RoadMap in the Cloud (2011)

  1. QualysGuard RoadMap in the Cloud … Marek Skalicky, CISM, CRISC, June 15, 2011. Regional Account Manager for Central & Adriatic Eastern Europe.
  2. QualysGuard Suite: IT Security Risk & Compliance Platform and Applications. New definition of the QG Security & Compliance Suite, delivered through the QualysGuard On Demand Portal:
     - Analyze: Vulnerability Management, Web Application Scan, Malware Detection, Self-Service Scan*
     - Comply: Policy Compliance / FDCC, PCI Compliance, Qualys Seal, Compliance Management*
     - Protect: Web Application Firewall*, IDS/IPS Signatures*
     - Underneath: QualysGuard SaaS Technology Platform, Scanners & Sensors, Open APIs & Integrations
  3. Migration Plan to new platform (2011): Web 2.0 UI (EXT); Application Optimized & Integrated JSON API; Web Services API (Qualys Platform Services); current PHP platform moving to the Next Generation (Java) Platform; New Scanner Interface; Virtual Scanner; Existing & New Scanners platform. Timeline shown on the slide: Q2/Q3, Q3/Q4, Q4/Q1.
  4. Major Enhancements: JavaScript Interface with Web Services for Actions & Data. Highly Dynamic Interface: ExtJS Library Based Widgets; JS Compression and Compilation; Separated Display-and-Service Architecture. Single Service / Any UI / Export: Allows Easy Re-Use; Easily Scriptable & Highly Accessible; Wide Range of Outputs (doc, xls, pdf, xml, ppt). Easily Leveraged in Other Applications: QualysGuard-accessible; Customer-accessible; Partner-accessible.
  5. Major Enhancements: Tag-Based Organization & Security. Dynamic Tags: Many Rule Engines & Customization Options; Fast Re-Evaluation; Manual and Scan-Based Updates. Hierarchical Tags: Allow for Inheritance in Security; Allow Easy Roll-Up Grouping; Work in all Modules (Reporting, etc.). Security-by-Tag: Allow Access Based on one or More Tags; Dynamic & Static Security, Easier Maintenance.
  6. First Public Implementations: Qualys SECURE Seal & Malware Detection Services.
  7. Next Implementations: Web Application Scanning & Policy Compliance.
  8. Roadmap Summary (✓ = already delivered):
     - Analyze (VM, WAS, MAL): H1 2011: WAS 2.0 beta, MAL 1.0 GA, Exploit integrations ✓, Template library ✓. H2 2011: WAS 2.0 GA, PC on new platform, Reporting enhancements, Web app fingerprinting. 2012+: VM on new platform, New discovery wizard, New ticketing integration.
     - Compliance (POL, FDCC, PCI, Seal): H1 2011: Secure Seal GA, PCI ASV 1.2 support ✓, Policy locking. H2 2011: POL on new platform, UCF support, IT GRC Integrations. 2012+: Compliance Manager beta.
     - Protect (WAF, IDS): WAF beta, IDS Signatures beta.
     - Platform: H1 2011: New scheduler (JobD), CyberArk auth records ✓, Verisign VIP 2-factor ✓. H2 2011: vScanner for Amazon, vScanner for Consultant, New remediation engine. 2012+: vScanner for Data Center, Scheduled reporting, Dynamic asset tagging.
  9. Qualys + Cyber-Ark PIM Integration: Cyber-Ark Privileged Identity Management for QG authenticated scanning, using the Cyber-Ark Password Vault (local encrypted credentials storage). Very easy to implement: 1-day project including C-A implementation. References: Rabobank, Discover, CNB. Very low costs of integration: zero costs for existing Cyber-Ark customers; special discount for Qualys customers.
  10. VeriSign VIP Two-factor Authentication: 1) Download free SW Token (https://vipmobile.verisign.com/supportedphones.v); 2) Edit user settings in QG; 3) Login with VeriSign VIP.
  11. Virtualization Roadmap. Purpose: develop software-based scanner appliances which run under virtualization engines (VMware, Xen, HyperV). Multiple versions: Consultant & Express: based on VMware Workstation/Player, to be run on laptops and SMB servers; Enterprise versions: intended for data centers, integrated with centralized management systems such as VMware vSphere, Xen, HyperV; Amazon EC2 version: intended for scanning EC2 targets; Amazon VPC version: intended for scanning VPC targets.
  12. Screenshot: vScanner Console. COMPANY CONFIDENTIAL
  13. QG Vulnerability Management Module
  14. Exploits Knowledgebase: information added for Exploit Availability. Resources used: Exploit-DB, Metasploit, Core Security, Immunity, others…
  15. Malware Knowledgebase: information added for Malware Code Availability. Resources used: Trend Micro Malware Knowledgebase; other malware resources coming…
  16. 3 Solution categories. Solution description categories: Vendor Patch available; Workaround available; Virtual Patch available (Trend Micro Deep Inspection signatures; other IDS/IPS vendors coming…).
  17. VM Report Templates:
     - Map Reports: Map Result (list / graphical map); Unknown Device Report.
     - Asset Reports: Assets for selected OS / SW / Port / Service; Assets at risk of Malware v.1; Assets at risk of Exploits v.1; Assets with Obsolete Software v.1; Virtually Patchable Assets v.1.
     - Scan Reports: Scan Result (full technical report); Executive Scan Report; Technical Scan Report; High Severity Report; Payment Card Industry Executive Report; Payment Card Industry Technical Report.
     - Remediation Reports: Tickets per Asset Group / Business Unit; Tickets per User; Tickets per Vulnerability; Executive Remediation Report; Patchable High-priority Vulnerabilities v.1; Disabled/Ignored Vulnerabilities v.1; Remediated Vulnerabilities Last 30 Days v.1; Qualys Patch Report per IP / Asset Group / BU; Critical Patches Required v.1.
     - Tickets ScoreCard Reports: The Most Prevalent Vulnerabilities Report; The Most Vulnerable Hosts.
     - Additional Qualys Reports: Vulnerability ScoreCard Reports (Qualys TOP 20 Benchmark report; SANS TOP 20 Benchmark report); Authentication Verification Report.
  18. Asset Tagging. Organize assets via multiple hierarchies: by technology (Windows, Unix); by business unit (Consumer Products, Commercial, etc.); by business processes (Accounting, Controlling, Clearing, …). Assets can have multiple tags: 10.1.1.1 is “NY SOC”, “Unix Servers”, and “Finance Servers”, Accounting process, Controlling process, … Both static and dynamic tags: rules-based engine for assigning tags on attributes. User access is defined by tags: permissions can be grouped into user-defined Roles.
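Slides 5 and 18 describe the same mechanism from two angles: dynamic tags assigned by rules over asset attributes, hierarchical tags whose parents are inherited for roll-up grouping, and security-by-tag where a role's access is decided by tag membership. The following is an added example, not Qualys code and not the QualysGuard rule syntax; the asset attributes, tag hierarchy, rules and sample assets are all constructed here to show how those three ideas fit together and why re-evaluating tags after an attribute changes also changes who can see the asset.

```python
"""Tag-based asset organization and security-by-tag (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable


@dataclass
class Asset:
    ip: str
    os: str
    open_ports: set[int]
    tags: set[str] = field(default_factory=set)  # effective tags after retag()


# Hierarchical tags: child -> parent. Assigning a child tag implies every ancestor,
# which is what lets a role granted the parent see all children (roll-up grouping).
TAG_PARENTS: dict[str, str] = {
    "Unix Servers": "Servers",
    "Windows Servers": "Servers",
    "Finance Servers": "Finance",
    "NY SOC": "New York",
}


def expand_tags(tags: set[str]) -> set[str]:
    """Return the tags plus all of their ancestors in the hierarchy."""
    effective: set[str] = set()
    for tag in tags:
        current: str | None = tag
        while current is not None and current not in effective:
            effective.add(current)
            current = TAG_PARENTS.get(current)
    return effective


# Dynamic tag rules (hypothetical): each rule is a predicate over asset attributes,
# re-evaluated on every retag() so scan-discovered changes move assets between tags.
RULES: list[tuple[str, Callable[[Asset], bool]]] = [
    ("Unix Servers", lambda a: a.os.lower() in ("linux", "solaris", "aix")),
    ("Windows Servers", lambda a: a.os.lower().startswith("windows")),
    ("NY SOC", lambda a: ip_address(a.ip) in ip_network("10.1.1.0/24")),
    ("Web Exposed", lambda a: bool(a.open_ports & {80, 443})),
]

# Static tags are assigned manually and survive re-evaluation.
STATIC_TAGS: dict[str, set[str]] = {"10.1.1.1": {"Finance Servers"}}


def retag(assets: list[Asset]) -> list[Asset]:
    """Recompute every asset's effective tag set from rules, static tags and hierarchy."""
    for asset in assets:
        dynamic = {tag for tag, rule in RULES if rule(asset)}
        asset.tags = expand_tags(dynamic | STATIC_TAGS.get(asset.ip, set()))
    return assets


@dataclass
class Role:
    name: str
    allowed_tags: set[str]  # permissions grouped into a user-defined role


def can_view(role: Role, asset: Asset) -> bool:
    """Security-by-tag: access is granted if any role tag matches an effective asset tag."""
    return bool(role.allowed_tags & asset.tags)


def visible_assets(role: Role, assets: list[Asset]) -> list[str]:
    return sorted(a.ip for a in assets if can_view(role, a))


# Constructed sample inventory.
SAMPLE_ASSETS = [
    Asset("10.1.1.1", "Linux", {22, 443}),
    Asset("10.1.1.7", "Windows Server 2008", {3389}),
    Asset("192.168.5.3", "Solaris", {22}),
]

if __name__ == "__main__":
    retag(SAMPLE_ASSETS)
    for role in (Role("Finance auditors", {"Finance"}),
                 Role("NY SOC analysts", {"NY SOC"}),
                 Role("All server admins", {"Servers"})):
        print(role.name, "->", visible_assets(role, SAMPLE_ASSETS))
```

Note that the "Finance auditors" role is granted the parent tag "Finance", yet sees 10.1.1.1 because the static child tag "Finance Servers" expands to its ancestor; the same roll-up gives "Servers" visibility over both Unix and Windows hosts. Because access is recomputed from tags rather than from a hand-maintained asset list, a host re-tagged by a new scan result is immediately included in, or excluded from, every role that depends on that tag.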
  19. QG Policy Compliance Module
  20. QualysGuard Policy Compliance: Content Growth. [Chart: Policy Compliance Content from Q1 09 to Q1 11, series “Controls” and “Configuration Checks”, y-axis 0 to 8000.]
  21. POL Report Templates. Policy Compliance Reports: Summary Compliance report with trends; Technical Compliance report with control description and evidence; Compliance status by Hosts (Pass / Fail / Exceptions / All); Compliance status by Policy and Controls (Pass / Fail / Exceptions / All); Individual Policy & Control status over company; Individual Host compliance status. Other Compliance Reports: Authentication Verification Report; Payment Card Industry Executive Report; Payment Card Industry Technical Report.
  22. QualysGuard Policy Compliance 3.0 Roadmap: Configuration Content.
     - Configuration Content: Q2 2011: Oracle 9i/10g/11g (updates); MS SQL 2000/2005/2008 (updates). Q3/Q4 2011: DB2 9.x LUW; VMWare ESX 4.x; SharePoint 2007/2010; Sybase ASE 15.x.
     - Importable Policies: Q2 2011: CIS Windows 2008 v.1.1.0; CIS Windows 7 v.1.1.0. Q3/Q4 2011: CIS Solaris 2.5.1-9 v1.3.0; CIS Solaris 10 v.2.1.3; CIS AIX 4.3.2/4.3.3/5L/5.1 v.1.0.1; CIS AIX 5.3-6.1 v1.0.0.
  23. QG PCI Compliance Module
  24. QG PCI Compliance Workflow. Qualys provides the full ASV service: Network mapping & Vulnerability scanning attestation; ASV Scan; Final Certification report (Executive and Technical); PCI Self Assessment Questionnaire; ASV insurance; ASV support.
  25. QualysGuard PCI 2011 Roadmap. PCI 5.4: PCI Mobile app (iPhone, iPad, Android); Consolidated Action Plan Updates. PCI 5.x: User Roles / Permissions; Scan Progress Indicator; General Comments in Certified Reports.
  26. PCI Mobile Screenshots
  27. QG WAS Module
  28. Roadmap 2011. Cross-Site Request Forgery (CSRF) detection: identify forms with a security context. Improved crawling capabilities: XmlHttpRequest object and "AJAX" to better handle asynchronous requests and DOM updates; web service interfaces. Cross-Site Scripting (XSS) improvements: better analysis of "DOM verification failed" results. Improved reporting: click paths to reproduce vulnerabilities; screenshots of landing pages and vulnerabilities.
  29. QualysGuard WAS 2.0 Application: New User Interface. New interface style on new platform technology: clarity for WAS interactions; new functions: Web Application Dashboard, Web Application Catalog, Web Application View. Enhanced user experience: interactive views to meet user expectations; direct access to meaningful information; new Wizards to guide application creation & management.
  30. QualysGuard WAS 2.0 Application: WAS Dashboard. Dedicated dashboard for the WAS application: offers graph, chart and grid widgets for all WAS data points; provides a direct and global overview of the Web Application inventory; modular architecture allows seamless introduction of new widgets.
  31. QualysGuard WAS 2.0 Application: Web Application Catalog. Web Application Discovery and Management: automatically discover web applications using existing VM scan and map results; management workflows guide users to gather additional information and comments and associate them with the web application.
  32. QualysGuard WAS 2.0 Application: Web Application View. Web application full overview: web application summary and current security exposure; web application current vulnerabilities, sensitive contents and information gathered; associated scan results and schedules. All web application workflows directly available: Edit Settings; Launch Scan; Schedule scan…
  33. QualysGuard WAS 2.0 Application: Enhanced scan results. Interactive scan results: Vulnerabilities, Sensitive Contents and Information Gathered can be dynamically searched and filtered; better user experience that avoids scrolling through long results.
  34. QualysGuard WAS 2.0 Application: New Features & Enhancements. Management: User-Defined Password Bruteforcing Lists; full-text search in all datalists. Scan Workflows: relaunch scan workflow; include vulnerability count in scan summary emails. Scan Results: authentication status available immediately; integration of OWASP, WASC and CWE Ids; highlight proof in scan results.
  35. QG Malware Detection Service
  36. QualysGuard Malware Detection: Introducing the New FREE Malware Detection Service. Daily scans that provide immediate insight into malware issues; automated alerts; identifying vulnerable code snippets for quick and easy removal of malware.
  37. QualysGuard Malware Detection: Static and Behavioral Detection. Two-pronged approach for detecting malware: Static Analysis: using a “signature-based” approach, the service identifies potential source code that is typically used in malicious attacks. Behavioral Analysis: the service visits the web site with a vulnerable browser and operating system and runs tests to determine if the web site behaves outside of normal operating guidelines.
  38. QualysGuard Malware Detection: Identification of Malicious Code
  39. QualysGuard Malware Detection: Pricing and Availability. Pricing: FREE for ALL (up to 10 domains per user account). Availability: available today in Beta: http://www.qualys.com/STOPMALWARE
  40. QG Secure GO Service
  41. Qualys GO SECURE Service and Seal: Introducing
  42. Qualys GO SECURE Service and Seal: Types of Scans. ① Malware Detection (Daily): detects malicious software that could be hosted by the web site and infect visitors. ② Perimeter Scanning (Weekly): identifies externally facing vulnerabilities of the web server that could give attackers access to information stored on the host. ③ Web Application Scanning (Weekly): crawls and injects HTTP requests to the web application to identify vulnerabilities such as SQL injection and Cross-Site Scripting (XSS). ④ SSL Certificate Validation (Weekly): verifies the web site is using an up-to-date SSL certificate from a trusted certificate authority (CA) for encryption of sensitive information during online transactions.
  43. Qualys GO SECURE Service and Seal: Review and Remediation of Malware & Vulns
  44. Qualys GO SECURE Service and Seal: Qualys SECURE Seal, how it works. Merchant adds SECURE seal code to their web site to display the seal to visitors. Merchant schedules the scans to run automatically on the web site on a recurring basis (daily for malware, weekly for vulns and SSL cert validation); merchant is notified once malware or vulnerabilities are identified, or the SSL cert is no longer valid. Remediation and Removal: customer resolves the malware/vulnerabilities found to continually show the seal to customers; seal is removed within 72 hrs if malware or a critical vulnerability is identified; merchant can fix and rescan to revalidate the seal at any time.
  45. Qualys Freemium Services: more than just “free” services … freescan.qualys.com; www.qualys.com/stopmalware; www.ssllabs.com; https://browsercheck.qualys.com; https://community.qualys.com/docs/DOC-1351
  46. Q&A. Thank you. mskalicky@qualys.com