Qualys IOC expands the capabilities of the Qualys Cloud Platform to deliver threat hunting, detect suspicious activity, and confirm the presence of known and unknown malware for devices both on and off the network

“Threat hunting relies on both advanced threat knowledge and deep knowledge of the organization's IT environment, which will also benefit the organization itself in learning more about its IT environment and finding the places where attackers can hide.”

Gartner, How to Hunt for Security Threats, Anton Chuvakin, April 2017

Anton Chuvakin Research Vice President & Distinguished Analyst, Gartner

Highlights

Robust agent event collection

Qualys IOC uses the Cloud Agent’s non-intrusive data collection and delta processing techniques to transparently capture endpoint activity information from assets on and off the network that is more performant than query-based approaches or log collectors.

Actionable intelligence for security analysts

Customers can use pre-defined threat hunting rules and easily import indicators of compromise artifacts into widgets, dashboards, and saved searches to quickly verify threat intelligence, scale of infections, first-infected asset (“Patient Zero”), and timeline of compromises.

Highly scalable detection processing

Threat hunting, suspicious activity detection, and OpenIOC processing is performed in the Qualys Cloud Platform on billions of active and past system events, and coupled with threat intelligence data from Qualys Malware Labs to identify malware infections (indicators of compromise) and threat actor actions (indicators of activity).

Streamline investigations with a single view of asset

Qualys IOC creates a Single View of the Asset, showing threat hunting details unified with other Qualys Cloud Apps for hardware and software inventory, vulnerability posture, policy compliance controls, and file integrity monitoring change alerts for on-premise servers, cloud instances, and off-net remote endpoints. A single user interface significantly reduces the time required for incident responders and security analysts to hunt, investigate, detect, and respond to threats before breach or compromise can occur.

Lightweight and scalable capture and search of system activity details

From Qualys IOC’s single console, you can monitor current and historical system activity for all on-premise servers, user endpoints, and cloud instances — even for assets that are currently offline or have been re-imaged by IT.

Qualys IOC utilizes the Cloud Agent to capture endpoint activity on files, processes, mutant handles (mutex), registries, and network connections, and uploads the data to the Qualys Cloud Platform for storage, processing, and query. Specific event details include:
- File name, path, MD5/SHA256 hash, size, create/delete date, version and more
- Process name, process arguments, process ID, image path, image MD5/SHA256 hash, elevated status, running/terminated status, username, loaded modules, parent process name, parent process ID, and more
- Mutex handle name, process name, process ID, process arguments, process image name, process image path, process image MD5/SHA256 hash, and more
- Registry key, value, data, detection date, image details
- Network connections for running process, local IP/Port, remote IP/Port, remote resolved fully qualified domain name, protocol, state, process name, process ID, process arguments, image path, image MD5/SHA256 hash, and more.
Cloud Agent delta processing only sends changed events from the asset to the Qualys platform for storage, processing, and searching. Performance tuning for CPU resource and network utilization allows IOC to run on resource-constrained systems such as fixed function devices, user endpoints, cloud instances, and virtual machines.

Quickly search, investigate, hunt, and respond to security incidents

Security analysts use the web interface for offline search, hunting, and investigations, and use the visual interfaces to easily find outliers, create dashboards, and perform ad hoc querying by pivot searching across billions of events.

Qualys IOC offers multiple pre-defined threat hunting widgets for critical Advanced Persistent Threats (APT), CERT security advisories, and identifying suspicious process usage that can be indicative of non-malware attacks, including:
- Use of known good applications for malicious purposes
- Malware detection evasion techniques such as processes running from the Recycle Bin or processes running from the anti-virus program’s quarantine folder
Easily verify threat intelligence reports by quickly determining if file hashes, processes, mutexes, and registry keys exist in your network. Qualys IOC time-series data search results displays currently running indicators or those that were executing in the network previously but are no longer present.
Users can add their own indicators of compromises, including file hashes, process names, mutexs, IPs and domain names, as well as define comprehensive search logic for suspicious behaviors. Examples include:
- Java process having network connections
- Cmd.exe parent process is Java
- Svchost.exe running outside C:\windows\system32 directory
- Process running without an image

Qualys malware family detection

Qualys Malware Labs continuously creates new behavior models using OpenIOC formats into the platform for detection against new and previous events to find enterprise-targeted malware family variants without using signatures.

Most malware innovation is focused on creating new variants of existing malware families to evade detection by signature-based systems, a detection capability standard in Qualys IOC application.

Automatically detect new malware family variants as new behavior models are published to the Qualys platform by the Malware Labs team.
Augment existing endpoint security by detecting malware family variants that traditional approaches have missed.
Identify first stage malware droppers that were prevented from executing compared to persistent, running malware that is actively communicating outside the network.
Pivot to display system events occurring just before the malware infection (process execution, new files, new registry keys) to identify new exploit vectors and new infection techniques.
Correlate malware infection with Qualys Threat Protection vulnerability exploit intelligence to determine if targeted attacks against your enterprises are succeeding.

Powered by the Qualys Cloud Platform

Single-pane-of-glass UI

See the results in one place, in seconds. With AssetView, security and compliance pros and managers get a complete and continuously updated view of all of their IT assets — from a single dashboard interface. Its fully customizable and lets you see the big picture, drill down into details, and generate reports for teammates and auditors. Its intuitive and easy-to-build dynamic dashboards aggregate and correlate all of your IT security and compliance data in one place from all the various Qualys Cloud Apps. With its powerful elastic search clusters, you can now search for any asset – on-premises, endpoints and all clouds – with 2-second visibility.

Centralized & customized

Centralize discovery of host assets for multiple types of assessments. Organize host asset groups to match the structure of your business. Keep security data private with our end-to-end encryption & strong access controls. You can centrally manage users’ access to their Qualys accounts through your enterprise single sign-on (SSO). Qualys supports SAML 2.0-based identity service providers.

Easy deployment

Deploy from a public or private cloud — fully managed by Qualys. With Qualys, there are no servers to provision, no software to install, and no databases to maintain. You always have the latest Qualys features available through your browser, without setting up special client software or VPN connections.

Scalable and extensible

Scale up globally, on demand. Integrate with other systems via extensible XML-based APIs. You can use Qualys with a broad range of security and compliance systems, such as GRC, ticketing systems, SIEM, ERM, and IDS.

Quick Navigation;