A new multi-vector approach to Endpoint Detection and Response

Traditional endpoint detection and response (EDR) solutions focus only on endpoint activity to detect attacks. As a result, they lack the full context to analyze attacks accurately. This leads to an incomplete picture and a high rate of false positives and negatives, requiring organizations to use multiple point solutions and large incident response teams.

Qualys fills the gaps by bringing a new multi-vector approach and the unifying power of its highly scalable Cloud Platform to EDR, providing vital context and comprehensive visibility to the entire attack chain, from prevention to detection to response.

Qualys Multi-Vector EDR unifies different context vectors like asset discovery, rich normalized software inventory, end-of-life visibility, vulnerabilities and exploits, misconfigurations, in-depth endpoint telemetry, and network reachability with a powerful backend to correlate it all for accurate assessment, detection and response – all in a single, cloud-based app.

Lightweight Qualys Cloud Agents (<3MB) power the app and continuously collect and stream data to the Qualys Cloud Platform, where the information is correlated, enriched and prioritized for real-time visibility into everything that’s happening on the endpoint and the surrounding network. Whether it is killing processes, quarantining files or endpoints, patching vulnerabilities, removing exploits, fixing misconfigurations or uninstalling software, our singular agent can do it all.

PREVENTION

Pre Attack

Asset Discovery & Inventory
Asset Tagging
Ransomware Attacks
Anti-malware
Exploit Blocking
Anti-Phishing
Behavior-based Attacks
File-less Attacks
Volume Encryption
Add ons
Vulnerability Management
Misconfiguration Assessment
Patch Management

DETECTION

Breach

MITRE (ATT&CK^TM) Techniques and Tactics Driven Detections
File, Process & Registry Events
Memory Scan
Threat Intelligence Enrichments
Proprietary Event Risk Scoring
Insights Into Open Ports, Running Processes, Services & Installed Software
Add ons
File Integrity Monitoring
Exploitable Vulnerabilities
Exploitable Misconfigurations

RESPONSE

Post Breach

File Quarantine/Deletion
Process Termination
Endpoint Containment
User-defined PowerShell Response
Restore Files/Systems
Add ons
Configuration Remediation
Vulnerability Patching
Unwanted Software & Service Removal

Why Choose Qualys EDR

Consolidate your stack

Qualys Multi-Vector EDR leverages the Qualys Cloud Platform to collect and correlate vast amounts of IT, security and compliance data. By using Qualys, adding more functionality and more coverage is as easy as checking a box. Configure and administer all your tools in one place without adding complexity.

Unparalleled visibility, speed and scale

Get instant, real-time visibility and control of all your global IT assets and endpoints at infinite scale! Automatically find any known, unknown or unauthorized asset that connects to the network, and search for detailed IT, security and compliance information on the asset, in seconds, for immediate answers.

Protect against a broad set of attack vectors in one place!

Get complete protection with a unified solution that combines prevention with endpoint detection and response (EDR). Automatically detect unknown or unmanaged devices and software, critical vulnerabilities, misconfigurations, malware and suspicious activity on all endpoints, and ensure stealthy attacks and breaches are stopped.

Detect and stop advanced attacks

Delivers unparalleled visibility, multi-vector IT and security context and threat intelligence to automatically detect suspicious activity and ensure advanced attacks and breaches are stopped. Map alerts to the MITRE ATT&CK™ framework to easily hunt for threats and conduct investigations.

End alert fatigue and false positives with multi-vector context

Accurately define the entire risk profile of an endpoint and eliminate false positives by unifying different context vectors like asset discovery and inventory, vulnerability management, configuration management, file integrity monitoring, web application scanning and more.

Understand the complete attack story

Quickly get the complete story of the attack from start to finish, and see all of the related attack elements, including the root cause, all affected machines and users, incoming and outgoing communications, file, registry, process, network and script events, and a timeline of the attack.

Respond to and remediate incidents in real time

Use the Qualys Cloud Agent to patch vulnerabilities, remediate configuration issues, quarantine endpoints, or take remote access of a device to terminate processes, remove exploits, restore files/systems, and re-issue credentials.

Use a single, holistic Cloud Agent for everything

The Qualys Cloud Agent is ultra-lightweight (<3MB) with no performance impact to the endpoint. It can be deployed immediately and works everywhere, including virtual machines, containers, OT and IoT devices, providing endpoint security even when endpoints are offline. Not only does the agent continuously collect IT, security and compliance data, but it allows for on-the-fly remote access to take immediate action.

24x7 managed threat detection and response from Qualys

Use Qualys’ 24x7 team of threat hunters and response experts to recommend or take targeted actions on your behalf, and swiftly identify and stop sophisticated attacks that would otherwise go undetected – days, weeks or months before.

Real-time visibility into asset inventory and telemetry

You can’t secure what you cannot see or don’t know! With Global IT Asset Inventory integrated into Qualys Multi-Vector EDR, it automatically discovers and classifies all IT assets including endpoints using multiple Qualys sensors such as cloud agents, network scanners and passive sensors, providing deep visibility into asset telemetry. Additionally, it automatically organizes assets with dynamic asset tagging, enabling organizations to quickly rollout EDR across their entire global hybrid environment – eliminating endpoint blind spots.

Supports continuous discovery of endpoints, even if they are not connected to the corporate network, via hybrid Qualys sensors such as cloud agents, network scanners, cloud connectors, container sensors and passive sensors.
Delivers deep visibility into endpoint telemetry such as, hardware and software details with their versions, end-of-life (EOL) status, last usage, licensing, geo-location, running services, processes, open ports and network traffic insights. For example, it shows how many endpoints have EOL web browsers and date of last use.
Provides rule-based dynamic tagging to automatically organize assets, enabling EDR activation based on asset tags. For example, if endpoints have a Zoom client, they can be tagged as remote endpoints and activities will be detected.
Customizable dashboard widgets to track endpoints with EDR and their health-check for information like how many endpoints have not pushed data in the last 8 hours.
Qualys passive sensors, provide valuable insights into an endpoint’s network traffic. For example, it includes ingress and egress traffic size to let you know if there is heavy incoming traffic, downloading of mining blocks and more. It also provides details into the apps and services that the endpoint communicates with, which could be vital information for identifying a bad server, app or IP.

Continuous detection of exploitable vulnerabilities and misconfigurations

Traditional EDR tools operate without the context of open vulnerabilities, misconfigurations and missing patches, which is often why malicious activities succeed on endpoints. By enabling Qualys VMDR® (Vulnerability Management, Detection and Response) with policy compliance add-ons, Qualys Multi-Vector EDR continuously detects CVEs with exploits available in the wild, as well as exploitable security misconfigurations, and automatically prioritizes them for one-click patching or remediation – all in a single workflow!

Provides continuous detection of vulnerabilities and automatically prioritizes them based on their threat indicators, such as zero days, high data loss, lateral movements, available exploits, malware family mapping, and more. For example, if a malicious attack has transpired through Firefox, it tells you which vulnerabilities are tied to that version of Firefox.
Monitor digital certificates deployed throughout the network to see what certificates are about to expire, which hosts they are related to, key size, and if they are associated with any vulnerabilities.
Continuous assessment of misconfigurations provides visibility into weak security hygiene areas such as encryption, credential usage, native firewall, and more. For example, if an OS credential dumping attack has occurred in the environment, it provides clear insight into LSASS setting posture through MITRE technique mappings to configuration checks.
Discover and monitor endpoints with missing patches, end-of-life or blacklisted software for malicious behavior.

Built-in anti-malware technology

With native integration of industry-leading anti-malware protection technology, Qualys Multi-Vector EDR eliminates the overhead of managing traditional anti-virus solutions. Qualys Multi-Vector EDR provides multi-layered anti-malware, anti-phishing and anti-exploit protection with application behavior scanning so that all malicious attacks are accurately detected and automatically blocked on the endpoint within seconds.

Continuous protection from malicious attacks through machine learning algorithms proven to accurately detect known and unknown malware, including the latest ransomware.
Supports proactive malware detection based on continuous application lifecycle behavioral monitoring to detect and stop attacks on applications running on the endpoint.
Sophisticated attacks often start with exploits to gain control of the target endpoint. Qualys’ advanced anti-exploit technology detects and blocks attacks exploiting zero-day and unpatched vulnerabilities with techniques such as return-oriented programming (ROP).
Enables real-time monitoring of all active processes on the endpoint and disruption of advanced malicious activities mid-stream while rolling back changes.
Consistently detects zero-day malware and file-less attacks that hijack known, running processes.
Enables device control to prevent sensitive data leakage and malware infections via external devices.

MITRE ATT&CK™ driven threat detection, analytics and threat intelligence

The MITRE Enterprise Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) framework is a curated knowledge base and a model for cyber-adversary behavior that reflects the various phases of the attack lifecycle and the platforms attackers are known to target. Threat hunters, red teamers, and defenders use this behavior model to detect and classify attacks and assess an organization’s risk. Qualys Multi-Vector EDR provides in-house researched detections and enrichments from other Qualys apps as well as native integration of threat intelligence feeds from leading third-party sources.

Includes pre-defined threat-hunting widgets such as, Advanced Persistent Threats (APTs), the latest exploit/ransomware advisories, CERT security advisories, and suspicious process usage that can be indicative of non-malware attacks, like:
- Use of known applications for malicious purposes.
- Malware detection evasion techniques such as processes running from the recycle bin, or processes running from the anti-virus program’s quarantine folder.
Out-of-the-box MITRE driven event widgets track advisory behavior in your environment on a continuous basis, such as highlighting OS credential dumping attacks that have occurred in last 24 hours.
Includes a comprehensive library of in-house researched detections based on MITRE techniques for endpoint behavior mapping, threat hunting and threat intelligence.
Intuitive workflows for threat hunting from security incident alert emails, as well as from the dashboard for tracking new events in real-time.
Qualys’ highly scalable platform stores historical data for attack context, including raw event telemetry and post-processed attack indicators across multiple dimensions: time-series and current state indexes. This enables security analysts to quickly answer and respond to the two most important questions to speed investigation and response: “Is the attack still live in my network?” and “At what point in the past did it happen?”
Provides native integration of threat intelligence feeds from multiple third-party sources eliminating the need to manually enrich the data. This also enhances attack detection while eliminating the cost and complexity associated with deploying and integrating of other solutions to correlate events in external SIEMs that cannot scale to handle the event volume associated with modern attacks.
Visualization of malicious attack paths through process tree graphs, providing valuable insights into process details, scoring and other enrichments. For example, if a process is malicious and not blocked, it provides the option to kill the process.

Unified security incident investigation and alerting

Qualys Multi-Vector EDR collates vast amounts of IT, security and compliance data collected from its hybrid sensors and augments it with threat intelligence from multiple external sources. It also enriches the data with process graphs to visualize attack paths, thus enabling security teams to unify their incident investigation, reduce false positive and negatives, and prioritize incidents for the appropriate response. Security teams can also monitor and investigate threats through simple, intuitive workflows via the native UI or APIs.

Collate and harmonize inventory, vulnerability and misconfiguration, malware, exploit, network traffic information with technique-based detections for unified threat hunting that helps security teams gain insights into the true endpoint risks.
Threat hunting and investigation workflow based on multi-vector context of data.
Create rule-based alerts for automated, real-time notifications about security incidents with built-in workflows for reviewing actions or for taking appropriate suggested response. Alerting options include, email alerting, integration with ticketing systems, posting to Slack channels, creating PagerDuty incidents, and more.
Incident scoring engine intelligently prioritizes response based on how the attack is behaving in the network by leveraging the context of vulnerability, misconfiguration and network traffic data with other host telemetry data. This enables security analysts to respond to the most critical attacks first.
Gain valuable insights from exploitable vulnerabilities and misconfigurations on endpoints mapped to malicious attacks or MITRE tactics. This provides security teams with knowledge to protect all similar hosts. For example, if a malicious attack has occurred via a Firefox vulnerability, it will alert you to all hosts with that CVE.

Real-time, multi-layered mitigation and response

Qualys Multi-Vector EDR’s multi-layered response strategies enable security teams to remediate threats in real-time while maintaining the business continuity of the endpoints. With zero-day exploits and ransomware attacks, it is vital to track advisories through dynamic dashboards, set email alert rules, investigate security incidents for details, and contain attacks through speedy response actions. Unlike other cloud-based EDR solutions, Qualys Multi-Vector EDR not only supports appropriate response capabilities on the endpoints, but also blocks exploits, known malware and malicious processes in real time.

Blocks attacks exploiting zero-day and unpatched vulnerabilities with techniques such as return oriented programming (ROP).
With zero-trust assumption, Qualys Multi-Vector EDR anti-malware protection disrupts suspiciously spawned processes on the endpoint, following the roll back.
Threat hunting and event investigation workflow enables security teams to take multifold actions such as:
- Quarantining a host from the network
- Quarantining or killing malicious file/process/registry/mutex
- Deleting malicious files and cleaning up the residuals
- Custom PowerShell script execution
- Remote device control
Enables the response lifecycle throughout the investigation phase, providing an intuitive workflow to quarantine the host and releasing it to the network once malicious objects are removed.
Easily tracks the status of all endpoints, letting you know if a certain host gets repeated malware or has been a part of multiple response processes.

Orchestration of prevention such as patching, remediation and more!

Qualys Multi-Vector EDR is the only platform that provides a host of prevention strategies such as automated patching, misconfiguration remediation, and removal of software to ensure endpoints cannot be victimized again. Qualys Multi-Vector EDR also provides a comprehensive list of all hosts with exploitable vulnerabilities and misconfigurations, and end-of-life and blacklisted software. Additionally, it provides the ability to orchestrate patching and remediation jobs to secure the entire environment. That way your security teams can concentrate on the advanced threats rather than the attacks happening via exploitable vulnerabilities and misconfigurations.

Gain insights into all exploitable misconfigurations per MITRE tactics, with capability to “one-click” remediate throughout the entire global hybrid environment.
See all exploitable vulnerabilities affecting the endpoints.
Map malicious attacks back to the vulnerabilities that were exploited.
Detect available patches for vulnerabilities and deploy them using the same cloud agent with one click.
Prioritizes hosts with available patches based on vulnerabilities, open ports, and end-of-life software, mapped against real-time threat indicators such as malware family, high data loss, lateral movement, and more.
Preventive controls such as USB blocking to stop sensitive data leakage and malware infections.

Powered by the Qualys Cloud Platform

Easy deployment

Deploy from a public or private cloud — fully managed by Qualys. With Qualys, there are no servers to provision, no software to install, and no databases to maintain. You always have the latest Qualys features available through your browser, without setting up special client software or VPN connections.

Centralized & customized

Centralize discovery of host assets for multiple types of assessments. Organize host asset groups to match the structure of your business. Keep security data private with our end-to-end encryption and strong access controls. You can centrally manage users’ access to their Qualys accounts through your enterprise single sign-on (SSO). Qualys supports SAML 2.0-based identity service providers.

Scalable and extensible

Scale up globally, on demand. Integrate with other systems via extensible XML-based APIs. You can use Qualys with a broad range of security and compliance systems, such as GRC, ticketing systems, SIEM, ERM, and IDS.

Learn more about the Qualys Cloud Platform

Asset Management

IT Security

Compliance

Cloud / Container Security

Web App Security

Solutions

Customers

Partners

Company

Support

Asset Management

IT Security

Compliance

Cloud & Container Security

Web App Security

Qualys Cloud Platform

Free Services

Qualys Multi-Vector EDR

Bringing the scale, accuracy and unifying power of the Qualys Cloud Platform to EDR