InfraSecOps Manager at a computer software company with 51-200 employees
Real User
Top 10
Dec 30, 2025
Qualys CyberSecurity Asset Management does require some maintenance on my end, such as manual updates in terms of releases. Checking those out, doing some testing, and confirming it looks good in a non-prod environment is not that complicated. Even again, if you do the boot states, it's easy to manage. They come out about every 12 months, and I know that's one thing against Netgate—that they're a little bit slower on development—but honestly, that's probably preferable because it's not constantly updating. My review rating for this product is 9.
Information Security Analyst at a manufacturing company with 1,001-5,000 employees
Real User
Top 20
Oct 22, 2025
I need to talk with my architecture team because after the Qualys conference, we've discovered there are things that aren't configured correctly. This could possibly mean we might need to get with Qualys CyberSecurity Asset Management to get things in shape so that we're adequately detecting vulnerabilities. On a scale from one to ten for support, I would give them a nine. We're just a customer and do not have any partnerships with Qualys CyberSecurity Asset Management. I rate Qualys CyberSecurity Asset Management a six out of ten.
IT Security Manager at a manufacturing company with 10,001+ employees
Real User
Top 5
Oct 20, 2025
The only advice I have for new users on how to start with Qualys CyberSecurity Asset Management is that the only way that you eat an elephant is one bite at a time. There's a lot of things that need configuring and a lot of things that can be done through the system, and it can seem overwhelming. Just do one thing at a time. Check out the best practices for setups and definitely utilize your account managers, especially when first onboarding, to set up those onboarding calls to make sure that the main priorities that you're looking for get set up. On a scale from 1 to 10, I would rate Qualys CyberSecurity Asset Management an eight overall.
To a colleague at another company who believes they only need external attack surface management for their vulnerability management and detection response program, I would advise them to fully utilize Qualys CyberSecurity Asset Management for a better experience. By using all its features, rather than limiting themselves to just external attack surface information, they can gather more comprehensive information that can enhance their job performance. For organizations considering Qualys CyberSecurity Asset Management, my advice is to fully utilize all the features available to maximize the experience. By leveraging all information provided, IT professionals can enhance their operations since every detail matters, and more information generally leads to better outcomes. I would rate Qualys CyberSecurity Asset Management an eight out of ten.
We do have Qualys scanners deployed in our data centers; however, since this is a fresh deployment, we haven't had to convert anything. Everything's being deployed net new. We don't use any of the passive network sensors yet. We have plans to deploy them. Currently, all we have deployed are the endpoint agents. We have the data center scanning appliances deployed, and then we also have the cloud connectors deployed. So we don't have any of the network passive sensors deployed yet. Here's what I would say to a colleague at another company who says that they only need to add external attack surface management for their vulnerability management detection, but they don't need to go the full depths, you know, the system offering: first of all, I don't even think you can add external attack surface management without CSAM. They're a hand-in-hand product. Second of all, you can't correlate your internal scan assets with your external tech service assets if you don't have CSAM. So it really helps deduplicate findings. It helps you understand what the vulnerabilities from your external scans and your external attack surface management are and how they connect to the vulnerabilities on your internal scans. I'd advise others to deploy endpoint agents or cloud agents to get the most comprehensive view. Take your time with the deployment for accuracy. The deployment effort directly correlates to its effectiveness. Qualys CyberSecurity Asset Management is a Ferrari. If not configured properly, it performs as a Ford engine. I rate Qualys CyberSecurity Asset Management ten out of ten.
I did not use the CMDB Sync feature. As a pen tester, I want a scanner that simplifies my job, and Qualys CyberSecurity Asset Management is the only scanner that meets that need. Without it, manual checks would take five days for complete pen testing, but now, using the results, we can complete it within 3.5 days, reducing my time by almost 20%, allowing me more focus. I did not use the external attack surface management module. I would recommend Qualys CyberSecurity Asset Management because it is easily understandable, requiring no guidance if someone knows cybersecurity terminologies, allowing them to initiate scans directly. I can't think of negative points at the moment, as I haven't used other scanners recently, though I am examining HCL AppScan documentation. I believe that integrating any AI module into Qualys CyberSecurity Asset Management would be beneficial, especially to simplify technical support interactions since AI is becoming commonplace in other scanners. I would rate Qualys CyberSecurity Asset Management a ten out of ten overall.
Learn what your peers think about Qualys CyberSecurity Asset Management. Get advice and tips from experienced pros sharing their opinions. Updated: January 2026.
Technical Expert at a manufacturing company with 10,001+ employees
Real User
Top 10
Sep 25, 2025
The risk score and asset evaluation are primarily based on multiple factors, including the asset criticality score and the Qualys Detection Score (QDS) for vulnerabilities, as well as their severity levels. Additionally, we consider the Asset Criticality Score (ACS) to reflect the value of critical assets. The QDS is also used for the Common Vulnerability Scoring System (CVSS) base score and to assess exploits, while checking on the maturity level and mitigation controls in place. I would rate Qualys CyberSecurity Asset Management a nine out of ten.
I have the most experience with Qualys CyberSecurity Asset Management, VMDR, and CSAM, as well as CA. Besides VMDR, I also used the Threat Intelligence model extensively. Regarding the CMDB Sync feature, I learned about it just a couple of weeks ago. Although we don't have the implementation, we would find it useful to share information from Qualys, such as vulnerabilities and all devices, and track the person in charge of a certain device by creating a ticket. The TruRisk score is a very useful feature, as it summarizes all the factors influencing the importance of a vulnerability concerning an asset or an endpoint. It helps with the prioritization of remediation. We have both the passive sensor and the cloud agent. We use the cloud agent by installing it on the devices, while the passive sensor allows us to detect devices that don't have the protection and can't have the protection, for example, the networking devices. We don't manage maintenance for Qualys CyberSecurity Asset Management as it depends on the vendor because they sometimes deploy updates and upgrades, but nothing is required on our end. On a scale of 1-10, I rate this solution a 7.
Information Security Engineer at a manufacturing company with 5,001-10,000 employees
Real User
Top 10
Aug 27, 2025
The vulnerability management aspect differs from penetration testing, which focuses on configurations rather than vulnerabilities. From a hacker's perspective, 'living off the land' involves exploiting existing configurations without utilizing vulnerabilities. This might include users having inappropriate access to files and folders, violating least privilege principles. Vulnerability scanners can detect CVEs but struggle with identifying misconfigurations or IT hygiene issues, which attackers can exploit. Regarding CMDB and CSAM, they serve different purposes. External attack surface management focuses on domains and URLs owned by a company, while CSAM handles internal asset management. The EASM module can be valuable independently. I would rate Qualys CyberSecurity Asset Management an eight out of ten.
We have contacted customer support when identifying false positive operating systems. When IT teams report discrepancies in operating system identification, we coordinate with support. Registry key changes were implemented to correct these issues, which helped the agent identify the exact operating system. Some registry keys were preventing the agent from identifying the correct operating system. Regarding integration, we need additional customized dashboards based on software versions or organization-specific software. The agent can collect the data, but we need customized dashboard capabilities for internal software specific to our organization. The solution covers the entire attack surface, including assets in the cloud, public-facing assets, and private hosting. We can create categorizations and analyze TruRisk for these assets before prioritizing vulnerability remediation. Regarding CMDB integration, the ServiceNow team is working on the integration, which is expected to complete within two months. We have provided the required attributes and requirements. This review rates Qualys CyberSecurity Asset Management 10 out of 10.
The CSAM module is great and continually improving with updates. I would rate it nine out of ten. However, based on the company's budget, Qualys offers limited features, which can also be utilized in other environments. I rate the overall solution nine out of ten.
I would recommend this solution if you want a unique software to collect all the inventory data and have information about the attack surface. I would rate Qualys CyberSecurity Asset Management a nine out of ten.
I would strongly recommend Qualys CSAM to other users because of its reliable detection logic and high level of support. We have not seen any glitches with it. In the case of any issues, we can get them resolved promptly, maintaining efficiency. I would rate the Qualys CSAM a ten out of ten for its overall performance.
Manager Information Security at a consultancy with 10,001+ employees
MSP
Top 5
Nov 12, 2024
I would rate Qualys CyberSecurity Asset Management ten out of ten. Qualys CyberSecurity Asset Management does not require maintenance on our end. To gain comprehensive visibility and reporting within the policy, new users should deploy the agent. This action provides a complete overview of vulnerabilities and support statuses, offering valuable insights for both IT management and cybersecurity purposes.
Information Security Lead at a consultancy with 10,001+ employees
MSP
Top 5
Nov 4, 2024
I would highly recommend this solution to other users looking to enhance their asset inventory visibility. Asset inventory is the primary source of truth for any IT team or information security team. Qualys CSAM provides that visibility. With the integration of CMDB, you get even better visibility over the asset inventory. You also get EOL information about the assets and applications. These are the main reasons for recommending it. I am pretty happy with it. I would rate Qualys CSAM a ten out of ten.
Senior Cyber Security Analyst at a financial services firm with 10,001+ employees
Real User
Top 5
Oct 11, 2024
For Attack Surface management, we are using other tools in our organization. Our threat tracking and threat intelligence teams are using other tools. They are not integrated with the Qualys CSAM. We are exploring opportunities to integrate everything into one solution. We are planning to integrate Qualys CSAM with ServiceNow within a year. Everything will be automatically integrated with the ServiceNow module. Overall, I would rate Qualys CSAM an eight out of ten. There are some areas for improvement.
I would recommend this solution because by using a single solution, we can cover the three main pillars of CyberSecurity: vulnerability management, asset and product lifecycle management, and compliance management. It is the best product. In a single product, we can do all these things. These are the three pillars of cybersecurity. Nowadays, cyber threats are increasing. As vulnerability analysts and managers, our prime focus is to gather all the servers and categorize the servers based on the operating system technology. It can be an IT or OT server. It can be public-facing or private-facing. Our main focus is to gather vulnerabilities, and based on the severity of the vulnerabilities, we have to prioritize the servers. We can shortlist the top ten vulnerable servers. The remediation team can then focus on them to mitigate vulnerabilities. To implement that solution, we need to categorize everything. The categorization part has to be done as per the CSAM model. If we want to do external server categorization, we have to go for external attack surface management or EASM, or we can use CSAM for internal servers. When you get the product license, external attack surface management is not available. It is not activated. You need to activate it from CSS and configure it. It asks for domain details and the domain you want to focus on. Based on the domain details, it configures external attack surface management. You also need to consider the scan schedule, such as, after how much time, it will launch a discovery scan. You need to provide information about how many servers or products are managed by Qualys or how many are unmanaged but still detected in Qualys. After the configuration, you have to wait for the first discovery scan. When that is completed, Qualys looks for the domain name mentioned in the configuration area and pulls out details related to that domain. It shows the status and any vulnerabilities, and whether an asset is managed or unmanaged. 
You have the overall data, and you can also define or prioritize based on TruRisk Score, which is generated by external attack surface management. We are not using the CMDB Sync feature. We have integrated Qualys CSAM with ServiceNow CMDB, so all the onboarded servers or products are directly reflected in ServiceNow CMDB. When any high-severity vulnerability is detected by Qualys CSAM through discovery scans, it automatically raises a ServiceNow incident, which is automatically assigned to the asset owner or product owner. This automation has been implemented by our team. Overall, I would rate Qualys CSAM a ten out of ten.
I'm an end-user. When we first started using the solution it had fewer features than it has today. That said, it still was the platform that allowed us to manage hardware and software assets on-prem and in the cloud. I'd rate the solution nine out of ten. It's a good idea to start with Qualys training, and I have to say their training is outstanding. Their training provides the best way for a new user to learn how to work with the platform. The platform itself can be very complex and there are many features that might affect one another.
I would rate Qualys CyberSecurity Asset Management ten out of ten. Qualys Cybersecurity Asset Management seems to offer a more comprehensive solution than what I've seen from competitors like Tenable and Rapid7. While I haven't reviewed their offerings recently, in the past they primarily focused on vulnerability scanning, which isn't as extensive as Qualys CSAM's asset management capabilities. No maintenance is required. Everything is self-updating from Qualys. From cloud agents to sensors, all of those are automatically updated. Organizations that rely solely on external attack surface management for vulnerability management are making a dangerous assumption. This approach presumes complete knowledge of their assets, which is unrealistic without full visibility into internal and external environments. Companies with a 'we're secure' attitude often have poor security, while those welcoming security assessments tend to have a strong security posture. CSAM's tagging features, especially dynamic tagging with its easy-to-use rules, can significantly improve your efficiency across various tasks like patch and vulnerability management. By automating manual work, dynamic tags free up your time. Take advantage of the free CSAM training and consider consulting a trusted partner to accelerate your learning and implementation – their experience can save you weeks of effort.
Qualys CyberSecurity Asset Management provides key features including asset inventory management, end-of-life tracking, dynamic tagging, and integration with CMDB, offering extensive visibility and support for proactive threat response. Qualys offers comprehensive visibility across hardware and software assets, aiding in tracking unauthorized applications and facilitating automated vulnerability remediation. Its user-friendly interface and dynamic risk scoring enhance security posture...
Overall, I would give Qualys CyberSecurity Asset Management a nine out of ten.