
1/3/13

QualysGuard Vulnerability Management

Copyright 2012 by Qualys, Inc. All Rights Reserved.

QualysGuard Vulnerability Management: Housekeeping
Please turn your phones to vibrate
Breaks are generally every hour
Free lunch around 11:30am
Introductions


QualysGuard Vulnerability Management: Topics Covered
Getting Started With QualysGuard
Introduction to QualysGuard SaaS Architecture
The QualysGuard Vulnerability Management Engine
The QualysGuard KnowledgeBase
Configuring a QualysGuard Solution
Mapping
Asset Management
Scanning
Reporting
User Management
Understanding Saved Searches
Search Lists and Customizing Option Profiles
Remediating
EXAM

QualysGuard Software-as-a-Service
Bringing Security and Compliance together
Satisfying the needs of all constituents with a single solution
No Software to Deploy or Maintain!


QualysGuard Cloud Security Platform

QualysGuard Lifecycle
1. Discover
2. Prioritize Assets
3. Assessment
4. Reporting
5. Remediation
6. Verification


QualysGuard Vulnerability Management (VM) Engine

QualysGuard VM Engine
Key Concepts
At the end of this section, you should be able to understand:
  The QualysGuard Vulnerability Management Engine
  Workflow of the Mapping and Scanning Functions


QualysGuard VM Engine
Core Engine
Manages the operation

Modules
Specific tests based on information gathered
Responsible for collecting data from the hosts

Information
Data collected by modules
Used to determine which modules are necessary

QualysGuard VM Engine
Host Discovery Module
  Requires: {IP ADDRESS}
  Task: Checks if remote host is alive
  Produces: {HOST STATUS: HOST DEAD?}
TCP Port Scanner Module
  Requires: {HOST STATUS: ALIVE} (host can be reached from the Internet)
  Task: Finds all open TCP ports
  Produces: {TCP Open Ports}
TCP Service Detection Module
  Requires: {TCP Open Ports} (at least one open TCP port)
  Task: Detects which service is running on an open TCP port
  Produces: {Services, OS}
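The Requires/Produces chaining described above can be shown with a small information-driven scheduler. This is an added example, not Qualys code: each module declares a predicate over the information gathered so far and a function that produces new information, and the core engine keeps running whichever modules are satisfied until nothing new is learned. The host table, banners and the "Telnet Detection" module are constructed assumptions so the example runs offline; a real engine would probe the network at each step.

```python
"""Added example (not Qualys code): an information-driven module scheduler in
the style of the VM engine outlined above.  Each module declares a Requires
predicate over the information gathered so far and a run() that Produces new
information; the core engine keeps running whichever modules are satisfied
until nothing new is learned.  Network probes are simulated from the
constructed host table below, so the example runs offline."""
from dataclasses import dataclass
from typing import Callable

# Constructed stand-in for real probe results (assumption, not live data).
FAKE_NETWORK = {
    "10.0.30.18": {
        "alive": True,
        "tcp_open": [80, 22, 23],
        "banners": {22: "SSH-2.0-OpenSSH_5.3",
                    23: "\xff\xfd\x18",            # telnet IAC DO TERMINAL-TYPE
                    80: "HTTP/1.1 200 OK\r\nServer: Apache/2.2.15"},
    },
    "10.0.30.19": {"alive": False, "tcp_open": [], "banners": {}},
}


@dataclass
class Module:
    name: str
    requires: Callable[[dict], bool]   # Requires: is the needed information present?
    run: Callable[[dict], dict]        # Produces: new information to merge


def host_discovery(info):
    host = FAKE_NETWORK.get(info["ip"], {"alive": False})
    return {"host_status": "ALIVE" if host["alive"] else "DEAD"}


def tcp_port_scan(info):
    return {"tcp_open_ports": sorted(FAKE_NETWORK[info["ip"]]["tcp_open"])}


def service_detection(info):
    """Identify services by what they actually speak, not by port number."""
    banners = FAKE_NETWORK[info["ip"]]["banners"]
    services = {}
    for port in info["tcp_open_ports"]:
        banner = banners.get(port, "")
        if banner.startswith("SSH-"):
            services[port] = "ssh"
        elif banner.startswith("HTTP/"):
            services[port] = "http"
        elif banner.startswith("\xff"):   # telnet option negotiation
            services[port] = "telnet"
        else:
            services[port] = "unknown"
    return {"services": services}


def telnet_check(info):
    """A detection module that is only loaded because telnet was found."""
    ports = [p for p, s in info["services"].items() if s == "telnet"]
    return {"findings": [f"cleartext telnet on {p}/tcp" for p in ports]}


MODULES = [
    Module("Host Discovery",
           lambda i: "host_status" not in i, host_discovery),
    Module("TCP Port Scanner",
           lambda i: i.get("host_status") == "ALIVE" and "tcp_open_ports" not in i,
           tcp_port_scan),
    Module("TCP Service Detection",
           lambda i: bool(i.get("tcp_open_ports")) and "services" not in i,
           service_detection),
    Module("Telnet Detection",
           lambda i: "telnet" in i.get("services", {}).values() and "findings" not in i,
           telnet_check),
]


def run_engine(ip):
    """Core engine: loop until no module's requirements are newly satisfied."""
    info = {"ip": ip}
    ran = []
    progress = True
    while progress:
        progress = False
        for module in MODULES:
            if module.requires(info):
                info.update(module.run(info))
                ran.append(module.name)
                progress = True
    return info, ran


if __name__ == "__main__":
    for ip in FAKE_NETWORK:
        info, ran = run_engine(ip)
        print(ip, "->", " > ".join(ran), info.get("findings", []))
```

A dead host stops after Host Discovery because the port scanner's requirement is never met; the telnet module is never even considered unless service detection produced a telnet service, which is the "modules loaded based on information gathered" behaviour the slides describe.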


Host Discovery Module


Discovery Process
  13 TCP ports (configurable to 20): 21-23, 25, 53, 80, 88, 110-111, 135, 139, 443, 445
  Half-open/SYN scanning
  MSS set to avoid some filtering issues
  6 UDP ports
  ICMP

Port Scanning Module


Scan Process
  Port Scan
    1900 TCP ports (configurable up to 65535)
    180 UDP ports (configurable, but the scanner will fall back with slow-responding stacks)


Service Detection Module


Service Discovery Engine

(Diagram: the Service Discovery Engine negotiating TELNET on 23/tcp, HTTP on 80/tcp and SNMP on 162/udp. Note that 162/udp is the SNMP trap port; SNMP agents themselves listen on 161/udp.)

Service Discovery
  Detection by valid protocol negotiation
  Non-destructive tests
Exceptions
  Services running on non-standard ports
  Services using non-standard (unpredictable) banners

Note: QualysGuard VM can detect more than 600 different services on TCP and UDP ports. To review these services go to the Help > About Section.

Service Detection Module


Uses the IANA port assignments as a guideline, but is not dependent upon them:
  Port 80 is open: Do you speak HTTP?
  Port 22 is open: Do you speak SSH?
If you're going to see a service impact from scanning, it will happen here, because this is the phase that actually talks to the service.


Service Detection Module


What OS are you?
No.  Time      Source -> Dest     Info
 1   0.000000  qualys -> target   TCP 3344 > ssh [SYN] Seq=0 Len=0
 2   0.000052  qualys -> target   TCP 3345 > ssh [SYN] Seq=0 Len=0 MSS=237
 3   0.000095  qualys -> target   TCP 3346 > ssh [SYN] Seq=0 Len=0 MSS=1011
 4   0.000132  qualys -> target   TCP 3347 > ssh [SYN] Seq=0 Len=0 MSS=4073 WS=3
 5   0.000171  qualys -> target   TCP 3348 > ssh [SYN] Seq=0 Len=0 MSS=4073 WS=0 TSV=2841121084 TSER=0
 6   0.000505  target -> qualys   TCP ssh > 3344 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460
 7   0.000537  qualys -> target   TCP 3344 > ssh [RST] Seq=1 Len=0
 8   0.000587  target -> qualys   TCP ssh > 3345 [SYN, ACK] Seq=0 Ack=1 Win=16590 Len=0 MSS=1460
 9   0.000601  qualys -> target   TCP 3345 > ssh [RST] Seq=1 Len=0
10   0.000689  target -> qualys   TCP ssh > 3346 [SYN, ACK] Seq=0 Ack=1 Win=17187 Len=0 MSS=1460
11   0.000708  qualys -> target   TCP 3346 > ssh [RST] Seq=1 Len=0
12   0.000742  target -> qualys   TCP ssh > 3347 [SYN, ACK] Seq=0 Ack=1 Win=17520 Len=0 MSS=1460
13   0.000751  qualys -> target   TCP 3347 > ssh [RST] Seq=1 Len=0
14   0.000845  target -> qualys   TCP ssh > 3348 [SYN, ACK] Seq=0 Ack=1 Win=17520 Len=0 MSS=1460
15   0.000864  qualys -> target   TCP 3348 > ssh [RST] Seq=1 Len=0
16   3.000233  qualys -> target   TCP 3349 > ssh [SYN] Seq=0 Len=0 MSS=4073 WS=0 TSV=2841124084 TSER=0
17   3.000682  target -> qualys   TCP ssh > 3349 [SYN, ACK] Seq=0 Ack=1 Win=17520 Len=0 MSS=1460
18   3.000705  qualys -> target   TCP 3349 > ssh [RST] Seq=1 Len=0

Service Detection Module


Scan Process
  5 SYN probes with differing TCP options (excluding the RSTs and the responses); each is reset immediately so no connection is completed
  Analyzing the characteristics of the replies (similar to other fingerprinting tools): TTL, MSS, Window Size, TCP Options, etc.
In the capture above, note that the advertised window tracks the negotiated MSS (16590 = 70 x 237, 17187 = 17 x 1011, 17520 = 12 x 1460) and that the target echoes neither window scaling nor timestamps; dependencies like these are what get compared against the signature database.
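The feature extraction behind that comparison, as an added example that is not Qualys code: it parses the slide's own capture lines (copied into the block), pairs each scanner SYN with the target's SYN/ACK, and derives the stack characteristics a signature database would be matched against. Only TCP-level features are available because the listing carries no IP TTL; the parser, the pairing logic and the feature names are ours.

```python
"""Added example (not Qualys code): extracting the stack characteristics an OS
fingerprinter keys on from the SYN probes and SYN/ACK replies shown in the
capture above.  The capture text is the slide's own listing; the parser and
feature extraction are ours.  Only TCP-level features are used here (the
listing carries no IP TTL), so TTL is left out."""
import re

# Probe/response lines copied from the capture on the slide (frames 1-18).
CAPTURE = """\
1 0.000000 qualys -> target TCP 3344 > ssh [SYN] Seq=0 Len=0
2 0.000052 qualys -> target TCP 3345 > ssh [SYN] Seq=0 Len=0 MSS=237
3 0.000095 qualys -> target TCP 3346 > ssh [SYN] Seq=0 Len=0 MSS=1011
4 0.000132 qualys -> target TCP 3347 > ssh [SYN] Seq=0 Len=0 MSS=4073 WS=3
5 0.000171 qualys -> target TCP 3348 > ssh [SYN] Seq=0 Len=0 MSS=4073 WS=0 TSV=2841121084 TSER=0
6 0.000505 target -> qualys TCP ssh > 3344 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460
7 0.000537 qualys -> target TCP 3344 > ssh [RST] Seq=1 Len=0
8 0.000587 target -> qualys TCP ssh > 3345 [SYN, ACK] Seq=0 Ack=1 Win=16590 Len=0 MSS=1460
9 0.000601 qualys -> target TCP 3345 > ssh [RST] Seq=1 Len=0
10 0.000689 target -> qualys TCP ssh > 3346 [SYN, ACK] Seq=0 Ack=1 Win=17187 Len=0 MSS=1460
11 0.000708 qualys -> target TCP 3346 > ssh [RST] Seq=1 Len=0
12 0.000742 target -> qualys TCP ssh > 3347 [SYN, ACK] Seq=0 Ack=1 Win=17520 Len=0 MSS=1460
13 0.000751 qualys -> target TCP 3347 > ssh [RST] Seq=1 Len=0
14 0.000845 target -> qualys TCP ssh > 3348 [SYN, ACK] Seq=0 Ack=1 Win=17520 Len=0 MSS=1460
15 0.000864 qualys -> target TCP 3348 > ssh [RST] Seq=1 Len=0
16 3.000233 qualys -> target TCP 3349 > ssh [SYN] Seq=0 Len=0 MSS=4073 WS=0 TSV=2841124084 TSER=0
17 3.000682 target -> qualys TCP ssh > 3349 [SYN, ACK] Seq=0 Ack=1 Win=17520 Len=0 MSS=1460
18 3.000705 qualys -> target TCP 3349 > ssh [RST] Seq=1 Len=0
"""

LINE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+) -> (\S+)\s+TCP (\S+) > (\S+) \[([^\]]+)\](.*)$")
FIELD = re.compile(r"(\w+)=(\d+)")


def parse_capture(text):
    """Turn the Wireshark-style summary lines into dicts."""
    frames = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        num, ts, src, dst, sport, dport, flags, rest = m.groups()
        frames.append({"frame": int(num), "time": float(ts), "src": src, "dst": dst,
                       "sport": sport, "dport": dport, "flags": flags,
                       "fields": {k: int(v) for k, v in FIELD.findall(rest)}})
    return frames


def probe_responses(frames):
    """Pair every scanner SYN with the target's SYN/ACK via the scanner's source port."""
    probes = {f["sport"]: f for f in frames if f["src"] == "qualys" and f["flags"] == "SYN"}
    pairs = []
    for f in frames:
        if f["src"] != "target" or f["flags"] != "SYN, ACK":
            continue
        probe = probes[f["dport"]]
        offered = probe["fields"].get("MSS")          # MSS the scanner advertised
        target_mss = f["fields"].get("MSS")
        effective = min(offered, target_mss) if offered and target_mss else None
        pairs.append({
            "probe_port": probe["sport"],
            "probe_opts": {k: v for k, v in probe["fields"].items() if k in ("MSS", "WS", "TSV")},
            "win": f["fields"]["Win"],
            "mss": target_mss,
            "echoed_ws": "WS" in f["fields"],
            "echoed_ts": "TSV" in f["fields"],
            # does the advertised window round to a multiple of the negotiated MSS?
            "win_rounds_to_mss": effective is not None and f["fields"]["Win"] % effective == 0,
        })
    return pairs


def fingerprint(pairs):
    """Summarise the behaviour a signature database would be matched against."""
    with_mss = [p for p in pairs if "MSS" in p["probe_opts"]]
    return {
        "base_window": pairs[0]["win"],
        "mss": pairs[0]["mss"],
        "window_rounds_to_mss": bool(with_mss) and all(p["win_rounds_to_mss"] for p in with_mss),
        "window_scaling": any(p["echoed_ws"] for p in pairs),
        "timestamps": any(p["echoed_ts"] for p in pairs),
    }


if __name__ == "__main__":
    pairs = probe_responses(parse_capture(CAPTURE))
    for p in pairs:
        print(p["probe_port"], p["probe_opts"], "-> Win", p["win"], "rounds:", p["win_rounds_to_mss"])
    print(fingerprint(pairs))
```

The "effective MSS" is the smaller of what the scanner offered and what the target answered with, which is why the 4073-byte probes produce a window that is a multiple of 1460 rather than of 4073. A real fingerprinter would hold these feature vectors for many known stacks and return the closest match; the slide's point is that the five probes are enough to compute the vector.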

Authenticated scanning is obviously more accurate, as the host simply tells us what it is (uname -a, Windows registry, cat /etc/redhat-release, etc).


QualysGuard VM
Main Goals
Asset Discovery Map (Domains and/or Netblocks)
  Provides full information on your domains (DNS records, topology)
  Identifies all active hosts located in your Internet/Intranet perimeter

Vulnerability Scan (IP Addresses)
  Reports Confirmed and Potential Vulnerabilities on your hosts
  Provides complete information related to your hosts

QualysGuard VM
Asset Discovery Map

3 Step Process
  Network Discovery: Domain or Netblock
  Host Discovery: Detects all active hosts
  Device Identification: Basic information gathering on each active host


QualysGuard VM
Asset Discovery Map: Network Discovery Methodology
  Domain Lookup (whois)
  DNS Zone Transfer
  DNS Brute Force (www.qualys.com, ftp.qualys.com, mail.qualys.com)
  Reverse DNS Lookups in the class C range
  Router and Firewall detection
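The DNS brute-force and reverse-lookup steps of that methodology, as an added example that is not Qualys code: the resolver is a parameter, so the block runs offline against a constructed zone (the reserved example.com domain and the TEST-NET-1 range 192.0.2.0/24 are used instead of the slide's qualys.com names so that nothing queries real infrastructure). Passing the real `socket.gethostbyname` and `socket.gethostbyaddr` runs it against live DNS. Zone transfer needs a DNS library and is not shown.

```python
"""Added example (not Qualys code): the DNS brute-force and reverse-lookup
steps of the network discovery methodology above, with the resolver pluggable
so the example runs offline against a constructed zone.  Pass the real
socket functions (the defaults of the two helpers) to run it against live
DNS.  Zone transfer (AXFR) needs a DNS library and is not shown."""
import ipaddress
import socket

# Constructed zone standing in for real DNS answers (assumption).  Uses the
# reserved example.com domain and the TEST-NET-1 range 192.0.2.0/24.
FAKE_ZONE = {
    "www.example.com": "192.0.2.10",
    "ftp.example.com": "192.0.2.10",
    "mail.example.com": "192.0.2.25",
}


def fake_resolve(name):
    """Offline stand-in for socket.gethostbyname()."""
    try:
        return FAKE_ZONE[name]
    except KeyError:
        raise socket.gaierror(f"NXDOMAIN {name}")


def fake_reverse(ip):
    """Offline stand-in for socket.gethostbyaddr(); returns (name, aliases, addrs)."""
    for name, addr in FAKE_ZONE.items():
        if addr == ip:
            return name, [], [ip]
    raise socket.herror(f"no PTR for {ip}")


def brute_force_subdomains(domain, wordlist, resolve=socket.gethostbyname):
    """Try common host labels under the domain; keep those that resolve."""
    found = {}
    for label in wordlist:
        name = f"{label}.{domain}"
        try:
            found[name] = resolve(name)
        except OSError:          # gaierror/herror: NXDOMAIN, timeout, refused
            continue
    return found


def reverse_sweep(cidr, reverse=socket.gethostbyaddr):
    """PTR-lookup every address in the block (a /24 for the 'class C range')."""
    found = {}
    for ip in ipaddress.ip_network(cidr).hosts():
        try:
            found[str(ip)] = reverse(str(ip))[0]
        except OSError:
            continue
    return found


def discover(domain, cidr, wordlist, resolve=fake_resolve, reverse=fake_reverse):
    """Merge both techniques into an address -> hostnames inventory."""
    hosts = {}
    for name, ip in brute_force_subdomains(domain, wordlist, resolve).items():
        hosts.setdefault(ip, set()).add(name)
    for ip, name in reverse_sweep(cidr, reverse).items():
        hosts.setdefault(ip, set()).add(name)
    return hosts


if __name__ == "__main__":
    print(discover("example.com", "192.0.2.8/29", ["www", "mail", "ftp", "vpn", "intranet"]))
```

Catching `OSError` covers both `socket.gaierror` and `socket.herror`, so a name that does not exist, a resolver timeout and a refused query are all treated the same way: the candidate is simply dropped. Keying the inventory by address rather than by name is what lets the two techniques reinforce each other, since a name found by brute force and a PTR found by the sweep collapse onto the same host.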

Option Profile Settings
  Perform live host sweep (enabled by default)
  Ignore firewall-generated RST and SYN-ACK packets

QualysGuard VM
Vulnerability Scan: First Steps Similar to Mapping
  Host Discovery: Checks for availability of target hosts. One response from the host indicates the host is "alive"
  Port Scanning: Finds all open TCP and UDP ports on target hosts, based on the scan settings
  Device Identification: Attempts to identify the operating system on the first open port


QualysGuard VM
Vulnerability Scan
Vulnerability Detection Module launching
  Specific vulnerability modules loaded based on information gathered in previous phases
Signatures
  Template-based vulnerability signatures
  Active (but non-intrusive) tests for almost all detections
  Specially crafted requests to distinguish between patched and un-patched versions
  Multiple tests validate each other's results to confirm the vulnerability

The KnowledgeBase


KnowledgeBase Key Concepts


At the end of this section, you should be able to understand:
  Confirmed vs. Potential Vulnerabilities
  QualysGuard Severity Levels
  Anatomy of a QID

KnowledgeBase
The Central Repository

All QIDs are stored here


KnowledgeBase
Severity

KnowledgeBase
Severity Levels

Severity 5: Most Urgent
Severity 1: Least Urgent


KnowledgeBase
CVSS
Remotely exploitable vulnerabilities get priority using CVSS (http://www.first.org/cvss/)
The Common Vulnerability Scoring System lets a vulnerability carry additional metrics that determine whether there is a greater potential for risk
De facto rating system for PCI

KnowledgeBase
Mitre
The KnowledgeBase correlates Vulnerabilities and CVE (http://cve.mitre.org/)
OVAL (write your own vulnerability definitions and import them) is available at http://oval.mitre.org


KnowledgeBase
Anatomy of a QID
What is a QID? A numeric identifier given to vulnerabilities, potential vulnerabilities or information gathering items. Used by other QualysGuard components:
  Option profiles
  Report Templates
  Remediation Rules
  Asset Search
  Risk Analysis

KnowledgeBase
Anatomy of a QID
Threat: defines the inherent threat within the vulnerability
Impact: defines what could happen should the vulnerability be exploited
Solution: how to fix the issue
Compliance: whether there are compliance concerns
Results: what was returned when we probed for information

Disabled Vulnerabilities are still scanned but they are not reported or ticketed


KnowledgeBase
Editing Vulnerabilities

Change Severity Levels
Threat, Impact and Solution have a user comments field
Updates from the service are not overridden
Edited vulnerabilities are noted in scan results

KnowledgeBase
Search
Use the search functionality to find vulnerabilities by QID, title, user configurations and other criteria


KnowledgeBase
Demo

Mapping and Scanning


QualysGuard Key Concepts


At the end of this section, you should be able to use the main functionality of QualysGuard:
  Mapping
  Asset Management
  Scanning

Asset Mapping


Mapping Configuration
  Map (On-Demand or Scheduled)
    Option Profile (the how): Map Preferences
    Assets (the what): Domains/Netblocks, Asset Groups

QualysGuard Basics
Why Map the Network?
  Shows an overall view of your corporate assets
  Mapping is the foundation for proper asset management


Asset Discovery Map

Asset Management
Asset Groups
Logical or physical divisions of the enterprise architecture. Asset groups can be based on:
  Device type
  Priority or criticality
  Geographic location
  Ownership (department)


Conventional Asset Management


Scanning vs Reporting Asset Groups
For scanning, work with Asset Groups based on location. Asset Groups:
  Scan_Chicago
  Scan_London
  Scan_Tokyo
(Diagram: Chicago, London and Tokyo, each shown with its workstations/desktops.)

Conventional Asset Management


Scanning vs Reporting Asset Groups
Asset Groups for Reports have different requirements. Each department needs information about its own responsibilities (Server Admin vs. Desktop Admin). Asset Groups:
  Servers
  Desktops
(Diagram: the Servers group and the Desktops group each span Chicago, London and Tokyo.)


Asset Management
Asset Groups: Extending their use
Business Info allows your enterprise to expand the use of Asset Groups:
  Set the Business Impact for the Risk Analysis
  Set the Asset Tags for further categorization
  Allows for more granular Scorecard Reports

Asset Management
Risk Management

Security Risk is a technical security score, calculated using:
  Vulnerability Severity Levels
  Number of Confirmed/Potential Vulnerabilities
  Average or Highest Severity
Business Risk is displayed in status (auto) reports for each asset group (typically requires sorting by asset group):
  Combines Security Risk and Business Impact
  Helps prioritize vulnerabilities among your hosts


Asset Management
Risk Management
Two factors
  Security Risk
  Business Impact (a configurable attribute of an Asset Group)
Five levels
  Titles are freely configurable
  For each Business Impact level, a weight is assigned for each Security Risk
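The two-factor calculation above, as an added example that is not Qualys code: Security Risk is derived from an asset group's severities (highest or rounded average, optionally confirmed-only), and Business Risk is a weight looked up by (Business Impact, Security Risk). The five impact titles, the weight values and the vulnerability data are constructed for illustration; the slide does not give Qualys's actual weights.

```python
"""Added example (not Qualys code): computing the Security Risk of an asset
group from its vulnerabilities and combining it with the group's Business
Impact through a weight table, as described above.  The severity data, the
five impact titles and the weight values are constructed for illustration;
Qualys's real weights are not published on this slide."""
from statistics import mean

# Five Business Impact levels; titles are configurable (these are assumptions).
IMPACT_TITLES = {1: "Minor", 2: "Low", 3: "Medium", 4: "High", 5: "Critical"}

# Constructed weight table: WEIGHTS[impact][security_risk] -> business risk.
# Each row grows with Security Risk, each column with Business Impact.
WEIGHTS = {
    1: {1: 1, 2: 2, 3: 3, 4: 4, 5: 5},
    2: {1: 2, 2: 4, 3: 6, 4: 8, 5: 10},
    3: {1: 3, 2: 6, 3: 9, 4: 12, 5: 15},
    4: {1: 4, 2: 8, 3: 12, 4: 16, 5: 20},
    5: {1: 5, 2: 10, 3: 15, 4: 20, 5: 25},
}


def security_risk(vulns, method="highest", include_potential=True):
    """Technical score 1-5 from severity levels (0 when nothing is open).

    method="highest" takes the worst finding; "average" the rounded mean.
    Potential vulnerabilities can be excluded to score confirmed findings only."""
    sev = [v["severity"] for v in vulns
           if include_potential or v["status"] == "confirmed"]
    if not sev:
        return 0
    return max(sev) if method == "highest" else round(mean(sev))


def business_risk(group, method="highest", include_potential=True):
    """Look up the weight for (Business Impact, Security Risk)."""
    sr = security_risk(group["vulns"], method, include_potential)
    return WEIGHTS[group["impact"]][sr] if sr else 0


def prioritise(groups, method="highest"):
    """Rank asset groups the way a status report sorted by group would."""
    rows = [(g["name"], IMPACT_TITLES[g["impact"]],
             security_risk(g["vulns"], method), business_risk(g, method))
            for g in groups]
    return sorted(rows, key=lambda r: r[3], reverse=True)


# Constructed asset groups (assumption).
GROUPS = [
    {"name": "Production Web Servers", "impact": 5, "vulns": [
        {"severity": 4, "status": "confirmed"},
        {"severity": 3, "status": "confirmed"},
        {"severity": 2, "status": "potential"}]},
    {"name": "Workstations", "impact": 2, "vulns": [
        {"severity": 5, "status": "confirmed"},
        {"severity": 5, "status": "potential"},
        {"severity": 3, "status": "confirmed"}]},
    {"name": "Lab", "impact": 1, "vulns": []},
]

if __name__ == "__main__":
    for row in prioritise(GROUPS):
        print(row)
```

The point of the worked numbers: the Workstations group has the higher Security Risk (a severity 5 finding) but the Production Web Servers group has the higher Business Risk, because its Critical impact weight outranks the workstations' Low impact. That is the prioritisation the slide says Business Risk is for.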

Asset Management and Tagging

Asset Tagging provides the following capabilities*:
  Support for multiple hierarchies (OS, region, line of business, etc.)
  Custom attributes such as location, business function, and owner
  Dynamic tags automatically assigned based on any detectable attribute
  Available for Scanning, Reporting, Asset Searches, and more

* The Asset Tagging feature must be added to your subscription


Host Info: Automated discovery and tagging
(Diagram: the scanner, operated by IT Security, sweeps network 10.0.30.16/28 and tags each discovered host as Workstation or Server within 10.0.30.16/28. Host 10.0.30.18, identified as Windows 2008, receives the tags Server, 10.0.30.16/28 and TELNET ON; one host in the block is shown as not yet identified.)

Initial Asset Tags


The service creates some initial asset tags based on existing objects in your account:
  Asset Groups
  Business Units
  Malware Domain Assets
  Web Application Assets


Creating and Assigning Tags


Edit and create new tags using the Asset Search Portal and the Asset Management application.

Asset Tag Rule Engine


Although tags can be created statically (no dynamic rule), Dynamic Asset Tags provide the most flexible and scalable way to automatically discover, organize and manage your assets.
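A small rule engine in the spirit of that description, as an added example that is not Qualys code: rules test detectable attributes (netblock membership, operating system, an open port), tags can form a hierarchy so that a matching child tag also applies its parent, and a tag without a rule is static and only carried by hosts it was assigned to by hand. The hosts, the "Chicago" container tag and the "PCI" static tag are constructed assumptions modelled on the 10.0.30.16/28 diagram.

```python
"""Added example (not Qualys code): a small dynamic tag rule engine in the
spirit of the Asset Tag Rule Engine above.  Rules test detectable attributes
(netblock, operating system, open port); tags can form a hierarchy so that a
matching child tag also applies its parent; tags without a rule are static
and only applied by hand.  Hosts below are constructed from the
10.0.30.16/28 diagram and are assumptions."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class TagRule:
    tag: str
    test: Optional[Callable[[dict], bool]]   # None = static tag (no dynamic rule)
    parent: Optional[str] = None             # hierarchy: parent tag name


def in_cidr(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda h: ipaddress.ip_address(h["ip"]) in net


def os_matches(pattern):
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda h: bool(rx.search(h.get("os", "")))


def port_open(port):
    return lambda h: port in h.get("open_tcp", ())


RULES = [
    TagRule("Chicago", None),                                          # static container
    TagRule("Network 10.0.30.16/28", in_cidr("10.0.30.16/28"), parent="Chicago"),
    TagRule("Server", os_matches(r"windows (server )?20\d\d|linux")),
    TagRule("Workstation", os_matches(r"windows (xp|vista|7)\b")),
    TagRule("TELNET ON", port_open(23)),
    TagRule("PCI", None),                                              # static, hand-assigned
]


def evaluate(host, rules=RULES):
    """Return the sorted tag set for one host: dynamic matches, their ancestors,
    plus any static tags recorded on the host."""
    by_name = {r.tag: r for r in rules}
    tags = set(host.get("static_tags", ()))
    for rule in rules:
        if rule.test is not None and rule.test(host):
            node = rule
            while node is not None:          # walk up the hierarchy
                tags.add(node.tag)
                node = by_name.get(node.parent)
    return sorted(tags)


def hosts_with(tag, hosts, rules=RULES):
    """What scanning/reporting by tag does: select hosts carrying the tag."""
    return [h["ip"] for h in hosts if tag in evaluate(h, rules)]


# Constructed hosts (assumption) modelled on the slide's diagram.
HOSTS = [
    {"ip": "10.0.30.17", "os": "Windows 7", "open_tcp": [135, 445]},
    {"ip": "10.0.30.18", "os": "Windows 2008", "open_tcp": [23, 80, 445]},
    {"ip": "10.0.30.19", "os": "Windows 2008", "open_tcp": [445, 3389], "static_tags": ["PCI"]},
    {"ip": "10.0.30.20", "os": "", "open_tcp": []},           # not yet identified
    {"ip": "10.0.40.5", "os": "Windows 7", "open_tcp": [23]},  # outside the netblock
]

if __name__ == "__main__":
    for h in HOSTS:
        print(h["ip"], evaluate(h))
    print("TELNET ON:", hosts_with("TELNET ON", HOSTS))
```

Because tags are recomputed from attributes on every evaluation, rescanning a host after telnet is disabled drops "TELNET ON" without anyone editing a group, which is the scalability argument the slide makes for dynamic tags over static ones. The host that has not been identified yet still gets the netblock and region tags, so it is not lost from scans scoped by tag.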


Asset Search Portal


Utilizes the results of your Vulnerability Scans to locate or identify specific assets within your organization:
  Find all hosts of a specific operating system
  Find hosts affected by a specific vulnerability
  Find hosts with an open TCP or UDP port
  Find hosts running a specific service

Centralized location for asset management:
  Perform bulk actions on selected results
  Create new asset groups
  Create new asset tags

Asset Search Portal


Choose the Search Criteria


Asset Search Portal


Choose multiple Assets and select any action from the Actions dropdown menu.

Applications, Ports and Services Inventory


Vulnerability Scanning

Scan Configuration
  Scan (On-Demand or Scheduled)
    Option Profile (the how): Scanner appliance?, Scan Preferences
    Assets (the what): Asset Groups, IP addresses, Asset Tags
    Authentication (optional): Auth Record


Launch Vulnerability Scan


Scan Settings

Vulnerability Scan
On Demand


Vulnerability Scan
Scheduled
Allows the automation of the scanning process
Schedules can be paused to comply with maintenance windows
The data from a scheduled scan is not available within the subscription (scan reports and tickets) until a user logs in.

QualysGuard Scan Calendar


Vulnerability Scan Results

Unfiltered, raw data of your scan targets

QualysGuard VM
How often to Map? How often to Scan?
How Often Should I Map? Discovery is not a one-time process. A discovery strategy assists in overall asset management.
How Often Should I Scan? Qualys updates its vulnerability database as vulnerabilities emerge.
How often to map or scan your environment should be determined by your security team and added to your corporate Security Policy.


Demonstration and Labs

QualysGuard Reporting


QualysGuard
Key Concepts
At the end of this section, you should be able to:
  Understand Reporting Basics
  Create Report templates for your audience
  Sort data in the most efficient manner for your audience

Reporting Configuration
  Report (On-Demand or Scheduled)
    Report Template: Run Time vs. Auto (Scan Templates), Search Lists, Graphics and Filtering
    Assets: IP addresses, Asset Groups, Asset Tags


QualysGuard Reporting
Makes Map and Scan data readable
  Create a report of pertinent data; raw data is cumbersome
Many Report Types:
  Scan Reports
  Remediation Reports
  Patch Reports
  Map Reports
  Scorecards
Uses a central repository where users can store reports for multiple viewers

QualysGuard Reporting
Report Templates
QualysGuard has a set of standard templates that assist in reporting on scans, maps, and remediation


Customized Reporting
Data Types
Status vs. Run Time Data
  Status reports (Auto) utilize all cumulative (normalized) scan data for the reports (Vulnerability Management)
  Run Time (Manual) allows the user to choose specific scan data. Suggested for PCI reports

Customized Reporting
Display Options
(Screenshot: the selected display option on the left and the report section it produces on the right.)

35

1/3/13

Customized Reporting
Display Options

What do you want to see in the detailed results? Do you need to have the Threat defined and the results of the test, or do you need to know how to solve it? The information will be pulled from the QID.

QualysGuard Patch Report


Actionable and prioritized list of patches to apply
KB supersede information included, so only the most relevant patches are displayed
New Online Format
  Uses new platform UI components for more interactivity (sorting, filtering)
  Automation-friendly output for future integration with patch management systems


QualysGuard Scorecard Reports


Provide vulnerability data and statistics appropriate for different business groups and functions
Search for data by business unit, business info tag, or asset group
Display is configurable
View is configurable
Filter by OS and/or vulnerability type

Scheduled Reporting

Several report types can be scheduled:
  Template-based scan reports (using auto data)
  Scorecard reports
  Patch reports
  Template-based compliance reports
  Remediation reports


Scheduling and Report Notification

Scheduled Reports Setup


Subscription Set Up
Report Share
Report Share is a centralized location for storing and sharing reports
When enabled for the subscription, Managers specify the maximum amount of report data that each user may save
Managers have the option to enable secure PDF distribution of reports

Reporting Use Cases


Scenario: I need to see how vulnerable my production Web Servers are, and how to fix them. How do I do this?
Scenario: I run a weekly report of all the vulnerabilities found within my workstation network. My support team says the report is too long, but they need to know what the vulnerability is and how to fix it, in order of priority. How can we accomplish this?


Reporting Use Cases


Scenario: What type of vulnerability is most prevalent in my network? How can I tell?
Scenario: My manager wants to see what we have accomplished with QualysGuard. Where can I find that?

Reporting Use Cases


Scenario: I am running authenticated scans. How can I tell if my authentication attempts are successful?
Scenario: Do my Windows desktops have antivirus software?


iDefense Threat Intelligence


Get customized alerts about zero-day threats
% at Risk is the percentage of hosts at risk for each vulnerability listed
An authenticated scan is required (QIDs 45141 and 90235, specifically)

Zero-Day Risk Analyzer
(Diagram: the Predictive Engine correlates the iDefense feed with host inventory data, for example Host A running Adobe Reader 9.1 and Host B running Windows 7 with DCOM enabled.)


Demonstration and Labs

QualysGuard User Management


User Management
User Roles & Permissions
Different roles; each role has its own permission set, and each user can be granted extended permissions
Types of Roles:
  Manager
  Unit Manager
  Scanner
  Reader
  Contact

User Management
User Permission Hierarchy (most privileged to least privileged)
  Managers: Subscription Setup Management
  Unit Managers
  Scanners: Vulnerability Scans, Network Discovery Maps
  Readers: Remediation, Reporting


Adding and Removing IPs


We can now add or subtract assets from our account as Manager.

User Management - VIP


Two Factor Authentication


Subscription Set Up
Security
Set security to prevent unauthorized users
Set security options related to how users access the system, user-defined passwords, and session time-outs

User Management
Business Units
New User Role: Business Unit Manager (not mandatory)
Business Units cannot include other business units
Business Unit attributes:
  Business Unit Manager(s)
  Asset Groups
  Users
  Comments


User Management
Business Units
Create the Business Unit in the Users section
Add Asset Groups to the Business Unit
Assign Scanner & Reader users (optional)
The first user is promoted to BU Manager

User Management
Business Unit Manager
Privileges: Perform all vulnerability management functions:
  Map, Scan
  Remediation
  Reporting
Manage assets, add users, and publish template reports within their Business Unit
Extended Permissions:
  Add assets
  Create profiles
  Purge host information
  Create/edit configurations (remediation policy, authentication records/vaults, virtual hosts)
  Manage compliance, web applications
  Manage virtual appliances
Restrictions:
  Can only be in one Business Unit
  Can only be created if the Business Unit has been established
  Limited to Asset Groups defined in their Business Unit
  May not have rights to run specific reports via the API


User Management
Business Units

Demonstration and Labs

Create New User Account Dashboard


Understanding Search Lists

QualysGuard Key Concepts


At the end of this section, you should be able to understand:
  The differences between a Static Search List and a Dynamic Search List
  In which cases a search list should be used


Search List Locations
  Option Profile: For which vulns are we scanning?
  Report Template: On which vulns do we want to report?
  Remediation Policy: On which vulns and devices do we want a ticket?

Search Lists Overview
  User-defined groups of QIDs
  Static search list: manually defined
  Dynamic search list: defined based on search criteria
Benefits
  A dynamic list updates when new QIDs meet the search criteria
  No limitation on the number of QIDs in a search list


Search Lists
Static Saved Searches
Static searches are good in cases where a specific set of QIDs needs to be excluded

Search Lists
Saved Search Object Information
Detailed information about a saved search is available wherever the list is shown: general info, the KB criteria, and all QIDs that match the criteria. Also shown is a list of all report templates, option profiles and remediation rules where the list is used.


Search Lists
Use Cases
Create an automatically updated report for Microsoft's Patch Tuesday vulnerabilities
Create remediation rules that link the application having the vulnerability with the right person to fix it
Exclude vulnerabilities from scanning when they may interrupt normal operation of a host
Create a self-updating report on only those vulnerabilities that have a patch available
Create a report that contains a static list of authentication QIDs to validate successful QualysGuard authentication

Fine Tuning the Scan Process with Option Profiles


QualysGuard Key Concepts


At the end of this section, you should be able to fine tune QualysGuard by:
  Creating custom option profiles for mapping and scanning
  Limiting scans to certain vulnerabilities
  Using Authentication Records

Option Profiles Benefits


Customize scanning and mapping parameters:
  Choose TCP and UDP port numbers
  Enable authentication
  Scan for specific vulnerabilities
  Exclude certain vulnerabilities from scans
  Throttle or increase scan performance
  Password Brute Forcing
  Enumerate Windows shares

Best practice: Authenticated scans should be done via internal scanners


Option Profiles Overview
  Option Profiles configure map & scan launch options
  Unlimited (per-user) number of profiles

Option Profiles
Advanced Configurations - Mapping


Option Profiles
Advanced Configurations - Scanning

Option Profiles
Advanced Configurations - Scanning: Add a saved search
Although recommended in some cases, in general it is better to attach a saved search to a Report or Remediation Rule than to the option profile.


Option Profile
Authenticated (Trusted) Scanning
  Connect to the service to extract more meaningful data
  Discover vulnerabilities not detected by an untrusted scan
  Confirm Potential Vulnerabilities

Requires Authentication Record

Authentication Vaults
In large organizations where thousands of machines are scanned regularly for vulnerabilities, managing passwords is a challenge. Some organizations are reluctant to let their credentials leave the network


Demonstration and Labs

Saved Search Lists
Option Profiles

Vulnerability Management Remediating Risk


QualysGuard Key Concepts


At the end of this section, you should be able to:
  Create remediation policies
  Understand the implications of whom the ticket is assigned to

Remediation Ticketing Basics


QualysGuard automatically creates remediation tickets when you create at least one Remediation Policy.
  One ticket for each vulnerability discovered.
Remediation tickets can be created/viewed from within reports that contain the workflow action icon (e.g., High Severity and Technical Reports).
QualysGuard automatically marks Open tickets as Closed/Fixed when the vulnerability is no longer detected.


Remediation
Create a new Rule
Ticket Assignment
  A specific user
  Asset Owner
  The user who launched the scan
Set Deadline for remediation
Ignore: do not create a ticket

Remediation Policy Rules


Rules can be specific to Business Units
The system matches rules from top to bottom
The first matching rule stops the check
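The pieces from the Search Lists overview earlier (static vs. dynamic lists) and the remediation policy rules above, put together as an added example that is not Qualys code: search lists are resolved against a KnowledgeBase, the policy is evaluated top to bottom with the first matching rule winning, and the ticket engine opens one ticket per host and QID and closes it when a later scan of that host no longer detects it. The KnowledgeBase entries, the QID numbers, the hosts and the user names are constructed placeholders, not real Qualys QIDs or data. One caveat the page's "no longer detected" rule leaves implicit is handled explicitly: a ticket is only closed for hosts the new scan actually covered, so an unscanned host does not get its tickets silently closed.

```python
"""Added example (not Qualys code): static and dynamic search lists resolved
against a KnowledgeBase, a remediation policy evaluated top to bottom with the
first matching rule winning, and the ticket lifecycle (one ticket per host and
QID, closed when a later scan of that host no longer detects it).  The
KnowledgeBase entries, hosts and QID numbers are constructed placeholders,
not real Qualys QIDs."""
from datetime import date, timedelta

# Constructed KnowledgeBase excerpt (assumption; QIDs are placeholders).
KB = [
    {"qid": 1, "title": "Remote code execution in example service", "severity": 5, "patch_available": True},
    {"qid": 2, "title": "Weak TLS configuration", "severity": 3, "patch_available": True},
    {"qid": 3, "title": "Unpatchable legacy issue", "severity": 4, "patch_available": False},
    {"qid": 4, "title": "Noisy informational check", "severity": 1, "patch_available": False},
]


def static_list(qids):
    """Static search list: an explicit, manually maintained set of QIDs."""
    wanted = set(qids)
    return lambda kb: {q["qid"] for q in kb if q["qid"] in wanted}


def dynamic_list(predicate):
    """Dynamic search list: re-evaluated against the KB, so new QIDs that
    meet the criteria are picked up automatically."""
    return lambda kb: {q["qid"] for q in kb if predicate(q)}


# Remediation policy, ordered; the first matching rule stops the search.
POLICY = [
    {"name": "Ignore noisy checks", "hosts": lambda h: True,
     "qids": static_list([4]), "action": "ignore"},
    {"name": "Patchable sev 4+ on servers", "hosts": lambda h: "Server" in h["tags"],
     "qids": dynamic_list(lambda q: q["severity"] >= 4 and q["patch_available"]),
     "assign": "asset_owner", "deadline_days": 7},
    {"name": "Everything else", "hosts": lambda h: True,
     "qids": dynamic_list(lambda q: True),
     "assign": "scan_launcher", "deadline_days": 30},
]


def match_rule(host, qid, policy=POLICY, kb=KB):
    for rule in policy:                      # top to bottom
        if rule["hosts"](host) and qid in rule["qids"](kb):
            return rule                      # first match wins
    return None


def process_scan(tickets, scan, launcher, today, policy=POLICY, kb=KB):
    """scan: {ip: {"owner": str, "tags": [..], "detected": {qid, ..}}}.
    Opens one ticket per (ip, qid) not already ticketed and closes open tickets
    whose vulnerability is gone, but only for hosts this scan actually covered."""
    seen = set()
    for ip, host in scan.items():
        for qid in host["detected"]:
            seen.add((ip, qid))
            if (ip, qid) in tickets:
                continue
            rule = match_rule(host, qid, policy, kb)
            if rule is None or rule.get("action") == "ignore":
                continue
            assignee = {"asset_owner": host["owner"],
                        "scan_launcher": launcher}.get(rule["assign"], rule["assign"])
            tickets[(ip, qid)] = {"state": "OPEN", "assignee": assignee, "rule": rule["name"],
                                  "due": today + timedelta(days=rule["deadline_days"])}
    for (ip, qid), ticket in tickets.items():
        if ticket["state"] == "OPEN" and ip in scan and (ip, qid) not in seen:
            ticket["state"] = "CLOSED/FIXED"
    return tickets


# Constructed scan results (assumption).
SCAN_1 = {
    "10.0.30.18": {"owner": "bob", "tags": ["Server"], "detected": {1, 2, 4}},
    "10.0.30.17": {"owner": "ann", "tags": ["Workstation"], "detected": {2}},
}
SCAN_2 = {  # only the server was rescanned; QID 1 is fixed there
    "10.0.30.18": {"owner": "bob", "tags": ["Server"], "detected": {2}},
}


def demo():
    """Run the two constructed scans in sequence and return the ticket table."""
    tickets = process_scan({}, SCAN_1, "alice", date(2013, 1, 3))
    return process_scan(tickets, SCAN_2, "alice", date(2013, 1, 10))


if __name__ == "__main__":
    for key, ticket in sorted(demo().items()):
        print(key, ticket)
```

Rule order matters: the ignore rule sits first so that the catch-all "Everything else" rule never tickets the noisy QID, and the server rule sits above the catch-all so that a critical, patchable finding on a server goes to the asset owner with the short deadline rather than to whoever launched the scan. Adding a new severity 5 entry to the KnowledgeBase needs no policy change, because the dynamic list picks it up on the next evaluation.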


Remediation
Manual Ticket Creation & Verification
Manual trouble ticket generation:
  From Automatic Report
  From Host Information
Launching Verification Scans

Demonstration and Labs

Optional


Thank You
