Qualys EDR / Patch Management Blog Series [Part 1]
NOTE: This is the first part of a blog series.
Part 1: Qualys Patch Management (PM)
Part 2: Qualys Endpoint Detection and Response (EDR)
Part 3: PM and EDR Remediation Demonstration

Overview
In this blog post, we will take a look at the Qualys Patch Management (PM) module. We will answer questions such as “What is Qualys Patch Management?”, “What is it used for?”, “How does it work?”, “How is it activated and set up?”, “Which feature does what?”, and “What can we do with this module?”. Part 2 of this blog series focuses on Qualys Endpoint Detection and Response (EDR), an endpoint security module that sits alongside PM. Then, in Part 3, we'll show various remediation techniques using PM and EDR.

Patch Management (PM) with Qualys: An Overview
Qualys Patch Management is a cloud-based tool that helps security and IT professionals quickly resolve vulnerabilities and patch their systems.
Qualys Patch Management can:
Qualys Patch Management, built on the Qualys cloud-based security and compliance platform, frees you from the considerable expense, resource, and deployment issues associated with traditional on-premise software. The Qualys Patch Management video library provides more information.

Patch Management Features
Patch Sources
OS and application patches come from the vendors' global CDNs (e.g., Oracle, Adobe, Microsoft, Apache, Google). Qualys validates downloaded patches using both digital signatures and hash values, which are then checked again with Qualys Malware Insights. Patches can also be served from a local repository (Qualys Gateway Server).

PM Activation and Setup
The following configuration steps are necessary to use the Qualys Patch Management (PM) module successfully:

4.1 Cloud Agent Module
4.1.1 On the target host, install Cloud Agent.
Note: Cloud Agent must be installed with an activation key that is compatible with the PM module.
Check out the Qualys Cloud Agent Installation Guide with Windows and Linux Scripts if you're not sure how to install and configure “Qualys Cloud Agent.”
4.1.2 Assign a Configuration Profile with PM enabled to the target agent host.
To build a “Configuration Profile” that contains assets, first add a new asset tag.
Create a new “Configuration Profile” to work with.
PERFORMANCE: The high-performance option performs more frequent inspections.
ASSIGN HOSTS: Choose which assets will receive this profile. Assets can be selected using “Asset Tags” or “Asset Names”.
PM: Enable the PM module in the Configuration Profile. To accommodate Windows Updates, the cache size must be at least 2048 MB.
4.1.3 Activate the PM module on the target agent host (as an alternative to the Configuration Profile)
You can also activate the module manually on the asset instead of using a Configuration Profile to enable PM.

4.2 Patch Management Module
To use the PM module, you must assign hosts to the profile you created.
4.2.1 Assign the target agent host to a PM-enabled Assessment Profile.
To assign target agents for PM jobs, create an “Assessment Profile”.
Choose which assets will be assigned.
Note: In the Assessment Profile, only asset tags can be used to choose assets.
Set up an Assessment Schedule to collect patch data from agents.
Note: The scanning time should be at least 4 hours.
Note: Unlicensed assets will have a 24-hour scan interval.
4.2.2 Assign hosts to PM Jobs (activate the license).
To assign hosts to PM Jobs, you need to activate their licenses. The number of available licenses is limited.
Note: In License Consumption, only asset tags can be used to select assets.

Overview of the PM Application
5.1 Patch Management UI
5.2 Assessment Profile
The System Profile is used as the Assessment Profile by default. Assessment scans reveal which patches are missing and which have been installed on an agent host.
5.3 License Consumption
Asset Tags are used to designate which agent host assets are patchable. (Note: Asset tags are the only way to specify them.) To prevent patching on specific assets, select the “Exclusion” check box.

PM Deployment Job / PM Uninstall Job
We'll concentrate on the main stages of patch deployment (PM, VM, VMDR) and look at the various patch deployment options. Create a Deployment job:
Select your assets. “Asset Tags” or “Asset Names” can be used to select assets.
Patches that are patchable can be chosen. (isSuperseded:false)
Patches are automatically added within scope when you click Add Patches. Choosing patches that haven't been superseded makes patch jobs more efficient. Note: A “Key” symbol next to a patch name means “Acquire from Vendor”. These patches aren't available for download, and they can't be added to the job.
According to the confirmation notice box, patches marked with the “key-shaped” icon will not be downloaded by the Qualys Cloud Agent.
Selected patches will be listed.
Deployment Jobs can run on demand or on a schedule, and Recurring Jobs can repeat daily, weekly, or monthly. If a patch installation does not begin within the given Patch Window, the job is marked as Timed out. To give a patch job an unlimited patch window, choose None.
With the Enable opportunistic patch download option, agents download the required patches before a scheduled job starts. (Note: This option applies only to scheduled jobs.)
Messages sent to the client during deployment.
Reboot messages inform the client of the reboot.
Clients receive pop-up messages. It is possible to customize the message descriptions.
Note: The process of creating an uninstall job is similar to that of creating a deployment job. Instead of downloading patches, simply pick the patches to remove. Note: Some patches can't be rolled back or uninstalled, so fewer patches are available for uninstall jobs than for deployment jobs.

6.1 Job Status
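To make the job rules above concrete (deployable = not superseded and not “Acquire from Vendor”; uninstallable = installed and rollback-capable; a job that does not start inside its Patch Window is Timed out, with None meaning no deadline), here is a small model written for this post. It is added illustration, not Qualys code; the patch records, IDs, and dates are constructed samples.

```python
"""Model of the PM deployment/uninstall job selection and patch-window rules.
Added illustration, not Qualys code; all patch records are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

HOUR = timedelta(hours=1)
SCHEDULED_START = datetime(2024, 1, 1, 2, 0)  # constructed job start time


@dataclass(frozen=True)
class Patch:
    patch_id: str               # constructed ID, not a real Qualys patch ID
    title: str
    is_superseded: bool         # a newer patch replaces it (isSuperseded:false excludes these)
    acquire_from_vendor: bool   # "key" icon: Cloud Agent cannot download it
    rollback_supported: bool    # False: no uninstall job can remove it
    installed: bool             # result of the last assessment scan


def deployable(catalog: List[Patch]) -> List[Patch]:
    """Patches a deployment job can apply: missing, not superseded, downloadable."""
    return [p for p in catalog
            if not p.installed and not p.is_superseded and not p.acquire_from_vendor]


def uninstallable(catalog: List[Patch]) -> List[Patch]:
    """Patches an uninstall job can remove: installed and rollback-capable."""
    return [p for p in catalog if p.installed and p.rollback_supported]


def job_status(scheduled_start: datetime, window_hours: Optional[int],
               install_started: Optional[datetime], now: datetime) -> str:
    """'Running' once installation began; 'Timed out' if it did not begin within
    the patch window; otherwise 'Pending'. window_hours=None means no deadline."""
    if install_started is not None:
        return "Running"
    if window_hours is None:
        return "Pending"
    deadline = scheduled_start + timedelta(hours=window_hours)
    return "Timed out" if now > deadline else "Pending"


# Constructed sample catalog (IDs and titles are made up)
CATALOG = [
    Patch("P-1", "Sample cumulative update", False, False, True, False),
    Patch("P-2", "Older cumulative update", True, False, True, False),   # superseded by P-1
    Patch("P-3", "Vendor-hosted runtime", False, True, False, False),    # key icon
    Patch("P-4", "Browser security update", False, False, True, True),   # installed, removable
    Patch("P-5", "Firmware-style update", False, False, False, True),    # installed, no rollback
]

if __name__ == "__main__":
    print([p.patch_id for p in deployable(CATALOG)])     # ['P-1']
    print([p.patch_id for p in uninstallable(CATALOG)])  # ['P-4']
    print(job_status(SCHEDULED_START, 3, None, SCHEDULED_START + 4 * HOUR))  # Timed out
```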
On the “View Progress” page, you can see the “Job Status”.
When the deployment job is finished, click View Progress to see the results.
To see the details of a patch that failed, skipped, or succeeded, click View Patch Details.
Patch details are listed.
6.2 Patching from VM and VMDR
Both VM and VMDR support patching from the VULNERABILITIES section. Clicking View Missing Patches redirects you to the Patches section of the Patch Management module.
Note: Not all vulnerabilities have patches.
Filter for vulnerabilities that can be patched. Patches that are required for your job can be added from this section.
6.3 VMDR Prioritization Report
Prioritize your remediation activities with VMDR Prioritization.
Prioritize assets by selecting “Asset Tags”. Click “Prioritize Now”.
Add prioritized patches to a new or existing job.
The “Add to New Job” and “Add to Existing Job” buttons redirect you to the tab for creating deployment jobs. Note: Prioritized vulnerabilities can also be filtered as “Patchables”.

PM Assets
When the PM module is enabled, the host assets are displayed. The number of “MISSING” and “INSTALLED” patches is displayed after a successful assessment scan. Note: All assets have been scanned successfully.
View asset details, add assets to an existing job or add assets to a new job using the Quick Actions menu.
For details of missing or installed patches, click the numbers. You can also add the asset to a new or existing job from this section.

Patch Catalog (Patches)
On the Patch Management UI, the “Patches” tab lists all patches that are available or unavailable for assets. By default, when the tab is opened, it displays results filtered to available assets.
To see all patches, turn off the filters.
Use the “Quick Actions menu” to view asset details, add assets to an existing job, or add assets to a new job.
Conclusion
In the first part of this series, we have learned about Qualys Patch Management (PM). We have discussed the features, benefits, and patch sources of Qualys PM. We've learned how to activate and set up PM through its configuration profiles. We gave an overview of the PM application, assets, and patches. We also learned about the “Deployment job”, which is the most important part of PM. Now, we are ready to investigate the Qualys EDR module. Please join us in Part 2: Qualys Endpoint Detection and Response (EDR) of this blog series, where we'll learn about EDR, an important endpoint security module similar to Qualys Patch Management (PM). Check out our Vulnerability Management services to stay secure!

What are the two types of patch management tools used to create an effective patch management system (choose two)?
The two types of patch management software are on-premise patch management software and cloud-based patch management software. On-premise software uses a customer-based or local environment. Cloud software monitors and manages applications directly from a central server.

What are some of the advantages of an automated patch update service?
A modern, automated patching platform is specifically designed to make applying updates and patches simpler, more accurate, and more secure. It helps you avoid configuration drift. And it provides peace of mind when you know that you're taking steps to institute good cyber hygiene enterprise-wide.

Which AV approach uses a variety of techniques to spot the characteristics of a virus instead of attempting to make matches?
A newer approach to AV is dynamic analysis heuristic monitoring, which uses a variety of techniques to spot the characteristics of a virus instead of attempting to make matches.

What is the name for a cumulative package of all patches and hotfixes?
Service pack: a cumulative set of all hotfixes, security updates, critical updates, and updates created since the release of the product. Service packs might also contain a limited number of customer-requested design changes or features.