Qualys Multi-Vector EDR gives a broader view beyond the endpoint, which is necessary to eliminate false positives and more effectively prevent lateral movements.Vishal Salvi CISO at Infosys
Bringing together asset management, vulnerability risk management and multi-vector EDR into a single console is very powerful.Bhupinder Singh AVP at Hughes Systique Corporation
Traditional endpoint detection and response (EDR) solutions focus only on endpoint activity to detect attacks. As a result, they lack the full context to analyze attacks accurately. This leads to an incomplete picture and a high rate of false positives and negatives, requiring organizations to use multiple point solutions and large incident response teams.
Qualys fills the gaps by bringing a new multi-vector approach and the unifying power of its highly scalable Cloud Platform to EDR, providing vital context and comprehensive visibility to the entire attack chain, from prevention to detection to response.
Qualys Multi-Vector EDR unifies different context vectors like asset discovery, rich normalized software inventory, end-of-life visibility, vulnerabilities and exploits, misconfigurations, in-depth endpoint telemetry, and network reachability with a powerful backend to correlate it all for accurate assessment, detection and response – all in a single, cloud-based app.
Lightweight Qualys Cloud Agents (<3MB) power the app and continuously collect and stream data to the Qualys Cloud Platform, where the information is correlated, enriched and prioritized for real-time visibility into everything that’s happening on the endpoint and the surrounding network. Whether it is killing processes, quarantining files or endpoints, patching vulnerabilities, removing exploits, fixing misconfigurations or uninstalling software, our singular agent can do it all.
Qualys goes beyond traditional EDR solutions by providing prevention, detection and response across the entire attack lifecycle. Plus, with Qualys you only need one agent to perform critical security functions and respond to and remediate incidents in real time – all from a single, integrated cloud app.
Qualys Multi-Vector EDR includes:
Why Choose Qualys EDR
Qualys Multi-Vector EDR leverages the Qualys Cloud Platform to collect and correlate vast amounts of IT, security and compliance data. By using Qualys, adding more functionality and more coverage is as easy as checking a box. Configure and administer all your tools in one place without adding complexity.
You can’t secure what you cannot see or don’t know! With Global IT Asset Inventory integrated into Qualys Multi-Vector EDR, it automatically discovers and classifies all IT assets including endpoints using multiple Qualys sensors such as cloud agents, network scanners and passive sensors, providing deep visibility into asset telemetry. Additionally, it automatically organizes assets with dynamic asset tagging, enabling organizations to quickly rollout EDR across their entire global hybrid environment – eliminating endpoint blind spots.
Supports continuous discovery of endpoints, even if they are not connected to the corporate network, via hybrid Qualys sensors such as cloud agents, network scanners, cloud connectors, container sensors and passive sensors.
Delivers deep visibility into endpoint telemetry such as, hardware and software details with their versions, end-of-life (EOL) status, last usage, licensing, geo-location, running services, processes, open ports and network traffic insights. For example, it shows how many endpoints have EOL web browsers and date of last use.
Provides rule-based dynamic tagging to automatically organize assets, enabling EDR activation based on asset tags. For example, if endpoints have a Zoom client, they can be tagged as remote endpoints and activities will be detected.
Customizable dashboard widgets to track endpoints with EDR and their health-check for information like how many endpoints have not pushed data in the last 8 hours.
Qualys passive sensors, provide valuable insights into an endpoint’s network traffic. For example, it includes ingress and egress traffic size to let you know if there is heavy incoming traffic, downloading of mining blocks and more. It also provides details into the apps and services that the endpoint communicates with, which could be vital information for identifying a bad server, app or IP.
Traditional EDR tools operate without the context of open vulnerabilities, misconfigurations and missing patches, which is often why malicious activities succeed on endpoints. By enabling Qualys VMDR® (Vulnerability Management, Detection and Response) with policy compliance add-ons, Qualys Multi-Vector EDR continuously detects CVEs with exploits available in the wild, as well as exploitable security misconfigurations, and automatically prioritizes them for one-click patching or remediation – all in a single workflow!
Provides continuous detection of vulnerabilities and automatically prioritizes them based on their threat indicators, such as zero days, high data loss, lateral movements, available exploits, malware family mapping, and more. For example, if a malicious attack has transpired through Firefox, it tells you which vulnerabilities are tied to that version of Firefox.
Monitor digital certificates deployed throughout the network to see what certificates are about to expire, which hosts they are related to, key size, and if they are associated with any vulnerabilities.
Continuous assessment of misconfigurations provides visibility into weak security hygiene areas such as encryption, credential usage, native firewall, and more. For example, if an OS credential dumping attack has occurred in the environment, it provides clear insight into LSASS setting posture through MITRE technique mappings to configuration checks.
Discover and monitor endpoints with missing patches, end-of-life or blacklisted software for malicious behavior.
With native integration of industry-leading anti-malware protection technology, Qualys Multi-Vector EDR eliminates the overhead of managing traditional anti-virus solutions. Qualys Multi-Vector EDR provides multi-layered anti-malware, anti-phishing and anti-exploit protection with application behavior scanning so that all malicious attacks are accurately detected and automatically blocked on the endpoint within seconds.
Continuous protection from malicious attacks through machine learning algorithms proven to accurately detect known and unknown malware, including the latest ransomware.
Supports proactive malware detection based on continuous application lifecycle behavioral monitoring to detect and stop attacks on applications running on the endpoint.
Sophisticated attacks often start with exploits to gain control of the target endpoint. Qualys’ advanced anti-exploit technology detects and blocks attacks exploiting zero-day and unpatched vulnerabilities with techniques such as return-oriented programming (ROP).
Enables real-time monitoring of all active processes on the endpoint and disruption of advanced malicious activities mid-stream while rolling back changes.
Consistently detects zero-day malware and file-less attacks that hijack known, running processes.
Enables device control to prevent sensitive data leakage and malware infections via external devices.
The MITRE Enterprise Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) framework is a curated knowledge base and a model for cyber-adversary behavior that reflects the various phases of the attack lifecycle and the platforms attackers are known to target. Threat hunters, red teamers, and defenders use this behavior model to detect and classify attacks and assess an organization’s risk. Qualys Multi-Vector EDR provides in-house researched detections and enrichments from other Qualys apps as well as native integration of threat intelligence feeds from leading third-party sources.
Includes pre-defined threat-hunting widgets such as, Advanced Persistent Threats (APTs), the latest exploit/ransomware advisories, CERT security advisories, and suspicious process usage that can be indicative of non-malware attacks, like:
Out-of-the-box MITRE driven event widgets track advisory behavior in your environment on a continuous basis, such as highlighting OS credential dumping attacks that have occurred in last 24 hours.
Includes a comprehensive library of in-house researched detections based on MITRE techniques for endpoint behavior mapping, threat hunting and threat intelligence.
Intuitive workflows for threat hunting from security incident alert emails, as well as from the dashboard for tracking new events in real-time.
Qualys’ highly scalable platform stores historical data for attack context, including raw event telemetry and post-processed attack indicators across multiple dimensions: time-series and current state indexes. This enables security analysts to quickly answer and respond to the two most important questions to speed investigation and response: “Is the attack still live in my network?” and “At what point in the past did it happen?”
Provides native integration of threat intelligence feeds from multiple third-party sources eliminating the need to manually enrich the data. This also enhances attack detection while eliminating the cost and complexity associated with deploying and integrating of other solutions to correlate events in external SIEMs that cannot scale to handle the event volume associated with modern attacks.
Visualization of malicious attack paths through process tree graphs, providing valuable insights into process details, scoring and other enrichments. For example, if a process is malicious and not blocked, it provides the option to kill the process.
Qualys Multi-Vector EDR collates vast amounts of IT, security and compliance data collected from its hybrid sensors and augments it with threat intelligence from multiple external sources. It also enriches the data with process graphs to visualize attack paths, thus enabling security teams to unify their incident investigation, reduce false positive and negatives, and prioritize incidents for the appropriate response. Security teams can also monitor and investigate threats through simple, intuitive workflows via the native UI or APIs.
Collate and harmonize inventory, vulnerability and misconfiguration, malware, exploit, network traffic information with technique-based detections for unified threat hunting that helps security teams gain insights into the true endpoint risks.
Threat hunting and investigation workflow based on multi-vector context of data.
Create rule-based alerts for automated, real-time notifications about security incidents with built-in workflows for reviewing actions or for taking appropriate suggested response. Alerting options include, email alerting, integration with ticketing systems, posting to Slack channels, creating PagerDuty incidents, and more.
Incident scoring engine intelligently prioritizes response based on how the attack is behaving in the network by leveraging the context of vulnerability, misconfiguration and network traffic data with other host telemetry data. This enables security analysts to respond to the most critical attacks first.
Gain valuable insights from exploitable vulnerabilities and misconfigurations on endpoints mapped to malicious attacks or MITRE tactics. This provides security teams with knowledge to protect all similar hosts. For example, if a malicious attack has occurred via a Firefox vulnerability, it will alert you to all hosts with that CVE.
Qualys Multi-Vector EDR’s multi-layered response strategies enable security teams to remediate threats in real-time while maintaining the business continuity of the endpoints. With zero-day exploits and ransomware attacks, it is vital to track advisories through dynamic dashboards, set email alert rules, investigate security incidents for details, and contain attacks through speedy response actions. Unlike other cloud-based EDR solutions, Qualys Multi-Vector EDR not only supports appropriate response capabilities on the endpoints, but also blocks exploits, known malware and malicious processes in real time.
Blocks attacks exploiting zero-day and unpatched vulnerabilities with techniques such as return oriented programming (ROP).
With zero-trust assumption, Qualys Multi-Vector EDR anti-malware protection disrupts suspiciously spawned processes on the endpoint, following the roll back.
Threat hunting and event investigation workflow enables security teams to take multifold actions such as:
Enables the response lifecycle throughout the investigation phase, providing an intuitive workflow to quarantine the host and releasing it to the network once malicious objects are removed.
Easily tracks the status of all endpoints, letting you know if a certain host gets repeated malware or has been a part of multiple response processes.
Qualys Multi-Vector EDR is the only platform that provides a host of prevention strategies such as automated patching, misconfiguration remediation, and removal of software to ensure endpoints cannot be victimized again. Qualys Multi-Vector EDR also provides a comprehensive list of all hosts with exploitable vulnerabilities and misconfigurations, and end-of-life and blacklisted software. Additionally, it provides the ability to orchestrate patching and remediation jobs to secure the entire environment. That way your security teams can concentrate on the advanced threats rather than the attacks happening via exploitable vulnerabilities and misconfigurations.
Gain insights into all exploitable misconfigurations per MITRE tactics, with capability to “one-click” remediate throughout the entire global hybrid environment.
See all exploitable vulnerabilities affecting the endpoints.
Map malicious attacks back to the vulnerabilities that were exploited.
Detect available patches for vulnerabilities and deploy them using the same cloud agent with one click.
Prioritizes hosts with available patches based on vulnerabilities, open ports, and end-of-life software, mapped against real-time threat indicators such as malware family, high data loss, lateral movement, and more.
Preventive controls such as USB blocking to stop sensitive data leakage and malware infections.
Qualys Multi-Vector EDR public APIs enable integration with third-party SIEM, threat intelligence platforms, incident handling/response systems, security orchestration and automated response platforms, and IT ticketing systems to automate the rapid sharing of threat information with third-party security and IT operational platforms.