Vulnerability Management

We recommend Qualys for both Internet and internal vulnerability scanning, particularly if you have credit card processing and PCI environments. This recommendation is valid unless/until all your services are in the cloud and all your client devices are no longer inside the "perimeter".
  • The old way to scan
    • In the olden days we would build laptops and fixed computers to run scans. An SMB could have one, but (because of network segmentation) almost always had two, and could easily have five or ten scanners. That would mean our scanning engineers would be busy maintaining operating systems and hardware instead of producing value. In fact, it took longer to maintain this infrastructure than for the engineers to kick off the scans and distribute the reports!
  • The Qualys way
    • Qualys stores most of what was our infrastructure in their cloud. Scan data and reporting engines are maintained by them.
      • Eliminates capital expenses for this infrastructure
      • Eliminates most support and administration tasks
    • One of the common arguments against vulnerability scanning is that it will "bring down" things.
      • This is a rather funny argument since it seems to us it's better for the good guys to bring something down when it could be fixed rather than wait for the bad guys to bring it down at an inopportune time.
      • In modern times it's quite unusual for systems to be so bad that they can be remotely broken by a scan. I can't point to a recent example for any modern operating system or service.
      • Qualys provides additional protections. Every one of their customers gets the same scan that we do. If they could knock us down then they could knock down a good portion of the Fortune 100. We don't see that happening.
      • Qualys is very motivated to investigate false positives/negatives or incidents of causing problems. If we have a problem then everyone has a problem and they understand that.
    • We can't stress this enough, Qualys is one of the most responsive vendors we deal with. This is true with their help desk as well as sales and engineering.
    • External (Internet) Scanning is done using scanners in Qualys' infrastructure. No footprint in our data centers.
    • Internal scanning requires some equipment inside the network to be scanned.
      • Qualys offers appliances to fulfill this requirement. The appliances are managed, patched and updated by Qualys. They don't require any firewall changes or opening incoming ports.
      • If one of these appliances happens to have a problem we contact their support desk and they ship us a new one; it's incredibly simple to deal with.
  • The Future
    • The role of vulnerability scanning in the vulnerability management process
      • Vulnerability scanning by itself does not change how secure anything is.
      • Scanning simply measures the effectiveness of the vulnerability management process.
      • There are only four things you can do if scanning identifies a vulnerability
        • Do nothing, but then why scan?
        • Try mitigating the vulnerability with perimeter services, but, as we will show below, the concept of perimeter protection is obsolete. Fewer and fewer client devices and enterprise services live behind what can be called a perimeter.
        • Change device configurations to mitigate vulnerabilities.
          • Vulnerability scanning of devices can be a great way to find configuration problems only if the scanners have administrative access. This is increasingly not the case for mobile devices, BYOD devices or cloud services.
        • Apply patches 
          • That only works for devices you own, have administrative access to, and are at least sometimes in a network you control.
            • That works for devices you own but not too well for BYOD devices
            • Many appliances and client devices cannot be patched by consumers (administrators)
            • Many laptops are never "home" to be patched
            • Public cloud services cannot be patched or updated. (Virtual machines at places like Rackspace or Amazon being an exception)
    • It seems to us there are four interesting IT trends that will directly impact vulnerability management and measurement in the future.
      • The mobile workforce and BYOD devices have destroyed any pretense that anything inside the perimeter is safe, or even that there is such a thing as a perimeter anymore.
        • There is no perimeter around client devices anymore. Everything is communicating on ports 80 and 443 (the web).
        • Most devices won't be "inside" anymore, the pesky things keep moving around.
        • We don't own, nor are we authorized to administer, many of the client devices connecting to our services.
        • There are approximately 200 million businesses in the world. ISPs probably won't want them to start scanning across their networks all at once.
      • Automated client device management by third parties
      • Moving on-premise IT services to the cloud
      • Cloud email providers are getting better at recognizing spam, malware and dangerous sites 
    • Does this mean that Vulnerability Scanning is obsolete? No!
      • Traditional Scanning will still be around.
        • Legacy client networks will be around for a while
        • Legacy services have a way of hanging around but still need monitoring