
What is a vulnerability management system, using the QualysGuard cloud platform as an example

Why I decided to write this text.


My professional activity is related to the development of sales channels, so I often have to get acquainted with information security and IT solutions and try them out hands-on in order to experience them. I decided to write about the QualysGuard vulnerability management service because there is only minimal information on the Russian-language Internet for understanding what it is. The service is interesting, and it is still new to the Russian market.

The reasons for the need to manage vulnerabilities can be found at the link penetrationtest.ru/uslugii-resniya/preventivnoe-snizhenie-riskov , at CSO training courses and after reading the book Vulnerability Management by Park Foreman. This understanding is only beginning to be realized in Russia and the CIS countries, but this should not be surprising.

Let's go back to the service itself.


The service itself consists of several modules, all accessed from a single web interface.
The main and most interesting module is QualysGuard Vulnerability Management. I will try to describe it briefly.
Its main difference from conventional vulnerability scanners is the ability to build a vulnerability assessment process using a single product. Conventional scanners are useful for auditors: they show a snapshot of the analysis at the current moment. But companies still need a tool to build protection against external threats, and here we cannot do without a process approach. Therefore, vulnerability management systems are the next stage in the development of security analysis systems.

The vulnerability management process is described in the NIST SP 800 standard: csrc.nist.gov/publications/nistpubs/800-40-Ver2/SP800-40v2.pdf . Its essence is that there are several stages in managing vulnerabilities, and all of them are implemented in QualysGuard VM:

  - identification of internal and external assets in the infrastructure;
  - selection of the assets whose vulnerabilities we want to manage, and assignment of their importance levels for the company;
  - the vulnerability scan itself;
  - based on the vulnerability management rule, distribution of tasks to eliminate vulnerabilities on the objects that are critical for us;
  - re-scanning to update information on open vulnerabilities and on those closed by specialists and, accordingly, opening new elimination tasks when new vulnerabilities are detected;
  - management receiving reports on the work of departments and employees and on changes in business risks.
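The stages above can be sketched as a small loop. This is an added illustration, not QualysGuard code or its API; the asset names, finding identifiers, thresholds and the risk formula (importance times severity) are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data: asset name -> business importance (1 = low, 5 = critical).
ASSETS = {"web-frontend": 5, "hr-portal": 3, "test-vm": 1}

# Constructed scan results: sets of (asset, finding id, severity 1-5).
SCAN_1 = {("web-frontend", "VULN-A", 4), ("hr-portal", "VULN-B", 5), ("test-vm", "VULN-C", 5)}
SCAN_2 = {("hr-portal", "VULN-B", 5), ("web-frontend", "VULN-D", 3), ("test-vm", "VULN-C", 5)}

@dataclass
class Task:
    asset: str
    vuln: str
    risk: int            # assumed metric: asset importance x finding severity
    status: str = "open"

def needs_task(importance, severity, min_importance=3, min_severity=4):
    """Hypothetical management rule: severe findings on important assets only."""
    return importance >= min_importance and severity >= min_severity

def process_scan(tasks, scan, assets=ASSETS):
    """Apply one scan: close tasks whose finding is gone, open tasks for new ones."""
    present = {(asset, vuln) for asset, vuln, _ in scan}
    for key, task in tasks.items():
        if task.status == "open" and key not in present:
            task.status = "closed"           # fix confirmed by the re-scan
    for asset, vuln, severity in scan:
        if asset not in assets:
            continue                          # not an asset we chose to manage
        if needs_task(assets[asset], severity):
            existing = tasks.get((asset, vuln))
            if existing is None or existing.status == "closed":
                tasks[(asset, vuln)] = Task(asset, vuln, assets[asset] * severity)
    return tasks

def report(tasks):
    """Management view: task counts and the risk still carried by open tasks."""
    open_tasks = [t for t in tasks.values() if t.status == "open"]
    return {"open": len(open_tasks),
            "closed": len(tasks) - len(open_tasks),
            "open_risk": sum(t.risk for t in open_tasks)}

def run_cycle():
    """Initial scan followed by one re-scan, with a report after each."""
    tasks = {}
    first = report(process_scan(tasks, SCAN_1))
    second = report(process_scan(tasks, SCAN_2))
    return first, second
```

The severity-5 finding on `test-vm` never produces a task because the asset's importance is below the rule's threshold, which is the difference between a plain scan result and a managed process.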

I know that similar elements are implemented in the product McAfee VM and partly in one or two software solutions of Western vendors.

But the main distinguishing feature of QualysGuard is that all of this is delivered as SaaS. That is: minimum cost of ownership, service on demand, no need for a separate engineer, and everything else we get from SaaS.

That is, to work with external assets you need only a web browser (preferably not IE) and Internet access. Internal scanning additionally requires a running virtual machine on VMware / Oracle VirtualBox. And that's all :)

I am sure that there will be questions about the protection of vulnerability data transmitted to and stored in the vendor's data center (this is SaaS technology, after all), so I'll only say that the company builds its relationships with customers on trust and spends a lot of money every year on its own audits and on improving its protection. This is what allows large global companies to trust Qualys (everything is on the vendor's website). It was interesting for me to find that all major IT vendors, selling their vulnerability scanners, use QualysGuard in their own way.

Also, for large customers who are afraid of storing data in Switzerland, it is possible to deploy their own data center.

With this I want to conclude my first article about my experience with different technologies. Next week I will try to talk about the free Qualys service and answer the questions I receive.

Source: https://habr.com/ru/post/151906/

