Interviews | September 29, 2023

Effective Risk Assessment is Challenging but Critical to Security

Qualys | VMware Carbon Black

Jonathan Trull
CISO & SVP Security Solution Architect


Q1. What exactly does Qualys' recently announced first-party software risk management product allow organizations to do? What business or security issue will it help them address?

Effective risk assessment is the bedrock of security; this process is especially important for custom, first-party applications, and their open-source components. As companies develop their own software to meet specific requirements, the importance of a unified approach to security assessments increases. Unfortunately, risk assessments for first-party applications rarely go through the same lifecycle management of vulnerabilities from discovery to prioritization to remediation – the same process used for third-party applications. When first-party assessments are done, they often rely on disjointed, standalone tools owned and managed by different teams. As a result, effective risk management in such disparate environments becomes an impossible task, which means first-party applications are likely to be exposed to risks that are “unseen” by SecOps teams.

The Qualys Cloud Platform now includes new capabilities for assessing risks in first-party applications. Customers can “bring their own” assessment and remediation logic into Qualys Vulnerability Management, Detection and Response (VMDR) workflows and reporting, providing SecOps teams with a unified view of all first- and third-party applications along with open-source software in their environment.

Our announcement also addresses reducing supply chain risks automatically with Runtime Software Composition Analysis (SCA). These risks pertain to the surging use of open-source components during application development, which has increased the risk of exploitation of vulnerabilities within them. Related risks for the software supply chain are now a significant source of concern, as evidenced by recent attacks on MOVEit, 3CX, Log4j, SolarWinds, and others.

In response to this challenge, Qualys has added a new capability for VMDR to detect, manage, and reduce the risk of software supply chain vulnerabilities in the production environment. SCA provides continuous and real-time visibility of both open-source and commercial software components present in production of both first-party and third-party applications. Visibility into a customer’s software supply chain allows proactive action against potential risks and emerging threats.

Q2. A recent Qualys study showed that misconfigurations remain the biggest risk to enterprise cybersecurity in cloud environments. Why does that continue to be the case? What do security leaders need to understand about the shared-responsibility model?

Cloud misconfiguration is the most critical issue for securing cloud environments. Configurations refer to control settings applied to both hardware and software elements within a cloud environment that allow them to interoperate and communicate. Accurate maintenance of configurations is the user-organization’s responsibility for cloud – for their apps and data.

Cloud service providers focus on securing the supporting infrastructure in the shared responsibility model. User misconfigurations amplify the risk of data breaches and unauthorized access due to many factors: complexity of cloud environments, lack of expertise in keeping up with evolving technologies, human error leading to insecure settings and permissions, rapid deployment that compromises implementation of security measures, and the dynamic nature of cloud environments hindering visibility and control of cloud-resident unencrypted or sensitive data. Failure to get control of these security “cracks” can quickly open a cloud environment and expose sensitive data and resources to attackers.

As described in the 2023 Qualys TotalCloud Security Insights whitepaper, organizations should harden CSP configuration controls with Center for Internet Studies (CIS) Benchmarks. These controls are the gold standard for hardening configurations in CSP environments and demonstrating compliance for auditors. CIS controls are the bare minimum you should have in place for basic cloud security hygiene. However, scans for these controls are failing 34% of the time for Amazon Web Services, 57% for Microsoft Azure, and 60% for Google Cloud Platform. The following recommendations should be Priority #1 for every organization:

  • Organizations should assess the effectiveness of their CIS controls and correct misconfigurations that may inadvertently make assets public.
  • Implement least-privilege multifactor authentication for all identities.
  • Use strong passwords for all identities.
  • Protect sensitive data by enabling end-to-end encryption with self-generated keys.
  • Harness the potential of the CIS mapping in conjunction with MITRE ATT&CK tactics and techniques, as this approach provides invaluable insights and boosts the prioritization of hardening controls in cloud environments.

Q3. What does Qualys hope to accomplish at SecTor 2023? What is your main messaging at the event?

Qualys plans to share its SecTor 2023 theme of “Get More Security in a Single Platform” as an event exhibitor at Booth D700, through a general session presentation, a general panel discussion, and 11 in-booth presentations.

The Qualys Cloud Platform gives you a continuous, always-on assessment of your global IT, security, and compliance posture. It provides 2-second visibility across all your IT assets, wherever they reside. And with automated, built-in threat prioritization, patching, and other response capabilities, the platform is a complete, end-to-end security solution. The platform consolidates traditionally siloed solutions so you can avoid the cost and complexities that come with managing multiple security vendors. Qualys Cloud Platform automatically gathers and analyzes IT, security, and compliance data in a scalable, state-of-the-art backend. Provisioning any of Qualys’ natively integrated security and compliance apps - twenty and counting - is as easy as checking a box.

Attendees should stop by the Qualys Booth (D700) where they will learn how to Get More Security with our latest Qualys solutions. Hear from our experts, see demos, and meet 1:1 with a Qualys expert. In addition, Qualys vice president, product management, Mehul Revankar, will present a general session on “Navigating the Threat Landscape Through the Attacker’s Lens and Building a Robust Defense.” Corey Smith, vice president, Solution Architects, will participate in a Cloud Security Summit panel on “How AI and Technology are Partnering to Deal with Current Cybersecurity Challenges.”

Jason Rolleston
Vice President and General Manager

VMware Carbon Black

Q1. What new challenges has the accelerated adoption of cloud-native applications, and the cloud in general, created for enterprise security teams? What gaps should they prioritize addressing from a risk mitigation standpoint?

In the last few years, we’ve seen container use skyrocket as organizations move away from traditional application architecture and embrace the benefits that cloud-native architectures offer. Like any newer technology, the use of cloud-native technologies and processes is not without security risks and challenges. Those challenges include a lack of visibility and context, the need to reduce the attack surface, overly complex environments, alert fatigue and more. From a risk mitigation standpoint, it is important to secure both the Kubernetes layer and the container layer because together these layers form the basis of a cloud-native application. However, both the container and the orchestrator have unique security challenges.

Container security must span the entire application lifecycle in order to be effective. Security teams need help ensuring that only authorized applications and services run. Additionally, the use of third-party image registries has become commonplace for developing these cloud-native applications. In fact, because a majority of applications use third-party sourced components from public image registries, attackers often target them with malware. Security teams must continuously monitor for risks that might have slipped through the cracks. If developers aren’t involved in the security processes, these applications might not have the strongest security protections built in.

Without the right tools and processes in place, security teams don’t have the holistic visibility needed to secure the entire architecture. Security teams need to see specific processes running within the container or the K8s workload for a comprehensive view of their security posture for cloud-native environments to detect and respond to threats in real time.

Q2. How, if at all, are Cloud Native Application Protection Platforms different from Cloud Security Posture Management technologies? Why should organizations pay attention to the differences?

CNAPP tries to fulfill the promise of delivering DevSecOps, Basic IT security, and Detection and Response for cloud native (read container) applications all in one package. This covers secure software development, infrastructure/workload security, container and registry scanning, container security, security posture management (CSPM), and more. If it sounds super broad that’s because it is. Too broad, but we’ll come back to that.

From this description, it follows that CSPM is a subset of CNAPP and generally is used by IT security teams trying to make sure that developers haven’t done anything foolish in terms of permissions, access settings, or insecure configurations for the infrastructure they are using. In practice, identifying and applying these policies is difficult due to variations across the business that create excessive false positives when enabled.

Stepping back up, the issue with CNAPP is that it’s a tool/platform that somehow is meant to serve at least three different teams who are looking to achieve wildly different objectives. Application security by itself is a complex industry with at least twenty to thirty major players. To imply that you can subsume it into a larger platform that also does the same for two other domains while providing anything near comparable value is a big stretch and it’s not what we see in market.

What we do see is organizations dividing the function between roles. DevSecOps focuses on application security and the secure software development lifecycle. IT ensures infrastructure security and standard processes and policies are adhered to. Detection and response are driven from the SOC and require tooling that gives them visibility into these environments. Each team defines the needs they have for their tooling and how to get their job done. In some cases, tools can do double duty, but generally compromises will have to be made somewhere.

Companies should worry less about the delineation of product spaces and stay more focused on the needs of the different teams and their practical use cases. Organizations should be dubious of vendors claiming they can give you one tool to solve all three challenges and instead focus on vendors that can articulate that they truly understand the process and operational realities required to address the problems. Organizations should also be wary of vendors telling them they need a new standalone, cloud native only tool that doesn’t integrate into other existing workflows and use cases.

Q3. What can customers and other organizations at SecTor 2023 expect from VMware Carbon Black? What does the company plan on highlighting at the event?

We really want to highlight how VMware Carbon Black’s new CNDR features differ from those already on the market. This new set of features sets us apart from other offerings by providing our customers with a unified security solution to protect endpoints, workloads and containers from a single console to enable consistent security, control and visibility across environments — thus, providing true threat detection.

Detection and response must support every element of today’s cloud-native architectures. It must scale across the internet and reveal the connection details between users, networks, containers, orchestrators, processes, and the tools used to build and monitor these cloud-native applications. Tools in today’s market are built for traditional applications but they don’t work for the complexities of modern applications. These systems leave visibility gaps. Carbon Black closes the gaps and solves some of the biggest challenges facing cloud-first enterprises today.