One of my most frequent topics of discussion in my time as a vulnerability management architect was the question of a Qualys vulnerability vs discovery scan. It’s especially confusing because Qualys is completely silent on the topic. There’s a reason for that. Let’s talk about the types of Qualys scans and what they can do for you.
Officially, Qualys discovery scans don’t exist. That said, you can implement something very close to what Qualys’ competitors call a discovery scan, and reap numerous benefits from it.
What is a discovery scan?
The concept of a discovery scan in vulnerability management is a scan similar to an Nmap scan. It just sweeps your network looking for live hosts and tries to identify what they are. The goal isn’t to find vulnerabilities, just build an inventory.
Ideally, you then feed the results of the discovery scan into a vulnerability scan. This way, you aren’t trying to vulnerability scan empty space. This saves time and it’s easier on your network.
Qualys doesn’t officially support a discovery scan. Instead, it calls them map scans. But there’s a problem with map scans.
Pros and cons of Qualys map scans
Qualys doesn’t give a lot of things away for free, but map scans are one of them. You can map the known universe all you want for free, regardless of how big or small your Qualys subscription is. And then the Qualys UI produces a nice map of what it finds.
But there are two problems with Qualys map scans. First, they don’t always work in complex networks. If the map scan works in yours, great. But the Qualys map scan isn’t as smart or clever as the vulnerability scan. I once saw a Qualys vulnerability scan that by all rights should have failed. But it didn’t. Qualys found a leak in the network that it could use to scan a segment that it shouldn’t have scanned. It took four months, but it did it.
Map scans aren’t that resilient. Not at all.
The second problem with map scans is the results don’t integrate with the rest of Qualys. The results are there, but it’s up to you to download them and enter the hosts into Qualys yourself. There’s no reason you can’t use the API to automate it–one of many reasons to learn Python–but Qualys doesn’t have a facility to do it for you.
The third problem is map scans don’t apply tags. Tagging is the only facility to feed the results of one scan into another scan in Qualys. The whole point of discovery scans in competing products is to be able to tag your hosts, so you can do targeted vulnerability scans–say, all your Windows workstations during the day, and network equipment, Linux/Unix devices, and Windows servers at night. Qualys map scans can’t do that.
Here’s the workaround.
The Qualys Light Inventory Scan
If you go into your option profiles library in Qualys, you’ll find a profile you can import called a Light Inventory Scan. This is a map-like scan that uses the same codebase as the vulnerability scans. This means it’s robust like a vulnerability scan, and it also applies tags.
I’ve used a Light Inventory scan to tiptoe around sensitive devices for years. A vulnerability scan can sometimes cause devices to misbehave when they aren’t designed to handle fuzzing. But I can only think of one time in my career I found a device that couldn’t handle a light inventory scan, and those devices are becoming more rare because lots of other things can knock them down too.
The gray area on the light inventory scan is whether it’s free like a map scan, or costs money like a vulnerability scan. This policy has changed over time, so be sure to discuss it with your technical account manager to avoid violating your license.
Should a discovery scan be authenticated?
There are two schools of thought on whether discovery scans should be authenticated. One school says yes, because it improves identification and asset tracking, to avoid creating duplicate devices, and properly distinguish between Windows servers and workstations.
The reason not to authenticate discovery scans is that a rogue device could steal a password when you try to log into it. Security professionals don’t like that.
The workaround is to integrate Qualys with your password vault. That way, if someone does steal a password, it will have changed by the time they get a chance to use it for anything. Then you get the best of both worlds, as well as improved authentication on your vulnerability scans as well.
The difference between a vulnerability and discovery scan
A light inventory scan is just a defanged, declawed vulnerability scan. A vulnerability scan sweeps your network looking for vulnerabilities, and it may fuzz ports, check files, and do any number of other things to assess your devices on your network. Qualys has over 50,000 vulnerability signatures. It has enough intelligence not to throw all 50,000 of them at every host, but a vulnerability scan can throw a lot of thunder at your network.