
QUALYSGUARD EVALUATOR'S GUIDE

VERSION 6.24
January 23, 2012

Copyright 2005-2012 by Qualys, Inc. All Rights Reserved. Qualys, the Qualys logo and QualysGuard are registered trademarks of Qualys, Inc. All other trademarks are the property of their respective owners. Qualys, Inc. 1600 Bridge Parkway Redwood Shores, CA 94065 1 (650) 801 6100

Dear Evaluator,

First, thank you for taking the time to evaluate QualysGuard. Today you must do everything to protect your network from the myriad of new threats, discovered almost every day, and meet compliance. Although you need to fully evaluate a solution for your enterprise, time is not on your side. You need a solution now, and your risk increases every day you wait.

We have produced this Evaluator's Guide to help you use your time more efficiently. Toward that end, we had several objectives for this document. One was for it to be reasonably concise. In addition, it had to be structured to enable you to apply the primary functions (mapping, scanning, reporting, remediation, and policy compliance) while offering you the option to explore deeper into sub-functions. The Evaluator's Guide helps you test the product highlights without limiting your options.

We urge you to apply QualysGuard to a network of your choice. That is the only way to get a true sense of its capabilities. For demonstration purposes, Qualys has an Internet-facing network with a handful of IP addresses that you may want to scan first before scanning your chosen network. Please feel free to do that. We will be happy to provide you with the current IP addresses.

At various steps in the Evaluator's Guide, you will see procedures and screen shots designed to simplify every aspect from authentication to remediation. There will also be references to sections in the QualysGuard online help, which is available from every location in the user interface, for more details.

One of the biggest hurdles in using an enterprise information security management solution is the installation and deployment. With QualysGuard, this is eliminated. You interact with the solution using a Web browser that allows you to log onto QualysGuard to start the mapping, scanning, reporting, remediation, and policy compliance processes.

Should you have any questions during this process, please contact your Qualys representative or Qualys Support by email at support@qualys.com or by phone at +1 (866) 801 6161. Again, thank you for evaluating QualysGuard.

Sincerely, Qualys, Inc.

Table of Contents

QualysGuard in Perspective
  Vulnerability Management Solution
  Can Be Deployed Immediately
  A Look At How QualysGuard Works
  Security Operations Centers
  Internet Scanners
  Scanner Appliances
  Secure Web Interface

Getting Started
  Logging In
  Navigating the UI
  Installing Your Scanner Appliance
  Creating Network Domains
  Adding Hosts for Scanning
  Asset Management
  User Management
  You're Now Ready

Step 1: Mapping Your Network
  Running a Map
  Map Results
  Scheduling Maps
  Map Targets
  Comparing Maps
  Mapping Summary

Step 2: Scanning for Vulnerabilities
  Starting a Scan
  Scan Results
  Scheduling Scans
  Scanner Parallelization
  Selective Scanning using Search Lists
  PCI Scans and Compliance
  Vulnerability KnowledgeBase
  Scanning Summary

Step 3: Reporting
  Report Share
  Report Templates
  Trend Analysis and Differential Reporting
  Scorecard Reports
  Patch Reports
  Consultant Reports
  Asset Search
  Risk Analysis
  Reporting Summary

Step 4: Remediation
  Remediation Policy
  Ticket Creation
  Remediation Reporting
  Remediation Ticket Update Notification
  Remediation Summary

Step 5: Policy Compliance
  Policy Compliance Workflow
  Accessing Policy Compliance Features
  Policy Compliance Summary

Wrap-up
  Secure Operations Centers
  Global Scanning Infrastructure
  Prioritized Remediation
  Compliance Reporting
  Interoperability
  Software-as-a-Service (SaaS) Solution

Contact Support


QualysGuard in Perspective
QualysGuard IT Security and Compliance Suite, the Software-as-a-Service (SaaS) solution from Qualys, plays a vital role in network security and compliance management. The prospect of malfeasance via a network has spurred considerable innovation in network security. Virtually all industry analysts agree that network security should be a product of multiple interventions: virus detection, firewalls, and vulnerability management. Most analysts also agree that vulnerability management is a critical intervention without which virus detection and firewalls may offer a false sense of security.

One leading analyst wrote: "Security demands will drive a new focus on highly proactive vulnerability management. Near-continuous scanning will rapidly become a standard enterprise requirement as security administrators struggle to stay ahead of vulnerabilities that are introduced by software vendors, as well as configuration errors committed by internal personnel." [1]

As you will see, QualysGuard is designed to meet all the needs this analyst describes for enterprise deployments.

Vulnerability Management Solution


Vulnerabilities are weaknesses in process, administration, or technology that can be exploited to compromise your IT security. Vulnerability Assessment, a key element of Vulnerability Management, is a preemptive attempt to find such vulnerabilities and to eliminate or mitigate them before they can be exploited. Vulnerability Management is broader than Vulnerability Assessment. At a minimum, it is a process that involves discovery of all systems attached to a network, vulnerability identification and analysis of all or portions of the discovered network, reporting of findings, remedy of weaknesses, and confirmation that remedies or workarounds have been applied. Vulnerability Management is a continuous process. Any changes to policies or network configurations will inevitably create new weaknesses. And, even in the event of no change, new vulnerabilities are being uncovered daily, and must be acted upon to maintain a high level of security.

Can Be Deployed Immediately


A service-based solution involves a trusted third party, as opposed to acquiring, installing, supporting, and maintaining a product-based solution. QualysGuard is a service-based vulnerability management and policy compliance solution. Users access QualysGuard through authorized access to its Web service-based delivery architecture, allowing users to immediately direct its action and to hit the ground running. The QualysGuard secure architecture is updated daily with new vulnerability audits and quarterly with new product features, delivered seamlessly to subscribers. The cost of ownership is assumed by Qualys and distributed across a large subscriber base. Thus, users benefit from an immediately deployable security capability at much below the cost of an internal, product-based solution.
1. Gartner Research, SPA-21-3634, 19 November 2003

A Look At How QualysGuard Works


The following diagram depicts the QualysGuard Global Infrastructure for security and compliance scanning.

Enterprise Security and Compliance


Industry experts defined enterprise security and compliance management to include the following criteria:

- It must identify both perimeter and internal weaknesses.
- It must automatically scan using a continually updated database of known attacks.
- It must be highly accurate, essentially eliminating false positives, and be non-intrusive.
- It should use inference-based scanning, ensuring that only applicable tests are run for each scan.
- It should generate concise, actionable, customizable reports, including vulnerability prioritization and trend analysis.
- It should provide tested remedies and workarounds for cases where no remedy as yet exists.
- It should provide distributed scanning capabilities with consolidated reporting and centralized management capabilities.
- It should provide both trusted (credential-based) and un-trusted scanning techniques.
- It should provide user access management to restrict users' roles and privileges to their function in the organization and network responsibility.
- It should provide workflow capabilities for prioritizing and tracking remediation efforts.
- It should enable customers to build compliance reporting.
- It should integrate seamlessly with customers' SIM, IDS, Patch Management, and Help Desk systems.


There are special benefits when using the Web as a deployment system. It is accessible from any Web browser. It can scale instantly as a customer's network grows. It enables distributed scanning for all locations. It delivers immediate updates for new threats. It results in the highest accuracy of scans. And it eliminates software installation and maintenance burdens.

Security Operations Centers


Our Security Operations Centers (SOCs) at remote locations provide secure storage and processing of vulnerability data on an n-tiered architecture of load-balanced application servers. All computers and racked equipment are isolated from other systems in a locked vault.

Internet Scanners
Our Internet scanners carry out perimeter scanning for customers. These scanners are located in various worldwide locations, and they communicate with our SOCs through secure (SSL) links. These remote scanners begin by building an inventory of protocols found on each machine undergoing an audit. After discovering the protocols, the scanner detects which ports are attached to services, such as Web servers, databases, and e-mail servers. At that point, the scanners initiate an inference-based assessment, based on target hosts.

Scanner Appliances
To map domains and scan IPs behind the firewall, QualysGuard Scanner Appliances are installed by customers, in a distributed manner, for global enterprise scanning. These are client-side, plugin devices that gather security audit data inside the firewall, and provide secure communications with our SOCs. These appliances use a hardened operating-system kernel designed to prevent any attacks. In addition, they contain no services or daemons that are exposed to the network. These devices poll the SOCs for software updates and new vulnerability signatures, and process job requests. They do not retain scan results; instead, the results are securely encrypted with unique customer keys, transmitted, and stored at redundant SOCs.

Secure Web Interface


Users interact with QualysGuard through its Secure Web Interface. Any standard Web browser permits users to navigate the QualysGuard user interface, launch scans, examine audit report data, and manage the account. Secure communications are assured via HTTPS (SSLv3) encryption. All security and compliance report data is encrypted with unique customer keys to guarantee confidentiality of information and make it unreadable by anyone other than those with proper customer authorization.


Getting Started
All of your interactions with QualysGuard will be through the Secure Internet Interface. After registration for the trial, you will receive an email with a secure link to a user name, password, and login URL. This is a one-time-only link. Once you have connected to the Web page, neither you nor anyone else can do so a second time. This protects you in the event someone intercepts your email. Your login is fixed and assigned by QualysGuard. Your initial password is a randomly generated strong password, and you may change it at any time. To do this, go to Setup>Change Password and follow the online prompts.

Logging In
Click the login URL link in your account registration email to access the QualysGuard Web application. First time users will be presented with a window to review the Qualys Terms and Conditions (Ts&Cs). Upon accepting the Ts&Cs, you will now be presented with the QualysGuard home page and a QuickStart window on top of it. The QuickStart window (see below) enables you to navigate quickly through the key QualysGuard functions.

For now, close the QuickStart window. Note the Help option on the top menu bar is available at all times and provides several forms of assistance to ensure your success. The KnowledgeBase is shown on your home page and you can change this by going to Setup>Home Page. We recommend you try our new user interface (and download the new UI version of this user guide).

Navigating the UI
Before moving forward, let's take a quick look at the QualysGuard user interface. The QualysGuard user interface provides Enterprise Class UI capabilities in the browser, including contextual search. The application-style look and feel makes key user tasks easy to find, provides better support for the vulnerability lifecycle, and reduces the learning curve. UI design elements include:

- Simplified navigation with consistent controls and workflows, highlighted menu items when you mouse over them, auto-complete for text entry, and the use of pop-up windows for forms so you never lose your place in the application.
- Instant information updates in the browser using AJAX (Asynchronous JavaScript and XML).
- Easy and quick access to data lists containing your security risk management data, with advanced search features and the ability to customize layouts on the fly.
- Central location to view and configure subscription-level settings.
- Sectional overview help with quick links to common tasks and related reading.

Look and Feel


You'll notice that the main application window has a consistent look and feel throughout the application with five distinct sections (highlighted as A-E in the following image). Each section is described below.


A. Navigation Pane

The navigation pane (also referred to as the left menu) appears on the left side of the window. It's divided into two sections. The top section is the main navigation for the primary features. The bottom section is the Tools navigation for features that support the use of the primary features. When you select an item on the navigation pane, the data list is populated with results. For example, if you select Scan on the navigation pane, then your scans appear in the data list. If you select Report on the navigation pane, then your reports appear in the data list.

B. Menu Bar

The menu bar (also referred to as the top menu) appears across the top of the window. It contains menus needed for successfully navigating each section of the interface. The menu options in the menu bar change dynamically to reflect the section you're in. The lock icons in the menu bar next to your user name identify the modules that are enabled for your subscription: Vulnerability Management (VM), Payment Card Industry (PCI), Policy Compliance (PC) and Web Application Scanning (WAS). If a module is enabled, then a red lock appears. If a module is not enabled, then a gray lock appears.

C. Data List

The data list appears in the main body of the window. As you select an item on the left menu, the data list is populated with the results of your selection. For example, if you select Scan on the left menu, then your scans appear in the data list. Many data lists include an Actions menu for initiating workflows. To start a workflow, you would select the check box next to each item in the data list that the action applies to, and then select an action from the Actions menu. You can download most data lists in these file formats: CSV, XML, HTML and MHT. To do so, go to the data list you're interested in and select Download from the New menu. The data list is downloaded based on the view presented in your browser. You can filter the data list using the View menu and Search options to control the size of the data list that is downloaded.

D. Preview Pane

The preview pane appears below the data list. The preview pane provides a quick look at important details about a selected item in the data list.

E. Open/Close Options

The open/close options appear below the navigation pane in the bottom left corner of the window. These options allow you to open/close the navigation and preview panes. Hiding these panes enables you to maximize the data list view. These options, along with the ability to hide columns, change data list sorting and increase the number of rows shown, are also available from the View menu on the top menu bar.


Installing Your Scanner Appliance


By installing a scanner appliance within your network, you will have the ability to do vulnerability assessments for your entire network. The scanner appliance features a hardened OS kernel, is highly secure, and stores no data. It's a recommended best practice that you create dedicated user accounts for installing scanner appliances, so that changes in account status do not affect scanner appliance availability. For the purpose of this review, you will simply install your scanner appliance using the same login and password you are currently using. Refer to the QualysGuard Scanner Appliance Quick Start Guide and follow the three installation steps. The QualysGuard Scanner Appliance User Guide that you received will help you resolve any installation issues.

Creating Network Domains


QualysGuard uses a domains concept for its network mapping process. "Domain" in this context is our name for a DNS entry, for a netblock, or for a combination. To create such a domain, you select Domain Assets under Tools on the left menu. Then go to New>Domains. Here you will specify a domain or a netblock of IPs. Once you have typed them into the New Domains pop-up, click Add. Again, a window will open reminding you that you must have permission to discover (map) the specified domains and netblocks. Click OK. You will be returned to the domain assets list, and the added domains will now be shown.

When specifying domains, you may add existing registered domain names recognizable by DNS servers on your network, such as mycompany.com. You also have the option to add a domain called "none" with netblocks (one or more IP addresses and IP ranges).

Qualys provides a demo domain called qualys-test.com for network mapping. This domain may already be in your QualysGuard account. If not, you can add it yourself. Note that the devices in the demo domain reside in Qualys Security Operations Centers, so the QualysGuard Internet scanners can be used for mapping this domain.

Adding Hosts for Scanning


The service supports network scanning and compliance scanning. Host assets are the IP addresses in your account that may be used as scan targets. In preparation for network scanning, you need to tell QualysGuard which IP addresses and/or ranges you wish to scan. Select Host Assets under Tools on the left menu. Then go to New>IP Tracked Hosts. You'll notice that you also have the option to add hosts tracked by DNS and NetBIOS hostname, which allows for reporting host scan results in dynamic networking environments. For example, you may want to use DNS or NetBIOS hostname tracking if the hosts on your network are assigned IP addresses dynamically through DHCP.

The New Hosts page will appear. In the window area titled Host IPs, enter the IPs for which you have permission to scan and set any additional host attributes. The policy compliance module may be enabled in your account. If so, the check box Add to Policy Compliance Module appears below the IPs field. Select this check box if you want the new IPs to also be added to the PC module, making them available for compliance scanning in addition to network scanning. Note that you can add individual IPs to the PC module at a later time.


At the bottom of the Web page, select the Add button. Another window will open asking you to verify that you are authorized to scan the IP addresses you are adding. Select OK. The host assets list will now return to your display, and the newly added hosts will be added to the list.

Alternatively, you can discover the devices on your network starting from a domain or netblock. Then add the IPs to your account using the workflow from the Map Results report. For assistance with this, see the help topic Map Results under Map in the online help system.

A virtual host is a single machine that acts like multiple systems, hosting more than one domain. For example, an ISP could use one server with IP address 194.55.109.1 to host two Web sites on the same port: www.merchantA.com and www.merchantB.com. To ensure that the scanning service analyzes all domains when the host is scanned, set up a virtual host configuration for this IP address and specify the port and fully-qualified domain names. Select Virtual Hosts under Tools on the left menu. Then go to New>Virtual Host to create a new virtual host configuration.
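The virtual host case above can be reproduced locally to see why the port and fully-qualified domain names have to be supplied. The following is an added example, not Qualys code and not a description of how the QualysGuard scanner works: a loopback server stands in for 194.55.109.1, the page contents are constructed, and the function names (`start_demo_server`, `fetch`, `coverage`, `unseen_by_ip_only`) are hypothetical.

```python
"""Added example: two name-based virtual hosts behind one IP address and port."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed page content for the two sites named in the text.
SITES = {
    "www.merchanta.com": "Merchant A storefront",
    "www.merchantb.com": "Merchant B storefront",
}
# What the server returns when the Host header matches neither site.
DEFAULT_SITE = "Default placeholder page"


class VirtualHostHandler(BaseHTTPRequestHandler):
    """Chooses the site from the Host header, as a name-based virtual host does."""

    def do_GET(self):
        host = (self.headers.get("Host") or "").split(":")[0].lower()
        body = SITES.get(host, DEFAULT_SITE).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo output quiet


def start_demo_server():
    """Start the demo server on a free loopback port; caller shuts it down."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), VirtualHostHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(ip, port, host_header):
    """GET / from ip:port while presenting the given Host header."""
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    try:
        conn.putrequest("GET", "/", skip_host=True)
        conn.putheader("Host", host_header)
        conn.endheaders()
        return conn.getresponse().read().decode()
    finally:
        conn.close()


def coverage(ip, port, fqdns):
    """Return the page seen for the bare IP and for each configured FQDN."""
    results = {ip: fetch(ip, port, f"{ip}:{port}")}
    for name in fqdns:
        results[name] = fetch(ip, port, name)
    return results


def unseen_by_ip_only(results, ip):
    """FQDNs whose content differs from what an IP-only request received."""
    return sorted(n for n, page in results.items()
                  if n != ip and page != results[ip])


if __name__ == "__main__":
    srv = start_demo_server()
    try:
        port = srv.server_address[1]
        seen = coverage("127.0.0.1", port,
                        ["www.merchantA.com", "www.merchantB.com"])
        for target, page in seen.items():
            print(f"{target:20} -> {page}")
        print("Missed without FQDNs:", unseen_by_ip_only(seen, "127.0.0.1"))
    finally:
        srv.shutdown()
        srv.server_close()
```

A request addressed only by IP reaches the default page, so both merchant sites go unassessed until their names are listed for that IP and port.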

Asset Management
Asset management capabilities provide powerful tools to manage and organize assets. You can organize assets (scanner appliances, domains and hosts) into asset groups and business units, assign them business impact levels, and so on. Select Asset Groups under Tools on the left menu to view your asset groups. Go to New>Asset Group to add a new asset group. Asset grouping offers great flexibility, allowing you to assign assets to multiple asset groups.

By clicking on the Info icon to the left of an asset group, you can view the information associated with it, including the assigned IPs, domains, users with permission to the group, and business information provided for the group. You can expand and collapse different sections to view different types of asset group information. To expand all sections, go to View>Expand All. Similarly, to collapse all sections, go to View>Collapse All.


Optionally you may wish to go one step further and organize asset groups into business units. By doing so, you can grant management responsibilities to dedicated Unit Managers. Unit Managers are tasked with overseeing assets and users within their respective business units. See the Business Units section in the online help for more information. Select Help>Online Help and under Contents, navigate to the folder Tools>Business Units. Following is a typical example of how an enterprise might segregate their assets into user-defined business units in QualysGuard:

User Management
User management capabilities allow you to add multiple users with varying roles and privileges. The most privileged users are Managers and Unit Managers. These users have the ability to manage assets and users. The main difference between Managers and Unit Managers is that Managers have management authority for the subscription (including any business units it may have), while Unit Managers have management authority on an assigned business unit only.

Scanners and Readers have limited rights on their assigned assets. Readers cannot run maps and scans; however, they can view scan and map results, run reports, and view/edit remediation tickets.

Auditors may be added to a subscription when the compliance module is enabled in order to perform compliance management tasks. These users have limited rights on hosts that have been defined as compliance hosts for the subscription. Auditors cannot run compliance scans; however, they can define policies, create policy report templates and run reports based on compliance scan data.


A typical QualysGuard deployment will have multiple users with multiple business units as depicted in the following chart:

QualysGuard provides great flexibility in defining users, asset groups, and business units to reflect the organizational structure and business requirements for the enterprise.

Adding Users
On the left menu, select User Accounts under Tools. Then go to New>User. You can add users to your account, assign them roles, and associate them with business units.


The account creator assigns permissions. Click Advanced to see all available options. Different permissions appear for different user roles. The example below is for a Unit Manager role.

Now click the Options tab to see notification options, VeriSign Identity Protection (VIP) status and interface styles.


Notification Options

Select each email notification this user should receive. There are several notification options available to choose from.

VeriSign Identity Protection (VIP)

QualysGuard includes support for VeriSign Identity Protection (VIP) two-factor authentication. Managers have the option to require VIP authentication for all subscription users or for specific users. Any user can opt in. The check box Require VIP two-factor authentication is used to require VIP authentication for another user (by a Manager) or to opt in (any user). Note this check box does not appear when VIP authentication is required for all users.

When VIP authentication is required for a user account, logging into the user interface is a two-part process. First the user provides their QualysGuard credentials (login name and password), followed by their VIP credentials (VIP credential ID and one-time security code). To get a VIP Credential, please visit the following URL: https://idprotect.verisign.com/mainmenu.v.

Interface Styles

Select the preferred interface style for this user. There are five pre-defined color schemes to choose from. The Accessible/High Contrast option is provided for our visually impaired users.

Youre Now Ready


At this point, you should have successfully obtained authorization, logged in, created domains for mapping, added hosts for scanning, and are ready to begin mapping and scanning. If any of the preceding steps failed to provide results similar to those in this setup section, please email or call Qualys Support before continuing. The sections to follow walk you through the primary functions of QualysGuard, including mapping, scanning, reporting and remediation.


Step 1: Mapping Your Network


Before you can map a portion of your network, you have to tell QualysGuard how you would like it to perform that mapping. This is called a Network Map Profile. Under Tools, select Option Profiles, and then go to New>Option Profile. A New Option Profile page will open. Give the new profile a title, such as Network A Map. Select the Map tab and then click the Advanced button. Scroll down to the Options section and make sure the Perform Live Host Sweep option is selected. Now select Exclude Hosts Only Discovered Via DNS.

The options selected will allow you to map a domain and identify hosts in the netblock, and will exclude hosts that are solely discovered through DNS. If you're mapping an internal domain or internal IPs, then scroll up and select the option Netblock Hosts only for basic information gathering. Feel free later to try different selections for your map profile, but for now, select the Save button to save the option profile.

Running a Map
Now you're ready to run your first map. Select Map from the left menu. The map history list appears. Go to New>Map on the top menu.

The Launch Map pop-up appears as shown on the next page.


Enter the name First Map in the Title field and select your new map profile (e.g. Network A Map) from the Option Profile menu. Note that the menu Scanner Appliance appears when your account includes a scanner appliance. When present, select the name of your scanner appliance (required for mapping private use internal IPs) or External for the external scanners. In the Domains/Netblocks field, enter the domain you already added or click the Select link to choose a domain from a list of domains in your account. In the example above, the domain qualys-test.com is selected. (Note that you can also map IP addresses and asset groups. See Map Targets on page 22 to learn more.) Select Launch to start the map. The map history list is refreshed and your new map is shown with the status Running. When the mapping is complete, you will see the status change to Finished. Also, the QualysGuard service will send you a map summary email to the address with which you registered when the map summary notification option is enabled in your account.


Map Results
On the map history list, select the View icon for your finished map. Your Map Results will appear online in an HTML report. The sample map below was generated for the qualys-test domain. At the top portion of the page is a Report Summary. Take a look at yours and note how complete the information is.

Now scroll down the page to see the list of hosts discovered along with legend information that indicates Approved, Scannable, Live, and Netblock. This map was generated on the qualys-test domain for demonstration purposes. The discovered hosts were all live at the time of the scan but are not in the approved hosts list for the domain or in the domain's associated netblock. Three of the hosts are scannable, meaning that they are already in the user's account and available for scanning. Your map will have results specific to the domain that you mapped. Click the arrow next to any host to view a list of open services on the host. The discovery method used to detect each service is listed along with the port the service was found to be running on (if available).


The top of your report includes an Actions drop-down menu with powerful workflow options that allow you to select hosts in the results and do any of the following: add hosts to the subscription, add hosts to groups, remove hosts from groups, launch and schedule scans on hosts, edit hosts, purge host details, and approve hosts for the domain.

Let's add hosts from the map results to a new asset group for scanning. Hosts with the S indicator on the right-side legend are scannable, meaning that they already exist in your account. Select the check box next to each scannable host you want to add to the group. Then go to the Actions menu at the top of your report and select Add to a new Asset Group from the drop-down menu, and click Apply.

On the New Asset Group page give your asset group a title, such as First Asset Group. You'll notice that the selected hosts are already assigned. You can add more IPs to the group using the IPs tab, and add domains to the group using the Domains tab. When there are scanner appliances in your account, add appliances using the Scanner Appliances tab. The Business Info tab is where you specify an impact level used to calculate business risk in scan status reports (automatic). The impact level High is assigned by default. Select Save. The new asset group is saved to your asset groups list and is available for mapping, scanning and reporting. We'll reference this group in the next chapter when scanning for vulnerabilities.

Viewing Map Results in Graphic Mode


Now go to View>Graphic Mode from the menu at the top of your report. QualysGuard will prepare a graphical representation of the map in a separate window. Following is an example.

Double click on any host to see a table with its pertinent network information, as shown below. The table provides basic information on the discovered host, its OS, and how it was identified:


Scheduling Maps
In the previous instance, you ran a map on demand. You can also schedule maps to run periodically with no human intervention. To schedule a map, select Schedule on the left menu, and then go to New>Schedule Map. Give the scheduling task a title, such as First Map Schedule. Your name should appear in the Task Owner field and the default option profile will appear in the Option Profile field. In the Target Domains area, specify your map target. Then scroll down and pick the start date and time, duration, and any other options. Select Help in the bottom right-hand corner for assistance with available settings. When finished, select Save.

Now QualysGuard will repeat that map as scheduled, and each time it completes the map, it will send you a summary email with a secure link to the Map Results report. As you will see later, with repeated mapping coupled with reporting on prior map results, a Manager can quickly see any changes to the domain due to any new or rogue devices.

Map Targets
Each time you launch or schedule a map, you specify one or more map targets in the Target Domains section. You may specify any combination of registered domains, IP addresses/ranges, and asset groups. When you select an asset group for the map target, you have the option to map the domains and/or the IPs defined in the asset group. When multiple map targets are submitted in a single map request, the service automatically produces multiple map reports. The service produces a separate map report for each registered domain and for each group of IPs. For example, if you enter 2 registered domains, then the service produces 2 map reports. If you enter 2 registered domains plus a range of IPs, then the service produces 3 map reports. All of the maps produced from a single request will share the same user-provided map title. The Targets column in your map history list identifies the registered domain name or the IP addresses/ranges included in each map report.

Comparing Maps
You can easily run successive maps over some arbitrary time period and immediately see both anticipated and unanticipated changes. You can also compare maps against approved hosts, a user-defined list of hosts approved for a domain.

Configure an Approved Hosts List


Compare saved map results to a customized list of approved hosts for a domain to identify hosts that are not in the list. There can be one approved hosts list per domain. To configure an approved hosts list, select Domain Assets under Tools on the left menu. The domain assets list appears, as shown below.


Identify the domain you're interested in, and click the Edit icon. For Managers, the Edit Domain page appears. Click Configure under Approved Hosts to view the Configure Approved Hosts page. For Unit Managers, Scanners and Readers, this page appears automatically (as shown below).

Add hosts to the approved hosts list using any of these methods:

If a netblock is defined for the domain, then the IPs in the netblock appear in the Available Hosts list. Click Add All to add them to the approved hosts list.

Click Manually to add hosts by manually typing or pasting them into a pop-up window. Enter the hosts you want to add and click Add. Similarly, to remove hosts from the approved hosts list, enter them into the pop-up window and click Remove.

Click Asset Group to add hosts from one or more asset groups in your account. You can then remove individual hosts that you do not want to approve.

Click Map to add all detected devices from one or more saved maps. The IP addresses for all devices, including systems, routers, and servers, identified in the map will be added to the approved hosts list. You can then remove individual IPs.

Now click OK to save the approved hosts list for the domain.


Generate the Unknown Device Report


Generate the Unknown Device Report to compare the approved hosts list for a domain with saved map results. Any host that is not in the approved hosts list is considered rogue and will appear in the report. To run this report, select Report on the left menu, and then go to New>Map Report. Click the Select link next to the Report Template field to select the Unknown Device Report template. Then select the domain you want to report on and choose 1 or 2 saved map results to compare against the approved hosts. Select Run to start the report. A sample Unknown Device Report is shown below:

Note the status indicators (Active, Added and Removed) in the Status column. To learn more about reporting options, see the Reporting chapter starting on page 38.
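
The comparison behind the Unknown Device Report can be reproduced offline to sanity-check an approved hosts list before relying on the report. The following Python is an added example, not Qualys code: the accepted entry formats (single IP, start-end range, CIDR block) and the meaning given here to the Active, Added and Removed statuses are assumptions, and the addresses are constructed from documentation ranges.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation addresses), not real map output.
APPROVED = ["192.0.2.0/28", "192.0.2.40-192.0.2.45", "198.51.100.7"]
MAP_OLD = ["192.0.2.1", "192.0.2.41", "192.0.2.77", "198.51.100.9"]
MAP_NEW = ["192.0.2.1", "192.0.2.46", "192.0.2.77", "198.51.100.7"]


def parse_approved(entries):
    """Turn approved-host entries into (version, low, high) integer intervals.

    Assumed entry formats: a single IP, "start-end", or CIDR notation.
    Intervals stay unexpanded, so a large netblock costs one tuple.
    """
    intervals = []
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue
        if "/" in entry:
            net = ipaddress.ip_network(entry, strict=False)
            low, high = net.network_address, net.broadcast_address
        elif "-" in entry:
            start, end = (part.strip() for part in entry.split("-", 1))
            low, high = ipaddress.ip_address(start), ipaddress.ip_address(end)
        else:
            low = high = ipaddress.ip_address(entry)
        # Reject reversed ranges and ranges that mix IPv4 with IPv6.
        if low.version != high.version or int(high) < int(low):
            raise ValueError(f"invalid approved-host entry: {raw!r}")
        intervals.append((low.version, int(low), int(high)))
    return intervals


def is_approved(ip, intervals):
    """True when the address falls inside any approved interval."""
    value = int(ip)
    return any(v == ip.version and lo <= value <= hi for v, lo, hi in intervals)


def unapproved(map_hosts, intervals):
    """Set of discovered hosts from one map that are not on the approved list."""
    hosts = {ipaddress.ip_address(h.strip()) for h in map_hosts if h.strip()}
    return {ip for ip in hosts if not is_approved(ip, intervals)}


def unknown_device_report(approved_entries, older_map, newer_map=None):
    """Return sorted (ip, status) rows for hosts missing from the approved list.

    Assumed status meanings when two maps are compared:
      Active  - unapproved host seen in both maps
      Added   - unapproved host seen only in the newer map
      Removed - unapproved host seen only in the older map
    With a single map every unapproved host is reported as Active.
    """
    intervals = parse_approved(approved_entries)
    old = unapproved(older_map, intervals)
    if newer_map is None:
        rows = {ip: "Active" for ip in old}
    else:
        new = unapproved(newer_map, intervals)
        rows = {ip: "Active" for ip in old & new}
        rows.update({ip: "Added" for ip in new - old})
        rows.update({ip: "Removed" for ip in old - new})
    ordered = sorted(rows, key=lambda ip: (ip.version, int(ip)))
    return [(str(ip), rows[ip]) for ip in ordered]


if __name__ == "__main__":
    for ip, status in unknown_device_report(APPROVED, MAP_OLD, MAP_NEW):
        print(f"{ip:<16} {status}")
```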

Mapping Summary
QualysGuard supports both on demand and scheduled mapping. Mapping profiles allow you to tailor the discovery based on your selection of mapping criteria. All mappings initiate emails with result summaries and links to the saved Map Results information.


Step 2: Scanning for Vulnerabilities


As with mapping, scanning requires an option profile. You can create an option profile, use default profile options, or select an option profile from the library. The QualysGuard Library provides pre-configured option profiles designed specifically for vulnerability scanning. You can import these option profiles into your account and then use them as-is or edit them as required. Let's create a new option profile. First select Option Profiles under Tools on the left menu, and then go to New>Option Profile.

The New Option Profile page appears. As you did with mapping, give the profile a name, such as First Scan and then select the Set this as the defaultscans check box.


Now click the Advanced button to see all available scan options. Keep all of the default scan options as is, except scroll down to the Authentication section and select the Windows check box to enable Windows authentication. Select Save to save the new option profile. You will now be returned to the option profiles list, and the new default profile called First Scan will appear.

The Windows Authentication feature enables Windows trusted scanning. QualysGuard supports trusted scanning for Windows, Unix, Oracle, Oracle Listener, SNMP, MS SQL and Cisco IOS systems. When this feature is enabled, QualysGuard has the ability to gather more system intelligence on target hosts. For vulnerability scans, trusted scanning is optional.

Trusted scanning references user-defined authentication records in your account. Each record identifies authentication credentials to be used for authentication to certain hosts. For Windows authentication you may select local or domain authentication. For domain authentication QualysGuard provides methods for IP-based authentication and domain-based authentication. Trusted relationships are supported using both of these methods. If domain authentication will be used, please review our documentation for information on domain account requirements before you begin. Refer to the Trusted Scanning section under Scan in the online help or download the document Windows Trusted Scanning from the Resources section (Help>Resources>Tips and Techniques).

To add a Windows authentication record, select Authentication under Tools on the left menu. Then go to New>Windows Record. On the New Windows Record page, give the record a title. Under Login Credentials, select local or domain authentication. For domain authentication it's recommended you select NetBIOS, User-Selected IPs for IP-based authentication and then enter the target domain name. Enter the user name and password for the Windows user account to be used. (Optionally, select Authentication Vault if the password for the Windows user account is stored in a third party authentication vault. You must already have a vault record defined in your account to use this option.) In the IPs section, under Available IPs, select the IPs/ranges to be scanned and click Add. Lastly, select Save. The authentication records list will appear and your new record will be listed.

Starting a Scan
Now you are ready to run your first scan. Select Scan on the left menu and then go to New>Scan. (When the compliance module is enabled, you must also select the scan type Vulnerability.) The Launch Vulnerability Scan pop-up appears.


Enter a title for the scan (for example Internal Asset Scan) and make sure that the Option Profile field shows your new scan profile (for example First Scan). Note the service provides a variety of pre-configured option profiles to assist you with vulnerability scanning. You can import an option profile from the Library and apply it to the scan (and the imported profile will be saved in your account for future use).

Specify a target asset group (for example, First Asset Group created previously from your map results). You can also enter IPs or IP ranges in the IPs/Ranges field. You can also pick the scanner appliance for running the scan in the Scanner Appliance field, or let the system use the default scanner associated with the asset group that you are scanning. (Note: If you are scanning the demo IPs, you must select External in this field.)

Now, select Launch. Once the scan begins, you will see the Scan Status pop-up which is updated every 60 seconds with scan status information. You can move this pop-up out of your way or close it. You can re-open the scan status at any time from the scan history list. During the scan, you can view the scan list in the main window and see the scan task status:

You can cancel a running scan by selecting the red cancel button or pause a scan by selecting the blue pause button. When a scan is paused, results from scanned hosts are available for viewing and a green resume button appears in place of the pause button. When you resume a paused scan, the scan task will pick up where it left off. You can relaunch a previous scan by selecting the blue relaunch button. The service makes a best effort to recall the previous scan's settings and prefill values as a convenience. The current date is appended to the previous scan's title.

Select the View icon to re-open the scan status. The sample below shows a scan status display you would see, showing how you can monitor scan progress and view results for finished scans. As soon as one host has been scanned, the link View Vulnerability Results appears. Select this link to view scan results for the scanned hosts.


When the entire scan is complete, you will see the status change from Running to Finished with a button to view the Scan Results report.

Scan Results
Scan results for completed scans are always available from the scan history list (select Scan on the left menu). The top of the report shows a Report Summary with information about the scan task like the scan date, number of active hosts, the option profile used and so on. Scrolling down, you will see the Summary of Vulnerabilities:


Scrolling down further you will see the Operating Systems Detected:

Below are the Services Detected:

Then what follows are detailed results sorted by host and characterized by operating system. Detailed results for your internal hosts will be shown in this section of the report. The sample detailed results section below shows there were 19 total vulnerabilities associated with IP address 10.10.24.100 running Windows 2000 Service Pack 3-4.


If you click on the title of a vulnerability, QualysGuard provides a comprehensive description of the vulnerability, including threat, impact, solution, compliance and result details. For example, by clicking on the title Remote User List Disclosure Using NetBIOS you will see vulnerability details as shown below.

If applicable, vulnerability details may include compliance information for various government and industry-specific regulations, including SOX, HIPAA and GLBA, and the CobIT information technology standard. If a vulnerability check is not associated with any of the compliance types, then Not Applicable appears under Compliance in your scan results. The example below shows compliance information for QID 45067 which has compliance information for all 4 types.


Exploitability. QualysGuard correlates exploitability information from third party vendors and/or publicly available sources to provide up to date references to exploits and related security sources. Exploitability information enables users to perform risk-oriented analysis of vulnerabilities and to further prioritize their remediation plans. QualysGuard constantly correlates exploitability information from real-time feeds to provide up to date references to exploits and related security resources.

Associated Malware. QualysGuard correlates malware information with QualysGuard-detected vulnerabilities when malware threats for vulnerabilities are published in the Trend Micro Threat Encyclopedia. This correlation allows users to prioritize and filter vulnerabilities so that they can get actionable information to administrators for remediation of vulnerabilities that can lead to malware infections. The service constantly correlates malware information obtained from Threat Encyclopedia real-time feeds to provide up to date references to exploits and related security resources.


Scheduling Scans
As you saw with mapping, scanning can also be scheduled. Select Schedule on the left menu and then go to New>Schedule Scan. Select the scan type Vulnerability if your account permits multiple scan types. The New Scheduled Vulnerability Scan page appears. This page is very similar to the New Scheduled Map page. You give the schedule a title, select scan targets, and then choose a start time, duration and occurrence frequency. You can also choose to receive an email notification each time this scheduled scan is scheduled to run. Specify when you'd like the notification sent out, enter a list of email recipients, and provide custom email text.

By scheduling scans in conjunction with reports that combine historical data, managers can see vulnerability trends over time. This provides a good executive-level view of the current state of vulnerabilities and of progress being made in remediation, a key element for regulatory compliance reporting.

There are several scheduling options available as shown below. This scan task runs monthly, the first Sunday of every month, starting at 3:30 AM Pacific Time (GMT-0800). You have the option of observing Daylight Saving Time (DST). You can also schedule the scan to automatically pause or cancel after a set number of hours. Select Help in the bottom right corner for assistance with setting up your scheduled task.

Scanner Parallelization
The scanner parallelization feature increases scan speed, making a scan up to 4 times faster, depending on the size of your network, while maintaining scan accuracy. It allows you to distribute a scan task to multiple scanner appliances when the scan target includes asset groups. When enabled for a scan task at scan time, the task is distributed to multiple scanner appliances in parallel for each target asset group. The scanners in each asset group are used to scan the asset group's IP addresses. Upon completion, results are combined into a single Scan Results report. To use the scanner parallelization feature, select the option All Scanners in Asset Group from the Scanner Appliance menu when launching or scheduling a scan.


View the scanner appliances list to see information about scanner appliances in your account. Select Scanner Appliances on the left menu under Tools. Columns show whether an appliance status is online (blank) or offline (yellow warning icon) based on the latest heartbeat check (every 4 hours), whether the appliance is busy running maps and/or scans, and whether its software is up to date. Click the Info icon to view more information on an appliance.

Selective Scanning using Search Lists


To perform a scan on individual vulnerabilities, you can tune the option profile for the scanner to scan only for selected vulnerabilities. This can be done in the Vulnerability Detection section of the scan profile using search lists. Select the Custom option and then click the Add Lists button to add one or more saved search lists to the option profile. The search lists define which vulnerabilities you want to scan for. When the option profile is applied to a scan task, the QIDs in the search list are scanned.

There are 2 types of vulnerability search lists: Static and Dynamic. A Static search list includes a specific list of vulnerabilities (QIDs) that you define. A Dynamic search list consists of a set of vulnerability search criteria (severity level, category, CVSS score, patch availability, etc.). When a dynamic search list is used, the service queries the KnowledgeBase to find all QIDs that currently match the search criteria and then includes those QIDs in the action. Dynamic search lists are updated automatically by the service as new QIDs are added to the KnowledgeBase and new patch information becomes available.

To create and manage the search lists in your account, select Search Lists on the left menu. Note that vulnerability search lists may also be used in other business objects, including scan report templates (for selective vulnerability reporting) and remediation policy rules (for ticket creation). You can find complete information and instructions for managing and using search lists in the online help.


PCI Scans and Compliance


Qualys is certified to help merchants and their consultants evaluate the security of credit card payment systems that process, transmit and store cardholder data, and achieve compliance with the Payment Card Industry (PCI) Data Security Standard (DSS). To learn how to validate compliance with the PCI Data Security Standard, go here. The Payment Card Industry (PCI) Compliance module is available in your account only when the PCI module is enabled for your subscription.

PCI Data Security Standard


The PCI Security Standards Council requires banks, online merchants and Member Service Providers (MSPs) to protect cardholder information by adhering to a set of data security requirements outlined in the PCI Data Security Standard. Founding members of the PCI Security Standards Council are American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International. The PCI Data Security Standard (DSS) represents a common set of industry tools and measurements for ensuring the safe handling of sensitive information. It details technical requirements for the secure storage, processing and transmission of cardholder data. The PCI Security Standards Council (PCI SSC) released new Approved Scanning Vendor (ASV) requirements on March 16, 2010; these changes are detailed here.

Integration with PCI Merchant


Our Vulnerability Management (VM) service is integrated with our PCI Merchant service to allow you to meet all PCI DSS certification requirements. Using the VM service, you can run PCI compliant scans on your in-scope infrastructure, perform remediation of detected vulnerabilities, and re-scan as needed to confirm you are compliant with the PCI DSS requirements. When no PCI vulnerabilities are detected by your PCI scan, use the Share with PCI option to share your completed PCI scan with your PCI Merchant account. Then log into your Merchant PCI account to generate PCI network reports and take required actions for certification: 1) submit network reports to your ASV for review and approval, and 2) once approved, submit PCI certified reports directly to your acquiring banks.

Step 1: Run PCI Scan


To run a PCI scan you select the option profile titled Payment Card Industry (PCI) Options which is provided by the service, when you define a scan. To run an on demand PCI scan, select this option profile on the Launch Vulnerability Scan page. (Select Scan on the left menu and then go to New>Scan.) To define a scheduled PCI scan, select this option profile on the New Scheduled Vulnerability Scan page. (Select Schedule on the left menu and then go to New>Schedule Scan. Select the scan type Vulnerability if your account permits multiple scan types.)

Step 2: Run PCI Technical Report and Remediate Vulnerabilities


Run the Payment Card Industry (PCI) Technical Report using the template provided. If PCI vulnerabilities were detected, perform remediation and rescan to verify these issues were fixed.


Step 3: Share PCI Scan with PCI Account


To share a completed PCI scan with your PCI Merchant account follow these simple steps:

1) Select Scan from the left menu.
2) Go to New>PCI Account Links. Review the PCI Merchant accounts that you have linked to. Add another account link if you wish to share a scan with a PCI account that is not listed. A Manager can create a new PCI Merchant subscription and link to it. (Note: A Manager must be the first user to link to any PCI Merchant subscription.)
3) On the scan history list, identify the completed PCI scan (with status Finished) you'd like to share.
4) Click the Share with PCI button in the preview pane.
5) Select the PCI Merchant account that you want to share the scan with. All PCI Merchant accounts that you have linked to are listed. (Note: While a scan is being shared with an account, you can't share another scan with the same account.)
6) Click the Share button. Please note: The service always shares the full scan results, including all IPs in the scan target, regardless of whether the user who shares the PCI scan has permissions to all IPs in the scan results. Any IPs that are not already included in the destination PCI account will be added automatically.
7) Review the success message that confirms the PCI scan has been exported to your selected PCI account.
8) Click the PCI Login button to log into the PCI service with your PCI account.
9) Using your PCI account, you can generate a PCI network report and take required actions for PCI certification.


Vulnerability KnowledgeBase
QualysGuard provides highly accurate vulnerability scanning made possible by the industry's largest and most complete Vulnerability KnowledgeBase, an inventory of thousands of known vulnerabilities that covers all major operating systems, services and applications. Vulnerability checks in the KnowledgeBase are continuously added and updated. To view the KnowledgeBase, select KnowledgeBase on the left menu.

In the upper right corner you'll see the total number of vulnerabilities along with navigation buttons for paging through the list. Icons in the Title column indicate the discovery method assigned by the service, patch availability, exploitability, and associated malware.

Discovery Method. Each vulnerability is assigned a discovery method indicated by these icons:

alone indicates Remote Only discovery. The vulnerability can be detected only using remote (unauthenticated) scanning.

alone indicates Authenticated Only discovery. The vulnerability can be detected only using authenticated scanning.

and indicates Remote or Authenticated discovery. The vulnerability can be detected using remote scanning or authenticated scanning.

Patch Available. indicates that a patch is currently available from the vendor. Note that you can use the Search functionality in the KnowledgeBase to find all vulnerabilities that have or do not have an available patch.


Exploitability. indicates that exploitability information is available. The service correlates exploitability information with service-detected vulnerabilities when known exploits are published by third party vendors and/or publicly available sources.

Associated Malware. indicates that malware is associated with this vulnerability. The service correlates malware information with vulnerabilities when malware threats for vulnerabilities are published in the Trend Micro Threat Encyclopedia.

The Severity column indicates severity from 1 (minimal) to 5 (urgent). Red represents confirmed vulnerabilities, yellow represents potential vulnerabilities, and blue represents information gathered.

Scanning Summary
QualysGuard supports both on demand and scheduled vulnerability scanning. Scanning profiles allow you to tailor the scan based on your selection of scanning criteria. All scans initiate emails with results summaries and links to the saved Scan Results information. QualysGuard also provides additional scanning functionality. For more information, refer to the QualysGuard Policy Compliance Getting Started Guide and the QualysGuard Web Application Scanning Getting Started Guide. These guides are available for download from within your user account in the Resources section (Help>Resources).


Step 3: Reporting
One area that distinguishes QualysGuard from other Vulnerability Management solutions is its very flexible, comprehensive reporting capabilities. Most other solutions produce rigid reports that reflect, one-for-one, whatever data they have gathered during a scan. There are few, if any, mechanisms for filtering, regrouping, or synthesizing the data into higher levels of information abstraction. QualysGuard reports, on the other hand, like quality business intelligence reporting, permit filtering and sorting that allows data to be viewed in different ways. QualysGuard reports consist of the following basic components: Network assets (IPs and/or Asset Groups) included in the report, Graphs and charts showing overall summaries and network security status, Trending analysis for a given network, Information about discovered vulnerabilities, and Filtering and sorting options to provide many different views of the data.

Report Share
Report Share functionality provides enhanced reporting capabilities for customers with large amounts of report data, and promotes collaboration and sharing of reports. Users can run reports once and share them with other users. Each report is saved for 7 days. Report Share functionality is enabled for Enterprise accounts automatically. When Report Share is enabled, users launch reports, view report status and download completed reports from the report history list according to their user roles and account settings. Additional features enable users with manager privileges to distribute reports to the right people at the right time. Managers and Unit Managers can grant users access to reports which they would otherwise not be able to view in Report Share, and users can distribute secure PDF reports to users outside of the application via email. To access shared reports, select Report from the left menu. The report history list appears. (If Report Share is not enabled, then the report templates list appears instead. See Report Templates.) The report history list is empty until at least one user generates a report. As reports are generated, the list is populated. The sample report history list below shows several reports in various formats, created by different users at different times.

Privileges to view reports in the report history list depend on each user's assigned role and assets, as defined for their user account. By default, Managers can view all reports in the subscription, Unit Managers can view all reports in their business unit, and Scanners and Readers can view their own reports. If the compliance module is enabled for your subscription, then Auditors can view all policy compliance reports, which are based on compliance scan data.

Launch Reports with Report Share


With Report Share, the reporting process works in a very similar way to the scanning process. You launch a report, it runs in the background while you work on other things, you can check the status from the report history list, and when the report is complete, an email summary is sent out with a link to the saved report. To launch a new report, select Report from the left menu. Go to the New menu and select the type of report you want to generate: Scan Report (Template Based or Scorecard), Patch Report, Map Report, Compliance Report or Remediation Report. When the compliance module is enabled for the subscription, additional compliance reports are available for reporting on compliance scan data.

Follow the online prompts to provide report details like a report title, report template and report format. Note there are several report templates provided by the service to help you get started. The Template Library provides a variety of pre-configured report templates designed to address many of your reporting needs. You can import them to your account and use them as-is or edit them to suit your requirements.

In the example above, the templates in your account appear first followed by those that you can import from the library. (Tip: if you type in this field, the list is filtered according to what you type.) Select the Executive Report template. This is an Auto template with the All group specified as the report target. You can overwrite the target for the current report by typing in the Asset Groups and IPs/Ranges fields. Click Run to launch the report.

The status of your report appears in a second browser window. Close the window to let the report run in the background. You can check the status of your report at any time from the report history list, and then download the completed report once it's finished. A report completion email notification is also available. When enabled, an email is sent to you when the report is complete. The email includes a report summary and a link to the saved report.

Additional Report Share Features


Additional Report Share features are available for making reports available to users who need them.

Grant Users Report Access
As a Manager user, you have the ability to grant other users access to reports that they wouldn't typically be able to see based on their user account settings. Report access can be granted for a specific report or for a scan report template. When granted for a scan report template, all reports generated by the scan template become available to users with report access. Other users with management responsibility (Unit Managers and Auditors) have the ability to grant users report access based on their own account privileges.

Securely Distribute PDF Reports
As a Manager user, you have the ability to encrypt PDF reports with a password and distribute them to users via an email distribution list, including users inside and/or outside of the subscription. To do this, go to Setup>Report Share on the top menu and select Secure PDF Distribution and click Save. The next time you launch a report with report share, you'll see the option Add Secure Distribution. Select this option, add a report password, add custom distribution groups with email addresses, select one or more groups for the report, and then launch the report.

When the report is completed, an email notification with a secure link to the report is sent to users who will be prompted to enter the report password before viewing the report. Also the encrypted report appears on the report history list for users with access; the report password must be entered to view the report. You'll notice an encrypted report is flagged with a gold lock icon in the Format column of the report history list. (There is one encrypted report in the report history list shown above.) Both Managers and Unit Managers have the ability to encrypt PDF reports and distribute them to users.

Report Templates
Most reporting is template-based. The report template outlines what information is included in the report and how that information is displayed. To view report templates available in your subscription: When Report Share is enabled, select Report Templates on the left menu under Tools. When Report Share is not enabled, select Report on the left menu. Your account includes pre-defined report templates to simplify report generation. The Template Library provides additional report templates that you can import to your account and use as-is or edit as needed. These templates are designed to address many of your reporting requirements. You can run these report templates at any time. You can also create custom scan and map report templates. See the report templates list below:

The Type column shows an icon that identifies the type of report: scan report, compliance report, map report, remediation report, patch report or consultant report (consultant accounts only). Whether or not Report Share is enabled, you can always run reports directly from the report templates list. To do so, click Run next to the report template you want to use and follow the online prompts. When Report Share is enabled, the report is launched using Report Share.

Import Report Templates from the Library


You can import report templates from the Library while viewing the report templates list. To do this, go to New>Import from Library. The Import Templates from Library pop-up appears.

Select the check boxes next to the templates you want then click Import. The selected templates are added to your report templates list. If there are vulnerability search lists associated with these templates, the search lists are also added to your account in the search lists data list. Once imported you can use these items as-is or edit them to suit your specific needs. The Library includes a variety of report templates, option profiles and vulnerability search lists. You can import configurations from the Library while viewing your data lists (report templates, option profiles, and search lists) and while stepping through workflows where these configurations are used. Once imported, configurations are saved in your account for viewing and editing.

Create Custom Templates


If the provided templates don't meet your exact needs, you can create custom scan and map templates and specify the information you want to include. Go to the report templates list then go to New>Scan Template, New>Patch Template, or New>Map Template. Select display and filter options for your report. (If the policy compliance module is enabled in your subscription, then you will also see the option to create a new Policy Template. See the Policy Compliance chapter for more information, starting on page 62.)

Scan reports can be tailored in thousands of different ways, and we suggest you try some different combinations of options to see the resulting output. On the New Template page, click the Advanced button to see all available options. Begin by giving your report a title, such as First Scan Report. Then, go down the list of options in display, and when you are finished, select Test at the bottom. You will notice that if you began your options by asking for only Status data, then later on, trend-oriented options will be grayed out. On the other hand, if you select Status with Trend these options then become available.

The Display, Filter and Services and Ports tabs each provide different reporting options. The User Access tab allows you to grant certain users access to reports generated from this template. As you finish setting report options, the buttons at the bottom of the page allow you to Save, Save As, Test, or Cancel. You can create on-the-fly reports that give you a snapshot, or you can create templates you will use repeatedly, and therefore will want to save. To see full details about all available template options, click the Help button in the bottom right corner of the New Template page.

Trend Analysis and Differential Reporting


Using the scan report template, select the Status with Trend option, and just the first two options under Graphics (Business Risk by Asset Group over Time and Vulnerabilities by Severity over Time) and then select Test at the bottom of the page.

The report starts with a report summary:

The summary of vulnerabilities section reports statistics on the vulnerabilities detected:

Following this is the graphical depiction showing business risk by asset group over time. It also shows vulnerabilities by severity over time. This is just one simple example of how QualysGuard's trend analysis reporting can give you a fast overview of business risk and vulnerability trends on a given network. QualysGuard allows customers to store host vulnerability data from scan results for an indefinite amount of time. This is very useful for organizations to establish a certain baseline and continue to reference it in order to measure progress. Sample graphs are below:

Detailed Results follow the report graphics. The current status (New, Active, Re-Opened or Fixed) appears for each vulnerability detected on the host. A sample detailed results list is below:

Performing Remediation Actions


There are several remediation actions you can perform directly from an Auto scan report. These include ignoring vulnerabilities, activating ignored vulnerabilities, creating remediation tickets and viewing/editing existing remediation tickets. In the Detailed Results section, place your cursor over the red cross ( ) and then select an action from the drop-down menu.

Depending on the status of the vulnerability, one of the following options appears:
- Ignore vulnerability. Ignore this vulnerability on the host/port combination. Ignoring vulnerabilities causes them to be filtered out of Auto scan reports, host information, asset search results and your dashboard. This action also closes associated remediation tickets for the vulnerability/host pair. If no ticket currently exists, one will be created and closed automatically for tracking purposes. To include ignored vulnerabilities in Auto scan reports, change filter settings in your report template. Note that ignored vulnerabilities always appear in Manual scan reports.
- Activate vulnerability. Reactivate this ignored vulnerability on the host. To see this option, you must include ignored vulnerabilities in your Auto scan report. To do so, change filter settings in your report template.

Depending on whether a ticket exists, one of the following options appears:
- Create ticket. Create a new remediation ticket for the host/vulnerability/port combination. The Create Ticket page appears where you specify who the ticket should be assigned to and when the ticket should be resolved. The ticket creation is logged in the ticket history with the name of the user who created the ticket and a time stamp for when the action took place.
- View ticket. View an existing ticket for the host/vulnerability/port combination. The Ticket Information page appears. From the File menu, click Edit to resolve or close/ignore the ticket, reassign the ticket to another user or add comments to ticket details.

It is best practice to create one or more remediation policies for the subscription to automate the ticket creation process. With a remediation policy in place, tickets are created automatically by the service when detected vulnerabilities match conditions specified in policy rules. See the Remediation chapter for complete information, starting on page 56.

Business Risk Reporting


One of the key functions of a Vulnerability Management solution is remediation reporting and tracking. To do this in the most efficient way, there needs to be some way of associating network assets with various business operations, so that the severity of vulnerability is correlated with business security exposure in order to arrive at a metric for business risk. QualysGuard automates business risk reporting while enabling users to tailor it to their enterprise. The system provides a default definition, but it also allows users to modify it to better reflect their own internal metrics. You customize the business risk calculations by going to Setup>Business Risk on the top menu bar. The Business Risk Setup page will appear defined by a matrix with Business Impact columns and Security Risk rows.

So, for example, a security risk of 5 has a business risk of 9 if the asset is associated with a Low impact business operation. On the other hand, it would have a business risk of 100 if associated with a Critical impact operation. The Business Risk Setup page below illustrates this.

You can assign Business Impact values to any asset group you have created. To do this, you select Asset Groups under Tools on the left menu. Here you will see the asset groups listed along with their IPs, domains, business impact, user, and last modified date. You can change the business impact definition by selecting the edit icon, selecting the Business Info tab, then setting the Business Impact level. Change it to some other identification, so if it was Critical, change it to Medium. Afterward, select Save. Note how changing the Business Impact level changes the previous trend and status report results, particularly the Business Risk metric:

CVSS (Common Vulnerability Scoring System)


QualysGuard supports CVSS Version 2. CVSS is the emerging open standard for vulnerability scoring (using a scale of 1-10). CVSS was commissioned by the National Infrastructure Advisory Council (NIAC) and is currently maintained by FIRST. CVSS is widely supported by security organizations and vendors including: CERT, Mitre, Cisco, Symantec, Microsoft and Qualys.

To display CVSS scores in scan reports, you must first enable the CVSS Scoring feature for the subscription. To do so, go to Setup>CVSS on the top menu bar. Then select the Enable CVSS Scoring check box. Once enabled, CVSS scores will be calculated for vulnerability/host pairs and displayed in scan reports.

The following values are needed to calculate a CVSS score for a vulnerability: Base Score, Temporal Score and Environmental metrics.

CVSS Base Score. The Base score measures the fundamental, unchanging qualities of a vulnerability. When the final CVSS score is calculated, the Base score is modified by the CVSS Temporal score and Environmental metrics. The Base score is provided by the service and assigned to vulnerabilities.

CVSS Temporal Score. The Temporal score measures the time dependent qualities of a vulnerability, which may change over time. The temporal score allows for mitigating factors to reduce the overall CVSS score for a vulnerability. The Temporal score is provided by the service and assigned to vulnerabilities.

CVSS Environmental Metrics. The CVSS Environmental Metric group captures the characteristics of a vulnerability that are associated with the user's IT environment. Users define environmental metrics in asset groups. The metrics apply to all hosts in the asset group.

In the sample scan report below, a final CVSS score of 8.6 is displayed for QID 90496 on IP 10.10.24.100. See the vulnerability details for the CVSS Base and Temporal scores assigned to the vulnerability and the CVSS Environmental metrics assigned to the host's asset group.
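To make the relationship between the three metric groups concrete, the following added example (not QualysGuard code and not part of the original guide) applies the public CVSS v2 equations to one vulnerability and two asset groups. The vector and the asset group names are constructed samples, not the values behind the 8.6 shown for QID 90496.

```python
from decimal import Decimal as D, ROUND_HALF_UP

# Metric weights as published in the CVSS v2 specification.
W = {
    # Base metrics (mandatory)
    "AV": {"L": "0.395", "A": "0.646", "N": "1.0"},
    "AC": {"H": "0.35", "M": "0.61", "L": "0.71"},
    "Au": {"M": "0.45", "S": "0.56", "N": "0.704"},
    "C": {"N": "0", "P": "0.275", "C": "0.660"},
    "I": {"N": "0", "P": "0.275", "C": "0.660"},
    "A": {"N": "0", "P": "0.275", "C": "0.660"},
    # Temporal metrics (ND = Not Defined)
    "E": {"U": "0.85", "POC": "0.9", "F": "0.95", "H": "1", "ND": "1"},
    "RL": {"OF": "0.87", "TF": "0.90", "W": "0.95", "U": "1", "ND": "1"},
    "RC": {"UC": "0.90", "UR": "0.95", "C": "1", "ND": "1"},
    # Environmental metrics (set per asset group in the guide's model)
    "CDP": {"N": "0", "L": "0.1", "LM": "0.3", "MH": "0.4", "H": "0.5", "ND": "0"},
    "TD": {"N": "0", "L": "0.25", "M": "0.75", "H": "1", "ND": "1"},
    "CR": {"L": "0.5", "M": "1.0", "H": "1.51", "ND": "1.0"},
    "IR": {"L": "0.5", "M": "1.0", "H": "1.51", "ND": "1.0"},
    "AR": {"L": "0.5", "M": "1.0", "H": "1.51", "ND": "1.0"},
}
BASE_METRICS = ("AV", "AC", "Au", "C", "I", "A")


def round1(x):
    """Round to one decimal, half up, as the CVSS v2 equations expect."""
    return x.quantize(D("0.1"), rounding=ROUND_HALF_UP)


def parse_vector(vector):
    """Turn 'AV:N/AC:L/...' into a dict of weights; reject malformed input."""
    seen = {}
    for part in vector.strip().strip("()").split("/"):
        name, sep, value = part.partition(":")
        if not sep or name in seen or value not in W.get(name, {}):
            raise ValueError(f"bad CVSS v2 metric: {part!r}")
        seen[name] = D(W[name][value])
    missing = [m for m in BASE_METRICS if m not in seen]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    for name in W:  # optional metrics default to Not Defined
        if name not in seen:
            seen[name] = D(W[name]["ND"])
    return seen


def score(vector):
    """Return base, temporal and environmental (final) scores for a vector."""
    m = parse_vector(vector)
    exploitability = 20 * m["AV"] * m["AC"] * m["Au"]
    temporal_factor = m["E"] * m["RL"] * m["RC"]

    def base_from(impact):
        f = D("0") if impact == 0 else D("1.176")
        return round1((D("0.6") * impact + D("0.4") * exploitability - D("1.5")) * f)

    impact = D("10.41") * (1 - (1 - m["C"]) * (1 - m["I"]) * (1 - m["A"]))
    base = base_from(impact)
    temporal = round1(base * temporal_factor)

    # Environmental: re-weight impact by the asset group's security
    # requirements, recompute the temporal score, then apply CDP and TD.
    adj_impact = min(D("10"), D("10.41") * (
        1 - (1 - m["C"] * m["CR"]) * (1 - m["I"] * m["IR"]) * (1 - m["A"] * m["AR"])))
    adj_temporal = round1(base_from(adj_impact) * temporal_factor)
    environmental = round1((adj_temporal + (10 - adj_temporal) * m["CDP"]) * m["TD"])
    return {"base": float(base), "temporal": float(temporal),
            "environmental": float(environmental)}


def scores_by_asset_group(vuln_vector, group_metrics):
    """Final score of one vulnerability on hosts in each asset group."""
    return {group: score(f"{vuln_vector}/{env}")["environmental"]
            for group, env in group_metrics.items()}


# Constructed sample data: one base+temporal vector, two asset groups.
SAMPLE_VULN = "AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C"
SAMPLE_GROUPS = {
    "Finance servers": "CDP:H/TD:H/CR:M/IR:M/AR:H",
    "Test lab": "CDP:N/TD:L/CR:L/IR:L/AR:L",
}

if __name__ == "__main__":
    print(score(SAMPLE_VULN))
    print(scores_by_asset_group(SAMPLE_VULN, SAMPLE_GROUPS))
```

The same vulnerability lands at opposite ends of the scale depending on the environmental metrics of the asset group, which is why those metrics deserve review before CVSS-based filters or remediation rules are trusted.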

Scorecard Reports
Scorecard reports provide vulnerability data and statistics appropriate for different business groups and functions. By configuring scorecard reports to use different views and groupings of assets, you can create multiple reports based on the same data satisfying both security operations personnel and business line leaders. You can then share each generated report with the people who need it in a format that is meaningful to them. The service provides 5 different scorecard reports which may be run on asset groups in your account, asset groups in a particular business unit (Manager only) or asset groups that have been tagged with business information (as defined for asset groups).

Scorecard reports provided by the service:
- Asset Group Vulnerability Report: Identifies vulnerabilities with severity levels 3-5.
- Ignored Vulnerabilities Report: Identifies vulnerabilities that are currently ignored.
- Most Prevalent Vulnerabilities Report: Identifies vulnerabilities with the highest number of detected instances.
- Most Vulnerable Hosts Report: Identifies hosts with the highest number of critical vulnerabilities.
- Patch Report: Identifies hosts with missing patches and software.

To view and manage scorecard reports, select Report from the left menu. Then select the scorecard report option from the New menu. The New Scorecard Report page appears showing the 5 scorecards provided by the service plus any user-customized scorecard templates. To run a scorecard report, select a scorecard from the list and click Run. You can also edit a scorecard template to customize report settings and save it for future use. To do so, select a scorecard from the list and click the Edit link.

After launching a scorecard report, the report appears in the report history list when Report Share is enabled in your account, and from there you can check its status to completion. When Report Share is not enabled, the report status appears in a pop-up window. When the report completes, it appears in the pop-up window.

The sample scorecard report below shows the top 10 most prevalent vulnerabilities across all asset groups that have been tagged with the Function Finance and Location New York:

Patch Reports
The Qualys Patch Report helps you streamline the patching process and improve remediation efficiency. The patch report leverages standard QualysGuard capabilities to provide accurate, actionable and focused reports so you can quickly and efficiently remediate vulnerabilities without applying unneeded, redundant patches. For the most accurate results in your patch report, be sure that authenticated scanning was used to scan the hosts selected for the report. Using authenticated scanning allows the scanning engine to collect the most detailed information about each target host including the host's operating system. When this information is in your account, the service identifies the most appropriate missing patch(es) in your patch report. QualysGuard provides a pre-configured patch template Qualys Patch Report. Using this template you can identify the patches you need to apply right away. Your patch report can be saved in these formats: PDF, CSV and Online Report. The Online Report format provides a feature-rich user interface including numerous ways to navigate through your report content. HTML content is displayed in your browser using Ext, a client-side Java framework. A sample Online Patch Report is shown below. This report was generated using the preconfigured template Qualys Patch Report. In this report patches are grouped by host.

This patch report summary shows: 196 total patches need to be applied to fix the vulnerabilities on the target hosts, 14 hosts require patches to be applied in order to fix the vulnerabilities, and 318 vulnerabilities in the user's account are addressed in the report. (1) To view the target asset groups and/or IPs: Click View Report Targets.

(2) To sort the HOSTS list by a host attribute: Click a host attribute (column title) in the HOSTS list. The arrow next to the column title indicates the sort order: ascending (Up arrow) or descending (Down arrow). Click the column title again to toggle the sort order.

(3) To view the missing patches for a particular host: Move your mouse pointer over a host in the HOSTS list and click the host row. The missing patches for the host appear in the PATCHES list (on the right). In the PATCHES header you'll see the number of missing patches for the selected host. In this case, there are 13 missing patches for the host 10.10.24.47.

(4) To page through the HOSTS list: Use the arrow keys (under the list area) to page forward and backward through the list. Enter a number in the field provided to jump to a certain page number.

(5) To apply a filter to the HOSTS list: Enter a string in the Filter field (under the list area). The HOSTS list will be updated to display only hosts with attributes matching the string you enter. For example, if you enter 10.10.25.6 the report will display only IP addresses including that string.

(6) To read the vendor's security bulletin related to a patch: Click the vendor ID link for a patch in the PATCHES list.

(7) To view the vulnerabilities that will be fixed after applying a patch on a host: Refer to the Vulns column for a patch in the PATCHES list. Click the number of vulnerabilities link to view a list of vulnerabilities which the patch will fix (this link is available if "QIDs that will be fixed by each patch" is selected in the patch template used).

Consultant Reports
Consultant reports apply only to Consultant subscriptions. Consultants have the ability to create consultant templates and generate consultant reports specific to their customers' needs. These formats are supported: PDF, HTML, MHT, XML, CSV and Microsoft DOCX. Using the consultant template you can define the report layout and filtering options similar to scan report templates. The consultant template includes configurations for cover page, customer information and report summary.

A sample cover page is below. The cover page includes the customer information, consultant information and the summary defined in the template.

Asset Search
During the scanning process, the scanning engine attempts to gather information about target hosts, including the host's operating system, open TCP and UDP ports and services running on open ports. The asset search feature enables you to search through scan results to find hosts based on this type of information. To perform an asset search, select Asset Search on the left menu. Identify your search target and host attributes (optional). To start the search, select Search.

Using the host attributes section, you can search for hosts with a certain DNS or NetBIOS hostname, tracking method, operating system, port number, service or detected vulnerability. You can also search for hosts scanned within a particular time-frame. The sample below shows an asset search on the group First Asset Group for all Linux hosts running the HTTP service.

Asset search results appear in a separate browser window so you can launch several queries at the same time. You have the option to print asset search results and download them in various formats.

As shown below, two hosts matched the criteria specified in the sample asset search.

Risk Analysis
With the almost daily identification of new vulnerabilities and the daily update of the KnowledgeBase by Qualys, you can instantly quantify exposure to new threats. Even before launching a scan you can run Risk Analysis against your existing scan data to identify risk. To perform risk analysis, select Risk Analysis on the left menu. In the Analyze section, identify the target hosts you want to analyze for risk due to a specific threat. Then select the QID for the threat (vulnerability or potential vulnerability) you want to test, and click Run.

Results from the risk analysis appear in a separate browser window.

The example below shows results for analysis of the QID 90151 on the assets in the group titled First Asset Group:

The Results section lists all hosts from the asset group that are potentially at risk due to the threat you selected (vulnerability or potential vulnerability). Hosts are at risk if at least one positive match is identified between the vulnerability exploit data and known host information. Hosts are listed by business impact and then by the number of conditions matching the vulnerability exploit data. In the example above, host 64.39.104.243 has 3 matching conditions for the vulnerability: operating system, service and open port. Host 64.39.104.242 has 1 matching condition: operating system.

Reporting Summary
QualysGuard's highly flexible, comprehensive reporting capabilities distinguish it from other Vulnerability Management solutions. Report Share functionality provides Enterprise users with a centralized location for sharing reports with other users. Template based reports and Scorecard reports are available for reporting on vulnerability scan data in your account. The Qualys Patch Report helps you streamline the patching and remediation process. Policy compliance features include the Payment Card Industry (PCI) module and compliance reports such as the Qualys Top 20 Report and SANS Top 20 Report. The Template Library includes pre-defined report templates that you can import and use as is or edit as needed.

Step 4: Remediation
Discovering all network assets, scanning various assets for vulnerabilities, and reporting what was found are all critical aspects of Vulnerability Management. As the last piece, having now found those vulnerabilities, you need to eliminate or mitigate them. QualysGuard provides a remediation ticketing capability similar to trouble tickets created by a support call center. You, as a manager, can control the policies surrounding such tickets, and assign the responsibility for fixing them. QualysGuard will note when tickets have been created, and will track in subsequent scans any remediation changes. Manual trouble ticket creation does not scale in an enterprise network with thousands of hosts and vulnerabilities. Therefore, this process is automated via remediation policies, allowing customers to automatically create tickets upon scan completion and assign them to the appropriate user within the organization. Additionally, customers can automate trouble ticket integration into their helpdesk systems using the QualysGuard API.

Remediation Policy
Remediation tickets are created by selecting Remediation Policy under Tools on the left menu. The rules in your remediation policy determine how tickets will be created and to whom tickets will be assigned. A sample policy with multiple rules is shown below:

Unit Managers may be granted permission to create business unit specific remediation policies. The rules for business unit policies may be seen under the column Business Unit. The ones displayed as Unassigned are rules for the global policy, created by managers for the subscription.

To allow a Unit Manager to create a business unit remediation policy, select User Accounts under Tools and edit the user's account. Under Extended Permissions you can check the Create/edit remediation policy check box and save the change. See User Management on page 14 for more information on adding users.

Policy rules use vulnerability search lists to define the conditions that must be met for a ticket to be created. There are two types of search lists: static and dynamic. A static search list includes a specific list of vulnerabilities (QIDs). A dynamic search list consists of a set of vulnerability search criteria (severity levels, CVSS scores, patch availability, products, vendors, etc). When a dynamic search list is used, the service dynamically compiles a list of QIDs based on the criteria defined in the list. Dynamic search lists are updated automatically by the service as new QIDs are added to the KnowledgeBase. Several search lists are provided by the service. You can also create custom search lists for specific purposes.

To create a vulnerability search list, select Search Lists under Tools. Then go to New>Static List or New>Dynamic List. For now, let's create a dynamic search list with confirmed severity levels 4 and 5. In the New Dynamic Vulnerability Search List page, give the search list a title and then select the severity levels in the Criteria section. Click Save to save the search list. Saved vulnerability search lists may be used in remediation policy rules, option profiles and scan report templates.

We're now going to create a remediation policy rule using the new dynamic search list. When you go to the Remediation Policy page for the first time there are no rules. Create policy rules appropriate to the organization's existing security policy. You need to add at least one rule before QualysGuard will automatically create tickets. Select Remediation Policy under Tools on the left menu, and then go to New>Rule.

On the New Rule page, give the rule a title, such as First Rule. In the Conditions section, specify the hosts the rule applies to. Then add one or more saved search lists to the rule. In the Actions section, you may choose to assign tickets to a specific user, to the user who launched the scan resulting in the ticket (the default) or to the user who owns the host. Optionally, select Ignore if you never want tickets created when the rule conditions are met. Click Save after making your selections.

The new rule will now show up in the remediation policies list as First Rule. The sample rule above results in tickets being created when vulnerability severity levels 4 and 5 are detected. The tickets will be assigned to the user who launched the scan resulting in the detection.


Ticket Creation
Now that you have explored the remediation capabilities and created a remediation policy, you are ready to run a scan to create tickets. Launch a scan as you did before. See Starting a Scan on page 26 for assistance. When your scan completes, go to the Remediation page by selecting Remediation on the left menu. Tickets that are in Open state and assigned to you are listed.

Click the Search option on the top menu bar to find tickets based on various ticket, host and vulnerability attributes.


Click the Info icon for any ticket to view ticket details. The Ticket Information page will appear. You can expand and collapse sections to view different ticket details.

The ticket history includes actions taken on the ticket automatically by the service, such as when the vulnerability was discovered, when it was fixed, and the remediation policy rule that resulted in the ticket creation. Actions taken by users are also included.

Verification is done automatically as scan results become available. You also have the option to launch a verification scan directly from the Ticket Information page. This option is available for tickets on IP tracked hosts. This is especially useful if you've applied a fix for a vulnerability and want to immediately verify that the fix resolved the issue. To do so, go to File>Scan on the top menu bar. You will be redirected to the Launch Scan page with certain scan settings prepopulated. For example, the scan title will be Verification Scan Remediation Ticket <number>. If applicable, select a scanner appliance to apply to the task, and then select Launch. Remember, many tickets may be updated as a result of scanning a single host.

To make changes to the ticket, go to File>Edit on the top menu bar. The Edit Ticket page will appear. You can change the ticket state, reassign the ticket to someone else, add comments, and so on.

Manual Ticket Creation


As already discussed, it is best practice to create one or more remediation policies for the subscription to automate the ticket creation process. With a remediation policy in place, tickets are created automatically by the service when detected vulnerabilities match conditions specified in policy rules. QualysGuard also has the functionality for out-of-band ticket creation. Users can manually create tickets for any host/vulnerability/port combination directly from scan status reports (Auto). See Performing Remediation Actions in the Reporting chapter on page 45.


Remediation Reporting
A large network will likely have a very large number of remediation tickets associated with it at any point in time. Thus, any user may also have a large number of tickets. One way for a manager to understand the progress and compliance with remediation policy is to use QualysGuard to initiate a remediation report. These remediation report choices are available: Executive Remediation Report, Tickets per Vulnerability, Tickets per User and Tickets per Asset Group.

Run the Executive Remediation Report by clicking the Run icon next to it on the report templates list. Follow the online prompts to select report options like report target (asset groups and/or IPs). Leave the default All tickets selected. Then click Run. QualysGuard will then run an Executive Remediation Report like the one shown below. The report summary shows statistics like this:

The status of all Open Tickets appears like this:

The status of all Closed Tickets appears like this:


Then you can see the ticket state changes over time. The graphs showing Ticket State Changes and Open Ticket Trend appear like this:

Feel free to run the other remediation reports to see the information that QualysGuard returns.

Remediation Ticket Update Notification


You can choose to receive daily remediation ticket updates in your user account. The email notification identifies the status and changes to the tickets in your account over the past day. Tickets assigned to you and tickets based on assets in your account are included.

Remediation Summary
QualysGuard provides a remediation process that allows you to close the loop in your Vulnerability Management process. This is done with powerful capabilities, such as automatic ticket generation, that separate QualysGuard from other solutions.


Step 5: Policy Compliance


QualysGuard Policy Compliance allows customers to audit and document compliance to internal and external auditors to meet corporate security policies, laws and regulations. This operationalizes Vulnerability Management and Policy Compliance, combining it into a single solution that is delivered as a service. Policy Compliance is available in your account only when it is enabled for your subscription. The Policy Compliance module provides compliance management features, allowing users to create and manage policies, perform compliance scans, run compliance reports, and manage exception requests. This chapter will provide you with an introduction to QualysGuard Policy Compliance and its features. For complete information, refer to the QualysGuard Policy Compliance Getting Started Guide, which is available for download from the Resources section (Help>Resources).

Policy Compliance Workflow


The Policy Compliance process is shown below.

Before You Begin
Before you begin, check the top menu bar to see whether the PC module lock icon is enabled for your subscription. When the PC module is enabled, a red lock appears. Contact Technical Support or your Technical Account Manager to enable this feature.


Add Auditor Users (Optional)
Create users with the Auditor user role to perform compliance management tasks. Auditors can create and manage compliance policies for the subscription, generate reports on compliance data and manage exception requests. Auditors only have visibility into compliance data (not vulnerability data).

Add Custom Controls (Optional)
The service provides technical controls for measuring compliance against a wide variety of technologies, including operating systems (e.g. Windows 2003) and applications (e.g. Oracle 9i). In addition to the service-provided controls, users can add custom controls to the subscription, making them available for compliance scanning and reporting. The service supports custom controls for various Windows and Unix technologies.

Customize Frameworks for the Subscription (Optional)
When users view technical control information, the details include a list of frameworks, standards and regulations that the control maps to. Manager users have the option to customize the list to only display selected frameworks. This setting is made at the subscription level.

Step 1: Create Policies
A policy is a collection of controls (service-provided or user-defined custom controls) pertaining to one or more technologies in your environment. Each control in the policy includes a statement of how the technology-specific item should be implemented and one or more checks performed by the service to validate the control. The policy is later compared to compliance scan results to identify whether hosts are compliant with the policy.

Step 2: Assign Asset Groups to Policies
When creating or editing a policy, assign asset groups to the policy. Assigned asset groups should include compliance hosts that are relevant to the technologies in the policy.

Step 3: Run Compliance Scans
Compliance scans identify whether hosts are compliant with user-defined policies. You can launch a compliance scan on hosts that have been defined as compliance hosts for your subscription. Before you launch compliance scans, you must create compliance profiles and add authentication records for trusted scanning.

Step 4: Generate Compliance Reports
Generate specialized compliance reports on host compliance data. Interactive reports let you change the report source options in real-time to identify the compliance status for individual hosts and the pass/fail status for technical controls. Template-based reports identify whether the service was successful in authenticating to hosts and whether hosts are compliant with user-specified policies.

Step 5: Manage Exceptions
A workflow is provided for exempting certain hosts from certain controls in a policy. Exceptions are valid until a specified end date as determined by the exception approver. Any user with compliance management privileges can request an exception. Managers and Auditors then review exception requests and either accept or reject them.


Accessing Policy Compliance Features


When enabled, Managers are granted access to compliance management features automatically. Managers can add Auditor users with access to compliance policy management and reporting features at the enterprise level, without vulnerability management capabilities. Sub-accounts may be added/updated to grant these users role-based access to compliance management.

A. Compliance Scans: Compliance scans gather compliance data from hosts in asset groups.

B. Compliance Reports: Reports with multiple views to review compliance status with a particular policy by business unit, asset group or host. (Note: Report Share is enabled.)

C. Exceptions: Exception requests submitted by users. Each request is for a host/control in a certain policy. Managers and Auditors may approve exceptions. Unit Managers may approve exceptions when granted this permission.

D. Policies: A policy is a written statement of a rule that is applied to operating systems and applications, referred to as technologies, in the network environment.

E. Controls: Technical controls based on CIS and NIST standards measure compliance against frameworks and regulations such as COBIT, ISO, ITIL, FFIEC, NERC, etc.

Policy Compliance Summary


QualysGuard provides Policy Compliance functionality for auditing host configurations and measuring their level of compliance with internal and external policies. When enabled, Policy Compliance features are integrated into QualysGuard, allowing users to run compliance scans, generate policy compliance reports, and manage exception requests.


Wrap-up
Now that you are in the process of your evaluation, it is time to think about your key requirements and prioritize them. Some of the key strengths that differentiate QualysGuard are:

Secure Operations Centers


QualysGuard provides end-to-end security, connecting QualysGuard Secure Operations Centers (SOCs) to remote intranet scanners, scanner appliances and users. When managers add new users and assign roles to them, QualysGuard uses the role-based permissions to grant users access to scan data (manage, scan, or read only). Additionally, every bit of vulnerability data scanned is stringently encrypted before being transported to the Qualys SOC. All of your vulnerability account data stored in redundant SOCs is also encrypted and unreadable by anyone without account authorization. QualysGuard is the only solution that encrypts vulnerability data for customers, a security requirement for enterprise customers as well as a key requirement for Sarbanes-Oxley compliance.

Global Scanning Infrastructure


The QualysGuard security service provides a highly accurate scanning infrastructure used by thousands of organizations around the world to protect their networks from the security vulnerabilities that make attacks against networks possible. The service draws upon this same scanning infrastructure to deliver business applications in the form of service modules for PCI compliance, policy compliance and web application scanning. The QualysGuard process is similar to that used by the best consultants exercising best practices. As such, scanning is non-intrusive yet effective and accurate. It leaves no vulnerability uncovered and so provides comprehensive discovery and analysis. For vulnerability scans, the KnowledgeBase core upon which QualysGuard relies is updated several times each day, and new vulnerabilities and their signatures are added daily. Qualys is continuously improving its already very low level of false positives, so our assessments are accurate to a very high degree, reaching Six Sigma quality level in terms of accuracy and low false positives.

Prioritized Remediation
With the flexibility to tailor business risk metrics, and the ability to modify business impact levels, you can closely match business risk results with actual business risk exposures. This is critical for creating an effective, priority-oriented approach to remediation. It is the combination of vulnerability severity AND business impact that determines both the level of business risk and the order of remediation priority. When a user is assigned a remediation ticket, it is associated with a specific vulnerability. That user can easily and quickly identify the vulnerability, its threat level and impact, and find the remedy or workaround to eliminate or mitigate it.


Compliance Reporting
QualysGuard provides customizable reports for achieving compliance with a wide variety of security standards and regulations, including Payment Card Industry (PCI) Data Security Standard, HIPAA, GLBA, SB 1386, Sarbanes-Oxley, FISMA, the CobIT information technology standard and others. QualysGuard is certified by MasterCard for PCI Compliance auditing and reporting. When appropriate vulnerabilities are fixed per the PCI standard, the QualysGuard PCI Executive report may be submitted directly to the acquiring bank for certification. QualysGuard also offers pre-defined report templates for identifying the Qualys Top 20 and SANS Top 20 vulnerabilities. Using QualysGuard's reporting engine and API, you can produce custom compliance reports where you build a custom policy and run reports against this policy.

QualysGuard Policy Compliance provides automated exception and trend reporting to document compliance to internal and external auditors. The Auditor user role gives selected users permission to manage compliance reporting and exceptions. Reports identify compliance to a policy by asset group and by host. Exception creation and management is integrated in reporting workflows for ease of use.

Interoperability
Although QualysGuard provides all the capabilities to handle vulnerability management on its own, it also provides an extensible XML API for integration with third-party commercial and internal customer applications. QualysGuard's trusted, third-party vulnerability assessments provide a solid foundation for automated correlation and analysis. Robust integration capabilities benefit many types of organizations by improving the capabilities of existing solutions such as: SIEM, Patch Management, Help Desk, Risk Management, Network Admission Control, IDS/IPS, Network Patching, Network Behavior Analysis, Security Policy Management, Penetration Testing, and more.

Software-as-a-Service (SaaS) Solution


Implementing a Vulnerability Management and Policy Compliance process with best practices, and identifying and remediating critical vulnerabilities in a timely manner, requires the ability to discover changes to a network within a short time after they have occurred. It relies on comprehensive and accurate vulnerability assessments with a minimum of false positives. Because all network assets and vulnerabilities are not equal, the process needs a way to establish meaningful priorities for addressing the vulnerabilities that are found. It must have a way to track and report on remediation efforts to provide a real measure of progress and reduced threat levels. And, it must provide policy compliance reporting for information security management and risk assessment. QualysGuard addresses all these enterprise requirements with its Software-as-a-Service (SaaS) solution. There is no infrastructure to deploy or manage. For more information, please visit www.qualys.com.


Contact Support
Qualys is committed to providing you with the most thorough support. Through online documentation, telephone help, and direct email support, Qualys ensures that your questions will be answered in the fastest time possible. We support you 7 days a week, 24 hours a day. Access online support information at www.qualys.com/support/.
