Release 2.18.0.0

May 24, 2024

What's New?

CyberSecurity Asset Management

The following are the new features available with the CSAM subscription.

EASM Lightweight Scan

With the introduction of the EASM lightweight scan, external assets can now be scanned using a Qualys external scanner. However, the existing VM scans and their scanner schedules are not affected.

 The EASM Lightweight Scan feature is available to a limited set of customers as an early preview, on a request basis. Contact your Technical Account Manager or Qualys Support.

The following sections provide details about the EASM Lightweight Scan:

Prerequisites

  • Your account must be Vulnerability Management Scan Processing (VMSP) migrated.
  • New Data Security Model (NDSM), QIDS, and Asset Group Management Service (AGMS) must be enabled for your subscription.

Challenges with Existing/Other Solutions

  • Most EASM tools scan for vulnerabilities infrequently, leading to inaccurate results and gaps in coverage.
  • Other tools, including Shodan, use sub-optimal vulnerability signatures based on basic banner-grabbing, which creates noise in the form of false positives.

Benefits of the EASM lightweight scan

  • Scan your external assets for vulnerabilities with the latest industry-leading vulnerability scanner from Qualys.
  • Reduce false positives to isolate risk on the external attack surface. Quickly and accurately identify the most critical risk with industry-leading vulnerability detections, reducing 60% of false positives that result from other basic banner-grabbing EASM tools in the market.
  • The latest EASM scanner includes lightweight vulnerability scanning upon discovery. From the risk assessment perspective, Qualys Threat Research Unit (TRU) has already observed three times more critical vulnerabilities detected and a 60% reduction in irrelevant, unconfirmed vulnerabilities when compared with traditional external scanning methods, which rely on stale data snapshots.
  • Assess and flag weak SSL certificates continuously (daily) with industry-leading SSL Labs.

 You can then activate the assets for a full Vulnerability Management Detection & Response (VMDR) license for full vulnerability lifecycle management, option profile customization, prioritization, and remediation orchestration, as well as the Certificate View and Policy Compliance applications.

Changes Made to EASM Configuration Profile Page

Under the Optional Setting, a new toggle, Enable EASM Scan, is introduced. Turn this toggle on to start the EASM lightweight scan.

Then, you can select one of the following options per your requirements.

  • All EASM Assets: To include the VM-activated assets in the EASM lightweight scan. The managed assets with the source as EASM and IP or Cloud Agent are also included in the EASM lightweight scan.
  • Unmanaged EASM Assets only (Exclude VM Activated Assets): To include only unmanaged EASM assets for the EASM lightweight scan.

Optional Setting added to EASM Configuration page.

Newly Introduced Vulnerabilities tab

Under the Inventory tab, a new tab, Vulnerabilities, is introduced that lists all the vulnerabilities detected using the EASM lightweight scan. By default, vulnerabilities of type Information are excluded. Also, as it's an EASM-specific feature, the Vulnerabilities tab is visible only when the EASM toggle is on. 

Vulnerabilities tab.

Vulnerabilities Option Introduced to Add Widget to Dashboard (EASM)

Vulnerabilities is a new option added to the Add Widget to Dashboard when you have selected the EASM application.  

Add widget to dashboard (EASM).

Multiple EASM Profile Creation

Before this release, creating multiple EASM profiles was a beta feature available to limited customers. For more information, refer to the CSAM 2.17.0.0 UI Release Notes.

With this release, existing and new CSAM customers can create multiple EASM profiles for their subscriptions.

License Type | Maximum number of EASM profiles that can be created
CSAM Trial | 2
CSAM Full | 3

VMware ESXi Third-Party Connector Support

CSAM extends the out-of-the-box third-party connector support to the VMware ESXi connector.  With this connector, you can:

  • Discover gaps in attack surface visibility by adding missing virtual machines to your VMDR program.
  • Add business context to cyber asset inventory to enable accurate risk quantification by integrating data points from VMware ESX as custom attributes and tags.

 VMware ESXi version 1.0.0 is a prerequisite for the functioning of the VMware ESXi connector scanned asset import from CSAM. If the VMware ESXi connector is created from the Qualys Connector application, you can see the ESXI checkbox on the Create New Asset Identification Rule page. 

VMware ESXi connector option - Create New Asset Identification Rule.

Additions and Updates to the Reporting Templates

  • The Vulnerability Report is renamed to Shodan Vulnerability Details.
  • A new reporting template, EASM Vulnerability Details, is introduced, which includes details about vulnerabilities detected through EASM lightweight scans.
  • A new reporting template, the Technology Debt Report, is introduced. To learn more about what insights you get from this report, refer to the Technology Debt Report section. 

EASM Vulnerability Details report template.

CyberSecurity Asset Management and Global AssetView

The following are the new features available with the CSAM and GAV subscriptions.

Technology Debt Report

We introduced a Technology Debt (Tech Debt) report in PDF format. The following are the features and benefits of this report:

  • Communicates a transparent and actionable assessment of your Enterprise’s Tech Debt.
  • Highlights risk associated with End-of-Life (EoL) and End-of-Support (EoS) hardware and software with a new executive-ready report.
  • Enables you to prioritize and proactively plan upgrades for highly vulnerable End-of-Support software that will not have security patches.

By fostering a proactive risk management culture and informed decision-making, you can effectively protect your assets and align your security efforts with your overarching business goals.

Who can Generate this Report?

  • VMDR customers with in-product workflow can generate this PDF report and immediately get a glimpse of the Tech Debt of their  Enterprise.
    TechDebt generation from VMDR.
  • Existing CSAM customers can generate and download this report from the newly introduced Technology Debt Report template.
    Technology Debt Report template.
  • GAV customers can generate and download this report on a request basis.
    Technology Debt report from GAV.

 VMDR customers with GAV can generate the Tech Debt report, which also starts a CSAM trial. This requires a master user role within your Qualys subscription. If you don't see the Generate option, contact your TAM or Qualys Support for assistance.

Toast message.

How to Download the Report?

In the case of VMDR and GAV, you receive an email notification after the report is generated and ready to download. You can download the report by clicking  Download Report from the notification menu.
Download Report Option.

Cloud Asset Activation

You can now activate the Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) cloud assets.

You can activate an individual or multiple assets. While activating multiple assets, you can activate a maximum of 1000 assets at a time. For more information, refer to Activating Assets and Activate Cloud Assets.

 Your account must be Vulnerability Management Scan Processing (VMSP) enabled to activate GCP assets.

Refer to the following list to know the cloud assets and applications for which the activation is supported:

  • AWS: Vulnerability Management (VM), Policy Compliance (PC), and Certificate View (Cert)
  • Azure: Vulnerability Management (VM), Policy Compliance (PC), and Certificate View (Cert)
  • GCP: Vulnerability Management (VM) and Policy Compliance (PC)

Examples: CSAM screen captures for multiple asset activation 

Multiple asset activation - Inventory Source Azure.

Multiple asset activation - Inventory Source GCP.

Purge Support for Assets with CAPS and PS Inventory Sources

You can now purge individual or multiple assets with the inventory sources Cloud Agent as Passive Sensor (CAPS) and Passive Sensor from the Inventory tab.

Prerequisite

Passive Sensor 1.6.4 release

Inventory Sources - CAPS and PS.

To purge an individual asset, select Purge Asset from the Quick Actions menu of the respective asset and follow the subsequent steps. 

To purge multiple assets, select Purge Assets from the Actions list. 

For more information, refer to the Online Help.

Example 1: Purge multiple assets with a Passive Sensor as a source

Purge Assets with inventory source - passive sensor.

Example 2: Purge multiple assets with CAPS as a source

Purge Assets with inventory source - CAPS.

Moreover, while creating an asset purge rule using the Add Other Sources Criteria, you can see two more source options, Cloud Agent as Passive Sensor and Passive Sensor, apart from the Third-Party Connector source option.

Example 1: Asset Purge Rule using the Passive Sensor source

Passive Sensor source option in the Add Other Sources criteria.

Example 2: Asset Purge Rule using the Cloud Agent as Passive Sensor source

Cloud Agent as Passive Sensor source option in the Add Other Sources criteria.

Extended Certificates and Instance Details Support for Unmanaged Assets Detected by EASM

With this release, you can now view certificates and instance details of unmanaged assets detected by EASM using the following Certificate View APIs. For more information, refer to the Qualys Certificate View 3.5 API Release Notes.

Existing or new CSAM users: If you are not a VMDR customer and want to enable Certificate View and VM applications, contact your TAM for assistance. 

GAV users: If the user enables the CSAM trial version, the certificate view application is not enabled by default. Contact your TAM for assistance.

New Tokens

Refer to the following table to learn more about the tokens added to CSAM and GAV.

Token | Tab | Description
inventory:(source | Tags tab; Tag creation wizard (Dynamic tag > Asset Inventory rule) | To find assets from a certain Qualys source, such as API, Active Directory, Appliance, Azure, CAPS, Passive Sensor, etc.

Issues Addressed

See the summary of customer CRMs fixed in this release.

Component/Category | Description
CSAM+GAV-API | The ServiceNow software catalog sync error is fixed.
CSAM+GAV-UI | The sub-options of the "Group Assets by" filter were not visible when the browser resolution was 100%. The issue is now fixed.
CSAM+GAV-UI | We fixed the issue of the updated queries not showing when a dashboard copy was made. (CSAM-24409)
CSAM+GAV-UI | We fixed the issue by de-duplicating a single software library or utility that was discovered from multiple sources with different version strings.
CSAM+GAV-UI | The SerialNumber for Cisco IOS assets was not displayed on assets that do not authenticate through SSH. The issue is fixed.
CSAM+GAV-UI | When a parent tag was added to an asset, its child tag could not be searched for. With this fix, if the parent tag is added to the asset, you can search for its child tag and add it to the asset. You can also search for the parent tag and add its child tags to the asset.