
QualysGuard: Identifying and Remediating Cyber Risk

Proposed by Thomas Zakrajsek

Where will the conversation continue?
tzakrajs@stanford.edu, qualys-users@lists.stanford.edu
Notes

Intended for people who have heard that Qualys is offered at Stanford and that they are expected to use this security scanning software.
This is external vulnerability scanning, compared to Microsoft EMET, which is internal scanning.
Basic demographics:
5 system administrators
1 web developer
2-3 used Qualys previously
Qualys
85000 hosts at peak. Stanford is offering this service to scan servers. We have all of these servers to search for risks and then remediate.
All schools need to collaborate to address this initiative. ISO will look for hotspots to give more targeted assistance.
Looking in from the outside, Qualys lets us discover which hosts are vulnerable. QualysGuard VM scans machines for services and checks each service against a database of vulnerability definitions.
It runs proof-of-concept attacks (that are safe) against these servers. Qualys classifies vulnerabilities as 1. confirmed (doing something egregious), 2. potential (vulnerable to SQL injection on WordPress, etc.), 3. informational (what information leaks are available? unsafe configurations?).
Is this all external? Yes. But we do have internal scanners as well. Never install agents. 
This is a recommendation from ISO. 
Input
IPs, domains
Output
PDF, XML, CSV reports
CVE issue numbers, suggested configurations 
Not meant to be completely comprehensive, but used to pinpoint pain spots
Stanford initiative
The problem is so large that we can't mitigate everything. The first things to focus on are the most critical vulnerabilities visible from the external internet: 4 or 5 on the Qualys scale. Then 4s and 5s on the internal network.
What is a 3? 
You can assign values to your hosts to get scoring weighted by host. A 3 is e.g. POODLE; a 5 is e.g. Heartbleed. Of 5600 vulnerabilities, 2400 are 4's and 5's.
Potentials
Focus on confirmed findings. The third stage is confirmed 3's and lower, and potential 5's and lower. How high-value is this? Or is it noise?
VPN
Not protected by 2-step yet, but will be soon. Already-infected machines?
Arms race
Bad guys can use Qualys as well. Other people have been using this software for years. We need to catch up!
Challenges
Rolling it out: firewalls have a propensity to filter out traffic that looks like a DoS attack. Workaround: slow down the scan and turn off parallel scanning; that seems to take care of the problem. The Scan Option Profile name is "Max packet burst, Min Scanning Intensity, No Parallel".
A lot of people are involved, and many of those who are responsible need to learn about this. Take data from NetDB and match it up with Qualys. Great tool, but the interface is not very friendly :)
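The staged prioritization above (confirmed 4/5 external first, then confirmed 4/5 internal, then lower-severity confirmed and potentials) and the NetDB match-up, as an added example that is not from the session or from Qualys. The CSV column layout and the NetDB record shape are assumptions for this example, not the real export schemas; the sample data is constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample findings in a simplified CSV layout. The column set is an
# assumption for this example, not Qualys's actual export schema.
SAMPLE_CSV = """ip,qid,title,severity,type,exposure
10.0.1.5,QID-A,OpenSSL heap read (Heartbleed-class),5,Confirmed,external
10.0.1.5,QID-B,SSLv3 fallback allowed (POODLE-class),3,Confirmed,external
10.0.2.9,QID-C,Possible SQL injection in WordPress plugin,5,Potential,external
10.0.3.2,QID-D,Service banner reveals version,2,Information,internal
10.0.3.2,QID-E,Unpatched remote service,4,Confirmed,internal
"""

# Constructed NetDB-style ownership records (shape assumed): ip -> (department, admin).
SAMPLE_NETDB = {
    "10.0.1.5": ("Chemistry", "alice"),
    "10.0.2.9": ("Library", "bob"),
    "10.0.3.2": ("Physics", "carol"),
}

def triage_stage(severity, vtype, exposure):
    """Stage order from the notes: confirmed 4/5 external, then confirmed 4/5
    internal, then confirmed 3-and-lower plus potentials, then the rest."""
    if vtype == "Confirmed" and severity >= 4:
        return 1 if exposure == "external" else 2
    if vtype in ("Confirmed", "Potential"):
        return 3
    return 4  # informational findings: configuration and information leaks

def prioritize(csv_text, netdb):
    """Join each finding to its NetDB owner and order by stage, then severity."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        sev = int(r["severity"])
        dept, admin = netdb.get(r["ip"], ("UNKNOWN", "UNKNOWN"))  # unowned hosts still surface
        rows.append({
            "stage": triage_stage(sev, r["type"], r["exposure"]),
            "ip": r["ip"], "qid": r["qid"], "severity": sev,
            "department": dept, "admin": admin, "title": r["title"],
        })
    return sorted(rows, key=lambda x: (x["stage"], -x["severity"], x["ip"]))

def per_department(rows, stage):
    """Count findings at one stage per department, for the unit-by-unit report."""
    return Counter(r["department"] for r in rows if r["stage"] == stage)

if __name__ == "__main__":
    for r in prioritize(SAMPLE_CSV, SAMPLE_NETDB):
        print(f"stage {r['stage']} sev {r['severity']} {r['ip']:<10} "
              f"{r['department']:<10} {r['admin']:<6} {r['qid']} {r['title']}")
```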
Reporting effort
November 8th or 9th: getting reports from departments, which will be sent out to the IT leaders. Consistent decrease in vulnerabilities from outside.
Firewall rules
What if, through NetDB, you could see firewall rules, Qualys reports, and NetDB data together? Looking in many places is tedious; can they be collated? ISO will run a site-wide scan based on NetDB and put the results at qualys.stanford.edu.
SF State case
ISO does central scans and sends out a unit-by-unit report. There is no really useful information in a list of all printers, computers, and servers. The best use is for each department to set things up on their own and adjust them to their own use case. Creating exceptions is hard.
Web app vs. servers
Web apps are left to the people.
Common portal for sysadmins to look at aggregate place?
Centralized place to view everything. Branding differences. Cross-train? Splunk? One of the risks is swimming in tools; we need to know how to use these tools. It is a facade of security unless we all have expertise in this area. On-campus Qualys mitigation parties? Who's running these servers? Everyone: faculty, students, institutions.
ISO is proactively notifying people about this. The NetDB user and admin will be responsible.
Official tutorial: Qualys has great documentation on their website. Webinars. Videos. Free training in downtown SF. 
Schedule scans for off-peak times.
Qualys separates reporting, scanning, and option profiles (how it scans), a more modular approach: a new report doesn't require a new scan.