Earlier this year, RedLock announced support for host vulnerability insights through a technology partnership and integration with Tenable and AWS Inspector. We are now pleased to announce integration with Qualys, one of the leaders in the host vulnerability management space.
In dynamic cloud environments, vulnerability management at scale is difficult. According to RedLock’s research, it was revealed that an average cloud resource’s lifespan is 2 hours and 7 minutes. This makes it hard to pinpoint specific, questionable cloud resources, or understand the real exploitability and risks associated with them.
The RedLock Cloud 360 platform can monitor, alert, and search for vulnerabilities across your public cloud environment based on severity, CVE IDs, and other attributes. By overlaying vulnerability data from Qualys with information on network traffic, user activity, risky configurations, and threat intelligence from RedLock, organizations have deeper visibility and contextual insights to prioritize remediation.
The RedLock-Qualys integration is easy to set up in the RedLock Cloud 360 platform. The entire integration is done using Qualys vulnerability management APIs. Customers need to provide the following information from their Qualys deployment:
Once the integration is complete, RedLock will periodically scan and ingest the vulnerability data from Qualys and provide different mechanisms to consume that data through the RedLock console.
Once the vulnerability data is ingested in RedLock, users can consume that using RedLock Query Language (RQL) and subsequently create policies based on that. RQL is an easy-to-use and extensible query language that security teams can leverage to gain insights into their cloud environments. RQL also provides the basis for all of the out-of-the-box as well as custom configuration, network and audit policies customers use in their cloud environment.
Using RQL, users can write a simple query such as the following to find out all instances that have critical vulnerability:
config where hostfinding.type = 'Host Vulnerability' and hostfinding.severity = 'critical'
Users can also search for a specific vulnerability with the following RQL:
config where hostfinding.type = 'Host Vulnerability' and hostfinding.name = 'CVE-2017-0144'
Users can click on any of the instances with host vulnerabilities to get specific details on the vulnerabilities through the resource explorer page (see below):
RedLock also overlays the network traffic in your environment with the vulnerability data to provide additional context and to help with the prioritization of critical vulnerabilities.
The following network query looks at all resources that are receiving traffic from the Internet or Suspicious IPs AND have critical host vulnerabilities:
network where source.publicnetwork IN ('Internet IPs', 'Suspicious IPs') and dest.resource IN (resource where hostfinding.type = 'Host Vulnerability' and hostfinding.severity = 'critical')
As is the case with config RQL, customers can click on the resource or the Host Vulnerability link on the Network RQL page to gain more insights into the specific vulnerabilities through the resource explorer page.
Extending the example above, customers can now turn the network RQL or for that matter, any custom RQL related to host vulnerability into a policy. All that is required is to save the RQL and then from the policy page, use the saved RQL to create the policy. Once the policy is created, RedLock will continuously monitor your environment and generate an alert if a critical vulnerability was discovered on instances that are receiving suspicious traffic from the Internet.
Learn more about how RedLock and Qualys can give you visibility in your public cloud environments and request a demo.