The shift of business applications and on-premises infrastructure to the cloud has resulted in cloud security teams needing to manage the cyber security risks across the workloads, cloud services, resources, users, and applications. Today, security teams must deal with a set of siloed acronym-driven point solutions, providing a fragmented view of the risk with no context and no remediation, leaving cloud applications vulnerable to attacks and increasing security costs & complexities. Enterprise customers are increasingly telling us that they need a unified and cloud-native approach to security across the cloud application lifecycle, helping them continuously assess, prioritize, and reduce risk across a multi-cloud environment.
Today we are excited to announce the Qualys TotalCloud solution with FlexScan, which helps our customers extend the trusted power and accuracy of Qualys VMDR, augmented with flexible agent-based and agent-less cloud-native assessment to simplify the management of cloud-native security. Qualys TotalCloud brings both Cloud Posture Management and Cloud Workload Security into a unified view for prioritizing and reducing your cloud security risk.
What Is TotalCloud?
Qualys TotalCloud is a cloud-native security solution that provides the following benefits:
- Offers maximum security coverage of your infrastructure through agent and multiple agentless assessment options
- Provides highly accurate and trustworthy detection of vulnerabilities and misconfigurations
- Consolidates workload and cloud posture into a single risk-based metric and provides specific insights to reduce the risk
- Reduces risk by automating the remediation of your highest-risk assets
- Provides proactive security by checking for security issues before deployment
Scan and Rapidly Assess Your Posture Using Qualys FlexScan Powered by VMDR
Qualys has been scanning workloads for vulnerabilities for 20+ years for both on-prem and cloud assets. Qualys is currently performing 30+ million assessments for workloads in public clouds. Qualys FlexScan is the new zero-touch, cloud-native way of performing agent and agentless security assessments. Zero-touch means there is no need for complex configurations like IP ranges, regions, connectors, etc., or a need to set a schedule to enable scanning. FlexScan automatically uses the cloud APIs and the meta-data to determine the appropriate configuration parameters and starts scanning as soon as it discovers a new workload. All you need to do as a user is check a box indicating which FlexScan method you want to use. Many scanning tools in the market lack detection accuracy, resulting in many false positives. By leveraging Qualys’ 6-sigma (99.99966%) accuracy scanning capabilities in VMDR, FlexScan dramatically reduces false positives so that you can focus on the vulnerabilities that matter.
FlexScan offers four cloud-native scanning options:
- API-based Scan – FlexScan uses Cloud Service Provider (CSP)-provided APIs to collect operating system (OS) package inventory from the workloads for vulnerability analysis. API-based scanning is not suited for all scenarios because the limited data it can gather means it cannot detect a certain class of vulnerabilities, such as those in Open Source Software (OSS).
API-based assessment is quick and best suited for short-lived workloads and the initial assessment of new workloads.
- Snapshot-based Scan – FlexScan captures images of workloads, i.e., snapshots, from a cloud services provider’s (CSP) runtime block storage and then scans them. Snapshot scanning is essentially an indirect method of scanning cloud workloads by looking at this block storage instead of directly looking at them with agents. The snapshot method is expensive because of storage and scanner costs and is recommended when other assessment methods are not possible.
Snapshot-based scanning should primarily be used to assess suspended workloads and for third-party images deployed in the cloud where an agent cannot be installed.
- Agent-based Scan – FlexScan uses the agent embedded in the workload to collect operating system, installed software, and other workload-specific metadata information for vulnerability analysis. If FlexScan does not detect the Qualys Cloud Agent on a newly created workload, it automatically installs the agent. Since agents can collect much more meta-data and workload environment data than other scan methods, this method provides the most comprehensive vulnerability coverage. The costs of agent-based scanning are negligible because the agent is embedded in the workload and uses minimal resources.
Agents are the most flexible scanning method because they excel at detection tasks and can also perform them continuously. Another significant benefit of the agent-based approach is that it can perform double duty, taking immediate remediation actions such as patching vulnerabilities and fixing workload misconfigurations to protect against exploits.
- Network-based Scan – FlexScan can use network scanner appliances to assess workloads over the network. When a new workload is created, FlexScan will automatically instantiate the network scanner in the appropriate network to conduct the scan of the workload. Network scanners provide assessment capabilities similar to those of an agent. However, unlike agents, they cannot take any remediation actions.
Network scanners should be used to assess workloads facing the internet and workloads on which agents cannot be installed. Only network scanners can detect vulnerabilities related to network protocols. They can give you an outside-in view that the other scanners can’t.
There is no single best method for scanning workloads. With each option, you will have to trade off cost, coverage, and ease of deployment. With Qualys FlexScan, you can choose the scanning method or a combination of methods that is best suited for your environment. FlexScan will consolidate vulnerability results from all the methods for a workload. For example, for your internet-facing workloads, you can run both network-based scans and agent-based scans to get a more comprehensive assessment of vulnerabilities – outside in and inside out. To learn more about FlexScan, refer to this blog.
Understand Your Overall Risk Using Unified Dashboard
As your infrastructure and applications footprint grows, so do your security findings. It is common for a medium-sized enterprise to have thousands of high-criticality vulnerabilities and hundreds of misconfigurations across all asset types. It can be overwhelming to figure out what to fix first. This is where TotalCloud can assist you.
Unified TruRisk – Consolidated Risk From Vulnerabilities and Misconfiguration
Today, the risks from vulnerabilities and misconfiguration are siloed from each other. TotalCloud is breaking those silos by bringing the TruRisk scoring system to cloud resources. Like VMDR TruRisk scoring, TruRisk for cloud resources is based on the criticality of the misconfiguration, asset criticality score, and asset meta-data such as whether the asset is internet-facing, has risky permissions, is connected to other high-risk assets, etc. TotalCloud Unified Cloud Dashboard provides a single risk metric – TruRisk – that accounts for the risk incurred from vulnerabilities and misconfigurations. Additionally, the dashboard provides a way to view the TruRisk for a specific application, cloud or Qualys tags, or grouping of the cloud accounts. Furthermore, the dashboard highlights specific remediation actions that would lead to lower risk.
External Attack Surface – Workloads and Cloud Resources
The TotalCloud External Attack Surface dashboard shows you the highest risk elements in your environment. You can view all the workloads with critical, exploitable vulnerabilities, misconfigured cloud assets, like public S3 buckets containing secrets, and unmanaged assets reported on Shodan. It also provides you with specific insights, along with remediation actions, to help reduce risk.
Cloud Security Posture – Compliance With the Industry Standards
Compliance with various industries’ mandates is essential for many regulated businesses. TotalCloud Compliance Posture dashboard always provides an up-to-date view of your compliance posture for any of the 20+ industry mandates. It also highlights critical misconfigurations, like MFA not being enabled, that have been used for exploits.
TotalCloud dashboard amalgamates all the critical data harvested from the Qualys platform and presents it in a single place. With the TotalCloud dashboard, you can visualize your organization’s multi-cloud security posture and gain instant insights into cloud infrastructure and workload exposures.
Reduce Your Risk Using Integrated Remediation and Qualys Flow Automation
Most security vendors perform security assessments and then stop. The remediation of the security findings is left up to the security teams. The TotalCloud solution offers out-of-box one-click remediation for vulnerabilities and misconfigurations. If these out-of-box remediations don’t meet your needs, then you can build your own using Qualys Flow (QFlow), a low-code/no-code drag-and-drop product to build cloud-native workflows.
With Qualys Flow, you can build end-to-end workflows – from kickoff assessment, assessing risk, quarantining the workload, triggering change control workflow, to patching the workload. The above screenshot shows an example of a QFlow that can be used for remediating high-risk vulnerabilities. This QFlow is triggered when a new virtual machine instance is instantiated. The QFlow will then automatically install an agent in the new virtual machine, start a scan, wait for the scan results, and check whether the risk score of the virtual machine is greater than the accepted threshold. If the risk score exceeds the threshold, it will quarantine the virtual machine, create a ServiceNow ticket for patching the VM, and wait for the ticket to be approved. Once the ticket is approved, the QFlow will trigger and apply the patch for the vulnerability, and once the patch is applied, remove the virtual machine from quarantine.
TotalCloud enables you to significantly improve your MTTR and lower risk by using automated out-of-box and custom remediations.
Start Secure, Stay Secure
The discovery of vulnerabilities or misconfigurations in the production environment creates overhead for all teams involved in security – Security, Ops, Compliance, SOC, etc. Furthermore, you are vulnerable to exploitation until the vulnerability or misconfiguration is fixed. It would be much better if these security issues were detected and remediated early. TotalCloud provides full shift-left security by running security assessments on your workloads and IaC artifacts during the development, build, and pre-deployment stages. It can scan Infrastructure as Code (IaC) templates – Terraform, CloudFormation, ARM – to detect misconfigurations and deployment of vulnerable workloads. TotalCloud provides integrations into developer tools, like Visual Studio Code, git repositories, and CI/CD tools so that developers can receive immediate feedback. TotalCloud provides the status of IaC misconfigurations on the console so that security teams have complete visibility into pre-deployment posture. With TotalCloud, you can start secure and stay secure!
Qualys TotalCloud allows security teams to move away from the siloed, disconnected approach of cloud-native security, requiring significant manual data collection and analysis to gain insights, only slowing response time and increasing risk. Instead, Qualys TotalCloud provides a single integrated platform, not defined by industry categories but by the real-world scenarios security teams face in securing their infrastructure and cloud-native workloads.
Qualys TotalCloud easily integrates into an organization’s existing vulnerability program and provides seamless zero-touch, agent, and agentless assessments with a unified posture dashboard to view consolidated risk, prioritized by Qualys TruRisk, from critical vulnerabilities and misconfigurations. With no-code drag-and-drop workflow automation and integrated patching, TotalCloud delivers comprehensive remediation to reduce risk. Qualys TotalCloud is focused on addressing an organization’s most pressing cloud-native security challenges.
Join us for the TotalCloud launch on Wednesday, Nov. 9, at 1:45 pm PT to see in action how it enables security teams to address the most pressing cloud-native challenges. Register at www.qualys.com/totalcloud-live
By Parag Bajaria, Vice President, Cloud and Container Security Solutions, Qualys