Qualys has made its Enterprise TruRisk Platform free for 30-days. It is doing this to help organisations meet the UK’s National Cyber Security Centre (NCSC) 5-7 days guidance for remediation. It is a target that many organisations struggle to meet.
Sumedh Thakar, President and CEO of Qualys, said, “Adversaries are weaponizing vulnerabilities more quickly than ever, which accounts for the NCSC’s focus on swift remediation of vulnerabilities. For most organizations, with their complex infrastructures and patch workflows, it’s almost impossible to meet the 5-7 day update time.
“To aid organizations in adhering to the NCSC guidelines, we’re offering the Qualys Enterprise TruRisk Platform free for 30 days. This allows organizations to streamline asset discovery, takes the guesswork out of understanding which vulnerabilities are the riskiest and helps with prioritization, so organizations can mitigate risks quickly and efficiently to safeguard their businesses.”
What is the NCSC guidance referred to here?
The NCSC made public an 8-page document on managing vulnerabilities. It breaks down the problem of vulnerability management into several steps, including asset management, risk analysis, creating the right processes, triage and other steps. As a playbook, it is probably one of the better ones around.
For some organisations, what it covers is likely, in part or even whole, to be covered by their existing setup. However, for many, it will open up the breadth of the problem and give them things to work towards.
As part of the guidance and advice, the NCSC went further. It challenged organisations to patch internet-facing assets within 5 days. Assets that are only exposed internally get a little more time, 7 days. Even for the best-performing companies, it is unlikely that all their systems meet this. And that is the key to what the NCSC has sought to do it. Challenge everyone’s perceptions and processes.
Qualys giving businesses a better start point
By making Qualys Enterprise TruRisk available free for 30-days, Qualys is offering a tool that allows an enterprise to detect where it has risk. According to Qualys, TruRisk aids “organizations in efficiently discovering and classifying internet-facing and internal-facing assets, and prioritizing vulnerabilities for swift and safe remediation.”
In the announcement, Qualys says, “The Qualys NCSC free service allows organizations to remediate issues in as little as 30 minutes and within the recommended 5-7 days for full alignment.”
The company calls out three ways that using the Enterprise TruRisk Platform will help meet the NCSC deadlines:
- Identifying External Assets: Accurately discover both internal and external assets within your environment and flag End of Life (EOL) and End of Support (EOS) software and devices.
- Efficient Risk-based Prioritization: Vulnerabilities are prioritized by their TruRisk score and automatically mapped to necessary updates to simplify IT workflows for a customized NCSC risk and remediation view.
- Patch Automation: The gap between security and IT teams is closed with Qualys Patch Management. Qualys brings these groups together to safely prioritize and deploy patches automatically to help customers update default policies, within 5-7 days, as recommended by NCSC.
Enterprise Times: What does this mean?
There is a lot of noise around vulnerability management. The purists believe that nothing matters more than everything getting patched immediately. Most, however, have little experience of the chaos that ensues when you do that and the instability it causes to IT departments. It also assumes that organisations have anything other than the faintest hint of everything that they have.
That mentality is changing. What has been emerging over the last few years is an acceptance that not all risks are the same. More importantly, not all patching has to be priority one, which just drains IT staff and irritates the business when systems keep going down.
The NCSC has done a great job of detailing a process and flow that can be applied to harden most enterprises’ vulnerability management. It has avoided the knee-jerk reaction but has also put reasonable bounds on how long you can wait. It has also identified the need for better asset management and a risk-based approach.
In doing so, it has played to Qualys’ strength with the Enterprise TruRisk Platform. Now, Qualys has grasped that opportunity with this 30-day free offer. There are two important measures here. The first is how many enterprises take up this offer. The second is how effectively Qualys’ partners can convert those 30-day users to commercial licences.
What is interesting is that Qualys is not putting the weight of this on its partner ecosystem. Enterprises simply go to qualys.com/forms/vmdr-ncsc to register. Qualys will then handle the assignments for each customer to its partners. But whoever makes the sale, Qualys, is guaranteed to come out ahead.
