Qualys – Security Review Magazine (https://securityreviewmag.com)
We bring you the latest from the IT and physical security industry in the Middle East and Africa region. Feed last updated Thu, 15 May 2025 18:08:13 +0000.

Qualys Partners with Teksalah, the First Middle Eastern MSP in its mROC Alliance
https://securityreviewmag.com/?p=28255 – Thu, 15 May 2025 18:08:13 +0000

Qualys has announced the expansion of its invite-only managed Risk Operations Center (mROC) Partner Alliance with seven new global partners, including Teksalah from the Middle East. This marks a significant step forward in Qualys’ mission to build a robust Risk Operations Center (ROC) ecosystem, making business-aligned cyber risk management more accessible, actionable, and measurable for organizations worldwide.

Built on the Qualys Enterprise TruRisk™ Management Platform, the ROC framework consolidates risk signals across an organization’s digital footprint into a single pane of glass. It enables Continuous Threat Exposure Management (CTEM), cyber risk quantification, and risk remediation, empowering CISOs to translate cyber risk into business terms, ensure audit readiness, and build long-term resilience.

The mROC Partner Alliance equips partners to drive growth by delivering enhanced Qualys-powered ROC services that transform how enterprises measure, manage, and reduce cyber risk. The expanded roster of partners brings world-class expertise to help organizations overcome common cybersecurity challenges such as fragmented tools, disjointed risk response, and limited visibility—enabling a proactive approach to managing cyber risk at scale.

“When we introduced the concept of the Risk Operations Center, we knew it had the potential to redefine how organizations manage cyber risk,” said Sumedh Thakar, president and CEO of Qualys. “Today, with the launch of our inaugural global mROC partners, we’re delivering on that vision. This is a major milestone in building a thriving ROC ecosystem—one that helps businesses around the world take control of cyber risk with clarity, speed, and measurable impact.”

mROC Partners, through a comprehensive suite of risk service offerings, play a critical role in Qualys’ mission to make cyber risk management easier to adopt, more practical to implement, and more impactful for organizations globally. This innovative group of mROC partners has been thoroughly trained and enabled to operate a ROC powered by Qualys Enterprise TruRisk Management (ETM), delivering comprehensive managed risk services. By aggregating and analyzing risk signals from both Qualys and third-party tools, they offer their clients a holistic, business-aligned view of their risk exposure.

“The Teksalah and Qualys partnership is built on a shared vision — to embed a holistic risk-based, proactive approach at the core of enterprise cybersecurity. Through our powerful platforms, intelligent tools, and proven services—covering real-time risk monitoring to effective remediation—we are enabling organizations to manage risk with precision and drive secure innovation. Together, we are transforming our clients’ cybersecurity from a control function into a catalyst for business growth and resilience,” commented Murali Konasani, CEO, Teksalah.

Generative AI Can Automate the Creation of Malware Variants
https://securityreviewmag.com/?p=28022 – Thu, 03 Apr 2025 14:51:40 +0000

Ivan Milenkovic, Vice President – Cyber Risk Technology, EMEA at Qualys, says that, as much as generative AI can fortify security, it equally arms malicious actors with new tools.

How is generative AI being utilized to enhance cybersecurity measures today?
Today, generative AI is used to bolster cybersecurity defences in a multitude of ways. It automates mundane tasks, sifting through vast data logs to identify potential vulnerabilities and weed out false positives (Gartner, 2021). More impressively, generative AI can predict emerging threats by simulating attack scenarios, helping teams spot anomalies before they escalate (Mandiant, 2022).

Compared with older rule-based systems, these AI models adapt in real time, learning from both benign and malicious activity to create dynamic defence postures. A notable example is Darktrace’s “Antigena” product, which uses self-learning AI to detect abnormal network behaviours. In 2018, it reportedly thwarted an insider threat by flagging unusual data transfers in a UK-based financial services firm (Darktrace, 2018). The technology reduced the manual workload on analysts by automating front-line triage, freeing human experts to focus on higher-level investigations.

What potential risks does generative AI introduce in the cybersecurity landscape, such as AI-driven cyberattacks?
As much as generative AI can fortify security, it equally arms malicious actors with new tools. Sophisticated attackers are already deploying adversarial machine learning to bypass detection (Goodfellow et al., 2014) and using deepfakes to manipulate social engineering scams. One infamous example involved fraudsters using deepfake voice impersonation of a CEO to authorise a fraudulent wire transfer of approximately €220,000 from a UK-based energy firm in 2019 (Wall Street Journal, 2019).

This dark side underscores why cybersecurity leaders must remain vigilant. Generative AI can automate the creation of malware variants, obfuscate malicious code, or create entire networks of bot accounts capable of launching coordinated attacks (ENISA Threat Landscape, 2021). These challenges highlight the need for organisations to keep their AI defences on par with adversarial AI capabilities.

How can organizations leverage generative AI for proactive threat detection and response?
Given the growing dangers, organisations are increasingly using generative AI for proactive threat hunting. By training models on historical attack datasets, security systems can anticipate emerging vulnerabilities, formulate defensive strategies, and even recommend immediate containment measures (IBM X-Force Threat Intelligence Index, 2022). Generative AI excels at pattern recognition, which — when combined with behavioural analysis — helps security teams detect anomalies that conventional defences might miss.

Several Fortune 500 companies have begun deploying AI-driven “red team” exercises using synthetic data to simulate real attacks (Ponemon Institute, 2022). By synthesising new attack variants, these organisations can better train their detection algorithms and prepare incident response teams for novel threat scenarios.

What ethical concerns arise when using generative AI in cybersecurity, and how can they be addressed?
A critical ethical question arises when deploying powerful AI tools for cybersecurity: Where do we draw the line between data-driven intelligence and intrusive surveillance? Privacy concerns loom large, particularly when AI systems process personal information to identify potential insider threats (NIST SP 800-53, 2020). It is essential that organisations establish transparent governance structures, involving cross-functional teams from legal, compliance, and human resources.

These frameworks should clarify data usage policies, ensure algorithmic fairness, and reinforce accountability (European Commission, 2021; EU AI Act, 2024). Treating user data with respect whilst maintaining robust defences is not just a matter of compliance; it’s a moral imperative that, if neglected, can damage trust irreparably.

What challenges do cybersecurity teams face when integrating generative AI tools into their workflows?
Despite the allure of next-generation solutions, cybersecurity teams often face significant hurdles when incorporating generative AI. Firstly, there is a matter of technical complexity. Building models that accurately understand and adapt to evolving threats requires specialised expertise and substantial computational resources (Gartner, 2021). Secondly, legacy systems are mostly ill-equipped to handle the high data throughput AI demands, leading to integration bottlenecks (Mandiant, 2022). Then, there is a problem of inflated expectations. The hype around AI can cause organisations to invest in poorly scoped projects, hampering returns and morale (Ponemon Institute, 2022).

To combat these issues, teams should conduct thorough proofs of concept and collaborate with experienced data scientists to align capabilities with organisational needs.

Are there any notable examples of generative AI successfully preventing or mitigating cyberattacks?
Several case studies highlight the growing success of generative AI in thwarting attacks. Darktrace reported detecting anomalous “beacon” traffic months before a known banking Trojan was publicly identified (Darktrace, 2019). Meanwhile, a large financial institution in Asia leveraged AI-driven user behaviour analytics (UBA) to pinpoint a suspicious spike in credential escalations, uncovering an elaborate insider threat that might otherwise have slipped under the radar (IBM, 2020). These incidents illustrate the transformative power of AI when integrated thoughtfully with security operations.

How do you see generative AI evolving in the cybersecurity domain over the next few years?
Over the coming years, generative AI is expected to mature into an even more intuitive and autonomous guardian. As data collection methods expand and computational power grows (Ponemon Institute, 2022), AI models will become more adept at detecting zero-day exploits and adapting, on the fly, to novel attack techniques. Widespread adoption of AI systems that interact seamlessly with security analysts will facilitate real-time recommendations, and “self-healing” networks capable of automated patching are likely to become mainstream (Gartner, 2021).

However, we should brace for an escalation in AI-enabled cyberattacks as well (e.g. from near-perfect deepfakes to far better personalised targeted attacks). This unfolding arms race underscores the importance of continuous innovation and collaboration between industry, academia, and government (ENISA Threat Landscape, 2021).

What role does human oversight (HITL) play in ensuring generative AI systems are effectively managing cybersecurity threats?
Human-in-the-loop oversight remains indispensable. Even the most advanced AI systems can produce false positives or overlook subtleties requiring human judgement (European Commission, 2021). Skilled analysts, especially those with deep domain knowledge, are needed to validate AI-driven alerts, fine-tune learning models, and account for socio-political contexts.

As a result, AI should be viewed as an extension of human capabilities rather than a replacement. A balanced combination of machine efficiency and human intuition results in the most effective security outcomes (Mandiant, 2022). Lastly, let’s not forget that emerging legislation (the EU AI Act, for example) might “insist” on having human decisions for certain privacy-critical aspects.

How can smaller organizations with limited budgets incorporate generative AI for cybersecurity?
Budget constraints need not bar smaller organisations from leveraging generative AI. A pragmatic step is to use cloud-based security tools with built-in AI features, offsetting the cost of on-premises infrastructure (Microsoft Azure Security Centre, 2021). Partnerships with managed service providers can also help smaller entities develop tailored AI strategies.

Starting with low-complexity use cases, such as automated phishing detection, can yield quick wins and free up resources to invest in more advanced capabilities. By focusing on modular, scalable solutions, smaller organisations can gradually expand their AI footprint without jeopardising financial stability.

What best practices would you recommend for implementing generative AI tools while minimizing risks?
To implement generative AI responsibly, organisations should embrace and follow industry good practices. A good example would be NIST SP 800-53. Basic steps should not be news to cybersecurity professionals:

  1. Establish a clear governance framework that outlines AI deployment goals, data usage policies, and oversight responsibilities.
  2. Invest in robust training datasets to mitigate bias and ensure the AI can accurately detect real threats.
  3. Enforce rigorous testing and validation procedures, including adversarial testing to identify potential exploits.
  4. Maintain audit logs and version-control for the AI models, enabling swift rollback if necessary.
  5. Finally, foster a culture of transparency by openly communicating to stakeholders how and why AI is used within the security apparatus.
Qualys TRU Uncovers Five Local Privilege Escalation Vulnerabilities in needrestart
https://securityreviewmag.com/?p=27418 – Wed, 20 Nov 2024 06:57:03 +0000

The Qualys Threat Research Unit (TRU) has identified five Local Privilege Escalation (LPE) vulnerabilities in the needrestart component, which is installed by default on Ubuntu Server. Any local, unprivileged user can exploit them to gain full root access, with no user interaction required. The flaws have been assigned CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224 and CVE-2024-11003; remediation should be treated as urgent to protect system integrity.

“Needrestart is a utility that scans the system to determine whether a restart is necessary for the system or its services. Specifically, it flags services for restart if they’re using outdated shared libraries — such as when a library is replaced during a package update. By promptly updating services with the newest libraries, needrestart is vital for maintaining the security and efficiency of Ubuntu Server,” commented Saeed Abbasi, Product Manager, Vulnerability Research at Qualys TRU.

“The vulnerabilities are present in the needrestart component, installed by default on Ubuntu Server since version 21.04, impacting a substantial number of deployments globally. In versions before 3.8, the component allows local attackers to execute arbitrary code as root. This exploit is achieved by manipulating an attacker-controlled environment variable that influences the Python/Ruby interpreter, passing unsanitised data to a library that expects safe input, thereby enabling the execution of arbitrary shell commands,” added Abbasi.

Potential Impact
These vulnerabilities in the needrestart utility allow local users to escalate their privileges by executing arbitrary code during package installations or upgrades, where needrestart is often run as the root user.

An attacker exploiting these vulnerabilities could gain root access, compromising system integrity and security.
This poses considerable risks for enterprises, including unauthorized access to sensitive data, malware installation, and disruption of business operations. It could lead to data breaches, regulatory non-compliance, and erosion of trust among customers and stakeholders, ultimately affecting the organization’s reputation. Enterprises should swiftly mitigate this risk by updating the software or disabling the vulnerable feature.

Steps to Mitigate Risk
The fix is to update needrestart to version 3.8 or later through the distribution's package updates. Where that cannot be done immediately, disabling the interpreter heuristic in needrestart's configuration prevents the attack: the vulnerable code lives in the interpreter scanners, so switching them off removes the exposure. The configuration file is typically /etc/needrestart/needrestart.conf (drop-in files under /etc/needrestart/conf.d/ are read as well). The file is Perl syntax, so the setting must be an active, uncommented line:

# Disable interpreter scanners.
$nrconf{interpscan} = 0;

This modification disables the interpreter scanning feature. The trade-off is that needrestart will no longer flag services running under interpreters such as Python or Ruby whose modules have been updated, so treat the setting as a stopgap and remove it once the patched package is installed.
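A practitioner will want to verify both conditions the advisory relies on: the installed needrestart version relative to the 3.8 fix, and whether an active (not commented-out) interpscan setting is actually in effect. The following is an added example written for this page, not code from Qualys or the needrestart project. The version strings and configuration text it uses are constructed; the "last active assignment wins" rule follows from the configuration file being Perl executed top to bottom.

```python
import re

# Added example, not from the Qualys advisory or the needrestart project.
# From the text above: the fix shipped in needrestart 3.8, and an active
# "$nrconf{interpscan} = 0;" in the needrestart configuration disables the
# interpreter scanners the five CVEs live in.
FIXED_VERSION = (3, 8)

# An active (uncommented) interpscan assignment; the numeric value is captured.
_INTERPSCAN_RE = re.compile(r'^\s*\$nrconf\{interpscan\}\s*=\s*(\d+)\s*;', re.M)


def upstream_version(pkg_version):
    """Reduce a Debian/Ubuntu package version such as '3.6-7ubuntu4.3' to the
    upstream numeric tuple (3, 6): drop an epoch ('1:'), the Debian revision
    ('-7ubuntu4.3') and any non-numeric suffix ('~rc1')."""
    v = pkg_version.split(':', 1)[-1]      # strip epoch, if any
    v = v.split('-', 1)[0]                 # strip Debian revision
    parts = []
    for seg in v.split('.'):
        m = re.match(r'\d+', seg)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable_version(pkg_version):
    """True when the installed upstream version predates the 3.8 fix."""
    return upstream_version(pkg_version) < FIXED_VERSION


def interpscan_disabled(conf_text):
    """True when the configuration text disables interpreter scanners.
    The file is Perl, so this is a textual check: commented lines are ignored
    and the last active assignment wins, which is how a later line (or a
    conf.d drop-in appended to this text) overrides an earlier one."""
    values = _INTERPSCAN_RE.findall(conf_text)
    return bool(values) and values[-1] == '0'


def needrestart_status(pkg_version, conf_text):
    """'patched' (>= 3.8), 'mitigated' (older, interpscan off) or 'vulnerable'."""
    if not is_vulnerable_version(pkg_version):
        return 'patched'
    if interpscan_disabled(conf_text):
        return 'mitigated'
    return 'vulnerable'


if __name__ == '__main__':
    # Constructed sample configuration: the commented-out line must not count.
    sample_conf = "# $nrconf{interpscan} = 0;\n$nrconf{restart} = 'i';\n"
    print(needrestart_status('3.6-7ubuntu4.3', sample_conf))        # vulnerable
    print(needrestart_status('3.6-7ubuntu4.3',
                             sample_conf + "$nrconf{interpscan} = 0;\n"))  # mitigated
    print(needrestart_status('3.8-1', sample_conf))                 # patched
```

On a live host, feed it the output of `dpkg-query -W -f='${Version}' needrestart` for the version and the contents of /etc/needrestart/needrestart.conf followed by any drop-ins in /etc/needrestart/conf.d/. A result of 'mitigated' is the stopgap state; 'patched' is the goal.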

Rising Cyber Risks: Qualys Reports 30% Jump in CVEs
https://securityreviewmag.com/?p=27044 – Wed, 14 Aug 2024 07:21:37 +0000

According to new research from the Qualys Threat Research Unit (TRU), the number of CVEs published between January and mid-July rose by 30%, from 17,114 in 2023 to 22,254 in 2024. The increase reflects growing software complexity and the broader use of technology, and it calls for vulnerability management strategies that prioritise dynamically rather than by raw count.

Analysis of the 22,254 vulnerabilities reported in 2024 up to the research cut-off of July 21, 2024 shows that only 0.91% (roughly 200 CVEs) had been weaponized, and a still smaller fraction accounts for the most severe threats. This subset is the highest-risk tier: it is characterized by weaponized exploit code, active exploitation by ransomware operators, threat actors or malware, or confirmed in-the-wild exploitation.

The analysis also shows older CVEs being weaponized at a higher rate since the start of 2024: over the same period, weaponization of CVEs identified before 2024 rose by slightly over 10%, a stark reminder that cybersecurity is not just about staying ahead but also about not falling behind. Some of these vulnerabilities have been trending on the dark web for months. An example is CVE-2023-43208, a remote code execution flaw in NextGen Mirth Connect rooted in its XStream deserialization (Qualys Vulnerability Score 95/100), in an integration product heavily used by healthcare organizations.

“This resurgence of previously identified vulnerabilities, which mainly impact remote services and public-facing applications, highlights a significant oversight in updating and enforcing cybersecurity protocols. It emphasizes the need to shift from a purely reactive security posture to a more proactive, predictive, and preventative approach,” commented Saeed Abbasi, Product Manager, Vulnerability Research at Qualys TRU. “By adopting a holistic view that incorporates continuous monitoring, rapid patch management, and a deep understanding of the evolving threat landscape, businesses can significantly reduce their vulnerability to cyberattacks. This strategic foresight will protect critical assets and foster trust and resilience in our increasingly interconnected world.”

Mid-2024’s Most Wanted: Top 10 Exploited Vulnerabilities
In 2024, a select group of vulnerabilities has emerged as particularly prevalent targets for cyberattacks. Qualys ranks vulnerabilities by prevalence and impact, integrating factors such as CVSS base scores, exploit code maturity, real-time threat indicators and evidence of active exploitation for a comprehensive assessment.

This Top 10 ranking reflects their current significance in the cyber threat landscape. This designation is derived from an analysis incorporating data from over 25 distinct threat intelligence sources utilised by Qualys.

Critical Contenders: Just Missed the Cut
While the top 10 list captures the most crucial vulnerabilities of mid-2024, a few just missed the cut but still demand attention due to their high severity and potential impact. Organizations should address these immediately.

  • CVE-2023-22527 (Atlassian Confluence): a template injection flaw enabling unauthenticated remote code execution, with a QVS of 95 and a CVSS score of 9.8; attackers can run arbitrary code on affected Confluence Data Center and Server installations.
  • CVE-2023-48788 (FortiClient EMS): an SQL injection flaw (QVS 95, CVSS 9.8) that lets an unauthenticated attacker run arbitrary SQL against the EMS database, manipulate its contents and reach sensitive information.
  • CVE-2024-24919 (Check Point Security Gateways): an information disclosure vulnerability that, despite a lower CVSS score of 8.6 (QVS 95), lets a remote, unauthenticated attacker read sensitive data, including credentials, from gateways with remote access VPN or Mobile Access enabled.

All of the above vulnerabilities are listed on the CISA KEV, highlighting their recognized significance, exploitation in the wild, and potential impact. While not included in the top 10, each presents a clear and present danger to network security and requires prompt attention from cybersecurity teams to mitigate risks effectively and protect sensitive systems.

“Adopting a hybrid vulnerability management strategy that combines agent-based and agent-less methods, including network, external, and passive scans, is crucial. This approach is particularly pertinent given that 21.74% of CVEs in the CISA KEV catalogue are actively exploited on network and perimeter devices, underscoring the need for a comprehensive security posture to effectively identify and mitigate vulnerabilities. Organizations must ensure regular updates, diligent patch management, and advanced threat detection systems are in place to mitigate the risks associated with high- and critical-severity vulnerabilities,” added Abbasi.

Qualys Boosts Web App Security with AI and API Focus
https://securityreviewmag.com/?p=27022 – Tue, 06 Aug 2024 06:04:48 +0000

Qualys has announced the launch of its API security platform, which uses AI-powered scanning and deep learning-based web malware detection to secure web apps and APIs across the attack surface: on-premises web servers, databases, hybrid and multi-cloud environments, API gateways, containerized architectures and microservices.

APIs are integral to digital transformation initiatives across industries. The latest data indicates that over 83% of web traffic now comprises API traffic, highlighting their critical role in modern web applications using microservices, cloud, and hybrid environments. However, this also underscores the vulnerabilities that accompany their widespread adoption.

“Many organizations use a variety of security tools, such as SAST, DAST, SCA, or point solutions for API security that often operate in isolation, without a unified platform to integrate their findings. Moreover, the absence of integration between these tools leads to a fragmented view of the application security posture and results in uncoordinated efforts and gaps in security coverage. Similarly, SAST & DAST tools offer limited coverage for API-specific issues and focus predominantly on code vulnerabilities,” commented Kunal Modasiya, Vice President, Product Management, CyberSecurity Asset Management, Qualys. “Mainly, these solutions fail to extend their assessment to the runtime or environmental threats where APIs operate and provide visibility into the vulnerabilities of the underlying infrastructure hosting these APIs, leaving significant security gaps at the network and host levels.”

Qualys API Security lets organizations:

  • Measure API risks across all attack surfaces with a unified view of API security by discovering & monitoring every API asset across diverse environments, enabling better decision-making and faster response times.
  • Communicate API risks like OWASP API Top 10 vulnerabilities & drift from OpenAPI specs with real-time threat detection and response, minimizing the risk window and enhancing overall security.
  • Eliminate API risks with integrated workflows supporting Shift-Left & Shift-Right practices, bridging the gap between IT and security teams, promoting seamless collaboration, and improving operational efficiency.

Key features of Qualys API Security

  1. Comprehensive API discovery and inventory management
    Qualys WAS with API Security automatically identifies and catalogues all APIs within an organization’s network, including internal, external, undocumented, rogue, and shadow APIs. Whether APIs are deployed in multi-cloud environments (AWS, Azure), containerized architectures (Kubernetes), or API gateways (Apigee, Mulesoft), Qualys’ continuous discovery ensures an updated inventory across all platforms, preventing unauthorized access points and shadow APIs.
  2. API vulnerability testing & AI-powered scanning
    Qualys provides comprehensive API vulnerability testing using 200+ prebuilt signatures to detect API-specific security vulnerabilities, including those in the OWASP API Top 10, such as missing rate limiting, broken authentication and authorization, PII collection, and sensitive data exposure. For large applications, Qualys combines deep learning with AI-assisted clustering to scan efficiently: the clustering targets the critical areas of the application, and Qualys reports a 96% detection rate with an 80% reduction in scan time.
  3. API compliance monitoring
    Qualys performs both active and passive compliance monitoring to identify and address any drift or inconsistencies in API implementation and documentation in adherence to the OpenAPI Specification (OAS v3). Clear, standardized API documentation, in adherence to OAS, ensures that shared documentation is easily understood by recipients, simplifies security assessments and enforcement, and enhances the accuracy of code, benefiting both automated tools and human developers. Qualys also continuously monitors APIs for compliance with industry standards such as PCI-DSS, GDPR, and HIPAA to ensure that APIs remain compliant with evolving regulations, avoiding potential fines and enhancing data protection.
  4. API risk prioritization with TruRisk
    Qualys leverages its proprietary TruRisk scoring system, which integrates multiple factors such as severity, exploitability, business context, and asset criticality to prioritize risks based on overall business impact, ensuring that the most critical vulnerabilities are addressed first. It also categorizes risks based on the OWASP API Top 10, helping organizations focus on the most prevalent and severe API security threats.
  5. Seamless integration with Shift-Left and Shift-Right workflows
    Qualys integrates with existing CI/CD tools (e.g., Bamboo, TeamCity, GitHub, Jenkins, Azure DevOps) and IT ticketing systems (e.g., Jira, ServiceNow), supporting both shift-left and shift-right security practices. This enables automated security testing and real-time threat detection and response without disrupting development workflows, and by bridging the gap between IT and security teams it shortens the window between finding and fixing an API issue.
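The drift check described under "API compliance monitoring" above is easy to picture in code. The following is an added example, not Qualys code: it compares observed requests (constructed access-log lines) against a constructed OpenAPI 3 fragment and reports shadow paths, undocumented methods and undeclared query parameters. Path-template matching follows the OpenAPI rule that concrete paths take precedence over templated ones; the spec, the log lines and the finding format are all made up for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Added example, not Qualys code: detect drift between the traffic an API actually
# serves and what its OpenAPI 3 document declares. Both the spec fragment and the
# access-log lines below are constructed for the example.
SPEC = {
    "openapi": "3.0.3",
    "paths": {
        "/users": {
            "get": {"parameters": [{"name": "page", "in": "query"}]},
            "post": {},
        },
        "/users/{id}": {
            "parameters": [{"name": "id", "in": "path"}],      # path-level parameter
            "get": {"parameters": [{"name": "fields", "in": "query"}]},
            "delete": {},
        },
    },
}

LOG_LINES = [
    '10.0.0.5 - - [01/Aug/2024:10:00:01 +0000] "GET /users?page=2 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Aug/2024:10:00:02 +0000] "GET /users/42?fields=email&debug=1 HTTP/1.1" 200 310',
    '10.0.0.7 - - [01/Aug/2024:10:00:03 +0000] "PUT /users/42 HTTP/1.1" 204 0',
    '10.0.0.9 - - [01/Aug/2024:10:00:04 +0000] "GET /admin/export HTTP/1.1" 200 88213',
]

# Pulls method and request target out of a combined-log-format request line.
_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def _template_regex(template):
    """'/users/{id}' -> anchored regex in which each {param} matches one path segment."""
    parts = [r'[^/]+' if re.fullmatch(r'\{[^}]+\}', seg) else re.escape(seg)
             for seg in template.split('/')]
    return re.compile('^' + '/'.join(parts) + '$')


def match_path(spec, path):
    """Spec path template matching a concrete request path, or None.
    Concrete templates win over parameterised ones, as OpenAPI 3 requires."""
    for template in sorted(spec["paths"], key=lambda t: t.count('{')):
        if _template_regex(template).match(path):
            return template
    return None


def declared_query_params(spec, template, method):
    """Query parameter names declared at path level or on the operation."""
    item = spec["paths"][template]
    params = item.get("parameters", []) + item.get(method.lower(), {}).get("parameters", [])
    return {p["name"] for p in params if p.get("in") == "query"}


def detect_drift(spec, log_lines):
    """One finding per deviation from the spec; an empty list means no drift seen.
    Kinds: undocumented_path (shadow endpoint), undocumented_method,
    undeclared_query_param."""
    findings = []
    for line in log_lines:
        m = _REQ_RE.search(line)
        if not m:
            continue                      # not a request line we understand
        method, target = m.group("method"), m.group("target")
        url = urlsplit(target)
        template = match_path(spec, url.path)
        if template is None:
            findings.append({"kind": "undocumented_path", "method": method, "path": url.path})
            continue
        if method.lower() not in spec["paths"][template]:
            findings.append({"kind": "undocumented_method", "method": method, "path": template})
            continue
        extra = set(parse_qs(url.query)) - declared_query_params(spec, template, method)
        for name in sorted(extra):
            findings.append({"kind": "undeclared_query_param", "method": method,
                             "path": template, "param": name})
    return findings


if __name__ == "__main__":
    for finding in detect_drift(SPEC, LOG_LINES):
        print(finding)
```

Run against real traffic, the same three finding kinds map directly onto the inventory problems the feature list names: an undocumented path is a shadow or rogue API, an undocumented method is drift between implementation and documentation, and an undeclared query parameter (here a stray `debug=1`) is the kind of detail a spec review alone would not surface.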
Qualys Intros AI-Powered Web Application Scanning (WAS) with API Security
https://securityreviewmag.com/?p=26990 – Tue, 30 Jul 2024 03:04:06 +0000

Earlier publication of the announcement above; the text is identical.

Qualys Offers 30-Day Free Access to the Qualys Enterprise TruRisk Platform
https://securityreviewmag.com/?p=26632 – Mon, 22 Apr 2024 06:20:06 +0000

Qualys is offering free 30-day access to the Qualys Enterprise TruRisk Platform to help organisations discover and classify internet-facing and internal assets and prioritise vulnerabilities for swift, safe remediation, in line with the UK National Cyber Security Centre (NCSC) five-to-seven-day guidance. The NCSC recently released guidance recommending that vulnerabilities in internet-facing services and software be patched within five days and those in non-external-facing systems within seven days.

Hadi Jaafarawi, Managing Director for Middle East at Qualys

Many organisations find it challenging to accurately discover all their assets, specifically those that are internet-facing, efficiently measure and prioritise the risk, and then remediate it. Anonymised customer data from the Qualys Threat Research Unit (TRU) indicates the median time to remediate (MTTR) for the average organisation was 29 days. In contrast, the median time to weaponise (MTTW) was just seven days.

The free access to the Qualys Enterprise TruRisk Platform allows organisations to remediate issues in as little as 30 minutes and within seven days for full alignment. Incorporating Vulnerability Management Detection and Response (VMDR), CyberSecurity Asset Management, and Patch Management, the Qualys offering helps organisations to:

  1. Identify Internal and External Assets: Accurately discover both internal and external assets within your environment and flag End of Life (EOL) and End of Support (EOS) software and devices.
  2. Conduct Efficient Risk-based Prioritisation: Vulnerabilities are prioritised by their TruRisk score and automatically mapped to the necessary updates, simplifying IT workflows with a customised NCSC risk and remediation view.
  3. Automate Patching: Qualys Patch Management closes the gap between security and IT teams, bringing both groups together to safely prioritise and deploy patches automatically so that customers update by default within seven days.

“Given the rate at which adversaries are weaponising vulnerabilities, it is almost impossible for most organisations, with their complex infrastructures and patch workflows, to keep up,” said Hadi Jaafarawi, Managing Director – Middle East, Qualys. “By offering the Qualys Enterprise TruRisk Platform free for 30 days, organisations can avail of a solution that streamlines asset discovery, takes the guesswork out of understanding which vulnerabilities are the riskiest and helps with prioritisation, so they can mitigate risks quickly and efficiently to safeguard their businesses.”

]]>
In 2023, Less Than 1% of Vulnerabilities Presented Significant Threats to Businesses https://securityreviewmag.com/?p=26345 Fri, 19 Jan 2024 13:59:34 +0000 https://securityreviewmag.com/?p=26345 Qualys has released new research from the Qualys Threat Research Unit (TRU), delving into some of the critical vulnerabilities in 2023 and their impact on organizations. 26,447 vulnerabilities were disclosed in 2023, eclipsing the total number of vulnerabilities disclosed in 2022 by over 1,500 CVEs.

“While this is alarming and continues the years-long trajectory of more vulnerabilities being found than the year before, it is important to note that not all vulnerabilities present a high risk; in fact, a small subset (less than 1%) contributes the highest risk. These particularly critical vulnerabilities have a weaponized exploit, are actively exploited by ransomware, threat actors, and malware, or have confirmed evidence of exploitation in the wild,” commented Saeed Abbasi, Product Manager – Threat Research Unit, Qualys.

The Qualys TRU analyzed the high-risk vulnerabilities to get more insights and discuss common trends. The TRU inspected which were most exploited, what attack methods and tactics were used, and what strategies could be used to fortify defences against them. Some key takeaways from the research include:

Mean Time To Exploit Availability for High-Risk Vulnerabilities in 2023
The mean time from disclosure to the availability of an exploit for high-risk vulnerabilities in 2023 was 44 days (about one-and-a-half months). However, this average masks the urgency of the situation: in numerous instances an exploit was available on the very day the vulnerability was published. This immediacy represents a shift in the modus operandi of attackers, highlighting their growing efficiency and the ever-decreasing window for response by defenders.

One-Third of High-Risk Vulnerabilities Found in Network Infrastructure & Web Applications
A substantial 32.5% of the 206 identified vulnerabilities reside within the networking infrastructure or web application domains — sectors traditionally difficult to safeguard through conventional means.

More Than 50 Percent of High-Risk Vulnerabilities Exploited by Threat Actors & Ransomware Groups
Of the 206 high-risk vulnerabilities Qualys tracked, more than 50 percent were leveraged by threat actors, ransomware, or malware to compromise systems: 115 were exploited by named threat actors, 20 by ransomware, and 15 by malware and botnets.

The vulnerabilities identified span an extensive set of systems and applications, including, but not limited to, PaperCut NG, MOVEit Transfer, various Windows operating systems, Google Chrome, Atlassian Confluence, and Apache ActiveMQ. This breadth showcases that no application is beyond the reach of attackers, who are determined to exploit any vulnerability to compromise systems. Notably, many of these vulnerabilities, such as those found in MOVEit Transfer, Windows SmartScreen, and Google Chrome, are exploitable remotely, obviating the need for physical access to the targeted system.

Most Active Threat Actors of 2023
In 2023, the cyber landscape was shaken by TA505, also known as the CL0P Ransomware Gang. The group masterminded high-profile attacks by exploiting zero-day vulnerabilities in key platforms such as GoAnywhere MFT, PaperCut, MOVEit, and SysAid. Its use of diverse malware types for information gathering and attack facilitation marked it as a significant threat. The severity of these actions prompted advisories from the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), highlighting the need for improved cybersecurity measures.

Most Active Malware of 2023
In 2023, LockBit and Clop were prominent in the ransomware arena. LockBit, using its advanced ransomware-as-a-service model, targeted a range of organizations, including in the IT and finance sectors. Clop, known for exploiting vulnerabilities, conducted extensive attacks on large enterprises, notably in the finance, IT, and healthcare sectors.

“It is evident that the rapid pace of vulnerability weaponization and the diversity of threat actors pose significant challenges for organizations globally. To accurately assess the genuine risk presented by open vulnerabilities within their organization, businesses must employ a comprehensive set of sensors, ranging from agent to network scanners to external scanners. In addition, it is imperative to thoroughly inventory all public-facing applications and remote services to ensure they are not vulnerable to high-risk vulnerabilities. Finally, I’d advise organizations to employ a multifaceted approach to the prioritization of vulnerabilities — focus on those known to be exploited in the wild (start with the CISA KEV), those with a high likelihood of exploitation (indicated by a high EPSS score), and those with weaponized exploit code available,” added Abbasi. “These recommendations will help reinforce the critical need for a robust, proactive approach to vulnerability and risk management, especially in an increasingly sophisticated and pervasive era of cyber threats.”
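The prioritisation advice in the quote above (start with CISA KEV, then high EPSS, then weaponised exploit code) and the NCSC five-day/seven-day remediation windows referenced in the earlier 30-day access announcement combine naturally into a triage routine. What follows is an added example, not Qualys or NCSC code: the finding records, the KEV membership set and the EPSS scores are constructed for the demonstration, and the EPSS threshold of 0.5 is an assumption chosen here, not a figure from the research.

```python
"""Risk-based vulnerability triage with NCSC-style remediation deadlines.

Added example, not Qualys code. KEV, EPSS and FINDINGS are constructed
fixtures; real data comes from the CISA KEV catalogue and the FIRST EPSS feed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

EPSS_HIGH = 0.5                                   # assumption: "high likelihood" cut-off
SLA_DAYS = {"internet_facing": 5, "internal": 7}  # NCSC 5/7-day guidance

# Constructed KEV membership and EPSS scores.
KEV = {"CVE-2023-0001", "CVE-2023-0003"}
EPSS = {
    "CVE-2023-0001": 0.97, "CVE-2023-0002": 0.82, "CVE-2023-0003": 0.12,
    "CVE-2023-0004": 0.04, "CVE-2023-0005": 0.30,
}


@dataclass
class Finding:
    cve: str
    asset: str
    exposure: str        # "internet_facing" or "internal"
    cvss: float
    weaponised: bool     # public exploit code available
    published: date      # date the finding was raised on this asset

    @property
    def tier(self) -> int:
        """0 = in KEV, 1 = high EPSS, 2 = weaponised exploit, 3 = everything else."""
        if self.cve in KEV:
            return 0
        if EPSS.get(self.cve, 0.0) >= EPSS_HIGH:
            return 1
        if self.weaponised:
            return 2
        return 3

    @property
    def due(self) -> date:
        """Remediation deadline: 5 days if internet-facing, 7 days otherwise."""
        return self.published + timedelta(days=SLA_DAYS[self.exposure])


def prioritise(findings: List[Finding]) -> List[Finding]:
    """Order work: KEV > high EPSS > weaponised > rest; ties by due date, then CVSS."""
    return sorted(findings, key=lambda f: (f.tier, f.due, -f.cvss))


def overdue(findings: List[Finding], today_iso: str) -> List[Finding]:
    """Findings whose NCSC-style deadline has passed on the given ISO date."""
    today = date.fromisoformat(today_iso)
    return [f for f in findings if today > f.due]


# Constructed findings. CVE-2023-0004 has the highest CVSS but no exploitation
# signal, so a CVSS-only view would put it first; the triage below does not.
FINDINGS = [
    Finding("CVE-2023-0004", "intranet-wiki", "internal", 9.8, False, date(2023, 6, 1)),
    Finding("CVE-2023-0001", "vpn-gw", "internet_facing", 9.8, True, date(2023, 6, 3)),
    Finding("CVE-2023-0002", "web-01", "internet_facing", 7.5, False, date(2023, 6, 4)),
    Finding("CVE-2023-0005", "build-srv", "internal", 8.1, True, date(2023, 6, 2)),
    Finding("CVE-2023-0003", "hr-portal", "internal", 6.5, False, date(2023, 6, 5)),
]

if __name__ == "__main__":
    for f in prioritise(FINDINGS):
        print(f"tier {f.tier}  due {f.due}  cvss {f.cvss}  {f.cve} on {f.asset}")
    print("overdue on 2023-06-10:", [f.cve for f in overdue(FINDINGS, "2023-06-10")])
```

The ordering is deliberately coarse: exploitation evidence (KEV) beats a probability estimate (EPSS), which beats the mere existence of exploit code, and CVSS is only a tie-breaker. Deadlines are tracked separately from priority, so a low-tier internet-facing finding still surfaces once its five-day window lapses.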

]]>
Getting Security Metrics Right https://securityreviewmag.com/?p=26071 Mon, 23 Oct 2023 07:54:03 +0000 https://securityreviewmag.com/?p=26071 Written by Hadi Jaafarawi, Managing Director, Middle East at Qualys

When I imagine the region’s CISOs staring unblinkingly at their ceiling as they try to get to sleep at night, I imagine the questions burning in their brains, robbing them of rest. Where are our vulnerabilities? Are we making progress on risk? What is the ROI of our cybersecurity suite? These and other questions are not answered by sleepless rumination, no matter how hard we try. No, they are answered through measurement. But therein lies the challenge. How do we extract the right metrics from the fog of complexity that is the modern IT suite? How do we supply tactical thinkers with accurate information at the right time?

Setting the table
We must begin by focusing on outcomes. If we ingest too many telemetry feeds, we over-encumber the SOC and defeat our purpose before we even begin. If you define what you want to achieve, then it becomes easier to choose those metrics that illustrate delivery or shortfall. After you have determined what good and bad scores look like for your metric, think in terms of a narrative that will resonate with the relevant audience — end users, senior stakeholders, and GRC (governance, risk, and compliance) teams. While telling your story, be sure to include the limitations of current measurement and how to improve on this, once buy-in from your audience is achieved, and more budget is allocated. Also, be ready to answer questions such as “Why now?” and “Why not sooner?”. Let your narrative paint a picture of an ongoing process that has room to mature.

When you start out, it will be necessary to baseline everything to summarize your organization’s cyber-risk posture, from the perimeter (however you choose to define it) to the personal endpoints of remote-working employees. From this, you can gauge the best preventative, detective, and corrective controls to introduce. As part of baselining, perform an audit of data-retention standards and measure the organization’s adherence to them.

Bread and butter
After having established your baselines, you are ready to select Bread and Butter (B&B) metrics. For the purposes of storytelling, B&B metrics should be split into two groups — Below the Line (BTL) for tactical and operations teams and Above the Line (ATL) for leadership audiences. For the former, metrics must provide insights into network environments and arm the SOC with the right information at the right time to allow rapid and effective decisions that can mitigate risk.

The baseline for BTL metrics will have established a picture of hardware distribution and associated risks. For example, mobile devices like laptops are viewed with more suspicion than desktops that are permanently stationed within controlled premises. By distinguishing between assets like this, we can identify vulnerabilities and target mitigations more intelligently. We can also establish better controls. Reviews of software will also be necessary.

Yes, examine servers and cloud-hosting environments, but do not neglect the errant personal device used by a WFH employee. It may be riddled with unsanctioned software and may be missing mandated applications and critical updates. Also missing may be the software agents that gather the very information needed by security teams. The percentage of assets that are missing such agents is another critical BTL metric because not only are these assets at risk but so are any assets with which they share dependencies.

When considering ATL metrics, we need to provide leadership teams with the right information to craft value-adding risk-management strategies. These metrics centre on strategy and the building of a more resilient security posture, so they often involve organization-wide measurement and risk scoring. Cumulative risk scoring can be helpful in giving a bird’s-eye view of vulnerabilities and their associated risks. A risk heatmap allows leaders to see at a glance where they need to direct resources. Sometimes that can be done by instructing teams to refocus their efforts.

In other instances, investment in a new tool or platform may be required. Perhaps the problem can even be addressed through a new policy or awareness training for end users. Care should be taken, however, not to be misled by high-level metrics: a large population of low-risk assets can skew the organization's averages and hide a small set of critical exposures. It may be useful to separate ATL risk metrics by device type, such as clients, servers, and network infrastructure, together with device role.

Metrics such as these present decision makers with a view of elevated risk areas, which allows them to target cybersecurity investments. Further segmentation is advised between ATL metrics that cover internal networks and those that measure risk from external domains. As IT environments become more of a mixture of cloud and on-premises, understanding these risks separately helps leaders make better decisions about the source of risk and the extent to which they can control their exposure.

On-premises data centres and cloud platforms vary greatly in risk profile. On-premises facilities are physically more secure but challenges such as scaling, resources, and hardware maintenance remain. Cloud platforms solve these problems and present the added value of managed services and predictable costs. But when it comes to security, the shared responsibility model is a work in progress and the distribution of obligations between provider and customer represents many risks, including those associated with potential misconfigurations. It is important to get to grips with these details and balance the architecture of the environment with the organization’s risk appetite and business requirements.

Measure who you are
Organization-wide risk scoring may be critical, but that does not mean that we abandon more granular risk assessment. Segmentation can be done by geography, subsidiary, or business unit. Metrics that are tailored to these categories will lead to more actionable information. Again, stratification allows more efficient allocation of resources as teams deploy security measures intelligently to address unique challenges. Measurement must never stop, because threats never stop.
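The metrics this piece describes, the BTL agent-coverage figure, organisation-wide risk scoring, the ATL heat map, and segmentation by device type, zone and role, can be computed from a plain asset inventory. The following is an added example and is not the author's or Qualys's code: the inventory is constructed, the per-asset "risk" value is assumed to be a score on a 0-100 scale produced by whatever scoring the organisation uses, and the assumption that network devices cannot host an agent is this example's own. It also shows the skew warned about above: the organisation-wide mean is 32 while the internet-facing servers average over 70.

```python
"""BTL and ATL security metrics from an asset inventory.

Added example, not the article's or Qualys's code. ASSETS is a constructed
inventory; 'risk' is assumed to be a 0-100 per-asset score.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed inventory: type, role, zone, whether the agent is installed, risk score.
ASSETS = [
    {"id": "lt-001", "type": "client",  "role": "laptop",   "zone": "internal", "agent": True,  "risk": 12},
    {"id": "lt-002", "type": "client",  "role": "laptop",   "zone": "internal", "agent": False, "risk": 18},
    {"id": "dt-001", "type": "client",  "role": "desktop",  "zone": "internal", "agent": True,  "risk": 8},
    {"id": "dt-002", "type": "client",  "role": "desktop",  "zone": "internal", "agent": True,  "risk": 5},
    {"id": "dt-003", "type": "client",  "role": "desktop",  "zone": "internal", "agent": True,  "risk": 6},
    {"id": "sv-001", "type": "server",  "role": "web",      "zone": "external", "agent": True,  "risk": 91},
    {"id": "sv-002", "type": "server",  "role": "web",      "zone": "external", "agent": False, "risk": 88},
    {"id": "sv-003", "type": "server",  "role": "db",       "zone": "internal", "agent": True,  "risk": 40},
    {"id": "nw-001", "type": "network", "role": "firewall", "zone": "external", "agent": False, "risk": 35},
    {"id": "nw-002", "type": "network", "role": "switch",   "zone": "internal", "agent": False, "risk": 20},
]

AGENT_CAPABLE = ("client", "server")   # assumption: network gear cannot run the agent


def agent_coverage(assets: List[dict]) -> Dict[str, float]:
    """BTL metric: percentage of agent-capable assets with no agent, overall and per type."""
    totals: Dict[str, List[int]] = defaultdict(lambda: [0, 0])   # key -> [missing, total]
    for a in assets:
        if a["type"] not in AGENT_CAPABLE:
            continue
        for key in (a["type"], "overall"):
            totals[key][1] += 1
            if not a["agent"]:
                totals[key][0] += 1
    return {k: round(100.0 * missing / total, 1) for k, (missing, total) in totals.items()}


def mean_risk(assets: List[dict]) -> float:
    """Organisation-wide average: the ATL headline number, and the one most easily skewed."""
    return round(sum(a["risk"] for a in assets) / len(assets), 1)


def segment_risk(assets: List[dict], *keys: str) -> Dict[Tuple[str, ...], Dict[str, float]]:
    """ATL view: count, mean and max risk per segment, e.g. by ('type',) or ('zone', 'role')."""
    groups: Dict[Tuple[str, ...], List[int]] = defaultdict(list)
    for a in assets:
        groups[tuple(a[k] for k in keys)].append(a["risk"])
    return {
        seg: {"count": len(r), "mean": round(sum(r) / len(r), 1), "max": max(r)}
        for seg, r in groups.items()
    }


def heatmap(assets: List[dict], rows: str = "type", cols: str = "zone") -> str:
    """Text heat map of the maximum risk per (rows x cols) cell for a leadership summary."""
    cells = segment_risk(assets, rows, cols)
    row_vals = sorted({a[rows] for a in assets})
    col_vals = sorted({a[cols] for a in assets})
    lines = [f"{rows:>10} " + " ".join(f"{c:>9}" for c in col_vals)]
    for r in row_vals:
        lines.append(f"{r:>10} " + " ".join(
            f"{cells[(r, c)]['max']:>9}" if (r, c) in cells else f"{'-':>9}" for c in col_vals))
    return "\n".join(lines)


if __name__ == "__main__":
    print("agent gaps (%):", agent_coverage(ASSETS))
    print("org-wide mean risk:", mean_risk(ASSETS))
    print("by zone:", segment_risk(ASSETS, "zone"))
    print(heatmap(ASSETS))
```

Segmenting by zone separates the internal and external views the article recommends; adding "role" or a geography or business-unit field to the inventory gives the finer cuts of the closing section without changing the functions.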

]]>
Qualys Announces First-Party Software Risk Management Solution https://securityreviewmag.com/?p=25826 Mon, 07 Aug 2023 07:22:30 +0000 https://securityreviewmag.com/?p=25826 Qualys has announced it is opening up its risk management platform to AppSec teams to bring their own detections to assess, prioritise and remediate the risk associated with first-party software and its embedded open-source components. In the digital transformation era, every organization develops its own software to run its business. This first-party, or company-developed, software often lacks the disciplined vulnerability and configuration management practices used for third-party software. Studies have shown that over 90% of first-party software includes open-source components while more than 40% have high risks such as exploitable vulnerabilities.

Today, application and security operations teams rely on manual checks or siloed scripts to evaluate the security of first-party software, resulting in ad-hoc security assessment that impedes the ability to prioritize and remediate risk effectively. Furthermore, traditional vulnerability assessment or software composition analysis tools do not detect the presence of embedded open-source packages across the production environment. As a result, security teams face challenges in comprehending the true risk, particularly in security breaches like the Log4J incident.

The new Qualys solution enables organizations to bring their own detection and remediation scripts, written in popular languages such as PowerShell and Python, to Qualys Vulnerability Management, Detection and Response (VMDR) as Qualys IDs (QIDs), which the Qualys Cloud Agent executes in a secure and controlled manner. Qualys TruRisk then prioritizes the findings in the same workflow and reporting used for third-party software findings. Application and security teams can use their own detections to identify sensitive content, check the status of critical processes and applications, tag assets that hold sensitive or PII data, and mitigate critical vulnerabilities, for example Log4J by adjusting configuration files, or Follina by modifying GPOs or registry settings, so that risk from both first- and third-party sources is managed efficiently.

The new Qualys platform capabilities allow teams to:

  1. Easily Build Your Own Signatures – Create Qualys Detections (QIDs) and remediations based on your own logic or scripts leveraging major scripting languages such as Python, PowerShell and others. These detections integrate directly into VMDR workflows and TruRisk scoring, helping SecOps teams unify and manage risk across first and third-party applications in their environment.
  2. Proactively Detect, Manage and Reduce Supply Chain Risks: Get continuous, real-time visibility into deeply embedded open-source software packages, such as Log4J and OpenSSL, and commercial software components, using the Qualys Cloud Agent. Qualys TruRisk then prioritizes and correlates the information based on data from over 25 threat feeds and the asset’s business criticality, allowing security teams to rapidly mitigate high-profile issues such as zero-day threats and Log4J outbreaks by crafting custom detections and responses.
  3. Effectively Communicate Risk with Unified Reporting and Dashboarding: With native integration into VMDR workflows, communicate a unified view of risk in first- and third-party software to the right stakeholders via real-time dashboards and reports. Integration with ticketing systems such as ServiceNow and JIRA automatically assigns detailed remediation tickets to the right owners through a common view, so tickets are closed quickly and risk is reduced.
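The kind of bring-your-own detection described above, a script that looks for an embedded open-source component across a file system, is illustrated below for log4j-core. This is an added example, not Qualys code or a Qualys QID, and the page does not describe the output format the platform expects, so the list-of-dicts result is this example's own. It walks a directory tree, opens every JAR/WAR/EAR including JARs nested inside other archives, reports archives that carry org/apache/logging/log4j/core/lookup/JndiLookup.class (the class behind CVE-2021-44228), reads the log4j-core version from the bundled Maven pom.properties where present, and flags any copy older than 2.17.1, a threshold chosen for the example. The fixture JARs it scans are constructed on the fly in a temporary directory.

```python
"""Custom detection: JARs that embed a log4j-core with JndiLookup present.

Added example, not Qualys code. The sample tree built by build_sample_tree()
is constructed for the demonstration; MIN_SAFE is an assumed threshold.
"""
import io
import os
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
MIN_SAFE = (2, 17, 1)   # assumption for the example: older log4j-core is reported


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Pull 'version=2.14.1' out of a pom.properties body as a comparable tuple."""
    for line in text.splitlines():
        if line.startswith("version="):
            parts = line.split("=", 1)[1].strip().split(".")
            return tuple(int(p) if p.isdigit() else 0 for p in parts)
    return None


def inspect_jar(data: bytes, label: str, out: List[Dict]) -> None:
    """Record this archive if it carries JndiLookup or log4j-core metadata; recurse into nested jars."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = parse_version(zf.read(POM_PROPS).decode()) if POM_PROPS in names else None
        has_jndi = JNDI_CLASS in names
        if has_jndi or version is not None:
            out.append({
                "path": label,
                "version": ".".join(map(str, version)) if version else None,
                "jndi_lookup": has_jndi,
                # Class present and version unknown or below the threshold -> needs attention.
                "vulnerable": has_jndi and (version is None or version < MIN_SAFE),
            })
        for name in names:
            if name.lower().endswith(".jar"):
                inspect_jar(zf.read(name), f"{label}!{name}", out)


def scan_tree(root: str) -> List[Dict]:
    """Walk a directory and inspect every Java archive, skipping files that are not valid zips."""
    findings: List[Dict] = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".jar", ".war", ".ear")):
                continue
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                blob = fh.read()
            try:
                inspect_jar(blob, os.path.relpath(full, root), findings)
            except zipfile.BadZipFile:
                continue
    return sorted(findings, key=lambda f: f["path"])


def _jar(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip (jar) from name -> bytes; fixture helper."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, blob in entries.items():
            zf.writestr(name, blob)
    return buf.getvalue()


def build_sample_tree() -> str:
    """Constructed fixture: an old log4j-core, a 2.17.1 log4j-core, and an uber-jar nesting the old one."""
    root = tempfile.mkdtemp(prefix="log4j-demo-")
    old = _jar({JNDI_CLASS: b"\xca\xfe\xba\xbe", POM_PROPS: b"version=2.14.1\n"})
    new = _jar({JNDI_CLASS: b"\xca\xfe\xba\xbe", POM_PROPS: b"version=2.17.1\n"})
    uber = _jar({"lib/log4j-core-2.14.1.jar": old, "com/example/App.class": b""})
    os.makedirs(os.path.join(root, "lib"))
    for name, blob in {"lib/log4j-core-2.14.1.jar": old,
                       "lib/log4j-core-2.17.1.jar": new,
                       "app.jar": uber}.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(blob)
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_sample_tree()):
        print(finding)
```

The nested-archive walk is the part that generic package inventories miss: a shaded uber-jar reports no log4j-core dependency, yet the vulnerable class is still inside it. In a real deployment the root would be the application directories on the host and the result list would be mapped onto whatever result convention the scanning platform expects.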

“First-party applications, being proprietary, often lack adequate risk detection, prioritization and remediation support from scanning tools,” said Sumedh Thakar, president and CEO of Qualys. “Our first-in-industry capabilities enable organizations to leverage the Qualys platform’s capabilities, identifying and analyzing both first-party and third-party software risks to develop an overall TruRisk score for a comprehensive view of the organization’s overall risk.”

Enhancements to the Qualys Cloud Platform, including Custom Assessments and Remediation via VMDR integrations, will be available by the end of August.

]]>