1. Deploying Vulnerability Management and Policy Compliance on a Global Scale ON TIME – ON BUDGET – ON DEMAND
Implementation Best Practices by David French – Technical Account Manager, Qualys Inc.
December 2007

2. Implementation Timeline (based on a 120 day deployment)
Phase 1 (1st Month)
Deploy Scanner Appliances
Configure Domains / Add IP Tracked Hosts to the subscription
Perform Host Discovery Mappings
Begin enter Asset Groups, Business Units, and Users
Plan for use of delegation. Start with less delegation and add more rights over time.
Start baseline scans
Analyze baseline numbers to determine remediation strategy
Phase 2 (2nd Month)
Perform a second scan of all hosts
Continue entering Asset Groups, Business Units, and Users
Train QualysGuard users (Readers and Scanners)
Start building remediation policies (rules)
Deploy ticketing to a test group
Start testing report templates for executive reporting
Phase 3 (3rd Month)
Perform complete scan of environment
Implement use of the ticketing system
Change the tracking method for hosts utilizing DHCP
Start Developing Executive Reports
Start developing remediation metrics/reporting
Examine automation capabilities with the APIs
Phase 4 (4th Month)
Implement Executive Reporting
Implement Remediation Reporting
Automate processes via the API where possible/applicable

3. QualysGuard Implementation Steps
Depending on the size of the environment, perform either a baseline map, baseline scan, or both. (This may already have been performed as part of the evaluation.)
Prior to running a baseline map, the domains to be used as well as the methodology (geographical vs. the use of the none domain) must be decided on.
Prior to running a baseline scan, the IPs must be added via the Assets tab and Asset Groups for scanning must be created. You may also want to add “test” remediation policies at this time so you can see what a systems administrators' ticket queue would look like (from a workload perspective).
As you enter IP addresses to the account via the Assets tab, smaller ranges and IPs will collapse into larger ranges that are entered. You will want to think about how you want your Assets tab to look to facilitate administration. Do you want to enter in Class C ranges for server segments and Class B ranges for workstations? You can still drill down in the Assets tab to manage your addresses. This is not a major issue but one that should be considered before entering all IP information into your account.

4. QualysGuard Implementation Steps
Determine scanner placement based on knowledge of network segmentation and available bandwidth.
Gather data needed for scanner configuration at all locations.
If scanner appliances will be shipped overseas, it may be better to have Qualys ship them.

5. QualysGuard Implementation Steps
Based on whether or not you are deploying QualysGuard using a centralized or de-centralized model, determine the following:
Asset Group Structure for granting access to QualysGuard. (Asset Groups for scanning [if needed] should be in place at this time.)
Business Unit structure.
Rights to be delegated for Reader and Scanner accounts.
Remediation system use : policies and procedures.
Define Options Profiles to be used.
Define any needed Global Report Templates.
Procedures for support, typically centralized through the team that is implementing QualysGuard.

6. QualysGuard Implementation Steps
Automation:
Determine schedules for all scans and maps. Typically, change controls are used for the first test/baseline scans. Once initial scans and maps have been run, “rolling” change controls are typically issued and a schedule is posted on an Intranet site.
Enable remediation policies (rules) as you schedule segments/systems for scans.
Change the tracking method for workstations to NetBIOS.

7. QualysGuard Implementation Steps
Training:
Create company specific training for readers and scanners.
For QualysGuard administrators, you may want to send them to the certification course (1 day).
Web based training is available as well via the main Qualys web site.

8. QualysGuard Implementation Steps
Executive Reporting
Executive Reporting is generally not put into effect until several scans have been made of the entire environment. This is because vulnerability counts will increase as segments/hosts are added to the scanning schedule.

9. Where does QualysGuard fit into your Security Operations Center? (SOC)
The next three slides will show sample Daily, Weekly, and Monthly SOC Analyst duties and where QualysGuard would fit in.

10. Sample SOC Procedure (1)
Daily Duties: (Note events in the SOC Analyst Log.)
Check IPS console
Check AV console
Check SIM
Check VPN Access logs
Run EventCombMT / LogParser Scripts
Check QualysGuard for rogue hosts on DMZ’s and/or critical server segments (Qualys)
Check security portals
Check Mailing Lists (Secunia, etc.)

11. Sample SOC Procedure (2)
Weekly Duties:
Run AV outbreak report
Run Remote Access/VPN report
Run tickets per user report (Qualys)

12. Sample SOC Procedure (3)
Monthly Duties:
Run vulnerabilities by severity report (Qualys)
Internal systems
Externally facing systems
Business Unit comparison reports (scorecards)
Run virus outbreak reports
Run system compliance reports (Qualys)
Is Anti-Virus installed?
Is SMS and/or other required services installed?
Are systems running unauthorized services?

13. Engaging Support
Support is available via phone or 7X24X365. You can access the phone numbers or submit a ticket via the QualysGuard application via the support link in the upper right hand corner.
Instead of submitting tickets through the QualysGuard GUI you may want to use your regular client to submit trouble tickets and feature requests. If you type a meaningful subject line, the auto response mechanism will create a ticket with the subject line as the title of the ticket.
When working with support they will often request scan data. They are looking for raw data (obtained from the Scan section) in PDF format. If the file is large or has sensitive information, you can request a secure upload link when you enter the ticket. (Be sure to modify your default report profile (Scan Results (“username”) to include the appendix.)
If you feel you need an issue escalated, do not hesitate to contact your Technical Account Manager. Also, feel free to copy your Technical Account Manager on critical tickets as you submit them.

14. Gathering Data for Support
Support will need raw data from the scan section of QualysGuard for their first analysis. (Be sure to modify your default report profile (Scan Results (“username”) to include the appendix.)
Sometimes, you will need to take a trace while running another scan to re-create the issue. If you can’t have the network team implement a sniffer in a timely fashion, you can use ngSniff to capture data for Windows hosts. ngSniff does NOT require packet drivers (WinPcap). (
Some customers place network taps in front of Scanner Appliances that reside in Datacenters to facilitate the gathering of trace files.

15. QualysGuard Settings to Be Aware Of
Scanner polling intervals
Scanner polling intervals should be set to 30 seconds. Update traffic is light and modifying this setting will make map and scan jobs get picked up more quickly. (If your scanner appliances are intermittently disappearing within QualysGuard, increase your polling interval to 60 seconds. This rarely happens and is due to the egress environment the scanner appliances reside in.)
Map Settings
The default settings on the Map tab for Options Profiles are set to “All Hosts” and NOT to ignore hosts discovered via DNS. This is because mapping was developed first to be used for Internet facing systems. For internal maps you should change the “Perform basic information gathering setting” to “Netblock Hosts Only” and enable the option to ignore hosts discovered only via DNS.
Brute forcing
The default options profile has Brute Forcing set to limited. Again, this is because QualysGuard started out as an Internet bases scanning technology. For internal scans against systems/environments with account lockout policies in place, Brute Forcing should be set to “Minimal” or “None”.
Using Brute Force settings higher than “Minimal” internally should only be done when you are intending to verify blank/weak passwords on systems with the understanding that account lockouts may occur as a result.
Scanning for only a few QIDs
To run scans for specific QIDs, there are five “base” QIDs that must also be selected. These are listed in the Scanning FAQ. (In the help file, do a search for Scanning FAQ.) Always be sure to add QID – Host Scan Time, to any custom Options Profile you create.