All Your VMDR Questions, Answered

Last week, Qualys launched its latest solution, Vulnerability Management Detection and Response – VMDR, which integrates asset visibility, vulnerability management, detection and response across global hybrid-IT environments all from a single app. It was presented to the world with an informative webinar (available here).

With the recognition that this launch is taking place during unprecedented times, we caught up with Sumedh Thakar, President and Chief Product Officer, and Philippe Courtot, Chairman and CEO at Qualys, to discuss how VDMR can help organisations improve their security posture.

Will VMDR replace VM and all its associated modules?

VMDR is not a combination of the existing modules, it’s essentially one single application. In that sense, it will replace a lot of the functionalities we have with the various VM solutions, like threat protection. Users, however, are not going to be forced to upgrade to VDMR.

Users who decide not to update to VMDR will still receive certain benefits and features, such as the dynamic dashboard.

Does the asset discovery inventory identify external facing assets, and how do the capabilities for end of life and outdated components factor in, as we know unpatched applications are at higher risk?

VMDR brings together a lot of the data from the different sensors and coordinates it in the back end. It effectively provides enterprises and organisations with the ability to scan the entire internet and identify external assets.

We are currently working on even more integrations, which will bring additional feeds into that capability. Furthermore, the asset inventory provides the visibility from an internal asset perspective, too.

There are additional optional enhancements, such as the ability to know when a piece of software is reaching end of life. It is bundled into the product and it can be activated very easily for those who wish to trial it.

One of the core features of VMDR is the integration of patch detection and patch deployment capabilities into a single interface. What if an organisation doesn’t have the Qualys patch management module enabled, would the dashboard still show that a patch is available to the user?

Absolutely. The great advantage of having an integrated interface is the ability to switch from detection of devices to the detection of patches as part of VMDR. What that means is that organisations can detect specific patches on specific devices.  The agent allows you to tag exactly which file needs to be deployed to fix a specific vulnerability. Even if the patch deployment capability is not enabled from Qualys, the detection capability is included as part of VMDR, so from there organisations can decide whether they want to leverage that information to deploy another third party patching system or leverage Qualys’ agent itself and reduce the window of exposure.

What if an organisation has Qualys, but there’s another team that deals with the patching, how can VMDR help them?

Being cloud-native, we have always had very strong role-based access control capabilities and user scope capabilities. So, even if it is a different team that deploys patches within an organisation, they can be given specific access and specific permissions to look at the patching part and have an approved workflow in there.

Therefore, you can have the separation of duties between the vulnerability team and the patching team, who can both be looking at the same platform and looking at the same data, but through different  workflows tailored for individual users.

Customers are worried about potential issues when patching production servers. How can Qualys help?

We have a highly capable patch deployment module, which is very mature and has built in scheduling and roll back of patches. Because everything we do on the platform has the cohesion and the homogeneity of being tied around assets and asset tags, customers that have automated tests can simply enable one particular tag on test systems first. Once they are satisfied that the patch doesn’t cause any issue on the test systems, the patch can be rolled out on to the production servers, with the knowledge that it won’t impact assets negatively.

You can also do that based on the type of asset: with laptops, for instance, it is almost always the case that the organisation wants to auto-patch Adobe or the operating system, but as the capability matures we are aiming to provide information on which patches might be failing or causing issues.

We are currently using the Qualys cloud agent for VM on a cloud and premise virtual machines. Is VMDR different to what we are currently using?

It’s all part of the same sensors and the same agents, which means that all the capabilities are built in the platform. Whether you use Qualys’ agent that does data collection and sends it back to the platform on laptops, on Microsoft Azure or AWS, you won’t need to install another one or manually update it.  Whether it’s cloud, android devices, or tablets in meeting rooms, the same agent can be deployed to discover devices, bring all of those together, detect all vulnerabilities, prioritise and provide the ability to remediate and respond.

Does VMDR require the deployment of the cloud agent?

VMDR doesn’t require the cloud agent to be deployed, as we can already provide the ability to look at threats and paradigms based on scans and authenticator scans. However, deploying the cloud agent gives organisations even more precise information from devices, and the capability to automatically correlate and highlight what is needed. Given how quickly the nature of assets and vulnerabilities change, a lot of the value of VMDR comes from having more real time information from the agents.

What are VDMR’s API options?

As you enable VMDR, a lot more high-fidelity information will be coming out from the APIs. We have a couple of additional new APIs related to patching, which will provide additional information to integrate with other patch management solutions.

The base level of the APIs usage tier is already included in VMDR, so if organisations wish to have even more hyper realism on the APIs, then that will be something that can be discussed with account managers as Qualys can certainly help with that.

Given that many organisations had to swiftly adapt to remote working, how can VMDR ease their security concerns?

Deploying patches remotely puts considerable pressure on IT security teams. To give back to the community, Qualys has enabled a standalone version of the VMDR cloud-based solution, Qualys Remote Protection, which is available for free for 60 days. It gives security teams instant and continuous visibility of remote computers so they can easily see missing patches for critical vulnerabilities and deploy them from the cloud. The patches are delivered securely and directly from vendors’ websites and content delivery networks to ensure there is little to no impact on external VPN bandwidth.