Nayeem Islam On The Need For Vulnerability Scanning “At All Times”

Whilst detecting unknown or zero day vulnerabilities is certainly critical for security teams, many attacks also involve known CVEs that are included in automated attack toolkits. Although software and firmware providers are likely to know about these vulnerabilities, it often takes significant time for them to assess, patch, and deliver fixes for them. Some experts argue that we need to shift security left, implementing checks at earlier stages in the development process. But, according to Nayeem Islam, Vice President of Cloud Security at Qualys, that approach isn’t enough.

“We have made the transition to shift left, but we recognize that you can’t catch everything when you shift left,” says Islam. “Code still gets downloaded when you’re running, and you have to scan that as well. So, our philosophy is scanning at all times.”

Qualys is a software provider that specializes in cloud security and compliance services. While best known for its cyber risk and vulnerability management capabilities, Qualys’ flagship “TruRisk”platform also offers asset management, threat detection and response, and policy compliance.

In an exclusive interview with Expert Insights at the 2024 RSA Conference in San Fransisco, Islam discusses why organizations are struggling with vulnerability management, and the need for continuous scanning throughout the entire development lifecycle—including at runtime. He also shares his top tips for CISOs today, and what he’s most excited about in the cyber space as we move further into 2024 and beyond.

Note: This interview has been edited for clarity.

Could you please introduce yourself and tell us a bit about your security background, and your current role at Qualys?

I’m Nayeem Islam, the Vice President of Cloud Security at Qualys. I’ve been there about a year and a half. Prior to that, I was the CEO of a company called Blue Hexagon, which was a deep learning, AI-based cloud threat detection company that Qualys acquired; I came to Qualys as a part of that acquisition. So, now I manage the TotalCloud portfolio, which is the cloud portfolio that Qualys sells for protecting multi-cloud environments.

What is the #1 topic that the Qualys team is here to discuss at this year’s conference?

We’re here to talk about a variety of different topics. Yesterday, I gave a talk at the Cloud Security Alliance on how AI is transforming and being leveraged in the cyberspace, particularly in the cloud, where we see a tremendous shift. Companies are shifting their compute resources away from on-prem to the cloud, and we are assisting them by helping them secure their cloud workloads. So that’s a very big theme for us.

The other theme is our enterprise risk management and risk prioritization. We have a single risk platform that’s multi-cloud but also on-prem, which takes data from a variety of different sources that we and our partners see, and allows us to prioritize risk.

I’d like to focus today on that risk management side. Around 80% of successful breaches are caused by new or unknown zero-day attacks, which either involve new or evolved malware variants, or the exploitation of undisclosed vulnerabilities. Why are so many organizations today struggling with vulnerability management?

Attackers now have tools that allow them to automate the generation of malware and zero day variances. Zero day threats could be a completely new vulnerability that was unintentionally or intentionally put into some code, or a malware variant that wants to get into a system or a company. So, “zero” essentially means “new”, whether it’s an open door, or somebody using a new kind of tool to get in. In both cases, zero days play a significant part in why organizations are struggling with vulnerability management.

One of the reasons why Qualys acquired Blue Hexagon is that we had developed very accurate technology for detecting malware variants. There are about a million new malware variants a day, so it’s impossible to analyze all of them manually—which is what was done before. We developed a deep learning AI technique that allows you to have extremely high fidelity, whether it’s malware or benign, and to identify that in less than a second. So, we could really scale that analysis. That’s the fundamental approach that Qualys takes to malware that could be zero day.

Many attacks also involve known CVEs that software and firmware providers are likely to know about, but which often take significant time to patch. Can a security first mindset, or concept of “shift left” security, prevent the release of products with those vulnerabilities in the first place?  

There’s a really interesting problem here, and that’s the rest of the supply chain. Even if you shift left, people are pulling code from all kinds of random places.

In our container security solution, we actually scan for vulnerabilities in three different places: we allow you to scan for vulnerabilities in the CI/CD or the development pipeline; when you put it in registries, we allow you to scan for vulnerabilities there; and we also scan for them at runtime.

So, we have made the transition to shift left, but we recognize that you can’t catch everything when you shift left. Code still gets downloaded when you’re running, and you have to scan that as well. So, our philosophy is scanning at all times.

How important is it to scan for vulnerabilities at runtime, compared with scanning during development?

Professionals that are developing code are not security professionals, and you will often get resistance from developers to do anything to secure their code. They just want to get it out. So, as the leader of security within an organization, your role is to make sure that even when others don’t want to do things, you put in guardrails to keep the company secure. So, you’ve got to do it both at runtime and development.

Part of that resistance often comes from the friction or slowing down that these processes can cause within the development process. One way to tackle that is for security solutions to be easy to deploy and manage. How have you approached that challenge at Qualys?

This ease of use is really important. On the development side, we have a built-in plugins for developer tools. That’s one of the ways you do it—make it part of some of the Microsoft Developer Tools, so that developers can just click and start using it. Similarly, at the runtime, we offer one-click deployment of sensors so we can start scanning with the click of a button.

If you could give one last piece of advice to the CISOs and security leaders attending the conference this week, what would it be?

It’s really important to take a holistic approach and make sure that you educate your team on the effectiveness of these tools so they can be deployed at each point. And it’s not just educating the security professionals; in today’s agile environment, you need the developers to tag along. The whole organization needs education on why security’s important and how they can all work together to keep a company secure.

Finally, what are you most excited to see in the cybersecurity space as we continue into 2024, then beyond into 2025?

I’ve spent my whole career in AI, so it’s a little weird that everyone’s talking about it now. I was actually part of the first chess program at IBM that beat Garry Kasparov. Then there was a lull, and now you can’t go anywhere without people talking about generative AI!

I do think that we’re at the beginning of a pretty big shift when it comes to GenAI, but I think people are missing the ultimate goal of where want to go with it. It’s generally being used for things like writing right now, but what it portends for the future is tremendous. There will be so much automation that will come out of this, that it’ll really change the way people do their jobs. We’ll finally be able to take a crack at the security talent shortage.

Thank you to Nayeem Islam for taking part in this interview. You can find out more about Qualys’ vulnerability and attack surface management solutions via their website.

Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions with confidence.

For more interviews with industry experts, visit our podcast page here.