Qualys Vulnerability Management and Remediation FAQ
- What are Qualys' reporting capabilities?
- What are the pre-defined scan reports and their features?
- What do the different severity levels in vulnerability assessment results mean?
- What are the benefits of distributed management with centralized reporting?
- Can users receive email notifications of security audit results?
- What ensures the privacy of subscriber information, including results from network security audits?
- What happens after Qualys detects a vulnerability? Do you provide information to help me correct the problem?
- How does Qualys assist with remediation?
- How are remediation tickets created?
- Can the Qualys service help me maintain compliance?
- Does Qualys integrate with other products?
What are Qualys' reporting capabilities?
Qualys generates detailed, easy-to-comprehend customizable reports which may be exported to HTML, MHT, PDF, CSV, and XML formats. The following types of reports can be generated:
- Map Reports — Map reports provide a network topology of a given domain or network block. You can run map reports comparing historical and current maps to obtain trend analysis and identify hosts that have been added or removed from the network. Map reports can also be used to create asset groups or initiate on demand or scheduled scans against any or all discovered assets.
- Scan Reports — Scan reports are detailed vulnerability assessment reports that provide a complete view of new, existing, and fixed vulnerabilities. Qualys provides several pre-defined scan reports that are available in all user accounts. Using report templates, you can customize reports, compare scan results, and include trend analysis and summary graphs.
- Remediation Reports — Remediation reports provide you with the most current information about remediation progress and vulnerability status. Qualys provides four default remediation reports: Executive Report, Tickets per Group, Tickets per User, and Tickets per Vulnerability.
- Asset Search Portal — Qualys also provides a real-time search area to define specific criteria, locate assets that meet those user defined filters, and then to perform asset management actions against the assets.
- Dashboard — The Qualys Dashboard provides an immediate scorecard on the security and compliance posture of your organization by displaying easy to reference charts and graphs that are customizable per user.
What are the pre-defined scan reports and their features?
There are multiple pre-defined scan reports that simplify report generation and provide immediate access to your most critical vulnerability information. These reports are available to you at any time:
- Scan Results — The default template used to produce the vulnerability assessment results returned from each scan. Included in this report are a series of bar graphs showing vulnerabilities by severity, operating systems detected, and services detected, as well as detailed host and vulnerability data, sorted by host.
- SANS Top 20 Report — The SANS Institute released a list of the top 20 most critical Internet security vulnerabilities. For each of these identified vulnerabilities, Qualys runs multiple vulnerability checks giving you valuable information about your security exposures. This report identifies whether these vulnerabilities may be exploited on your network.
- RV10 Report — The RV10 (Real Vulnerabilities Top 10) is a dynamic list of the 10 most prevalent security vulnerabilities on the Internet. The RV10 is unique to Qualys as it is based on its own research of a statistically representative sample across more than 21 million audits performed on over 2,200 different networks every quarter. The RV10 list is updated automatically and continuously. Running the RV10 report against your entire IP address range or a subset of addresses will show your exposure to these top threats.
- Executive Report — This report, appropriate for non-technical management, compares vulnerability assessment results over a period of time, giving security trend information in summary format. A bar graph shows the number of vulnerabilities by severity, and a flow graph shows the number of vulnerabilities over time. This report includes no detailed vulnerability information.
- Technical Report — This report, appropriate for technicians, displays detailed results from the most recent vulnerability scan. It includes vulnerability information sorted by host as well as, for each vulnerability, a detailed description, the recommended solution to remove it, when it was first and last detected, the consequences if it is exploited and, where appropriate, the scan test result showing how Qualys was able to confirm the vulnerability existed (for example, the existence or absence of a registry key).
- High Severity Report — This report identifies all severity level 4 and 5 vulnerabilities, the highest severity levels and thus the vulnerabilities that pose the most serious threat to network security. Included in the summary are two graphs, identifying operating systems detected and services detected. Detailed host and vulnerability data, sorted by host, is provided.
- Risk Matrix Report — This report predicts the likelihood that hosts are at risk to a selected vulnerability based on existing vulnerability assessment results (returned from previous scans). By running this report, users can quickly identify and remediate high risk vulnerabilities on critical assets, without waiting for the next scan opportunity.
- PCI Technical and Executive Reports — Two PCI reports are available. These reports may be used to assist with remediation and achieve compliance with the Payment Card Industry Data Security Standard. When vulnerabilities and potential vulnerabilities at levels 3, 4 and 5 are fixed, the PCI Executive Report can be downloaded as PDF and submitted to the merchant's acquiring bank.
What do the different severity levels in vulnerability assessment results mean?
Each vulnerability and possible threat is assigned a severity level. The following table describes the five (5) severity levels for vulnerabilities and potential vulnerabilities.
| Severity | Description |
|---|---|
| Minimal | Intruders can collect information about the host (open ports, services, etc.) and may be able to use this information to find other vulnerabilities. |
| Medium | Intruders may be able to collect sensitive information from the host, such as the precise version of software installed. With this information, intruders can easily exploit known vulnerabilities specific to software versions. |
| Serious | Intruders may be able to gain access to specific information stored on the host, including security settings. This could result in potential misuse of the host by intruders. For example, vulnerabilities at this level may include partial disclosure of file contents, access to certain files on the host, directory browsing, disclosure of filtering rules and security mechanisms, denial of service attacks, and unauthorized use of services, such as mail-relaying. |
| Critical | Intruders can possibly gain control of the host, or there may be potential leakage of highly sensitive information. For example, vulnerabilities at this level may include full read access to files, potential backdoors, or a listing of all the users on the host. |
| Urgent | Intruders can easily gain control of the host, which can lead to the compromise of your entire network security. For example, vulnerabilities at this level may include full read and write access to files, remote execution of commands, and the presence of backdoors. |
Figure 2 – Definition of Vulnerability Severity Levels
What are the benefits of distributed management with centralized reporting?
Qualys' distributed management capabilities enable enterprises to delegate vulnerability management tasks to many users within an enterprise, assigning a role with associated privileges to each user, while maintaining centralized control. Another benefit is the centralized reporting capabilities against the distributed scans performed. This functionality simplifies network security audits, facilitates policy compliance, and provides management with up-to-date reports of network security.
Can users receive email notifications of security audit results?
Yes. Users of the Qualys interface can choose to be notified via email each time an audit completes. These notifications provide valuable information about the scan or map, including a results summary and a secure link to the saved report. Upon creating user accounts within Qualys, the Manager who creates the account can choose, on a user-by-user basis, who receives email notifications based on specific criteria. These options can be changed at any time.
What ensures the privacy of subscriber information, including results from network security audits?
Subscriber information is stored on Qualys' dedicated database servers, which are protected from compromise by a defense-in-depth security architecture consisting of dedicated firewall and intrusion detection systems as well as a comprehensive set of encryption technologies. In addition, the servers are located in the center of multiple security rings on a private network that utilizes non-routable addresses. Information pulled from our databases by the subscriber is delivered via a secured 128-bit SSL connection. All subscriber data and reports are strongly encrypted in storage using a 128-bit AES encryption key that is unique to each customer. The customer key is not stored and is not accessible to Qualys or any of our employees.
What happens after Qualys detects a vulnerability? Do you provide information to help me correct the problem?
For each vulnerability detected, Qualys reports detailed information, including:
- Host Information – IP address, hostname and fully qualified domain name (where available), operating system, and asset group(s).
- Vulnerability Information – vulnerability severity, description of the threat posed by the vulnerability, recommendation for correcting the problem (including links to vendor sites), and the result, if available, which shows how Qualys verified the vulnerability. These fields can be customized for every signature in the Qualys Vulnerability KnowledgeBase.
Qualys reports can be customized so the user only views and/or prints the vulnerability assessment data that is of interest to them.
How does Qualys assist with remediation?
The Qualys solution has an embedded end-to-end remediation workflow function which can be used to assign remediation tickets and track closure status on a per host/vulnerability basis. Additionally, Qualys can be integrated with existing remediation workflow processes and technologies to provide remediation assistance.
Ticket creation and ticket state/status adjustments occur automatically, triggered by security assessment results. Tickets that have been resolved are immediately verified by Qualys upon the next vulnerability scan and closed if successfully fixed. Also, Managers can choose to permit manual ticket closure for vulnerabilities which represent acceptable business risk.
Remediation reports can be run anytime by any user with privilege to obtain the latest vulnerability status information and remediation progress.
How are remediation tickets created?
A remediation policy determines the criteria required for a remediation ticket to be created. A remediation policy can be set up so that tickets are automatically created when vulnerabilities of a certain criticality are found on certain hosts. The remediation policy also determines to whom remediation tickets are assigned as well as the expected ticket resolution date.
The remediation workflow consists of a series of remediation policies. Policies are evaluated, and action is taken, in a top-down (first to last) process flow, so there can be several remediation policies for each host and/or each vulnerability. The first remediation policy that matches in the workflow is processed and the rest are ignored, much like a firewall rule base.
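The following is an added illustration of the first-match workflow described above, written for this FAQ rather than taken from Qualys; the policy fields, asset group names, QIDs and the numeric 1 (Minimal) to 5 (Urgent) mapping of the severity table are assumptions. Because the first match wins, a broad catch-all placed above a more specific policy silently shadows it, so the example also includes a check for such ordering mistakes.

```python
# Added illustration (not Qualys code) of the first-match remediation workflow:
# policies are evaluated top-down and the first match creates the ticket.
# Policy names, asset groups and QIDs below are constructed sample values.
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Detection:
    host: str
    asset_group: str
    qid: int         # constructed sample QID, not a real KnowledgeBase entry
    severity: int    # 1 (Minimal) .. 5 (Urgent), the order of the severity table

@dataclass(frozen=True)
class Policy:
    name: str
    min_severity: int        # matches when severity >= this value
    asset_groups: frozenset  # empty set means any asset group
    assignee: str
    days_to_resolve: int

def matches(policy, det):
    return det.severity >= policy.min_severity and (
        not policy.asset_groups or det.asset_group in policy.asset_groups)

def evaluate(policies, det, today):
    """Ticket (dict) from the first matching policy, or None; later matches are ignored."""
    for p in policies:
        if matches(p, det):
            return {"host": det.host, "qid": det.qid, "assignee": p.assignee,
                    "due": today + timedelta(days=p.days_to_resolve), "policy": p.name}
    return None

def shadowed(policies):
    """Names of policies that an earlier, at-least-as-broad policy prevents from ever firing."""
    out = []
    for i, p in enumerate(policies):
        for q in policies[:i]:
            broader_groups = not q.asset_groups or (
                p.asset_groups and p.asset_groups <= q.asset_groups)
            if q.min_severity <= p.min_severity and broader_groups:
                out.append(p.name)
                break
    return out

# Constructed rule base: the specific PCI rule sits above the catch-alls.
POLICIES = [
    Policy("urgent-on-pci", 5, frozenset({"pci-cardholder"}), "pci-team", 3),
    Policy("high-anywhere", 4, frozenset(), "sysadmins", 14),
    Policy("serious-anywhere", 3, frozenset(), "sysadmins", 30),
]
```

Reversing `POLICIES` makes `shadowed()` report both stricter rules, which is the ordering mistake to look for when a high-priority ticket never appears.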
Can the Qualys service help me maintain compliance?
- PCI – The PCI Data Security Standard details security requirements for members, merchants, and service providers that store, process or transmit cardholder data. To demonstrate compliance with the PCI Data Security Standard, merchants and service providers may be required to conduct network security scans on a quarterly basis.
- Sarbanes-Oxley – In general, all QIDs related to file permissions, level of system access, audit logs, and passwords are good candidates for creating a scan template for SOX compliance.
The Qualys QIDs in the Vulnerability KnowledgeBase can be searched and sorted so that the ones appropriate to a given compliance control can be identified.
Does Qualys integrate with other products?
Qualys offers a rich set of APIs (user manuals available at https://community.qualys.com/community/developer) that allow information in XML format to be pushed into Qualys or pulled from the service so that integrated solutions can be created. Sample Perl scripts have been created for customers that want to jump start an integration effort. These can be downloaded through the Qualys web interface.
Qualys Solution / Technology Partners describes integrations with over 30 best-of-breed security applications that include IDS, SIM or SEM solutions, penetration testing applications, and other software products.