
Vulnerability Management Slides For Lab Tutorials

This document discusses vulnerability management using Qualys. It covers the vulnerability management lifecycle of discover, organize, assess, report, and remediate. It also discusses setting up a Qualys account, organizing and managing assets using groups and tags, performing vulnerability assessments, and generating reports. User management and remediation are also briefly mentioned.

Uploaded by aziz

Vulnerability Management

1 Qualys, Inc. Corporate Presentation


Agenda

§ VM Lifecycle & Sensors
§ Account Setup
§ Qualys KnowledgeBase and Search Lists
§ Organize & Manage Assets
§ Vulnerability Assessment
§ Reporting
§ User Management
§ Remediation


qualys.com/learning

• LAB Tutorial Supplement
• Presentation Slides
• VM Certification Exam

VM Lifecycle & Sensors


Vulnerability Management Lifecycle

1. Discover
2. Organize Assets
3. Assess
4. Report
5. Remediate
6. Verify

VM Sensors

[Figure: VM sensors deployed across LAN 1, LAN 2, the DMZ, cloud environments (EC2/VPC, Azure, Google) and remote users, connected to the Qualys Cloud Platform.]

Account Setup



Add Scannable Hosts

§ Manager Users
• Add assets to subscription
• Remove assets from subscription
• Delegate “Add assets” privilege to Unit Managers

§ Tracking Method
• IP Address (works best for static IPs)
• DNS Name
• NetBIOS Name

* Host Assets tab is replaced by the Address Management tab when AGMS is enabled.

Add Agent Hosts

• Install agent hosts with an Activation Key that has Vulnerability Management (VM) enabled.
• Alternatively, you can activate the VM module after Cloud Agent has been installed.
• Qualys Host ID is the default tracking method for agent hosts.


Lab Tutorial 1

Add Host Assets, pg. 4

5 min.



Qualys KnowledgeBase



VM KnowledgeBase

All QIDs are stored here


Vulnerability Severity Levels

Severity 1 – Least Urgent
Severity 5 – Most Urgent

Common Vulnerability Scoring System
• De facto rating system for PCI DSS
• The Qualys KnowledgeBase provides CVSS scores (NIST) in addition to Qualys Severity

CVE and Bugtraq
• Correlates Vulnerabilities and CVE ID (http://cve.mitre.org/)
• Correlates Vulnerabilities and Bugtraq ID (http://securityfocus.com)

KnowledgeBase QID

General Info - Provides basic details like title, severity, type

Details - QID, CVE ID, Bugtraq ID and other vendor references info

Software - Vendors and products associated with the vulnerability

Threat - Defines the inherent threat within the vulnerability

Impact - What could happen should the vulnerability be exploited

Solution - How to fix the issue

Exploitability - Exploitability info correlated with this vulnerability

Malware - Malware information that is correlated with this vulnerability

Compliance - If there are compliance concerns

Results - What was returned when we probed for information
(Available in a report or scan result after scan completion)

Disabled vulnerabilities are still scanned for but they are not reported or ticketed.

KnowledgeBase
Editing Vulnerabilities

§ Change Severity Levels
§ Threat – Impact – Solution have user comments field
§ Updates from the service not overridden
§ Edited vulnerabilities are noted in Scan results

KnowledgeBase Search

Use the search functionality to find vulnerabilities by QID, title, user configurations and many other criteria.

Lab Tutorial 2

Vulnerability KnowledgeBase, pg. 6

5 min.



KnowledgeBase Search List



Search List Overview

No limitation to the number of QIDs in a search list:

§ Static search list - Defined and updated manually.
§ Dynamic search list - Defined based on search criteria and updated when new QIDs are added to the KnowledgeBase.

Using Search Lists

[Figure: Search Lists are used by three components.]
• Report Template & Scorecards: On which vulns do we want to report?
• Option Profile: For which vulns are we scanning?
• Remediation Policy: For which vulns do we want tickets?

Search List Info.

§ Detailed information about a Search List is available by clicking the icon.
§ General Info, list criteria, and all QIDs that match the criteria are shown.
§ Also shown is a list of all report templates, option profiles and remediation rules where the list is used.

Lab Tutorial 3

KnowledgeBase Search List, pg. 8

5 min.



Using RTIs

§ Risk = Threat x Vulnerability (Severity)
§ Severity = Impact if vulnerability is exploited.
§ Select one or more RTI options when creating a Search List.


Search List
Use Cases

§ Create reports for specific types of vulnerabilities:
• Microsoft’s Patch Tuesday vulnerabilities
• PCI vulnerabilities
• Only the vulnerabilities published in the last 30 days

§ Scan for a specific type of vulnerability (when necessary):
• Exchange Server, Solorigate Sunburst, etc...
• High severity vulnerabilities with known exploits

§ Create a Remediation Policy that assigns or ignores vulnerabilities (when they are detected).

Organize & Manage Assets

Assets Overview

[Figure: Asset Search, Asset Details, Asset Groups, Asset Tags]

Asset Groups


Asset Groups
§ Asset groups allow you to manually group “scannable” assets in your account.
§ Asset groups can contain a random collection of “scannable” assets or they can be designed around specific characteristics, such as:
• Device type
• System priority or criticality
• Geographic or network boundaries
• Asset ownership
• and more ...

[Figure label: 192.168.1.0/24]

§ Asset Groups cannot be nested.

§ A matching Asset Tag is created for each Asset Group.


Lab Tutorial 4

Asset Groups, pg. 9

5 min.

Scan by Hostname

• Add hosts by DNS or NetBIOS names.
• Use Asset Groups to “scan by hostname.”

1. Qualys account must have “Scan by Hostname” enabled.
2. Use the DNS or NetBIOS options to add members to Asset Group.
3. Scanner appliance must resolve hostname to IP address.
4. Only hostnames resolved to IPs in your subscription will be scanned.

Asset Group: Business Impact

• Business Impact is used to calculate the Business Risk Score, which assigns a higher weight to critical host assets.
• Demonstrate progress by lowering the Business Risk Score of your Asset Groups.

Asset Tags



Asset Tag Basics
Static Tags
§ Assigned manually to host assets.
§ Commonly used as the starting point of an Asset Tag Hierarchy.

Dynamic Tags
§ Host assignment is determined by Asset Tag Rule Engine.
§ Tags dynamically change with updates to host.

Asset Tag Hierarchy

§ Tags are typically nested, creating various parent/child relationships.
§ A child tag should represent a subset of host assets represented by its parent tag.

Automated discovery and tagging

[Figure: a scanner discovers hosts 10.0.30.17, 10.0.30.18, 10.0.30.19 and 10.0.30.20 on network 10.0.30.16/28 and tags them automatically (Server or Workstation, Chicago, TELNET ON). Example host: IP Address 10.0.30.18, OS Windows 2008, Tags: Server, Chicago, TELNET ON. Other labels: IT Security, Branch (Scanner).]

Initial Asset Tags

The service creates some initial asset tags based on existing objects in your account:

• Asset Groups
• Business Units
• Cloud Agent
• Internet Facing Assets
• Malware Domain Assets
Lab Tutorial 5

OS Asset Tag Hierarchy, pg. 11

10 min.

Asset Tag Rule Engine

Although tags can be created statically (No Dynamic Rule), Dynamic Asset Tags provide the most flexible and scalable way to automatically discover, organize and manage your assets.

Asset Tag Hierarchy Design

[Figure: Good Tree vs. Bad Tree]

§ Attempt to group tag hierarchies (parent/child relationships) around some type of common criteria.
§ Child tags do NOT inherit the attributes or properties of their parent tags.
§ Multiple tags can be combined when selecting targets for scanning and reporting.
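
The two design rules above (a child tag should cover a subset of its parent's hosts, and a child does not inherit its parent's rule) can be checked mechanically. The following is an added illustration, not Qualys code or the Asset Tag Rule Engine's syntax: the host records are constructed, and the rule format, `evaluate_tags` and `hierarchy_violations` are hypothetical names.

```python
import ipaddress

# Constructed host records, as a scan or agent might report them.
HOSTS = [
    {"ip": "10.0.30.17", "os": "Windows 2008", "ports": [80, 443]},
    {"ip": "10.0.30.18", "os": "Windows 2008", "ports": [23, 80]},
    {"ip": "10.0.30.19", "os": "Windows 10", "ports": []},
    {"ip": "10.0.40.5", "os": "Windows 2008", "ports": [23]},
]

CHICAGO_NET = ipaddress.ip_network("10.0.30.16/28")


def in_chicago(host):
    return ipaddress.ip_address(host["ip"]) in CHICAGO_NET


# Hypothetical dynamic tag rules: tag name -> (parent tag, rule).
# A rule sees only the host record; nothing is inherited from the parent,
# so "TELNET ON" below also matches hosts outside the Chicago netblock.
TAG_RULES = {
    "Chicago": (None, in_chicago),
    "Chicago Servers": ("Chicago", lambda h: in_chicago(h) and "2008" in h["os"]),
    "TELNET ON": ("Chicago", lambda h: 23 in h["ports"]),
}


def evaluate_tags(hosts, rules=TAG_RULES):
    """Return {tag: set of host IPs} by applying every rule to every host."""
    return {tag: {h["ip"] for h in hosts if rule(h)}
            for tag, (_, rule) in rules.items()}


def hierarchy_violations(assignments, rules=TAG_RULES):
    """Return {child tag: [IPs]} for hosts carrying a child tag but not its parent."""
    problems = {}
    for tag, (parent, _) in rules.items():
        if parent is None:
            continue
        strays = sorted(assignments[tag] - assignments[parent])
        if strays:
            problems[tag] = strays
    return problems


if __name__ == "__main__":
    tags = evaluate_tags(HOSTS)
    for tag, members in tags.items():
        print(f"{tag:16} {sorted(members)}")
    print("violations:", hierarchy_violations(tags))
```

Re-running `evaluate_tags` after a host record changes (for example, port 23 closed) is what makes the tags dynamic; a non-empty result from `hierarchy_violations` points at a child rule that needs its parent's criteria repeated.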
Testing Asset Tags
Asset Groups vs. Asset Tags

Asset Groups:
1. Manually updated.
2. Used to assign access rights to Qualys users.
3. Identifies the “Business Impact” of host assets.
Asset Tags:
1. Dynamically updated.
2. Hierarchical organization of assets (nesting).
3. Help to automate scanning and reporting tasks.
Qualys automatically creates asset tags to match each asset
group.
Search For Assets



VM Asset Search

• The “Asset Search” tab provides multiple options and criteria for locating assets within your subscription.
• Search or create tags based on the criteria you select.


Applications Inventory
Ports and Services Inventory
Host Operating Systems Inventory
Certificates Inventory

Certificate related information such as certificates by expiration date, by key size, by certificate authority, by port, and self-signed certificates as well as the certificates detail.

Search Queries

• Use the “Search” field or faceted search pane in Asset Inventory to locate your assets and software.
• Click the “Help” icon within the “Search” field for search token options and syntax examples.


Lab Tutorial 6

Search for Assets, pg. 14

10 min.



Vulnerability Assessment



Scanners and Agents
§ Qualys Scanner Appliance targets host assets remotely:
• Remote Scan (untrusted)
• Authenticated Scan (trusted)

§ Qualys Cloud Agent installs as a local system service:
• An agent has SYSTEM level privileges to its host.
• Collected data is sent back to Qualys Cloud Platform at regular intervals.

[Figure: Target Host, Scanner Appliance]


Qualys VM Scanning Engine

Core Engine
§ Inference-Based Scanning Engine.
§ Intelligently launches modules specific to each unique host.
§ Provides for optimal performance and accuracy.

Modules
§ Collect configuration data from targeted hosts:
• Open ports
• Active services
• Host operating system
• Installed software applications
§ Assessment modules are then launched based upon information collected.
§ Hundreds of modules can coexist during a single scan.
Data Collection Modules

Host Discovery Module


Requires : {IP ADDRESS}
Task : Checks if remote host is alive
Produces : {HOST STATUS:HOST ALIVE/DEAD}

Port Scanning Module


Requires : {HOST STATUS:ALIVE}
Task : Finds all open TCP/UDP ports
Produces : {Open Ports}

Service Detection Module


Requires : {Open Ports}
Task : Detects which service is running on an open port
Produces : {Active Services}

OS Detection Module
Requires: {Open Port} (at least one open TCP port)
Task: Detects host OS
Produces: {OS}
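
The Requires/Produces chain above can be modeled as a small fact-driven scheduler: a module launches only once the fact it requires has been produced. This is an added illustration, not Qualys code; it runs over constructed host records (no packets are sent), and the fact names and `scan_host` function are assumptions.

```python
# Constructed probe results standing in for real replies from four hosts.
SAMPLE_HOSTS = {
    "10.0.30.17": {"alive": True, "tcp": {22: "SSH", 80: "HTTP"}, "os": "Linux"},
    "10.0.30.18": {"alive": True, "tcp": {23: "TELNET"}, "os": "Windows 2008"},
    "10.0.30.19": {"alive": False, "tcp": {}, "os": None},
    "10.0.30.20": {"alive": True, "tcp": {}, "os": "Windows 10"},
}


def host_discovery(facts, host):
    return "ALIVE" if host["alive"] else "DEAD"


def port_scanning(facts, host):
    return sorted(host["tcp"])  # an empty list means no open port was found


def service_detection(facts, host):
    return {port: host["tcp"][port] for port in facts["open_ports"]}


def os_detection(facts, host):
    return host["os"]


def has_open_port(facts):
    return bool(facts.get("open_ports"))


# (name, requirement on the facts gathered so far, fact produced, implementation).
# Listed out of order on purpose: the requirements decide the launch order.
MODULES = [
    ("OS Detection", has_open_port, "os", os_detection),
    ("Service Detection", has_open_port, "active_services", service_detection),
    ("Port Scanning", lambda f: f.get("host_status") == "ALIVE", "open_ports", port_scanning),
    ("Host Discovery", lambda f: "ip" in f, "host_status", host_discovery),
]


def scan_host(ip, hosts=SAMPLE_HOSTS):
    """Launch every module whose requirement is met until none can launch."""
    facts = {"ip": ip}
    launched = []
    pending = list(MODULES)
    progressed = True
    while progressed:
        progressed = False
        for module in list(pending):
            name, required, produces, run = module
            if required(facts):
                pending.remove(module)
                facts[produces] = run(facts, hosts[ip])
                launched.append(name)
                progressed = True
    skipped = [name for name, *_ in pending]
    return facts, launched, skipped


if __name__ == "__main__":
    for ip in SAMPLE_HOSTS:
        facts, launched, skipped = scan_host(ip)
        print(ip, "launched:", launched, "skipped:", skipped)
```

The dead host stops after Host Discovery, and the live host with no open TCP port never reaches Service Detection or OS Detection, which is the failure mode behind incomplete results when filtering blocks the scanned ports.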
Host Discovery Module
GOAL: Identify “LIVE” hosts and eliminate “DEAD” hosts from your
vulnerability scans (default).

§ 13 TCP ports (configurable to 20)
• Half-open/SYN scan
§ 6 UDP ports
§ ICMP
§ ARP (scanner must reside on local subnet of target)


TCP Port Scanning Module

TCP (connection-oriented):
• 0 to 65535 ports.
• Standard Scan targets the most commonly used port numbers (i.e., effective coverage without being excessive).
• Half-open/SYN Scan: Scanner appliance sends a RST packet after receiving acknowledgement from host.


UDP Port Scanning Module

UDP (connectionless):
• 0 to 65535 ports (Standard scan uses 180 ports).
• Open UDP ports do not always respond to packets sent.
• Closed UDP ports will typically respond with ICMP “Port Unreachable” (which may be blocked by filtering rules).
• UDP Service Detection is performed during UDP port scanning.


Service Detection Module

[Figure: Service Discovery Engine identifying TELNET on 23/tcp, HTTP on 80/tcp and SNMP on 161/udp.]

Note: Qualys VM can detect more than 600 different services on TCP and UDP ports. To review these services go to the Help > About Section.

§ Detection by valid protocol negotiation (non-destructive).
§ Qualys will continue to test open ports until the correct service is identified.
§ Some services may be configured to use non-standard port numbers (contrary to IANA guidelines).
§ Some services may be configured with non-standard banners.

OS Detection Module

§ Authenticated scans provide the most accurate OS detection:
• Collected directly from Windows Registry.
• Unix command such as uname -a or cat /etc/redhat-release, etc...
• Authentication also allows for the enumeration of installed software.

§ Scans performed without authentication rely on TCP/IP stack fingerprinting, with some enhanced protocol interrogation:
• Packets are sent to target host to collect replies and build an OS fingerprint (using TTL, MSS, window size, etc…)
• More accurate results can potentially be obtained by interrogating useful protocols, such as NetBIOS, HTTP, SNMP, and others.


Vulnerability Assessment and Detection

Specific vulnerability modules are loaded based on:
§ Host Operating System
§ Active Services (and port numbers)
§ Installed Software (authentication required)

- Active (non-intrusive) tests use template-based vulnerability signatures.
- Multiple tests validate each other’s results to “confirm” the vulnerability.

Vulnerability Scanning Summary

Host Discovery
§ Checks for availability of target hosts. One response from the host indicates the
host is "alive"
Port Scanning
§ Finds all open TCP and UDP ports on target hosts (based on scan preferences)

Service Discovery
§ Identify which services are running on open ports

Device Identification (OS Detection)


§ Attempts to identify the operating system on the first open port

Vulnerability Assessment
§ Based on 1) Operating System, 2) Active Services, and 3) Installed Software
Scan Configuration

Scan Configuration Components

[Figure: a Scan combines three components.]
• Option Profile: Scan Preferences, Authentication (Auth Record)
• Scanner Appliance
• Target Host Assets: Netblocks, Asset Groups, Asset Tags

Option Profile

Scan Options:
• TCP & UDP Port config
• Authoritative Scanning
• Scan Dead Hosts
• Close Vulnerabilities on Dead Hosts
• Performance
• Load Balancer Detection
• Password Brute Forcing
• Vulnerability Detection
• Authentication
• Additional Cert Detection
• Dissolvable Agent
• Lite OS scan
• Add a Custom HTTP header value
• Host-Alive Testing

Please see Qualys’ “Scanning Strategies and Best Practices” self-paced training class for a more
detailed discussion and analysis of scan settings and features found in the Option Profile.
Lab Tutorial 7

Scanning Option Profile, pg. 16

10 min.



Option Profile
Targeted TCP and UDP Ports

§ Standard Scan provides most effective coverage without being too excessive.
§ Configure network filtering devices and host-based firewalls to permit traffic on
the ports your scan is targeting.
Option Profile
Scan Performance Settings

§ High
§ Low
§ Normal
Option Profile
Vulnerability Detection

§ When possible, avoid “Custom” scans in favor of “Complete” scans.
§ Custom scans require a QID Search List.

Option Profile
Authentication

• Allows scanner appliances to log in to host to extract more meaningful data.
• Discover vulnerabilities not detected by untrusted scan.
• Confirm Potential Vulnerabilities.
• Application-based records are used by Qualys Policy Compliance.

Authentication Records

Authentication Vaults

• In large organizations where thousands of machines are scanned regularly for vulnerabilities, managing passwords is a challenge.
• Some organizations are reluctant to let their credentials leave the network.

Lab Tutorial 8

Windows & Linux Authentication Records, pg. 18

10 min.



Launch Vulnerability Scan
Scan Settings
Vulnerability Scan
“On Demand”
Scan Results Summary
Scan Results Detail

Unfiltered, raw data of your scan targets


Lab Tutorial 9

Launch Scan & View Results, pg. 22

10 min.

Scheduling Assessment Scans

Automate Your Scans

• Assessment scans can be scheduled to run at daily, weekly or monthly intervals.
• Schedules can be paused to comply with maintenance windows.
• Send notifications before and after each scan.

Agent Data Collection Interval

§ Qualys Cloud Agent is configured to collect vulnerability assessment data at regular intervals (240 – 43200 min.).

Lab Tutorial 10

Scheduled Scans, pg. 26

10 min.



Qualys Scan Calendar
Reporting



Report Types
Report Template Library
Lab Tutorial 11

High Severity Report, pg. 27

10 min.

Scan Report Components

[Figure: a Scan Report combines a Report Source and a Report Template.]
• Report Source: Netblocks, Asset Groups, Asset Tags
• Report Template: Findings, Display, Filter, Services and Ports, User Access

Scan Based vs. Host Based Findings

Scan Based Findings
[Figure: Daily Scan 1, Daily Scan 2, ... Daily Scan n]

What are Host Based Findings?
• Comprised of all completed scans.
• Vulnerability findings are indexed by each host’s tracking method.
• Provides vulnerability history for each host, including vulnerability status: New, Active, Fixed and Reopened.
• Required for “trend” reports.

Host Based Findings
[Figure: Host Tracking (IP / NetBIOS / DNS / UUID); Vuln. Status (NEW, ACTIVE, FIXED, RE-OPENED); KnowledgeBase (QID / Sev / Title / Description)]
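
How a series of scan-based results becomes a host-based history can be sketched as follows. This is an added illustration, not Qualys code: the scans, hostnames and QIDs are constructed placeholders, and the status transition rules in `next_status` are an assumed model of the four statuses named above.

```python
# Constructed scan-based findings. QIDs are placeholders, not KnowledgeBase entries.
SCANS = [
    {"date": "2024-03-01", "hosts": [
        {"ip": "10.0.30.19", "dns": "lap07.example.test", "qids": [900001, 900002]},
        {"ip": "10.0.30.18", "dns": "srv02.example.test", "qids": [900003]},
    ]},
    {"date": "2024-03-02", "hosts": [  # lap07 changed IP; srv02 was not reached
        {"ip": "10.0.30.20", "dns": "lap07.example.test", "qids": [900001]},
    ]},
    {"date": "2024-03-03", "hosts": [
        {"ip": "10.0.30.20", "dns": "lap07.example.test", "qids": [900001, 900002]},
        {"ip": "10.0.30.18", "dns": "srv02.example.test", "qids": []},
    ]},
]

# Assumed per-host tracking method; hosts not listed are tracked by IP address.
TRACKED_BY_DNS = {"lap07.example.test"}


def tracking_key(host, tracked_by_dns=TRACKED_BY_DNS):
    """Index a host by its tracking method rather than by whatever IP it has today."""
    if host["dns"] in tracked_by_dns:
        return ("DNS", host["dns"])
    return ("IP", host["ip"])


def next_status(previous, detected):
    """Assumed transitions: New -> Active -> Fixed -> Reopened -> Active."""
    if detected:
        if previous is None:
            return "New"
        return "Reopened" if previous == "Fixed" else "Active"
    return "Fixed" if previous else None


def host_based_findings(scans, tracked_by_dns=TRACKED_BY_DNS):
    """Fold all scans, oldest first, into one record per (host, QID)."""
    findings = {}
    for scan in sorted(scans, key=lambda s: s["date"]):
        for host in scan["hosts"]:  # hosts a scan did not reach keep their status
            key = tracking_key(host, tracked_by_dns)
            known = {qid for (k, qid) in findings if k == key}
            for qid in sorted(known | set(host["qids"])):
                record = findings.setdefault((key, qid), {"status": None, "history": []})
                record["status"] = next_status(record["status"], qid in host["qids"])
                record["history"].append((scan["date"], record["status"]))
    return findings


if __name__ == "__main__":
    for (key, qid), record in host_based_findings(SCANS).items():
        print(key, qid, record["status"], record["history"])
```

Passing `tracked_by_dns=set()` tracks the laptop by IP instead and splits its history across two addresses, leaving stale "New" records on the old one.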
Lab Tutorial 12

Custom Report Template, pg. 28

10 min.

Reporting Use Case

Scenario: I need a weekly report of all the new vulnerabilities found on my Windows desktops. My Windows admins just want to know what the vulnerability is and how to fix it. They are only interested in the vulnerabilities that can be confirmed, and those that have the greatest security risk (severity level) – how can we accomplish this?

Reporting Use Case
Scan Report Template

What information can you show to reflect progress?
- Fixed Vulnerabilities
- Trending (include only the vulnerabilities you are trying to address, e.g. 4’s and 5’s)

Qualys Authentication Report

The Authentication Report shows the authentication status for each scanned host:

- Passed
- Failed
- Passed with insufficient privileges
- Not Attempted

* Run this report after an authenticated scan to verify that authentication was successful to the target hosts.
* Authentication Reports can also be scheduled.

Qualys Patch Report

Actionable and prioritized list of patches to apply - KB supersede information included, so only the most relevant patches displayed.

Online Format - Provides more interactivity (sorting, filtering)

Qualys Scorecard Reports

Provide vulnerability data and statistics appropriate for different business groups and functions.

Easy to create and customize (quickly)
• Most Vulnerable Hosts
• Most Prevalent Vulnerabilities
• Vulnerability Scorecard Report

Scheduled Reporting

Several report types that can be scheduled:


• Template-based scan reports (using Host Based Findings)
• Scorecard reports
• Patch reports
• Template-based compliance reports
• Remediation reports
Lab Tutorial 13

Scheduled Reports, pg. 30

10 min.

Subscription Report Share Setup

• Report Share is a centralized location for storing and sharing reports.
• When enabled for subscription, Managers specify the maximum amount of report data that each user may save.
• Managers have the option to enable secure PDF distribution of reports.

Reporting Best Practices

1. Determine what reports need to be run. What are your goals?
2. Assign reports to users within Qualys or share them via secure distribution.
3. Schedule reports to run after scans complete.

User Management

User Privilege Hierarchy
Standard User Roles (listed from most privileged to least privileged)

• Manager: Subscription Management
• Unit Manager: Business Unit Management
• Scanner: Vulnerability Scans, Network Discovery Maps
• Reader: Reporting
• Remediation User: Remediation

Other User Roles

§ Auditor
• This role is used exclusively by the Policy Compliance application and has no privileges
within VM.

§ Contact
• This role only receives email notifications from Qualys Cloud Platform Services and is not
assigned login credentials.

§ User Administrator
• Has access to Users, Asset Groups, Business Units, and Distribution Groups.
• Can create and edit other user accounts (including Managers), but cannot create or edit
other User Administrators.

§ Knowledgebase Only (not enabled by default)


• Has limited access to the UI, but can view QIDs in the Qualys KnowledgeBase.
• This role can send and receive vulnerability notifications.



Extended Permissions

Different Roles
§ Each role has its own permission set
§ Each user can get extended permissions
§ Extended permissions vary from role to role.
Lab Tutorial 14

Create User Account, pg. 32

10 min.

User Management
VIP and Password Resets

Business Unit

• Create Business Unit in Users Section
• Add Asset Groups to the Business Unit
• Assign Users

Business Unit Manager

Privileges:
• Perform all vulnerability management functions: Map, Scan, Remediation, Reporting
• Manage assets, add users, and publish template reports within their Business Unit

Extended Permissions:
• Add assets
• Create profiles
• Purge host information
• Create/edit configurations (remediation policy, authentication records/vaults, virtual hosts)
• Manage compliance, web applications
• Manage virtual appliances

Restrictions:
• Can only be in one Business Unit
• Can only be created if the Business Unit has been established
• Limited to Asset Groups defined in their Business Unit
• May not have rights to run specific reports via the API

Business Unit Illustration
Subscription Setup
Security

Define user account security settings (Users > Setup > Security):

• Restrict IP access
• Set Password Security
• Enable VIP for all users
• External IDs
• Session Timeout

Remediation

Remediation Workflow

• Remediation Policies (rules) automatically create tickets when vulnerability scans are performed.


Remediation Basics
• Remediation Policy can be used to assign a vulnerability to a specific user account (for mitigation).
• Remediation Policy can be used to ignore specific lists of vulnerabilities.
• Qualys automatically updates “Fixed” vulnerabilities (when no longer detected).
• Resolved Date indicates when a vulnerability has been resolved, ignored, or fixed (the earliest of the three).

Assign Vulnerabilities to User

Assignment
• A specific user
• Asset Owner
• The user who launched the scan

Set Deadline for remediation


Lab Tutorial 15

Assign Vulnerabilities, pg. 35

10 min.



Ignore Vulnerabilities



Lab Tutorial 16

Ignore Vulnerabilities, pg. 36

10 min.



Remediation SLA
Implement a Service Level Agreement for remediation:
• Build a remediation report based on tickets per asset group or tickets per user.
• “How well am I meeting my SLA?”


Lab Tutorial 17

Remediation Report, pg. 38

10 min.

Manual Ticket Creation

Manual Trouble ticket generation
• From Host Data Report

Remediation Objectives

Use Remediation Policies to measure the effectiveness of your vulnerability mitigation and remediation operations:
• Design Remediation Policies to address and measure specific problem areas and concerns:
- OS patching (according to impact and risk)
- Application patching (according to impact and risk)
- Exploitable Vulnerabilities (according to impact and risk)
• Assign an expiration date to targeted policies, and then focus on overdue tickets to identify potential process issues.
• Ignore vulnerabilities to keep them out of reports.

Exam

Exam Tips and CPE
• You have five attempts to pass
• The test is linear, no going back to an older question
• Passing score: 75% and above
• No negative marking
• Test can be taken anytime
• 30 questions (Multiple choice included)
• You may use presentation slides, lab exercises, Qualys Community, and you may have an active Qualys session open while attempting the exam.
• No set time limit (please start a new LMS session before launching the exam).
• A CPE credit is earned for each hour of attendance.

Useful Resources

- Your LMS account does not expire
- Register for training sessions on www.qualys.com/training
- Qualys Community and Qualys LMS are not SSO logins
- Qualys Architecture: http://www.qualys.com/enterprises/architecture/

Free Tools & Trials
- BrowserCheck
- SSL Server Test
- FreeScan
- Patch Tuesday Audit
- SCAP Scan

Mapping

Mapping Options

DNS Reconnaissance
- Domain Lookup <whois> (identifies DNS servers)
- DNS Zone Transfer (collects host records from DNS database)
- DNS Brute Force (www.qualys.com, ftp.qualys.com, mail.qualys.com)
- Reverse DNS Lookups (based on IPs already discovered/known)

Host Sweep (via ICMP, TCP and UDP probes)
- Very important for mapping netblocks.
- Provides “Live” host status in map results via “Host Discovery”

Mapping Configuration

[Figure: a Map combines three components.]
• Option Profile (the how): Map Preferences
• Scanner Appliance
• Assets (the what): Domains/Netblocks, Asset Groups

Mapping Options

Mapping Benefits
• Shows an overall view of your corporate assets
• Mapping is the foundation for proper asset management

Map Results

A: Approved
S: Scannable
L: Live
N: Netblock
Mapping: Graphic Mode
Mapping: Choosing A Target
1. Domain - Qualys service will identify domain members via DNS
interrogation.
2. Netblock - Target a specific netblock range using the “none” domain.
3. Domain + Netblock – Use an IP address range to identify the upper
and lower boundaries of a domain.
4. Asset Group
- Associated Domains
- Associated IPs (already in your subscription)
Mapping Goals
1. Use map results and reports to discover and add new hosts to your
subscription and identify dead and rogue hosts.
2. Ensure network and system admin teams participate in the Mapping
and Reporting responsibilities.
Unknown Devices Report

Compare the results of two separate Asset Maps to identify changes in host status.

Thank You

training@qualys.com
