Qualys announces TruRisk for Kubernetes, automating risk visibility

Guest:

  • Abhishek Singh

Qualys announces TruRisk for Kubernetes, a revolutionary security solution that automatically quantifies and manages risks across Kubernetes environments.

The solution stands out in the crowded security landscape by combining vulnerability management, risk quantification, and zero-day threat detection capabilities — offering organizations a complete view of their security posture from development to runtime.

What makes this particularly compelling is Qualys's unique approach to security: using deep learning for proactive threat detection, providing business-contextualized risk scoring, and enabling automated assessment at every level of the Kubernetes hierarchy (clusters, namespaces, and pods) — all while maintaining a pragmatic balance between security requirements and development velocity.

Transcription

Bart: Can you tell us who you are, what your role is, and where you work, specifically at Qualys?

Abhishek: My name is Abhishek Singh. I'm the Vice President of Product Management for Kubernetes and Cloud Security at Qualys. Qualys is a security and compliance company that manages risk for companies with hybrid infrastructures, from on-prem to cloud and multi-cloud, across various workload types, such as traditional workloads, containerized workloads, and cloud-native workloads. We have expanded our focus from vulnerability management to risk management, and we can discuss why risk management is important and what it entails, including topics like CVE, and how our product TruRisk for Kubernetes can help.

Bart: Perfect. So what do you want to share today with us?

Abhishek: I lead the Kubernetes and container security piece at Qualys, and would love to talk about that area in general and what Qualys has to offer in this space, particularly with TruRisk for Kubernetes.

Bart: And what problem exactly does Total Cloud KCS solve?

Abhishek: Qualys has been a vulnerability management leader for 25 years, with a threat research unit that has been managing vulnerabilities for legacy workloads. When considering containers, every monolithic application is being broken down into microservices, which increases the attack surface and the number of vulnerability findings. The quality of finding vulnerabilities is very important, and Qualys has been distinguished in how it does vulnerability management. We report missing patches, which is very actionable, meaning that when we report something, we take care of superseding patches and only report what is really applicable. This approach eliminates noise, and our reports are always remediation-ready. We also summarize vulnerabilities, taking four or five CVEs and creating one QID, a Qualys ID. Additionally, we score these vulnerabilities using 25-plus threat feeds integrated into our platform, which allows us to rescore vulnerabilities. While CVSS scores may show too many criticals and highs, and EPSS scores may show too few, Qualys' Threat Feed provides a more nuanced view, making it easier to manage risk. With many vulnerabilities to address, it's essential to decide which ones to fix first, and that's the problem we're trying to solve in the context of Kubernetes and containers.

Bart: Now, looking at this specifically from a problem or pain point perspective, what problem is Total Cloud KCS solving?

Abhishek: It's really about managing risk in modern cloud-native environments. If you look at what is new about cloud and cloud-native, it's summarized with the three acronyms DIE for cloud-native. Earlier, the security paradigm used to be CIA, which stands for confidentiality, integrity, and availability. These days, it's called DIE, which stands for Distributed, Immutable, and Ephemeral, and they map to CIA. So, you can map DIE to CIA. How do you manage risk in this new environment? The world said, let's shift left because things are distributed, immutable, and ephemeral. The only way to do it is to shift left. However, the fact is that you cannot shift risk left. If you have shifted risk left, it means that you've eliminated risk, which is not a possibility. It's very hard to accomplish a state where you have eliminated risk. You have to manage risk now. How do you manage risk? That's where we come in - we do the prioritization, and we also do runtime prioritization. So, we are a complete player from left to right, starting from how you manage risk that is inherent in your environment, and then how you manage threats at runtime in a very proactive way. We are also very distinguished in this area. The industry's approach to reactive threat management is when somebody figures out the way a threat behaves, writes a signature for it, gives it to you, and you start using it. Whereas in Qualys, we are zero-day capable. We don't need any signatures, and we are proactive about threat management. We have novel technology that uses deep learning to find threats proactively without any signatures. We have taken that whole paradigm and shifted it left. Now, we can do threat management in your registry. You can look for novel zero-day malware, supply chain attacks sitting in your images, and you can scan it with the same deep learning technology. We have a lot of innovation in terms of proactive threat management on top of vulnerability and risk management. 
Risk management is about posture. Even if you have a good posture, you can still be attacked, and that's when threat management comes in. We have a complete cycle of risk management, security management, proactive shift left, and runtime management, which is a very unique position for Qualys to be in.

Bart: In terms of the before and after of this product announcement, what do you expect to be happening in the next steps after KubeCon for Qualys?

Abhishek: So, I did not get my product announcement. The thing we are releasing is TruRisk for Kubernetes. Qualys is known for its risk quantification capability. We have been able to quantify this. When you do some work in security, you can express risk in a quantifiable way and say what it means for business. That's what Qualys is all about: measuring risks in a business context and determining how much risk you're reducing. We are taking this paradigm and mapping it to Kubernetes. Now, we'll have a TruRisk score for your Kubernetes clusters without requiring any additional work. When Qualys is deployed, it measures and quantifies risk for your clusters, and you can drill down to various levels, such as cluster level, namespace level, or pod level. This provides a full drill-down of risk, allowing you to manage your risk in Kubernetes in a fully automated fashion. That's what we are excited about, and that's the announcement we will make at KubeCon.

Bart: Can you just repeat the name for our listeners who may not be aware?

Abhishek: It's called TruRisk for Kubernetes. TruRisk is a Qualys construct that provides a TruRisk score, which is a quantification of your risk, mapped to Kubernetes automatically. This allows you to assess your risk across all your workloads, including hybrid cloud workloads, and compare it to your industry peers. TruRisk involves tagging and dashboarding, but in Kubernetes, the process can be automated without manual intervention due to the inherent context and tags already present in the system. As a result, you can obtain risk scores for your clusters, namespaces, and applications that span across clusters in an automated and out-of-the-box way.

Bart: Is TruRisk for Kubernetes open source and part of the CNCF landscape?

Abhishek: No, we are not an open source vendor per se. Obviously, our APIs are open source, with many contributions from people leveraging them, but our vulnerability management and risk-free solutions are closed source.

Bart: What's the Qualys business model?

Abhishek: We charge based on the number of assets we protect. For example, Total Cloud. We have a very flexible mechanism to scan your assets, including agent-based scanning, agentless scanning, and network-based scanning. However, we don't charge based on the scanning techniques. Instead, we charge based on the data, specifically the number of assets we protect, such as the number of virtual machines or nodes running containers. Our model is a SaaS-based subscription, where we charge per node per year, and the cost depends on the size of your deployment.

Bart: And what about your competitors? Who are the main competitors out there for Qualys?

Abhishek: If you think about containers and Kubernetes, the leading players have been AquaSec and Twistlock. Twistlock was acquired by Palo Alto, so now it's called Prisma Cloud. There's a divide in terms of containers and security, with early players like Twistlock and AquaSec on one side, and right players like Sysdig and CrowdStrike, the EDR players, on the other. These right players are in the middle, trying to harmonize both sides by having threat management that is risk-informed and risk management that is threat-informed, which is a unique play.

Bart: And to take that further, what factors or features in TruRisk for Kubernetes help differentiate it from Qualys competitors?

Abhishek: The risk approach that Qualys has taken is very novel. People do all kinds of vulnerability management and report vulnerabilities, but it's not actionable. Our approach is not just actionable, it's quantified. When you choose to do work, you can choose to work on the highest priority item that will have the biggest impact. You can't eliminate risk, but you can reduce it in a way that is business-prioritized and quantifiable. The question is, how do you present your progress to your board? What have you reduced, and what have you accomplished? This is the differentiator for us in terms of the value we provide for enterprises that want to manage their risk for a modern, cloud-native workforce.

Bart: Can I take this one step further? A common thing we hear when talking about security is that it's about cost, liability, and finger-pointing. How do you address that in Qualys?

Abhishek: So, that's a very good thing. There's a divide between Dev and Sec, similar to Dev and QA. QA's job is to find issues, while Dev's job is to prevent them. How do you reconcile this divide? From an organizational point of view, both teams aim to reduce risk. We don't want to increase the burden on Dev. With a shift left mindset, the burden is placed on developers to fix everything, which is not ideal. People want to have a meaningful conversation. For example, as a security department, I can say that any vulnerable container shall not run in my cluster. I can have an admission control policy stating that vulnerable containers can't run. However, this approach gives a burden to the developers. The fine line is having a meaningful policy. If I say that a container must be scanned by Qualys for vulnerability assessment before it can run, that's a very acceptable policy, and no one can object to it. This kind of meaningful progress towards risk management makes all parties happy. Developers want to move fast, while security teams want to minimize risk. To justify what we're asking for, we need to make it meaningful and understandable to developers. We cannot be a department of "no" and must allow people to have a good methodology that makes both developers and security teams happy.

Bart: And there was a Red Hat report that came out a few years ago, talking about how over 70% of vulnerabilities come from misconfigurations. This highlights the role development plays in building a culture, raising awareness, and making developers more security-aware. To incorporate them into the process and foster a stronger security mindset, organizations must consider the roles of policy guardrails. However, the question remains: how can organizations achieve this, considering factors such as CVSS scores and EPSS scores, and ensuring compliance with standards like CVE, all while following security paradigms like CIA (Confidentiality, Integrity, Availability) and DIE (Distributed, Immutable, Ephemeral), and implementing concepts like Zero Trust?

Abhishek: To build a more security-minded culture, some of these misconfigurations that lead to vulnerabilities need to be addressed from the start. This is the "shift left" concept, where the focus is on code to cloud and cluster to code. The challenge is how to go from left to right and right to left when an issue is found at runtime, and how to trace it back to the exact developer who created it. This speeds up Mean Time to Remediate, mean time to communicate, and mean time to remediate.

The other part of this approach is making these same capabilities available in a development environment, a CI/CD environment, and an IDE environment. When developers are coding their configuration, colleagues can scan their work and provide feedback, such as "this is bad." Providing early feedback helps people address issues sooner. However, if you try to fix everything, there's too much to handle. The point of early feedback is also a little tricky.

The goal is to make it seamless so that people who are forward-looking and want to address issues early have that option, while others can prioritize and do the least amount of work to get the most amount of security and reduce their risk. This is how we are thinking about it. The theme is how to shift left and make the same tools available to developers themselves, which is a maturity curve that people develop over time.

We are pragmatic about how this will play out, and we don't expect a sudden change where people spend 70% of their time fixing security issues. However, if we offer all these options to people and they want to shift left, and they have the maturity to do so, we'll put gates in place to maintain and preserve their baseline and prevent it from being compromised. These gates exist in CI/CD, where we can fail builds if they're vulnerable, and in admission control, where we can fail deployments if they're vulnerable. However, we don't enforce that. We have a complete left-to-right strategy and allow organizations to choose where they want to fit based on their maturity.

Bart: Abhishek, looking towards the future, what can we expect in the following months after KubeCon, both from TruRisk for Kubernetes and from Qualys more broadly?

Abhishek: Kubernetes has been a tricky thing. If you think about Docker, every container had to be explicitly exposed. You had to use some kind of networking to expose a port number on a Docker container. In Kubernetes, the pod network is open by default. It has a hard exterior and a soft interior, which is a fundamental way of construction for Kubernetes. If you want to expose something to the public internet, you have to make an explicit configuration to expose something. Internally, it's open by default, and that's a scary thing. One pod getting compromised puts everyone else at risk, and that's why true risk for a cluster makes sense, because you're sharing fate with all of the pods in the same cluster. You need to have that kind of resilience. Initially, people start with configuration management and having secure configuration, but in the long term, they want to become more resilient. You'll always have some risks or vulnerabilities, but how can you be resilient in light of all this? That's the language of Zero Trust. When you think about a soft interior and a hard exterior, that's a perimeter approach to security. You have a very perimeter-like hard exterior, and inside is all open, which is the same for Kubernetes. As we think about how to solve this, the idea of Zero Trust starts to come in. How can you create a least-privilege environment so that internally, things are nicely segmented? Once we get across this risk management thing, it will get to resilience, and that's where the Zero Trust kind of thing starts making sense. We are very fond of runtime security and how to be proactive. One way to be proactive is signature-free malware detection. The second way to be proactive is to profile your real applications; anything that is not aligned with that is a threat. If you have not whitelisted yourself, and again, whitelisting is a very hard problem, the way you do it is extremely hard. 
If we can solve that, then you're truly proactive towards security, and that's the language of Zero Trust. Zero Trust is something we are very fond of, and we think that as Kubernetes matures, people will start talking about those things. We are already on the journey towards taking our customers to Zero Trust-like approaches, and that's what is ahead of us, at Qualys.

Bart: Fantastic. Well, Abhishek, thank you very much for your time today. Looking forward to seeing what goes on next with all the work that you're doing, whether it comes to Zero Trust, helping organizations be pragmatic about their security approach. Keep up the amazing work. Take care.

Abhishek: Thank you. It's a pleasure talking, Bart. Bye.