Qualys announces service to help organisations comply with UK NCSC cyber guidance

NCSC advises patching window of 5-7 days; UK currently stands at 15-17 days MTTR.


Qualys is offering free 30-day access to its SaaS TruRisk platform. This move aims to assist organisations in adhering to the UK National Cyber Security Centre's (NCSC) guidelines that recommend a 5–7 day window for patching vulnerabilities. The announcement was made by Sumedh Thakar, president and CEO of Qualys, at the Qualys Security Conference in London on Wednesday.

The NCSC, in its guidelines released in February, advises organisations to patch bugs in internet-facing software and services within five days of a fix being released, and non-external-facing vulnerabilities within seven days. However, according to Qualys' threat intelligence data, the median time to remediate (MTTR) figures for external and internal glitches are 15 and 17 days, respectively, for UK organisations.
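The gap the article describes (a 5/7-day window against a 15/17-day MTTR) is a simple metric to track in-house. As an added example, not Qualys or NCSC code, the following Python computes median time to remediate per exposure class and flags findings outside the NCSC window; the finding records and the assessment date are constructed sample data.

```python
from datetime import date
from statistics import median

# NCSC patching windows cited in the article: days from a fix being released
# to remediation, by exposure class (internet-facing vs internal).
NCSC_WINDOW_DAYS = {"external": 5, "internal": 7}

# Constructed sample findings (not real data). Each entry: finding id,
# exposure class, date the vendor fix was released, date remediated
# (None if the finding is still open).
FINDINGS = [
    ("F-001", "external", date(2024, 4, 1), date(2024, 4, 4)),
    ("F-002", "external", date(2024, 4, 1), date(2024, 4, 16)),
    ("F-003", "external", date(2024, 4, 8), None),
    ("F-004", "internal", date(2024, 4, 2), date(2024, 4, 19)),
    ("F-005", "internal", date(2024, 4, 5), date(2024, 4, 10)),
    ("F-006", "internal", date(2024, 4, 3), date(2024, 4, 20)),
    ("F-007", "external", date(2024, 4, 1), date(2024, 4, 17)),
]

# Constructed date on which the assessment is run (open findings age up to it).
ASSESSMENT_DATE = date(2024, 4, 22)


def remediation_age(finding, today):
    """Days from fix release to remediation, or to `today` if still open."""
    _, _, released, remediated = finding
    end = remediated if remediated is not None else today
    return (end - released).days


def mttr_by_exposure(findings):
    """Median time to remediate per exposure class, over closed findings only."""
    result = {}
    for exposure in NCSC_WINDOW_DAYS:
        ages = [remediation_age(f, None) for f in findings
                if f[1] == exposure and f[3] is not None]
        result[exposure] = median(ages) if ages else None
    return result


def breaches(findings, today):
    """Ids of findings outside the NCSC window: closed late, or open past it."""
    return [f[0] for f in findings
            if remediation_age(f, today) > NCSC_WINDOW_DAYS[f[1]]]


if __name__ == "__main__":
    print("MTTR by exposure:", mttr_by_exposure(FINDINGS))
    print("Outside NCSC window:", breaches(FINDINGS, ASSESSMENT_DATE))
```

On the sample data the medians come out at 15 days (external) and 17 days (internal), matching the UK figures quoted above, and five of the seven findings fall outside the window.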

The NCSC's guidance consists of five key points: automate updates by default; identify assets, responsibilities, and vulnerabilities; triage and prioritise fixes; consider and "own the risk" of not updating a specific software; and regularly review the organisation's vulnerability.

Thakar said that the NCSC recommendations are practical yet demanding. "Adversaries are weaponising vulnerabilities more quickly than ever, which accounts for the NCSC's focus on prompt remediation of vulnerabilities. For most organisations, with their intricate infrastructures and patch workflows, it's challenging to meet the five-to-seven-day update time."

Thakar told Computing, "[The time-limited service] will identify external [internet facing] assets in any subsidiary, any application across the organisation. Then it assesses all your vulnerabilities to determine which are the most critical. Then third, and most important, it finds a way to patch them, and it can automatically patch those for you." The platform also covers internal assets, and all data collected by TruRisk will remain in the UK to comply with data protection laws.

The time-limited service provides "dedicated approaches and visualisations that make it easier to identify external assets and go through their patch deployment priorities," according to Eran Livne, senior director of endpoint remediation at Qualys. This includes flagging end-of-life and end-of-support assets that may need dedicated intervention, support for simplified IT workflows and risk-based prioritisation, and automated patching.

There are various reasons for patching delay, and one of them is a lack of focus on non-Microsoft products. Microsoft products are frequently patched automatically due to their ubiquity, but this may not always be the case with software from other vendors. According to Qualys, vulnerabilities in this long tail outnumber those in Microsoft's software in most organisations.

Another factor, according to Thakar, is the number of security tools that admins need to manage for scanning, detection, and patching. A third factor is a lack of strategy and prioritisation. Qualys aims to help customers prioritise their assets and patch those deemed important, he said.

The free service was announced to coincide with the London event, but is available to companies outside the UK as well. The company will doubtless hope that free users might become subscribers.

The pricing for the Qualys Enterprise TruRisk Platform varies based on the specific selection of apps, the number of network addresses, web applications, support contracts and so on. As per the company's website, prices for SMBs start at $2,195 per month, while on AWS Marketplace (US) prices start at $596 per month to monitor and manage 128 assets with Vulnerability Management, Detection and Response (VMDR).
