Black Hat Conference: Multi-Vector EDR, With Qualys

Black Hat USA went virtual this year, thanks to COVID-19. Nonetheless, as always it was chock full of compelling stuff. I had the honor of hosting a session during the weeklong event, speaking with Sumedh Thakar, president and CPO of Qualys, and Ben Carr, Qualys CISO, during which we discussed Multi-Vector EDR, the company’s new multi-vector endpoint product.

Multi-Vector EDR leverages the Qualys Cloud Platform to collect and correlate vast amounts of IT, security and compliance data to provide a broader view beyond the endpoint. It’s compelling technology and something completely new in the IT security space.

The video of our session is below, followed by a transcript of the discussion. Enjoy!


Alan Shimel: Hello Black Hat attendees, and welcome to this session. My name is Alan Shimel. I’m the editor in chief for, Security Boulevard, CEO founder of MediaOps and I’ll be your host as I introduce you to my two guests for this session. Let me introduce you to Sumedh Thakar, president, chief product officer at Qualys. Sumedh, welcome.

Sumedh Thakar: Thank you. Good to be here.

Shimel: It’s good to have you here and joining Sumedh and I is Ben Carr, CSO chief information security officer at Qualys. Ben, welcome.

Ben Carr: Thanks, Alan. Appreciate it. Look forward to being here.

Shimel: Okay and to our friends at Black Hat watching this, thank you for joining us. I know this year’s a little bit different for us. We’ve been going to Black Hat for years. It’s the first virtual Black Hat. And while it may not be the same as sharing a beer or a drink together in person, there’s also a lot we can do and I hope you’re going to enjoy what we have in store for you today.

We’re here today, though, ’cause we’re going to talk about Qualys’ recently introduced new product, new entry, multi-vector endpoint product. Sumedh, if you don’t mind, I’m going to ask you to do the honors of kind of just laying out what exactly is a multi-vector EDR.

Thakar: Yeah, so this is what the audience is very familiar with, the EDR term, which is endpoint detection and response, and what we have basically done is taken that to the next level by introducing the concept of a multi-vector endpoint detection and response, which we just launched recently just at the end of July and it brings a very different perspective to EDR, which, Alan, you’re very familiar with.

Today, a lot of the EDR lacks context and what the multi-vector EDR from Qualys does, it brings a lot of enrichment context from many different vectors of asset inventory _____ management configuration assessment, etcetera, to making the EDR much more effective and actually something that helps broaden the response as well.

Shimel: Sure. You know what? All three of us have been in the security industry for many, many years collectively. Between the three of us, there’s probably a lifetime of security there. And, you know, and EDR quite frankly has been a moving target for many years. Right? We’ve all lived through the transition from what we used to call anti-virus to endpoint protection to now EVR, right? But really, what we were always talking about was how do we protect individual endpoints from malicious activity and there are, over the years, the vectors and the attack surfaces have multiplied, but it’s still that same mission.

And quite frankly, you know, I could go back to Black Hat in 2005 I remember being there and we were talking about is antivirus and endpoint useless. Is it obsolete and what to do, are we better off, you know, when Microsoft went to a free antivirus model, everyone – remember those days, Ben? I’m sure you remember, is this the end of it? Because quite frankly, what was missing all that time was context. Right?

We were never able to get endpoint security beyond the screen. We could only see what was happening on the screen and the hard drive on the endpoint and we were never able to put it in context of in a real tie or semi – you know, near real time mode of what was happening right then in the world around us, in our network around us, in our peers around us, our other devices. It was missing that context.

And that’s really, when I look at multi-vector EDR, the multi-vector EDR, to me, we finally have context. And we’re going to discuss this in a lot greater detail. But you know what, Sumedh, I really think that our audience would benefit from seeing maybe the interface, a quick demo of the product so then we could come back and dig in a bit. What do you think?

Thakar: Yeah, I think that’s a great idea because this is such a new concept in EDR that I think it would be good to do a quick use case. So I think what I can do is credentials and those being leveraged for credential dumping and using that to attack the machines has a lot of different things around it that a multi-vector EDR can really bring that out and then help the response.

So what I’m going to do is I’ll do a quick demo to show that end-to-end use case, which will really kind of set the stage and highlight what we’re talking about here and then we’ll come back and talk a little bit more about it. So let me go ahead and pull up the demo here so that I can see what we can do.

Shimel: Fantastic. Thanks, Sumedh.

Thakar: Okay, so I’m going to do a demo of the multiple vectors that go into the multi-vector EDR that we talked about and the absolute first one that is the most important which brings the most amount of enrichment is a true global IT asset inventory and this is one of the things that we do extremely well, but we do it at a broader scale on the Qualys platform because we are bringing devices that are beyond endpoints as well, which really adds the bigger context of the entire asset inventory and so you can see that we’re bringing everything from IoT devices to endpoints, client hardware, operating systems, a lot of information on end of life systems, EOL, of course we bring the vulnerabilities, the different types of software that is installed.

We categorize and normalize that information into different types of assets and asset categories. And with that, you kind of have a really comprehensive visibility of the inventory, and that’s really the starting point. Once you have that and the free agent that we provide with the multi-vector EDR really gives you the ability to do this inventory and do it accurately. And so with that, a lot of times the EDR solutions fail is just being able to find out all the devices where your EDR is not even running.

And so because they’re based on an agent, so one of the things that we do is with our ability to bring all of that inventory in one place, we can very quickly tell you all of your devices that are Windows operating system, and then I can go here and type to say, which ones of those are not activated for EDR, and you’re going to see 20 assets that are not activated for EDR that are Windows systems.

So you are getting a very good idea of the coverage, quickly go on to select those assets and within the Qualys platform, you can just activate these agents for endpoint detection and response and then within a few minutes, you’re going to have them connecting and downloading the ability to do, perform EDR on that same agent that is doing vulnerabilities, etcetera.

So now we can go into the more specific view on an EDR, which gives you this very nice dashboard that very quickly identifies the number of assets that are being monitored, how many of those assets are infected and with how many new malware that were detected today.

So, of course, there’s a lot of additional information, the family of malware and the number of evens and files and processes in network and we’ll see that through the rest of the demo, but the big thing that we do now is also map that into the MITRE framework. Right? So there’s different stages of the attack and there’s different techniques that are being used and the ability to have a much broader platform that is actually able to not just focus on the telemetry collector but the endpoint, but also using passive scanners and other connectors that we have on the platform, gives us the ability to do a much broader mitre framework mapping. You know, for example, a discovery, if you are an only agent based solution, you only have limited ability, versus if you have a passive scanning solution, you can get a much broader perspective.

And then of course, we can see the top techniques that are being used in the last 24 hours. You can see the malicious events that are being generated, which are the family of malware that is causing the most havoc in your environment, which are your high risk assets. The dynamic asset tagging brings the ability to do quick mapping of the assets and the ability to then map those to the CVEs, and this is something that we’re going to talk about in this demo.

So I’m going to focus on one of the commonly used techniques which is related to credential access, so leveraging malware to dump LSAS, the credentials from memory is something that’s very commonly used, so now you can come here, see tactic names, credential access. There are eleven behavioral and one IT exploit that was detected.

Once you go in there, you can see there’s two specific ones we have narrowed down on and then let’s pick this executable and I’ll tell you why this was flagged. Because you – and let me jump directly – I mean in addition to all of the basic information that you get because of the broader inventory, one of the things that you’re going to get is a very quick ability to look at the process tree.

Now when you look here, you will see that this is sort of an unknown executable, ytd.exe, that we hadn’t seen before, but it was dropped from Firefox. Right? So most likely somebody went to a website or downloaded something from Firefox, which then executed this executable. There was a network connection that was made, two processes were executed from there.

And if you click on host, you will see that the antimalware capability, which is your signature based, actually blocked, this is a Mimikatz family of malware which is used to try to get the credentials.

Now, this was blocked, but why it was flagged in the EDR, and this is really where you need the EDR is the antimalware only matches the signature and it’s blocking it, but it’s not giving you the broader context of the overall way that this thing got there.

So the first thing you want to do from a remediation perspective, which we now provide directly as part of our EDR is the ability to take action, whether it’s kill, quarantine, delete, etcetera, but you can pick that file, you can see the associated events from that file, network connections, etcetera, and then you can basically say, “I want to take a specific action,” so that you’ve sort of taken care of that one particular host, but you can get a lot more additional information about the image, etcetera, but then here it’s where it becomes very interesting and the multiple vectors come into play, right, because the response that we saw as the traditional response that any EDR solution provides, which is, let’s go kill the process, kill the file, kill the malware, etcetera, but as we all know, that the specific system most likely is not going to be leveraged in production again until it is taken out completely, reimaged and then put back into production environment.

But, the response that you really are looking for is the prevention, is the ability to now find out that Firefox has a particular vulnerability that is exploitable where malicious support execution can be done and that’s most likely where that executable came in. And then the second is that you could have prevented the ability for that Mimikatz or any other solution, no matter whether it comes through Firefox or any malware that comes through a USB or anything like that is that you can leverage misconfigurations or configurations, I should say, on the device to be able to block the credential stealing that can happen.

And these are configurations that you can enable on your systems. And a lot of times, this ability to take a response here by looking at the misconfigurations, selecting them quickly and then going and fixing, finding all the other hosts that are impacted in your environment where this thing is not enabled. Now you can go clear the quick job that leverages the same agent, that is already deployed and then takes the remediation action.

So this response, which goes beyond the specific endpoint that is impacted is very crucial to be able to take a response action which actually prevents future attacks that may be leveraging that kind of a technique or that kind of a capability, and then we can go and first take care of that to make sure that you cannot execute that kind of an attack there. After you’ve done that, you’ll see that’s in progress. The next thing is to look at the vulnerability. Right?

So now here where we tie VMDR and EDR together, and this is so crucial to have those on the same platform, because now you can see all vulnerabilities in your environment on those critical remote endpoints which are related to malware, but we can filter it down to that specific CVE, which was the Firefox one that we talked about and you can see that three hosts are impacted right now.

And so you want to focus on those because you want to immediately go and start deploying the patches that fix that on all the hosts that that particular Firefox binary is left unpatched. And the same platform leveraging the same agent can now do this. And this is really the big part of the multi-vector that we talked about is the ability to bring together configuration assess, a configuration assessment, a malware detection vulnerability assessment. So EDR _____ multi-vector EDR are two sides of the same coin to bring them together to execute a much broader response than just killing the particular process.

And so here you will see that that thing went down and you now only have eleven issues that you’re looking at from a credential access perspective. And then really being able to provide a much broader visibility, not just on a specific host, but being able to have a unified dashboard that brings all the information related to your top assets, the ability to look at the vulnerabilities, to categorize them into client versus server, end of life.

This context is very important for a multi-vector EDR because now you can see, we had a multi-vector EDR, which are there where you’re tracking your prevention aspect of your response and then here when you come, you can see, of course, your more specific EDR response that you can take. And this is really where I wanted to, you know, I know we’re running over tie to get back to the conversation, but I – you know, this is really where I wanted to come in and give a very quick preview how the solution is now able to do a much more sort of a multi-vector capability, which brings in not just endpoint, but the rest of the information around it and then the ability to take response actions and bring in enrichment that goes beyond just the specific endpoint and just the traditional EDR solutions that only focus on that one particular endpoint.

Shimel: Sumedh, thanks. Thanks for that demo. I think our audience now understands a little bit more of what we’re talking about, the multi-vector EDR. You know, and it addresses so many issues that I think we’ve had to live with for too long in the security space. But first, Ben, I want to give you the first chance to comment. You saw the demo. You’ve obviously seen it before. What do you think? What’s your thoughts on this?

Carr: Yeah, thanks Alan. So, you know, for me as a security professional who’s been in the space quite a long time, one of the biggest challenges we face is, I think you mentioned it earlier, and it’s been a highlight point of mine is really developing true context. Right?

So when we see a security issue, how do we get to the relevant facts quickly and then how do we make the quick pivot to take action? And the tie in to operations, right, to be able to pass that information back and forth seamlessly between the security group and the operations group and actually provide that full set of context or informational security awareness, you know, operational awareness, operational readiness, to be able to take action once we see something.

So in the demo, as we looked at it, you know, we can see that there’s an action that would alert any traditional EDR product. And that’s fairly easy to do. But without the full context, without having the asset information, which Qualys really was on the forefront of developing that into a security product, leveraging that and then leveraging that connection into VMDR, which we related around RSA, that true functionality gives us the ability not only to see an event happen, understand the asset that it’s actually happening on, the context around it, all the other assets that it could potentially happen on, and then to quickly pivot to a response action, to actually take true response and remediation, not just for the asset in question, but for any other asset where we may have lateral movement or an asset in the enterprise that we don’t realize we have an issue with.

So I think that that legacy of what Qualys has developed and truly getting to that fundamental context or viewpoint is really what we’re executing on.

Shimel: Agreed. Agreed. And you make a good point with the VMDR stuff, Ben, and Sumedh, I think you’ll agree. I don’t think you could do this multi-vector EDR without that underling foundation of what it gives you, right? Because that context that we’re all now talking about, that wealth of information sits at that VMDR level. Right?

All of the intelligence, all of that information that is in a usable format, right, within is leveraged here at the multi-vector EDR space and to me, again, I don’t work at Qualys, but there aren’t many companies in our industry that can bring all of that together that have – Sumedh, I forget how many end points, the Qualys agent, how many instances of that are running right – I think it was 30 at RSA, so it’s gone up ten since then, right? Forty million agents out there. How many vulnerability scans, how many, you know, this – just the data alone. Now, as we know and we’ve covered it in the past, pulling all of that information into actionable intelligence is a job. But it’s something that you did already when you laid that foundation and now we see the benefits of it with this product.

I guess my issue – not my issue, but what I’d like to bring out with the demo is the management capabilities here across a network, across an organization, right, where we can leverage not only in protecting an individual endpoint, but again, leveraging that information across multiple endpoints, across an organization. When we see things – look, we’re here virtually ’cause of COVID. Right? And how many spearfishing and COVID related kind of attacks are we seeing, Twitter being the latest example. Right? This is the kind of thing that can help us there, I would think. Sumedh, what do you think?

Thakar: Yeah, absolutely. And I think you make a very good point about the fact that multi-vector EDR is possible because you have the foundation of VMDR already in place because – and actually they go hand in h and, right, if you really boil it down to the basics of compromises. There’s two things.

One is prevention and the other is detection. Right? So the prevention is you want to make sure you do everything to prevent the attack from happening in the first place. Right? That is patching your system, fixing your configurations, tweaking your policies, whatever it is, to harden that endpoint so that it doesn’t get compromised. But you’re going to have something or the other happen so if you look at that prevention part, that’s your VMDR. Right? You’ve got to do everything to make sure that you don’t have that attack happening in the first place.

After that, you want to be able to detect if there is activity happening that you want to take some action on and that’s where the EDR piece comes into play. Right? So you’re basically bringing the VMDR with the EDR together on the same platform, so not only do you reduce the agent that you have to deploy, but also that context is already tied in.

You know, I really like what you said at the beginning, which is EDR for too long has been focused on the screen. Right? IT’s about what is happening on the hard disk of that one endpoint. That’s really what they focus on to say what’s going on, but if that endpoint has been compromised by a printer in the network, which is compromised, you don’t get that because you cannot put an agent on the printer.

And so while the EDR _____ have been focusing on that, the reality is that the customer at the end of the day, they have been focusing on bringing all this data together in one place. Right?

And that’s why you see they’re pulling this data from many different places into a SIEM solution, into Splunk, into other solutions, trying to get that bigger picture context so that the analysts, they can reduce the amount of manual work they have to do when a compromise happens.

And that’s kind of what you’re seeing we are doing here is that we’ve built that platform with 40 million agents out there. We’re doing six trillion data points in elastic search. We’re doing five billion messages in Kafka daily, a million bytes per second on our Cassandra clusters. And the idea is that we bring all of that power of the platform packaged into that solution, which brings the VMDR and the EDR together so that the customers don’t have to do all of that because that’s a very costly affair for them to hire the developer’s, bring the data, have multiple agents and try to do this themselves.

And at the end, we’ve learned from our customers and that’s really what we’re trying to do with bringing multi-vector EDR is to bring that context. And as you saw in the demo, for a long time, the response from the traditional EDR vendor is just about killing the process or quarantine the particular system. But what you saw in the demo is the response needs to immediately be, I need to make sure that my other devices that may be vulnerable or may have this ongoing attack are protected right away.

And the reality is that once you have a device that’s compromised by malware, you’re never actually going to just use that device again. You’re basically going to take that offline, reimage it and do all of that. So the response is much more valuable when you’re actually able to protect the other devices quickly by pivoting within the same UI in sort of today’s approach where once you have some finding in the EDR , you have to go before other products to try to get the context of that system.

And that’s really what we are focused from a vision perspective and all the work we’ve been doing on scaling the platform the VMDR foundation to bring that together.

Shimel: Hundred percent right. You know, I’m listening to you talk and I’m thinking about my own experiences and you know, the idea of a SEIM and some of the log aggregators and management tools that we’ve had in the industry. Ben, I know you’ve been through this too, right?

That was sort of the promise is that we were going to bring all of these disparate intelligence points together, but as you say, Sumedh, we would have to leave that endpoint product to go look at the SEIM and then hopefully the SEIM saw something that was actionable and then we would decide based upon that, what are we going to do? Are we going to do it back on the endpoint product? Is it something I got to do at the firewall? Is it a patch? Is it something I better scan for vulnerabilities?

You know, and raise your hand out here, how many of you have spent tens of thousands, if not hundreds of thousands of dollars on SEIMs that were supposed to do this. And then we realized, right, what was the bane of the security person? Signal to noise ratio, false positives, desensitizing. Right? And that –

Carr: The data becomes unmanageable. Right? I mean, that’s the issue and then when we look at how analysts respond to work and what they look to do to actually escalate real issues, it’s only the very top level organizations who are going to invest, you know, millions of dollars who can afford to build a fusion center. Right? And ultimately, that’s – what we’re delivering on is what they’re trying to get to. Right? It’s this multi-vector approach where you can look at information as it comes in, see the relevance and then understand the pivots to actually take action.

You know, I mean I’m sure there’s a lot of other CSOs out there that have gone to the board and said, “Look, what we’re trying to do is not prevent every breach, because it’s just not functionally possible. Like, that’s a lie if you tell the board you’re trying to do that. Ultimately, the value is in how quickly can I respond and how quickly and impactfully can I recover.

And so that’s exactly what this platform from an MBDR perspective is trying to do is say, “We see it happening. It’s something that missed DPP. Right? It came through, we see this unknown exploit affect the endpoint. How can we prevent exploitation within the rest of the enterprise? How can we prevent spread? How can we recover and how can we maximize the value?”

Shimel: Excellent, excellent points, Ben. Sumedh, go ahead.

Thakar: Yeah, the one thing I will add to that is one of the things that is the most understated in this whole thing is the context of the asset from an inventory perspective. Right? We always talk about the starting point of any security program is a powerful asset inventory and almost nobody has it. So as you saw in the demo, one of the things that is part of the multi-vector EDR is a very powerful inventory capability that is included, which actually brings not just the information that is out there, but then we also normalize and categorize that information. And so that really helps you bring the context of the system.

I mean, you know, we’ve had EDR solutions in the past ourselves we’ve used and you basically get an alert saying, you know, see 29X75machine saw this particular thing, and then you have no context. You have to go on to other systems to try to find out who owns it, who’s logged in, is that – where is it located, is that my _____ right? And one of the things that we focus very early on is that we wanted to provide this as an inventory of high quality, provide the categorization, normalization, but also provide that ability with the agent to do that for free, right like don’t charge customers to get that basic inventory information, which of course really helps those customers because when they have something going on, not on does their IT team have a full inventory of everything that they have, but then you can also see the gaps, right, a lot of times in these EDR solutions, they can’t tell you where you don’t have EDR because they are only on the machines that you put them on.

And so as you saw earlier too, we focus in building a more holistic platform that is continuously bringing information about the assets, the non-endpoint assets as well as endpoint assets and then provide a way to quickly make sure that you are always up to date on having an EDR on all of the assets that you care about and you can do that in an automated way.

Shimel: Excellent. Sumedh, I’d like to ask another question and I’m asking it on behalf of the audience. Some of us out here have already invested a lot of money on endpoint security. How can we – can we leverage at all those endpoint investments to use the new EDR, the multi-vector EDR solution?

Thakar: You know, the issue with these solutions today is that you have a different inventory solution, you have a different solution for your EDR, a different one for your vulnerability deployment and a different one from your systems deployment and another one for patching. And that’s not really working that well. Right?

So today, the integrated single agent from Qualys is going to replace a lot of those capabilities that are being run in individual agents. Right? I mean, if you look at this in the cloud environment, it’s even more pronounced. Right? If you have each of your agents taking two percent of your CPU and you have five of those, you’re basically saying ten percent of your bill on Amazon is just to have the endpoint agents run, which is a huge amount. Right? And so the idea is that we help customers eliminate and reduce the number of agents that they have.

Of course, if there is an agent that they’re currently in the process, that is providing some asset inventory information, etcetera, today the platform that we are building that’s coming right after the multi-vector EDR, which is more of a XDR platform, which is collecting data from other third party sources in addition to Qualys, I think the customers will be able to leverage some of the existing deployment that they have to be able to do that.

But the challenge always is going to be the same as they have today, which is that customers have limited success in stitching together different vendor solutions to try to make it work because you’re always looking at the least common denominator of what can be supported and what kind of data that you can get rather than an out of the box packaged capability that is bringing all of this together so you don’t have to do the tie ins. And that’s kind of how the progression of this is going to happen.

Shimel: Understood. Ben, you know, this is not a new problem in security, right, the tower of Babel where we have –

Carr: No, it’s still agent spread and the proliferation of security within the enterprise has always been an issue. Right? I mean, I tell an interesting story. I was a very large company at one point and we were in the early stages of the Qualys deployment and we were very successful in the workstations. It was low hanging fruit. You know, we actually had, when we made a presentation on the success we had, we had the server team come back and actually ask us, “Hey, can we deploy this agent on the servers?” And I was flabbergasted, right, because no one ever wants agent spread.

But their point was, you showed us how we could recapture time. Right? Because if we can tell in real time and in maintenance window if a pass is successful, if an issue is fixed, we don’t have to come out of that maintenance window with a 20 percent failure rate. We don’t have to do another maintenance window later.

So it may seem like a necessity to standardize on a singular agent, but I think the benefits far outweigh the issues that that causes. Right? That streamlining effect, the value of having that data in one centralized place and having that context available and being able to, in real time, give that data either to a security operations team, it’s, you know, unmatched.

Shimel: Absolutely. I think quite frankly, we’ve been kicking this can down the road for a very long time. Right? I remember the days and I’m sure both of you might as well, where we had agentless agents. Right? It’s not really an agent. It’s just something running in the registry, but it’s not an agent. It’s not an agent. We don’t call it an agent. It was still an agent.

And you know, what’s one more agent. You already had five and even before the cloud, even on the endpoints when you looked at, you know, your CPU and memory, who much of it was taken up by the patch, by the AV, by the this, by the that? And they were, quite frankly, they were hogs. They were resource hogs. And so, I think there comes a point where you do have to bite the bullet and say, “Hey, we’re going to, you know, it’s addition by subtraction. Or subtraction by addition.”

Carr: I think a lot of people who’ve tried to approach this are like, “Isn’t there another way to do it without an agent?” But in reality, like especially given today’s times, everything that’s been happening and the move to remote work, like it’s been proven out, the only way to actually gather this data, especially for remote transient devices, it has to be an agent. Right?

And then you combine that with movement to cloud and temporal devices where you’re turning them on, turning them off, the e\only way to do that is with an agent. You just – you can’t guarantee that you’ll catch them with a network scan, with some type of remote device connecting to it. It has to be done with a localized agent that actually provides, again, you know, not to harp on that, but the context. Right?

You need all that context and so the best way to do it is with one agent, that coalesces that information and then provides it in a system that you can access from anywhere, and ask those questions whether the agents actually – whether the system is actually up or not because that agent provided that to that cloud platform.

Thakar: And I will add to that. Right? I mean, if you, in the early days of Qualys, we were very religiously agentless. Right? We were scanner based.

Shimel: I remember.

Thakar: That was the – but that was what was needed. That was good because people used to do their vulnerability assessment, like the really cutting edge customers did that once a month, like they were the superheroes. Right? Everybody else was, “One supporter was good enough,” and then as this thing progressed, people just weren’t with the churn and as Ben mentioned, some of the infrastructure, cloud, endpoints coming and going all the time, and just now even more with remote work from home, I think that sort of made us realize that there is no one size fits all solution here. Right? There’s other vendors that still claim agentless is the best, some that claim agent-based is the only way to go.

The reality is that you have to have a combination of both because you have devices where having the agent is extremely beneficial for real-time information and then you have devices that get compromised all the time, but you cannot have an agent. Like, you know, you have a printer, you just go to slow down and see how many printers are exposed directly to the internet which have exploitable vulnerabilities. Right? And those cannot be caught by the _____ solution.

And so the best of both worlds, which is bringing agent-based and agentless together, as you saw with the passive scanning that we have introduced as well is to augment that idea that you need to be able to bring these together so that you can get the full context. Right? As an example, an EDR tool can tell you the first hop. It can tell you that this device is talking to, communicating with that other device that’s in the network. Right? But it doesn’t see the context of, for there is there a path to my crown jewels? Right?

I have a developer laptop that had a malware _____ so okay, it’s able to talk to some GR whatever it is, fine. That’s their normal, but by the way, there is a way from that GR to be able to go to some other solutions. That is data that can only come network-based solutions that can actually see the communication, that can see those connections being made. And so now that gives you even more context so that you’re able to say, “I can see three hops down that if this device gets compromised, that there is a real challenge to my service _____ which is my production server, which is moving all my money.

Shimel: Right. And we’re almost out of time, gentlemen, but Sumedh, you make a point here that I want to emphasize to the audience and that is that’s what you get by using the Qualys product here. You get that full 360 degree. You get what we call passive scanner, right, passive listening, whatever you want to call it, out on the edge of the network or in various parts of the network. You get your full vulnerability data that you guys have been doing for 20 plus years now.

You get all of that, right, powering what’s a best-of-breed endpoint product, right? Because all of that comes with it. It’s – and that – that’s what I think people need to take home here. Right? The time has come for this. The time has come for us to move beyond endpoint versus edge versus cloud versus data center. It’s all one attack surface. And the same way we need one product that sort of defends all of that, we need a product that also shares that information so that we can leverage it at every different point that’s attackable, that’s vulnerable, that can be exploited.

So, Ben, Sumedh, I’d like to give you one each your last thoughts and we’ll let our Black Hat attendees get on to their next session.

Carr: Yeah I – so you know, from my perspective, I’ve been waiting a long time for something like this, right, the execution of the vision and pulling this together I think as you said, like being able to look for a- I think the way I put it is a purpose-built solution, right, as opposed to trying to build a solution for a purpose. Right?

We really pull all this data together, it really leverages the asset information for the true context. And then built in response and reaction when we actually see something happening. I mean, there’s nothing else right now that exists that does this. And I think that’s where we’re looking to actually provide value to our customers.

Shimel: Sumedh?

Thakar: Yeah I think I kind of heard Ben say that it’s taking too long and we need to work faster. I think we had to have a lot of things happen and that’s why the timing from why we are able to do this now and a lot of it has to do with the technology and the computer capabilities and all of that maturing to the point where you are able to bring in that kind of data, you are able to bring it in real-time, you are able to churn it or the computers have become big. The bandwidths have become big. Right?

A lot of time home users who are just using dialup modems or I remember two megabyte DSL was like the fastest you could ever find. And so I think as things have matured, our platform has also matured and we have really cleared a way where we focus on bringing all of the contexts together and then once you have that, learning from our customers because they’re doing this today themselves with the limited success and a lot of people, as Ben said, don’t even have the resources to do that. So providing that on the Qualys platform in a single solution has been the focus and as you said, Alan, we will see more coming from us that goes beyond EDR because again, all of this is tied together.

Your containers are running on infrastructure. Your web applications and APIs are running on these containers and so they are tied together and we need to be able to see all the contacts in one place, and I think that’s kind of where the direction of where we’re going, so I – you saw the demo and you heard the discussion. Obviously, nothing is as good as being able to try the solution, which is, again, easy cloud-based, easy to deploy, so definitely recommend everybody to go to and give the solution a try.

Shimel: Excellent. Thank you. But you know what, through the magic of virtual events, we can do even better than that. Sumedh, I want to invite everyone watching this to head on over to the Qualys booth in the virtual Black Hat expo hall where they can see demos of this, they can actually speak to people regarding their own questions; they can see what the future of security is going to look like here, leveraging things like DMVR and now multi-vector EDR. Guys, great work at the Qualys team.

I know this was a huge effort, as you continue to build on top of what you’re been building for 20 years and look, we all share in that success, right, if we can all be a little bit safer, especially during these times. Ben, Sumedh, thanks for joining us. Thank you for joining us here at Black Hat this year. Hopefully next year, we’ll be meeting in person again in Las Vegas and I hope to see you there. This is Alan Shimel for Security Boulevard and Have a great day.

Avatar photo

Alan Shimel

Throughout his career spanning over 25 years in the IT industry, Alan Shimel has been at the forefront of leading technology change. From hosting and infrastructure, to security and now DevOps, Shimel is an industry leader whose opinions and views are widely sought after.

Alan’s entrepreneurial ventures have seen him found or co-found several technology related companies including TriStar Web, StillSecure, The CISO Group, MediaOps, Inc., and the DevOps Institute. He has also helped several companies grow from startup to public entities and beyond. He has held a variety of executive roles around Business and Corporate Development, Sales, Marketing, Product and Strategy.

Alan is also the founder of the Security Bloggers Network, the Security Bloggers Meetups and awards which run at various Security conferences and Security Boulevard.

Most recently Shimel saw the impact that DevOps and related technologies were going to have on the Software Development Lifecycle and the entire IT stack. He founded and then the DevOps Institute. is the leading destination for all things DevOps, as well as the producers of multiple DevOps events called DevOps Connect. DevOps Connect produces DevSecOps and Rugged DevOps tracks and events at leading security conferences such as RSA Conference, InfoSec Europe and InfoSec World. The DevOps Institute is the leading provider of DevOps education, training and certification.

Alan has a BA in Government and Politics from St Johns University, a JD from New York Law School and a lifetime of business experience. His legal education, long experience in the field, and New York street smarts combine to form a unique personality that is always in demand to appear at conferences and events.

alan has 81 posts and counting.See all posts by alan