Qualys Foundation

Uploaded by: The Anonymous

Vulnerability Management Foundation

Agenda

By the end of this course, you will be able to:

1. Define a vulnerability
2. Explain the need for Vulnerability Management
3. Set the scope of Vulnerability Management
4. Identify different options for Vulnerability Management
5. Describe the effectiveness of VM solution in terms of network monitoring,
identifying risks
6. List the best practices of Vulnerability Management

Introduction

Course Description

Globally, almost all businesses are linked to the Internet in some way or another.
However, connecting with the global internet exposes your organization's network to
many threats. Tech-savvy criminals can use the Internet to break into your network,
sneak malware onto your computers, extract proprietary information and abuse your IT
resources. In order to address these threats, organizations need to have a Vulnerability
Management (VM) program. VM enables you to monitor your network infrastructure
continuously, allowing you to address vulnerabilities as they are discovered in your
network. In this course, you will understand what vulnerabilities are and the importance
of having a program to address them.

Importance of Vulnerability Management

Introduction

In cybersecurity, a vulnerability is a weakness that cybercriminals or attackers can exploit to gain unauthorized access to a computer system. Cybercriminals can target vulnerabilities and gain personal, credit card, and health account information, plus business secrets and intellectual property. In short, anything that can be sold on the black market can be exploited. Attackers can also use your network as a platform to attack the networks of other organizations.

Lesson Objectives:

At the end of this lesson, you will be able to:

• Identify threats posed by cybercriminals
• Find sources of software vulnerabilities
• Analyze international trends in vulnerabilities
• Define methods to eliminate risks by applying Vulnerability Management

Vulnerability Management and Risk Mitigation

Vulnerabilities and Network Risk

How do vulnerabilities expose your network to danger?

Cybercriminals have realized the monetary payback of vulnerability exploitation, and now they successfully attack the Internet almost every day. In a university study, it was found that attackers scanned servers with open ports and other vulnerabilities within about 23 minutes of their being attached to the Internet, and vulnerability probes started within 56 minutes. The first exploitation took place within an average time of fewer than 19 hours. Any business that doesn't proactively identify and fix vulnerabilities is susceptible to abuse and information theft. Businesses also need to identify and prioritize the vulnerabilities that are at high risk.

Sources of Vulnerabilities

Programming Errors:

Programming mistakes, or bugs, cause most vulnerabilities in software. Computer scientists estimate that every thousand lines of code in well-managed software products contain about one bug, with that number rising to 25 per thousand for unscrutinized code. Modern software projects typically have millions of lines of code. Attackers do not exploit all published vulnerabilities, but they constantly scrutinize critical vulnerabilities in widely installed software packages. The best way to counter this threat is to identify and eliminate all vulnerabilities quickly – and continuously.

Software Misconfiguration:

Another major cause of vulnerabilities is software misconfiguration. Improper configuration of security applications, such as a firewall, may allow attackers to slip through ports that should be closed. Even just clicking on an email attachment or website link infected with malware can be enough to trigger an attack. The exploitation of vulnerabilities via the Internet is a huge problem that requires immediate proactive control and management. Hence, companies need to use Vulnerability Management to proactively detect and eliminate vulnerabilities, reducing overall security risk and preventing exposure.

A Look at Attack Trends

If customers' confidential data is exploited, it can damage the organization's reputation and have an impact on the business. Over the last few years, a fundamental change in the nature of attacks reveals a movement away from nuisance and destructive attacks towards more stealthy, hard-to-detect activity motivated by financial gain.

This type of attack has the following five characteristics:

1. Increased professionalism and commercialization of malicious activities, allowing non-technical criminals to enter the market.
2. Attacks that are increasingly tailored for specific regions and interest groups.
3. Increasing numbers of multi-staged attacks.
4. Attackers that target victims by first exploiting trusted entities.
5. Increasing numbers of attacks against browser vulnerabilities, mirroring the rise in browser usage in people's day-to-day activities.

Detecting and Removing Vulnerabilities

The primary objectives of VM are to:

• Maintain a database of devices connecting to your network and prioritize how they should be remediated.
• Compile a list of installed software – your software assets.
• Change software configurations to make them less susceptible to attack.
• Patch and fix operating system-related security flaws in installed software.
• Alert on additions of new devices, ports, or software to the databases, to analyze the changed attack surface and detect successful attacks.
• Indicate the most effective workflow for patching and updating your devices to thwart attacks.
• Enable the effective mitigation and management of security risks.
• Document the state of security for audit and compliance with laws, regulations, and business policy.
• Continuously repeat the preceding steps to ensure the ongoing protection of your network security.

Executing Vulnerability Management

Introduction

Vulnerability Management (VM) means systematically and continuously finding and eliminating vulnerabilities in your computer systems. Many of the steps or processes involved in VM use technology; other steps need IT staff to implement patches, software updates, and follow-ups. The integration of these processes produces more robust computer security and protects your organization's systems and data. In this lesson, you will learn six steps for laying the foundation of a successful VM program.

At the end of this lesson, you will be able to:

• Discover, categorize, and prioritize assets for VM
• Scan systems and remediate vulnerabilities by adopting the right solution
• Repeat the VM scan and provide reports to the security team, auditors, and management

Scoping Systems to Identify Inventory

To find vulnerabilities, you must first understand what assets (such as servers, desktops, copiers, and mobile devices) are running on your network, which involves uncovering forgotten devices. You cannot secure what you do not know. You also need to identify the people who are responsible for maintaining these assets (the owners).

The primary purpose of scoping, also called asset discovery, is to organize your computer systems according to their role in your business to establish an evaluation baseline. Scoping starts with a vulnerability scan – usually done by directing the scanner at a particular Internet Protocol (IP) address or range of addresses, so it's helpful to organize your database by IPs.

Internet-facing assets are at high risk for attacks. Always begin asset scoping with internet-facing assets. Organizing your database by IPs is one way to do it. In addition to an active vulnerability scanner, various sensor types used for asset discovery and vulnerability detection may be needed, depending on your environment.
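The following Python is an added example, not part of the Qualys course material and not Qualys code. It ties together two points made above: keeping an inventory keyed by IP address with an owner and exposure classification (scoping), and alerting on additions of new devices, ports or software so that the changed attack surface can be analyzed (the VM objectives list). Two successive discovery snapshots are compared and the differences are ranked so that internet-facing and unowned hosts surface first. The snapshot contents, the public address range and the field names are constructed assumptions.

```python
"""Asset-inventory snapshot diff (added example; constructed data, not Qualys code)."""
from ipaddress import ip_address, ip_network

# Constructed sample data: what two successive discovery scans reported,
# keyed by IP as the text recommends. Owner None means "nobody claims it".
SNAPSHOT_MONDAY = {
    "203.0.113.10": {"owner": "web-team", "ports": {80, 443}, "software": {"nginx 1.24"}},
    "10.0.5.20":    {"owner": "dba",      "ports": {5432},    "software": {"postgresql 15"}},
}
SNAPSHOT_TUESDAY = {
    "203.0.113.10": {"owner": "web-team", "ports": {80, 443, 22}, "software": {"nginx 1.24", "openssh 9.6"}},
    "10.0.5.20":    {"owner": "dba",      "ports": {5432},        "software": {"postgresql 15"}},
    "10.0.5.77":    {"owner": None,       "ports": {3389},        "software": set()},  # forgotten device
}

# Assumed: the organisation's internet-facing range (documentation prefix used here).
INTERNET_FACING = [ip_network("203.0.113.0/24")]


def is_internet_facing(ip: str) -> bool:
    """True when the address falls inside one of the internet-facing ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNET_FACING)


def diff_snapshots(before: dict, after: dict) -> list:
    """Return inventory changes between two snapshots, highest exposure first.

    Each finding is a dict with ip, change, detail, owner and internet_facing.
    """
    findings = []
    for ip, host in after.items():
        if ip not in before:
            findings.append({"ip": ip, "change": "new_device", "detail": sorted(host["ports"])})
            continue
        new_ports = host["ports"] - before[ip]["ports"]
        if new_ports:
            findings.append({"ip": ip, "change": "new_ports", "detail": sorted(new_ports)})
        new_sw = host["software"] - before[ip]["software"]
        if new_sw:
            findings.append({"ip": ip, "change": "new_software", "detail": sorted(new_sw)})
    # Devices that vanished still matter for the inventory (decommissioned or evading the scan).
    for ip in before.keys() - after.keys():
        findings.append({"ip": ip, "change": "missing_device", "detail": []})

    # Annotate with ownership and exposure, then rank: internet-facing first,
    # unowned hosts before owned ones, then by IP for a stable report.
    for f in findings:
        host = after.get(f["ip"]) or before.get(f["ip"])
        f["owner"] = host["owner"]
        f["internet_facing"] = is_internet_facing(f["ip"])
    findings.sort(key=lambda f: (not f["internet_facing"], f["owner"] is not None, f["ip"]))
    return findings


if __name__ == "__main__":
    for f in diff_snapshots(SNAPSHOT_MONDAY, SNAPSHOT_TUESDAY):
        print(f"{f['ip']:<14} {f['change']:<14} {f['detail']}  owner={f['owner']}  "
              f"internet_facing={f['internet_facing']}")
```

Run against real data, the two snapshots would come from consecutive discovery scans or agent check-ins; the point of the ranking is that a newly opened SSH port on a public web server and a host with no owner are the two things a reviewer should see first.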

Assessing the Security Posture of the IT Infrastructure

Assessments are done through vulnerability scanning, which is the fundamental process for identifying and remediating vulnerabilities on your computer systems. You can assess this in two ways:

1. A one-off scan gives you a snapshot of the security status of your computer systems at a particular moment in time.
2. A recurring scheduled scan using a vulnerability scanner or agent allows you to track the speed of applying patches and software updates and assess how your security status improves. This level of assessment provides you with more information that is useful for effective VM.

In both cases, making a scan involves two steps:

I. The scanner uses its library of vulnerabilities to test and analyze computer systems, services, and applications for known security holes.
II. A post-scan report organizes and prioritizes the actual vulnerabilities and gives you information for applying patches and updates.

Launching a Scan

You can schedule a vulnerability scan to run repeatedly or run it on demand, using a scanner or agent. The scanning is performed by your VM application based on your computer system or network selection. To avoid unnecessary alerts, ask your system owner to 'whitelist' the IP addresses of your scanner and VM scanning solution.

Reviewing Options for Scanning Tools

When reviewing scanning tools, look for two things:

1. A comprehensive and continuously updated database of vulnerabilities to check against.
2. The ability to scale to the size of your organization.

SaaS allows you to do both of these things.

Knowing what to scan

All the devices that are connected to your organization's network and are Internet facing should be scanned.

Mobile workforce

Today, many employees work remotely, which can cause severe challenges for your Vulnerability Management program. One way to scan remote users is to ensure they are connected to your VPN and scan them over the tunnel, assuming the network and VPN can handle the traffic. The better solution is an agent-based approach. Scanning is performed by a local agent that runs on the host machine and provides the information necessary to evaluate the security state of the machine, with little effect on processing, memory, and bandwidth.

When you evaluate agent-based technologies for mobile VM scanning, consider:

• Integration of results: Results from agent-based scans and normal VM scans must provide the same data and be used in the same reporting, ticketing and asset management systems.
• Always-on: Agents should transmit results continuously, as soon as they are connected to the Internet, without the need for a VPN.
• Minimal footprint: The need for zero impact on the target machine favors an approach where no VM scan is run directly on the notebook computer. Instead, data on security state changes is collected and transferred to an Internet-facing system for evaluation against vulnerability signatures.
• Update speed: Signatures for scanner-based and agent-based scans should be the same or released in a way that prevents result skew. Updates to them should be automatic and scalable.

Agent-based scanning provides 100% coverage of your installed infrastructure.

Virtualization

Virtualization has led to gains in flexibility. With virtualization technology, a server can be set up on demand, often within a few minutes.

To scan virtualized servers efficiently in your VM program, evaluate:

• Virtual scanners: Scan engines are available for your virtualization platforms, allowing you to seamlessly integrate the scanner into your virtualization setup.
• Monitoring: In virtual environments, the creation of new servers tends to be dynamic. This is especially true for virtualization service providers and may result in the creation of new server networks. The downside for you is that your virtual servers on these networks are not automatically scanned by many VM solutions. Be sure your VM solution provides monitoring capability to automatically scan virtual servers. This requirement is mandatory.
• Authorization: Service providers frequently restrict scanning to pre-approved hosts. Consider pre-approved scanning solutions to eliminate this manual and time-consuming requirement.

Options for Continuous Vulnerability Management

Introduction

Vulnerability Management (VM) is critical for every business to prevent mass and targeted attacks that take advantage of weaknesses in your computing infrastructure. VM also helps to demonstrate compliance with your security requirements to auditors.

The steps of VM are fundamental, but so are the ways in which you implement solutions to meet operational requirements. This lesson will provide you with preparatory ideas for choosing and implementing continuous VM solutions.

Lesson Objectives:

At the end of this lesson, you will be able to:

• Choose the best path for eliminating vulnerabilities
• Identify and select the best option for vulnerability assessments
• Compare the attributes of cloud and traditional VM software

Choosing the Best Path to Eliminate Vulnerabilities

The choice of what solution you implement for VM will directly affect your company's actual state of security and compliance.

As you weigh options for each step of VM, consider these tips:

Automate As Much As You Can

Many of the steps of VM are repetitive and applied to all networked devices in the enterprise. VM automation is economical, rapid, systematic, comprehensive, and continuous. Manual intervention should be limited to prioritizing patches and negotiating the proper window to apply those patches.

Use Solid, Safe Technology

VM is concerned with preserving the safety and security of your data, applications, and network. Do not compromise; use only VM technology that has a solid track record and is used globally.

Select A Solution That Grows With Your Business

Change is the only constant in business, so check a proposed VM solution's ability to scale as your organization's requirements grow more complex and demanding.

Option 1—Paying a Consultant

Consultants are a great resource to assist you in protecting your network and are experts in identifying weaknesses. However, there's a big difference between continuous VM and simply identifying issues or proving weaknesses. You will want to understand what you are getting and not getting from the consultant. Is it going to be an ongoing relationship or a single assessment?

The shelf life of a point-in-time vulnerability assessment is fleeting:

• Results are valid only until the environment changes or until new threats arise – which is daily!
• Networks and devices are reconfigured regularly. Vulnerabilities are found daily, and vulnerability assessments are quickly outdated. If you want VM to help strengthen security, it's more appropriate to do consistent, daily scans or use an agent which provides near real-time results.

Option 2—Run Software Yourself

Software-based solutions enable you to install software for Vulnerability Management on your internal network and run it yourself.

Tasks for running and maintaining VM software include:

• Buying and maintaining the servers and infrastructure to run the VM software applications reliably.
• Ensuring the VM applications and infrastructure are always 100 percent secure and performing at peak operational efficiency.
• Integrating the required data exchange between component software used for VM solutions.
• Keeping software maintenance up to date with the latest updates and patches from each vendor.
• And, of course, continuously responding to alerts and managing the vulnerabilities spotted by your system.

Do-it-yourself has two choices. You can download Open-Source software or buy commercial solutions.
Open-Source software—Often free, but not cheap

Open-Source software is developed in an open, collaborative manner. The software is often free, and users can use, change, or improve it and share it. However, two considerations about Open-Source software need to be weighed for VM:

• Open-Source software may be free, but it's not inexpensive. Open-Source software carries the same operational costs as commercial software. It has a vast list of requirements like equipment space, rack and air conditioning, system administration, deployment and configuration, maintenance and patching, backup and restore, redundancy, fail-over, uninterrupted power, audit logs, VM application security and maintenance, capacity planning, and event monitoring.
• Training and support are inadequate. Your security staff must know how to operate the tools and capabilities of VM and quickly eradicate vulnerabilities found on the network. With Open-Source software, it's rare to find packaged training and support information. While many experts collaborate on sharing their tips, it helps to know the people who program the software because they're often the only source of information – especially for Open-Source modules or plug-ins that may not work as described. When you rely on Open Source for VM, experts are essential for handling technical aspects of the job.

Commercial software—Initial cost plus maintenance

The other option for running VM software yourself is to use commercial software. Most of us automatically think of commercial software as a 'safe' option, and it usually constitutes the bulk of installed applications. But commercial software has its drawbacks, so consider these points:

• Commercial software costs real money.
• You must pay every year for the right to receive updates and support.
• Maintenance brings higher assurance, but you still need to check for yourself. Check on the provider's training and support programs to ensure that your security staff can deploy and use the solution.

Option 3—Use a Cloud Solution

With fast implementation, low maintenance, and pay-as-you-go, cloud-based solutions have become a mainstream way to use software solutions. With SaaS, vendors have specialized teams that operate entire applications for you. These applications run in a multi-tenant architecture that is constantly updated and offers plenty of computing capacity to spare. A cloud provider handles all the technical 'heavy lifting' of infrastructure behind the application. You can use it right away without requiring special technical expertise or training to deploy and use it.

Cloud vs Traditional Software

As you choose a VM solution, weigh the pros and cons of each against four key factors: Design, Deployment, Management, and Compliance. Each of these plays a crucial role in determining the successful deployment of VM.
Continuous Vulnerability Management

Introduction

The growing deluge of documented data breaches has spurred a considerable amount of rethinking within computer security circles. Virtually all industry analysts now agree that computer security should be based on multiple layers and that fast remediation of exploitable vulnerabilities is of critical importance. The independent Council on CyberSecurity's Critical Security Controls recommends that, to be successful, a security strategy should involve accurately configuring software applications, rapidly patching software vulnerabilities and keeping software updated.

In this lesson you will learn how Qualys VM, along with other Qualys applications like PCI, Web Application Security, Policy Compliance, Malware Detection and more, plays a vital role in computer security and supports related requirements in Compliance Management.

Lesson Objectives:

At the end of this lesson, you will be able to:

• Provide continuous VM with the cloud
• Prioritize remediation
• Automate compliance documentation
• Perform the steps to set up Qualys VM trial software
• Understand CM and VM

Understanding CM and VM

Qualys Continuous Monitoring provides organizations with a comprehensive, always-on view of security holes, empowering them to immediately identify and proactively address vulnerabilities before they are exploited into breaches. Built on the Qualys Cloud Platform, Qualys CM uses its elastic scanning capacity to scale dynamically to networks of any size and scope. The key benefit of Qualys CM is that it instantly alerts first responders on operational teams as soon as an unauthorized change is detected. CM is the next step of immediately putting this information into the hands of first responders for judgment and action.
Discovering Continuous VM

Non-cloud-based VM involves acquiring, installing, supporting, and maintaining a software-based solution. In contrast, cloud-based continuous VM brings in a trusted third party to provide VM. Continuous VM should meet the following criteria:

• Identify both external and internal weaknesses.
• Automatically scan using a continually updated database of known attacks.
• Be highly accurate, essentially eliminating false positives and false negatives – and be non-intrusive.
• Use inference-based scanning to ensure that only applicable vulnerabilities are tested for in each scan.
• Generate concise, actionable, customizable reports, including vulnerability prioritization using severity levels and trend analysis. Many large organizations use their own scoring based on which threat indicators (such as zero-day or easily exploitable) are important to them and on an asset's business criticality classification.
• Provide tested remedies and workarounds for cases where no remedy as yet exists.
• Provide distributed scanning capabilities with consolidated reporting and centralized management capabilities.
• Offer both authenticated (credential-based) and simple non-authenticated techniques for scanning.
• Provide user access management to restrict users' roles and privileges to their organization and network responsibility.
• Supply workflow capabilities for prioritizing and tracking remediation efforts.
• Enable customers to build compliance reporting.
• Integrate seamlessly with customers' Security Information & Event Management (SIEM), Intrusion Detection System (IDS), patch management, and help desk systems.
• Automatically execute the steps of VM in a continuous, ongoing process.
Accessing Qualys VM

Users access Qualys VM by simply logging in via a web browser. Users can immediately use the service and audit the security of their external and internal networks.

Qualys VM:

1. Discovers all systems attached to your network.
2. Identifies and analyzes vulnerabilities on all discovered systems.
3. Reports findings of discovery and vulnerability analysis.
4. Shepherds the vulnerability remediation process.
5. Confirms that remedies or workarounds have been applied.
6. Provides documentation to verify security compliance.
7. Automatically repeats the VM-for-continuous-protection steps.
8. Alerts on variances from expected configurations in vulnerabilities, exposed services, installed software and certificates.

Qualys Vulnerability Management, Detection and Response (VMDR) is delivered through Security Operations Centers, Internet scanners, scanner appliances and a secure web interface. Qualys VMDR also includes agents, which are deployed across workstations and servers to provide a regularly updated view of your vulnerability data.

KnowledgeBase

The core of Qualys VM is its KnowledgeBase. The KnowledgeBase is the continuously updated and comprehensive database of vulnerability signatures.

Security Operations Centers

Qualys Security Operations Centers (SOCs): The vulnerability data detected by Qualys sensors using the KnowledgeBase is stored in the Qualys Platform.

Internet Scanners

Qualys VM Internet scanners carry out perimeter scanning for customers. These remote scanners begin by building an inventory of protocols found on each machine undergoing an audit. After discovering the protocols, the scanner detects which ports are attached to services, such as web servers, databases, and e-mail servers. At that point, the scanners initiate an inference-based vulnerability assessment based on vulnerabilities that could be present (due to operating system and configurations) to quickly identify actual vulnerabilities and minimize false positives.

Scanner Appliances

To map domains and scan IPs behind the firewall, customers install Qualys VM Scanner Appliances. These are virtual or physical devices that install within minutes, gather security audit data inside the firewall, and communicate securely with Qualys SOCs. These devices poll the SOCs for software updates and new vulnerability signatures and process job requests.

Secure Web Interface

Users interact with Qualys VM through its secure web interface. Any standard web browser permits users to navigate the Qualys VM user interface, launch scans, examine audit report data and manage the account. Secure communications are assured via HTTPS encryption. All vulnerability information and report data are encrypted with unique customer keys to guarantee that your information remains confidential, making the vulnerability information unreadable by anyone other than those with proper customer authorization.
Prioritizing Remediation

Threat protection comprises methods and solutions that enhance an organization's defenses against cyber threats such as malicious code, bot attacks, social engineering, DDoS attacks, MitM attacks, malware, and ransomware. Threat Protection helps to pinpoint your assets that have the highest exposure to the latest known threats so that you can prioritize and mitigate the high-risk vulnerabilities quickly. When host assessments are processed, they are evaluated against your remediation rules. The Qualys service will automatically open tickets based on what's discovered via scan or cloud agent detection. Think of a ticket as an audit trail for each detected vulnerability. This audit trail identifies the specific Qualys user assigned to this vulnerability and the deadline (in days) by which this user must fix or mitigate the associated vulnerability.

Reports from Qualys VM automatically identify and rank vulnerabilities with the Qualys VM Scanning Engine. This engine assigns one of five severity levels to define the urgency associated with remediating each vulnerability. Rankings are based on a variety of industry standards, such as Common Vulnerabilities and Exposures (CVE) and National Institute of Standards and Technology (NIST).
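The following Python is an added example of the remediation-rule idea described above; it is not Qualys code and does not reproduce Qualys' scoring. It takes scan findings carrying the five-level severity the text mentions (5 being most urgent), weights them by the asset's business-criticality classification and by the threat indicators the earlier criteria list names (zero-day, easily exploitable), and turns each into a ticket with an assigned owner and a deadline in days. The asset table, the weighting, the rule thresholds, the deadlines and the vulnerability identifiers are all constructed assumptions.

```python
"""Remediation rules turning scan findings into prioritized tickets (added example; constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Finding:
    asset_ip: str
    vuln_id: str            # placeholder identifier; real scanners use their own
    severity: int           # 1 (low) .. 5 (urgent), as in the five-level scheme described
    zero_day: bool = False
    easily_exploitable: bool = False


@dataclass(order=True)
class Ticket:
    priority: int           # negative risk score, so sorted() lists highest risk first
    asset_ip: str
    vuln_id: str
    assignee: str
    due: date


# Constructed asset metadata: owner and business-criticality classification (1..5).
ASSETS = {
    "203.0.113.10": {"owner": "web-team", "criticality": 5},
    "10.0.5.20": {"owner": "dba", "criticality": 4},
    "10.0.9.3": {"owner": "helpdesk", "criticality": 1},
}

# Assumed remediation rules: (minimum risk score, deadline in days), highest first.
RULES = [(20, 2), (12, 7), (6, 30), (0, 90)]

# Constructed findings, as a scanner or agent might report them.
SAMPLE_FINDINGS = [
    Finding("10.0.9.3", "VULN-PLACEHOLDER-1", severity=5),
    Finding("203.0.113.10", "VULN-PLACEHOLDER-2", severity=3, easily_exploitable=True),
    Finding("10.0.5.20", "VULN-PLACEHOLDER-3", severity=5, zero_day=True),
]


def risk_score(f: Finding, criticality: int) -> int:
    """Severity weighted by asset criticality, bumped by threat indicators (assumed weights)."""
    score = f.severity * criticality
    if f.zero_day:
        score += 5
    if f.easily_exploitable:
        score += 3
    return score


def deadline_days(score: int) -> int:
    """First rule whose threshold the score meets decides the deadline."""
    for threshold, days in RULES:
        if score >= threshold:
            return days
    return RULES[-1][1]


def open_tickets(findings, today: date) -> list:
    """One ticket per finding: owner from the asset table, deadline from the rules."""
    tickets = []
    for f in findings:
        asset = ASSETS.get(f.asset_ip, {"owner": "unassigned", "criticality": 3})
        score = risk_score(f, asset["criticality"])
        tickets.append(Ticket(
            priority=-score,
            asset_ip=f.asset_ip,
            vuln_id=f.vuln_id,
            assignee=asset["owner"],
            due=today + timedelta(days=deadline_days(score)),
        ))
    return sorted(tickets)


if __name__ == "__main__":
    for t in open_tickets(SAMPLE_FINDINGS, date.today()):
        print(f"risk={-t.priority:<3} {t.asset_ip:<14} {t.vuln_id:<20} -> {t.assignee:<9} due {t.due}")
```

The ordering shows why a plain severity sort is not enough: the severity-5 finding on the low-criticality helpdesk host lands last with a 90-day deadline, while the severity-3 but easily exploitable finding on the critical web server is due within a week.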
These levels are:

Automating Reporting

Qualys VM has a flexible, comprehensive, and intelligent reporting capability. Qualys VM reports come with filtering and sorting that enable you to view data any way you want.

Components of Qualys VM reporting are:

• Network assets (IPs and/or asset groups) included in the report.
• Graphs and charts showing overall summaries and network security status.
• Trending analysis for a given network.
• Vulnerability data with detailed specificity.
• Filtering and sorting options to provide other flexible ways to view your network's data.

Qualys customizable templates automatically generate reports such as:

• Unremediated vulnerabilities with the highest level of severity.
• Rogue devices discovered on the network.
• Technical compliance with a specific regulation, such as the requirements of PCI DSS.
• Trouble-ticket status for a particular department or business process, such as a financial reporting system or an order processing system.
• Trend analysis for use in job performance appraisals of network security staff.

Qualys Dashboards:

• Come with an extensive library of Dashboards and Widgets that allow you to monitor your assets, vulnerabilities, and mitigation progress.
• Allow you to create your own custom Dashboards and Widgets.
• Are designed to display query results as counts, tables, columns, or pie charts.

Contrasting Cloud-Based Audits Against Costly Vulnerability Assessments

Vulnerability assessment is the term for computer security auditing performed by outside consultants. Essentially, the consultant identifies vulnerabilities and prioritizes them for your organization. While a vulnerability assessment captures vulnerability information at a single point in time, its shelf life is fleeting. The results are valid only until the environment changes or new threats arise. In short, vulnerability assessments are valid for just days. With network administrators reconfiguring networks and devices daily and vulnerabilities emerging at the rate of 25+ per week, computer security requires frequent, continuous assessment.

Another computer security discipline, called penetration testing, is a supplement to VM. Penetration testing executes an attack against found vulnerabilities and gives computer security teams a chance to exercise their defensive and detection capabilities.

Cloud-based vulnerability assessments are the ideal supplement to or replacement for penetration tests. Qualys VM provides subscribers with unlimited assessments – daily if required – at a fraction of the cost of one penetration test. Differential reporting and trend analysis are automatically included so you can measure your security improvements over time.
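As an added example of what "differential reporting and trend analysis" mean in practice (this is not Qualys code and not the course's own material), the Python below compares three constructed scan results pairwise to report new, fixed and persisting detections, tracks open counts per severity over time, and computes the mean number of days from first detection to the first scan in which a detection no longer appears. The scan dates, detections and vulnerability identifiers are constructed placeholders.

```python
"""Differential reporting and trend analysis over successive scans (added example; constructed data)."""
from datetime import date

# Constructed detections per scan date: (asset_ip, vulnerability id placeholder, severity 1..5).
SCANS = {
    date(2024, 1, 1): {("10.0.5.20", "VULN-A", 5), ("10.0.5.20", "VULN-B", 3), ("10.0.9.3", "VULN-C", 2)},
    date(2024, 1, 8): {("10.0.5.20", "VULN-B", 3), ("10.0.9.3", "VULN-C", 2), ("10.0.9.3", "VULN-D", 4)},
    date(2024, 1, 15): {("10.0.9.3", "VULN-C", 2)},
}


def differential(previous: set, current: set) -> dict:
    """Differential report between two scans: what appeared, what went away, what remains."""
    return {
        "new": current - previous,
        "fixed": previous - current,
        "persisting": previous & current,
    }


def severity_trend(scans: dict) -> list:
    """Open detections per severity for each scan date, in date order."""
    trend = []
    for day in sorted(scans):
        counts = {}
        for _ip, _vuln, sev in scans[day]:
            counts[sev] = counts.get(sev, 0) + 1
        trend.append((day, counts))
    return trend


def mean_days_to_fix(scans: dict):
    """Average days from first detection to the first later scan where it no longer appears.

    Detections still open in the last scan are excluded; returns None if nothing was fixed.
    """
    days = sorted(scans)
    first_seen = {}
    for day in days:
        for detection in scans[day]:
            first_seen.setdefault(detection, day)
    durations = []
    for detection, seen in first_seen.items():
        for day in days:
            if day > seen and detection not in scans[day]:
                durations.append((day - seen).days)
                break
    return sum(durations) / len(durations) if durations else None


if __name__ == "__main__":
    ordered = sorted(SCANS)
    for prev, cur in zip(ordered, ordered[1:]):
        report = differential(SCANS[prev], SCANS[cur])
        print(f"{prev} -> {cur}: new={len(report['new'])} fixed={len(report['fixed'])} "
              f"persisting={len(report['persisting'])}")
    for day, counts in severity_trend(SCANS):
        print(day, dict(sorted(counts.items(), reverse=True)))
    print("mean days to fix:", mean_days_to_fix(SCANS))
```

A detection is keyed by host and vulnerability together, so the same vulnerability fixed on one host but still open on another is reported as fixed and persisting respectively rather than collapsed into one line.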

Monitor Network Perimeter Continuously

The automation of Qualys VM provides your company with continuous VM. This capability is automatically integrated with another offering from Qualys, called Qualys Continuous Monitoring (CM). Qualys CM is a broader service that provides your company with a comprehensive, always-on view of security holes affecting the entire enterprise network perimeter, empowering you to immediately identify and proactively address vulnerabilities before they turn into breaches.

Counting the Qualys VM subscriber benefits

The Qualys VM process includes:

1. Easy deployment with the Qualys VM cloud architecture.
2. The ability to efficiently manage continuous VM, no matter how extensive your network may be.
3. A fully automated, always-updated solution that eliminates traditional labor-intensive operations, saving time and simplifying large-scale VM. Rapid identification and visualization of network assets.
4. Accurate vulnerability detection that eliminates the time-consuming, manual work of verifying results and consolidating data.
5. A VM service accessible to authorized users from anywhere on the globe.

Performing an Asset Discovery Scan

After you set up a scanner, you can perform an asset discovery scan on your known IP address ranges.

Scanning your Network

Next, assess your network for vulnerabilities by running a scan.

Reporting

Once you've deployed agents and run scans, you can use Qualys Reporting and Dashboards to visualize and prioritize your remediation efforts.

Remediating Risks

Once you've prioritized the assets and vulnerabilities you wish to remediate, you can use Qualys Patch Management to deploy fixes for your vulnerabilities.

Embracing Continuous Monitoring


Introduction

Misconfigurations and new vulnerabilities appear daily and may immediately expose a computer or
network device to attacks. These threats make the job of defending networks an urgent priority for
organizations. To handle this responsibility, you should have an always-on, continuous dashboard of
your global perimeter and its network security controls. It should automatically identify and alert on
any attack, prevent operational interruptions, and protect the confidentiality, integrity, and
availability of critical applications and data. This lesson describes the need for CM and offers a
blueprint for creating a continuous security practice.

Lesson Objectives:

At the end of this lesson, you will be able to:

Describe the relationship between Continuous Monitoring and Vulnerability Management

Define capabilities of Continuous Monitoring

Create an always‐on approach to security with Continuous Monitoring

Understanding CM and VM

The key benefit of Qualys CM is that it instantly alerts first responders on operational teams as soon
as an unauthorized change is detected. A deep, symbiotic relationship exists between the continuous
vigilance and alerting aspects of Qualys CM and the assessment and remediation aspects of Qualys
VM. Cyber threats may consist of software-borne threats, such as exploits that install worms,
viruses, and 'drive-by' infections from malware on websites; they may also target internal issues
such as misconfigurations in your IT environment. Responding to threats from
both scenarios requires the integration of continuous monitoring with assessment and remediation.

Qualys CM sends essential information quickly into the hands of the right people for immediate and
targeted action. This service accelerates the ability of first responders to stay ahead of threats to the
most critical assets.

Identifying the Capabilities of Qualys Vulnerability Management Detection and Response

Qualys CM helps you follow the guidance of the Critical Security Controls by providing you with the
ability to:

Scan all assets connecting to your network regularly, using scanners and agents.

Scan on demand for ad-hoc checks or specific vulnerabilities such as 'forbidden ports,'
as recommended by CSC 4.

Scan and remediate continuously on mission-critical systems.

Receive reports on vulnerabilities in patch-centric views using reports and dashboards.

Inspect reports that integrate the Common Vulnerabilities and Exposures (CVE) and Common
Vulnerability Scoring System (CVSS) standards for flexible analysis of results.

Track remediation over time with the ticketing system and dashboards with trending data.

Deliver immediate notification of vulnerabilities and remediation paths to first responders.

Continuous Vulnerability Management—Best Practices

Introduction

This lesson covers the variety of security measures required to identify and eliminate weaknesses
on your network effectively. Together these checks form an aggressive plan for removing vulnerabilities
from essential resources before attackers can exploit them.

Lesson Objectives:

At the end of this lesson, you will be able to:

Verify your security level

Produce technical, management, and compliance reports

Patch and track vulnerabilities

Discover Network Assets

You can't measure risk if you don't know what you have on your network. In
other words, you cannot fix what you do not know about. Discovering your assets
helps you determine the areas most susceptible to attack, and Qualys
sensors detect all assets and software in your environment. Qualys sensors,
like Cloud Agent, Scanner Appliances, and Passive Sensors, give you the
capability to build an inventory across all areas of your hybrid environment.

Prioritize and Classify Assets

Most organizations have five to twenty categories of network assets, with
classification determined by value to the overall business. Tier the
hierarchy of assets by that value. For example, critical databases,
financial systems, and other essential business assets should be ranked in a
higher category than clerical desktops, non-production servers, and remote
laptops. Classify asset priority strictly by value to the business, and do not
give critical assets a lower categorization because of presumptions about their
safety.

Assess Vulnerabilities with Comprehensive Scans

Perform comprehensive and accurate scans on your assets, starting with the
most important ones. Doing so will give you complete visibility of the level of
risk associated with your assets. Intelligent scanning rapidly finds
vulnerabilities on your network, automatically or on demand. Scan as
much as possible, as often as possible, so that you have a fully up-to-date
picture of what is going on in your network.

VM Inside and Outside DMZ

Be comprehensive about your network auditing. Perform VM both on your
'demilitarized zone' (DMZ, or the external network boundary) and on your
internal systems; this helps in achieving optimal security protection.

Introduction to VMDR

Remediate by Prioritizing Patching Efforts

Prioritize application of patches, starting with the most critical vulnerabilities
on the most important assets, and proceed to the less critical ones. Set
performance goals to reduce the level of critical vulnerabilities in the
network.
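To make the asset tiering described earlier and this patch-prioritization rule concrete, here is an added Python example (not Qualys code, and not the product's API) that orders constructed scan findings by asset tier, CVSS score and known exploitation, and counts open risk per tier for trending; the asset names, tiers, QIDs, CVE ids and scores are all made-up placeholders.

```python
"""Added example, not Qualys code: order findings so the most severe vulnerabilities
on the most valuable assets are patched first, and count open risk per asset tier
for trending. All names, QIDs, CVE ids and scores are constructed placeholders."""
from dataclasses import dataclass

# Asset tier by value to the business: 1 = finance systems and core databases
# (most critical) ... 4 = clerical desktops and lab machines (least critical).
ASSET_TIER = {"db-finance-01": 1, "erp-app-02": 1, "dmz-web-03": 2,
              "build-server-04": 3, "clerk-laptop-05": 4}
TIER_WEIGHT = {1: 4.0, 2: 3.0, 3: 2.0, 4: 1.0}

@dataclass(frozen=True)
class Finding:
    asset: str
    qid: str         # scanner check id (placeholder)
    cve: str         # CVE id (placeholder)
    cvss: float      # CVSS base score, 0.0 to 10.0
    exploited: bool  # known active exploitation, the threat input of VMDR step 3

def severity_band(cvss):
    """Qualitative CVSS v3 rating, as shown in patch-centric reports."""
    return ("Critical" if cvss >= 9.0 else "High" if cvss >= 7.0
            else "Medium" if cvss >= 4.0 else "Low")

def priority_score(f):
    """Higher is more urgent: CVSS scaled by asset value, times 1.5 when the
    vulnerability is known to be exploited in the wild."""
    tier = ASSET_TIER.get(f.asset, 4)  # unknown asset: treat as lowest tier
    return f.cvss * TIER_WEIGHT[tier] * (1.5 if f.exploited else 1.0)

def remediation_queue(findings):
    """Findings most urgent first; ties broken by raw CVSS, then asset name."""
    return sorted(findings, key=lambda f: (-priority_score(f), -f.cvss, f.asset))

def open_risk_by_tier(findings):
    """Count open findings per (tier, severity band); keep one result per scan
    date and the series becomes the trend line management asks for."""
    summary = {}
    for f in findings:
        key = (ASSET_TIER.get(f.asset, 4), severity_band(f.cvss))
        summary[key] = summary.get(key, 0) + 1
    return summary

SAMPLE_FINDINGS = [  # constructed scan results
    Finding("clerk-laptop-05", "QID-000001", "CVE-0000-00001", 9.8, True),
    Finding("db-finance-01", "QID-000002", "CVE-0000-00002", 7.5, False),
    Finding("dmz-web-03", "QID-000003", "CVE-0000-00003", 8.1, True),
    Finding("build-server-04", "QID-000004", "CVE-0000-00004", 5.3, False),
    Finding("erp-app-02", "QID-000005", "CVE-0000-00005", 9.1, False),
]  # queue: dmz-web-03, erp-app-02, db-finance-01, clerk-laptop-05, build-server-04
```

Note that the CVSS 9.8 on the clerical laptop lands below the 7.5 on the finance database, which is exactly the ordering the tiering rule intends.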

Patch Management is a crucial component of the Qualys Vulnerability
Management Detection and Response (VMDR) Lifecycle, which begins with
Step 1, identifying and managing all assets throughout your enterprise
architecture. In Steps 2 and 3, your enterprise assets are analyzed for
vulnerabilities, which are then prioritized according to severity levels and
known or existing threats. The final step, Step 4 of the VMDR Lifecycle, is Qualys
Patch Management (PM), which allows you to respond to detected
vulnerabilities and threats within days or even hours, rather than weeks or
months.
You can use the Qualys ticketing system to track the progress of your
remediation and to support your exception handling process. You can also use
Qualys dashboards to trend your remediation efforts. Tracking
remediation through a ticketing service also helps identify deficiencies within
the remediation process that may not be easily identified without supporting
metrics. Security teams can share which actions worked, leading to a more
rapid reduction in vulnerabilities across all areas.

Vulnerability reports should be comprehensive, with full instructions on how
to remediate vulnerabilities. Customizable reports are also desirable, allowing
technical staff to view data in the desired context while reducing information
overload.
Inform Management about VM

Use metrics gathered from scans and dashboards to communicate the status
of network security to senior management. Line-of-business managers can
then understand the trend of vulnerabilities and the efforts of the security team to
minimize risks to the enterprise. Use actual performance measurements to
educate your executive management team and show the value of the
Vulnerability Management program in maintaining business continuity,
reducing risks, and maintaining a secure infrastructure.
Policy Compliance

Compliance is “conformity or acting following accepted standards.” For
example, a DVD player manufacturer who adheres to the technical
manufacturing specifications of the discs is complying with a set of
standards. Compliance can also entail following a set of rules or ‘guardrails’
within which your organization can ‘legally’ operate. The implementation of
such procedures for compliance may entail a variety of standards. IT policy
compliance is the implementation and management of information
technology as per accepted standards.

Inform Auditors for Policy Compliance

VM delivers trusted, third-party auditing and reporting that meets the
compliance needs of the Health Insurance Portability and Accountability Act
(HIPAA), Gramm–Leach–Bliley Act (GLBA), California Senate Bill 1386,
Sarbanes–Oxley Act (SOX), Basel II and the Payment Card Industry Data
Security Standard (PCI DSS). You can use reports from VM solutions to
document the state of security over time on systems in scope for compliance.
Vulnerability Management Program

Vulnerability Management is not a one-time effort. Best VM practices call for
regular, continuous scanning and remediation to proactively guard against
internal and external threats and ensure compliance. Scan as often as
possible, and take a systematic approach to remediation, treating the
vulnerabilities that pose the highest risk to the organization as the priority.
In this course, you learned:

1. The importance of identifying the threat and finding sources of software vulnerabilities

2. To discover, categorize, and prioritize assets for VM

3. The importance of a VM program and implementing continuous VM solutions

4. To set up the Qualys VM trial software

5. The relationship between Continuous Monitoring and Vulnerability Management

6. To identify and eliminate weaknesses on your network effectively by following best practices of VM
