Qualys QSC 2022: Live show reports & insights 

Snow in Las Vegas?

It actually did on ‘day zero’ (aka registration, training and welcome reception) of Qualys Security Conference (QSC) 2022 North America, held at The Venetian in Las Vegas from 8-10 November this year. 

The snow itself was confined to nearby Mount Charleston, but it snowed nonetheless.

Back down on the strip itself, Qualys wrapped up its multi-stage multi-city event programme with its largest gathering of the year.

The event itself featured content directed at security professionals, but in the widest sense of the word security, i.e. this is a conference for cloud engineers, networking professionals, CEOs, CIOs, CTOs and CISOs, but also DevOps practitioners and software application development programmers and architects.

Noteworthy keynote notes

An introductory keynote to whet appetites was delivered by Robert Herjavec in his role as CEO of Cyderes, a firm described as a specialist in human-led, machine-driven security-as-a-service and security operations automation for managed detection & response.

Herjavec: Entertaining (somewhat over-self-congratulatory), but also technically adept and compelling as a guest speaker.

Croatian-Canadian Herjavec is a star of Shark Tank (the USA version of Dragon’s Den) in his own right and his session was entitled Cybersecurity: Protecting the Digital Lifeblood of the 21st Century. As an ex-mainframe salesman, Herjavec is capable of moving from the technical back end to the executive layperson level.

Although a good portion of his presentation was designed to be entertaining and related to his television career, Herjavec is a security and technology professional (not least because he is CEO at Cyderes) and so he was asked where the major risks are today. He confirmed that the most compromised industry (in the USA, if not elsewhere) right now in terms of cyber and ransomware is healthcare: the value of Electronic Patient Records (EPR) on the dark web is frightening.

“There has to be a list somewhere of the organisations that are willing to pay ransomware demands, so our advice is always not to pay it,” said Herjavec. His wider view in this space is that the cyber industry in general is moving towards being a risk-focused industry.

Taking his place as event leader, Sumedh Thakar, president and CEO, Qualys welcomed the audience in this possibly-post-pandemic period of reconvening conventions that we are now enjoying.

Qualys CEO Thakar: We’ve moved on from free toasters, today’s business foundations are differentiated through the quality of digital services.

Thakar explained how he has worked his way up from product manager to divisional manager and now to CEO. Thinking about the notion of today’s digital economy, he reminisced on the path that organisations in every industry will have taken to become essentially information-based businesses.

“If you think about how banks used to attract new customers [perhaps 50-years ago], one might offer new applicants a toaster and another might offer a waffle maker. Companies no longer differentiate themselves in that kind of manner – today it’s all about the quantity and quality of the digital experiences that any business can deliver to its customer base,” said Thakar.

Talking about the way the digital economy has grown in recent times, Thakar pointed to his birth nation India and described how even a coconut seller in the street in Mumbai (whom he saw when hosting an event in the country this year) had a barcode on the coconut at the front of his stall so that he could be paid via PayPal (or whichever payment service); the penetration of digital has come a long way.

What all this means, of course, is that with the penetration of digital we also have penetration pain points that manifest themselves in terms of cyber risk.

“If we were all getting hacked all the time and it made no impact to our business, then we wouldn’t do anything about it – but of course today that’s not the case. Even when breaches do occur and a business is not able to quantify the impact of that action, organisations are realising the risk is existential to the core health and wealth of their business – so they know quantifying risk is part of a financial equation that they need to master,” said Thakar, speaking live to the Las Vegas audience this November 2022.

Looking at how expensive cyber insurance is and at the rise of so-called ‘destructware’ (ransomware on steroids, designed not to reap money but simply to kill off businesses and public organisations and render them unable to operate), Thakar explained that this new strain of attack can be a whole lot cheaper to mount than physically equipping soldiers in the real world.

For Thakar, the conversation (in relation to cyber) inside organisations in every industry needs to move onwards to talk about the end-game risk that any vulnerabilities may ultimately lead to in terms of a business’s ability to operate, make money, invest and even exist in the first place. In other words, it’s that term that the technology industry is so fond of today – it’s all about outcomes.

Leading his keynote towards talking about ‘security posture’ leads us nicely into covering some of the major platform and product updates that Qualys has come forward with this winter 2022.

Core product updates

In terms of core product updates and platform enhancements showcased at Qualys QSC 2022, the company detailed TotalCloud with FlexScan.

This is cloud-native VMDR (vulnerability management detection & response) with six sigma accuracy via agent and agent-less scanning for coverage of cloud-native posture management and workload security across multi-cloud and hybrid environments.

The company says its updates come in response to the reality of a ‘plethora of industry acronym-driven point solutions’ that provide a fragmented view of risk without context. 

Qualys TotalCloud is said to extend the accuracy of VMDR with cloud-native FlexScan assessments to unify cloud posture management and cloud workload security in a single view with risk insights. TotalCloud automates inventory, assessment, prioritisation and risk remediation via a drag-and-drop workflow engine for continuous ‘zero-touch’ security from code to production cloud applications.

“Cloud security is getting very fragmented with too many point solutions, which brings more complexity,” said Thakar. “Our customers want seamless, comprehensive insight into cyber risk across their multi-cloud and non-cloud assets. With our TotalCloud offering, we bring flexible, high-quality cloud-native risk assessment to our customer base as they look to expand into the cloud with Qualys.”

Qualys FlexScan

Qualys TotalCloud introduces FlexScan, a comprehensive cloud-native assessment solution that allows organisations to combine multiple cloud scanning options for the most accurate security assessment of their cloud environment.

Security teams will have multiple hybrid assessment capabilities to secure the entire cloud attack surface including:

  • Zero-touch, agent-less, cloud service provider API-based scanning for fast analysis.
  • Virtual appliance-based scanning to assess unknown workloads over the network for open ports and remotely exploitable vulnerability detection.
  • Snapshot assessment that mounts the workload snapshot for periodic offline scanning including vulnerabilities and OSS scanning.
  • Qualys Cloud Agents in the workload for comprehensive, real-time vulnerability, configuration and security assessment.

TotalCloud provides shift-left security integrated into developers’ existing CI/CD tools to continuously assess cloud workloads, containers and Infrastructure as Code (IaC) artifacts.

This allows for the rapid identification of security exposures and remediation steps during the development, build and pre-deployment stages while providing support for the major cloud providers including AWS, Azure and Google Cloud.
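To make the shift-left idea concrete, here is an added illustration (not Qualys code, and not the output format of TotalCloud or FlexScan) of the kind of pre-deployment IaC check a CI stage performs: it parses a constructed, Terraform-plan-like JSON document, flags common cloud misconfigurations, weights each finding by the environment tag so that the riskiest items surface first (the prioritisation-with-context point made later on this page), and returns a pass/fail result the pipeline can act on. The resource shape, check names and scores are assumptions chosen for the example.

```python
import ipaddress
import json
import sys

# Constructed sample input: a simplified, Terraform-plan-like document.
# The field names are a hypothetical shape chosen for this illustration.
SAMPLE_PLAN = json.dumps({
    "resources": [
        {"type": "aws_s3_bucket", "name": "logs", "acl": "public-read",
         "tags": {"env": "prod"}},
        {"type": "aws_security_group", "name": "web",
         "ingress": [{"from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]}],
         "tags": {"env": "prod"}},
        {"type": "aws_security_group", "name": "bastion",
         "ingress": [{"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}],
         "tags": {"env": "dev"}},
        {"type": "aws_db_instance", "name": "customers", "publicly_accessible": True,
         "storage_encrypted": False, "tags": {"env": "prod"}},
    ]
})

# Ports that should never be reachable from the whole internet (assumed list).
ADMIN_PORTS = {22, 3389, 3306, 5432}
# Environment context multiplies the base score: a prod finding outranks a dev one.
ENV_WEIGHT = {"prod": 3, "staging": 2, "dev": 1}


def _is_world(cidr):
    """True for a /0 network, i.e. 'everyone'."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_resource(res):
    """Return (check_name, base_score) pairs for one resource block."""
    findings = []
    rtype = res.get("type")
    if rtype == "aws_s3_bucket" and res.get("acl", "private") in ("public-read", "public-read-write"):
        findings.append(("public-bucket", 8))
    if rtype == "aws_security_group":
        for rule in res.get("ingress", []):
            if any(_is_world(c) for c in rule.get("cidr_blocks", [])):
                ports = range(rule["from_port"], rule["to_port"] + 1)
                # A world-open 443 is normal for a web tier; world-open admin ports are not.
                if any(p in ADMIN_PORTS for p in ports):
                    findings.append(("world-open-admin-port", 9))
    if rtype == "aws_db_instance":
        if res.get("publicly_accessible"):
            findings.append(("public-database", 9))
        if not res.get("storage_encrypted", False):
            findings.append(("unencrypted-storage", 5))
    return findings


def assess_plan(plan_json, fail_threshold=20):
    """Evaluate every resource, rank findings by contextual score, decide pass/fail."""
    plan = json.loads(plan_json)
    results = []
    for res in plan["resources"]:
        env = res.get("tags", {}).get("env", "dev")
        weight = ENV_WEIGHT.get(env, 1)
        for check, base in check_resource(res):
            results.append({"resource": f"{res['type']}.{res['name']}",
                            "check": check, "env": env, "score": base * weight})
    results.sort(key=lambda r: r["score"], reverse=True)
    passed = all(r["score"] < fail_threshold for r in results)
    return results, passed


if __name__ == "__main__":
    findings, ok = assess_plan(SAMPLE_PLAN)
    for f in findings:
        print(f"{f['score']:>3}  {f['resource']:<35} {f['check']} ({f['env']})")
    # Non-zero exit fails the CI stage before anything reaches the cloud.
    sys.exit(0 if ok else 1)
```

Run against the constructed plan, the public production database and public production bucket rank above the unencrypted storage and the dev bastion, and the stage exits non-zero; the production web group open on 443 is deliberately not flagged, because a scanner that cannot tell a web tier from a bastion produces the noise that the page's 'fragmented view of risk without context' complaint refers to.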

Multi-cloud posture & ephemeral assets 

Where all of this gets us to is a need to achieve visibility into multi-cloud posture insights, i.e. the real vulnerability status and operational health of any cloud-based asset in any location, from on-premises out to the IoT compute edge.

Qualys has built what it calls a unified cloud posture dashboard to provide inventory, security and compliance posture insights across multi-cloud environments. Teams can identify and prioritise the misconfigurations that cause the highest risk with additional context on workload vulnerability and security posture.

The integration of QFlow technology into TotalCloud is promised to save security and DevOps teams valuable time and resources. 

Automation and no-code, drag-and-drop workflows help simplify the time-consuming operational tasks of assessing vulnerabilities on ephemeral cloud assets, alerting on high-profile threats, remediating misconfigurations, and quarantining high-risk assets.

Qualys CEO Thakar: A holistic approach to platform, automation, speed and cost constitutes real innovation in cyber security today.