Welcome to the Qualys VMDR training course.

1
To complete this course, you’ll need to download a couple of training documents:

1. The “VMDR Lab Tutorial Supplement” contains links that allow you to play the lab
tutorials for this course.
2. You can also download a copy of the course presentation slides.

Both documents are available in PDF file format from the Qualys Training and
Certification Portal (qualys.com/learning).

2
1. When you click the link to open a lab tutorial, it will open in your default web
browser. If you would like to play the tutorial in a different browser, you can copy
this link and paste it into the address field of another browser.

2. When the lab tutorial opens, click the icon in the upper-right corner to maximize
the tutorial window.

3. When you're ready to play the tutorial, click the start button.

3
To help introduce the agenda for this course, we’ll start with a quick review of the
Qualys Vulnerability Management, Detection and Response (VMDR) Lifecycle model.

The VMDR Lifecycle begins (step 1) by identifying and managing all assets
throughout your business or enterprise architecture. The basic principle here is that
you stand a much better chance of protecting assets that you know about and can
identify. You’ll find this very same step or principle in the CIS Critical Security Controls
as well as the NIST Cybersecurity Framework.

In steps two and three, your enterprise assets are analyzed for vulnerabilities,
which are then prioritized by various criteria, including severity levels as well as
known or existing threats.

In the final step of the VMDR Lifecycle (step 4), Qualys Patch Management (PM)
allows you to respond to detected vulnerabilities and threats within days or even
hours, rather than weeks or months.

The agenda for this course is designed to follow these four steps in sequence.

4
We’ll begin our discussion with an overview of Qualys' comprehensive framework of
sensors that collect asset data and telemetry. We’ll then explore the way collected
data is categorized, normalized, and enriched in the Qualys Global IT Asset Inventory
(AI) application.

From there we'll talk about assessing your asset inventory for vulnerabilities and
managing vulnerability findings.

We'll then move to the VMDR Prioritization Report and use Real-Time Threat
Indicators (and other options) to prioritize discovered vulnerabilities and focus on the
ones that really matter.

Finally, we’ll finish our VMDR discussion within the Qualys Patch Management
application, where we'll take a closer look at the patch catalog, patch assessments
and patch jobs.

The flow of our discussion today will begin with asset discovery and asset inventory,
then illustrate the path and progress through vulnerability assessment and
prioritization, ending with patching and remediation.

5
While this course focuses on four applications, a quick overview of the other Qualys
applications that play a role within the VMDR Lifecycle, will be provided near the end
of this course. You’ll also find this “additional” application information in Appendix A
of the Lab Tutorial Supplement.

6
VMDR is more than just a collection of applications. It’s a framework of sensors and
back-end services, designed to continuously monitor and collect your asset telemetry.

This section provides an overview of the various Qualys Sensors that capture and
collect asset data and telemetry.

Objective:
1. Identify the numerous sensors within Qualys’ Comprehensive Framework of
Sensors.
2. Understand the basic function of each sensor.

7
Modern-day IT environments have come a long way since the use of time-sharing
terminals connected to large mainframe systems.

On-premise assets can consist of physical, bare-metal systems or virtual machines
running on hypervisor platforms. Businesses and organizations have extended their
systems and networks into the cloud (IaaS, PaaS), and mobile devices are everywhere.

The Internet of Things (IoT) has changed the landscape of many businesses and
industries. IP-enabled networks now connect the operational technology (OT) side of
business with the information technology (IT) side; creating a convergence of even
more data, processes and systems.

And on top of that, all these systems and assets have their own unique inventory of
software applications and services.

The complex and dynamic nature of modern IT environments increases the risk of
missing assets living within, or connected to, your business or enterprise architecture.

8
To help you identify and secure the assets within your business and enterprise
architecture, Qualys provides a comprehensive framework of sensors, including:

§ Hardware-based as well as virtual scanner appliances.
§ Qualys Cloud Agents, which install as a local system service on the host they
protect.
§ Qualys Passive Sensors, which collect asset telemetry through network switches
and TAPs.
§ Cloud Connectors, which collect asset and configuration metadata from your cloud
platform accounts, such as Amazon Web Services, Microsoft Azure and Google
Cloud Platform.
§ Container Sensors, which are container applications that install alongside other
container applications to monitor images and containers on Docker hosts and registries.
§ Out-of-band sensors, which help to secure devices on air-gapped networks.
§ The Qualys Application Programming Interfaces (APIs), which share metadata between
the Qualys Platform and ServiceNow CMDBs.

All of these sensors come together, into one comprehensive framework to help you
stay on top of today's Hybrid IT Environments.

9
We'll begin our discussion of Qualys sensors, with Qualys Scanner Appliances.

10
Presently, Qualys scanner appliances are available in three different varieties: 1)
Internet-based appliances located within the Qualys Cloud Platform, 2) Hardware-
based appliances, and 3) Virtual Scanner Appliances.

The Qualys Cloud “Internet-based” scanners are accessible to Qualys user accounts
that have scanning privileges. These appliances are ideal for targeting and scanning
Internet-facing assets.

Both hardware-based and virtual scanner appliances can be deployed throughout
your network and enterprise architecture. Qualys Virtual Scanner Appliances are
available for multiple hypervisor and cloud platforms.

11
For more information and details about scanner appliance deployment and usage,
enroll in the “Qualys Scanning Strategies & Best Practices” self-paced training course.

12
Our next sensor is the Qualys Cloud Agent.

13
Cloud Agents can be installed on host assets running Cloud Agent supported
operating systems.

For a complete list of supported operating systems, see the Cloud Agent Getting
Started Guide: https://www.qualys.com/docs/qualys-cloud-agent-getting-started-guide.pdf

14
An agent installs as a local system service on the host it protects.

Once an agent is successfully installed on a host, it will build a snapshot of the data
that is needed by the Qualys applications you have successfully activated.

The agent sends its snapshots to the Qualys Cloud for processing, where assessments
and testing are performed.

While Qualys Scanner Appliances have a “remote” perspective of the assets you scan,
Qualys Cloud Agent provides a “local” perspective of its host.

15
Those who have been working with Cloud Agent for a while, are typically accustomed
to downloading and installing agents from the Qualys Cloud Agent application.

With Qualys VMDR, you now have one more place, the VMDR Welcome Page, to
download and install agents.

16
Your first lab tutorial today, will highlight the steps of downloading agents from the
VMDR “Welcome” page.

For those already accustomed to downloading and installing agents, you won’t see
much difference between the VMDR “Welcome” page and the Cloud Agent
application; however, one distinction between these two approaches will be
highlighted at the end of the tutorial.

17
As was demonstrated in the very last lab tutorial, the VMDR Welcome page uses the
Default VMDR Activation Key.

18
The VMDR “Welcome” page also provides the option to configure agent Activation
Keys for use with VMDR. You’ll typically see this option, if your account has multiple
Activation Keys.

19
Using the "Upgrade" option on a selected Activation Key will ensure that the Patch
Management (PM), Vulnerability Management (VM), and Security Configuration
Assessment (SCA) modules are added. All Activation Keys include the Asset Inventory
(AI) application, by default.

20
This lab demonstrates how the Activation Key upgrade process works.

21
As was demonstrated in the lab tutorial, you can replace the Security Configuration
Assessment module (within an Activation Key) with the Policy Compliance module.

Typically, you'll want to avoid including both modules (SCA and PC) in the same
activation key.

A better strategy is to create separate activation keys; one for Security Configuration
Assessment and another for Policy Compliance.

22
Design and build Activation Keys around related groups of assets or subnets within
your network or enterprise architecture. Assign a “static” tag to each agent Activation
Key to easily locate the agent hosts it will deploy.

You can then use asset Tags (assigned to agent Activation Keys) to assign patching
licenses to specific hosts and ensure these hosts are correctly assigned to their
Configuration Profile, Patch Assessment Profile, and Patch Jobs.

BEST PRACTICE: Use this strategy to assign agent host assets to their appropriate
profiles, licenses, and jobs, at the time of agent deployment.

23
For more information and details on downloading and deploying agents, please
check-out the Cloud Agent Self-paced Training Course.

24
We'll now look at Qualys Passive Sensor.

If you have ever worked with a packet sniffing application like Wireshark or tcpdump,
you already understand the tremendous amount of data that can be collected by a
network adapter operating in “promiscuous” mode. This is the basic concept behind
Qualys’ Passive Sensor. Simply deploy passive sensors at strategic network locations
to begin monitoring network traffic and conversations.

An important advantage to capturing network traffic comes from the bonus
information collected from network conversations (conversations between two
communicating hosts). A passive sensor not only sees the network traffic from
“managed” assets (within your account), but it also sees traffic from other host assets
and services that are attempting to communicate with your “managed” host assets
(including communications coming from unknown assets).

26
Qualys Passive Sensor sends collected data to the Qualys Cloud Platform for analysis.

Newly discovered assets (those that are not already in your account) are separated
from your managed assets and placed in the "Unmanaged" section of the Qualys Asset
Inventory application.

Newly collected data can be merged with an existing asset's data only when:
both the IP address and the MAC address have been successfully matched, or
both the IP address and the hostname have been successfully matched.
An IP address match on its own is not enough to merge.

**NOTE: A single asset can potentially have multiple interfaces.
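As an added illustration (example code, not part of the course or of the Qualys product), the merge rule above applied to a few constructed passive-sensor observations. The asset and interface records, the MAC and hostname normalization, and the decision to test the rule against every interface of a multi-homed asset are assumptions made for the example:

```python
# Added example, not Qualys code: the passive-sensor merge rule described above,
# applied to constructed observations. Assumption: an observation is merged into a
# managed asset when any one of that asset's interfaces matches on IP+MAC or on
# IP+hostname; anything else is "Unmanaged".
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Interface:
    ip: str
    mac: Optional[str] = None
    hostname: Optional[str] = None


@dataclass
class Asset:
    name: str
    interfaces: List[Interface] = field(default_factory=list)


def _norm_mac(mac: Optional[str]) -> Optional[str]:
    # Sensors and agents report MACs in different notations; compare canonically.
    return mac.lower().replace("-", ":") if mac else None


def _norm_host(host: Optional[str]) -> Optional[str]:
    # Case-insensitive, and ignore a trailing dot from DNS-derived names.
    return host.lower().rstrip(".") if host else None


def interface_matches(known: Interface, seen: Interface) -> bool:
    """Either merge condition: IP+MAC, or IP+hostname. IP alone never merges."""
    if known.ip != seen.ip:
        return False
    if seen.mac and _norm_mac(known.mac) == _norm_mac(seen.mac):
        return True
    if seen.hostname and _norm_host(known.hostname) == _norm_host(seen.hostname):
        return True
    return False


def find_merge_target(seen: Interface, managed: List[Asset]) -> Optional[str]:
    """Name of the managed asset to merge into, or None (goes to Unmanaged)."""
    for asset in managed:
        if any(interface_matches(iface, seen) for iface in asset.interfaces):
            return asset.name
    return None


# Constructed sample inventory: a dual-homed database server and one laptop.
MANAGED = [
    Asset("db01", [
        Interface("10.0.1.10", "00:11:22:33:44:55", "db01.corp.example"),
        Interface("10.0.2.10", "00:11:22:33:44:56", "db01.corp.example"),
    ]),
    Asset("lap07", [Interface("10.0.5.7", "AA:BB:CC:DD:EE:FF", "lap07.corp.example")]),
]

# Constructed observations, as a passive sensor might report them.
OBSERVATIONS = [
    Interface("10.0.2.10", mac="00-11-22-33-44-56"),                      # IP+MAC on 2nd NIC -> db01
    Interface("10.0.1.10", hostname="DB01.corp.example."),                 # IP+hostname -> db01
    Interface("10.0.5.7", mac="AA:BB:CC:00:00:00"),                        # IP matches, MAC does not -> unmanaged
    Interface("10.0.9.9", mac="DE:AD:BE:EF:00:01", hostname="rogue-ap"),   # nothing known -> unmanaged
]


def triage(observations=OBSERVATIONS, managed=MANAGED) -> Dict[str, object]:
    """Split observations into merges (by target asset) and Unmanaged entries."""
    merged: Dict[str, List[str]] = {}
    unmanaged: List[str] = []
    for obs in observations:
        target = find_merge_target(obs, managed)
        if target is None:
            unmanaged.append(obs.ip)
        else:
            merged.setdefault(target, []).append(obs.ip)
    return {"merged": merged, "unmanaged": unmanaged}


if __name__ == "__main__":
    print(triage())
```

The third observation is the case worth noticing: the IP belongs to a managed laptop, but the MAC differs and no hostname was seen, so the record lands in Unmanaged rather than silently overwriting the laptop's data.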

27
In the "Unmanaged" assets section of Qualys Asset Inventory, confidence levels are
provided for the Operating Systems and Hardware devices, that are identified.

You can use the “Feedback” option, from the “Quick Actions” menu of an unmanaged
asset, to help Qualys researchers determine the accuracy of operating system and
hardware findings.

28
Passive Sensors can be deployed as a physical appliance or a virtual appliance. This
illustration depicts a physical appliance.

There are two interfaces: one for management and one for “sniffing” traffic.

The Management interface is used to send collected data back to the Qualys
Platform. This interface gets an IP address.

The traffic sniffing interface connects to the SPAN port of a network switch or to a
network TAP. This interface doesn’t get an IP address.

Connecting a passive sensor to a network TAP is best when monitoring traffic
between two central traffic hubs (point A and point B), while a SPAN port allows the
sensor to potentially capture all traffic passing through a single network switch. A
combination of both technologies (TAPs and SPAN ports) is common.

29
Presently virtual appliances can be deployed on a VMware ESXi server or a Microsoft
Hyper-V Server.

Like the physical appliance, there are two interfaces, one for management, one for
sniffing network traffic. The management interface receives an IP address and the
sniffing interface does not.

Both Management and Sniffing interfaces are bound to physical interfaces on the
virtual server, via virtual switches.


30
You'll find details for setting-up and configuring Qualys Passive Sensor, in the Global IT
Asset Inventory and Management Self-Paced Training course.

31
Our next sensor is Qualys Cloud Connector.

You can configure Cloud Connectors for your AWS, Google Cloud, and
Microsoft Azure accounts. Cloud Connectors will then enumerate the cloud
instances associated with your AWS, Google, and Microsoft accounts, along
with pertinent metadata and configuration settings.

There's a section in your lab tutorial supplement that will show you an easy
way to search your asset inventory for AWS, Azure, and Google cloud
instances.

AWS - inventory.source:INSTANCE_ID
Azure – inventory.source:VIRTUAL_MACHINE_ID
Google – inventory.source:GCP_INSTANCE_ID

The Qualys Security Configuration Assessment (SCA) application leverages “out-of-box”
policies to help you identify and correct AWS, Azure and Google account
misconfigurations.

33
Next is Qualys Container Sensor.

Qualys Container Sensor downloads as a Docker image and is installed on a Docker host
as a container application, right alongside other container applications.

Once installed, Container Sensor will assess all new and existing Docker images and
containers for vulnerabilities.

Presently, there are 3 different types of Container Sensors:

1. A General Sensor will scan images and containers on a single Docker host.
2. A Registry Sensor will scan images in public and private Docker registries.
3. A CI/CD Pipeline Sensor (also referred to as a "Build" sensor) scans images
within your DevOps CI/CD pipeline projects, allowing you to identify and correct
vulnerable images during the build process.

Integrations with Jenkins and Bamboo are presently supported by the Qualys Container
Security application.

Another feature in the Qualys Container Security application is Container Runtime
Security, which provides runtime visibility and protection for container applications.

This is achieved by instrumenting images with Qualys Container Security components
to gather functional and behavioural data about the container’s running processes,
thereby allowing you to create rules and policies that actively block or prevent
unwanted actions or events.

As one example, you could build a policy that prohibits access to sensitive system
files, such as the shadow or passwd files on a Linux host.

The Container Runtime Security instrumenter supports the following registries for
instrumentation:
Public registries: Docker Hub
Private registries: v2-private registry: JFrog Artifactory (secure: auth + https)

We use an application-native instrumentation process that provides complete
visibility of the application inside the container. The instrumentation is very
lightweight and provides configurable data collection options with low or no impact on
container applications.

36
Check-out the Container Security Self-Paced Training course for more information on
Container Sensors.

37
A significant advantage gained from Qualys’ comprehensive framework of sensors
comes from the all-inclusive asset inventory that you acquire when all the collected
data and telemetry are fed into the Qualys Global IT Asset Inventory application.

Objectives:
1. Understand how the Qualys Global IT Asset Inventory application categorizes,
normalizes, and enriches the raw data collected by Qualys Sensors.
2. Use the Global IT Asset Inventory application to search and manage your asset
and software inventory.

38
Qualys Asset Inventory (AI) collects and aggregates asset data and telemetry from all
sensors within our comprehensive framework. AI collects the raw data that would
meet many of your existing asset discovery and inventory needs, but it doesn't stop
there. It goes numerous steps further by categorizing, normalizing, and enriching the
raw data that is collected.

39
Here is just one example of the categorization and enrichment activities, performed
by Qualys Asset Inventory. In this case, we have a Dell computer (R510), running an
IBM AIX operating system, which is hosting a MySQL Server. This is the information
collected from Qualys sensors and sent to our cloud platform.

Qualys Asset Inventory takes this data and breaks it down by manufacturer, owner,
product, version, and so on. Notice the "Category" row at the very top. Operating
systems, hardware devices, and software applications are categorized using a 2-tier
or 2-level taxonomy. The level-1 category for the OS is UNIX, and the level-2 category
is Server. Level-2 categories are subsets of the level-1 categories. In a moment,
we’ll look at some category examples and demonstrate how you can leverage this
information when performing asset searches and queries.

Finally, OS, hardware, and software data is enriched with lifecycle stage and
support information. This information is not only important from a security
perspective, it's also useful to the people in your company who are tasked with
hardware and software budgeting and procurement.

Notice the row at the very bottom. Qualys Asset Inventory distinguishes between
commercial and open-source software.

40
The hardware, operating system, and software categories can be handy when
performing asset searches within the Asset Inventory application.

In this example, we're looking at hardware categories. To construct a query, identify a
hardware category token, followed by a targeted value. You can use
hardware.category1 and a category1 value, hardware.category2 and a category2
value, or you can combine category1 and category2 using the "hardware.category"
token (a slash character must separate the category1 and category2 values).

The first illustration depicts a “hardware.category1” query for all networking devices.

The second illustration depicts a “hardware.category2” query just for switch devices.

The third illustration depicts a plain “hardware.category” query for virtual devices
that are cloud-based (notice the slash that separates the category1 and category2
values).

In a moment, we'll take a look at a simple way to identify all the hardware.category1
and hardware.category2 values in your account.

41
If you would like to identify all the hardware categories in your account, navigate to
the "Assets" tab (within Qualys Asset Inventory) click "Group Assets by," select
Hardware and then Category.

42
The Lifecycle stage information for hardware includes: General Availability,
End of Sale, and Obsolete (which is equivalent to End of Service).

The term "Obsolete" was chosen, because the acronym for End of Service
(EOS) is the same as End of Sale, which would create a conflict.

Values for the hardware.lifecycle.stage token include: EOS, GA, INTRO, Not
Applicable, OBS, Unknown

43
In this example we have operating system categories.

OS category queries are similar to the hardware category queries just demonstrated.

The first illustration depicts an “operatingSystem.category1” query for Windows
assets.

The second illustration depicts an “operatingSystem.category2” query just for client
hosts.

The third illustration depicts a plain “operatingSystem.category” query for
Linux-based servers (notice the slash that separates the category1 and category2 values).

44
If you would like to identify all the OS categories in your account, navigate to the
"Assets" tab (within the “Inventory” section) click "Group Assets by," select Operating
System and then Category.

45
Software category queries are also like hardware and OS queries, with one small
exception.

Notice the parentheses that surround the category and value.

The first illustration depicts a “software:(category1” query for security applications.

The second illustration depicts a “software:(category2” query just for endpoint
protection applications.

The third illustration depicts a plain “software:(category” query for relational
database management systems (notice the slash that separates the category1 and
category2 values).

46
If you would like to identify all the Software categories in your account, navigate to
the ”Software" tab (within the “Inventory” section) click "Group Software by," and
select Category.

47
OS & SOFTWARE LIFECYCLE
General availability (GA) - When the product became available for purchase.
End-of-Life (EOL) - No longer marketing, selling, building new features, or
promoting product (Security patches may still be provided).
End-of-Service (EOS) - Date product is no longer serviced via upgrades,
patches, or maintenance.

Values for the “operatingSystem.lifecycle.stage” token include: EOL,
EOL/EOS, GA, Not Applicable, Unknown

Values for the “software:(lifecycle.stage” token include: EOL, EOL/EOS, GA, Not
Applicable, OS Dependent, Unknown

48
It is quite possible to find OS and hardware values of Unidentified or Unknown.

If an operating system or hardware device is displayed as Unidentified, not enough
data was discovered and collected to make a determination.

To help reduce the number of "Unidentified" values in your account, be sure to
perform scans in "authenticated" mode and ensure your scan traffic is not obstructed
by network filtering devices.

If an OS or hardware device is displayed as Unknown, Qualys researchers have yet to
add that OS or hardware information to the asset catalog.

49
It's common to find unidentified assets within the "Unmanaged" assets section of the
Asset Inventory application. For this reason, Qualys adds confidence levels (low,
medium, high) to the Operating System and Hardware columns. Remember, you can
use the “Quick Actions” menu of any unmanaged asset, to provide feedback to
Qualys researchers.

In this illustration, an OS name for the second asset is displayed, but its hardware is
“Unidentified.”

50
It is also common for products to undergo rebranding or name changes throughout
their lifespan. This illustration depicts the name changes and rebranding that
occurred when Microsoft acquired Skype. Skype for Business (formerly Microsoft
Lync and Office Communicator) was eventually discontinued in favor of Microsoft
Teams.

Even without rebranding or name changes, some products simply have variations in
the names that are used to identify them.

Qualys Asset Inventory is designed to recognize these changes and variations and
make any necessary adjustments.

51
Asset Tags are now a part of the Qualys Asset Inventory application, and with the new
Asset Inventory rule engine, you can build and create Asset Tags using Asset Inventory
queries and query tokens, including the “hardware.category,”
“operatingSystem.category” and “software:(category” tokens.

Other dynamic rule engines are also available.

52
From the Asset Inventory application, create a dynamic Asset Tag using the “Asset
Inventory” rule engine.

software:(category:Databases / RDBMS)

53
Traditionally, the Qualys API has been used to extract data from the Qualys Cloud
Platform, data which is then consumed by your third-party applications. However,
with the ServiceNow CMDB Sync App, metadata can move in both directions.

Asset metadata synchronization is performed only for assets already in both Qualys
and ServiceNow (i.e., not for new asset discovery).

Qualys Asset Inventory can benefit from metadata in the ServiceNow CMDB, and
ServiceNow can benefit from Qualys categorization, normalization, and data
enrichment.

For a detailed description of the Asset Inventory CMDB Sync App, go here:
https://www.qualys.com/docs/qualys-asset-inventory-cmdb-sync.pdf

54
For complete details on managing your asset inventory, enroll in the “Global IT
Asset Inventory and Management Self-Paced Training” course
(qualys.com/learning).

55
56
Once the assets within your network and enterprise architecture have been
successfully identified, Qualys VMDR then allows you to assess host assets for
vulnerability findings.

Objectives:
1. View, query, and identify the vulnerability findings produced by Qualys Scanner
Appliances and Qualys Cloud Agents.
2. Respond to vulnerability findings from within the Qualys Global IT Asset Inventory
application and VMDR.

To perform assessments that identify vulnerability findings, deploy Qualys Scanner
Appliances, Qualys Cloud Agents, or both.

It is very common for businesses and organizations to use both scanners and agents
for this purpose.

58
With Qualys VMDR you're no longer restricted to patching by OS or patching by
subnet.

All vulnerability findings are matched with their associated severity level, CVSS
score, CVE ID, available patches, known exploits, and more, giving you the ability
to prioritize patching and mitigation tasks by any combination of these criteria.

As you will soon see, the VMDR Prioritization Report will add even more useful
prioritization and patching options.

59
Vulnerability findings can be viewed in multiple Qualys applications.

Qualys Asset Inventory, allows you to view the vulnerability findings of a selected
host asset and even provides patching and response options.

Using Qualys Asset Inventory, you can deploy patches on an asset-by-asset basis.

60
The VULNERABILITIES section in Qualys VMDR will allow you to deploy patches for
many host assets, simultaneously.

To deploy patches for discovered vulnerabilities, the discovered vulnerabilities must
first be patchable (notice the query condition in this illustration that uses the
qualysPatchable query token).

vulnerabilities.vulnerability.qualysPatchable:TRUE

Also, only host assets running Qualys Cloud Agent are eligible to receive
patches. Cloud Agent is the mechanism used by the Qualys Platform to
deploy patches.

61
This lab tutorial will walk you through the steps to deploy patches from the
VULNERABILITIES section of VMDR.

62
For complete details on assessing and managing vulnerabilities, enroll in the
VM, SSBP and RSBP Self-Paced Training courses (qualys.com/learning).

63
As you saw (in the last lab tutorial) the VULNERABILITIES section of VMDR allows you
to view and patch vulnerabilities, using various search criteria.

In this section we’ll extend those capabilities using the VMDR Prioritization Report.

Objectives:
1. Identify and understand the different components of a VMDR Prioritization
Report.
2. Use the VMDR Prioritization Report to respond to vulnerability findings and
patch vulnerabilities.
3. Learn to use Dashboards and Widgets to monitor vulnerability findings.
4. Create a dashboard widget from the VMDR Prioritization Report.

The VMDR Prioritization Report is designed to help you prioritize and patch
vulnerabilities, using multiple factors, including: Asset Context, Vulnerability
Age, Threat Intelligence, and Attack Surface dynamics.

65
Not all assets within your business or enterprise architecture are the same. Some
assets are considered critical, others are not. Different assets perform different
functions (they provide different services) and are impacted by different
vulnerabilities and threats.

The very first step in building a Prioritization Report provides context by targeting
specific host assets. This is where the Asset Tags you create play a very important
role.

The "Asset Inventory" rule engine that applies tags based on hardware, OS, and
software categories can be very useful here.

You'll want to keep the Prioritization Report in mind when building and designing
Asset Tags for your Qualys account.

Adding more than one tag combines them with an OR operator: an asset only needs to
match one of the selected tags to be included.

66
In the next few slides, we'll break-down the priority options by vulnerability age,
Real-Time Threat Indicators and Attack Surface.

67
When prioritizing vulnerabilities by age, you have the options of “Detection
Age” or “Vulnerability Age.”

Detection Age is calculated as the number of days since a vulnerability scan
discovered or detected the presence of a vulnerability. Vulnerability scans are
performed by Qualys Scanners and Agents.

Vulnerability Age is calculated as the number of days since a vulnerability
was published to the Qualys KnowledgeBase.

Notice the different perspectives we get in this illustration. Detection Age
depends heavily on the frequency with which you scan, and in this case all
vulnerabilities are recent discoveries, while Vulnerability Age may provide a
better measurement of a vulnerability's real risk to an asset.

68
The Qualys Threat Protection application (which is part of VMDR) provides Real-Time
Threat Indicators to the Prioritization Report that will help you identify the potential
impact of discovered vulnerabilities, as well as vulnerabilities that have known or
existing threats.

Simply select the threat indicators you want to use to prioritize vulnerabilities.

If you select multiple threat indicators, be sure to select the appropriate logical
operator in the upper-right corner.

Match Any == OR
Match All == AND

69
Potential Impact Real-Time Threat Indicators include:
1. High Data Loss
2. High Lateral Movement
3. Wormable
4. Denial of Service
5. Patch Not Available
6. Privilege Escalation
7. Unauthenticated Exploitation
8. Remote Code Execution

70
Active Threat Real-Time Threat Indicators include:
1. Active Attacks
2. Malware
3. Zero Day = Actively Attacked + Patch Not Available
4. Public Exploit
5. Predicted High Risk
6. Easy Exploit
7. Exploit Kit

71
The Attack Surface options provide one more place to apply asset context to
Prioritization Reports.

Running Kernel: It is common for Linux-based host assets to have more than one
kernel; however, only one kernel can run at a time. Leave this option on to focus on
the kernel that is running.

Running Service - likewise, leave this option on to focus on services that are running.

Not Mitigated by Configuration - Some vulnerabilities (in the Qualys KnowledgeBase)
can be mitigated (or made unexploitable) by making a configuration change to the
host system. Leave this option "ON" to focus on all the other vulnerabilities NOT
mitigated by configuration changes.

Remotely Discoverable - The Qualys KnowledgeBase contains some vulnerabilities
identified as "Remote Only." These vulnerabilities are discovered remotely (via Qualys
scanners) without the use of authentication. Turning this option on will cause your
report to focus only on these remotely discoverable vulnerabilities.

Internet Facing Only - Likewise, if you want the report to focus only on Internet-facing
host assets (those with public IPs), you can turn on the "Internet Facing Only" option.
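As an added illustration (example code, not part of the course or of the Qualys product), the filter stages just described, from asset context through vulnerability age, Real-Time Threat Indicators and the Attack Surface toggles, modelled as a single pass over constructed findings, with the patchable-and-agent check from the VULNERABILITIES section applied at the end for the Patches view. The record fields, sample QIDs, tag names, the "at least N days" age bucket, and the order in which the checks run are assumptions made for the example; the OR/AND semantics and the Zero Day derivation are taken from the slides:

```python
# Added example, not Qualys code: the Prioritization Report's filter stages modelled
# over constructed findings. Field names, QIDs, tag names and the ordering of the
# checks are my own; the logic follows the slides: asset tags are OR'd, age is
# measured from detection or from KnowledgeBase publication, RTIs use Match Any
# (OR) or Match All (AND), Zero Day is derived from Active Attacks + Patch Not
# Available, the attack-surface toggles narrow further, and the Patches view keeps
# only patchable findings on Cloud Agent hosts.
from dataclasses import dataclass, field
from datetime import date
from typing import List, Set, Tuple


@dataclass
class Asset:
    name: str
    tags: Set[str]
    has_agent: bool
    internet_facing: bool


@dataclass
class Finding:
    asset: Asset
    qid: int
    published: date                 # KnowledgeBase publication -> Vulnerability Age
    detected: date                  # first detection by scanner/agent -> Detection Age
    rtis: Set[str]
    running_kernel: bool = True
    running_service: bool = True
    mitigated_by_config: bool = False
    remote_only: bool = False
    patchable: bool = False


@dataclass
class Options:
    tags: Set[str] = field(default_factory=set)
    age_basis: str = "vulnerability"    # or "detection"
    min_age_days: int = 0               # assumption: one "at least N days old" bucket
    rtis: Set[str] = field(default_factory=set)
    match_all: bool = False             # False = Match Any (OR), True = Match All (AND)
    running_kernel: bool = True
    running_service: bool = True
    not_mitigated: bool = True
    remotely_discoverable: bool = False
    internet_facing_only: bool = False


def effective_rtis(f: Finding) -> Set[str]:
    """Zero Day is not stored; it is Active Attacks + Patch Not Available."""
    rtis = set(f.rtis)
    if {"Active Attacks", "Patch Not Available"} <= rtis:
        rtis.add("Zero Day")
    return rtis


def prioritize(findings: List[Finding], opt: Options, today: date) -> List[Finding]:
    kept = []
    for f in findings:
        if opt.tags and not (opt.tags & f.asset.tags):          # asset context: tags OR'd
            continue
        start = f.detected if opt.age_basis == "detection" else f.published
        if (today - start).days < opt.min_age_days:
            continue
        if opt.rtis:
            have = effective_rtis(f)
            hit = opt.rtis <= have if opt.match_all else bool(opt.rtis & have)
            if not hit:
                continue
        if opt.running_kernel and not f.running_kernel:
            continue
        if opt.running_service and not f.running_service:
            continue
        if opt.not_mitigated and f.mitigated_by_config:
            continue
        if opt.remotely_discoverable and not f.remote_only:
            continue
        if opt.internet_facing_only and not f.asset.internet_facing:
            continue
        kept.append(f)
    return kept


def patches_view(findings: List[Finding]) -> List[Finding]:
    """Only patchable findings on Cloud Agent hosts can go into a patch job."""
    return [f for f in findings if f.patchable and f.asset.has_agent]


# Constructed sample data.
TODAY = date(2024, 6, 1)
WEB = Asset("web-01", {"Linux Servers", "Internet Facing"}, has_agent=True, internet_facing=True)
DB = Asset("db-01", {"Linux Servers"}, has_agent=False, internet_facing=False)
PC = Asset("pc-42", {"Workstations"}, has_agent=True, internet_facing=False)
FINDINGS = [
    Finding(WEB, 91001, date(2024, 1, 15), date(2024, 5, 30),
            {"Remote Code Execution", "Active Attacks", "Patch Not Available"}, remote_only=True),
    Finding(WEB, 91002, date(2024, 5, 20), date(2024, 5, 30), {"Public Exploit"}, patchable=True),
    Finding(DB, 91002, date(2024, 5, 20), date(2024, 5, 28), {"Public Exploit"}, patchable=True),
    Finding(DB, 91003, date(2023, 3, 1), date(2024, 5, 28), {"Privilege Escalation"}, running_kernel=False),
    Finding(PC, 91004, date(2024, 4, 1), date(2024, 5, 31), {"Easy Exploit", "Malware"},
            mitigated_by_config=True, patchable=True),
]


def run(opt: Options, view: str = "vulnerabilities") -> List[Tuple[str, int]]:
    """(asset, QID) rows for the Vulnerabilities view, or the Patches view."""
    rows = prioritize(FINDINGS, opt, TODAY)
    if view == "patches":
        rows = patches_view(rows)
    return [(f.asset.name, f.qid) for f in rows]


if __name__ == "__main__":
    print(run(Options(tags={"Linux Servers"}, min_age_days=30, rtis={"Zero Day", "Public Exploit"})))
```

Two things the sample data is built to show: the same QID on the database server survives the Vulnerabilities view but drops out of the Patches view because that host has no Cloud Agent, and the workstation finding disappears under the default "Not Mitigated by Configuration" toggle even though it carries active-threat indicators.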

72
Once you establish your priority options, click the Prioritize Now button to build your
report.

By default this report will produce a list of vulnerabilities that match your priority
options. If you adjust any of the priority options, the report will be automatically
updated.

You can also toggle the report view between Vulnerabilities, Patches, and Assets.

The Prioritization Report provides the option of patching vulnerabilities individually,
or you can add all Available Patches to a new or existing patch job.

Remember, not all vulnerabilities are patchable. We’ll come back to this point during
our Patch Management discussion.

73
From the PRIORITIZATION section of Qualys VMDR, build a new Prioritization Report.

74
Qualys VMDR comes with an extensive library of Dashboards and Widgets that allow
you to monitor your assets, vulnerabilities and mitigation progress.

75
You can use the out-of-box Dashboard and Widget Templates or you can create your
own custom Dashboards and Widgets.

You can even create Dashboard Widgets from the VMDR Prioritization reports you
build.

76
Widget Types:
1. Count
2. Table
3. Column
4. Pie

77
The count widget is especially useful, because it can be designed to change color,
when specific threshold conditions are met.

In this example we're comparing the result set of high severity vulnerabilities (in the
initial query) to the result set of all vulnerabilities (in this case all severity levels) in
the reference query.

This comparison produces a percentage, which is then compared to a threshold level
you configure, to change the widget color.

Note: if you do not include a reference query, ALL vulnerabilities will be used by
default, as the reference query (demonstrated in the next lab tutorial).
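The count widget's colour rule is a small computation: initial count divided by reference count, expressed as a percentage and compared against thresholds. The Python below is an added example for this page, not Qualys widget code; the detection records, the severity sets and the (upper bound, colour) threshold shape are constructed for illustration. Passing no reference query counts all vulnerabilities, mirroring the default described above.

```python
# Constructed detection records: (QID placeholder, Qualys severity 1..5).
DETECTIONS = [
    (900001, 5), (900002, 4), (900003, 3), (900004, 2),
    (900005, 1), (900006, 5), (900007, 3), (900008, 1),
]


def run_query(detections, severities=None):
    """Stand-in for a widget query: count detections whose severity is in
    `severities`; None means no severity filter (all vulnerabilities)."""
    return sum(1 for _, sev in detections if severities is None or sev in severities)


def count_widget(detections, initial_severities, reference_severities=None,
                 thresholds=((15.0, "green"), (40.0, "amber")), default="red"):
    """Evaluate a count widget: initial count / reference count as a percentage,
    then map the percentage to a colour. `thresholds` is an assumed shape for
    this example: (upper bound, colour) pairs in ascending order; percentages at
    or above the last bound get `default`."""
    initial = run_query(detections, initial_severities)
    # No reference query given: ALL vulnerabilities are the reference, as the slide notes.
    reference = run_query(detections, reference_severities)
    percent = 0.0 if reference == 0 else 100.0 * initial / reference
    colour = default
    for bound, name in thresholds:
        if percent < bound:
            colour = name
            break
    return {"count": initial, "reference": reference,
            "percent": round(percent, 1), "color": colour}


if __name__ == "__main__":
    print(count_widget(DETECTIONS, {4, 5}))            # high severity vs all
    print(count_widget(DETECTIONS, {4, 5}, {3, 4, 5}))  # high severity vs medium and above
```

Note the zero-reference guard: a widget over an empty asset scope should render as "nothing found" rather than raise a division error.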

78
After building a Prioritization Report, simply click the "Export to Dashboard" button to
build a Prioritization Report Widget and then add it to an existing Dashboard.

The resulting widget is dynamic, and it will be updated as conditions change.

This type of functionality is expanding within the Qualys UI. You can create similar
widgets in other Qualys applications and display them together in Qualys’ Unified
Dashboard.

79
In this lab tutorial you’ll create a Dashboard from scratch and add a count widget.
NOTE: The count widget will use a default reference query rather than having you
build one.

80
In this section, we’ll examine the requirements and steps for activating and setting up
Qualys PM.

Objectives:
1. Identify the requirements for using the Qualys Patch Management application.
2. Understand and configure Patch License Consumption, Patch Assessment Scans
and Patch Deployment Jobs.
3. Identify and understand the various components of the Patch Catalog.

81
Although Qualys PM can successfully function independently, when combined with
Qualys Vulnerability Management, Qualys PM automatically correlates or matches
discovered vulnerabilities with their required patches, so you can prioritize patches
that fix your existing, high-risk vulnerabilities.

With Qualys Patch Management, you can extend your existing Qualys agents'
functionality by simply enabling the PM module.

Qualys PM provides both OS and application patches, including those from third-
party software vendors.

Qualys PM provides patching just about anywhere an Internet connection is available,
including airports, coffee shops, and remote offices. A VPN connection to your
corporate network is NOT required.

Qualys agents can identify superseded patches, allowing you to patch more
efficiently.

When Qualys PM is deployed as part of Qualys VMDR, you can build patch jobs that
target specific vulnerabilities, vulnerability severity levels, and even vulnerabilities
with known and existing threats.

82
Agent host assets receive their patches from Vendor Global Content Distribution
Networks (CDNs). Host assets will receive their patches directly from the vendors
that created the patches; this includes both OS and application patches.

Qualys uses digital signatures and hash values to validate downloaded patches,
which are validated again using Qualys Malware Insights.

Qualys Gateway Server (QGS) provides the advantage of caching downloaded
patches; patch downloads requested by one agent are cached on QGS and made
available locally for other agents that need the same patch.
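The two behaviours just described, validating a downloaded patch against a known hash and serving later agents from a cache, combine naturally into one component. The Python below is an added example for this page and is not Qualys Gateway Server code: the vendor CDN stand-in, the patch payloads, file names and expected digests are all constructed, and only the SHA-256 check is modelled (vendor signature verification and Qualys Malware Insights are not).

```python
import hashlib
import hmac


class VendorCDN:
    """Stand-in for a vendor content distribution network (constructed)."""
    def __init__(self, files):
        self.files = files          # file name -> bytes
        self.downloads = 0          # how many times the "internet" was used

    def fetch(self, name):
        self.downloads += 1
        return self.files[name]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class GatewayCache:
    """Models the caching behaviour described above: a patch is fetched from the
    vendor once, validated against its expected SHA-256, and served to later
    agents from the cache. A payload that fails validation is never cached."""
    def __init__(self, cdn):
        self.cdn = cdn
        self.cache = {}

    def get(self, name, expected_sha256):
        if name in self.cache:
            return self.cache[name]
        data = self.cdn.fetch(name)
        # Constant-time comparison avoids leaking how many digest characters matched.
        if not hmac.compare_digest(sha256_hex(data), expected_sha256):
            raise ValueError(f"hash mismatch for {name}: refusing to cache or install")
        self.cache[name] = data
        return data


# Constructed patch payloads and the digests a patch catalog would carry.
GOOD = b"patch-bytes-for-product-x-1.2"
EXPECTED = {
    "product-x-1.2.msp": sha256_hex(GOOD),
    "tampered.msp": sha256_hex(b"original bytes"),   # catalog expects the original
}


def make_cdn():
    """Fresh CDN stand-in; 'tampered.msp' serves bytes that do not match EXPECTED."""
    return VendorCDN({"product-x-1.2.msp": GOOD,
                      "tampered.msp": b"not what the catalog expects"})


def deploy(gateway, agent_names, patch_name):
    """Each agent asks the gateway for the same patch; returns agent -> bytes,
    or the error text when validation fails."""
    results = {}
    for agent in agent_names:
        try:
            results[agent] = gateway.get(patch_name, EXPECTED[patch_name])
        except ValueError as err:
            results[agent] = str(err)
    return results


if __name__ == "__main__":
    cdn = make_cdn()
    gw = GatewayCache(cdn)
    deploy(gw, ["agent-a", "agent-b", "agent-c"], "product-x-1.2.msp")
    print("vendor downloads:", cdn.downloads)   # three agents, one download
    print(deploy(gw, ["agent-a"], "tampered.msp"))
```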

83
Here is the list of steps, or workflow of events, that will allow Qualys PM to
begin patch assessments and deployments on host assets:
1. The first step is to install the Qualys agent on targeted host assets.
2. In step two, you’ll then assign your targeted assets to a CA Configuration
Profile that has PM enabled.
3. If you have not already activated the PM module, you’ll perform this task in
step 3. Notice that steps 1, 2, and 3 are all performed within the Cloud
Agent application.
4. Step four is performed within the PM application. Here you’ll assign target
assets to an enabled PM Assessment Profile to perform patch assessment
scans at regular intervals.
5. To perform the task of installing (or deploying) patches and perhaps even
uninstalling patches, you’ll need to build a patch job; step number five.
6. Step six is only needed if you decide (at a later time) to deactivate the PM
module on an agent host; perhaps you would like to reclaim its license and
use it on another agent host.

Steps 2, 4, and 5 in this workflow can potentially precede step number one,
when Asset Tags are strategically used to assign host assets to their
appropriate profiles and jobs.

84
An assessment profile specifies the frequency of your patch assessment
scans, which determine the installed and missing patches for your agent host
assets.

The "System Profile" is already added to your account and is used by default
for agents that do not belong to another profile.

85
Within the "Licenses" tab of the CONFIGURATION section, use Asset Tags to
specify which agent host assets are eligible for patching.

Only AGENT host assets will consume a patching license.

86
Jobs can be created to deploy and/or uninstall patches. Not all patches can
be uninstalled.

87
If you want to install patches, you'll need to build a deployment job.

88
When building or configuring a Deployment Job, you have the option of
selecting assets individually (by Asset Name) or by using Asset Tags.

Asset Tags are automatically transferred when jobs are created from a
Prioritization Report.

89
To improve efficiency, use the search field to focus on patches that have NOT
been superseded (isSuperseded: false), which can significantly reduce the
total number of patches to be installed.

By default, the Patch Selector only lists patches that are "Within Scope" of the
host assets that are targeted.

90
Patches that are “Within Scope” are those needed or missing by the host
assets targeted in a job.

To view all patches, click “All.”

91
You have the option to run a job "On-demand" or schedule it to run at another
time.

Recurring jobs can be scheduled to run daily, weekly or monthly.

Monthly jobs that are scheduled to run on the 31st of the month will be scheduled
every two months (only in months where the 31st exists).

Recurring jobs are enabled three hours prior to their scheduled start time.

92
A job will display the “Timed out” status, if the patch installation does not start
within a specified patch window.

Select the “None” option to give patch jobs an unlimited amount of time.
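The scheduling rules on these two slides (monthly jobs on a day some months lack, the three-hour enable lead, and the patch window that produces "Timed out") are easy to get wrong by hand, so here they are as an added Python example written for this page, not Qualys scheduler code. The assumptions are that a month without the requested day is skipped rather than rounded to its last day, and that `window_hours=None` stands for the "None" (unlimited) option.

```python
import calendar
from datetime import datetime, timedelta

ENABLE_LEAD = timedelta(hours=3)   # recurring jobs are enabled 3 hours before start (slide)


def next_monthly_runs(start, day_of_month, count):
    """Next `count` run times for a recurring monthly job that runs on
    `day_of_month` at the clock time of `start`. Months that do not contain
    that day are skipped (assumed behaviour for this example)."""
    runs = []
    year, month = start.year, start.month
    while len(runs) < count:
        days_in_month = calendar.monthrange(year, month)[1]
        if day_of_month <= days_in_month:
            candidate = datetime(year, month, day_of_month, start.hour, start.minute)
            if candidate >= start:
                runs.append(candidate)
        month += 1
        if month > 12:
            month, year = 1, year + 1
    return runs


def enable_time(run_time):
    """When the recurring job becomes enabled ahead of its run."""
    return run_time - ENABLE_LEAD


def window_status(run_time, now, started_at=None, window_hours=None):
    """Evaluate the patch-window rule at `now`. If installation has not started
    by the end of the window the job is "Timed out"; window_hours=None models
    the "None" option, so the job never times out."""
    deadline = None if window_hours is None else run_time + timedelta(hours=window_hours)
    if started_at is not None:
        return "Started" if deadline is None or started_at <= deadline else "Timed out"
    if deadline is not None and now > deadline:
        return "Timed out"
    return "Pending"


if __name__ == "__main__":
    first = datetime(2024, 1, 31, 9, 0)   # constructed schedule start
    for run in next_monthly_runs(first, 31, 4):
        print(run.date(), "enabled at", enable_time(run).time())
```

Running it shows the job landing only in months that have a 31st, and the job being enabled at 06:00 for a 09:00 start.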

93
The pre-deployment message appears at the start of a patch job. Configure
deferment options for this notification to allow end-users to postpone patching.

When patching begins, the deployment in progress message will be displayed.

The Deployment complete message will appear when the job is finished.

The "Suppress Reboot" option can be used to prevent installed patches from
rebooting the host system.

The reboot request option will notify end-users that patch installation was
successful and a system reboot is required. You can configure deferment
options for the reboot request, as well.

You also have the option to display a reboot countdown for host systems.

94
The option to enable opportunistic patch downloads will allow Qualys Patch
Management to attempt to download patches before the patch job starts (which can
save time).

95
View patch jobs (both Enabled and Disabled) from the JOBS section of Qualys
Patch Management.

Use the “Quick Actions” menu to view any job’s progress.

96
Job progress status is displayed for all affected host assets.

Status types include:
• Pending – job has not started
• Job Sent – job sent to target host
• Downloaded – patches successfully downloaded
• Patching – patching in progress
• Reboot Pending – job completion is pending a host reboot
• Completed – job successfully completed (patches INSTALLED, FAILED,
and SKIPPED are displayed)
• and more...

97
Additional assets and patches can be added to a deployment job before it is
enabled; additional assets and patches can be added to a recurring job both
before and after it is enabled.

98
Configure patch License Consumption and build a patch Deployment Job.

99
This section provides a quick overview of the Patch Catalog.

100
The Patch Catalog contains tens of thousands of OS and application patches.
Presently you can add up to 2000 patches to a single job.

101
By default, only the latest (non-superseded) and missing patches are displayed. This is
done to help you focus on the essential patches required by your host assets.

To view ALL patches in the catalog, remove (uncheck) the “Missing” and
“Non-superseded” filter options.

102
Download patch from the vendor site
The Patches tab displays a “key” shaped icon for patches that cannot be downloaded
by Qualys Agents (i.e., you must acquire the patch directly from the vendor).

If you try to add such a patch to a patch job, the system will display a message
indicating it will not be added to the job.

103
Only “Rollback” patches in the catalog are candidates for an Uninstall Job. Not all
patches can be uninstalled.

104
Take a quick tour of the Patch Catalog.

105
For complete details on assessing and deploying patches, enroll in the “Patch
Management Self-Paced Training” course (qualys.com/learning).

106
If you would like to assess the knowledge you learned in this course, we have a VMDR
Certification exam. This certification exam is optional and can be taken at any time
from your “learner” account at qualys.com/learning.

107
While this “VMDR Overview” training course has focused on four Qualys applications
(i.e., AI, VM, TP, and PM), there are more VMDR applications that address and
mitigate vulnerabilities as well as enforce security policies.

This section provides a quick overview of the remaining VMDR applications:
1. Security Configuration Assessment (SCA)
2. CloudView & Cloud Security Assessment (CSA)
3. Container Security (CS) & Container Runtime Security (CRS)
4. CertView (CERT)
5. Continuous Monitoring (CM)
6. Secure Enterprise Mobility (SEM) BETA

108
Leverage Qualys Scanners and Agents to monitor and assess technical
security controls and security-related misconfigurations.

Qualys SCA provides over 400 CIS Benchmark Policies for hundreds of OS and
application technologies.

109
Qualys SCA contains a subset of the tools and features found in the Qualys Policy
Compliance application. For more information and details, please see the Qualys
Policy Compliance Self-Paced Training Course (qualys.com/learning).

110
With Qualys Cloud Connectors and the Qualys CloudView application, you can
enumerate your cloud instances and collect metadata from your AWS, Google
Cloud, and Microsoft Azure accounts.

With Qualys Cloud Security Assessment (CSA) you can leverage “out-of-box”
policies to assess technical controls and identify security-related
misconfigurations, for your AWS, Azure, and Google accounts.

111
The Qualys Container Security application uses the same KnowledgeBase as Qualys
VM and VMDR, to assess and detect vulnerabilities in Docker images and containers.
Qualys Container Sensor downloads as a Docker image and is installed on a Docker
host as a container application, right alongside other container applications.

Presently, there are 3 different types of Container Sensors:
1. A General Sensor will scan images and containers on a single Docker host.
2. A Registry Sensor will scan images in public and private Docker registries.
3. A CI/CD Pipeline Sensor (also referred to as a "Build" sensor) scans images within
your DevOps CI/CD pipeline projects, allowing you to identify and correct
vulnerable images during the build process. Integrations with Jenkins and
Bamboo are presently supported.

Container Runtime Security provides runtime visibility into, and protection for,
container applications. This is achieved by instrumenting images with Qualys
Container Security components to gather functional and behavioural data about the
container’s running processes, thereby allowing you to create rules and policies that
actively block or prevent unwanted actions or events. As one example, you could
build a policy that prohibits access to sensitive system files, such as the shadow or
passwd files on a Linux host.

112
For more information on Qualys Container Security, enroll in the “Container
Security Self-Paced Training” course (qualys.com/learning).

113
• Qualys CertView leverages Qualys Scanner Appliances to provide
complete visibility into certificates and their configurations across your
network and enterprise architecture (on-premise and cloud-based).
• Qualys Certificate Inventory collects all the certificate, vulnerability and
configuration data required for certificate inventory and analysis. It also
provides a comprehensive overview of your certificates and of Qualys SSL
Labs caliber certificate grades via the highly customizable dashboard.
• Qualys Certificate Inventory stops expired and expiring certificates from
interrupting critical business functions and offers direct visibility of expired and
expiring certificates right from the dashboard.
• With Qualys Certificate Inventory, you can create a baseline inventory of all
certificates in the enterprise and continuously monitor for new certificates.
• Qualys Certificate Assessment generates certificate instance grades that allow
administrators to quickly assess server SSL/TLS configurations.
• Qualys Certificate Assessment identifies out-of-policy certificates with weak
signatures or key lengths and shows you how many certificates were issued by
Certificate Authorities (CAs) that have been vetted and approved per your policy
and how many certificates are self-signed or were issued by CAs that have not
been authorized to issue certificates in your environment.

114
Build custom rules in Qualys CM to alert security team members when:
1. New hosts are added to your list of “managed” assets and when these assets are
updated.
2. High Risk vulnerabilities are detected on your host assets.
3. Certificates have or are about to expire and if any certificates fail to meet your
security standards and requirements.
4. New ports or services are discovered on “managed” assets.
5. Software is added or removed from “managed” assets.
6. Vulnerability tickets are opened, resolved, or closed.

CM works in tandem with VM/VMDR:
• Deploy Qualys Scanner Appliances and/or activate the VM module for deployed
Qualys Agents.
• Schedule frequent or continuous vulnerability scans.
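Most of the CM rule types listed above amount to comparing two successive scan results for a managed asset and alerting on the difference. The Python below is an added example for this page, not Qualys CM code: the two inventory snapshots, host names, port, software strings, QIDs and certificate dates are constructed, the "High Risk" cut-off at severity 4 is an assumption, and the vulnerability-ticket rule is not modelled.

```python
from datetime import date, timedelta

# Two constructed inventory snapshots of "managed" assets, from successive scans.
# Keys are host names; values mimic what a scanner or agent reports.
PREVIOUS = {
    "host-1": {"ports": {22, 443}, "software": {"openssl 3.0.1"},
               "vulns": {900002: 3}, "certs": {"web": date(2024, 6, 1)}},
}
CURRENT = {
    "host-1": {"ports": {22, 443, 3389}, "software": {"openssl 3.0.2"},
               "vulns": {900002: 3, 900001: 5}, "certs": {"web": date(2024, 2, 10)}},
    "host-2": {"ports": {22}, "software": set(), "vulns": {}, "certs": {}},
}

HIGH_RISK = 4   # assumed for this example: severities 4 and 5 are "High Risk"


def cm_alerts(previous, current, today, expiry_days=30):
    """Return (host, rule, detail) tuples for the rule types listed above.
    A host absent from `previous` raises only a new-host alert; its other
    attributes are evaluated on the next comparison, once a baseline exists."""
    alerts = []
    for host, cur in current.items():
        prev = previous.get(host)
        if prev is None:
            alerts.append((host, "new_host", host))
            continue
        for port in sorted(cur["ports"] - prev["ports"]):
            alerts.append((host, "new_port", port))
        for sw in sorted(cur["software"] - prev["software"]):
            alerts.append((host, "software_added", sw))
        for sw in sorted(prev["software"] - cur["software"]):
            alerts.append((host, "software_removed", sw))
        for qid, sev in sorted(cur["vulns"].items()):
            if sev >= HIGH_RISK and qid not in prev["vulns"]:
                alerts.append((host, "high_risk_vuln", qid))
        for name, expires in sorted(cur["certs"].items()):
            if expires <= today + timedelta(days=expiry_days):
                rule = "cert_expired" if expires < today else "cert_expiring"
                alerts.append((host, rule, name))
    return alerts


if __name__ == "__main__":
    for alert in cm_alerts(PREVIOUS, CURRENT, today=date(2024, 2, 1)):
        print(alert)
```

The comparison only works if the scans feeding it are frequent, which is the point of the two bullets above: a new listening port that appears and disappears between two widely spaced scans is never seen.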

115
Qualys Secure Enterprise Mobility (SEM) provides visibility into your mobile devices
by collecting their inventory and configuration data.

Your company's mobile device inventory is added to the Qualys Global IT Asset
Inventory application, providing you with greater insight into mobile devices that are
managed and unmanaged (especially when combined with Qualys Passive Sensor).

Qualys SEM provides vulnerability and compliance assessments to help keep your
mobile devices hardened and secure. Vulnerability assessment tests are provided for
both OS and applications.

Compliance assessment examples include: passcode not present, encryption status,
unauthorized root access (rooted), etc.

116
Please contact the Qualys Training Team (training@qualys.com) with your questions.

117