Cloud-delivered security services vendor Qualys is set to grow its solutions portfolio with the announcement this week of new container security and Security Configuration Assessment (SCA) tools.
Qualys is also now providing its customers with support to help comply with the 2017 White House Executive Order (EO) on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. Support for EO compliance is available on the Qualys Cloud Platform, which is already compliant with the FedRAMP cloud certification methodology.
Tim White, Director of Product Management for Policy Compliance at Qualys, explained to eSecurityPlanet that support for helping organizations with the new EO is provided by complete mappings of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) to the Qualys control library, enabling mandate-based reports for assessments.
"These assessments can be automated through available out-of-the-box content such as the DISA (Defense Information Systems Agency) STIG (Security Technical Implementation Guide) standards for automated control assessment," White said. "These controls are run through a stringent QA process and contain valuable information about remediation, mappings against NIST CSF, NIST 800.53, and other audit frameworks."
The 2017 White House Executive Order (EO) on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure was issued by President Trump on May 11, with a timeline of 90 days for federal agencies to be compliant.
At this point, one month after the order was issued, White has seen some issues among organizations that need to comply with the EO. He noted that customizing controls to meet internal requirements is a significant challenge, and Security Content Automation Protocol (SCAP)-based content requires even more expertise to understand, customize, and validate before it is used for assessment. Additionally, he noted that mapping between low-level security baselines and internal requirements is a significant challenge.
"Prioritizing what to fix first is half the battle in today's complex environments," White said. "With the additional context provided in Qualys content, and easy to interpret harmonized mandate-based reports, customers can clearly see where to focus their attention to have the biggest impact on risk reduction."
White explained that NIST also has procedural control requirements that cannot be assessed via technical control solutions. He noted that Qualys provides Security Assessment Questionnaire content that can help automate the data gathering and assessment for these controls with templates available out-of-the-box, reducing the time it takes for launching the initial data gathering.
Security Configuration Assessment
Qualys also announced a new Security Configuration Assessment (SCA) add-on for its Vulnerability Management service. SCA helps organizations verify and identify secure as well as insecure configurations of systems and services.
Secure configuration is often handled by organizations in different ways, including the use of SCAP (Security Content Automation Protocol). White explained that content for SCA is provided natively out of the box and does not require or use SCAP.
"This allows us to deliver a high level of quality with fewer false positives and false negatives and enables inclusion of detailed remediation information, regulatory references, and other content above and beyond what SCAP can support," White said. "The standards supported are CIS (Center for Internet Security) Certified policies, with controls fully tested by our development team and certified by CIS."
White added that the SCA will be publicly released at the end of July. Qualys is also working on a new container security scanning technology, although a beta will not be available until September.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.