Qualys is a cloud-based compliance and web application security provider. Qualys was the first company to deliver vulnerability management solutions as applications through the web using a “Software as a Service” (SaaS) model. We talked with Ben Carr, CISO of Qualys, about cybersecurity and the company’s future plans.
Can you tell us about the story of Qualys? What were the most important milestones?
Qualys started twenty years ago, and the company took a cloud approach to security before the concept of the cloud existed. Since then, the company has expanded to cover vulnerability management and response across multiple IT platforms, from endpoints through to traditional IT assets like servers and networks and modern application services like cloud and containers.
Our approach is based on helping companies understand what they have, whether it is secure and up to date, and how to prioritize fixing issues that exist. IT asset management has been a challenge for years – with the combination of automation, cloud and vulnerability management, it’s possible to get this asset data and keep it up to date continuously.
Today, we have more than 19,000 customers that rely on us for their security and we run more than six billion security scans across their assets a year.
When we started, we knew that we would have to scale up our platform over time to cope with the amount of data created from the assets that customers have in place. We looked at open-source technologies that could manage the sheer volume of data that we had to manage in the future, as those would be at the heart of our Cloud Platform.
Today, we have more than eight trillion data points stored in our Elasticsearch clusters, and we process more than fifteen billion Kafka messages per day. We manage more than six billion IP scans and audits per year. With all this data held in our Qualys Cloud Platform, we can help customers to get a continuous update on their security over time. We can automate finding vulnerabilities, applying patches, and reporting on issues and priorities all from the same product, so teams can be more productive. With Qualys Cloud Platform, companies can consolidate their tools and integrate and automate their workflows around security.
Due to the COVID-19 pandemic, the shift to cloud has increased. How did COVID-19 affect the types of cyber-attacks and security needs?
The pandemic has created uncertainty for individuals and organizations. Many companies accelerated their remote working plans to cope, and there has been an explosion of remote endpoints connected to critical assets.
What does this mean for security? IT teams have to ensure that employees are able to work productively and securely from remote locations, and it is clear that traditional enterprise security solutions deployed inside organizations’ networks are ineffective for protecting these remote endpoints. We believe that Qualys is one of the few companies well-positioned in this security market evolution due to our focus on investing in the extensibility and capabilities of our platform and our cloud-based architecture.
Upon the onset of COVID-19, we released a remote endpoint protection service that would help customers address this challenge. This service was launched free for 60 days and delivered instant visibility of those remote computers as well as their installed applications. Patches would be delivered securely and directly from vendors’ websites and content delivery networks, ensuring there is little to no impact on external VPN bandwidth.
Our approach is based on providing customers with more value from their data through our Cloud Agents. With COVID continuing, more people will be working remotely, and they will have to be kept secure.
Could you please give detailed information about your new Vulnerability Management, Detection, and Response solution?
VMDR is the next generation of vulnerability management approach. Previously, vulnerability management was split across different teams and point tools – while your security team might spot an issue, they would not have insight into all the assets that had that issue, and they would not be responsible for patching each and every asset. Today, when you have so many potential vulnerabilities coming through, that is just not scalable.
Instead, we have to automate the process and make it more connected and collaborative. VMDR delivers this by automating the process for rolling out patches to all your assets and then reporting on success levels. Getting that complete cycle in place, so you can respond effectively, is essential.
VMDR covers asset discovery and inventory management, so you can see all the assets that your company has whether they are on the network, in the cloud or on individual devices such as endpoints or mobile devices. Next, you have vulnerability management, where you can assess your assets for potential threats or risks, as well as checking for issues caused by poor configuration or out-of-date security certificates.
With these in place, you can carry out continuous monitoring and threat protection scanning, so you can be aware of issues as they come up. This can help you prioritize issues for patching, as well as automating the processes for delivering and applying patches where that makes sense for your team.
What are the advantages of a unified platform that brings all security and scan solutions together?
There are two main benefits, one for the security analysts and one for the CISO. Firstly, the security team can carry out actions faster, or use automation to achieve their goals. Rather than having to manually carry out tasks or rely on scripting or integrations, you have one tool to support your team.
The second benefit is more financial. As a CISO, if you can consolidate your security tools and work with fewer vendors, you can reduce your spend and concentrate on providing better services to your organization. CISOs want to work with companies that can provide them with more value, that they can work with as trusted partners, and that they can rely on to support their goals and their vision. At Qualys, we work with enterprises to provide data that they can use for their security analytics teams and for their leadership teams as well.
Do you have any plans for new products or features in the near future?
We have been working on several new projects, including our newly introduced approach to container security. With many modern applications getting built in software containers, having security for containers implemented as part of your overall security and vulnerability management approach makes a lot of sense. However, you have to think about container security differently from traditional IT platforms like endpoints or servers: you have to check your container libraries to ensure that they don’t contain any issues, you have to monitor your container runtimes so that they remain secure over time, and you have to track all these ephemeral images as they get created, so you have a complete understanding of what is being used at any point in time.
We also recently introduced our Multi-Vector Endpoint Detection and Response (EDR) product. This offers a holistic approach to prevention as it combines standard EDR functionality with vulnerability and system visibility, and in turn correlates those endpoints against an external threat feed. Traditional EDR solutions focus solely on endpoint activity, which lacks the full context to enable accurate threat analysis. Without a comprehensive analysis, teams often receive a large number of false positives and negatives, which require multiple point solutions and large incident response teams to re-analyse.
By utilising and unifying a multitude of different context vectors such as asset discovery, end-of-life visibility and network reachability, we are able to offer prevention, detection and response across the entire attack lifecycle. This also means that teams can manage and respond to incidents from a single, integrated cloud app.
Looking ahead, we have been reviewing our data. We have a huge data lake going back years, and we have created XDR to use this data to help our customers over time. XDR will include plug-n-play analytics, built-in threat storylines for users and assets and platform-level built-in integration. We plan to release XDR in a few months’ time.