Qualys Expands IT Control Posture To ‘De-Risk’ Business

Software diversity is prolific. Because enterprise organizations have an inherent size and scope, they typically run at scale, deploying multiple databases and application layers alongside a variety of cloud and data services. In basic terms, this is a good thing i.e. having a diversified IT stack means firms can support multiple internal organizational nuances, address different regional compliance requirements… and champion technology diversity by enabling different departmental use case specializations.

But with great technology diversity comes great management responsibility. In the modern age of digital business with mission-critical applications running in public clouds, across on-premises deployments inside company headquarters and now throughout edge computing estates inside smart machines populating the Internet of Things (IoT), quite suddenly for some, there’s a new business risk factor to manage.

Twisted IT tool topographies

Software application development engineering teams working with cybersecurity specialists know this truth all too well. Favorite industry terms like spaghetti code (inefficient and potentially fragile application structures) and twisted tool topographies (an overabundance of security, system observability and protection management solutions all attempting to work together in harmony, but more usually causing something of a cacophony) proliferate throughout real world organization’s IT systems.

Security modernization and operations company Anomali tells us that, “Enterprises frequently deploy new security tools and services to address changing needs and an increase in threats. According to recent findings, mature security organizations have deployed on average - small business: 15 and 20 security tools; medium-sized companies: 50 to 60 security tools; and enterprises: over 130 tools security tools.”

The suggestion here is - in real practical terms inside real companies running real-world deployments with real-time data workflows - it’s getting harder not just to manage IT systems, but to be able to identify all risks and prioritize mitigation procedures based upon the most critical risks. Even tougher, the management and classification of ‘risk’ itself needs to be defined so that we can differentiate between those misconfigurations, threats or vulnerabilities that physically represent the biggest business threat.

Dynamically orchestrated IT entities

Cloud-based risk management and IT security solutions company Qualys has been working to broaden the scope, function and applicability of its platform to answer these software infrastructure challenges. CEO Sumedh Thakar has called for enterprise software and data foundations to be handled as ‘dynamically orchestrated entities’ that need fine-grained engineering controls. Working out what risks to chase after first sounds like a complex task.

Detailing the progression of the Qualys Platform for IT, Security and Compliance in a whitepaper sponsored by the company itself, IDC analysts Megan Szurley and Philip D. Harris suggest that, “What’s needed is a method by which prioritization considers the information about an asset within a configuration management database (CMDB), how it is categorized or classified, combined with other factors such as misconfiguration, threat landscape, the overall attack surface of the organization, various threat indicators and whether there’s active [weaponized] malware associated with the vulnerabilities.”

Risk management above all else

So then, with those capitalized functions and practices detailed above, this is not ‘just’ cybersecurity, this is why Qualys is known as a specialist in risk management above all else. These are practices that cover system health and wellbeing in a broader sense. In particular, when it comes to cloud computing, enterprises will need to be able to discover, assess, prioritize, defend and remediate vulnerabilities, threats and misconfigurations across what are now mostly hybrid multi-cloud environments. So the message here is that it’s all about de-risking that whole landscape.

Further, we can see that Qualys aims to break down organizational silos and became a singular repository tool for security and operations teams to review and look at data. This means that, in theory at least, we can remove the debate surrounding risk management if a business runs organizational silos in various groups. This is because with Qualys, information and modules are consolidated into one platform for greater consistency and control in relation to all aspects of risk management.

CEO Thakar spoke to press and analysts this month to detail what he claims to be a ‘seismic shift’ in the way his firm’s technology is now developing. Detailing the new Qualys Enterprise TruRisk Platform, Thakar says his engineers have now created a technology capable of aggregating cyber risk signals from a collection of different sources (other security vendors’ tools and more), it then coordinates them into a quantifiable risk assessment and risk scoring framework. This is intended to provide users with a centralized means of measuring, communicating and eliminating their IT risk with precise remediation and mitigation.

“Despite a market push to release more cyber risk ‘measurement’ solutions, security leaders and stakeholders alike still have no reliable means of aggregating, correlating and translating cyber signals from a growing cybersecurity stack into meaningful cyber risk mitigation and remediation strategies,” noted Thakar, in a technical statement. “Today, CISOs and security leaders must also measure and communicate cyber risk in the form of Key Performance Indicators (KPIs) that provide the business impact of vulnerabilities, threats and their risk posture in real time. However, this is easier said than done. With over 60 security tools on average, security leaders are forced to parse through a maze of risk data from a collection of disparate solutions that are managed by different teams and split between IT and security to calculate, articulate and remediate cyber risk across their extended infrastructure.”

This story gravitates around the proposition that the Enterprise TruRisk Platform provides a centralized way for organizations to measure and eliminate their cyber risk. But going further, it also informs software engineering staff and the businesspeople they work with about their own actual ‘risk posture’ with the given set of applications, data services, open source components, Application Programming Interfaces (APIs) and other connection points that the IT department decides to deploy in response to requests from business stakeholders.

“The introduction of The Enterprise TruRisk Platform marks Qualys’ commitment to helping CISOs, cybersecurity practitioners and risk stakeholders quantify the impact their cyber risk has on their businesses, with actionable paths to eliminate that risk with concise remediation and mitigations. Through this advancement, customers will now be able to gain even more from the comprehensive Qualys Threat Library and over 25 threat intelligence feeds that they already receive, empowering customers to more effectively reduce their cyber risk posture across their organizations with tangible business context,” noted Thakar, in a company blog.

Single pane of glass

What Qualys CEO Thakar called for (and what he says his team has built) is a higher level of orchestration between solutions - and this is a key trend for enterprise technology platform companies now. Every vendor wants to integrate with partners - and competitors even - and then provide the so-called ‘single pane of glass’ to enable higher-level orchestration, management and decision-making.

Thakar explained how Qualys Enterprise TruRisk Platform ‘aggregates cyber risk signals’ from a ‘wide array of disparate sources’ today. It then correlates these signals into what he describes as a ‘single unified view’ for measurable risk insights using the unified TruRisk risk scoring framework.

To put that in basic language, Qualys is saying that its platform is now capable of ingesting, integrating and incorporating risk management data from other third-party security and IT analytics management platforms and tools. With the inevitable software tool diversity that we noted in our first line here, this is all about that single pane of glass mission that the company wants to deliver on.

External data elevation

Those third-party tools that Qualys is open to welcoming include (at the time of writing) in no particular order Snyk, Microsoft Defender for Endpoint, Synopsys, Normalyze, Veracode, SentinelOne, Asimily, SafeBreach, Security Scorecard and Wiz.

“The move to ingest and unify this array of disparate sources is necessary because, today, no single tool exists to address every system security requirement,” explained Thakar. “If we think about the fact that security protection happens differently for firewalls to vulnerability management, we can also see that a different approach is needed for mobile security, for corporate IT security, for cloud datacenter security and so on. By providing a unification and orchestration tier that brings these functions together and aligns their protection requirements to business outcomes, we can reduce security risks and the corresponding operational risks they can create in a business.”

Illustrating the point by talking about modern households, most of us now realize that we need a different app to handle heating and air conditioning, one for an electronic front doorbell, one for door lock monitoring, one for gas/electricity energy consumption and one for a digitally enabled smart refrigerator if we are lucky enough to have one.

Whether the technology industry ever gets to one single pane of glass is a bigger tougher question to answer. As we can see here, it’s more likely that we might get a single pane view into IT risk management, a single view into HR systems, a single window into database management and data exchange systems, one simplified view of finance and procurement, plus of course (and more than vendor is after this crown) a single unified view of an organization’s hybrid multi-cloud estate.

That might be single pane(s) plural, but it’s still a clearer picture if we keep these windows clean and clear, pass the squeegee, please.