Qualys has announced the Qualys Enterprise TruRisk Platform at the Qualys Security Conference (QSC) taking place in Orlando, Florida. The announcement was made by CEO Sumedh Thakar during his keynote and in a blog.
Thakar told the audience, “Cybersecurity is at a crossroads because we cannot continue to do the same things that we have been doing because it’s going to give us the exact same result, which is just leading to a guaranteed increase in the amount of risk that we’re taking, the amount of threats that we are facing.”
What is the Enterprise TruRisk Platform?
According to Thakar, “The Qualys Enterprise TruRisk Platform aggregates cyber risk signals from a wide array of disparate sources and correlates them into measurable risk insights using the unified TruRisk risk scoring framework.”
Central to this is that the risk is tied to the assets an organisation has. Those assets, however, are constantly changing. This means TruRisk will have to identify and track existing assets and know when new assets appear. That is far more complex than it sounds, given that business units are constantly adding new assets outside of IT control.
In terms of the risk to those assets, TruRisk will use as many sources as can be provided. Those could include threat intelligence and alerts, CVSS notifications, patch notifications from vendors, and the enterprise's and Qualys' own systems.
How is the risk calculated?
Qualys is not giving away too much here. It talks openly about pulling in the most information possible and comparing that to the enterprise. In some ways, it could be argued that TruRisk is an extension of what Qualys has said for several years.
The challenge most organisations face is what to patch and when. If IT Ops teams were to patch everything as soon as a patch was issued, it would cause two problems. The first is constant disruption to the business from the patching process. The second is an inability to ensure that patching any one item will not have unintended consequences for something else.
What Qualys has consistently talked about is the need to prioritise patches based on risk. For most organisations, risk can be reacting to a vendor claim, a CVSS score, an article saying a vulnerability has been weaponised or any of several other factors. While these are all good reasons to act, they still need to be prioritised to understand how or if they affect the business.
In 2019, Qualys introduced Qualys Vulnerability Management, Detection and Response (VMDR). TruRisk appears to be the next step on from that. It is aimed at removing any questions over the risks and how to manage them.
What isn’t clear is how it assesses the risk. It appears, at first glance, to be using the asset register as a core component, and it integrates with the CMDB. The question with that is accuracy. Fixed assets on a register are relatively easy to track.
Software assets are not. This has to be about more than enterprise IT software solutions. It has to find and identify open-source software and all those low-code, no-code apps built by users. It has to identify all cloud assets being used by teams that have been acquired outside the standard IT process. Does it do that? We will have to wait for more information to find out.
What happens when the risk is assessed?
Interestingly, Qualys has designed TruRisk to make it easier for the business to understand the risks it finds. It provides the CISO with a dashboard in real-time that tracks TruRisk across the enterprise. More importantly, TruRisk delivers compliance reports that show risk. This is not a replacement for existing audit processes, but should be considered additional material.
TruRisk also automates the patching using its own risk-based patching approach. This includes the use of what the company terms AI-adaptive mitigation. It also has an integrated workflow for the IT Ops and Cyber teams. But should it also be extended to deal with other teams, such as data scientists and citizen developers building low-code, no-code applications?
Qualys also talks about the ability to continuously eliminate cyber-risk with minimal impact to the business. That is important. If the automation is to be trusted, it has to do no harm and only deliver benefits. The challenge here will be in the design and configuration of the processes and how the AI component assists with automation.
Enterprise Times: What does this mean?
Too many organisations struggle to know how to patch effectively. The IT Security team draws up its list of priorities and expects IT Ops to implement it. The question for many is, how accurate is that list from IT Security?
Even if the list is accurate, IT Ops has to deal with other priorities when patching. When is the patch available? How to mitigate if there is no patch? How long will it take to test the patch before pushing it into deployment? What is the likely downtime to apply the patch and how does that impact the priorities of the business?
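The prioritisation argument above (rank by risk rather than by CVSS alone) and the IT Ops question of what to do when no patch exists can be illustrated with a small worked example. This is added code, not Qualys' own scoring: the weighting is an assumed, illustrative scheme rather than the TruRisk formula, and the findings and CVE identifiers are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str               # constructed placeholder identifiers, not real CVEs
    cvss: float            # vendor-published base score
    exploited: bool        # threat intel says the flaw is weaponised
    patch_available: bool  # False means IT Ops must mitigate instead
    criticality: int       # 1 = disposable kiosk .. 5 = crown-jewel system

# Constructed sample findings for the example.
FINDINGS = [
    Finding("hr-db-01",    "CVE-0000-0001", 9.8, False, True,  5),
    Finding("kiosk-07",    "CVE-0000-0002", 9.8, False, True,  1),
    Finding("web-edge-02", "CVE-0000-0003", 7.5, True,  True,  4),
    Finding("vpn-gw-01",   "CVE-0000-0004", 8.1, True,  False, 5),
]

def risk_score(f: Finding) -> float:
    """Assumed illustrative weighting (not TruRisk): CVSS doubled when
    weaponised, then scaled by asset criticality (3 = an average asset)."""
    weaponised = 2.0 if f.exploited else 1.0
    return round(f.cvss * weaponised * (f.criticality / 3.0), 2)

def cvss_order(findings):
    """Naive ordering by CVSS only, for comparison (ties keep input order)."""
    return [f.asset for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

def prioritise(findings):
    """Split risk-ranked findings into a patch queue and a mitigate queue,
    so IT Ops sees what to patch now and what needs a compensating control."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    patch_queue = [f for f in ranked if f.patch_available]
    mitigate_queue = [f for f in ranked if not f.patch_available]
    return patch_queue, mitigate_queue

if __name__ == "__main__":
    print("CVSS-only order:", cvss_order(FINDINGS))
    patch, mitigate = prioritise(FINDINGS)
    print("patch queue:   ", [(f.asset, risk_score(f)) for f in patch])
    print("mitigate queue:", [(f.asset, risk_score(f)) for f in mitigate])
```

The two identical 9.8 scores come apart once asset criticality is applied, and the weaponised VPN gateway with no patch lands at the top of the mitigate queue rather than being lost in a CVSS-sorted list.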
What Qualys is offering with TruRisk is a solution that takes the guesswork out of what needs patching and when. It is also doing so continuously, which should, in theory, catch systems that suddenly become risky.
But there are hurdles to overcome, such as those associated with software, cloud and open-source sprawl. It needs to show how it will identify things that are not in the CMDB and how it will do so effectively. That does not take away from what it is offering here, which is, on the face of it, a hugely valuable solution.
We all need better and more effective patching and remediation, and Qualys is determined to be the vendor that helps deliver that.