- Reverse DNS Lookups based on IPs already discovered/known

2. Host Sweep (via ICMP, TCP and UDP probes)
- Very important for mapping netblocks
- Provides live host status in map results via Host Discovery

Mapping Configuration

A Map is built from:
Option Profile (the how): Map Preferences
Scanner Appliance
Assets (the what): Domains/Netblocks, Asset Groups

Mapping Options


Mapping Benefits

Shows an overall view of your corporate assets
Mapping is the foundation for proper asset management

Map Results

Legend:
A: Approved
S: Scannable
L: Live
N: Netblock

Mapping: Graphic Mode


Demonstration and Labs



ASSETS


Adding and Removing IPs

Managers can:
- Add assets to the subscription
- Remove assets from the subscription

Asset Group
Primary mechanism for assigning host access privileges
within the Vulnerability Management application.
Asset groups can be based on:

Device type
Priority or criticality
Geographic location
Ownership (department)


Asset Group Scanning Targets

For scanning, work with Asset Groups based on location. Example Asset Groups, each holding the workstations/desktops of one office:
Scan_Chicago (Chicago)
Scan_London (London)
Scan_Tokyo (Tokyo)

Asset Group Reporting Targets

Asset Groups for reports have different requirements: each department needs information about its own responsibilities (Server Admin vs. Desktop Admin). Example Asset Groups, each spanning Chicago, London and Tokyo:
Servers
Desktops

Asset Group: Business Impact

Business Impact is used to calculate the Business Risk.

Business Risk scores can be used to measure overall progress.


Business Risk

Two factors:
Security Risk
Business Impact

Business Impact is a configurable attribute of an Asset Group:
Five levels
Titles are freely configurable
For each Business Impact level, a weight is assigned for each Security Risk

AssetView and Tagging

AssetView provides the following capabilities*:
Dynamic tagging, automatically assigned based on any detectable attribute
Custom, dynamic dashboards
Query all of your asset data obtained via scans and Cloud Agents in one centralized location, instantaneously

* The Asset Tagging feature must be added to your subscription

Automated discovery and tagging

[Diagram: a scanner appliance on network 10.0.30.16/28 discovers hosts 10.0.30.17, 10.0.30.18, 10.0.30.19 and 10.0.30.20 and classifies each as Workstation or Server. Host 10.0.30.18 (OS: Windows 2008) is tagged Server, Chicago Branch and TELNET ON; the IT Security user views the resulting tags.]
Initial Asset Tags


The service creates some initial
asset tags based on existing
objects in your account:

Asset Groups
Business Units
Malware Domain Assets
Web Application Assets


Creating and Assigning Tags

Edit and create new tags in:
1. Asset Search (in Vulnerability Management)
2. The AssetView application

Asset Tag Rule Engine

Although tags can be created statically (no dynamic rule), dynamic asset tags provide the most flexible and scalable way to automatically discover, organize and manage your assets.
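How a dynamic tag rule engine behaves, as an added Python example that is not Qualys code: the hosts are a constructed scan result for the 10.0.30.16/28 branch network from the earlier figure (plus one host elsewhere), each rule is a predicate over detectable attributes (IP, OS string, open ports), and a static tag with no rule is merged in by hand. Re-tagging after a new scan shows a dynamic tag (TELNET ON) disappearing when the attribute goes away. The OS strings, port lists, rule names and the `Host` type are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    ip: str
    os: str
    open_ports: frozenset   # TCP ports found open by the last scan

# Constructed scan results for the 10.0.30.16/28 branch network in the slide,
# plus one host elsewhere; OS strings and port lists are made up.
HOSTS = [
    Host("10.0.30.17", "Windows 7", frozenset({139, 445})),
    Host("10.0.30.18", "Windows 2008", frozenset({23, 135, 445})),
    Host("10.0.30.19", "Red Hat Enterprise Linux Server 6", frozenset({22, 80})),
    Host("10.0.30.20", "Windows 7", frozenset({445})),
    Host("10.0.40.5", "Windows 2008", frozenset({3389})),
]

def is_server(host):
    return any(token in host.os for token in ("Server", "2008", "2012"))

# Dynamic tag rules: tag name -> predicate over the host's detectable attributes.
# Rule order does not matter; every rule is evaluated independently.
DYNAMIC_RULES = {
    "Chicago Branch": lambda h: ipaddress.ip_address(h.ip) in ipaddress.ip_network("10.0.30.16/28"),
    "Server": is_server,
    "Workstation": lambda h: not is_server(h),
    "TELNET ON": lambda h: 23 in h.open_ports,
}

# Static tags (no dynamic rule): assigned by hand and kept until someone removes them.
STATIC_TAGS = {"10.0.30.18": {"IT Security"}}

def tag_host(host, rules=DYNAMIC_RULES, static=STATIC_TAGS):
    """Evaluate every dynamic rule and merge in any static tags."""
    tags = {name for name, rule in rules.items() if rule(host)}
    return frozenset(tags | static.get(host.ip, set()))

def tag_all(hosts):
    return {h.ip: tag_host(h) for h in hosts}

def rescan(host, open_ports):
    """Re-evaluate tags after a new scan; dynamic tags follow the new attributes."""
    return tag_host(Host(host.ip, host.os, frozenset(open_ports)))

if __name__ == "__main__":
    for ip, tags in tag_all(HOSTS).items():
        print(ip, sorted(tags))
```

Because the scanner cannot know who owns a box, the "IT Security" tag stays static; everything that a scan can observe (network, OS, listening service) is better left to a rule, so the next scan corrects the tag set without anyone editing it.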

AssetView

Build customizable, dynamic dashboards
Query all of your host data in a centralized location, instantaneously

Applications Inventory


Ports and Services Inventory


Certificates Inventory

Certificate-related information such as certificates by expiration date, by key size, by certificate authority, by port, and self-signed certificates, as well as the certificate details.

Host Operating Systems Inventory


Demonstration and Labs



VULNERABILITY SCANNING


Qualys VM Scanning Engine

Core Engine
Inference-based scanning engine: intelligently launches modules specific to each unique host, providing optimal performance and accuracy

Modules
Responsible for collecting data from the hosts; modules are launched based upon information collected; hundreds of modules can coexist during a single scan

Information
Data collected by modules: Operating System, Open Ports, Active Services, Installed Applications

Qualys Scanning Engine

Host Discovery Module
Requires: {IP ADDRESS}
Task: checks if the remote host is alive
Produces: {HOST STATUS: HOST ALIVE/DEAD}

Port Scanner Module
Requires: {HOST STATUS: ALIVE}
Task: finds all open TCP/UDP ports
Produces: {Open Ports}

Service Detection Module
Requires: {Open Ports}
Task: detects which service is running on an open port
Produces: {Active Services}

OS Detection Module
Requires: {Open Port} (at least one open TCP port)
Task: detects the host OS
Produces: {OS}
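The Requires/Produces chain above, as an added Python example that is not the Qualys engine: each module declares when it is ready and which fact it produces, and the inference loop keeps launching whatever has become ready until nothing new can run, so a dead host gets only the discovery module and a host with no open TCP port never reaches OS detection. The "network" is a constructed table of probe responses so the example runs offline; the discovery port list, banner signatures and the TTL/window fingerprint table are toy assumptions, not Qualys's real probes or fingerprints.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed stand-in for the network: each target's probe responses are
# hard-coded so the example runs offline and sends no packets. TTL/window
# values and banners are illustrative, not a real fingerprint database.
TARGETS = {
    "10.0.30.18": {"icmp": True, "ttl": 128, "win": 8192,
                   "tcp": {23: b"\xff\xfd\x18", 80: b"HTTP/1.1 200 OK\r\nServer: IIS"},
                   "udp": {161: b"\x30\x26\x02\x01\x00"}},
    "10.0.30.19": {"icmp": False, "ttl": 64, "win": 5840,   # ICMP filtered, but TCP answers
                   "tcp": {22: b"SSH-2.0-OpenSSH_5.3", 8080: b"HTTP/1.1 200 OK\r\n"},
                   "udp": {}},
    "10.0.30.21": {"icmp": False, "ttl": None, "win": None, "tcp": {}, "udp": {}},  # nothing answers
}
DISCOVERY_TCP = (21, 22, 23, 25, 80, 135, 139, 443, 445, 3389)  # ports probed during discovery
IANA = {22: "ssh", 23: "telnet", 80: "http", 161: "snmp"}         # first guess by port number
BANNER_SIGS = ((b"SSH-", "ssh"), (b"HTTP/", "http"), (b"\xff\xfd", "telnet"), (b"\x30", "snmp"))
OS_FINGERPRINTS = {(128, 8192): "Windows", (64, 5840): "Linux"}

@dataclass
class Module:
    name: str
    ready: Callable[[dict], bool]      # "Requires": launch only once this holds
    produces: str                      # "Produces": the fact key this module writes
    run: Callable[[dict], object]

def host_discovery(facts):
    t = TARGETS[facts["IP"]]
    alive = t["icmp"] or any(p in t["tcp"] for p in DISCOVERY_TCP)  # one response is enough
    return "ALIVE" if alive else "DEAD"

def port_scanner(facts):
    t = TARGETS[facts["IP"]]
    return {"tcp": sorted(t["tcp"]), "udp": sorted(t["udp"])}

def identify(port, banner):
    """Protocol negotiation decides; the IANA port number is only the fallback guess."""
    for sig, name in BANNER_SIGS:
        if banner.startswith(sig):
            return name                 # also catches services on non-standard ports
    return IANA.get(port, "unknown")    # no recognisable banner: fall back to the port guess

def service_detection(facts):
    t = TARGETS[facts["IP"]]
    services = {(p, "tcp"): identify(p, b) for p, b in t["tcp"].items()}
    services.update({(p, "udp"): identify(p, b) for p, b in t["udp"].items()})
    return services

def os_detection(facts):
    t = TARGETS[facts["IP"]]
    return OS_FINGERPRINTS.get((t["ttl"], t["win"]), "unknown")

MODULES = [
    Module("HostDiscovery", lambda f: "IP" in f, "HOST_STATUS", host_discovery),
    Module("PortScanner", lambda f: f.get("HOST_STATUS") == "ALIVE", "OPEN_PORTS", port_scanner),
    Module("ServiceDetection", lambda f: "OPEN_PORTS" in f, "SERVICES", service_detection),
    Module("OSDetection", lambda f: bool(f.get("OPEN_PORTS", {}).get("tcp")), "OS", os_detection),
]

def scan_host(ip, modules=MODULES):
    """Inference loop: launch every module whose requirements are met until nothing new can run."""
    facts, launched = {"IP": ip}, []
    progress = True
    while progress:
        progress = False
        for m in modules:
            if m.name not in launched and m.ready(facts):
                facts[m.produces] = m.run(facts)
                launched.append(m.name)
                progress = True
    return facts, launched

if __name__ == "__main__":
    for ip in TARGETS:
        facts, launched = scan_host(ip)
        print(ip, facts.get("HOST_STATUS"), facts.get("OS"), launched)
```

Two of the later slides are visible in the data: 10.0.30.19 drops ICMP yet is still marked alive because one TCP port answered, and its web server on 8080 is identified as HTTP from the banner rather than from a port-number lookup.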

Host Discovery Module

ARP (scanner must reside on the local subnet of the target)
13 TCP ports (configurable to 20), half-open/SYN scanning
6 UDP ports
ICMP

GOAL: identify LIVE hosts in map results, and eliminate DEAD hosts from vulnerability scans

Port Scanning Module - TCP

TCP (connection-oriented): ports 0 to 65535
A standard Qualys scan uses 1900 TCP ports
Half-open/SYN scanning: an open TCP port will acknowledge a connection request (SYN/ACK) without the scanner completing the handshake

Port Scanning Module - UDP

UDP (connectionless): ports 0 to 65535
A standard scan uses 180 UDP ports
Open UDP ports do not always respond to the packets sent
Closed UDP ports will typically respond with ICMP Port Unreachable (which may be blocked by filtering rules)
Because of the unpredictable nature of UDP probes, UDP service detection is performed during UDP port scanning

Service Detection Module

[Diagram: the Service Discovery Engine maps open ports to services, e.g. 23/tcp -> TELNET, 80/tcp -> HTTP, 161/udp -> SNMP.]

Note: Qualys VM can detect more than 600 different services on TCP and UDP ports. To review these services go to the Help > About section.

IANA guidelines are used to perform an initial test specific to the service's port number
Detection by valid protocol negotiation (non-destructive)

Exceptions - initial tests may fail if:
The service is running on a non-standard port (more common for TCP)
The service uses a non-standard (unpredictable) banner
Qualys will continue to negotiate communications until the correct service can be identified (may result in service impact).

OS Detection

Based on TCP/IP stack fingerprinting:
OS vendors implement the TCP/IP stack differently
Specially crafted packets are sent to the target host to collect replies and build an OS fingerprint (using TTL, MSS, window size, etc.)
TCP/IP stack fingerprinting alone does not always produce accurate results

Enhanced using additional protocols (e.g. NetBIOS, HTTP, SNMP) when available

Authenticated scanning is more accurate, as the host simply tells us what it is (uname -a, the Windows registry, cat /etc/redhat-release, etc.).

Vulnerability Scanning

Host Discovery
- Checks for availability of target hosts. One response from the host indicates the host is "alive"

Port Scanning
- Finds all open TCP and UDP ports on target hosts (based on scan preferences)

Service Discovery
- Identifies which services are running on open ports

Device Identification (OS Detection)
- Attempts to identify the operating system on the first open port

Vulnerability Assessment
- Based on 1) Operating System, 2) Active Services, and 3) Installed Software

Vulnerability Detection

Module launching
- Specific vulnerability modules are loaded based on information gathered in previous phases

Signatures
- Template-based vulnerability signatures
- Active (but non-intrusive) tests for almost all detections
- Specially crafted requests distinguish between patched and un-patched versions
- Multiple tests validate each other's results to confirm the vulnerability

Scan Configuration

A Scan is built from:
Option Profile (the how): Scan Preferences, Authentication
Scanner Appliance
Assets (the what): Netblocks, Asset Groups, Asset Tags
Authentication Record

Option Profile
Scanning


Option Profile
Scanning

Add a Search List:
Although recommended in some cases, in general it is better to attach a Search List to a Report or Remediation Rule than to the Option Profile.

Option Profile
Authenticated (Trusted) Scanning

Connect to the service to extract more meaningful data
Discover vulnerabilities not detected by an untrusted scan
Confirm potential vulnerabilities
Requires an Authentication Record

* Application records and SQL Server records are supported in the Policy Compliance module.

Authentication Vaults

In large organizations where thousands of machines are scanned regularly for vulnerabilities, managing passwords is a challenge.
Some organizations are reluctant to let their credentials leave the network.

Launch Vulnerability Scan


Scan Settings


Vulnerability Scan
On Demand


Vulnerability Scan
Scheduled

Allows the automation of the scanning process
Schedules can be paused to comply with maintenance windows
Send notifications before and after the scan

Qualys Scan Calendar


Vulnerability Scan Results

Unfiltered, raw data of your scan targets



Demonstration and Labs



REPORTING


Report Configuration

A Report is built from:
Report Template: Host Based vs. Scan Based data, Filtering and Search Lists, Graphics and Details
Assets (the what): Assets, Netblocks, Asset Groups, Asset Tags

Qualys Reporting

Makes Map and Scan data readable
Creates a report of pertinent data; raw data is cumbersome
Many report types: Scan Reports, Remediation Reports, Patch Reports, Map Reports, Scorecards
Uses a central repository for users to store reports for multiple viewers

Qualys Reporting
Report Templates

Qualys has a set of standard templates that assist in reporting on scans, maps, and remediation.

Customized Reporting
Data Types

Host Based Findings vs. Scan Based Findings:
Host Based Findings use all cumulative (normalized) scan data held in Vulnerability Management for the reported hosts
Scan Based Findings allow the user to choose specific scan data (suggested for PCI reports)

Customized Reporting
Display Options

[Screenshot: the template's display options and the report section they produce.]

Customized Reporting
Display Options

What do you want to see in the detailed results?
- Do you need the Threat defined and the results of the test, or do you need to know how to solve it?
- The information will be pulled from the QID.

Qualys Patch Report

Actionable and prioritized list of patches to apply; KnowledgeBase supersedence information is included, so only the most relevant patches are displayed
Online format provides more interactivity (sorting, filtering)
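What "supersedence information included, so only the most relevant patches are displayed" amounts to, as an added Python example that is not Qualys code: for each host, collect every patch that fixes a detected QID, drop any candidate that a newer candidate (transitively) replaces, order what is left by the highest severity it addresses, and report any detected QID no patch covers instead of losing it. The patch IDs, QIDs, severities and supersedence links are constructed for the example and do not correspond to real vendor bulletins or Qualys QIDs.

```python
# Constructed patch data: patch IDs, QIDs, severities and supersedence links
# are made up for this example and do not correspond to real vendor
# bulletins or Qualys QIDs.
PATCHES = {
    "KB-100": {"fixes": {90101}, "superseded_by": "KB-200"},
    "KB-200": {"fixes": {90101, 90102}, "superseded_by": "KB-300"},
    "KB-300": {"fixes": {90101, 90102, 90103}, "superseded_by": None},
    "KB-400": {"fixes": {90201}, "superseded_by": None},
    "KB-500": {"fixes": {90301}, "superseded_by": "KB-510"},
    "KB-510": {"fixes": {90301}, "superseded_by": None},
}
SEVERITY = {90101: 5, 90102: 4, 90103: 3, 90201: 2, 90301: 5}   # Qualys severity per QID

def superseders(patch):
    """Every patch that (transitively) replaces `patch`; guards against cycles in the data."""
    chain, cur = [], PATCHES[patch]["superseded_by"]
    while cur and cur not in chain:
        chain.append(cur)
        cur = PATCHES[cur]["superseded_by"]
    return set(chain)

def patch_report(detections):
    """detections: {host: set of detected QIDs} -> per host, the minimal prioritized patch list.

    A candidate patch is dropped when another candidate supersedes it, so each host
    sees only the newest patch in each chain. QIDs no patch addresses are reported
    separately so they are not silently lost.
    """
    report = {}
    for host, qids in detections.items():
        candidates = {p for p, info in PATCHES.items() if info["fixes"] & qids}
        relevant = {p for p in candidates if not (superseders(p) & candidates)}
        prio = lambda p: (-max(SEVERITY.get(q, 0) for q in PATCHES[p]["fixes"] & qids), p)
        covered = set().union(*(PATCHES[p]["fixes"] for p in relevant)) if relevant else set()
        report[host] = {"patches": sorted(relevant, key=prio), "unaddressed": qids - covered}
    return report

if __name__ == "__main__":
    scan = {"10.0.30.18": {90101, 90102}, "10.0.30.19": {90201, 90301, 99999}}
    for host, entry in patch_report(scan).items():
        print(host, entry["patches"], "unaddressed:", sorted(entry["unaddressed"]))
```

The "unaddressed" set is the check a practitioner wants: a configuration finding with no patch (99999 here) should surface in a remediation ticket, not vanish because the patch report had nothing to say about it.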

Qualys Scorecard Reports

Provide vulnerability data and statistics appropriate for different business groups and functions
Easy to create and customize quickly
Customizable display and filtering options
Reports can be downloaded in multiple file formats
Filter by OS and/or vulnerability type

Qualys Authentication Report

The Authentication Report shows the authentication status for each scanned host:
- Passed
- Failed
- Passed with insufficient privileges
- Not Attempted

* Run this report after an authenticated scan to verify that authentication to the target hosts was successful.

Authentication Reports can also be scheduled.

Scheduled Reporting

Several report types can be scheduled:
Template-based scan reports (using Host Based Findings)
Scorecard reports
Patch reports
Template-based compliance reports
Remediation reports

Scheduling and Report Notification


Scheduled Reports Setup


Subscription Set Up
Report Share

Report Share is a centralized location for storing and sharing reports.
When enabled for the subscription, Managers specify the maximum amount of report data that each user may save.
Managers have the option to enable secure PDF distribution of reports.

Reporting Use Cases

Scenario: I need a weekly report of all the new vulnerabilities found on my Windows desktops. My Windows admins complain that the reports are too long. They just want to know what the vulnerability is and how to fix it. They are also only interested in the vulnerabilities that can be confirmed, and those that have the greatest security risk (severity level). How can we accomplish this?

Reporting Use Cases

Scenario: What type of vulnerability is more prevalent in my network? How can I tell?

Scenario: My manager wants to see what we have accomplished with Qualys. Where can I find that?

Zero-Day Risk Analyzer

[Diagram: iDefense Threat Intelligence feeds a 0-day advisory (e.g. Adobe Reader 9.1, Windows 7 DCOM) into the Predictive Engine, which matches it against the software inventory of Host A and Host B.]

Get customized alerts about zero-day threats.
An authenticated scan is required (QIDs 45141 and 90235, specifically).
The Predictive Analytic Engine does not rely on vulnerability signatures.

Demonstration and Labs



USER MANAGEMENT


User Management
User Roles & Permissions

Different roles; each role has its own permission set
Each user can get extended permissions
Role types:
Manager
Unit Manager
Scanner
Reader
Contact

Extended permissions vary based on the base role chosen.

User Management
User Permission Hierarchy

From most privileged to least privileged:
Managers: subscription setup
Unit Managers: management
Scanners: vulnerability scans, network discovery maps
Readers: remediation, reporting

User Management - VIP

Two-factor authentication

Subscription Setup
Security

Set security to prevent unauthorized users.
Set security options related to how users access the system, user-defined passwords, and session timeouts.

Business Unit

Create the Business Unit in the Users section
Add Asset Groups to the Business Unit
Assign Scanner & Reader users (optional)

Business Unit Manager

Privileges:
Perform all vulnerability management functions: Map, Scan, Remediation, Reporting
Manage assets, add users, and publish template reports within their Business Unit

Extended permissions:
Add assets
Create profiles
Purge host information
Create/edit configurations (remediation policy, authentication records/vaults, virtual hosts)
Manage compliance, web applications
Manage virtual appliances

Restrictions:
Can only be in one Business Unit
Can only be created once the Business Unit has been established
Limited to the Asset Groups defined in their Business Unit
May not have rights to run specific reports via the API

Business Unit Illustration



REMEDIATION


Remediation Basics

A Remediation Policy can be used to assign a vulnerability to a specific user account (for mitigation).
A Remediation Policy can be used to ignore specific lists of vulnerabilities.
Qualys automatically updates Fixed vulnerabilities (when no longer detected).
Resolved Date indicates when a vulnerability has been resolved, ignored, or fixed (the earliest of the three).

Remediation
Create a new Rule

Assignment:
A specific user
Asset Owner
The user who launched the scan
Set a deadline for remediation
Ignore - do not create a ticket

Remediation Policy Rules

Rules can be specific to Business Units
The system matches rules from top to bottom
The first matching rule stops the rule check
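The rule evaluation described above, as an added Python example that is not Qualys code: detections are matched against an ordered policy, the first matching rule either assigns a ticket (to a named user, the asset owner, or the user who launched the scan, with a deadline) or ignores the finding, and evaluation stops there. A second function reports rules that never fire, which is the check worth running before saving a policy, since a broad rule placed too high silently shadows everything below it. The users, asset groups, QIDs, rule names and the `Rule`/`Detection` types are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, FrozenSet

@dataclass(frozen=True)
class Detection:
    host: str
    asset_group: str
    owner: str          # asset owner recorded for the host
    qid: int
    severity: int
    launched_by: str    # user who launched the scan

@dataclass(frozen=True)
class Rule:
    name: str
    qids: Optional[FrozenSet[int]] = None          # search list; None = any QID
    asset_groups: Optional[FrozenSet[str]] = None  # None = any asset group
    min_severity: int = 1
    assign_to: Optional[str] = None                # "ASSET_OWNER", "SCAN_LAUNCHER" or a user login
    deadline_days: int = 30
    ignore: bool = False                           # matching detections get no ticket

    def matches(self, d):
        return ((self.qids is None or d.qid in self.qids)
                and (self.asset_groups is None or d.asset_group in self.asset_groups)
                and d.severity >= self.min_severity)

def assignee(rule, d):
    return {"ASSET_OWNER": d.owner, "SCAN_LAUNCHER": d.launched_by}.get(rule.assign_to, rule.assign_to)

def apply_policy(rules, detections, today):
    """Evaluate rules top to bottom; the first matching rule decides and stops the check."""
    tickets, ignored = [], []
    for d in detections:
        for rule in rules:
            if not rule.matches(d):
                continue
            if rule.ignore:
                ignored.append((d.host, d.qid, rule.name))
            else:
                tickets.append({"host": d.host, "qid": d.qid, "assignee": assignee(rule, d),
                                "due": today + timedelta(days=rule.deadline_days), "rule": rule.name})
            break
    return tickets, ignored

def shadowed_rules(rules, detections):
    """Rules that never fire for this data: a sign a broader rule above them swallows everything."""
    fired = set()
    for d in detections:
        for rule in rules:
            if rule.matches(d):
                fired.add(rule.name)
                break
    return {r.name for r in rules} - fired

# Constructed policy and detections; users, asset groups and QIDs are made up.
POLICY = [
    Rule("Ignore_Telnet_In_Lab", qids=frozenset({12001}), asset_groups=frozenset({"Lab"}), ignore=True),
    Rule("Critical_To_Owner", min_severity=4, assign_to="ASSET_OWNER", deadline_days=7),
    Rule("Chicago_To_WinAdmin", asset_groups=frozenset({"Scan_Chicago"}), assign_to="winadmin"),
    Rule("Catch_All", assign_to="SCAN_LAUNCHER", deadline_days=90),
]
DETECTIONS = [
    Detection("10.0.30.18", "Scan_Chicago", "alice", 90001, 5, "bob"),
    Detection("10.0.30.18", "Scan_Chicago", "alice", 12001, 3, "bob"),
    Detection("10.0.50.5", "Lab", "carol", 12001, 3, "bob"),
    Detection("10.0.50.6", "Lab", "carol", 86001, 2, "bob"),
]

if __name__ == "__main__":
    tickets, ignored = apply_policy(POLICY, DETECTIONS, date(2016, 1, 20))
    for t in tickets:
        print(t)
    print("ignored:", ignored)
    # Moving the catch-all rule to the top silently shadows every other rule.
    print("shadowed:", shadowed_rules([POLICY[-1]] + POLICY[:-1], DETECTIONS))
```

Note that the ignore rule is scoped to both a QID and an asset group: the same Telnet finding on a Chicago host is not ignored but falls through to the Chicago rule and gets a ticket, which is the behaviour you want from an exception that was meant for the lab only.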

Remediation
Manual Ticket Creation & Verification

Manual trouble ticket generation:
From Automatic Report
From Host Information

Launching verification scans

Demonstration and Labs


Exam Tips and CPE

You have five attempts to pass
The test is linear; no going back to an older question
Passing score: 75% and above
No negative marking
The test can be taken anytime
30 questions (multiple choice included)
You may use presentation slides, lab exercises, Qualys Community, and you may have an active Qualys session open while attempting the exam.
No set time limit (please start a new LMS session before launching the exam).
A CPE credit is earned for each hour of attendance.

Useful Resources

- Your LMS account does not expire
- Register for training sessions on www.qualys.com/training
- Qualys Community and Qualys LMS are not SSO logins
- Qualys Architecture: http://www.qualys.com/enterprises/architecture/
- Free Tools & Trials: BrowserCheck, SSL Server Test, FreeScan, Patch Tuesday Audit, SCAP Scan


Thank YOU!
training@qualys.com
