Qualys TruRisk™

Qualys TruRisk™ prioritizes vulnerabilities and assets based on the risk they pose to your infrastructure. It accurately quantifies cyber risk so you can reduce exposure, track risk-reduction trends, and improve the effectiveness of your cyber security program.

Small and midsized companies can secure their IT infrastructure with the remediation and mitigation capabilities of the Qualys TruRisk packages. The following Qualys TruRisk packages are available:

  • VMDR TruRisk - Deploying the VMDR TruRisk package provides comprehensive risk-based vulnerability management.
  • VMDR TruRisk FixIT - The VMDR TruRisk FixIT package bundles VMDR TruRisk with the remediation and patch management feature.
  • VMDR TruRisk ProtectIT - The VMDR TruRisk ProtectIT package combines VMDR TruRisk with anti-virus and anti-malware protection.

Contact Qualys Support for more information about these Qualys VMDR TruRisk packages.

The TruRisk algorithm uses two risk-based scores, the Qualys Detection Score (QDS) and the Asset Criticality Score (ACS), to calculate the TruRisk Score of an asset. This section covers the following topics:

Qualys Detection Score

The Qualys Detection Score (QDS) is assigned to each vulnerability detected by Qualys. It ranges from 1 to 100 and is categorized into severity levels: Critical (90-100), High (70-79), Medium (40-69), and Low (1-39). QDS is listed in the vulnerability details and is derived from the Vulnerability Technical Details (CVSS score), the Vulnerability Temporal Details, and the Vulnerability Remediation Details (CIDs).

The following screenshot is an example graphical representation of QDS that provides complete information about the vulnerability:

[Screenshot: Qualys Detection Score graph]

Asset Criticality Score

The Asset Criticality Score (ACS) rates an asset's criticality from 1 to 5. The higher an asset's criticality score, the higher the impact of a vulnerability on that asset. ACS is calculated from multiple asset tags; the tag with the highest criticality score is the contributing factor when calculating the TruRisk Score.

TruRisk Algorithm

The TruRisk Score for externally managed assets is calculated with the following TruRisk algorithm:

TruRisk Score = MIN( ACS * ( wc * Avg(QDSc) * np.power(Count(QDSc), 1/100)
                           + wh * Avg(QDSh) * np.power(Count(QDSh), 1/100)
                           + wm * Avg(QDSm) * np.power(Count(QDSm), 1/100)
                           + wl * Avg(QDSl) * np.power(Count(QDSl), 1/100) ), 1000 )

In the above formula:

  • ACS - Asset Criticality Score
  • w - weighting factor for each severity level of QIDs [critical (c), high (h), medium (m), low (l)]
  • Avg(QDS) - average Qualys Detection Score of the QIDs at each severity level
  • Count(QDS) - number of detected QIDs at each severity level
  • np.power - exponentiation; the exponent is the constant 1/100 (0.01), so the count of detections raises the score only slowly
  • MIN(..., 1000) - the TruRisk Score is capped at 1000
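The following is an added worked example of the formula above, written for this page and not Qualys code. The page does not give the values of the weighting factors wc, wh, wm and wl, so the weights and the sample detections below are constructed for illustration only.

```python
"""Worked TruRisk Score computation from the formula on this page (added example)."""
from statistics import mean
from typing import Dict, List, Tuple

# ASSUMED weighting factors per severity level: the page names wc, wh, wm, wl
# but does not state their values, so these are placeholders for illustration.
ASSUMED_WEIGHTS = {"critical": 1.0, "high": 0.6, "medium": 0.4, "low": 0.2}
COUNT_EXPONENT = 1 / 100   # the constant exponent used with np.power
SCORE_CAP = 1000           # the MIN(..., 1000) term in the formula


def level_contribution(qds_values: List[int], weight: float) -> float:
    """w * Avg(QDS) * Count(QDS)**0.01 for one severity level (0 if no detections)."""
    if not qds_values:
        return 0.0
    if any(not 1 <= q <= 100 for q in qds_values):
        raise ValueError("QDS values must be in the range 1-100")
    return weight * mean(qds_values) * len(qds_values) ** COUNT_EXPONENT


def trurisk_score(acs: int, detections: Dict[str, List[int]],
                  weights: Dict[str, float] = ASSUMED_WEIGHTS) -> Tuple[float, Dict[str, float]]:
    """Return (TruRisk Score, per-severity contributions before the ACS multiplier).

    `detections` maps a severity level to the QDS values of the QIDs detected at
    that level, i.e. the QDSc / QDSh / QDSm / QDSl groups of the formula.
    """
    if not 1 <= acs <= 5:
        raise ValueError("ACS must be in the range 1-5")
    contributions = {level: level_contribution(detections.get(level, []), w)
                     for level, w in weights.items()}
    raw = acs * sum(contributions.values())
    return min(raw, SCORE_CAP), contributions


# Constructed sample asset: ACS 4, QDS values grouped by severity level.
SAMPLE_ACS = 4
SAMPLE_DETECTIONS = {"critical": [95, 92], "high": [75, 72, 70],
                     "medium": [55], "low": [20, 10]}

if __name__ == "__main__":
    score, parts = trurisk_score(SAMPLE_ACS, SAMPLE_DETECTIONS)
    for level, value in parts.items():
        print(f"{level:>8}: {value:8.3f}")
    print(f"TruRisk Score: {score:.2f} (ACS {SAMPLE_ACS}, cap {SCORE_CAP})")
```

Because the count term is Count**0.01, two critical detections raise the critical contribution by under one percent over a single one; the average QDS and the ACS dominate the score.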

The TruRisk Score derived with this formula is shown graphically together with the list of contributing vulnerabilities. Click Patch Now to remediate these vulnerabilities. The following screenshot is an example TruRisk Score view that provides complete information about the asset and its vulnerabilities:

[Screenshot: Qualys TruRisk Score]

Additional Resources