In this blog, we are going to talk about an article on “How InfoSec uses the Elastic Stack for vulnerability management”. First, we want to congratulate Elastic, as this is one of those rare times that a company came forward and publicly shared its vulnerability management process. This article has some great points for any organization looking to automate their vulnerability management process, however, we wanted to point out how they could have improved their vulnerability management posture if they used SecOps Solution instead of Qualys. We highly recommend you go through the above article as it has a wealth of information but if you have a time crunch here’s a short summary.
The article very well explains the vulnerability management process. They have divided the complicated architecture of vulnerability management used by them into three main components :
- Data injection and enrichments
- Reporting and notification
- Configuration management.
In the injection step, they talk about how they use Qualys along with the Elastic stack to monitor the injection and how that makes it more efficient. They have elaborated on how the ElasticSearch and metrics system has helped them in real-time reporting and notification. Overall, the article was focused on how Elastic stack can be delivering the flexibility we require without the hassle of maintaining our own solution or dealing with feature requests with a third-party vulnerability management solution.
What if we use SecOps Solution instead of Qualys for vulnerability management?
Vulnerability Management Architecture of Elastic when they used Qualys:
Vulnerability Management Architecture of Elastic if they had used SecOps Solution:
Let us understand how vulnerability management posture would have been improved if they had used SecOps Solution:
- For vulnerability intelligence sources with Qualys, Elastic had to fetch feeds from NVD, EPSS, and CISA separately and then they had to build that entire automation but with SecOps everything is inbuilt which would have saved them a lot of time and effort. The future maintenance of managing these databases would have been altogether avoided.
- Again for vulnerability scanners Elastic needed to buy each tool separately from Qualys and they didn’t have any solution for mobile application security. Elastic had to integrate the module for container security separately into their system to use it but with SecOps everything comes under one platform.
So, now you have a clear understanding of how SecOps would have improved the Elastic VM process. Let’s discuss how SecOps would have helped to provide a more sufficient way of Data injection:
Unlike Qualys which relies on CVSS score. SecOps uses a combination of EPSS and CVSS to collect the data which is the most efficient way of prioritizing vulnerabilities as it focuses on the severity as well as the probability of exploitation of the vulnerability.
Qualys has an XML-based API which requires lots of time to classify the data.
Here’s a fantastic blog explaining the issues with XML-based API.
SecOps instead use JSON-based REST API to generate this data which has a defined schema that makes it easy to integrate into the Elastic stack without writing any complicated Go script query.
Qualys although a security software has had its fair share of reported security vulnerabilities present in its own cloud agent scan like CVE-2022-29550 which may unexpectedly write credentials (from environment variables) to disk in cleartext and have a medium severity and still now there is no mitigation or patch available to suppress this vulnerability. Another example is CVE-2022-29549 which executes programs at various full pathnames without first making ownership and permission checks and without integrity checks. Also, the vendor recommendation is to install this agent software with root privileges which puts any organization data at very high risk, and still, Qualys take no action to mitigate these vulnerabilities as of the time this article was published. If you like to know more about the severity of these CVEs you can check them on our EPSS calculator.
Overall, Qualys is a good security tool but it does not upgrade itself along with the changing environment and the API used is still highly outdated and requires to be changed to fit in the organization which uses the latest technology and requires Zero setup time and automation in the scanning process which is provided by SecOps.
SecOps Solution is an agent-less Risk-based Vulnerability Management Platform that helps organizations identify, prioritize and remediate security vulnerabilities and misconfigurations in seconds.
To schedule a demo, drop us a note at firstname.lastname@example.org