What is our primary use case?
Our primary use case is to create an automated workflow that involves tagging assets, creating remediation policies, and automated patching. This process is intended to cover everything from asset discovery to remediation.
How has it helped my organization?
Qualys TotalCloud helps us with patching. There are certain limitations with SCCM when it comes to patching. A request needs to be created, and then it takes a lot of time, whereas Qualys TotalCloud, specifically in terms of remediation, is pretty much touchless, so zero-touch patching is what we have been trying to achieve. It helps us greatly in patching certain vulnerabilities that, for example, are Chrome-related. We do not have to depend on any other tool for patching.
Discovery is automated here. We have scheduled scans that discover. We have built an automation for that.
Qualys TotalCloud provides unified vulnerability and threat assessment across both IaaS and SaaS. We are using it more for SaaS environments. We are using it in Azure as well so that we can get a good security posture for it. We have a different team for IaaS.
Qualys TotalCloud has immensely helped us reduce active vulnerabilities. It has greatly affected our ability to build dashboards because we use it through the API. We have generated a lot of content and dashboards based on API integration, which provides us with up-to-date metrics. We have deployed cloud agents across Linux and Windows workstations. We get pretty much up-to-date data from Qualys scans. We also have vault integration. We have integrated it with CyberArk Vault. A lot of features have been helpful.
We are able to see the risks associated. It helps us prioritize based on the risk score. It helps us identify ground rules and remediate risks on them.
It has saved a lot of time and effort, but I do not have any metrics.
The TruRisk Insights feature gives us a good risk posture, but it is not yet embedded in our automation. We have built the GUI dashboards to view the risks and prioritize them.
The risk analysis is good. We are ingesting a lot of resources or products to see how we can improve the accuracy. The risk score helps us with accurate prioritization. There can be a scenario where something with a high vulnerability score might contribute to lower risk.
It has helped us in prioritizing the remediation and preparing better dashboards for our CISO's review.
What is most valuable?
It is a cloud-native app that integrates with both IaaS and SaaS. It seamlessly integrates with other platforms.
The features we use the most include zero-touch assessment for quick patch creation and deployment. Every time any vulnerabilities are identified, we can create quick patches and deploy them. Those are the ones that we basically use.
We are also trying to implement a risk-based program, although it is currently limited.
What needs improvement?
The patching process with Qualys Patch Management, which is part of TotalCloud, does not cover installing certain prerequisites on the servers or workstations. This shortcoming means we must rely on SCCM when any service stack updates or additional prerequisites are needed.
For how long have I used the solution?
I was a part of Qualys previously. I have used the whole Qualys VMDR suite for almost five years there and three years here. It has been a year or so with TotalCloud.
What do I think about the stability of the solution?
The stability of the solution is strong. I would rate it a nine out of ten for stability.
What do I think about the scalability of the solution?
It is absolutely scalable, and I would rate its scalability as nine out of ten.
We have multiple locations. The assets are spread across the globe, so we have deployments at multiple locations.
We have a team of five people working on this project, but we have many other projects and about 200 to 300 people working on TotalCloud.
How are customer service and support?
Support is good overall. While they do take some time to assess issues, we are generally satisfied with the support received.
Which solution did I use previously and why did I switch?
We have used Qualys for this project since its inception, and we did not use a different solution beforehand.
How was the initial setup?
The deployment was easy. On the infrastructure side, we have added agents to the base image itself. Automated scanning using discovery features helps ensure seamless operation.
We use Azure and OCI Cloud. The documentation provided was clear for our cloud setup. It was easy to install our scanners. The networking was set up by our cloud team, so it was easy to set it up.
We follow the whole change management request process here. The change request needs to be raised two weeks prior to installing the agents. There are a lot of processes involved where a sign-off is made for the agent to be deployed. It takes about two weeks for cloud agents to be deployed. For scanning through existing scanners, since the environment is already built up, we can scan within hours. That is not an issue. Scanner-based scanning is easy. We can scan seamlessly from the cloud and on-prem. Once an agent is a part of the base image, it is provisioned within hours. If we have to upgrade the agent, it goes through a whole change management process, which takes around two weeks.
It does require maintenance because we have to update our agents regularly. That is done as a part of our change management process. Its maintenance includes cleanups. There could be certain stale entries. We have to remove those stale entries in Qualys because there is no mechanism built in right now to clean them.
What other advice do I have?
I would definitely recommend Qualys TotalCloud to other customers. The accuracy of vulnerability detection signatures and the over-the-air updates for both scanners and agents ensure that everything is kept up to date.
I would rate Qualys TotalCloud a ten out of ten.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.