Interview: Asset Inventory Is The First Step In Vulnerability Management

All modern software contains some form of vulnerability. These may be software defects requiring a patch to remedy them, or configuration issues that can be resolved via administrative activity. Cybercriminals know this. They regularly launch attacks with the goal of breaching companies and stealing data from them. The need for organization’s to properly assess and manage vulnerabilities has never been so strong.

Effective vulnerability management helps to narrow the gaps in your security where attackers could potentially creep in. Dealing with security-relevant weaknesses is an ongoing process; it requires the vulnerable points in the IT infrastructure to be identified, key vulnerabilities prioritized, and then steps taken to eliminate these vulnerabilities.

We spoke with Paul Baird, UK Chief Technical Security Officer at Qualys, to get his insight into what makes an effective vulnerability management platform. We discussed why security must remain as adaptive as possible, how automation can help to mitigate the industry’s issue with burnout, and how to roll out vulnerability management in a streamlined, minimally disruptive way.

Could you please give us an introduction to yourself and your security background?

I’ve been in the industry for 25 years; I started around 1998 when I had my first IT job. I moved into security part-time, probably about 12 years ago, when I was a senior infrastructure engineer, and I started doing a lot of work around incidents and breaches. Being a data center organization, we dealt with a lot of security incidents on a day-to-day basis due to the fact that 95% of our infrastructure was publicly available.

I then moved into full-time security, which I’ve done for about eight years now. I’ve held titles like Senior Infrastructure Engineer, Security Architect, a Security Operations Centre (SOC) Manager, and I was fortunate enough to lead the Global Head of Cyber Security Operations at Jaguar Land Rover for two years, before Qualys poached me. And now I’m sitting at C-level and enjoying every moment of it. This role is my first venture into the vendor side as well, as I’ve always sat on the other side of the fence as a practitioner and a cybersecurity user. I’ve been with Qualys now for 22 months, and I still very much have a customer hat on. I even used to be a customer of Qualys.

Could you introduce the Qualys platform? Who are your typical customers, and what challenges are you helping them to solve?

Qualys has been around since 1998, we hit the market with our vulnerability management solution. We’ve always been cloud; that’s something that our original CEO, Philippe Courtot, wanted. And this was well before cloud was a popular term. For nearly 25 years, we have been a provider of cloud-based IT security and compliance solutions. We have around 10,000 subscription customers now in over 130 countries, so we’re very much a global organization.

I don’t think we have a typical customer as we’re in every vertical you could possibly imagine, from retail to banking, to healthcare, to manufacturing. So, we don’t really have a typical customer. We’re in 66% of the Forbes Global 50, and I think something like 46% of the Forbes Global 500. So, we’re in a lot of, if not all, major organizations in some form.

Around 80% of successful breaches are new or unknown zero-day attacks. These attacks either involve new or evolved malware variants or the exploitation of undisclosed vulnerabilities. Why are so many organizations today struggling with vulnerability management?

I can put two lenses on this, from being a practitioner on the other side, and then from being with Qualys now and engaging with hundreds of CISOs a month on this very topic.

I think, first and foremost, it’s asset inventory. Companies struggle with vulnerability management because if we don’t know what assets we’ve got out there, we don’t know the context of the vulnerabilities. So, it’s about having a stable vulnerability management platform and getting true visibility. The second part is, once you’re happy with your asset visibility and you are running your vulnerability management program, working with the rest of the business on how to get things fixed.

Traditionally, vulnerability management solutions were very good at showing you the problems but not about helping you fix them. And that’s where Qualys has really changed the narrative in the last couple of years. We’re very much focused now on remediation, and we’re getting to the point of helping organizations automate their remediation as well. So, we help customers fix that problem for the longer term.

How does Qualys VMDR — one of your most popular products — help organizations overcome these challenges, and what differentiates it from other solutions in the vulnerability management space?

So VMDR has broken away from traditional vulnerability management because we’re now detecting, responding to, and remediating those threats. We’ve taken four foundational aspects of cyber security – which are visibility of your assets, vulnerability management, prioritization, and response – and have wrapped them up into one unique solution. This allows customers to visualize their assets, better understand their vulnerabilities and risks, and then take action to solve those problems.

We’ve just introduced TruRisk into our vulnerability management platform, which gives the customer a better understanding of their risk profile for vulnerability management. Traditionally, vulnerability management programs worked off your typical CVSS [common vulnerability scoring system], and patching teams would start at the top and work their way down. While that approach worked in the past, it is not suitable for companies today given the number of threats that they face. Not all issues are equal.

What we’re trying to change is the way that prioritization works, because there are a lot of other “things” that wrap around an asset and where it should be on the priority list. You’ve got to think: are there mitigating controls? Are there firewalls in place? Is this asset critical to the business? So, we’re giving the customer a way to understand and prioritize their vulnerabilities so that they can patch those critical problems a lot quicker. This helps teams to concentrate their efforts and reduce risk.

Some of the biggest threats we’re seeing this year have involved attacks on supply chains. How can Qualys help organizations mitigate third-party risk?

I see the supply chain as two different things now, so I will cover both. There is the traditional supply chain when you’re working with third-party providers, and there’s also the software bill of materials (SBOM).

Understanding what your partner’s security processes are is a massively underfunded area within global organizations. In companies I worked with previously, most of our cyber issues didn’t come from internal attacks or problems, they came from our third-party supply chains.

With Qualys, we’re here to support broader business practices so companies can improve their overall software supply chains. We help customers with tasks like security questionnaires, as an example, which allows enterprise organizations to take a snap-in-time posture of how their supply chain management is and how they’re working. For example, do your suppliers have active security policies in place, and how often do they run those processes? Is this enough to meet your needs, or do you have to work with them to improve their workflows? Alternatively, will you now have the information you need to change your supplier, as this will reduce your risk? Without this kind of information, you have to take a lot on trust, and that is not enough in today’s environment.

When we talk about the supply chain, we need to touch also on SBOM, which is basically an inventory of how software is made up. And this really came around with things like Log4shell, when there was a third-party open-source piece of software, Log4J, that had a massive vulnerability. This open-source piece of software was wrapped into other people’s software, then into other people’s software again, so organizations had no idea whether they were vulnerable to this vulnerability or not. Without this insight into all the components that make up your software, you can miss out on a vulnerability that exists. So, when we talk about supply chain, it includes third-party providers, but also looking at software bill of materials as well.

Software bill of materials is something that everybody is now talking about an awful lot. And with regards to the supply chain, I don’t think there is enough talk in the industry about supporting third-party risk. We’re used to looking internally at what our risks and vulnerabilities are, and we sometimes forget to look at our partners. Yes, we’re paying for a service, so we expect them to be at our level, but sometimes they can’t afford it or don’t understand the risk posture. So, I think there’s a lot of educational awareness that the industry could do to help the supply chain.

How do you anticipate the threat landscape will continue to evolve as we move into 2023 and beyond, and what plans does Qualys have to keep up with these changes?

We’re very connected to our customers and the market, so we’re adaptive in our development strategy. You have to be in this industry; changes happen on a daily, weekly and monthly basis. In my interview with the late Philippe, I got the opportunity to ask a question, and I asked him what his strategy was for the next three and five years. He said that was impossible. He said, “There’s no way that an organization like Qualys can look that far ahead, because of how the industry changes,” and I absolutely agree.

You can’t predict the future. When I was running cybersecurity programs, I tried to develop a strategy that was three years and five years ahead. This was pre-COVID, and I would never have written into my strategy that my team, and the entire company of 50,000 people, would all be working from home. You couldn’t possibly foresee that, so you have to be adaptive and very agile. Today, ransomware is a huge focus for organizations, but how will it have evolved by the end of next year? I don’t think anybody knows. We obviously have insights, at Qualys we’re very close to our customers in the market, but it’s still very difficult to predict precisely what will happen over the next year.

The overarching principles at Qualys now are around automation and remediation to support the SOC teams and the businesses. So, no matter what happens in 2023, we are very much focused on that automation. The industry is struggling to hire cybersecurity talent at the moment, and Qualys wants to help those cybersecurity teams by taking away those repetitive tasks they have to do time and time again. If we can remove the noise, it allows security teams to focus on the bigger threats to the organization.

So, you think burnout from repetitive tasks is a significant contributing factor in the issues the industry is having with retaining talent?

I think there is. There are two ways you can look at burnout. From a technology point of view, automation and machine learning are what’s going to help solve the issue. 

I was working at an organization, and we were rolling out our event management solution just to see and capture security events. So, we were pulling in four and a half billion security events across half our estate in one day. Imagine, if you didn’t have automation, and you didn’t have some type of machine learning or artificial intelligence, and you were expecting SOC engineers to pour through those security events. It wouldn’t work.

This issue is only going to get worse. As organizations grow, events are going to increase and increase and increase. Automation is needed to help mitigate that burnout and support staff retention because engineers get bored very quickly when repeating the same tasks over and over again. It’s our job, as leaders, to recognize that.

The other side of that coin is understanding when our teams are struggling and being able to support them. That’s hard enough to do when we’re in the office, but now that there are also higher rates of hybrid or remote working, it’s even more difficult to spot when someone is having trouble. We have to make speaking up easier, to make asking for help more acceptable, and make sure that those resources are available.

What are your final words of advice to organizations struggling to gain visibility into their systems and protect themselves against today’s advanced cyberthreats?

I think the biggest problem for today’s CISOs is how to battle through the technical challenges and the inter-departmental politics. Rolling out a vulnerability management and visibility program is extremely challenging within any organization – big or small – because you’re touching every part of the business, and sometimes you may be looking at stepping on the toes of other parts of the business.

As a senior leader, know your peers, understand your peers, and understand their parts of the business. And when you are rolling out this asset inventory and vulnerability management, start by ensuring you’re not conflicting with anybody. So, align with the business, align with your peers, and then work with them to get insight and visibility of the environment, you can then prioritize your remediation, and finally start patching, and then everybody’s happy.

Thank you to Paul Baird for taking part in this interview. You can find out more about Qualys’ via their website.

Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions with confidence.