Transcription
QUALYS SECURITY CONFERENCE 2018
Qualys Compliance Solutions
Automate the Assessment of Technical Controls & Mandate-based Security Requirements
Tim White, Director, Product Management, Qualys, Inc.

Compliance Challenges
- Continuing expansion of industry & regulatory mandates
- Ensuring coverage of technical & non-technical controls
- Maintaining visibility across silos
- Due diligence beyond the regulated environment
Qualys Security Conference, 2018, December 11, 2018

Necessities to Support Digital Transformation
- Complete visibility across business units, technologies, and environments
- Simplified processes, so teams can focus on improving security rather than running products
- Flexible options for capturing required compliance data
- Support for emerging technologies and capabilities
- Tight integration across security technologies to support complex mandates and audit requirements
- Automation and process integration to support DevSecOps
- Comprehensive reporting against regulations, mandates & audit objectives

Qualys Security Compliance Apps
- PC: Policy Compliance
- FIM: File Integrity Monitoring
- SAQ: Security Assessment Questionnaire

Use Case: ISO Compliance via a Unified Security Program
Customer: EU financial institution
- Digital transformation underway
- Leveraging ISO for control objectives company-wide
- GDPR IT security goals as a function of ISO
Goals
- Address ISO certification readiness as a by-product of good cybersecurity practices
- Consolidated cybersecurity dashboard based on the ISO objectives
Requires
- Security vendor consolidation
- Integrated solutions
- Strong regulatory content
- End-to-end mandate reporting

Start with a Strong Foundation
- Asset management
- Restrictions on changes to software packages
- Operations: technical vulnerability management
- Access control
- Procedural controls & supplier relationships
(Qualys apps shown: CM, VM, TP, PC, SAQ)

Continuously Assess Controls with Qualys Policy Compliance (PC)
- Define policies and controls
- Continuously assess
- Report, inform & remediate
- Manage exceptions

Complete Visibility
- Assessment for out-of-band configurations
- Expanded UDC (user-defined control) support
  - Cloud Agent support for OS UDCs
  - Database UDC
  - Windows file content
  - Command UDC
- PC dashboard

Broad Technology & Control Coverage to Support Emerging Technologies & Digital Transformation
- Network devices
- Applications
- Operating systems
- Emerging technologies
- Containers
- Cloud security
- Qualys Platform Security Report
- Security gap assessment

Coming Soon: PC Dashboard & Control Search (PC)

Database UDC
- Initial support: MSSQL, Oracle, MongoDB
- Define a DB query (read-only), customizable by DB version
- Set a query to return tabular data to evaluate (which can include evidence)

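The pattern behind a database user-defined control, as an added illustration that is not Qualys code: a read-only query returns tabular data, the rows are evaluated as the control's result, and the rows themselves are kept as evidence. SQLite stands in for MSSQL/Oracle here, and the sample `server_logins` table, the control query, and the "no rows expected" pass condition are constructed assumptions. The read-only requirement is enforced by the engine via an authorizer, so a query that tries to modify data is rejected rather than run.

```python
import sqlite3

# Constructed sample data: a server-login catalog standing in for a real DBMS table.
SAMPLE_SCHEMA = """
CREATE TABLE server_logins (name TEXT, is_disabled INTEGER, password_policy_enforced INTEGER);
INSERT INTO server_logins VALUES ('sa', 0, 1), ('app_svc', 0, 0), ('old_admin', 1, 0), ('report_ro', 0, 1);
"""

# Assumed control query: every returned row is an enabled login without password policy, i.e. a failure.
CONTROL_QUERY = """
SELECT name, is_disabled, password_policy_enforced FROM server_logins
WHERE is_disabled = 0 AND password_policy_enforced = 0
"""

def _read_only_authorizer(action, arg1, arg2, db_name, trigger):
    # Only SELECT, column reads and SQL functions are permitted; INSERT/UPDATE/DELETE/DDL are denied
    # by the engine at statement-compile time, so a UDC query can never change the database.
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION):
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY

def sample_connection():
    """Build the constructed sample database, then lock the connection to read-only use."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    conn.set_authorizer(_read_only_authorizer)
    return conn

def evaluate_db_control(conn, query, expect_no_rows=True):
    """Run the control query and evaluate its tabular result; the rows are returned as evidence."""
    try:
        cur = conn.execute(query)
        columns = [d[0] for d in cur.description]
        rows = [dict(zip(columns, r)) for r in cur.fetchall()]
    except sqlite3.DatabaseError as exc:  # includes "not authorized" from the authorizer
        return {"status": "ERROR", "evidence": [], "error": str(exc)}
    passed = (len(rows) == 0) if expect_no_rows else (len(rows) > 0)
    return {"status": "PASS" if passed else "FAIL", "evidence": rows}

if __name__ == "__main__":
    conn = sample_connection()
    print(evaluate_db_control(conn, CONTROL_QUERY))          # FAIL with app_svc as evidence
    print(evaluate_db_control(conn, "DELETE FROM server_logins"))  # ERROR: write denied
```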
Simplifying Processes
- Expanded library content
- Instance discovery & controls
- Migration to new UI; up first: PC dashboard, policy & control library, reporting
- Mandate-based policy configurator
- Leverage asset inventory for asset lifecycle management

Mandate Policy Configurator
- More granular, customizable control objectives
- Custom & library mandates
- Generate policies from a mandate
- Mandate-specific reports
- Gap analysis reports

Integration Across the Platform: Unified Compliance Assessment
- Out-of-the-box library of metrics
  - SAQ self-assessments
  - Vendor risk violations
  - VM & PC remediation SLA failures
- Customizable! Map back to control objectives & custom mandates
- Result: a single pane of glass for reporting metrics & compliance violation tracking across the platform!

Defining Metrics & Mappings
- Leverages the new alerting feature as exposed in apps
- Define ANY QQL query
- Action is "Log a Compliance Metric"
- Metrics are then mapped to control objectives, which are cross-mapped to regulations

Security Metric Examples
- High severity vulnerabilities / patching
- FIM incident review expired
- Cloud security configuration issues
- Expired or self-signed certificates
- Vendor risk: failure to respond
- Procedural control gap identified

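The metric pipeline from the three slides above (query matches a finding, the "Log a Compliance Metric" action records it, the metric rolls up through a control objective to the mandates that cite it), as an added illustration that is not Qualys code. The findings, the predicates standing in for QQL queries, and the objective and mandate mappings are constructed assumptions chosen to mirror the metric examples listed; they are not authoritative mappings to any regulation.

```python
from collections import defaultdict

# Constructed sample findings from different apps (not real Qualys data).
FINDINGS = [
    {"app": "VM",  "asset": "web01", "severity": 5, "days_open": 45},
    {"app": "VM",  "asset": "db01",  "severity": 2, "days_open": 3},
    {"app": "FIM", "asset": "pos17", "incident_review_overdue": True},
    {"app": "SAQ", "vendor": "acme-logistics", "responded": False, "days_outstanding": 40},
    {"app": "PC",  "asset": "web01", "control": "tls-cert", "self_signed": True},
]

# Metric definitions: each predicate stands in for the QQL query of the slide; a match is the
# trigger for the "Log a Compliance Metric" action. Thresholds (30 days) are assumptions.
METRICS = {
    "high_sev_vuln_past_sla": lambda f: f["app"] == "VM" and f["severity"] >= 4 and f["days_open"] > 30,
    "fim_review_expired":     lambda f: f["app"] == "FIM" and f.get("incident_review_overdue", False),
    "vendor_no_response":     lambda f: f["app"] == "SAQ" and not f["responded"] and f["days_outstanding"] > 30,
    "self_signed_cert":       lambda f: f["app"] == "PC" and f.get("self_signed", False),
}

# Metric -> control objective, then control objective -> mandates (constructed mappings).
METRIC_TO_OBJECTIVE = {
    "high_sev_vuln_past_sla": "Technical vulnerability management",
    "fim_review_expired":     "Change control",
    "vendor_no_response":     "Supplier relationships",
    "self_signed_cert":       "Cryptographic controls",
}
OBJECTIVE_TO_MANDATES = {
    "Technical vulnerability management": ["ISO 27001", "PCI DSS"],
    "Change control":                     ["ISO 27001", "PCI DSS"],
    "Supplier relationships":             ["ISO 27001", "GDPR"],
    "Cryptographic controls":             ["ISO 27001", "PCI DSS"],
}

def log_compliance_metrics(findings):
    """Evaluate every metric against every finding; return the logged metric records."""
    logged = []
    for f in findings:
        for name, matches in METRICS.items():
            if matches(f):
                logged.append({"metric": name, "subject": f.get("asset") or f.get("vendor")})
    return logged

def violations_by_mandate(logged):
    """Roll logged metrics up through control objectives into per-mandate violation lists."""
    report = defaultdict(list)
    for rec in logged:
        objective = METRIC_TO_OBJECTIVE[rec["metric"]]
        for mandate in OBJECTIVE_TO_MANDATES[objective]:
            report[mandate].append(f"{objective}: {rec['metric']} ({rec['subject']})")
    return dict(report)

if __name__ == "__main__":
    for mandate, items in violations_by_mandate(log_compliance_metrics(FINDINGS)).items():
        print(mandate, len(items), items)
```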
Assess ALL Your Assets Against CIS with Qualys Security Configuration Assessment
- Lightweight add-on to VM
- Broad platform coverage
- Accurate controls & content
- Simple assessment workflow
- Scan remotely or via agent
- Powered by the Qualys Cloud Platform
- Support for NIST reporting coming soon!

Introducing Out-of-Band Configuration Assessment
- OCA, add-on to VM/PC
- Flexible data collection via API/UI
- Support for inventory, policy compliance and vulnerability assessment
- Bulk data, automated and customizable

Out-of-Band Configuration Assessment
Large global bank: disconnected/inaccessible systems to be a part of the overall vulnerability, risk and compliance program
- Sensitive systems / regulated devices
- Legacy systems
- Highly locked-down systems
- Network appliances
- Air-gapped networks

Current Options
- Ad-hoc scripts
- Procedural controls (manual assessment)
- Outside audits
- Limited software-based solutions

Configuration Upload Workflow
1. Push the asset data
2. Upload configuration data
3. Qualys creates an agent-based data snapshot
4. Report generation

Technology Support
v0.9 and v1.0 release (November 2018) and future priorities:
- FireEye Appliances
- BigIP F5
- Brocade DCX Switch
- Acme Packet Net
- Imperva Firewall
- Cisco Wireless LAN Controller 7
- Cisco UCS Server
- NetApp OnTap
- Juniper IVE
- AS/400
- Cisco Meraki
- Sonic Firewall
- Fortinet Firewalls
- Aruba WLC
- Dell EMC Data Domain
- Oracle Tape Library

Availability & Roadmap
- November 2018: v0.9 release for limited customers; API-based asset and config data upload for PC
- December 2018: UI-based data upload for PC; bulk asset data upload (CSV); integration with AssetView
- January 2019: Extend support to VM; support OCA for AS400 compliance
- 1H 2019: Possible SDK route; expand platform coverage; CMDB integration; FIM integration

QUALYS SECURITY CONFERENCE 2018
File Integrity Monitoring
Log and track file changes across global IT systems.

Validating Integrity
Why do organizations need File Integrity Monitoring solutions?
- Change control enforcement
- Compliance & audit requirements
- Explicit mandates like PCI
- Security best practices
- Compromise detection

Qualys File Integrity Monitoring (FIM)
- Real-time detection
- Built on the Qualys Cloud Agent
- Easy to install, configure and manage
- No expensive infrastructure to deploy

Use Case: File Integrity Monitoring for PCI
Customer: Retail
- Distributed network environment that benefits from a cloud-based model
- 20k Windows systems
- Large Linux back-end infrastructure on-prem and in the cloud
Goals
- Monitor for change control enforcement
- PCI auditor requirements
Requires
- Scalable, cloud-based solution
- Hands-off management of distributed agents
- VM, PC and FIM at the point of sale
- Broad Linux platform support

FIM Challenges
- Deciding what depth to monitor
- Tuning out noise, but not missing important events
- Scalability of legacy solutions
- Meeting auditor event review requirements

What Are Customers Monitoring?
- Critical operating system binaries
- OS and application configuration files
- Content, such as web source
- Permissions (such as on database stores)
- Security data (logs, folder audit settings)
- User & authentication configurations

Focus for 2019
- Simplest tuning in the industry!
- Secondary event filtering and automated correlation
- API access to data
- Rule-based alerting
- Reporting
- Expanded data collection & whitelisting features
- Expanded platform support

Demo: FIM (File Integrity Monitoring)

FIM Feature Roadmap
- 1.9 (Q4 2018): Agent health UI improvements; tune from event view; initial reporting: change incident report; monitoring profile editor phase II
- 1.10 (late Q4 2018 / early Q1 2019): Incident list API; incident-event list API; event query API; management queries API
- 2.0: Automated incident correlation; expand reporting; basic notification
- 2.1 (Q1 2019): Incident management UI & workflow improvements; library improvements; FIM management API features; external change control integration
- 2.2 (Q2 2019): Process whitelisting; dashboard expansion & AssetView integration
- 2.3 (Q3 2019): Show file text change details; Windows registry change detection; monitoring profile import/export; streaming event API
* Roadmap items are future looking; timing and specifications may change

QUALYS SECURITY CONFERENCE 2018
Security Assessment Questionnaire
Automate the Assessment of Procedural Controls & Vendor Risk
Tim White, Director, Product Management, Qualys, Inc.

Assess Procedural Controls with Security Assessment Questionnaire (SAQ)
- Cloud-based questionnaires
- Visually design questionnaires
- Assign assessments leveraging embedded workflow
- Intuitive response
- Track using an operational dashboard
- Review answers and evidence

One of the biggest financial institutions: assessing their internal procedural and process controls
- Needs to comply with a number of international and regional mandates/standards
- Took 2 hours to rebuild an Excel-based 76-question assessment using the web-based UI and out-of-the-box rich content
- They understand that 50% of compliance requirements are related to assessing processes and procedures
- Dashboards the process deficiencies and the risk posed by internal control failures
- Important that respondents find it easy and that the collected data is actionable
- Consolidates the internal procedural control posture with technical compliance controls

New-age Vendor Assessment Challenges
- Extend the perimeter to include vendors: security & vulnerability data collection
- Vendor profiling based on the services; vendor assessment based on criticality
- Vendor control data aggregation with internal security and compliance data
- Automated workflow, operational dashboards

One of the biggest pharmaceutical companies: assessing their vendor risk through SAQ
- Vendor profiling: defines criticality based on service areas/cybersecurity domains
- Assesses vendors per their risk profile, in a standardized (SIG) manner
- Uses out-of-the-box content, including regional mandates
- Dashboards the risk posed by the highly critical vendors and ranks them per risk
- Easy online workflow for the vendors; receives reminders, alerts and status
- Consolidates the vendor control posture with internal procedural & technical compliance controls

Rich Template Library
Industry: PCI DSS SAQ A, B, C, D; IT for SOX; GLBA; BASEL 3 (IT); HIPAA; HITRUST; NERC CIP v5; SWIFT
Popular standards: ISO 27001-2013 ISMS; NIST CSF; COBIT 5; FedRAMP; COSO; ITIL; CIS Top 20 Controls; Shared Assessment (SIG)* (vendor assessment)
Regional: GDPR; Abu Dhabi Info Sec Standards; ANSSI (France); MAS IBTRM (Singapore); BSP (Philippines); BSI Germany; ISM (Australia); UK Data Protection; RBI Guidelines (India); California Privacy**; Canada Data Protection 2018**
Technical services: CSA CAIQ v3.0.1; CSA CCM v3.0.1; Vendor Security for Hosting Service Provider; AWS**; Procedural controls for cloud, containers**
* Includes premium content: Shared Assessments (SIG)
Use as-is or customize to your needs

SAQ Roadmap
- Q3 2018: User/role/privilege management; question bank; create template from library templates; new campaign UI; risk scoring
- Q4 2018: SAQ Lite for PCI users; vendor risk management workflows:
  - Vendor onboarding, profiling
  - Automated assessment based on vendor profiles/onboarding
  - Compare vendors based on risk scores
  - Dashboards on total vendor risk / trending / top 5 risky vendors
- Q1 2019: Vendor-driven workflows to cater to customers:
  - Create answer bank
  - Upload customer-required templates
  - Match on keywords
  - Metrics, dashboards on risk posed to my customers
* Roadmap items are future looking; timing and specifications may change

In a world where everyone is a vendor of someone
SAQ feature coming up in Q1: Answer bank
Technology company wants to understand the risk it poses to its customers
- Receives hundreds of questionnaires from their customers and answers them offline, through spreadsheets
- Wants to understand what risk they pose to their critical customers
- Costly & resource-intensive to respond, and gains no visibility into risk intelligence
- Wants to understand the top failing/passing cybersecurity areas and answers to improve their own internal controls
- Wants to drive the vendor-management project to showcase their good security practices and use the data for contract negotiation

Demo: SAQ (Security Assessment Questionnaire)

QUALYS SECURITY CONFERENCE 2018
Thank You
Tim White, twhite@qualys.com