Vulnerability Management Detection &
Response (VMDR)
Lab Tutorial Supplement
Table of Contents
Comprehensive Sensors
    Download Cloud Agent
    Configure Agents for VMDR
Global IT Asset Inventory
    Dynamic Rule-Based Tags
Vulnerability Management
VMDR Prioritization Report
Dashboards & Widgets
Patch Deployment Job
Patch Catalog
VMDR Certification Exam
Comprehensive Sensors
Qualys Sensors provide the most comprehensive approach to collecting all your asset
and software inventory data.
Scanner Appliance
Any Qualys user with scanning privileges has access to Qualys’ pool of Internet-based
Scanner Appliances.
Qualys Hardware-based and Virtual Scanner Appliances can be deployed throughout
your business or enterprise architecture.
Qualys Virtual Scanner Appliances are available for multiple virtualization platforms.
For a detailed discussion of Scanner Appliance deployment and usage, please see the “Scanning
Strategies and Best Practices Self-Paced Training Course” (qualys.com/learning).
Download Cloud Agent
Qualys Cloud Agents install locally on the host assets they protect and send all collected
data to the Qualys Cloud Platform for analysis.
Qualys agents presently support various Windows, Mac, Linux, and Unix-based
operating systems.
Agents can be downloaded from the Qualys Cloud Agent application or the VMDR
“Welcome” page.
Navigate to the following URL to view the “Download Cloud Agent” tutorial:
http://ior.ad/7bZq
Welcome Page
The VMDR “Welcome” page provides one more place for you to download and install
Qualys agents.
Here you’ll find the same download executables and installation commands as you
would within the Qualys Cloud Agent application.
Qualys Cloud Agent supports multiple operating systems.
When deploying agents from the VMDR “Welcome” page, the “Default VMDR Activation
Key” will be used.
This key is automatically generated for VMDR accounts. Other activation keys you have
created can be viewed and edited from the “Cloud Agent” application.
For a detailed discussion of agent installation steps, see the “Cloud Agent Self-Paced Training
Course” (qualys.com/learning).
Configure Agents for VMDR
Multiple VMDR applications are supported by Qualys Cloud Agent:
§ Asset Inventory (AI)
§ Vulnerability Management (VM)
§ Security Configuration Assessment (SCA) / Policy Compliance (PC)
§ Patch Management (PM)
These supported application modules must be activated for your VMDR host assets.
Navigate to the following URL to view the “Configure Agents for VMDR” tutorial:
http://ior.ad/7bZE
Welcome Page
The VMDR “Welcome” page provides another place to configure agent Activation Keys
for VMDR.
This typically replaces the option to “Download Cloud Agent” for accounts that have
multiple Activation Keys.
Pick a key and then select the “Upgrade” option from the “Actions” button.
The key will be upgraded to include required VMDR application modules (AI, PM, VM,
SCA).
While VMDR includes the “Security Configuration Assessment” module (by default),
agent Activation Keys can also be updated to include Policy Compliance.
For a detailed discussion of agent configuration and tuning, see the “Cloud Agent Self-Paced
Training Course” (qualys.com/learning).
Passive Sensor
Qualys Passive Sensor operates in “promiscuous” mode, capturing network traffic and
packets from either a network TAP or the SPAN port of a network switch.
Deploy passive sensors at strategic network locations to begin monitoring network
traffic and conversations.
Both physical (hardware-based) and virtual sensor appliances are available.
The Management Interface of the sensor appliance is assigned an IP address and must
successfully connect to the Qualys Cloud Platform.
The Sniffing Interface is not assigned an IP address and receives traffic from a network
TAP or the SPAN port of a network switch.
An important advantage of capturing network traffic is the additional information
gained from network conversations (exchanges between communicating hosts).
A passive sensor not only collects traffic from “managed” company assets; it also sees
traffic from other hosts and services attempting to communicate with your “managed”
host assets, including communications coming from unknown or “unmanaged” assets.
For more information and details on deploying and using Passive Sensor, see the “Global
IT Asset Inventory and Management Self-Paced Training Course” (qualys.com/learning).
Cloud Connector
Create connectors for your AWS, Google, and Azure accounts.
Enumerate cloud instances and collect useful metadata such as:
• Instance or virtual machine ID
• Location or region
• External and private IPs
• Installed software and active services
• and much more...
Search Tip: Within the Qualys Asset Inventory application, use the “inventory.source”
query token, to quickly find AWS, Azure, and Google instances:
• AWS - inventory.source:INSTANCE_ID
• Azure – inventory.source:VIRTUAL_MACHINE_ID
• Google – inventory.source:GCP_INSTANCE_ID
Leverage Qualys Cloud Security Assessment (CSA), to identify and correct
misconfigurations.
Container Sensor
Qualys Container Sensor is installed on a Docker host as a container application, right
alongside other containers.
Once installed, the Container Sensor (CS) assesses all new and existing Docker images
and containers for vulnerabilities, using the Qualys KnowledgeBase.
Types of Container Sensors:
• General – Scan Docker hosts.
• Registry – Scan images in public or private registries.
• CI/CD Pipeline – Scan images within CI/CD pipeline (e.g., Jenkins and Bamboo).
For more information and details on deploying and using Qualys Container Sensors, see
the “Container Security Self-Paced Training Course” (qualys.com/learning).
Container Runtime Security
Qualys Container Runtime Security provides container runtime visibility and protection
and allows you to create rules or policies to actively block or prevent unwanted actions
or events within your container applications.
This is achieved by instrumenting images with Container Security components that
gather functional-level, behavioural data about the processes running within a
container.
We use an application-native instrumentation process that provides complete visibility of
the application inside the container. The instrumentation is very lightweight and
provides configurable data collection options with low or no impact on application
containers.
This behavioural data is then used by Container Security to monitor process activity,
allowing you to apply security policies and custom security controls, to block specific
events or attempted activities.
Container Runtime Security (CRS) can be deployed for both on-prem and cloud
container environments and is particularly useful for securing containers in a CaaS
environment where the underlying host infrastructure is managed by a cloud service
provider.
Presently, the Container Runtime Security instrumenter supports the following registries
for instrumentation:
• Public registries: Docker Hub
• Private registries: v2-private registry: JFrog Artifactory (secure: auth + https)
Global IT Asset Inventory
The Qualys Asset Inventory (AI) application collects raw data from Qualys Sensors and
then adds its own categorization, normalization and enrichment.
Qualys provides Level 1 and 2 categories for Hardware, Operating Systems, and
Software Application assets.
Managed vs. Unmanaged Assets
With Qualys Passive Sensor, the Asset Inventory application will help you to distinguish
between managed and unmanaged host assets.
Managed assets in your account will have a known hostname, IP address, MAC address,
etc.
Newly discovered hostnames, IPs, and MAC Addresses will be initially labeled as new or
“Unmanaged.”
Unidentified vs. Unknown Assets
Unidentified
§ Not enough data has been discovered/collected for Qualys to determine the
hardware or operating system.
§ To reduce the number of unidentified assets in your account, attempt to
perform scans in “authenticated” mode and ensure network filtering devices
allow your scan traffic to pass.
Unknown
§ Adequate data exists for Qualys to categorize the asset, but it has yet to be
cataloged.
§ Assets are processed by Qualys labs for analysis and categorization. Qualys
researchers review data and update the catalog daily.
It is common to find “unidentified” and “unknown” values in the OS and Hardware
columns of “unmanaged” assets.
New data collected can potentially be merged with existing data only when:
1. Both IP address and MAC address have been successfully matched, or
2. Both IP address and hostname have been successfully matched.
Global IT Asset Inventory provides confidence levels (HIGH, MEDIUM, and LOW) for OS
and hardware detections of unmanaged assets.
**NOTE: A single asset can potentially have multiple interfaces.
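The two merge rules above (IP plus MAC, or IP plus hostname) are easy to get wrong in practice, especially for multi-homed hosts and for IPs that DHCP hands to a different machine. The following is an added example, not Qualys code: it models an inventory of assets with one or more interfaces and applies exactly those two rules to each new passive-sensor sighting. The record shapes, names and IP/MAC values are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample data; the record layout is an assumption for this example,
# not the real Qualys asset model.

@dataclass
class Interface:
    ip: str
    mac: Optional[str] = None
    hostname: Optional[str] = None

@dataclass
class Asset:
    asset_id: str
    managed: bool
    interfaces: List[Interface] = field(default_factory=list)   # an asset may have several NICs

def _norm_mac(mac: Optional[str]) -> Optional[str]:
    # Compare "00-1A-2B-.." and "00:1a:2b:.." as the same address.
    return mac.lower().replace("-", ":") if mac else None

def _norm_host(hostname: Optional[str]) -> Optional[str]:
    # Hostnames are case-insensitive; drop a trailing dot from an FQDN.
    return hostname.lower().rstrip(".") if hostname else None

def can_merge(known: Interface, seen: Interface) -> bool:
    """Rule 1: IP and MAC both match. Rule 2: IP and hostname both match.
    An IP match alone never merges (DHCP reuses addresses), and a missing
    MAC or hostname on either side cannot satisfy its rule."""
    if known.ip != seen.ip:
        return False
    mac_match = (_norm_mac(known.mac) is not None
                 and _norm_mac(known.mac) == _norm_mac(seen.mac))
    host_match = (_norm_host(known.hostname) is not None
                  and _norm_host(known.hostname) == _norm_host(seen.hostname))
    return mac_match or host_match

def merge_sighting(inventory: List[Asset], seen: Interface) -> Asset:
    """Merge a sighting into the first asset whose interface satisfies a rule;
    otherwise record it as a new, unmanaged asset."""
    for asset in inventory:
        for iface in asset.interfaces:
            if can_merge(iface, seen):
                # Enrich the matched interface with whatever the sighting added.
                iface.mac = iface.mac or seen.mac
                iface.hostname = iface.hostname or seen.hostname
                return asset
    unmanaged_count = sum(1 for a in inventory if not a.managed)
    new_asset = Asset(f"unmanaged-{unmanaged_count + 1}", managed=False, interfaces=[seen])
    inventory.append(new_asset)
    return new_asset

def build_inventory() -> List[Asset]:
    # One managed, dual-homed database server (constructed).
    return [Asset("db01", managed=True, interfaces=[
        Interface("10.0.1.20", mac="00:1A:2B:3C:4D:5E", hostname="db01.corp.example"),
        Interface("10.0.9.20", mac="00:1A:2B:3C:4D:5F"),      # second NIC, hostname unknown so far
    ])]

def demo() -> List[str]:
    """Run four sightings against the inventory; returns the asset each landed on."""
    inv = build_inventory()
    return [
        # IP + MAC on the second NIC (MAC spelled with dashes): merged into db01.
        merge_sighting(inv, Interface("10.0.9.20", mac="00-1a-2b-3c-4d-5f",
                                      hostname="DB01.corp.example.")).asset_id,
        # IP + hostname on the first NIC, no MAC seen: merged into db01.
        merge_sighting(inv, Interface("10.0.1.20", hostname="db01.corp.example")).asset_id,
        # Same IP as db01's first NIC but a different MAC and hostname: new unmanaged asset.
        merge_sighting(inv, Interface("10.0.1.20", mac="aa:bb:cc:dd:ee:01",
                                      hostname="rogue-pi")).asset_id,
        # IP only, nothing else observed: also not merged.
        merge_sighting(inv, Interface("10.0.9.20")).asset_id,
    ]

if __name__ == "__main__":
    print(demo())
```

The third and fourth sightings are the cases that matter operationally: an address reused by a different machine, or a bare IP with no corroborating MAC or hostname, must surface as a new unmanaged asset rather than silently enriching a managed one.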
CMDB Sync
With the Qualys CMDB Sync App, your ServiceNow CMDB can serve as another source
of data. To work successfully, the app needs to be installed in Qualys and ServiceNow.
Once installed, metadata can move in both directions.
Asset metadata synchronization is performed only for assets already in both Qualys and
ServiceNow (i.e., not for new asset discovery). ServiceNow CMDB can benefit from
Qualys categorization, normalization, and data enrichment.
For more information and details about the CMDB Sync App, see the “Asset Inventory CMDB
Sync App” User Guide: https://www.qualys.com/docs/qualys-asset-inventory-cmdb-sync.pdf
Dynamic Rule-Based Tags
Qualys Asset Inventory provides multiple rule engines for creating dynamic Asset Tags.
The “Asset Inventory” rule engine allows you to build tags using the Qualys Query
Language and various query tokens, including the hardware, OS, and software category
tokens.
Navigate to the following URL to view the “Dynamic Rule-Based Tags” tutorial:
http://ior.ad/7dEg
Example Queries
To build a dynamic tag for Relational Database Management Systems, use the “Asset
Inventory” rule engine with the following query:
software:(category:Databases / RDBMS)
The Level 1 category (Databases) is separated from the Level 2 (“category2”) value (RDBMS)
by the slash (“/”) symbol.
To build the same tag exclusively for “Server” host assets, use the “Asset Inventory” rule
engine with this modified query:
software:(category:Databases / RDBMS) and operatingSystem.category2:server
The Boolean operator “AND” combines the query from the previous example with an
additional query token/condition. The Boolean operators AND, OR and NOT can be
combined to build accurate and effective queries.
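To see which assets a given rule would actually tag, it helps to evaluate the query against sample records. The block below is an added example, not part of this tutorial or of Qualys: a small recursive-descent evaluator for the subset of QQL used on this page (field:value, a parenthesized nested query on a list field, AND, OR, NOT and grouping). The asset records, the case-insensitive whole-value match, and the nesting semantics (a list field matches when any element matches) are simplifying assumptions for the example.

```python
import re
from typing import Any, Callable, Dict, List, Optional

# Constructed asset records; the layout mirrors the tokens used on this page and
# is an assumption, not the real Qualys data model.
ASSETS: List[Dict[str, Any]] = [
    {"name": "db01", "operatingSystem": {"category2": "Server"},
     "software": [{"name": "PostgreSQL 12", "category": "Databases / RDBMS"}]},
    {"name": "laptop07", "operatingSystem": {"category2": "Workstation"},
     "software": [{"name": "SQLite 3", "category": "Databases / RDBMS"}]},
    {"name": "web02", "operatingSystem": {"category2": "Server"},
     "software": [{"name": "nginx 1.18", "category": "Web Servers / HTTP"}]},
]

Predicate = Callable[[Dict[str, Any]], bool]
# Tokens: "field:(" opens a nested group; bare parens; any run of non-space, non-paren text.
TOKEN_RE = re.compile(r"[A-Za-z0-9_.]+:\(|[()]|[^\s()]+")
KEYWORDS = {"and", "or", "not"}

def lookup(record: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted token such as operatingSystem.category2."""
    value: Any = record
    for part in path.split("."):
        if not isinstance(value, dict):
            return None
        value = value.get(part)
    return value

class QueryParser:
    """expr := term ('or' term)* ; term := factor (['and'] factor)* ;
    factor := 'not' factor | '(' expr ')' | field:( expr ) | field:value"""

    def __init__(self, query: str) -> None:
        self.toks = TOKEN_RE.findall(query)
        self.pos = 0

    def peek(self) -> Optional[str]:
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self) -> Optional[str]:
        tok = self.peek()
        self.pos += 1
        return tok

    def _expect(self, tok: str) -> None:
        if self.take() != tok:
            raise ValueError(f"expected {tok!r}")

    def parse(self) -> Predicate:
        pred = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return pred

    def expr(self) -> Predicate:            # OR binds loosest
        left = self.term()
        while self.peek() is not None and self.peek().lower() == "or":
            self.take()
            left = self._or(left, self.term())
        return left

    def term(self) -> Predicate:            # AND; adjacent factors are ANDed implicitly
        left = self.factor()
        while self.peek() not in (None, ")") and self.peek().lower() != "or":
            if self.peek().lower() == "and":
                self.take()
            left = self._and(left, self.factor())
        return left

    def factor(self) -> Predicate:
        tok = self.take()
        if tok is None:
            raise ValueError("unexpected end of query")
        if tok.lower() == "not":
            inner = self.factor()
            return lambda rec: not inner(rec)
        if tok == "(":
            inner = self.expr()
            self._expect(")")
            return inner
        if tok.endswith(":("):              # field:(...): any element of the list field matches
            field, inner = tok[:-2], self.expr()
            self._expect(")")
            return self._nested(field, inner)
        if ":" not in tok:
            raise ValueError(f"expected field:value, got {tok!r}")
        field, value = tok.split(":", 1)
        parts = [value]                     # values may span tokens: "Databases / RDBMS"
        while (self.peek() not in (None, "(", ")")
               and self.peek().lower() not in KEYWORDS and ":" not in self.peek()):
            parts.append(self.take())
        return self._equals(field, " ".join(parts))

    @staticmethod
    def _equals(field: str, value: str) -> Predicate:
        wanted = value.lower()              # case-insensitive whole-value match (assumption)
        return lambda rec: lookup(rec, field) is not None and str(lookup(rec, field)).lower() == wanted

    @staticmethod
    def _nested(field: str, inner: Predicate) -> Predicate:
        def pred(rec: Dict[str, Any]) -> bool:
            items = lookup(rec, field)
            items = items if isinstance(items, list) else [items]
            return any(isinstance(i, dict) and inner(i) for i in items)
        return pred

    @staticmethod
    def _and(a: Predicate, b: Predicate) -> Predicate:
        return lambda rec: a(rec) and b(rec)

    @staticmethod
    def _or(a: Predicate, b: Predicate) -> Predicate:
        return lambda rec: a(rec) or b(rec)

def tag_assets(query: str, assets: List[Dict[str, Any]] = ASSETS) -> List[str]:
    """Names of the assets a dynamic tag built from `query` would pick up."""
    matches = QueryParser(query).parse()
    return [a["name"] for a in assets if matches(a)]
```

Running the two queries from this page through tag_assets shows the effect of the added AND clause: the first query tags both the server and the laptop running an RDBMS, the second drops the laptop.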
Vulnerability Management
Vulnerability findings can be viewed from multiple Qualys applications; Global IT Asset
Inventory also provides response capabilities.
When viewing asset details from within the Asset Inventory application, vulnerability
findings are initially displayed graphically.
Specific vulnerability details can be quickly displayed with a click of your mouse.
Qualys severity levels rank the potential impact or outcome from a successful
vulnerability exploit.
Patches for specific vulnerabilities can then be added to a new or existing patch job,
directly from Asset Inventory.
Qualys VMDR provides extensive tools and features for working with vulnerabilities,
including dynamic Widgets and Dashboards, search and query tools, and the
“Prioritization Report.”
Once the required assessment data has been collected from Qualys scanners and agents, the
VULNERABILITIES section of Qualys VMDR displays your complete list of discovered
vulnerabilities, along with powerful search and query capabilities.
Patch Jobs can be quickly and conveniently created for a specific list of high-risk
vulnerabilities, allowing you to deploy patches, based upon the vulnerabilities they
actually fix.
Navigate to the following URL to view the “Vulnerability Assessment” tutorial:
http://ior.ad/7dEB
After selecting one or more patchable vulnerabilities, click the “View Missing Patches”
option, to automatically begin job creation (within the Patch Management application).
Not all vulnerabilities are patchable. Use the following query to locate vulnerabilities
that are patchable by Qualys’ PM module:
vulnerabilities.vulnerability.qualysPatchable:TRUE
Remember, the task of deploying and uninstalling patches requires Qualys Cloud Agent.
VMDR Prioritization Report
Use the VMDR Prioritization report to automatically prioritize the riskiest vulnerabilities
for your most critical assets – reducing potentially thousands of discovered
vulnerabilities, to the few that matter.
By correlating vulnerability information with threat intelligence and asset context, the
Prioritization Report helps you “zero in” on your highest-risk vulnerabilities and
quickly patch them.
The VMDR Prioritization report:
• Guides you to target and quickly patch your highest risk vulnerabilities.
• Helps you find the specific patch to fix a particular vulnerability.
• Allows you to quickly identify and remediate the vulnerabilities that are most
likely to get exploited.
• Empowers security analysts to pick and choose the relevant threat indicators for
your specific and unique organization.
• Provides an integrated workflow that reduces the time between vulnerability
detection and patch deployment.
Navigate to the following URL to begin the “VMDR Prioritization” tutorial:
http://ior.ad/7dEE
After selecting one or more Asset tags to specify your targeted assets, prioritization
options are provided in three categories:
Age: Prioritize vulnerabilities by their age. Detection age is the number of days since the
vulnerability was first discovered on an asset (e.g., by a scanner or cloud agent). The
“Vulnerability” option instead distributes vulnerabilities by their actual age, i.e., how
long the vulnerability itself has been known, regardless of when it was detected in your
environment.
Real-Time Threat Indicators (RTI): Prioritize vulnerabilities by their known and existing
threats.
Combine multiple threat indicators, using the “Match Any” or “Match All” operators.
RTIs are divided into two groups: Potential Impact and Active Threats.
Attack Surface: Remove vulnerabilities from the report that are not associated with a
running kernel, an actively running service, or other attack-surface indicators.
Once your priority options have been selected, click the “Prioritize Now” button.
The displayed assets, vulnerabilities and patches will reflect the priority options you
specify.
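The three option categories compose as successive filters, and the “Match Any” versus “Match All” choice for RTIs changes the result considerably. The block below is an added example, not Qualys’ prioritization logic: it applies an age floor, an RTI match with either operator, and an attack-surface filter to a handful of constructed findings, then collapses the survivors to the distinct patches they need. Field names, QIDs, patch names and the RTI labels are assumptions for the example.

```python
from datetime import date
from typing import Dict, Iterable, List

# Constructed findings; every field name and value here is an assumption.
FINDINGS: List[Dict] = [
    {"qid": 1, "asset": "db01", "first_found": date(2020, 4, 1), "patch": "patch-A",
     "rtis": {"Exploit Public", "Active Attacks"}, "running_service": True, "running_kernel": False},
    {"qid": 2, "asset": "db01", "first_found": date(2020, 6, 20), "patch": "patch-B",
     "rtis": {"Exploit Public"}, "running_service": False, "running_kernel": True},
    {"qid": 3, "asset": "web02", "first_found": date(2020, 6, 28), "patch": "patch-C",
     "rtis": set(), "running_service": True, "running_kernel": False},
    {"qid": 4, "asset": "laptop07", "first_found": date(2020, 2, 14), "patch": "patch-A",
     "rtis": {"Exploit Public", "Active Attacks", "Malware"},
     "running_service": False, "running_kernel": False},
]
TODAY = date(2020, 7, 1)   # fixed "now" so the example is reproducible

def detection_age_days(finding: Dict, today: date = TODAY) -> int:
    """Days since the finding was first detected on the asset."""
    return (today - finding["first_found"]).days

def prioritize(findings: Iterable[Dict], today: date = TODAY, min_age_days: int = 0,
               rtis: Iterable[str] = (), match: str = "any",
               attack_surface_only: bool = False) -> List[Dict]:
    """Keep findings that pass all selected options.

    min_age_days      -> Age: drop findings detected fewer than N days ago
    rtis + match      -> RTI: "any" keeps a finding with at least one selected
                         indicator, "all" requires every selected indicator
    attack_surface_only -> keep only findings tied to a running service or
                         running kernel
    """
    if match not in ("any", "all"):
        raise ValueError("match must be 'any' or 'all'")
    wanted = set(rtis)
    selected: List[Dict] = []
    for f in findings:
        if detection_age_days(f, today) < min_age_days:
            continue
        if wanted:
            hits = wanted & f["rtis"]
            if match == "any" and not hits:
                continue
            if match == "all" and hits != wanted:
                continue
        if attack_surface_only and not (f["running_service"] or f["running_kernel"]):
            continue
        selected.append(f)
    return selected

def qids(findings: Iterable[Dict]) -> List[int]:
    return [f["qid"] for f in findings]

def patches_for(findings: Iterable[Dict]) -> List[str]:
    """Distinct patches covering the selected findings (one patch may fix several)."""
    return sorted({f["patch"] for f in findings})

if __name__ == "__main__":
    hot = prioritize(FINDINGS, rtis={"Exploit Public", "Active Attacks"}, match="all")
    print(qids(hot), patches_for(hot))
```

Note the difference between the operators with the same two indicators selected: “all” keeps only findings 1 and 4, while “any” also admits finding 2, which has only one of them. Adding the attack-surface filter on top of “any” then removes finding 4, whose host is not exposing the vulnerable component.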
As you continue to make adjustments to the priority options, the displayed
vulnerabilities and patches are automatically adjusted. Patches can be deployed
individually or all at once.
Dashboards & Widgets
Continuously monitor assets and vulnerabilities with any number of “out-of-box”
Dashboards and Widgets, or build your own custom Dashboards and Widgets.
Navigate to the following URL to begin the “Dashboards & Widgets” tutorial:
http://ior.ad/7ena
Widget Types
Widgets are designed to display query results graphically, using one of four different
chart options.
Widgets are automatically updated to reflect changes in your asset data and findings.
The “count” widget can be configured to change color, as changes to assets and
vulnerability findings reach specific thresholds or special conditions.
A “reference” query in the count widget is useful for comparing the “initial” query’s
result set to some type of control or benchmark. The difference between the result sets
of the two queries is represented as a percentage.
In the example above, HIGH severity vulnerabilities (Sev. 3, 4, 5) are presently about
94% of ALL vulnerabilities (Sev. 1, 2, 3, 4, 5). The “count” widget is configured to change
from its base color to red, when this percentage is greater than 50 percent.
Export to Dashboard
Export the results of any VMDR Prioritization Report and monitor them as a widget.
Results will be continuously updated within the Dashboard Widget.
Patch Deployment Job
While a patch assessment is useful for providing a list of “installed” and “missing”
patches, “Deployment Jobs” perform the tasks of actually installing patches to host
assets.
Navigate to the following URL to view the “PM Deployment Job” tutorial:
http://ior.ad/7dVY
Before creating any job, you’ll need to add “patchable” agent hosts to the “Licenses” tab
(within the CONFIGURATION section of the Patch Management application).
Use Asset Tags to include host assets for license consumption. The “Total Consumption”
indicator is updated with the number of agent hosts labelled with the tag(s) included.
Create Deployment Job
You can create a “Deployment Job” for agent host assets that are missing patches.
Presently, you can add a maximum of 200 patches to a single job.
While it is common to build a job from the JOBS section of the PM application, jobs can
also be created within the PATCHES and ASSETS sections.
You can add assets to a job by Host Name or by Asset Tag. If you include more than one
Asset Tag, be sure to select an appropriate Boolean operator (i.e., Any or All).
By default, the “Patch Selector” displays patches that are “Within Scope” of the host
asset(s) your job is targeting.
For greater patching efficiency, consider selecting patches that have NOT been
superseded (“isSuperseded:false”) to eliminate older, redundant patches.
Patches that display the reboot symbol will require a reboot.
If you attempt to add patches to an existing job that already includes them, you will
receive a warning message; duplicate patches will not be added to a job.
You can run jobs on demand, or you can schedule your jobs to run at a future date and
time.
Schedule jobs to run once, or to recur on a daily, weekly or monthly basis.
You have the option to configure a “Patch Window” (i.e., “Set Duration” option), to run
the deployment job within a specific time frame.
A job will display the “Timed out” status, if the installation does not start within the
specified patch window.
Select the “None” option to give a job as much time as it needs.
The Deployment and Reboot Communication Options allow you to specify the type of
“pop-up” messages end-users will receive before, during and after job deployment.
The “Deferment” settings provide active end-users the option to postpone the start of a
job and to postpone a system reboot (if required).
If no user is logged-in, patching will begin as scheduled and rebooting will start
immediately following patch deployment.
The option to “Enable opportunistic patch downloads” potentially allows scheduled jobs
to save time by attempting to download patches, prior to job execution.
Assets and patches can be added to any job that is “Disabled.”
Assets and patches can be added to a “Recurring” job, both before and after it is
“Enabled.”
Once patch deployment is complete, another patch assessment scan will begin
automatically and the number of missing and installed patches will be updated for the
affected host(s).
Use the “Quick Actions” menu to view the progress of any job.
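The job rules described above (within-scope and non-superseded patch selection, the 200-patch cap, rejection of duplicates, the reboot flag, and the “Timed out” status when a patch window elapses) fit together into a small model. The following is an added example, not Qualys code: it keeps a job’s patch list with those constraints so you can reason about what a job will do before enabling it. The catalog, patch names, the status strings other than “Timed out”, and the choice to drop vendor-download-only patches from the selection are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

MAX_PATCHES_PER_JOB = 200   # limit stated on this page

@dataclass(frozen=True)
class Patch:
    patch_id: str
    is_superseded: bool = False        # catalog attribute behind isSuperseded:false
    reboot_required: bool = False      # the reboot symbol in the Patch Selector
    acquire_from_vendor: bool = False  # downloadMethod:AcquireFromVendor (key icon)

def select_patches(catalog: Iterable[Patch], missing_ids: Iterable[str],
                   include_superseded: bool = False) -> List[Patch]:
    """Model the Patch Selector: only patches within scope (missing on the targets),
    without superseded ones by default. This example also drops patches the agent
    cannot download itself, since a job could not install them unaided."""
    missing = set(missing_ids)
    return [p for p in catalog
            if p.patch_id in missing
            and (include_superseded or not p.is_superseded)
            and not p.acquire_from_vendor]

@dataclass
class DeploymentJob:
    name: str
    patch_window_minutes: Optional[int] = None   # None == the "None" option: unlimited
    patches: Dict[str, Patch] = field(default_factory=dict)
    warnings: List[str] = field(default_factory=list)

    def add_patches(self, candidates: Iterable[Patch]) -> int:
        """Add patches to the job; returns how many were actually added.
        Duplicates are skipped with a warning, and the job refuses to exceed the cap."""
        added = 0
        for patch in candidates:
            if patch.patch_id in self.patches:
                self.warnings.append(f"{patch.patch_id} is already in job {self.name!r}; skipped")
                continue
            if len(self.patches) >= MAX_PATCHES_PER_JOB:
                raise ValueError(f"job {self.name!r} already holds {MAX_PATCHES_PER_JOB} patches")
            self.patches[patch.patch_id] = patch
            added += 1
        return added

    @property
    def reboot_required(self) -> bool:
        """A job reboots if any patch in it requires a reboot."""
        return any(p.reboot_required for p in self.patches.values())

    def status_after_delay(self, minutes_until_install_started: int) -> str:
        """Job status once installation starts this many minutes after the scheduled
        start: "Timed out" if that exceeds the patch window, else a running status
        (the string "Running" is this example's choice)."""
        window = self.patch_window_minutes
        if window is not None and minutes_until_install_started > window:
            return "Timed out"
        return "Running"

# Constructed catalog and missing-patch list for a demo run.
CATALOG = [
    Patch("patch-A", is_superseded=True),         # replaced by patch-B
    Patch("patch-B", reboot_required=True),
    Patch("patch-C"),
    Patch("patch-D", acquire_from_vendor=True),   # key icon: vendor download only
    Patch("patch-E"),                             # already installed: out of scope
]
MISSING_ON_TARGETS = ["patch-A", "patch-B", "patch-C", "patch-D"]

def demo() -> DeploymentJob:
    job = DeploymentJob("db-servers-monthly", patch_window_minutes=120)
    job.add_patches(select_patches(CATALOG, MISSING_ON_TARGETS))
    job.add_patches(select_patches(CATALOG, MISSING_ON_TARGETS))   # every patch is a duplicate
    return job

if __name__ == "__main__":
    j = demo()
    print(sorted(j.patches), j.reboot_required, j.warnings)
```

In the demo run only patch-B and patch-C make it into the job: patch-A is superseded, patch-D needs a vendor download, and patch-E is not missing. The second add_patches call adds nothing and leaves one warning per duplicate, which is the behaviour to expect when re-running a selection against an existing job.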
Patch Catalog
The Patch Catalog contains tens of thousands of OS and application patches. Presently
you can add up to 200 patches to a single job.
Navigate to the following URL to view the “Patch Catalog” tutorial:
http://ior.ad/7eq0
By default, only the latest (non-superseded) and missing patches are displayed. This is
done to help you focus on the essential patches required by your host assets.
To view ALL patches in the catalog, remove (uncheck) the “Missing” and “Non-
superseded” filter options and then click somewhere outside of the “Filters” drop-down
menu (to refresh the displayed patches).
Quickly search for specific groups of patches in the Patch Catalog, using
the faceted search pane on the left.
Search for patches by:
• Application Family
• Vendor
• Category
• Type
• Vendor Severity
• Reboot Requirements
For more sophisticated queries, use Query Tokens and the Qualys
Query Language (QQL) in the “Search” field, at the top of the Catalog.
Any query entered into the “Search” field will be affected by the
current filtering options. Be sure to verify the filter options, prior to
submitting queries.
Type the following query into the “Search” field and press the “Enter” or “Return” key:
downloadMethod:AcquireFromVendor
This lists patches that must be acquired directly from the vendor. Such patches are
identified with the “key-shaped” icon and cannot be downloaded by Qualys’ Cloud Agent.
Next, try the following query:
isRollback:true
The “Rollback” patches it returns are candidates for an Uninstall Job. Not all patches
can be uninstalled.
Patch jobs can also be created and updated from within the PATCHES section of the
Patch Management application.
For more assessment and patching details, enroll in the “Patch Management Self-Paced
Training” course (qualys.com/learning).
VMDR Certification Exam
Participants in the VMDR training course have the option to take the VMDR Certification
Exam. This exam is provided through our Learning Management System
(qualys.com/learning). To take the exam, candidates will need a “learner” account.
If you would like to take the exam, but do not already have a “learner” account, click the
“Request a new account” link, from the “Qualys Training & Certification” login page
(qualys.com/learning).
Once you have created a “learner” account (and for those who already have an
account), click the following link to access the “VMDR - QSC 2020” course page:
https://gm1.geolearning.com/geonext/qualys/scheduledclassdetails4enroll.geo?&id=22511065648
From the “VMDR – QSC 2020” course page, click the “Enroll” button (lower-right
corner).
After successfully completing the course enrollment, click the “Launch” button, for the
Qualys VMDR Exam.
Each candidate is provided five attempts to pass the exam.
With a passing score of 75% (or greater), click the “Print Certificate” button to download
and print your course exam certificate.