IT Security solution providers know how hard it is to get customers to talk on the record about the solutions they use. Case studies and customer feedback, however, are the only way in which cybersecurity solution providers can tailor their product to the needs of their buyers. They are also a valuable source of insight for other organisations, who can look at which tool can solve which problem and make an informed decision on the basis of what worked well for others.
When it launched its VMDR platform a couple of weeks ago, Qualys was able to interview its customers, who provided their opinion on the challenges their organisations are facing and how they are tackling them.
So, thanks to Daryl Peterson, vulnerability manager at ATN International, and George Bellefontaine, manager of vulnerability management at Toyota Financial Services, here are all your most burning VMDR questions, answered.
Daryl Peterson – ATN International
What are the main security challenges you are facing currently?
One of the biggest challenges from a security perspective right now is making sure that all employees’ endpoints are secure, even as they work from home.
Due to the nature of our company, we have a lot of remote users. This means that, even before the lockdown, there were some employees that didn’t check into the corporate network for months at a time. By not doing that, they were not getting the automatic updates, which meant we had to find a different solution to secure endpoints off premise. To further complicate the picture, our VPN will not allow users whose machines are not up to date on the patches to connect.
We really needed a cloud-based solution that would help us achieve protection for these users.
Currently, we don’t have a CMDB that keeps assets realistically up to date. We are leaning towards going with Qualys also for that function, as another application we were using does not have remote agents and would still require users to be on-prem or to run a VPN to run updates.
How long have you been using Qualys?
We have been using Qualys for vulnerability detection for quite some time, but the main feature that VMDR would introduce is the deployment of cloud agents to my endpoints, allowing our security team to track them and maintain an active asset inventory.
In terms of prioritisation, Qualys spares us a lot of trouble. At my previous position, my team and I were working overnight to patch systems manually, and we had to provide an executive report that we were recording on Excel. With VMDR, we would have been able to let a dashboard do that for us.
What do you think of the approach of having fewer agents?
I was never a fan of having multiple agents running on a machine. Many agents require more resources, and getting asset inventory, vulnerability and patch management all in one agent is something that makes me, my team and my end-users happy.
What has changed in your approach to patch deployment since you’ve adopted VMDR?
We used to receive vulnerability reports from Qualys and we would go out and patch manually. With VMDR, I’ve been able to work on machines that I previously was never able to patch. I haven’t been using the solution for very long, but it has improved my visibility significantly, allowing me to deploy patches quickly and efficiently and ultimately reducing the window of exposure.
What are your thoughts on the dashboard?
The dashboard is very intuitive. With the cloud agent, it allows us to keep a real-time inventory of machines that are running or that have been patched, according to how you choose to customise it, which is something I find very useful.
The fact that the cloud agent checks in every couple of hours is also valuable, as it can track our progress and how we increasingly reduce our risk.
As I had never used dashboards on Qualys before, I received a lot of support from the Qualys team to set it all up. Engineers were incredibly helpful and are constantly creating ad hoc dashboards for newly discovered vulnerabilities or to suit what I wish to monitor.
Georges Bellefontaine – Toyota Financial Services
When did you start using Qualys?
Toyota Financial Services is spread across multiple countries, and my team is leading security efforts from the US. To support all the other locations, we are offering Qualys to all of them, and we manage it from our central headquarters. We originally used Qualys just for patch management, but Qualys VMDR provides us with the data that we need to improve our risk posture across the organisation.
Where do you get the most value from Qualys?
Qualys has given me an asset management tool that is more accurate than I’ve ever had. It doesn’t only perform authenticated scans, but it allows us to deploy agents over 10,000 of our devices, servers, and mobile devices. That is a valuable capability, as we can actually see if we need to patch a piece of software – even something as simple as Wireshark. There are so many small pieces of software that are used only by engineers and architects that would otherwise not be maintained as part of an organisation’s patch management programme. With Qualys, we are able to identify those outliers, as we have more data, organised in a better way so as to be more actionable.
Another upside of using Qualys is that it makes it easier to understand and better break up the organisation across our many locations. For example, each one of our countries is in its own business unit. We’ve also set up networks within each one of those, if there’s overlapping IT space. With the data Qualys provides, we’re able to do a measured key risk indicator, KRI, for each country, which in turn allows us to compare successes and motivate those that are falling behind.
But before getting into any complicated calculation of risk, the most basic requirement of a successful security posture is knowing what you have on the network, managing assets effectively, and there is no magic bullet to doing that. It is a dynamic, ever changing process that many organisations struggle to achieve, especially since it’s not only about the hardware, but the software, too. Qualys has stepped up the game when it comes to identifying pieces of software that need patching, effectively improving the visibility I have over the assets we need to protect.
We are now able to put much more context in the metadata, using Qualys’ tools to better associate things. We use tagging to the extreme, which allows us, for instance, to relate the cloud assets that we have to a particular business unit. This means that any security issue with those assets can be reported to the right owners, who would then take the necessary action. We don’t want to simply help people with their patching, we want to influence change in the environment and assist in rearchitecting with security in mind. Qualys lets us see our weak points and provides the data we need to harden and to inform our security strategy.
How do you deal with cloud environments?
In the cybersecurity space, things change fast. Qualys’ connectors give us full visibility even on cloud environments such as AWS and Google Cloud, providing us with a true representation of these, even as they are deployed and torn down in a matter of hours or days. We would not be able to stay on top of scripts – in our case, Terraform scripts – if it weren’t for Qualys; we would be playing whack-a-mole in such an ephemeral environment.
How are you looking at prioritisation?
I’m providing the security operation centre with access to the, threat protect, and also to Indicators of Compromise (IOC). Because we’re providing that kind of information, if the vulnerability is identified from a feed, Qualys actually tells us what assets have that vulnerability, so it takes much less time for the analyst to go and start investigating, as she/he has a list to work from.
This makes the solution more scalable, as we can provide the single business units with clear actionable data. It allows smaller units that have limited resources to get a better understanding of their environment.
How do you bring multiple tools together? Do you find it easy to integrate the response with the detection and asset scanning?
The response part is not usually an issue for the bigger business units, as we have a well-oiled patching machine that runs on monthly updates and can step up when a vulnerability is detected. What concerns me more is the smaller business units I mentioned earlier, which can really benefit from having an automated response through Qualys. One of the greatest benefits we found in VMDR is that once a patch is deployed, it also immediately checks that the issue has been resolved, unlike other solutions that ask you to reboot the machine. There are many things that can go wrong when applying software patches, which is why this feature gives a quicker turnaround and reduces the time of exposure.
You can hear more of what the first VMDR adopters think of Qualys’ latest solution here.