What are vulnerability management systems using the QualysGuard cloud platform as an example?

Why I decided to write this text.


My professional activity is connected with the development of sales channels, so I often have to get acquainted with information security and IT solutions live in order to get a feel for them. I decided to write about the QualysGuard vulnerability management service because the Russian-speaking Internet has only minimal information for understanding what it is. And the service is interesting and is still new for the Russian market.

The reasons why vulnerability management is needed can be found at penetrationtest.ru/uslugi-i-resheniya/preventivnoe-snizhenie-riskov , in CSO training courses, and in the book Vulnerability Management by Park Foreman. This understanding is only beginning to take hold in Russia and the CIS countries, but that should not be surprising.

Let's get back to the service itself.


The service consists of several modules, all of which are accessed from a single web interface.
The main and most interesting module is QualysGuard Vulnerability Management. I'll try to describe it briefly.
Its main difference from conventional vulnerability scanners is the ability to build a vulnerability assessment process with a single product. Conventional scanners are useful for auditors because they show a snapshot of the analysis at the current moment. But companies still need a tool for building protection against external threats, and here we cannot do without a process approach. Vulnerability management systems are therefore the next stage in the development of security analysis systems.

The vulnerability management process is described in NIST SP 800-40 (Version 2):
csrc.nist.gov/publications/nistpubs/800-40-Ver2/SP800-40v2.pdf . Its essence is that managing vulnerabilities consists of several stages, and all of them are implemented in QualysGuard VM:

  1. identification of internal and external assets in the infrastructure;
  2. selection of the assets whose vulnerabilities we want to manage, and assignment of their level of importance for the company;
  3. the vulnerability scan itself;
  4. based on the vulnerability management policy, remediation tasks are assigned for vulnerabilities on the assets that are critical for us;
  5. re-scanning to update the information on open and closed vulnerabilities, and accordingly opening new remediation tasks when new vulnerabilities are found;
  6. management receives reports on the work of departments and employees and on changes in business risk.
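To make the six stages concrete, here is an added example of the same cycle in Python. It is not Qualys code and does not use the Qualys API; the assets, owners, "QID" values, severity weights and the ticketing threshold are all constructed for illustration. It shows the part a one-off scanner does not give you: comparing two scans to see what was fixed, what is new and what is still open, raising tasks only for findings that exceed the policy threshold on important assets, and rolling the result up per responsible team.

```python
"""Toy vulnerability-management cycle: inventory -> prioritise -> ticket -> re-scan -> report.
Added illustration, not Qualys code. All hosts, owners, QIDs and weights are made up."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

SEVERITY_WEIGHT = {"critical": 5, "high": 4, "medium": 3, "low": 2, "info": 1}
TICKET_THRESHOLD = 25   # assumed policy: a score of 25 or more gets a remediation task


@dataclass(frozen=True)
class Asset:
    host: str
    owner: str          # team that receives remediation tasks
    criticality: int    # 1 (lab box) .. 5 (revenue-critical), assigned in stage 2
    external: bool      # stage 1: internet-facing or internal


@dataclass(frozen=True)
class Finding:
    host: str
    qid: str            # scanner vulnerability id (Qualys calls these QIDs; values here are made up)
    severity: str


ASSETS = [
    Asset("web01", "web", 5, True),
    Asset("db01", "dba", 5, False),
    Asset("dev-box", "dev", 1, False),
]
ASSET_BY_HOST = {a.host: a for a in ASSETS}

# Constructed scan results: the first scan and the re-scan a week later (stages 3 and 5).
SCAN_1 = [
    Finding("web01", "QID-1", "high"),
    Finding("web01", "QID-2", "low"),
    Finding("db01", "QID-3", "critical"),
    Finding("db01", "QID-4", "medium"),
    Finding("dev-box", "QID-1", "high"),
]
SCAN_2 = [
    Finding("web01", "QID-2", "low"),        # still open
    Finding("web01", "QID-6", "critical"),   # new
    Finding("db01", "QID-3", "critical"),    # still open, ticket not yet worked
    Finding("db01", "QID-5", "high"),        # new
    Finding("dev-box", "QID-1", "high"),     # still open, but the asset has criticality 1
]

Key = Tuple[str, str]   # (host, qid) identifies one finding across scans


def risk_score(f: Finding) -> int:
    """Policy: scanner severity x business criticality, doubled for internet-facing assets."""
    a = ASSET_BY_HOST[f.host]
    return SEVERITY_WEIGHT[f.severity] * a.criticality * (2 if a.external else 1)


def diff_scans(previous: List[Finding], current: List[Finding]) -> Dict[str, Set[Key]]:
    """Stage 5: compare two scans to learn what was fixed, what is new and what is still open."""
    prev = {(f.host, f.qid) for f in previous}
    cur = {(f.host, f.qid) for f in current}
    return {"new": cur - prev, "closed": prev - cur, "open": cur & prev}


def tickets_for(findings: List[Finding], already_ticketed: Set[Key]) -> List[Tuple[str, str, int]]:
    """Stage 4: a remediation task for every finding above the threshold that has no task yet."""
    rows = [(f.host, f.qid, risk_score(f)) for f in findings
            if risk_score(f) >= TICKET_THRESHOLD and (f.host, f.qid) not in already_ticketed]
    return sorted(rows, key=lambda t: -t[2])


def report_by_owner(current: List[Finding]) -> Dict[str, Dict[str, int]]:
    """Stage 6: open findings and total risk per responsible team."""
    out: Dict[str, Dict[str, int]] = {}
    for f in current:
        entry = out.setdefault(ASSET_BY_HOST[f.host].owner, {"open": 0, "risk": 0})
        entry["open"] += 1
        entry["risk"] += risk_score(f)
    return out


def run_cycle(previous: List[Finding], current: List[Finding]) -> dict:
    """One full iteration: tasks from the first scan, then the re-scan updates them."""
    tickets_prev = {(h, q) for h, q, _ in tickets_for(previous, set())}
    d = diff_scans(previous, current)
    return {
        "new_tickets": tickets_for(current, tickets_prev),
        "tickets_closed": sorted(tickets_prev & d["closed"]),
        "tickets_still_open": sorted(tickets_prev & d["open"]),
        "report": report_by_owner(current),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_cycle(SCAN_1, SCAN_2), indent=2))
```

Note what the policy does with the dev box: its high-severity finding never becomes a task because the asset is unimportant, while the same QID on the internet-facing web server was ticketed in the first cycle and shows up as closed after the re-scan. Any real deployment would replace the constructed scan lists with the scanner's exported results and the weights with the organisation's own policy.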


I know that similar elements are implemented in the McAfee VM product and partially in one or two software solutions from western vendors.

But the main difference of QualysGuard is that all of this is delivered as SaaS. That is, minimal cost of ownership, service on demand, no need for a dedicated engineer, and everything else we get from SaaS.

That is, to work with external assets you only need a web browser (preferably not IE) and Internet access. For internal scanning you additionally need a running virtual machine on VMware or Oracle VirtualBox. And that's all :)

I'm sure that questions will arise about the protection of vulnerability data transmitted to and stored in the vendor's data center (it is still SaaS), so I'll say only that the company builds trust with its customers and spends a lot of money every year on its own audits and on improving its protection. That is what allows large global companies to trust Qualys (everything is on the vendor's website). It was interesting for me to discover that all the major IT vendors, while selling their own vulnerability scanners, use QualysGuard themselves.

Also, for large customers who are afraid to store their data in Switzerland, there is the option of deploying their own data center.

With this I want to finish my first article about my experience with different technologies. Next week I will try to talk about the free Qualys service and answer the questions I receive.
