Qualys IOC 2.0 update improves threat detection and response

Qualys IOC 2.0 comes with increased threat detection and response capabilities designed to more accurately detect indicators of compromise and potential cyberattacks.

Qualys, a cloud-based security and compliance vendor, updated its Indication of Compromise offering. Part of the Qualys Cloud Platform, IOC 2.0 comes with new functions to deepen security coverage.

Qualys Cloud Platform is the vendor's architecture that powers IT security and compliance cloud apps and provides visibility across IT assets. Qualys IOC is an app on the vendor's platform that hunts cyberthreats, detects suspicious activity, and identifies known and unknown malware on devices on and off the network.

Indicators of compromise are pieces of data that identify potentially malicious activity in a system or network -- such as unusual privileged user account activity, increases in database read volume and nonhuman web traffic behavior -- indicating a cyberattack may have taken place.

According to Gartner, businesses are spending almost 9% more on security in 2019 than in 2018, with spending predicted to grow from $114 billion to $124 billion. A primary motivation for the increase in security spending is the need to address digital business risks -- achieved by focusing on building threat detection and response capabilities.

Updates to Qualys IOC include additional detection, investigation and response capabilities.

Qualys IOC 2.0's behavior-based scoring engine accounts for behavior attributes such as file analysis, process state and network connections in order to prioritize responses, enabling security analysts to respond to critical attacks first.

Extended attack detection identifies malicious, suspicious and fileless attacks that are often missed by antivirus agents. Qualys claimed this feature eliminates the cost and complex operation that other offerings require. Qualys IOC 2.0 is capable of scaling event correlation to handle the event volume that comes with modern attacks, according to the vendor.

Qualys' Elasticsearch clusters also enable users to store raw event telemetry and post-processed attack indicators across time-series and current state indexes in version 2.0. According to the vendor, this capability allows analysts to determine if an attack is live in a network and when the attack happened to bolster investigation and response.

Additionally, Qualys IOC 2.0 brings a real-time response platform service that enables analysts to create alerts and notifications for critical insights, managed by the Qualys Query Language -- supporting a two-second search for threat hunting, investigations and dashboard widgets. Alerts include email messages, integration with ticketing systems, Slack channel posts and PagerDuty incidents. Qualys intends to release more response methods later this year.

The Qualys IOC public API integrates with third-party SIEMs; threat intelligence platforms; incident handling and response systems; security orchestration, automation and response platforms; and IT ticketing systems. The vendor plans to support the Qualys Technology Add-on for Splunk in September 2019.

Qualys IOC was first introduced in 2017 to consolidate security features, such as network visibility, threat hunting, unified agent event collection and actionable intelligence for security analysts, among others.

Annual subscriptions for the Qualys IOC Cloud App start at $2,995 and are priced according to the number of assets where the Qualys Cloud Agent is installed.
