
Handout-CSAM Q1 2025

The document provides an overview of Qualys Cyber Security Asset Management (CSAM), detailing its functionalities for discovering, managing, and reporting on cyber assets to reduce risks. It includes links to training resources, support, and documentation, as well as use cases for asset inventory, security gap detection, and reporting. Additionally, it discusses challenges in asset management and features of Qualys' tools for effective asset tracking and management.

Uploaded by palakchaubey

Cyber Security Asset Management

1 Qualys, Inc. Corporate Presentation


Learning Resources

Page | Link | Description
--- | --- | ---
Training Page | https://www.qualys.com/training/ | Shows all available training. After going through this onboarding, enhance your knowledge on this site.
Learning System | https://qualys.com/learning | Where you can enroll in all Qualys Training.
Cloud Platform | https://www.qualys.com/docs/qualys-cloud-platform-whitepaper.pdf | Basics of the Qualys Platform
Docs | https://www.qualys.com/documentation/ | Here is where you can find ALL Qualys documentation
VMDR How-to videos | https://www.qualys.com/training/library/vmdr-onboarding/ | This video series will walk you through the steps for setting up Qualys Vulnerability Management, Detection, and Response (VMDR).


Support Resources

Page | Link | Description
--- | --- | ---
Systems Status | https://status.qualys.com/ | Shows the operational status, maintenance, upgrades, and outages of each platform.
Find my platform | https://www.qualys.com/platform-identification/ | Shows the Qualys platform your organization is using.
Support Portal | https://success.qualys.com/customersupport/s/ | Useful landing page for docs, training, forums, and managing cases.
How to Collaborate with Support | https://success.qualys.com/support/s/article/000003610 | This article tells you all the different ways you can interact with Support. Call, chat, open a case, etc.
Opening Cases | https://success.qualys.com/support/s/article/000006839 | This document tells you what you need to provide support to drive faster resolution for your cases.
Blog | https://blog.qualys.com | Keep up to date with changes to the Qualys platform, including subscribing to notifications.


Course Objective

You will understand how to use Qualys CSAM effectively to provide a unified inventory of the cyber-attack surface of your organization.
You will learn how to use CSAM to discover and manage assets and reduce risk.

Topics:
• How to use CSAM to discover and manage assets.
• How to manage security gaps.
• How to use CSAM to implement data hygiene.
• How to report and respond to inventory risks.



Agenda

01 Why CSAM?
02 Use Case 1: Discover & Inventory Assets
03 Discover & Inventory Assets: Monitor your External Attack Surface
04 Discover & Inventory Assets: Sync or Import Third-party Assets in Qualys
05 Use Case 2: Detect & Monitor Security Gaps
06 Use Case 3: Report and Respond

How CSAM solves your challenges?


Opinion Poll

What are your main asset inventory challenges?


Type your answer into the Zoom chat window.

Example answers:
• My asset inventory is too hard to keep up to date
• My asset inventory isn’t detailed enough
• I don’t know all of my internet-facing assets
• I am able to view asset inventory using a siloed tool, but I am unable to map asset risk factors to the VMDR module
• I am unable to track and manage stale assets
• My organization is using ServiceNow CMDB for asset management. How do I sync this information with Qualys?


Inventory Challenges

The average enterprise is blind to 30% of external assets from subsidiaries, mergers, and acquisitions.

• Discovering and managing all assets across complex, hybrid environments
• Managing security asset policies based on the role & importance of the assets
• Automatically identifying at-risk assets and software
• Automatically purging stale data to fetch accurate reports


Use Case 1: Discover and Inventory Assets - Complete Attack Surface Visibility

Accurately discover and attribute internet-facing assets to the organization.
Detect vulnerabilities on frequently targeted internet-facing assets.
Identify risky ports, expired/expiring certificates and domain misconfigurations.

Monitor the internal attack surface with multiple purpose-built native Qualys sensors to continuously identify cloud, on-prem, endpoints and OT/IoT.
Discover security blind spots such as assets missing from your vulnerability program and identify rogue devices.
Detect suspicious traffic proactively using Passive Sensor.


Use Case 1: Discover and Inventory Assets - 3rd-party Asset Import and Correlation

• Unified cyber asset inventory enables IT & Security teams to correlate sources of asset inventory.
• Business context from 3rd party is indexed for search, reports, dashboards, and for dynamic tagging.
• Import inventory data of third-party services within Qualys CSAM using connectors.


Use Case 1: Discover and Inventory Assets - Auto-purge stale assets

Automatically purge assets and cloud agents based on the terminated/deallocated state of the cloud instance or time since last activity or vulnerability scan.
When you purge an asset, you remove the asset and the data associated with it.

Use Case 2: Detect and Monitor Security Gaps - Go Beyond Vulnerabilities

Monitor TruRisk score based on other Contributing Factors:

• Asset Criticality
• Upcoming EOL/EOS technology
• Unauthorized software/Ports
• Missing critical Software


Use Case 3: Report and Respond Centrally
• Visualize Data Using Dashboards
• Generate Custom and Interactive Reports
• Rule-based Alerts



Feature Comparison
KEY FEATURES | GAV (included with VMDR) | CSAM
--- | --- | ---
Discover and inventory all your assets: Get complete visibility into your environment | ✓ | ✓
Standardize your inventory: View categorized and normalized hardware and software information | ✓ | ✓
Add business context through dynamic tagging (Custom attributes only available with CSAM): Define criticality and find related assets | ✓ | ✓
Maintain asset hygiene: Set up automated purging for stale assets | 𝗫 | ✓
Know product lifecycle and support information: Find and upgrade unsupported software and hardware | 𝗫 | ✓
Quickly identify risk factors: Eliminate unauthorized software and identify missing security agents from your environment | 𝗫 | ✓
Receive notifications to review and define actions: Be informed about assets requiring attention | 𝗫 | ✓
Create custom reports: Inform stakeholders about health of your assets | 𝗫 | ✓
Enable integration to sync with CMDBs such as ServiceNow and Webhook: Easily keep your CMDB and Qualys data up to date | 𝗫 | ✓

Discover and Inventory Assets



Discover and Inventory Assets

[Diagram: cycle of 1 Discover and Inventory, 2 Detect and Monitor, 3 Report and Respond]

Asset Inventory Data Collection
• Deploy Sensors
• External Attack Surface Management
• Configure CMDB Sync (if using CMDB solution)

Normalization, Categorization & Enrichment (performed automatically in the Qualys Cloud Platform)

Organize and Manage Assets
• Configure Asset Tags and custom attributes


Qualys Sensor Platform

Qualys sensors collect data from your IT environment and automatically beam it up
to the Qualys Cloud Platform, which continuously analyzes and correlates the
information to help you quickly and precisely identify and eliminate threats.

The Qualys Cloud Platform’s sensors are:


• Always on
• Remotely deployed
• Centrally managed
• Self-updating



Scanner Appliances

A Qualys Scanner Appliance has a remote perspective of any host you target. Its ability to perform a vulnerability assessment test is directly impacted by the number and type of open service ports on any given host, as well as the presence of any network filtering devices that might potentially obstruct individual scan packets.

[Diagram labels: Qualys Internet Scanners, Internet Facing Servers, Scanner Appliances, LAN devices]


Cloud Agent

A single agent for real-time, global visibility, risk assessment, prioritization, and remediation of the entire attack surface.

• Lightweight, extensible, self-updating & centrally managed.
• Real-time actionable delta collection with customizable configuration profile
• Continuous evaluation and data enrichment on platform, seamless API integration

[Diagram labels: Qualys Cloud Agent, Qualys Enterprise TruRisk Platform]


Network Passive Sensor
Qualys Network Passive Sensor helps you automatically detect and profile devices connected to your network, eliminating blind spots across your IT environment and giving you visibility into all known and unknown assets in your network.
Network Passive Sensor monitors network activity without any active probing of the device in order to detect the active assets in your network.
It consumes (“sniffs”) the mirrored traffic from your switch’s TAP or SPAN port.

[Diagram labels: Network Passive Sensor, Qualys Enterprise TruRisk Platform]


Network Passive Sensor (NPS) Use Cases

• Continuously discover and profile network-connected devices
• Continuously enrich existing inventory details in real time
• Monitor your internal attack surface by discovering new unmanaged devices
• Eliminate blind spots
• Flexible deployment in either physical or virtual appliances
• Traffic analysis to proactively detect conversations between managed and unmanaged devices

Qualys Cloud Agent Passive Sensor (CAPS)
Operationalize CAPS faster than traditional Network Passive Sensor

Single, lightweight, extensible, self-updating & centrally managed Agent
Customizable Qualys Agent for various systems, filters data from public or home networks

Get away from the limitation of network taps
Non-intrusive network reporting with auto-elected Master Reporter per domain, showing managed/unmanaged assets in Qualys platform

Passive sensing
Data will be sniffed passively in the subnet by listening to broadcasts and multicasts
• Collect rich asset metadata using ARP, DHCP, SSDP, NetBIOS, mDNS, CDP/LLDP, LLMNR, WSD and more.

Identify Rogue Devices even in IoT environment without a massive investment in sensors and new systems


Asset Inventory

You can filter the inventory based on your requirements.

You can see which sensors have discovered the asset.

There isn’t enough data to determine the Hardware / OS.

Unmanaged Assets

It is common to find unidentified or unknown values within the “Unmanaged” assets section of CSAM.
Confidence levels are provided (LOW, MEDIUM, HIGH) for OS and hardware findings.


Unidentified OS / Unknown Hardware
operatingSystem.category1:`Unidentified`

This means there isn’t enough discovered data for Qualys to determine the hardware/OS/software.
• Example: You ran an unauthenticated scan, but Qualys could not fully fingerprint the OS
• Example: A firewall prohibits certain scan traffic from fully enumerating the host

hardware.category1:`Unknown`

• There likely is enough data for Qualys to categorize the host, but it’s not catalogued yet.
• It is currently being processed against rules and analyzed by the Qualys lab for categorization.
• This processing happens daily across all asset data.


Traffic Analyzer
Traffic Analyzer provides a detailed and consolidated view of the traffic in your network. This helps you to understand the communication between different assets in your environment.
It shows all traffic flow details for both managed and unmanaged assets.


View Certificates
View certificates for managed and unmanaged assets discovered from Cloud Agent, IP, and EASM
inventory sources.
Track expired, expiring, low grade and Qualys renewable certificates.



Normalization, Categorization, and Enrichment


The ambiguity of IT Asset Data

High Volume, High Variance, High Velocity

Acquisitions: Skype → Microsoft
Product rebranding: Communicator → Lync → Skype for Business → Teams
“A” means “B”: lync.exe = Skype for Business
Name variance: MSFT, Microsoft Corporation, Microsoft, microsoft corp, …

Manufacturer: 8 → 1
Product: 20 → 1


Categorization, Normalization & Enrichment

OPERATING SYSTEM

Raw Data
  Raw Data: Microsoft Windows Server 2022 Datacenter (21H2 Insider Preview Build 20348.169 64-Bit)

Normalization and Categorization
  Category: Windows / Server
  Publisher: Microsoft
  Name: Windows Server 2022
  Market Version: 2022
  Edition: Datacenter
  Release: Microsoft Windows Server 2022 Datacenter (21H2 Insider Preview Build 20348.169)
  Architecture: 64-Bit

Advanced Asset Information
  Lifecycle Stage: GA
  End of Service: Oct 14 2031
  License Type: Commercial


Categorization, Normalization & Enrichment

HARDWARE

Raw Data
  Raw Data: IBM Power System S924 9009-42G

Normalization and Categorization
  Category: Computers / Server
  Manufacturer: IBM
  Name: Power System
  Model: S924

Advanced Asset Information
  Lifecycle Stage: Generally Available
  End of Support: Not Announced


Categorization, Normalization & Enrichment

SOFTWARE

Raw Data
  Raw Data: openssl-1.1.1c-2.el8.x86_64

Normalization and Categorization
  Category: Security / Authentication
  Publisher: OpenSSL
  Name: OpenSSL 1.1.1c 64-bit
  Version: 1.1.1
  Update: 1.1.1c
  Architecture: 64-bit

Advanced Asset Information
  Lifecycle Stage: Generally Available
  End of Life: Sep 11, 2023
  End of Service: Sep 11, 2023


Normalize Searches with Asset Categories

Use hardware, software, and OS tokens to help “normalize” your query conditions to uncover more
precise asset details.

Examples:
hardware.category1: `Networking Device`
hardware.category2: `Switch`
hardware.category: `Networking Device / Switch`

operatingSystem.category1: `Windows`
operatingSystem.category2: `Server`
operatingSystem.category: `Windows / Server`

software:(category1: `Security`)
software:(category2: `Endpoint Protection`)
software:(category: `Security / Endpoint Protection`)
software:(license.category:`Commercial`)
software:(license.category:`Open Source`)



Organize and Label Assets



Organizing & Labelling Assets – Use Cases

Groups and Tags are used for:

1. Setting up vulnerability and compliance scans
   Good Practice: Use Asset Groups
2. Building reports
   Good Practice: Use Asset Tags
3. Creating queries, widgets, and dashboards
   Good Practice: Use Asset Tags
4. Assigning Qualys user access and scope on assets in your subscription
   Good Practice: Use Groups or Tags depending on the application

[Screenshot labels: Operating System, Location, Cloud Demo Hosts]


Asset Tags
Asset Tagging provides a more flexible and scalable way to label and organize the assets in your
subscription.

Static Tags:
• Assigned manually to host assets
• Commonly used as the starting point of an Asset Tag Hierarchy

Dynamic Tags:
• Host assignment is determined by Asset Tag Rule Engine
• Tags dynamically change with updates to host

Asset Tag Hierarchy:
• Tags are typically nested, creating various parent/child relationships
• Targeting a parent tag automatically includes its child tags


System Created Tags
Qualys will automatically create some tags for you:

• Business Units
• Asset Groups
• Asset Search
• Cloud Agent
• Internet Facing Assets
• Passive Sensor
• EASM



Dynamic Rule-Based Tags
The “Asset Inventory” rule engine allows you to build tags using query tokens, including the Hardware, OS, and Software category tokens.

Other “dynamic” rule engines are also available.


Asset Tag Hierarchy

• Child tags do not inherit attributes of their parent tags.
• Tags should be limited to a single attribute, not multiple (e.g., “Dallas Workstations” is both a location and a device type).
• Multiple tags can be combined when selecting targets for scanning and reporting.


Tag Sets
Aggregate assets based on different static/dynamic tags



Tagging - Starter Checklist

• OS - Specific Operating Systems


• Host Type - Workstation vs Server
• Authentication Results
• Windows Registry - See where Qualys didn’t get the right access
• Stale Assets - Old Assets that haven’t been assessed in X days
• Cloud Based Tags
• Activation Keys - For Cloud Agents
• Firewall Detected - To see if a firewall is impacting your scan results



Asset Tag Examples



Dynamic Asset Tags - IP Subnet

A dynamic tag based on an IP subnet. This tag could then be used as the target for vulnerability scans.



Dynamic Asset Tags - Operating System

Dynamic tags based on likely patch targets. These might be combined in a patch deployment job, such
as deploying patches to Windows servers in the production DNS domain.



Dynamic Asset Tags - Hardware Type

Dynamic tags based on asset hardware. You could use this to identify all laptops in the organization and
confirm that each laptop has appropriate client software installed (including the Qualys Cloud Agent).



Dynamic Asset Tags - TruRisk Score

A dynamic tag based on TruRisk score of the asset.

The logic of this type of tag might be to report on or patch critical-risk assets.


Dynamic Asset Tags - Unwanted Software

A dynamic tag based on the presence of end-of-life software.

The assets identified with this tag might then be targeted by the infrastructure team to update or remove the unwanted software. Qualys Patch Management and Qualys Custom Assessment and Remediation (“CAR”) can be used for such a purpose.


Dynamic Asset Tags - Reporting Example

A dynamic tag based on business purpose

The logic of this type of tag might be to report to the business the risk level of a particular business
process. This is to help the business owner to understand “Is our Customer Payments System at risk
today?”
This might be identified by installed software, IP range, asset name contains, business information (from
a CMDB), cloud provider tag, or custom attribute.



Static Tag - Maintenance

The following is an example of a static tag. It can be used to exclude assets from a scan or patch job.


Asset Tags - Are you getting the best value?

Further information about creating Asset Tags can be found in this blog article:

Asset Tags - Are you getting the best value?



Add Unique Asset Context with Custom Attributes

Handle certain fringe cases of valuable “high cardinality data”



Purge Rules

Purging: Irreversible



Risk Assessment of External Attack Surface


Dynamic External Attack Surface creates blind-spots

• Attack surface is more dynamic than ever
• 20-40% of an organization’s internet-facing assets are unknown to security teams
• Many IT and security teams still depend on spreadsheets to inventory their internet assets


EASM Use Cases

• Continuously discover and profile Internet-exposed devices

• Continuously enrich existing inventory details in real-time

• Monitor your external attack surface by discovering new unmanaged devices

• Discover domains, subdomains, unresolved domains and subsidiaries

• Discover open ports, certificates, and applications running on Internet-exposed assets

• Reduce false positives to isolate risk on the external attack surface using EASM lightweight scan

• Identify potential vulnerabilities from an outside-in perspective

• EASM uses the same tools an attacker would use for doing recon against your organization



Discovering Unmanaged External Assets



Actions for Newly Discovered Devices
Activate Assets will add the IP into the subscription to launch vulnerability scans using Qualys external
scanners.
Exclude IP from EASM Discovery will update the EASM filter profile. The use case would be to prune
false positives.



Discovery Path



Resolved/Unresolved Domains
The Domains tab lets you view the resolved and unresolved domains and subdomain details discovered by EASM in one place. These details include Registrar, Registrant Org, and Registrant Email ID.
Decide on the candidates for domain takeover


EASM Lightweight Scan
• The latest EASM scanner includes lightweight vulnerability scanning upon discovery.
• Three times more critical vulnerabilities detected and a 60% reduction in irrelevant, unconfirmed
vulnerabilities when compared with traditional external scanning methods, which rely on stale data
snapshots.



Vulnerabilities Detected Using EASM Lightweight Scan
Contact your TAM or Qualys Support to get this feature enabled



ServiceNow CMDB Integration (2-way sync of key CMDB business data for existing assets)


Certified ServiceNow CMDB Sync App

• Supports 2-way sync (Qualys to ServiceNow and ServiceNow to Qualys)

• Up-to-date, complete, structured, and enriched ServiceNow CMDB

• Enrich Qualys assets with key CMDB business data

• Synchronization schedules can be configured and saved

• Asset metadata synchronization is performed only for assets already in both Qualys and ServiceNow

• Optionally, asset information is staged for user approval before being written to CMDB

• Preconfigured reports



ServiceNow Store Apps



Initial Configuration and Setup

1. Install the Qualys App (available in ServiceNow Online Store)


2. Add API source (Add Qualys API user credentials and API Server and Gateway URL)

3. Create schedules, define what data is to be synced and configure mapping for Business Criticality
to Qualys Asset Criticality Score

4. Update Qualys App configuration / property values



Business Attributes
CMDB Sync automatically imports business context attributes into Qualys CSAM from ServiceNow CMDB.

Business Attributes
• Status (e.g., in-repair, lost/stolen)
• Organization (Company, Business Unit, Department)
• Owned By - Who owns the asset
• Managed By - Responsible person
• Supported By - Supporting person
• Environment (e.g., Prod/Lab/Test)
• Assigned Location (Country, City)
• Business App/Service name
• Business Criticality

• Security teams gain a better understanding of the overall IT and business environment
• Design scanning strategies to meet environmental objectives
• Prioritize remediation tasks by asset and business criticality
• Accurately identify the scope and business impact of remediation tasks


View Business Information in Asset Details
Derive relevant context on the way the asset is being used, who owns it, what department and business service it belongs to, business criticality, etc.


Use Business Attributes to Search Assets



Public APIs for CMDB Sync

• Public APIs are for use with other CMDBs (not ServiceNow)
• Qualys Cloud Suite API provides many ways to integrate your programs and API calls with Qualys
capabilities
• CSAM now supports the import of Asset business metadata and Business app metadata from your
CMDB into your Qualys asset inventory using v2 APIs
• Currently supports a maximum of 250 records for import in one API call for both Asset and Business
app metadata
• The user must have access to the CSAM module with API enabled for that role
• Imported business attributes are listed on the Asset Details page



Third-party Asset Import Workflow



Third-party Asset Import Workflow

1. Feature Activation
2. Asset Identification Rules Creation
3. Connectors Creation
4. Asset Identification Rule Selection for Connector (Optional)
5. Asset Identification
6. Asset Import in CSAM Inventory
7. Reconciliation Rules Configuration
8. Purge Rule Creation



Third-party Asset Import Workflow (1)
1. Activate the “Third-Party Asset Import” feature

2. Create Asset Identification Rule(s)


Third-party Asset Import Workflow (2)

3. Create connectors for third-party services, discover resources, and pass the information to the
required Qualys modules, such as CSAM.

4. Specify the Asset Identification rules to determine which attributes must be fetched and in which
order. (Optional)

5. Based on ‘single-match’ and ‘multi-match’ logic, asset identification is done by connectors.

6. After the assets are discovered based on the asset identification rules selected for the respective
connector, they are merged and imported into the CSAM inventory.



Merge Asset Information

Reconciliation Rules are essential when you want to merge assets that come from Qualys native sensors, such as the Qualys agent or scanner, when there are assets already identified by the third-party sources before they are discovered again through a different schedule.


Purge Data for Third-Party Assets

You can create purge rules to purge, i.e. remove data, for some third-party assets discovered by various
connectors.
Note: Purging can be done for assets being discovered/scanned by various sensors.



Detect and Monitor Security Gaps



Detect and Monitor Security Gaps

[Diagram: cycle of 1 Discover and Inventory, 2 Detect and Monitor, 3 Report and Respond]

Asset Prioritization (Define Asset Criticality Score)

Product Lifecycle Management (EOL/EOS/Obsolete hardware and software automatically identified)

Software Authorization (configure rules to identify authorized/unauthorized software)

You can extend TruRisk to include Inventory Risk Assessment, with CSAM detections of EoL/EoS, unauthorized software & ports, and missing required software. Each vector has a Qualys Detection Score (QDS 1 to 100), to measure severity.


Asset Criticality and Risk



Risk-based Vulnerability Management

Qualys TruRisk helps you to prioritize vulnerabilities, assets, and groups of assets based on the actual risk they pose to the organization.
This helps organizations quantify cyber risk so that they can accurately measure it, take steps to reduce exposure, track risk reduction trends over time, and better measure the effectiveness of their cyber security program.


Qualys TruRisk

Qualys TruRisk places detected vulnerabilities within the context of your critical
and non-critical host assets to help you remediate and fix the vulnerabilities that
count

Qualys TruRisk has three components:

• Qualys Detection Score (QDS) token = vulnerability.detectionScore

• Asset Criticality Score (ACS) token = criticalityScore

• Asset Risk Score (ARS) token = riskScore

Both QDS and ARS are calculated values, while ACS is assigned to assets via Asset
Tags



Asset Criticality Score

• An asset’s criticality score is determined by its assigned Asset Tags.
• A default score of 2 is used for assets without assigned tags.
• Users assign an Asset Criticality Score (1 to 5) to Asset Tags.


Asset Criticality Score Calculation

Assets are then assigned the highest criticality score (evaluated across all Asset Tags presently assigned
to the asset).



Qualys Detection Score

• Qualys Detection Score (QDS) begins with the CVSS base score of detected vulnerabilities (i.e.,
technical vulnerability details)
• It then adds temporal factors such as Threat Intelligence (including exploit code maturity, associated
malware, active threat actors, and vulnerabilities trending on the dark web)
• Mitigating and remediating controls related to the exposure are included in the QDS calculation
• The critical range indicates CVSS score is critical, there is a weaponized exploit available, and there is
evidence of exploitation by threat actors



TruRisk: CSAM Contributing Factors

Create rules to associate Qualys Detection Scores (QDS) with:

• EOL/EOS technology
• Unauthorized Ports
• Unauthorized Software
• Missing Software



Asset Risk Score

Asset Risk Score (ARS) combines the Criticality Score of a single host with a weighted average of its
combined vulnerability detections.

While the Qualys Detection Score provides a useful metric for measuring the impact of a single
vulnerability, the Asset Risk Score places the vulnerability in the context of other vulnerabilities
discovered on the same host.

ARS = ACS * {w_c(Avg(QDS_c)) + w_h(Avg(QDS_h)) + w_m(Avg(QDS_m)) + w_l(Avg(QDS_l))}
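
The Asset Criticality Score rule and the ARS formula above, worked through in Python as an added example (not Qualys code and not part of the original handout). The weights and QDS band boundaries are constructed placeholders because the handout does not state them, the subscripts c, h, m, l are read as critical, high, medium and low, and the tag names and detection scores are constructed sample data.

```python
"""ACS and ARS following the handout's rules (added example, not Qualys code)."""
from statistics import mean

DEFAULT_ACS = 2  # handout: default score for assets without assigned tags

# ASSUMPTION: placeholder weights w_c, w_h, w_m, w_l; the handout gives none.
WEIGHTS = {"critical": 0.6, "high": 0.3, "medium": 0.08, "low": 0.02}

# ASSUMPTION: placeholder lower bound of each QDS band on the 1-100 QDS scale.
BANDS = [("critical", 90), ("high", 70), ("medium", 40), ("low", 1)]


def asset_criticality(asset_tags, tag_scores):
    """Highest criticality score (1-5) across the asset's tags, else the default.

    Tags that carry no criticality score are ignored.
    """
    scores = [tag_scores[tag] for tag in asset_tags if tag in tag_scores]
    for score in scores:
        if not 1 <= score <= 5:
            raise ValueError(f"criticality score out of range 1-5: {score}")
    return max(scores, default=DEFAULT_ACS)


def band_of(qds):
    """Map a single Qualys Detection Score to its severity band."""
    if not 1 <= qds <= 100:
        raise ValueError(f"QDS out of range 1-100: {qds}")
    for name, lower_bound in BANDS:
        if qds >= lower_bound:
            return name


def asset_risk_score(acs, detection_scores):
    """ARS = ACS * sum over bands of weight * average QDS in that band.

    detection_scores holds every QDS on the host, including scores that CSAM
    rules attach to EOL/EOS technology, unauthorized ports or software, and
    missing software. A band with no detections contributes nothing.
    """
    by_band = {name: [] for name, _ in BANDS}
    for qds in detection_scores:
        by_band[band_of(qds)].append(qds)
    weighted = sum(WEIGHTS[b] * mean(v) for b, v in by_band.items() if v)
    return round(acs * weighted, 1)


if __name__ == "__main__":
    # Constructed sample data: tag scores set by users, QDS values per host.
    tag_scores = {"Production": 5, "Dallas": 3}
    detections = [95, 91, 75, 45, 20]

    tagged = asset_criticality({"Production", "Dallas"}, tag_scores)
    untagged = asset_criticality(set(), tag_scores)

    # Same detections, different criticality: the tagged production host
    # ranks well above the untagged one.
    print("tagged host:  ACS", tagged, "ARS", asset_risk_score(tagged, detections))
    print("untagged host: ACS", untagged, "ARS", asset_risk_score(untagged, detections))
```
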



Product Lifecycle Management



Identify Unsupported Software and Hardware
• Identify EOL/EOS software and hardware
• Plan hardware refresh and software upgrades
• Secure your environment by eliminating unsupported software and hardware



Lifecycle Stage

hardware.lifecycle.stage:value

operatingSystem.lifecycle.stage:value

software:(lifecycle.stage:value)

| Hardware | OS | Software | Associated Risk |
|---|---|---|---|
| Generally Available (GA) | Generally Available (GA) | Generally Available (GA) | Low - Product updates and security patches are readily available. |
| End-of-Sale (EOS) | End-of-Life (EOL) | End-of-Life (EOL) | Elevated - While product enhancements and updates have ended, security patches may still be provided. |
| Obsolete (OBS) | End-of-Service (EOS) | End-of-Service (EOS) | High - Product features and updates as well as security patches have ended. |



Software / Port Authorization Rules



Tracking Authorized & Unauthorized Software

• Define, track, and alert on installations of authorized / unauthorized software

• Define software rules for a specific scope by asset tags

• Rules can include a list of authorized and unauthorized software products, including
software that needs review

• Identify and track assets with unauthorized software installations

• Establish structured alerts for at-risk applications



Create Software Rules
Software Rules can be created in the Rules section of CSAM



Create Port Rules
Port Rules can be created in the Rules section of CSAM



Rule Precedence
Rules at the top of the list have precedence over the rules below.
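
A minimal model of top-down precedence for tag-scoped software rules, as an added example (not Qualys code). The class, the function names, the fall-through to the next rule when an in-scope rule does not list a product, the "unclassified" label, and the sample rules and inventory are all assumptions or constructed data.

```python
from dataclasses import dataclass, field


@dataclass
class SoftwareRule:
    name: str
    scope_tags: set                        # asset tags the rule applies to
    authorized: set = field(default_factory=set)
    unauthorized: set = field(default_factory=set)
    needs_review: set = field(default_factory=set)

    def verdict(self, product):
        """Return this rule's verdict for a product, or None if not listed."""
        if product in self.unauthorized:
            return "unauthorized"
        if product in self.authorized:
            return "authorized"
        if product in self.needs_review:
            return "needs review"
        return None


def classify(rules, asset_tags, product):
    """First rule in list order that is in scope and lists the product wins."""
    for rule in rules:
        if rule.scope_tags & asset_tags:
            verdict = rule.verdict(product)
            if verdict:
                return verdict, rule.name
    return "unclassified", None  # assumption: no rule covers this product


def unauthorized_installs(rules, inventory):
    """List (asset, product, rule) for every install judged unauthorized."""
    return [(asset, product, classify(rules, tags, product)[1])
            for asset, (tags, products) in inventory.items()
            for product in products
            if classify(rules, tags, product)[0] == "unauthorized"]


# Constructed sample rules (top of list = highest precedence) and inventory.
RULES = [
    SoftwareRule("Servers: no remote tools", {"Servers"}, unauthorized={"TeamViewer"}),
    SoftwareRule("Baseline", {"Servers", "Workstations"},
                 authorized={"TeamViewer", "Firefox"}, needs_review={"WinSCP"}),
]
INVENTORY = {"srv-01": ({"Servers"}, ["TeamViewer", "Firefox"]),
             "wks-07": ({"Workstations"}, ["TeamViewer", "WinSCP"])}
```

Reversing `RULES` flips the verdict for TeamViewer on `srv-01` from unauthorized to authorized, so a broad baseline rule placed above a narrow restriction silently disables it.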



Report and Respond



Report and Respond

• Visualize Data (use dashboards to identify at-risk assets)
• Reports (configure reports for IT and compliance requirements)
• Configure Rule-Based Alerts (define criteria for alert notifications)

[Figure: cycle diagram with the stages Discover and Inventory, Detect and Monitor, Report and Respond]



Visualize Data Using Dashboards



Use Dashboards for Better Visualization

• Dashboards are interactive reports and offer a powerful way to visualize data in one place
• CSAM supports the Unified Dashboard Framework (UDF), which brings together information from
multiple Qualys applications into a single place for visualization

Create Dashboards using Templates (least effort)

Import Dashboards and Widgets from Qualys Community (some effort)

Create Dashboards and Widgets from scratch (most effort)



Subscription Health Dashboard



CSAM - CISO Dashboard



External Attack Surface Management Dashboard



CSAM Unmanaged Assets Dashboard



CSAM Tech Debt Dashboard



Reports



Reporting
Generate reports to meet industry and standards compliance needs

Two types of reports are available:


• Custom Inventory and Compliance Reports – Focused on showing details and attributes of your asset
and software inventory
• Interactive Report – Focused on identifying security gaps



Custom Inventory and Compliance Reports

• Select from out-of-the-box report templates


• Define asset scope and filter attributes
displayed in the report



Report Source

• Select Assets with Asset Names
• Select Assets with Asset Tags
• Select Assets with Asset Source Type
• Select Assets with QQL Query



Display Options
The report type determines the selectable column headers in the CSV report.



Interactive Report
• Identify security and configuration gaps on critical assets.
• Like the VMDR Prioritization Report.



View Matching Security Gap Results

• Asset-Centric – a result list of assets matching all the security gaps


• Software-Centric – a result list of software security gaps
• Missing Software-Centric – a result list of missing required software



Security Gaps Widget
The Interactive Report can be exported as a widget to visually monitor security gaps on a dashboard.



Rule Based Alerts



Alerting
Immediately notify your teams of important security gaps impacting the overall health and security
hygiene of critical assets.

• Rule/QQL-driven alerts
• Out-of-box templates
• Email, Slack, or PagerDuty notifications



Configure New Action
Configure a rule action that will be referenced in the alert rule



Action Type



Configure New Rule

Configure a rule specifying events you want to monitor, criteria for triggering the
rule, and actions to be taken on those events.



Rule Configuration



Manage Alerts
Monitor all the alerts that were sent after the rules were triggered



Activating Unmanaged Assets
Web Applications



Activate Unmanaged Assets



Activate Cloud Assets



Add newly discovered Web Apps to WAS


Review

This course has shown you the CyberSecurity Asset Management (CSAM) application.

You have seen how to:

• get central visibility across complex, hybrid environments (internal or
external)
• organize assets
• report/respond
• pinpoint the cyber risk from vulnerabilities and other cyber risk factors to
drive TruRisk prioritization
