Introducing TruRisk™ 2.0: Enhanced Cybersecurity for Superior Risk Assessment
In a significant move to enhance cybersecurity risk calculation and understanding, Qualys has announced the launch of its Enterprise TruRisk™ Management (ETM) platform, set to debut in October 2024. The platform will offer a more accurate representation of actual security threats, based on customer feedback and rigorous analysis.
For Qualys ETM customers, the transition to TruRisk™ 2.0 will be seamless. Activation of the ETM module will automatically transition customers to the new TruRisk™ 2.0 scoring system without the need for additional action. Non-ETM customers, however, will not be impacted by this change.
What's New in TruRisk™ 2.0?
TruRisk™ 2.0 employs a maximum detection score approach for calculating risk, focusing more acutely on the number and severity of detections. It also dynamically adjusts risk scores every hour as new vulnerabilities are detected and existing ones are remediated.
The platform expands its risk sources to include Cloud Resources, Workloads, Containers, Web Applications, GenAI/LLM Models, among others. It also considers a wider range of risk factors such as Misconfigurations, Expired Certificates, Unauthorized Ports, Unauthorized Software, Required but Missing Software, and Custom Rule-based Risk Factors.
TruRisk™ 2.0 scores all vulnerabilities, both Qualys and third-party, using the Qualys Detection Score (QDS), which uses multiple signals for threat intelligence. It also uses CVE IDs for vulnerability counts to provide an aggregated risk score for an Asset.
Prioritization and Improved Precision
TruRisk™ 2.0 assesses individual vulnerabilities instead of a group of related vulnerabilities, considering the maximum criticality (max QDS) across all vulnerabilities and the number of occurrences in critical, high, medium, and low buckets. This approach ensures a clearer, more precise view of an asset's security posture by prioritizing maximum detected risks and their frequency.
Low-severity vulnerabilities do not offset high-priority risks in TruRisk™ 2.0, providing a truer representation of an Asset's security posture. The new algorithm in TruRisk™ 2.0 focuses on the maximum detected risks and counts of CVEs.
Score Capping
To prevent overwhelming users with excessive risk scores, TruRisk™ 2.0 caps the maximum score at 1000 and additional caps are placed on medium and low vulnerability detection counts.
Transition for Existing Customers
For existing Qualys customers, the transition to TruRisk™ 2.0 is automatic once they migrate to the new Enterprise TruRisk™ Management (ETM) module. The QID view within the VMDR platform will be maintained to ensure existing workflows and reports remain uninterrupted.
In October 2024, Qualys will announce the release of Enterprise TruRisk™ Management and introduce an enhanced version of the Qualys TruRisk™ 2.0 scoring system. The company looks forward to helping its customers navigate the ever-evolving cybersecurity landscape with greater precision and clarity.