Qualys rolled out a powerful new feature in their January Cloud Platform Release Version 10.7 that offers a new method to identify and merge the results of remote IP-tracked scans with data collected by the Qualys Cloud Agent to create the Unified View of an asset’s vulnerabilities.

Merging remote IP-tracked and agent-tracked vulnerability data is not new to Qualys.  This capability already exists using agentless tracking, however this new merge method is significant because the remote scan now does not require host authentication to match the IP-tracked asset with its corresponding agent record.

Same Great Coverage, Less Overlap – Why the new method is better

The new identification method is a very big win for any Qualys customer using remote scans to close the cloud agent detection gap.  Cloud Agent assets with duplicate records due to failed authentication will become a thing of the past, so asset inventory will be more accurate.

Minding the Gap – Why Merging Scan Data Is Important

The Cloud Agent provides better internal coverage of an asset than using a remote authenticated scan, and in many use cases is the only option where a network scanner appliance can’t scan the asset.  That said, the Cloud Agent cannot perform remote-only (unauthenticated) vulnerability detections such as open ports, protocol analysis, or web CGI checks, nor is the agent capable of performing detections requiring non-OS level authentication such as to a database or webserver (HTTP).  In addition, there are a small number of remote authenticated-only checks the agent is unable to perform.  It is important to note, however, that Qualys has a 100% parity goal for Cloud Agent coverage compared to a remote scan for supported authenticated local vulnerability checks.  The new Agent Correlation ID brings Qualys one step closer to removing the need for OS-level authentication on Cloud Agent assets.

Overall, the detection gap isn’t significant but it shouldn’t be ignored if possible.  To close the gap, many Qualys customers leverage both remote and agent-based scanning, and use the agentless tracking option to match the asset and combine the results and understand an asset’s complete technical risk.

A key concern with agentless tracking is remote scans require host authentication to collect the Agent Identifier string.  If authentication fails during a remote scan, two separate asset records are created because there is no other completely reliable way of matching the scan results to the same asset as the agent.  This duplication of asset records makes it difficult for customers to get accurate and complete visibility of their asset inventory and overall risk.

New and Improved – What is the new Hybrid Scanning method

Qualys recognized the pitfall of failed authentication and innovated a new optional method to correlate remote scan data with agent-based scans that does not rely on authentication.  The Cloud Agent now has a new function in the Configuration Profile called Agent Scan Merge.  Also, a new datapoint is introduced called Agent Correlation Identifier, a unique string to identify an asset.

The new correlation method starts with enabling the Agent Scan Merge function, which instructs the agent to open one TCP port on the asset, the first available in a range of 10001-10005. There is a secondary option to open all five ports, which could be useful in situations when there is no certainty which port(s) will be available on the host or accessible to a network scanner appliance.

When the agent detects a remote scan on the port, it responds with the Agent Correlation ID.  The remote scan detects the identifier string using a new Information Gathered QID 48143 “Qualys Correlation ID Detected”, and uses it to merge remote vulnerability data collected with the agent’s asset record.

New Agent Scan Merge workflow:

More power, but what’s under the hood?  Other Considerations

Port Security

Security professionals know that opening a new port is something that should be done with scrutiny towards confidentiality, integrity, and availability.  The new Agent Scan Merge feature is well designed with those considerations in mind:

• The agent TCP listening service will not accept or parse any incoming packets – this eliminates any possibility of compromising the service for port intrusion.
• The service will respond to any traffic detected on the port, but it will only provide the Agent Correlation ID in response.
• The ID is an independent alpha-numeric string that is only useful to Qualys in matching the asset to the agent record.  Anything else that might send traffic to the port (unintentionally or maliciously) will also receive the ID but it cannot be used to compromise the asset.
• Any impact from a DDoS attack on the port will be severely diminished because the cloud agent has a built-in CPU throttle (when the agent Configuration Profile has CPU set to default ‘Normal’)

Qualys is working to make the Agent Scan Merge port assignments customizable in the future.

If there are still concerns about the open port on cloud agent assets when connected outside of the corporate network, Qualys offers the option to restrict when the agent enables the port.  The On-Premise Detection option can be used to define when an asset is connected inside the corporate perimeter, through either a defined IP Address or range, Gateway IP, and Subnet Mask, or by using a regular expression to define a DNS Suffix (or multiple suffixes.)

In addition, it is possible to modify the scope of agents using the feature by including (or excluding) assets using applicable Asset Tags in the agent Configuration Profile.

Existing Duplicate Asset Records

The new Agent Scan Merge feature will only prevent new duplicate records from being created on Cloud Agent assets – as long as ports 10001-10005 are reachable by the scanner, at one of those ports is available on each asset, and a scan is launched with QID 48143 included in the scan.  If the ports are not reachable, or the QID is not included in the scan, the asset merge will fail and a duplicate asset record will be created.

Asset merging will only occur from the moment the feature is activated, it will not clean up any previously existing IP-tracked assets generated due to previous failed authentication.

As of this writing, the Cloud Agent does not presently support the Agent Scan Merge feature on Mac, AIX, or BSD operating systems.  Unified View on these OS types is still available, but scans must use authenticated remote scans along with agentless tracking.

Drivers, Start Your Engines!  Enabling Agent Scan Merge

Using the Agent Correlation ID and Agent Scan Merge feature is fairly straightforward, but there are prerequisites and configuration choices that need consideration:

Prerequisites

• The Agent Correlation Identifier feature must be available on your Qualys Platform.
• Agent hosts must have the minimum Cloud Agent version:
  • Windows Agent version 4.2 or later.
  • Linux Agent version 3.1 or later.
• The agent configuration profile must have the Agent Scan Merge option enabled.  Steps are outlined below to enable the option.
• The following TCP ports must not be blocked on the network: 10001, 10002, 10003, 10004, 10005. When the feature is enabled, Qualys will automatically add these ports to every scan on the backend (not in the Scan Option Profile) when the agent correlation identifier is accepted.  At this time, this is not a configurable option.
• Vulnerability scans must include Information Gathered QID 48143 “Qualys Correlation ID Detected”.  Using the “Full Vulnerability Scan” option will include this QID by default.  If a Custom scan is using a Search List, this QID must be added manually to the search list.

Acceptance and Configuration

To get started, there are settings to be updated in two locations in the Qualys UI:

In the Vulnerability Management module:

1. Navigate to Assets > Setup > Asset Tracking & Data Merging.  On the tab Unique Asset Identifiers, scroll down to Agent Correlation Identifier and select the option Accept Agent Correlation Identifier (this can only be changed by the Primary Contact on the subscription):
   
   
2. In the same window, select the Asset Tracking & Data Merging tab and select the option Merge data for a single unified view (this can only be changed by the Manager Primary Contact on the subscription):
   
   
3. In Scans > Option Profiles, either create a new option profile (or edit an existing profile) and make sure the scan is set to Complete or if Custom is selected then ensure QID 48143 is added.

In the Cloud Agents Module:

1. Navigate to Agent Management > Configuration Profiles. Select a profile to edit (or create new)
2. In the Configuration Profile editor, under section Agent Scan Merge, select Enable Agent Scan Merge for this profile:
   

Then finally, in the Vulnerability Management module:

1. Navigate to Scans > Option Profiles. Create a new option profile (or edit an existing profile) and make sure the scan is a Full scan of all QIDs or a Custom scan with QID 48143 added.
2. Launch a new vulnerability scan – scans will start gathering data for QID 48143.

Brace Yourselves, A Webinar Is Coming…

Join Qualys on February 17th, 2021 1:00 pm EST as Spencer Brown, Qualys Cloud Agent SME, presents a talk on the New Unauthenticated and Agent-based Scan Merging Capabilities in Qualys VDMR.

Register for the event here – https://www.brighttalk.com/webcast/11673/464819

References

Qualys Cloud Platform Version 10.7 Release Notes

https://www.qualys.com/docs/release-notes/qualys-cloud-platform-10.7-release-notes.pdf

Qualys Blog: Unified Vulnerability View

https://blog.qualys.com/product-tech/2021/01/21/unified-vulnerability-view-of-unauthenticated-and-agent-scans

Qualys Documentation – Getting Started with Agent Correlation Identifier (no login required)

https://qualysguard.qg2.apps.qualys.com/qwebhelp/fo_portal/host_assets/agent_correlation_identifier.htm