Qualys is proactive about network security

VP Gerhard Eschelbeck discusses the company’s ASP model for protecting against intruders

ASSESSING A COMPANY’S networks for vulnerabilities is a key part of the overall security market. Qualys’ QualysGuardWeb service provides an ongoing picture of network exposures to help administrators detect and prioritize vulnerabilities before they are exploited. In an interview with InfoWorld Test Center Director Steve Gillmor, Qualys Vice President of Engineering Gerhard Eschelbeck discusses the company’s ASP model and how best to protect multiple entry points into a company, given the increase in VPN and wireless technologies.

InfoWorld: Can you give me a snapshot of what Qualys does and where the company is right now?

020910hnqualys.gif
Eschelbeck: Qualys really takes [network] vulnerability assessment into the next level. Basically what we do for our customers is we look at their networks and we find security holes. We find vulnerabilities for them, in the same way as a hacker would do. So we look for buffer overflows, any kinds of vulnerabilities that we can imagine from the outside world on a customer’s network. That includes firewalls, mail servers, Web server, and whatnot. The service [has been] up and running for about one and a half years now, as a service to our customers.

InfoWorld: Do you upgrade the service internally?

Eschelbeck: Absolutely. We roll out new features on a very rapid innovation cycle. Every two weeks we bring out new features and new functionalities. Obviously, what that means [is] we have to highly automate our development processes internally. One of the first steps [I took] when I joined Qualys [one and a half years ago from Network Associate] was to completely automate a lot of the steps that would have been done manually from a testing perspective. For example, we test the product every night, completely automatically. At 8 p.m., when the developers are leaving the building, we automatically build the latest source code into binaries, automatically install them on the system, run a regression test, run stress testing, and run complete load testing until the morning hours. And when the developers come back in the next morning, they get automated results about the testing.

InfoWorld: Have you thought about distributing a software version of this service?

Eschelbeck: Excellent question, actually. Would the customers really like to see us moving there? It is pretty clear that the service model, like the ASP model for vulnerability assessment, just makes a lot of sense. It’s just a perfect match for an ASP [model] in my perspective. You have to, as a vendor, do daily updates for signatures. Your vulnerability assessment is only as good as your last signature. We push it daily into our datacenter, so that all our customers immediately have the latest signatures available. We take away a lot of the burden from our customers of managing it and maintaining the infrastructure to do scanning.

However, as you can imagine, some customers would like to have the ability to scan inside the firewalls as well. Today we scan externally, and internally we take the scanning technology that we have and package it into an appliance system. We already are in beta with this appliance system; that was one of our major deliveries in June. We have this appliance installed inside the firewall and it’s still communicating with our datacenter for getting new signature updates on a daily basis, but it doesn’t require the customers to change anything on their infrastructure. They can keep the firewall the same way; there is no hole to be poked in their firewalls. It’s using an SSL outbound communication to communicate with our datacenter, but it’s inheriting all the features and functionalities that we already have built for the external scanner.

That’s the way we deliver the software version of the scanner. It’s still the services-based model — the ASP model — where it’s simplicity of use. The customer only needs a Web browser, no software to install. And with the appliance, all the customer needs to do is just put it into the network. It’s automatically establishing communication with the datacenter, establishing a trust there, and from this point on the customer uses the Web browser to completely manage the application.

InfoWorld: Microsoft with .Net and Passport has moved more toward a federated model. Does that have some impact on what you are doing?

Eschelbeck: What we’ve seen is a tremendous change in how a company’s perimeter is looking. In the past it was very straightforward, very simple to have one access point to the Internet. There was typically one firewall that was highly protective of the internal infrastructure, and it was not a big deal from a security exposure perspective. What we see [happening] is a big change there, driven by things like companies offering Web services to the outside public. Companies deploy VPN access points, so [there are] multiple entry points to their networks. They deploy wireless access points, so there are multiple entry points into a company, and that’s potentially a significant impact from a security perspective, as you can imagine. When I see .Net, I see exactly the same situation, where you have a significant number of services that every single company is offering on their publicly facing interfaces. And by doing that, there is clearly a security need for a continuous risk that those additional services are providing there.

InfoWorld: What companies do you interface with? Who are your partners?

Eschelbeck: From a partner side, we work with pretty much any security team that’s out there. We have 1,900 different vulnerability signatures in our database right now. Those 1,900 signatures are compiled of Sun, Microsoft, Cisco, you name it — pretty much throughout all the operating systems that you can imagine. So we work very closely on the one side with vendors, [and] on the other side with intelligence providers like Security Focus, [Veritect] Vigilance, and others. But we also work with the security research teams from different companies, and even unaffiliated research teams, to look for vulnerability intelligence and to be able to intelligently develop a signature and push it into the service for our customers.

InfoWorld: What is the impact of the Linux community on the issue of security? There are many who say that because of its openness and transparency, security is easier to maintain in that environment. Do you agree?

Eschelbeck: We are a completely Linux-based system. All of our infrastructure is completely Linux-based, so I may be a little bit biased here. But my take on the situation is that the transparency that Linux gives you is certainly an incredible benefit from a security perspective, because you can immediately verify how you’re vulnerable now. There is no question about it. The challenge that I see, however, is that the innovation cycle in the Linux community is very rapid. And keeping up with this innovation cycle is probably going to be a big challenge for a lot of corporations and a lot of organizations. Even ours. We’re an incredibly security-conscious company, so we take every patch, every update that we get with a grain of salt and look at it carefully [to see] what it did, how we could fix it. But I really believe that the rapid innovation cycle is probably going to cause quite some pain for a lot of companies, companies who are not necessarily focused only on security.

InfoWorld: What do you think of the recent e-mail from Bill Gates to Microsoft, essentially shutting down development for three months while they do a security sweep of the entire platform?

Eschelbeck: I think it’s incredibly good to [see] such a commitment from a company. It’s probably going to take six months to a year until we see the first results there. But I think it’s all a credit to him for making such a bold step and putting a lot of money into at least making this commitment. [However], results need to be seen down the road.

InfoWorld: How do Web services impact your business?

Eschelbeck: Even today, while Web services are still very early on, there is already a significant push towards making Web services secure. This is pretty obvious given when you publish a service over your perimeter, your network, and you want to make sure that it’s not exposing any data that’s not supposed to be there. So I see Web services as an opportunity for us to grow our signature database. What we believe our customers are telling and reassuring us is that regular, automated vulnerability assessment is the key and the requirement to make a secure network. It’s the only proactive way you can do it. Web services are exposing even more data, so the need for doing a regular, automated vulnerability assessment is even more there.

The way we have seen our technology maturing is that customers are using us in a completely automated way. They set up the scheduler as part of the service, they let our system go out there and scan them every Monday or every month or whatever their interval is based on their security policy, and we then tell them the results of the latest scan vs. the previous scan. Is there any delta, are there any changes in the security exposure? Do they need to take any actions? Are those high-priority vulnerabilities that we found in your most recent scan or not?

Basically we give them a tool and an ability to automatically make this assessment, [which] was in the past a highly manual process. As you can imagine, there’re all kinds of tools out there. But the issue with those tools is the data consistency and keeping the data available for further and later analysis. That’s what an ASP model like Qualys certainly has brought to the table, [plus] the ability to compare the results from one scan to the other or from one discovery to the other. We not only do scanning for vulnerability, we also do a device discovery. One of the biggest challenges for a lot of large companies is to even know what devices are out in their DMZes. So they’re using our service as well to do a device discovery. We go out for them to discover the devices on the DMZs and they can compare it every time against what’s valid and what’s invalid.

This has an incredible amount of value now with wireless access points popping up all over the place. There is really not a lot people can do against that, other than walking around in the building and looking for the [waves] and shutting them down. However, with the technology that we have developed, we can find them over the wire. You don’t need to walk through buildings; instead you look through them through the wire. You identify them, you fingerprint them, and you tell the administrators and users, “Hey, those are your wireless access points on your network. Are they actually valid or not?” We have customers from the very low end that just have one IP on the Internet, like a firewall, for example. But we also have customers with multiple Class B networks on their perimeter. So we are from the very small end to the large end.

InfoWorld: Do you have plans to move into not just detection but prevention or response to a detected event?

Eschelbeck: There are a number of technologies that we are looking into right now. We’ve built a model with this centralized platform where the Web services are running at the database [and] all the enforcement is happening up to the scanning service. We have those scanners distributed on the Internet, not just here in the United States. We have scanners in Europe, and we’re just starting it in Asia as well, to get close to our customers. And this is just an incredible distribution mechanism for other technologies, such as network-based intrusion detection — looking at the traffic — as well as load consolidation information. A lot of companies today have fundamental security technology rolled out, but don’t have the resources and time to look at any of the results that those products are delivering to them. There are logs being rolled over, rolled over, day [after] day, and nobody’s looking at the data.

InfoWorld: What is the best advice you could give people who deal with solving security issues?

Eschelbeck: In the past years, there was a lot of technology developed without customers in mind. Fundamentally, when you develop technology, you have to work with the customer and that’s the [highest] priority. You listen to your customer and work with your customer developing technology. Particularly for CTOs, this is so important. A lot of CTOs develop technology in a clean room, in a sterile room, and forget about the people who are using and leveraging their technologies. If you develop and design technology with your customer in mind, it’s already a good step toward success. That’s probably the biggest recommendation I can give people: To work and look for the opportunity to stay in touch with the customer, while designing and developing technology.

Source: www.infoworld.com