Qualys Asset Management

VMDR Applications:

  • Security Configuration Assessment (SCA)

  • Container Security (CS) and Container Runtime Security (CRS)

  • CloudView (CV) & Cloud Security Assessment (CSA)

  • CertView (CERT)

  • Continuous Monitoring (CM)

  • VMDR for Mobile Devices

Sensors:

  • Cloud agent: Installs to endpoints as a system service

  • Passive sensors: Collect asset telemetry from network TAPs and switch mirror ports, listening on a NIC in promiscuous mode

  • Scanners: Scanner appliances

  • Cloud connectors: Collect and pipe data from services

  • API: Integration between Qualys and CMDBs like ServiceNow

  • Container Sensors: Docker containers that run alongside the containers they watch.

  • Out-of-band sensors: Typically used for air-gapped portions of networks.

Scanner Appliance:

Scanner appliances can be cloud based (good for scanning internet-facing edge nodes), hardware based for internal asset scans, or virtual scanners for hybrid or cloud-based networks.

Cloud Agent:

You can distribute the agent with management software or group policies.

When viewing the keys you can also edit them, or use multiple keys if you need different functionality from what the default key enables.

In this case we see Asset inventory is left out:

Qualys warns against enabling the Policy Compliance (PC) and Security Configuration Assessment (SCA) modules in the same key.

Key Management Best Practice:

It is recommended to use a different key for each subnet or logical grouping of hosts, and then to assign static tags to the keys so you can track which grouping each key manages.
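The checks below are an added example, not Qualys code: they validate a cloud-agent activation-key plan against the practice just described (one key per subnet or logical grouping, a static tag on each key, and no key that enables both Policy Compliance and Security Configuration Assessment) and pick the key a given host should be activated with. The key names, subnets, tags and the module abbreviations (`VM`, `PC`, `SCA`) are constructed for illustration, not real Qualys identifiers.

```python
"""Check an activation-key plan against the per-grouping, static-tag practice.
Added example, not Qualys code; names, subnets, tags and module abbreviations
are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field

# Module pairs the notes say should not share one activation key.
INCOMPATIBLE_PAIRS = [frozenset({"PC", "SCA"})]


@dataclass
class ActivationKey:
    name: str          # constructed label, not a real Qualys key id
    subnet: str        # CIDR of the host grouping this key is meant for
    static_tag: str    # tag applied to every host activated with this key
    modules: set = field(default_factory=set)


def plan_problems(keys):
    """Return human-readable problems found in a list of ActivationKey."""
    problems = []
    for key in keys:
        for pair in INCOMPATIBLE_PAIRS:
            if pair <= key.modules:
                problems.append(f"{key.name}: modules {sorted(pair)} should not share one key")
        if not key.static_tag:
            problems.append(f"{key.name}: no static tag, so its grouping cannot be tracked")
    # Two keys for exactly the same subnet breaks the one-key-per-grouping rule.
    nets = [(k, ipaddress.ip_network(k.subnet, strict=False)) for k in keys]
    for i, (a, net_a) in enumerate(nets):
        for b, net_b in nets[i + 1:]:
            if net_a == net_b:
                problems.append(f"{a.name} and {b.name}: both cover subnet {net_a}")
    return problems


def key_for_host(ip, keys):
    """Pick the key whose subnet most specifically contains ip (None if no key applies).

    Nested subnets are allowed: a /24 key inside a /16 key wins for hosts in the /24."""
    addr = ipaddress.ip_address(ip)
    best_key, best_net = None, None
    for key in keys:
        net = ipaddress.ip_network(key.subnet, strict=False)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_key, best_net = key, net
    return best_key


# Constructed plan; 203.0.113.0/24 is a documentation range, 10.10.0.0/16 is private space.
SAMPLE_KEYS = [
    ActivationKey("dmz-key", "203.0.113.0/24", "grp:dmz", {"VM", "SCA"}),
    ActivationKey("corp-workstations", "10.10.0.0/16", "grp:corp-ws", {"VM", "PC"}),
    ActivationKey("corp-servers", "10.10.5.0/24", "grp:corp-srv", {"VM", "PC", "SCA"}),  # PC + SCA together
    ActivationKey("dmz-key-old", "203.0.113.0/24", "", {"VM"}),  # no tag, duplicate subnet
]

if __name__ == "__main__":
    for problem in plan_problems(SAMPLE_KEYS):
        print("PROBLEM:", problem)
    for host in ("10.10.5.20", "10.10.9.1", "192.0.2.7"):
        key = key_for_host(host, SAMPLE_KEYS)
        print(host, "->", key.name if key else "no key covers this host")
```

Running it against the sample plan reports the PC + SCA key, the untagged key and the duplicated DMZ subnet, and shows that a host in 10.10.5.0/24 is matched to the more specific server key rather than the /16 workstation key.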

Passive Sensors:

Passive sensors can be installed as virtual or hardware appliances; both require port mirroring to be configured so that traffic is sent to them. They collect data on a NIC in promiscuous mode, and the resulting packet captures are sent to the Qualys Cloud Platform. There the data is analyzed and attributed to its asset, and assets not already known are sorted into the Unmanaged set.

Qualys Cloud Connector:

Connectors exist for AWS, GCP, and Azure. They connect Qualys to these cloud platforms and use the accounts set up for the connector to scan for misconfigurations.

Container Sensor:

  • General: Scans containers on a Docker host

  • Registry: Scans images in public and private Docker registries

  • CI/CD Pipeline (aka build sensor): Scans images within DevOps CI/CD pipeline projects so those teams can correct vulnerabilities during the build process.

Qualys Container Runtime Security (CRS):

Rules for hive control that block processes in real time, based on the visibility the Docker sensors provide.

Global IT Asset Inventory:

All of the data and telemetry collected by the sensors can be fed into the Global IT Asset Inventory application. Qualys normalizes and categorizes the scan data and then enriches it for viewing, using a normalization and categorization taxonomy similar to what you may have seen in SIEM platforms. Below is a sample of this: in blue is normalization/categorization and in green is the enrichment.

Qualys Searching:

A search for any logs from switches.

A search for hardware that is virtualized in the cloud.

You can get a table of all category items via the UI:

Global IT Asset Inventory (GITAI) Terms:

  • General Availability: The product is still sold, maintained, and patched

  • End-of-Sale: No longer sold

  • End-of-Life: The product is no longer sold and no new features are added, but it is still maintained

  • End-of-Service: The product is no longer maintained or patched

  • Unidentified: There is insufficient collected data to determine what the node is

  • Unknown: There is sufficient data to identify the asset, but it does not match any cataloged asset
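As an added example (not Qualys code) of the normalize, categorize, enrich flow described under Global IT Asset Inventory, and of how passive-sensor observations end up in the Unmanaged set, the block below runs constructed passive-sensor records through a toy version of that pipeline, using the lifecycle terms above as the enrichment. The OUI table, OS banner patterns, lifecycle catalog, MAC addresses, banners and managed inventory are all constructed for illustration; real catalogs are far larger, and the distinction between "Unidentified" (no usable data) and "Unknown" (identified but not in the catalog) is applied exactly as the terms define it.

```python
"""Toy normalize -> categorize -> enrich pipeline over constructed passive-sensor
observations. Added example, not Qualys code; every table and sample value here
is constructed for illustration."""
import re
from dataclasses import dataclass


@dataclass
class Asset:
    ip: str
    mac: str
    vendor: str
    os_family: str
    os_version: str
    category: str
    lifecycle: str
    managed: bool


# Normalization tables (constructed; real catalogs are far larger).
OUI_VENDORS = {"00:50:56": "VMware", "00:1a:a0": "Dell", "00:1b:0c": "Cisco"}
OS_PATTERNS = [  # (regex over the raw banner, normalized OS family)
    (re.compile(r"windows\s+(?:server\s+)?([\d.]+|xp|vista)", re.I), "Windows"),
    (re.compile(r"ubuntu\s+([\d.]+)", re.I), "Ubuntu"),
    (re.compile(r"ios\s+([\d.()]+)", re.I), "Cisco IOS"),
]
# Enrichment table keyed by (OS family, major version); stages use the GITAI terms.
LIFECYCLE = {
    ("Windows", "7"): "End-of-Service",
    ("Windows", "10"): "General Availability",
    ("Ubuntu", "16.04"): "End-of-Service",
    ("Ubuntu", "20.04"): "General Availability",
}


def normalize_os(banner):
    """Map a raw OS banner to (family, version); 'Unidentified' when nothing matches."""
    for pattern, family in OS_PATTERNS:
        match = pattern.search(banner)
        if match:
            return family, match.group(1)
    return "Unidentified", ""


def categorize(vendor, os_family, banner):
    """Assign a coarse hardware category from the normalized fields."""
    if os_family == "Cisco IOS":
        return "Network Switch"
    if "server" in banner.lower():
        return "Server"
    if vendor == "VMware":
        return "Virtual Machine"
    if os_family in ("Windows", "Ubuntu"):
        return "Workstation"
    return "Unidentified"


def lifecycle_stage(os_family, os_version):
    """Unidentified: no usable data. Unknown: identified but not in the catalog."""
    if os_family == "Unidentified":
        return "Unidentified"
    parts = os_version.split(".")
    major = ".".join(parts[:2]) if os_family == "Ubuntu" else parts[0]
    return LIFECYCLE.get((os_family, major), "Unknown")


def inventory(observations, managed_macs):
    """Turn raw observations into Asset records, flagging those not yet managed."""
    assets = []
    for obs in observations:
        mac = obs["mac"].lower()
        banner = obs.get("banner", "")
        vendor = OUI_VENDORS.get(mac[:8], "Unknown")
        os_family, os_version = normalize_os(banner)
        assets.append(Asset(
            ip=obs["ip"], mac=mac, vendor=vendor,
            os_family=os_family, os_version=os_version,
            category=categorize(vendor, os_family, banner),
            lifecycle=lifecycle_stage(os_family, os_version),
            managed=mac in managed_macs,
        ))
    return assets


def unmanaged(assets):
    """Assets the passive sensor saw that have no agent or scan record yet."""
    return [a for a in assets if not a.managed]


# Constructed observations as a passive sensor might report them.
SAMPLE_OBSERVATIONS = [
    {"ip": "10.10.5.20", "mac": "00:50:56:ab:cd:01", "banner": "Windows Server 2019 Datacenter"},
    {"ip": "10.10.9.1", "mac": "00:1A:A0:11:22:33", "banner": "Windows 7 Professional"},
    {"ip": "10.10.0.2", "mac": "00:1b:0c:44:55:66", "banner": "Cisco IOS Software, IOS 15.2(4)"},
    {"ip": "10.10.9.5", "mac": "00:1a:a0:99:88:77", "banner": "Ubuntu 20.04.3 LTS"},
    {"ip": "10.10.9.77", "mac": "08:00:27:aa:bb:cc", "banner": ""},
]
# MACs already known to the (constructed) managed inventory.
MANAGED_MACS = {"00:50:56:ab:cd:01", "00:1b:0c:44:55:66", "00:1a:a0:99:88:77"}

if __name__ == "__main__":
    assets = inventory(SAMPLE_OBSERVATIONS, MANAGED_MACS)
    for asset in assets:
        print(asset)
    print("unmanaged:", [a.ip for a in unmanaged(assets)])
```

The two hosts the managed inventory has never seen (the Windows 7 workstation and the bannerless device) land in the unmanaged list; the Windows 7 host is additionally enriched as End-of-Service, which is the kind of finding a practitioner would want surfaced from passive telemetry before any agent is deployed.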
