Qualys CyberSecurity Asset Management Reviews

This is the main product that we are using for managing assets, including  hardware assets and software assets.

There are multiple features that are very useful. The first one would be the inventory that allows us to actually manage those assets and see the assets based on the cloud agents and based on the scanning that is performed periodically. 

Another useful feature would be the tags. Tags are very useful for us since we can tag virus applications in infrastructure types such as databases, operating systems, or web platforms. 

On top of that, there are software rules that we can define. Some of those rules can outline which mandatory agents need to be on an asset before going into production, for example. Some emphasize potential software that can potentially cause cyber security challenges. Having those rules in place is very useful.

The external attack surface management covers the entire attack surface. This is one of the newest features, and this is extremely useful. It allows us to see the external posture from an attacker's perspective, and we are broadly using that. We have been able to find domains that were previously not covered. We did find a few domains that were supposed to be shut down. We can better keep track of these now to validate that the domains that are listed for us are the correct ones. We can go over the newly discovered assets to validate which belong to us and which do not. 

It identifies all other risk factors for our assets. Now, it identifies the assets. It also identifies the end-of-life and end-of-life support software, and that allows us to plan ahead in terms of what needs to be upgraded or if we have to budget for a software change. That's both from an operating system perspective and also from a third-party software perspective.

This more thorough identification of risk factors has positively affected our security. Qualys is one of the main pillars that we use for monitoring our cybersecurity posture. Being on top of inventory-related operating systems or types of clients has been very helpful. The inventory features also allow us to monitor any new asset. We use this together with another platform from Qualys for network passive sensors. We can see in the inventory, including new assets identified that were connected to the network anywhere in the network. This includes workstations, laptops, cell phones, et cetera.

We leverage the solution's ability to convert already deployed Qualys Cloud agents into passive sensors that may be detected and connected to the network in real time.

Most of the assets, the ones that the ones that have CloudAgent, we monitor that. They are also discovered by the passive sensor. On top of that, they are periodically IP scanned. The cloud agent and the IP scanners complement each other and discover different types of vulnerabilities. The inventory shows up from one of three main sources: the CloudAgent, the passive sensor, and the IP scanner.

The passive sensors affected our ability to identify potential risks in real time. They dramatically improve our ability to monitor risk in real time as they show the assets connected to the network in real time. We are validating those findings with the appropriate teams in order to address issues accordingly.

We use the CMDB sync feature. That is one of the features that allows us to reconcile the inventory between Qualys and CMDB. This is also the feature that actually showed us some of the discrepancies between our two platforms. The integration allows us to automatically assign vulnerabilities and monitor the SLA. That integration is one of the main operational integrations that we are using in order to make sure that the vulnerabilities are remediated in a timely manner.

It's a superior solution as we can monitor both on-prem and on the cloud. Having the ability to manage the inventory, the hybrid inventory, in one platform, is very, very important.

It is automatically exporting the vulnerabilities and the assets. However, it would be useful to have the ability to select or filter which we would like to export. As of now, anything and everything is automatically exported. We cannot choose. 

I've used the solution for the last five years. 

It's usually very stable. However, sometimes some of the queries crash. I have opened a few support cases. Some of those support cases were solved right away. Some of those were pending a new release. Generally, it's working most of the time.

I've never had issues with scalability. You do have to choose the right sizing, however, it can scale out of the box. 

Most of the time, the technical support is very effective and responsive. They have a nice feature that allow you give feedback after a case was opened. The knowledge of the team is good. They also have the appropriate documentation to they can direct you to when needed.

Positive

We did previously use a different solution. However, there were a number of drawbacks. We were not able to both monitor and discover. After CSAM, we were able to access a full inventory and a fuller understanding.

The deployment is straightforward. You can use add-on features of cloud agents or passive sensors, once it's deployed and assets are IP-scanned, the system can automatically share the asset details. The modules are automatically activated for the agent. The cloud agents are deployed by the infrastructure teams. They are responsible for deploying the cloud agent. The network passive sensors are deployed together with the network team. Activating the modules and monitoring is handled by Qualys.

Once everything is up and running, no maintenance is needed. It's just monitoring and reporting once it's implemented. 

The pricing is fair. We don't have any objection to the current pricing model.

I'm an end-user.

When we first started using the solution it had fewer features than it has today. That said, it still was the platform that allowed us to manage hardware and software assets on-prem and in the cloud.

I'd rate the solution nine out of ten. 

It's a good idea to start with Qualys training, and I have to say their training is outstanding. Their training provides the best way for a new user to learn how to work with the platform. The platform itself can be very complex and there are many features that might affect one another. 

Currently, I use Qualys CSAM for asset management. It allows me to search for assets and manage them by implementing license management, asset inventory discovery, and ensuring that no device goes unmanaged. 

Qualys CSAM improves my organization's asset posture by providing visibility on cybersecurity assets and streamlining asset management and inventory.

It can detect every asset in our network. It is able to detect network devices such as switches, printers, and servers. However, it may provide information that is not useful, and sometimes, tagging might also be incorrect.

We were able to realize its benefits within six months. It took us around two to three months to get a good understanding of it. We spent some time fine-tuning it based on our needs and understanding false positives. Overall, in about six months, we could properly see its benefits.

Qualys CSAM helps me prioritize vulnerabilities through Qualys Vulnerability Score (QVS), which combines various threat and impact factors. It enables me to prioritize vulnerabilities based on the criticality and risk posed to my organization. This is beneficial for efficiently managing vulnerabilities.

Qualys TruRisk Scoring helps prioritize vulnerabilities and assets. It helps understand what could be prioritized for further remediation and what could be kept on hold for some time based on the manpower availability and the needs of the business.

Qualys CSAM helps find all the assets. It categorizes information based on various criteria such as host and tenant version. It provides in-depth visibility into both hardware and software.

Initial scans can produce excess data that needs refining. This extra data is not always useful for us in terms of understanding. They should provide the exact information required by the end user. It sometimes produces false positives for configurations when it comes to identifying exact hostnames and DNS names pertaining to certain IPs. Sometimes, the tagging might be incorrect. It might incorrectly tag assets. This is something that should be fixed.

Software composition analysis capability at the source code level would also be helpful. Other tools can check JAR and WAR files for any vulnerabilities. This capability is missing in Qualys CSAM.

From the user experience perspective, we need a simpler interface and reduced complexity in certain features, particularly with the Qualys Query Language. I work for a bank. I am a part of the regional team. We ask branches to use this tool effectively, but the branch IT teams find it difficult in terms of user experience. It is not easy for them to understand and use Qualys Query Language to fetch some inputs. The user interface must be improved in terms of giving some examples through popups and other UI elements. Currently, our users are not able to use it easily based on the basic training that we are giving them. That is why we are now documenting step-by-step instructions for completing tasks.

Some of the users find the UI to be very cluttered. They should simplify the dashboard. They would also like more customizable navigation.

Some users have reported slow asset discovery. They should improve speed and efficiency. When we use some of the profile options within Qualys for scanning, it can take 40 to 50 minutes to scan a single asset. That time could be reduced.

Users would also like more customizable reports. Currently, after downloading the reports, the team has to format the data provided by Qualys CSAM. If there is an option to customize the reports directly before downloading them, it would be very helpful. They can directly deliver the report to higher management. They do not have to spend time formatting the report.

There could also be better integration with other tools. Based on my integration experience previously, not in this company, there were some limitations with the integration. The APIs and integration options can be improved making the integration with various tools such as ITSM tools a smooth experience.

My team is using some Python scripts. It would be great if Qualys could provide some custom scripts as a part of the subscription. It will help new users in terms of understanding the solution better. There should be better tagging and categorization. That would be helpful for us. The tagging system should be more intuitive and flexible. Currently, the dynamic grouping of these assets based on the conditions is not up to the mark. Some of them are incorrectly tagged.

In terms of the learning curve, some of the new users find it challenging to learn the full capabilities of the platform. In addition to supporting more customizations for dashboards, reporting, or navigation, there should be more resources for people to become familiar with the product. There should be more hands-on learning materials and a better onboarding experience. The current knowledge base is not up to date with the latest features. There should be updated learning material available along with a release. When they release any new features, it can take one or two months for the learning resources to be updated.

Vulnerability remediation recommendations need to be more appropriate and specific. There could also be improvements in terms of vulnerability context. Even though Qualys CSAM identifies vulnerabilities very well, it would be helpful to have more context. Currently, in some cases, Qualys is not able to fetch the right remediation solution or proper context. It gives a generic statement. At times, recommendations are also not appropriate.

I have been using Qualys CSAM for almost four years.

Qualys' technical support team is responsive. They have a good knowledge base and helpful resources. The resolution of complex issues may sometimes take longer due to various factors, but the community and forum support is strong. Plenty of forums and resources are available from the support perspective.

Positive

The initial setup was not easy or difficult; it was moderate. 

Qualys provides tutorials and tools, but they could be enhanced to be more user-friendly and more helpful in deploying it. Qualys releases updates and enhancements regularly and the documentation is available for the new release, but Qualys video tutorials and hands-on labs are not always available or updated in parallel. Such resources are very helpful for new users in our organization in understanding the new features and the tool.

There is a significant return on investment with Qualys CSAM in terms of efficiency in vulnerability identification and management.

Qualys is competitively priced for its features. Its pricing is suitable for large organizations with more than 4,000 assets, but for smaller organizations with few assets, such as banks, the costs might be high. They should come up with packages that are suitable for small organizations.

For Attack Surface management, we are using other tools in our organization. Our threat tracking and threat intelligence teams are using other tools. They are not integrated with the Qualys CSAM. We are exploring opportunities to integrate everything into one solution.

We are planning to integrate Qualys CSAM with ServiceNow within a year. Everything will be automatically integrated with the ServiceNow module.

Overall, I would rate Qualys CSAM an eight out of ten. There are some areas for improvement.

I use Qualys CSAM to gain better visibility into all my endpoints. It is easier to find devices through Qualys CSAM rather than using our other asset inventories, as it gives me access to a single pane of glass.

Qualys CSAM helps manage external attack surfaces. I get daily emails about our external endpoints and potential vulnerabilities or ports that can be used for attacks. We work on securing them or hardening their configurations.

We do not have a lot of external-facing assets, but it gives us everything that we need to know. We have a developers team that works on the web pages on our new domain. Recently, they entered a new subdomain. Qualys CSAM found that and reported it as vulnerable because of the certificates. I reported that to upper management, and it is now taken care of.

Qualys CSAM's risk tools prioritize risks. Qualys CSAM in conjunction with patch management and vulnerability management helps to mitigate those vulnerabilities.

There is a good logic behind TruRisk. When we add things, we can rely on it. That is what is going to be important.

We have a network passive sensor. Some of our endpoints are work-from-home stations, and some of them are in the office. The network passive sensor finds everything that is connected to the office, and then it merges with the cloud agent.

Qualys CSAM is valuable for providing end-of-life and end-of-sale information. It gives me visibility into the number of products or hardware items that are end-of-life. This is a beneficial feature. I like that about it. That is a very good thing.

Qualys CSAM is not super responsive, and there can be delays sometimes, especially with the network passive sensor. You might see duplicate objects which eventually disappear but it takes time. If that can be done faster, it will be great.

I have been using Qualys CSAM for approximately one and a half years.

Qualys CSAM appears to be scalable. We do not have a lot of endpoints, but I know of a company with 60,000 endpoints. They seem to be doing fine. We have 500 to 600 endpoints, and it is working well.

Most of the time, they are fast. We submitted some bugs, and they seem to have been resolved.

Positive

I used Manage Engine before. It is not very similar, but it can give you some details about the endpoints, such as if they are end-of-life. They also pull the database from somewhere to compare our hardware or software, but Qualys CSAM gives a lot more information than that product. Qualys CSAM does a lot more.

Its deployment is modular. Everything that we have is in the cloud. The cloud agent is installed on the endpoint, and there we have everything. The cloud agent collects all the information, drops it into the cloud, and syncs it in the database. Patch management and vulnerability management all do their work together.

The initial setup was seamless. It is at their back end. We paid for it, and they just turned it on. We saw results immediately once the module was turned on. Things in the cloud are done faster than on-prem, and this is not an on-prem solution. It is a cloud solution.

Its maintenance is taken care of by Qualys. We get the product 100% working and operational. We only have to work on the information in it. If we see something wrong, we try to do something. If it is easily fixable, we do it. If it is not, we get support.

When I went to a Qualys conference, I understood the value of it, and I asked our management to get hold of it and purchase it. We were able to realize its benefits immediately.

To a colleague at another company who says they only need to add External Attack Surface Management to their vulnerability management detection/response program but they don’t need the full depth of the CSAM offering, I would recommend going for the whole CSAM. Only the external attack service management will not be enough. If they have visibility into their external stuff, they should also have visibility into their internal stuff. Otherwise, they will only see the external stuff. They will not see how it links to internal stuff in terms of hardware, IP, and port.

New users need to spend a lot of time in order to understand it well. My advice would be to try searching, finding assets, and uploading tags to get accustomed to it.

I would rate Qualys CSAM a ten out of ten. It is a great product.