Aug 31st, 2021

Qualys Patch Management (PM)

Qualys EDR / Patch Management Blog Series [Part 1]

NOTE: This is the first part of a blog series.

Part 1: Qualys Patch Management (PM)

Part 2: Qualys Endpoint Detection and Response (EDR)

Part 3: PM and EDR Remediation Demonstration

Overview

In this blog post, we will take a look at the Qualys Patch Management (PM) module. We will be answering questions including, “What is Qualys Patch Management?”, “What is it used for?”, “How does it work?”, “How to activate and set up?”, “Which feature does what?”, and “What can we do with this module?”.

Part 2 of this blog series will be focusing on Qualys Endpoint Detection and Response (EDR). EDR is an important endpoint security module similar to PM. Then, in Part 3 of this blog series, we'll be showing various remediation techniques using PM and EDR.

Index

Part 1: Qualys Patch Management (PM)

  1. Patch Management (PM) with Qualys: An Overview
  2. Patch Management Features
  3. Patch Sources
  4. PM Activation & Setup
    1. Cloud Agent Module
      1. Install Cloud Agent on the target host.
      2. Assign the target agent host to a Configuration Profile that has PM enabled.
      3. Activate the PM module on the target agent host (alternative to a Configuration Profile).
    2. Patch Management Module
      1. Assign the target agent host to an enabled PM Assessment Profile.
      2. Assign hosts to PM Jobs (activate license).
  5. Overview of the PM Application
    1. Patch Management UI
    2. Assessment Profile
    3. License Consumption
  6. PM Deployment Job / PM Uninstall Job
    1. Job Status
    2. Patching from VM and VMDR
    3. VMDR Prioritization Report
  7. PM Assets
  8. Patch Catalog (Patches)

Part 2: Qualys Endpoint Detection and Response (EDR)

  1. Qualys Endpoint Detection and Response (EDR) Overview
  2. EDR Activation and Setup
    1. Install Cloud Agent on the target host.
    2. Assign the target agent host to a Configuration Profile that has EDR enabled.
    3. Activate the EDR module on the target agent host (alternative to a Configuration Profile).
  3. EDR Application Overview
    1. EDR User Interface
  4. Events and Incidents
    1. Hunting Events
    2. Using Queries for Hunting Suspicious Activity
  5. EDR Investigation and Response Actions
  6. Rule-Based Alerts
    1. Configure Rules
    2. Trigger Criteria
    3. Aggregating Alerts
    4. Activity Tab
  7. Prevention
    1. Global Asset Inventory (AI)
    2. Detect Vulnerabilities and Missing Patches
    3. Additional Context from Configuration Management

Part 3: PM and EDR Remediation Demonstration

  1. PM Patching (Virtual Machine)
  2. Remediation with EDR (Virtual Machine)
    1. Dealing with a Malicious Event
    2. Response Actions

1. Patch Management (PM) with Qualys: An Overview

Qualys Patch Management is a cloud-based tool that assists security and IT professionals in quickly resolving vulnerabilities and patching their systems.

Image shows Patch Management PM with Qualys

Qualys Patch Management can:

  • Locate any missing fixes.
  • Patch your assets, whether they're on-site, on mobile devices, roaming, or in the cloud.

Qualys Patch Management, built on the world's greatest cloud-based security and compliance platform, frees you from the considerable expense, resource, and deployment issues associated with traditional software.

The Qualys Patch Management video library provides more information.

2. Patch Management Features

  • Correlates newly found vulnerabilities with the patches that are necessary.
  • Allows the use of existing Qualys Agents for deploying and uninstalling patches.
  • Patches the operating system and applications, including patches from third-party software suppliers (e.g., Adobe, Java, Google, Mozilla, Microsoft, etc.).
  • Enables patching from almost anywhere with an Internet connection (e.g., airports, coffee shops, remote offices, etc.).
  • Discovers which patches are missing or required and identifies patches that have been superseded.
  • Creates patches for specific vulnerabilities, severity levels, and known threats.

3. Patch Sources

OS and application patches come from the vendors' global CDNs (e.g., Oracle, Adobe, Microsoft, Apache, Google, etc.).

Qualys validates each downloaded patch using both its digital signature and its hash value; the patch is then checked again using Qualys Malware Insights.

Local repository (Qualys Gateway Server)

  • Patch downloads requested by one agent are cached on the QGS and made “locally” available to other agents that require the same patch.
  • Manifests and agent binaries are also cached by the QGS.

4. PM Activation & Setup

The following configuration steps are necessary to use the Qualys Patch Management (PM) module successfully:

4.1 Cloud Agent Module

4.1.1 On the target host, install Cloud Agent.

Note: Cloud Agent must be installed with an activation key that is compatible with the PM module.

Image shows Cloud Agent must be installed with an activation key

Check out the Qualys Cloud Agent Installation Guide with Windows and Linux Scripts if you're not sure how to install and configure “Qualys Cloud Agent.”

Image shows Qualys Cloud Agent Installation Guide with Windows and Linux Scripts

4.1.2 Assign a Configuration Profile with PM enabled to the target agent host.

To establish a “Configuration Profile” containing assets, add a new asset tag.

Image shows Assign a Configuration Profile with PM enabled to the target agent host.

Create a new “Configuration Profile” to work with.

Image shows Create a new “Configuration Profile” to work with.

PERFORMANCE: The high-performance option performs more frequent inspections.

Image shows The high-performance option performs more frequent inspections.

ASSIGN HOSTS: Choose which assets will receive this profile. Assets can be selected using “Asset Tags” or “Asset Names”.

Image shows Choose which assets will receive this profile. Assets can be selected using “Asset Tags” or “Asset Names”.

PM: For Configuration Profile, enable the PM module. To accommodate Windows Updates, the cache size must be at least 2048 MB.

Image shows For Configuration Profile, enable the PM module.

4.1.3 Activate the PM module on the target agent host (as an alternative to a Configuration Profile)

You can also manually activate the asset module instead of using Configuration Profile to enable PM.

Image shows you can also manually activate the asset module instead of using Configuration Profile to enable PM.

4.2 Patch Management Module

To use the PM module, you must assign hosts to the profile you created.

4.2.1 Assign the target agent host to a PM Assessment Profile that is enabled.

To assign target agents to PM jobs, create an “Assessment Profile”.

Image shows how to create an “Assessment Profile” to assign target agents to PM jobs.

Choose which assets will be assigned.

Image shows which assets will be assigned.

Note: In the Assessment Profile, only asset tags can be used to choose assets.

Set up an "Assessment Schedule" to collect patch data from agents.

Image shows set up an "Assessment Schedule" to collect patch data from agents.

Note: The scan interval should be at least 4 hours.

Note: Unlicensed assets have a 24-hour scan interval.

Image shows the scan interval should be at least 4 hours; unlicensed assets have a 24-hour scan interval.

4.2.2 Assign hosts to PM Jobs (activate the license).

To assign hosts to PM Jobs, you need to activate their licenses. The number of available licenses is limited.

Note: In License Consumption, only asset tags can be used to select assets.

Image shows License Consumption; only asset tags can be used to select assets.

5. Overview of the PM Application

5.1 Patch Management UI

Image shows Patch Management UI

  • CONFIGURATION: Set the frequency of patch assessments and the number of patching licenses to be used.
  • JOBS: Use one or more PM Jobs to deploy and/or uninstall specific patches for specific groups of host assets.
  • ASSETS: A list of the agent host assets that were activated by the PM module.
  • PATCHES: A catalog of application and operating system patches.
  • DASHBOARD: This section has "widgets" that track key patch statistics.

5.2 Assessment Profile

The System Profile is used as the Assessment Profile by default.

Assessment scans reveal which patches are missing and which have been installed on an agent host.

Image shows Assessment Profile

5.3 License Consumption

Asset Tags are used to designate which agent host assets are patchable. (Note: asset tags are the only way to select assets here.)

To prevent patching on specific assets, choose the “Exclusion” check box.

Image shows License Consumption

6. PM Deployment Job/ PM Uninstall Job

We'll concentrate on the main stages of patch deployment (from PM, VM, and VMDR) and look at the various patch deployment options.

Create Deployment job:

Image shows Create Deployment job

Select your assets. “Asset Tags” or “Asset Names” can be used to select assets.

Image shows Asset Tags or Asset Names

Only patchable patches can be chosen; the filter isSuperseded:false hides superseded ones.

Image shows Patches that are patchable can be chosen

Patches are automatically added "within scope" when you click "Add Patches." Choosing only patches that haven't been superseded makes patch jobs more efficient.

Note: A “key” symbol next to a patch name means “Acquire from Vendor”. These patches aren't available for download and can't be added to the job.

Image shows Key symbol nearby patch name means “Acquire from Vendor”

The confirmation notice box states that patches marked with the “key-shaped” icon will not be downloaded by the Qualys Cloud Agent.

Image shows confirmation notice box

Selected patches will be listed.

Image shows selected patches

Deployment Jobs can be set to "run on demand" or "scheduled," and "Recurring Jobs" can be run "daily, weekly, or monthly."

If patch installation does not begin within the given "Patch Window," the job is marked as "Timed out."

To give a patch job an unlimited Patch Window, choose "None."

Image shows to provide patch jobs for an infinite period of time, choose "None."

The "Enable opportunistic patch download" option lets agents download the required patches before a scheduled job starts. (Note: this option applies only to scheduled jobs.)

Image shows allow agents to download required patches

The following messages are sent to the client during deployment.

Image shows pre-deployment Qualys message

  • Before patch deployment begins, a pre-deployment message is sent to the client. It can be deferred for a specified number of days and to a specific time.

Image shows deployment in progress Qualys message

Image shows deployment complete Qualys message

  • These messages signal the Deployment in Progress and Deployment Complete statuses.

Reboot messages inform the client of a pending reboot.

  • Reboots are disabled when you use "Suppress Reboot".

Image shows Reboots are disabled when you use "Suppress Reboot".

  • "Reboot Request" is a notification that the client needs to reboot.
  • When the deferment limits are reached, "Reboot Countdown" displays a countdown message and reboots.

Clients receive pop-up messages. It is possible to customize the message descriptions.

Image shows clients receive pop-up messages. It is possible to customize the message descriptions.

Note: The process of creating an uninstall job is similar to that of creating a deployment job. Instead of adding patches to download, select the patches to remove.

Note: Some patches cannot be rolled back or uninstalled. For this reason, fewer patches are available for uninstall jobs than for deployment jobs.
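As an added example (not code from this post or from Qualys, and not its API), here is a small Python model of the scoping rules described above: licensed assets are chosen by asset tags minus exclusions (section 5.3), a deployment job keeps only non-superseded patches the agent can download that are missing on a selected asset, and an uninstall job is narrower still because the patch must be installed and rollback-capable. The record fields and the sample catalog are constructed assumptions.

```python
"""Model of Qualys PM job scoping as described in the post (added illustration,
not Qualys code or its API; field names and sample data are assumptions)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Patch:
    patch_id: str
    is_superseded: bool         # the post's isSuperseded:false filter
    acquire_from_vendor: bool   # "key" icon: Cloud Agent will not download it
    rollbackable: bool          # required for an uninstall job
    missing_on: frozenset       # asset names where the patch is missing
    installed_on: frozenset     # asset names where the patch is installed

# Constructed sample data: tag -> asset names, and a small patch catalog.
ASSETS_BY_TAG = {"Windows": {"web01", "db01", "lab01"}, "Lab": {"lab01"}}
CATALOG = [
    Patch("KB-A", False, False, True, frozenset({"web01", "db01"}), frozenset()),
    Patch("KB-B", True, False, True, frozenset({"web01"}), frozenset()),    # superseded by KB-A
    Patch("JAVA-1", False, True, True, frozenset({"db01"}), frozenset()),   # acquire from vendor
    Patch("KB-C", False, False, False, frozenset(), frozenset({"web01"})),  # installed, no rollback
    Patch("KB-D", False, False, True, frozenset({"lab01"}), frozenset({"db01"})),
]

def licensed_assets(include_tags, exclude_tags, assets_by_tag=ASSETS_BY_TAG):
    """License Consumption: select assets by tag, then drop tagged exclusions."""
    chosen = set().union(*(assets_by_tag.get(t, set()) for t in include_tags))
    excluded = set().union(*(assets_by_tag.get(t, set()) for t in exclude_tags))
    return chosen - excluded

def deployment_scope(assets, catalog=CATALOG):
    """Returns (patch ids in scope, {patch id: reason it was left out})."""
    in_scope, left_out = [], {}
    for p in catalog:
        if p.is_superseded:
            left_out[p.patch_id] = "superseded"
        elif p.acquire_from_vendor:
            left_out[p.patch_id] = "acquire from vendor (not downloadable)"
        elif not (p.missing_on & assets):
            left_out[p.patch_id] = "not missing on selected assets"
        else:
            in_scope.append(p.patch_id)
    return in_scope, left_out

def uninstall_scope(assets, catalog=CATALOG):
    """Uninstall job: the patch must be installed on a selected asset and rollback-capable."""
    return [p.patch_id for p in catalog if p.rollbackable and p.installed_on & assets]

if __name__ == "__main__":
    prod = licensed_assets(["Windows"], ["Lab"])
    print(prod, deployment_scope(prod), uninstall_scope(prod))
```

The `left_out` map mirrors the confirmation notice box: it tells you why each catalog entry did not make it into the job.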

6.1 Job Status

Image shows job status.

On the “View Progress” page, you can see the “Job Status”.

Image shows View Progress page.

  • Enabled: Job is presently active.
  • Disabled: Job is presently inactive.
  • Completed: Job has been completed.

Image shows enabled, disabled, completed jobs

When the deployment job is finished, click "View Progress" to see the results.

Image shows click "View Progress" to see the results.

To see the details of a patch that failed, skipped, or succeeded, click "View Patch Details".

Image shows To see the details of a patch that failed, skipped, or succeeded, click "View Patch Details"

Patch details are listed.

Image shows patch details are listed.

6.2 Patching from VM and VMDR

Both VM and VMDR support patching from the "VULNERABILITIES" section.

Clicking "View Missing Patches" redirects you to the "Patches" section of the Patch Management module.

Image shows Patching from VM and VMDR

Note: Not all vulnerabilities have patches.

Image shows that not all vulnerabilities have patches.

Filter for vulnerabilities that can be patched. The patches required for your job can be added from this section.

Image shows filter for vulnerabilities

6.3 VMDR Prioritization Report

Prioritize your remediation activities with VMDR Prioritization.

Image shows Prioritize your remediation activities with VMDR Prioritization

Prioritize assets by selecting “Asset Tags”.

Click “Prioritize Now”.

Image shows asset tags

Image shows Click “Prioritize Now”

Add the prioritized patches to a new or existing job.

Image shows Click “Prioritize Now”

The “Add to New Job” or “Add to Existing Job” buttons redirect you to the tab for creating deployment jobs.

Note: Prioritized vulnerabilities can also be filtered as “Patchables”.

Image shows prioritized vulnerabilities filtered as “Patchables”.

7. PM Assets

Host assets on which the PM module is enabled are displayed here. The number of “MISSING” and “INSTALLED” patches is shown after a successful assessment scan.

Note: All assets have been scanned successfully.

Image shows all assets have been scanned successfully.

View asset details, add assets to an existing job or add assets to a new job using the "Quick Actions" menu.

Image shows View asset details.

  • When you click "Add to New Job," you'll be redirected to the "Deployment Job" tab.
  • The “Add to Existing Job” button redirects you to the “Existing Deployment Jobs” tab.
  • Additional assets can be added to any deployment job before it is enabled.
  • Additional assets can be added to a “recurring” job both before and after it is enabled.

Image shows existing deployment jobs.

For details of missing or installed patches, click the numbers.

You can also add assets to a new or existing job from this section.

Image shows adding assets to a new or existing job from this section.

Image shows all patches after turning off the filters.

8. Patch Catalog (Patches)

On the Patch Management UI, the “Patches” tab lists all patches that are available or unavailable for assets.

By default, when the tab is opened, it displays results filtered to patches that are available for assets.

Image shows Quick Actions menu

To see all patches, turn off the filters.

Image shows Quick Actions menu

Use the “Quick Actions menu” to view asset details, add assets to an existing job, or add assets to a new job.

Image shows Quick Actions menu

Conclusion

In the first part of this series, we have learned about Qualys Patch Management (PM). We have discussed the features, benefits, and patch sources of Qualys PM, and learned how to activate and set up PM using configurations. We gave an overview of the PM application, assets, and patches, and learned about the “Deployment Job”, which is the most important part of PM.

Now, we are ready to investigate the Qualys EDR module. Please join us in Part 2: Qualys Endpoint Detection and Response (EDR) of this blog series, where we’ll learn about EDR, an important endpoint security module similar to Qualys Patch Management (PM).
