Philippe Courtot, Simplifying IT security for organizations of all sizes
While today’s interconnected networks enable companies to easily share information with their customers, suppliers, and partners, they also introduce new vulnerabilities—relentlessly and nearly every day—onto enterprise networks and applications. That makes just keeping pace with the sophistication and frequency of new security vulnerabilities and attack techniques a serious challenge, as the software flaws that make worm and hacker attacks possible are both being discovered and exploited in ever growing numbers.
Regulatory Risks Rise. Whether it’s Sarbanes-Oxley, the Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley, any number of state data breach disclosure laws such as SB-1386, or the Payment Card Industry (PCI) Data Security Standard, it all comes down to securing the integrity and availability of sensitive personal and corporate information.
Vulnerability Risks Increase and grow more complex. In the year 2000, there were about 1,090 new software vulnerabilities announced; last year, that figure skyrocketed to nearly 6,000. And attack tools, worms, and exploits are now available within days, not weeks or months, of the public announcement of these vulnerabilities. Businesses need to move more swiftly than ever to identify and remedy these risks.
Yet, traditional security auditing tools that identify network vulnerabilities cannot keep up with the evolving threat landscape, and they are often complex and difficult to manage.
Creating an automated process to continuously monitor network security and identify vulnerabilities is critical to protecting the enterprise and ensuring regulatory compliance. The on-demand model assures that businesses of all sizes can benefit from security services and protect their data and their customers’ information. This is where Qualys, under Philippe’s leadership, has excelled.
Name: Philippe Courtot
Title: Chairman and CEO
Likes to be called: Philippe
Company: Qualys, Inc.
Executing the Vision
Just because vulnerabilities, attacks, and regulatory compliance burdens are all growing more complex doesn’t mean that the tools used to protect IT systems need to be. In fact, Qualys has demonstrated quite the opposite through its on-demand, Web services-based QualysGuard line of vulnerability management appliances.
Since its founding under Philippe’s leadership, Qualys has transformed the way security applications are delivered through its on-demand, Software as a Service model. Philippe had identified two trends that would permanently transform IT security: 1) software would become a service that is delivered rather than a product that is installed and maintained by the end user; and 2) in order to achieve the highest levels of security possible, security technology must be simplified and blend into the very fabric of business technology.
The rest of the high-tech industry is just now catching up to Philippe’s vision of these two trends. The trend toward security evolving into the infrastructure can be seen in Cisco Systems’ NAC and Microsoft’s NAP technologies. It is seen in Symantec’s acquisition of Veritas, as well as EMC’s recent acquisition of RSA Security; both highlight how security is merging with storage and data management technologies. The Software as a Service trend is already well underway, as witnessed by Microsoft’s significant commitment to this delivery model and by Salesforce.com’s phenomenal success.
Long before SaaS was the buzz of the day; before Google rose to its dominance; before Salesforce.com became a household name; and while the Internet bubble imploded and many lost faith in the future of the Internet as the dominant platform for e-business, Philippe drove forward to build Qualys as a company that would transform forever the largely complex processes of IT security into a streamlined process that could be understood and performed by anyone, regardless of their depth of technical acumen. Through the success of its flagship vulnerability and regulatory compliance management solution, QualysGuard, Qualys has transformed a complex and traditionally manual process into a fully automated, accurate, cost-effective, and easily deployed on-demand system for reducing the business and regulatory risks surrounding business-technology systems.
QualysGuard Brings Affordable, Simplified Security and Regulatory Compliance to Companies of All Sizes
The QualysGuard line of vulnerability and compliance management solutions provides the easiest-to-deploy, most accurate, and most comprehensive way to reduce security and regulatory compliance risks. All a company needs is a Web browser to scan its network to spot and fix the vulnerabilities that constitute the gateway for roughly 99 percent of all successful attacks. That’s how Qualys has forever transformed the way companies reduce the risks associated with their IT systems—and at a cost that is, on average, 50 to 90 percent less than traditional software scanning solutions.
The company’s innovative security services model doesn’t require companies to deploy costly servers to scan for software and network vulnerabilities. With 99.999 percent accuracy, no software to manage, and tight integration of both vulnerability and compliance management, Qualys has slashed the levels of operational risk.
Here’s an overview of QualysGuard, and how it is more innovative and effective than the competition:
Global Deployability: Easily performs scans on geographically distributed and segmented networks, both at the perimeter and behind the firewall.
Lower Total Cost of Ownership: On-demand technology offers significant economic advantages, with no capital expenditures, extra human resources, or infrastructure to deploy and manage.
Extremely Accurate and Up-to-Date: QualysGuard has the largest KnowledgeBase of vulnerability signatures in the industry (5,000+), and performs more than two million scans per month with an unparalleled accuracy rate of 99.999 percent.
Scalable: Rapidly deploy and expand using QualysGuard’s distributed scanning and on-demand architecture.
Strong Security Model: Protects in-transit and in-storage data using SSLv3 and AES encryption.
QualysGuard Provides the Highest Accuracy in the Industry
Every QualysGuard on-demand solution fully leverages Qualys’ centrally managed Security Operations Center (SOC). Each time a customer performs a vulnerability scan, they’re running the very latest version of the application, including the most up-to-date vulnerability checks. Within the SOC, Qualys’ R&D team virtually eliminates the likelihood of costly and time-consuming false positives through consistent audits of the effectiveness of vulnerability signatures. This continuous Quality Assurance testing of each and every signature in the QualysGuard KnowledgeBase, together with the on-demand, Web services delivery of updates, far surpasses the capabilities of clunky software-based scanners. Through QualysGuard, customers instantly benefit from application updates, enhancements, and the most accurate vulnerability signatures possible, without ever having to manually manage or update the application or vulnerability database themselves.
When it comes to accuracy, Qualys is fanatical, and its Six Sigma quality program is one example of this. Through this program, Qualys is continuously improving upon its already unmatched quality. Throughout 2003, Qualys scanned one million unique hosts each quarter and maintained an accuracy level of 99.997 percent for the year. Through the second quarter of 2005, Qualys raised its own unsurpassed standard: with more than ten million hosts scanned each quarter, it achieved a greater than 99.999 percent accuracy rate. That means that fewer than 30 false positives were reported after ten million unique network devices were scanned every three months.
These are just some of the ways Qualys has forever altered how vulnerabilities are identified and fixed. It has slashed and simplified the formerly complex process of vulnerability and compliance management. Now, companies everywhere can proactively protect their networks and integrate security with business policy and regulatory demands. Security threats and government regulations are growing in complexity, but Qualys has proven that the tools used to protect systems certainly don’t have to.
QualysGuard’s benefits to customers:
Scanning
Comprehensive vulnerability KnowledgeBase that incorporates 5,000+ unique checks—the largest vulnerability database in the industry.
Network mapping rapidly detects and identifies servers, desktops, routers, wireless access points, and other networked devices.
Inference-based scanning engine.
Authenticated or unauthenticated scanning capabilities.
Internal and external scanning provides a 360-degree view of network vulnerabilities.
Scans are configurable for optimum performance and minimum network load.
Customization of scans to seek out specific ports/services and specific vulnerabilities.
Schedule and automate network discovery and vulnerability scan tasks on a daily, weekly, or monthly basis.
Automated daily updates to the QualysGuard vulnerability KnowledgeBase.
Reporting
Easy access to concise, auto-generated reports.
Executive Dashboard provides a real-time illustration of risk.
Detailed reports with verified remediation actions for technicians.
SANS Top 20 Report provides an industry baseline.
Automated MasterCard SDP / Visa CISP compliance reporting.
Top ten reports of the most prevalent vulnerabilities (both internal and external).
Network topology visualization of all discovered hosts.
CVE-linked and Bugtraq-referenced vulnerability checks with detailed remediation instructions.
Customizable reports for flexible, on-demand reporting by business units for executives and managers.
Automated trending and differential reporting.
Export reports to HTML, MHT, PDF, CSV, and XML formats.
Remediation
Automatically generate and verify trouble tickets concerning network vulnerabilities.
Ticket trending and reports by owner, group, and vulnerability to measure network threat level.
Policy-based remediation workflow management with automatic trouble ticket creation/assignment.
Automated remediation ticket generation and verification.
Out-of-the-box integration with ticketing systems (e.g., Remedy).
Out-of-the-box integration with patch management and software distribution solutions (e.g., Citadel, PatchLink).
Policy Compliance
Trusted, third-party network auditing and reporting meets the compliance needs of HIPAA, GLBA, SB 1386, Sarbanes-Oxley, and others.
Automated self-service MasterCard SDP / Visa CISP compliance certification.
Management
Automatic centralized reporting from distributed scans.
Consolidated administration of both internal and external (perimeter) scanning.
Flexible asset prioritization and asset grouping that gives users the ability to fix the highest-priority vulnerabilities based on asset value and security policies.
Daily signature updates and feature enhancements are completed automatically and transparently to the user.
Hierarchical role-based user access controls allow delegation of responsibilities to reflect organizational structure.
Authorized user access from any location.
Scheduled scans and network discoveries.
All functionality and management are available via a Web browser.
Appliance-based; no software to install or maintain.
Deployability/Scalability
Deploys in minutes with no software installation, rollout complications, or maintenance upgrades.
Immediately accessible anytime, anywhere, via a Web browser.
On-demand technology allows users to scan globally with no additional infrastructure to buy or maintain.
Security
End-to-end encryption of vulnerability data.
SAS 70 audited security architecture provides maximum data protection.
Section 508 compliant.
Optional two-factor authentication with RSA SecurID.
Trusted, third-party certification of network security with tamper-resistant audit trails.
Secure architecture protects scan results from tampering and manipulation.
Interoperability
Extensible XML-based API.
Policy Compliance SDK available for custom report generation.
Out-of-the-box integration with existing or legacy security management consoles (e.g., ArcSight, GuardedNet, Symantec).
Out-of-the-box integration with ticketing systems (e.g., Remedy).
Out-of-the-box integration with patch management and software distribution solutions (e.g., Citadel, PatchLink).
Correlates with Snort IDS, using the open source Qualys QuIDScor engine to eliminate IDS false positives.
Industry-standard support for vulnerability scoring with the Common Vulnerability Scoring System (CVSS).
Industry-standard support for the addition of custom detections using the Open Vulnerability and Assessment Language (OVAL).
Support
24x7x365 email/telephone customer and technical support.
Weekly, Web-based customer training.
Technical training and certification workshops.
Multiple versions of QualysGuard are available for enterprises large and small, as well as security services providers:
QualysGuard Enterprise: for large distributed organizations.
QualysGuard Express: for small to medium-sized organizations or enterprise business units.
QualysGuard Consultant: for professional services organizations.
QualysGuard MSP: for managed service providers.
QualysGuard has proven to be a phenomenal success. Today, Qualys provides on-demand vulnerability management and policy compliance to more than 2,000 enterprise subscribers, including 200 of the Forbes Global 2000. Using QualysGuard, security managers strengthen the security of their networks, conduct automated security audits, and ensure compliance with internal policies and external regulations.
QualysGuard @Customer: The Innovation Continues
In February 2006, Qualys took its on-demand platform to a new level when it unveiled QualysGuard @Customer, the first solution of its kind to offer the quality, cost, and deployment benefits of the Software as a Service (SaaS) model with the scalability, power, and data control of an onsite Security Operations Center (SOC), at a fraction of the cost of maintaining a traditional SOC.
The need for @Customer was clear: as corporations and government agencies struggle to secure the thousands—even tens of thousands—of devices within their infrastructure, they find that traditional vulnerability scanners don’t adequately meet the complexity of the task: they don’t scale to quickly identify all of the assets within the infrastructure and all of the associated security flaws, while the costs to deploy dozens of scanners or hire teams of consultants remain high. To make the situation even more challenging, many large corporations face internal security policies, contractual agreements, and government and international laws that forbid outsiders from having access to security information regarding their infrastructure—information that in the wrong hands would create great risk of compromise.
QualysGuard @Customer solves all of these problems: it scales to perform millions of scans and secures the most complex of environments from misconfigurations and vulnerabilities—all at a fraction of the cost of any alternative or competing product or service. In addition, QualysGuard @Customer resolves the thorny regulatory and security policy issues surrounding the sharing of IT security data. QualysGuard @Customer is the first vulnerability management solution to provide all of the benefits of Software as a Service—low cost, high quality, and ease of deployment—with the power, scalability, and control of an onsite Security Operations Center.
The core of the @Customer solution is built upon Qualys’ hosted QualysGuard vulnerability management service. The entire solution is built to remain secure: the application servers run on Linux; the database servers run on the Red Hat Enterprise 3 operating system and the Oracle Standard One database; and all additional servers run on a hardened, custom-configured build of Red Hat Linux. While all the hardware and software is located onsite, Qualys provides all necessary hardware and software support and maintenance. Through @Customer, organizations maintain complete control and confidentiality over their sensitive security information, ensuring that they continuously meet internal security policy, government regulatory, and contractual data security demands. That’s how @Customer elevates the power, flexibility, accuracy, and cost-effectiveness of QualysGuard for corporations, governments and government agencies, and security service providers that need to secure tens of thousands of devices and maintain total confidentiality of security vulnerability data.
The redundant and load-balanced @Customer architecture is fully automated and operates 24x7x365. Customers are assured that within the @Customer data center, continuous audits identify new vulnerabilities and effective remedies are always applied. Additionally, a robust firewall, integrity checking system, and intrusion detection architecture are implemented to protect against and monitor any attacks. Service Level Agreements (SLAs) for the @Customer data center are equivalent to those of QualysGuard: 99 percent uptime, calculated quarterly.
The @Customer Security Operations Center is the first of its kind and is based upon the identical architecture of Qualys’ internal SOC, which today provides more than seven million scans every month. The @Customer base configuration supports the deployment of up to 2,000 QualysGuard vulnerability management scanners, which can perform millions of scans every month. The system can store 700 GB of security data. Each @Customer configuration can be modified to provide additional data storage, scanner appliances, and security scans to meet customer demands.
@Customer is designed to provide end-to-end security for sensitive vulnerability data, following industry best practices at all layers of the application. The @Customer platform follows the defense-in-depth approach to IT security, and customers are able to add any requisite infrastructure security based on their own security practices for protecting sensitive data (which may include intrusion prevention, firewalls, etc.). All customer data is encrypted with 128-bit AES, and neither Qualys nor anyone without authorization has visibility into the security data gathered. Aside from the distributed QualysGuard Scanner Appliances, @Customer requires only a single rack mount for all components.
Now, through @Customer, all of the benefits of SaaS are combined with the power and flexibility of an onsite SOC, so that organizations can achieve the highest levels of IT security and regulatory compliance possible while retaining complete control of the security data about their infrastructure. @Customer is the only solution to converge the benefits of SaaS delivery, management, quality, and low cost with the power and control of onsite vulnerability and compliance management—while eliminating the great concerns that surround the outsourcing of security and the associated government regulations, internal policies, and contractual agreements that forbid the disclosure or sharing of IT security data. @Customer is provided for an annual $100,000 lease—a fraction of the cost of other alternatives or of attempting to build a similar solution in-house.
Through this continued vision of simplified security and on-demand software services delivery, Qualys has removed the complexity of security checks for the end user. Since its inception, Qualys has held both the vision and the technical capability to leverage the efficiency and scale of the Web to bring this goal to reality. Qualys provides its customers with automated security audits, the way they need them and accessible at any time from any Internet browser. QualysGuard @Customer is only the most recent example.
Executing the Vision Just because the complexity of vulnerabilities, attacks, and regulatory compliance burdens are all on the rise doesn’t mean that the tools used to protect IT systems need be. In fact, Qualys has demonstrated quite the opposite through its on-demand Web services-based QualysGuard line of vulnerability management appliances.
Since its founding under Philippe’s leadership, Qualys has transformed the way security applications are delivered through its on-demand, Software as a Service model. Philippe had identified two trends that would permanently transform IT security: 1) Software would become a service that is delivered rather than a product that is installed and maintained by the end user; and 2) In order to achieve the highest levels of security possible, security technology must be simplified and also blend into the very fabric of business-related technology.
The rest of the high-tech industry is just now catching up to Philippe’s vision of these two trends. The trend toward security evolving into the infrastructure can be seen with Cisco Systems and Microsoft’s respective NAC and NAP technologies. It is seen with Symantec’s acquisition of Veritas, as well as EMC’s recent acquisition of RSA Security; both highlight how security is merging with storage and data management technologies. The Software as a Service trend is already well underway and can be witnessed by Microsoft’s significant commitment to this delivery model, as well as with Salesforce.com’s phenomenal success. Long before SaaS was the buzz of the day; before Google rose to its dominance; before Salesforce.com became a household name; and while the Internet bubble imploded and many lost faith in the future of the Internet as the dominant platform for e-business, Philippe drove forward to build Qualys as a company that would transform forever the largely complex processes of IT security into a streamlined process that could be understood and performed by anyone, regardless of their depth of technical acumen. Through the success of its flagship vulnerability and regulatory compliance management solution, QualysGuard, Qualys has transformed a complex and traditionally manual process into a fully automated, accurate, cost-effective, and easily deployed on-demand system for reducing the business and regulatory risks surrounding business-technology systems.
QualysGuard Brings Affordable, Simplified Security and Regulatory Compliance to Companies of All Sizes The QualysGuard line of vulnerability and compliance management solutions provides the easiest–to-deploy, most accurate, and most comprehensive way to reduce security and regulatory compliance risks. All a company needs is a Web browser to scan its network to spot and fix the vulnerabilities that constitute the gateway for roughly 99 percent of all successful attacks. That’s how Qualys has forever transformed the way companies reduce the risks associated with their IT systems—and at a cost that is, on average, 50 to 90 percent less than traditional software scanning solutions.
The company’s innovative security services model doesn’t require companies to deploy costly servers to scan for software and network vulnerabilities. With 99.999 percent accuracy, no software to manage, and tight integration of both vulnerability and compliance management, Qualys has slashed the levels of operational-risk.
Here’s an overview of QualysGuard, and how it is more innovative and effective than the competition:
Global Deployability: Easily performs scans on geographically distributed and segmented networks both at the perimeter and behind the firewall. Lower Total Cost of Ownership: On-demand technology offers significant economic advantages with no capital expenditures, extra human resources, or infrastructure to deploy and manage. Extremely Accurate and Up-to-Date: QualysGuard has the largest KnowledgeBase of vulnerability signatures in the industry (5,000+), and performs more than two million scans per month with an unparalleled accuracy rate 99.999 percent. Scalable: Rapidly deploy and expand using QualysGuard's distributed scanning and on demand architecture. Strong Security Model: Protects in-transit and in-storage data, using SSLv3 and AES encryption.
QualysGuard Provides the Highest Accuracy in the Industry Every QualysGuard on-demand solution fully leverages Qualys’ centrally managed Secure Operations Center. Each time a customer performs a vulnerability scan, they’re running the very latest version of the application, including the most up-to-date vulnerability checks. Within the SOC, Qualys’ R&D team virtually eliminates the likelihood of costly and time consuming false-positives through consistent audits of the effectiveness of vulnerability signatures. This continuous Quality Assurance testing – of each and every signature – within the QualysGuard Knowledgebase and the on-demand, Web services delivery of updates far surpasses the capabilities of clunky software-based scanners. Through QualysGuard, customers – without ever having to manually manage or update the application or vulnerability database themselves – instantly benefit from application updates, enhancements, and the most accurate vulnerability signatures possible.
And when it comes to accuracy, Qualys is fanatical. And its Six Sigma quality program is one example of this. Through this program, Qualys is continuously improving upon its already unmatched quality. Throughout 2003, Qualys scanned one million unique hosts each quarter, and maintained an accuracy level of 99.997 percent for the year. Through the second quarter of 2005, Qualys raised its own unsurpassed standard: With more than ten million hosts scanned each quarter, it achieved a greater than 99.999 percent accuracy rate. That means that fewer than 30 false positives were reported after ten million unique network devices were scanned every three months.
These are just some of the ways Qualys has forever altered how vulnerabilities are identified and fixed. It has slashed and simplified the formerly complex process of vulnerability and compliance management. Now, companies everywhere can proactively protect their networks and integrate security with business policy and regulatory demands. Security threats and government regulations are growing in complexity, but Qualys has proven that the tools used to protect systems certainly don’t have to.
QualysGuard’s benefits to customers:
Scanning
Comprehensive vulnerability KnowledgeBase that incorporates 5,000+ unique checks—the largest vulnerability database in the industry.
Network mapping rapidly detects and identifies servers, desktops, routers, wireless access points, and other networked devices.
Inference-based scanning engine.
Authenticated or unauthenticated scanning capabilities.
Internal and external scanning provides a 360-degree view of network vulnerabilities.
Scans are configurable for optimum performance and minimum network load.
Customization of scans to seek out specific ports/services and specific vulnerabilities.
Schedule and automate network discovery and vulnerability scan tasks on a daily, weekly, or monthly basis.
Automated daily updates to the QualysGuard vulnerability KnowledgeBase.
Reporting
Easy access to concise, auto-generated reports.
Executive Dashboard provides real-time illustration of risk.
Detailed reports with verified remediation actions for technicians.
SANS Top 20 Report provides industry baseline.
Automated MasterCard SDP / Visa CISP compliance reporting.
Top ten reports of the most prevalent vulnerabilities (both internal and external).
Network topology visualization of all discovered hosts.
CVE-linked and Bugtraq-referenced vulnerability checks with detailed remediation instructions.
Customizable reports for flexible, on-demand reporting by business units for executives and managers.
Automated trending and differential reporting.
Export reports to HTML, MHT, PDF, CSV, and XML formats.
Remediation
Automatically generate and verify trouble tickets concerning network vulnerabilities.
Ticket trending and reports by owner, group, and vulnerability to measure network threat level.
Policy-based remediation workflow management with automatic trouble ticket creation/assignment.
Automated remediation ticket generation and verification.
Out-of-the-box integration with ticketing systems (e.g., Remedy).
Out-of-the-box integration with patch management and software distribution solutions (e.g., Citadel, PatchLink).
Policy Compliance
Trusted, third-party network auditing and reporting meets the compliance needs of HIPPA, GLBA, SB 1386, Sarbanes-Oxley, and others.
Automated Self-Service MasterCard SDP / Visa CISP compliance certification.
Management
Automatic centralized reporting from distributed scans.
Consolidated administration of both internal and external (perimeter) scanning.
Flexible asset prioritization and asset grouping that gives users the ability to fix the highest priority vulnerabilities based on asset value and security policies.
Daily signature updates and feature enhancements are completed automatically and transparently to the user.
Hierarchical role-based user access controls allow delegation of responsibilities to reflect organizational structure.
Authorized user access from any location.
Scheduled scans and network discoveries.
All functionality and management is available via a Web browser.
Appliance-based; no software to install or maintain.
Deployability/Scalability
Deploys in minutes with no software installation, rollout complications, or maintenance upgrades.
Immediately accessible anytime, anywhere, via a Web browser.
On-demand technology allows users to scan globally with no additional infrastructure to buy or maintain.
Security
End-to-end encryption of vulnerability data.
SAS/70 audited security architecture provides maximum data protection.
Section 508 compliant.
Optional two-factor authentication with RSA SecurID.
Trusted, third-party certification of network security with tamper-resistant audit trails.
Secure architecture protects scan results from tampering and manipulation.
Interoperability
Extensible XML-based API.
Policy Compliance SDK available for custom report generation.
Out-of-the-box integration with existing or legacy security management consoles (e.g., ArcSight, GuardedNet, Symantec, etc.).
Correlates with Snort IDS, using the open source Qualys QuIDScor engine to eliminate IDS false positives.
Industry standard support for vulnerability scoring with Common Vulnerability Scoring System (CVSS).
Industry standard support for the addition of custom detections using Open Vulnerability Assessment Language (OVAL).
Support
24x7x365 email/telephone customer and technical support.
Weekly, Web-based customer training.
Technical training and certification workshops.
Multiple versions of QualysGuard are available for enterprises large and small, as well as security services providers:
QualysGuard has proven to be a phenomenal success. Today, Qualys provides on-demand vulnerability management and policy compliance to more than 2,000 enterprise subscribers, including 200 of the Forbes Global 2000. Using QualysGuard, security managers strengthen the security of their networks, conduct automated security audits, and ensure compliance with internal policies and external regulations.
QualysGuard @Customer: The Innovation Continues
In February 2006, Qualys took its on-demand platform to a new level when it unveiled QualysGuard @Customer, the first solution of its kind to offer the quality, cost, and deployment benefits of the Software as a Service (SaaS) model with the scalability, power, and data control of an onsite Security Operations Center (SOC) at a fraction of the cost of maintaining a traditional SOC.
The need for @Customer was clear: As corporations and government agencies struggle to secure the thousands—even tens of thousands—of devices within their infrastructure, they find that traditional vulnerability scanners don’t adequately meet the complexity of the task: they don’t scale to quickly identify all of the assets within the infrastructure and all of the associated security flaws, while the costs to deploy dozens of scanners or hire teams of consultants remain high. To make the situation even more challenging, many large corporations face internal security policies, contractual agreements, and government and international laws that forbid outsiders from having access to security information regarding their infrastructure—information that in the wrong hands would create great risk of compromise.
QualysGuard @Customer solves all of these problems: it scales to perform millions of scans and secures the most complex of environments from misconfigurations and vulnerabilities—all at a fraction of the cost of any alternative or competing product or service. In addition, QualysGuard @Customer solves all of the issues surrounding thorny regulatory and security policy demands when it comes to IT security data sharing.
The fact is that QualysGuard @Customer is the first vulnerability management solution to provide all of the benefits of Software as a Service—low cost, high quality, and ease of deployment—with the power, scalability, and control of an onsite Security Operations Center. The core of the @Customer security solution is built upon Qualys’ hosted QualysGuard vulnerability management service. The entire solution is built to remain secure: the application servers run on Linux; the database servers run on the Red Hat Enterprise 3 operating system and the Oracle Standard One database; and all additional servers run on a hardened modification of Red Hat Linux with a customized, locked-down configuration. While all the hardware and software is located onsite, Qualys provides all necessary hardware and software support and maintenance.
Through @Customer, organizations maintain complete control and confidentiality over their sensitive security information to ensure that they continuously meet internal security policy, government regulatory, and internal contractual data security demands.
That’s how @Customer elevates the power, flexibility, accuracy, and cost-effectiveness of QualysGuard for corporations, governments and government agencies, and security service providers that need to secure tens of thousands of devices and maintain total confidentiality of security vulnerability data. The redundant and load-balanced @Customer architecture is fully automated and operates 24x7x365. Customers are assured that within the @Customer data center continuous audits identify new vulnerabilities, and effective remedies are always applied. Additionally, a robust firewall, integrity checking system, and intrusion detection architecture are implemented to protect against and monitor any attacks. Service Level Agreements (SLAs) for the @Customer data center are equivalent to those of QualysGuard: 99 percent uptime calculated quarterly.
The @Customer Security Operations Center is the first of its kind and is based upon the identical architecture of Qualys’ internal SOC, which today performs more than seven million scans every month. The @Customer base configuration supports the deployment of up to 2,000 QualysGuard vulnerability management scanners, which can perform millions of scans every month. The system can store 700 GB of security data. Each @Customer configuration can be modified to provide additional data storage, scanner appliances, and security scans to meet customer demands.
@Customer is designed to provide end-to-end security for sensitive vulnerability data, considering industry best practices at all layers of the application. The @Customer platform follows the defense-in-depth approach to IT security. And customers are able to provide any requisite infrastructure security based on their own unique security practices for securing sensitive data (which may include Intrusion Prevention, Firewalls, etc.). All customer data is completely encrypted with 128-bit AES encryption, and neither Qualys nor anyone without authorization has visibility into the security data gathered. Aside from the distributed QualysGuard Scanner Appliances, it requires only a single rack-mount for all components.
Now, through @Customer, all of the benefits of SaaS are combined with the power and flexibility of an on-site SOC so that organizations can achieve the highest levels of IT security and regulatory compliance possible while retaining complete control of the security data about their infrastructure.
@Customer is the only solution to converge the benefits of SaaS delivery, management, quality, and low cost with the power and control of onsite vulnerability and compliance management—while eliminating all of the great concerns that surround the outsourcing of security and the associated government regulations, internal policies, and contractual agreements that forbid the disclosure or sharing of IT security data.
@Customer is provided for an annual $100,000 lease—a fraction of the cost of other alternatives, or attempting to build a similar solution in-house.
Through this continued vision of simplified security and on-demand software services delivery, Qualys has removed the complexity of security checks for the end user. Since its inception, Qualys has held both the vision and the technical capability to leverage the efficiency and scale of the Web to bring this goal to reality. Qualys provides its customers with automated security audits—the way they need them and accessible at any time from any Internet browser. QualysGuard @Customer is only the most recent example.
Qualys’ customers range from small businesses to the Fortune 100. And they all benefit from the following features that enable them to cost-effectively reduce the risks associated with their business-technology infrastructure and attain regulatory compliance:
QualysGuard enables customers to discover and prioritize every networked asset.
QualysGuard enables customers to proactively identify and fix security vulnerabilities.
QualysGuard enables customers to prevent worms, viruses & Trojan horses.
QualysGuard enables customers to manage and reduce business risk.
QualysGuard enables customers to ensure compliance with laws, regulations, and corporate security policies.
Perhaps the benefits of end users are best summed up in their own words:
"The world of security is becoming more complex and threatening every day. Today, firewalls and intrusion detection solutions simply aren't enough. We need a solution that will not only help us identify potential vulnerabilities, but will also prioritize which vulnerabilities are the most important and what steps are needed to correct them. Qualys has helped companies like ours anchor their security policies with an automated, scalable and proactive solution that will result in a bottom-line ROI." – Deefay Young, Senior Network Security Analyst, Adobe Systems
"QualysGuard will allow AXA to prove to regulators, who are increasingly conscious of the risks to IT systems, that we are actively managing potential risk." – Monty Couch, AXA
"With its huge KnowledgeBase of known vulnerabilities and fixes, QualysGuard eliminates the need to hire experts on each of our operating systems and applications." – Lenard East, Network Engineering and Operations Manager, Bank of the West
"The favorable cost-benefit ratio, the simplicity of using the product, and the differentiated reporting functions were decisive criteria which impelled specialists and management alike to opt for the implementation of this particular scanner." – Thomas Barth, Head of Information Security, BSH Bosch and Siemens
The Next Innovation: Integrate Organizational IT Security and Compliance Efforts for Maximum Efficiency
The threats posed against business-technology systems, and the laws and regulations that govern their use and the handling of the sensitive information they hold, are constantly changing. The struggle to remain both secure and compliant can be difficult and expensive. Currently, companies are forced to throw significant amounts of capital and labor at separate security and compliance initiatives. Qualys, under Philippe’s leadership, is already well underway developing new innovations that leverage the power of SaaS to help companies unify their IT security and compliance programs, by once again eliminating complexity and blending security deep into the fabric of business-technology systems.
Philippe’s vision is to utilize SaaS to forever change the way companies and government agencies manage their IT security and compliance programs by coalescing data collection from the myriad of enterprise point products already in use: network and system management tools, vulnerability scanners, and security event managers. Simply collect the data once, then slice and dice it into appropriate reports for the correct constituency. The efficiencies gained will enable everyone in the organization, from executive management to security professionals and internal auditors, to always have at the ready the actionable information they need to remain both secure and compliant with government and industry regulations, as well as internal security policies.
Philippe Courtot: Risk Taker, Market Maker
Throughout his career, Philippe Courtot has demonstrated a unique mix of technical vision, marketing, and business acumen. Time and time again, Philippe has transformed largely unknown, yet innovative, companies into industry leaders.
Prior to his current position as chairman and CEO of Qualys, Philippe was the chairman and CEO of Signio, an electronic payment start-up that he repositioned to become a significant e-commerce player. In February 2000, VeriSign acquired Signio for more than a billion dollars. Today, VeriSign's payment division, based on the Signio technology, handles 30 percent of electronic transactions in the U.S., processing $100 million in daily sales. Before Signio, Philippe was president and CEO of Verity, where he reengineered the company to become the leader in enterprise knowledge retrieval solutions. Under Philippe's direction, the company completed its initial public offering in November 1995. Philippe also turned an unknown company of 12 people, cc:Mail, into the dominant e-mail platform provider, achieving a 40 percent market share while competing directly against IBM and Microsoft. Acknowledging the market-leading position of cc:Mail and the significance of e-mail in corporate environments, Lotus acquired the company in 1991.
In 1986, as CEO of Thomson CGR Medical, a medical imaging company, Philippe received the Benjamin Franklin award for his role in the creation of a nationwide advertising campaign promoting the life-saving benefits of mammography. Philippe served on the Board of Trustees of The Internet Society, an international non-profit organization that fosters global cooperation and coordination on the development of the Internet.
As a longtime Silicon Valley entrepreneur, Philippe has taken many risks to bring to reality his vision for the hi-tech industry. For example, he first began evangelizing the benefits of on-demand software in 2000. At a time when other previously championed “service” business models were failing to deliver on their promises, Philippe took a significant career and financial risk by investing his own money to launch Qualys and ensure that the industry’s first on-demand vulnerability management service would not only succeed, but would fundamentally change the industry.
Today, other security vendors, as well as other technology leaders, are following Qualys’ successful business model and offering on-demand technologies and services.
It was Philippe’s vision that brought on-demand technology to the network security industry, an industry long thought to be far too complex and sensitive for the Software as a Service (SaaS) model. Philippe realized that complexity was often security’s biggest enemy. His vision for QualysGuard has given companies of all sizes more efficient and effective ways to manage the security of their networks.
French and Basque born, Philippe holds a Master’s Degree in Physics from the University of Paris. He came to the US in 1981 and has lived in Silicon Valley since 1987.
Qualys Inc. 1600 Bridge Parkway Redwood Shores, CA 94065 USA Tel: 1-650-801-6100
Copyright © 2006 Silicon Valley Communications - All rights reserved.