Vulnerability Management Buyer's Checklist: Key Questions to Ask Before You Select a VM Solution


Vulnerability Management (VM) means systematically finding and eliminating network vulnerabilities. Choosing a VM solution is a critical step toward protecting your organization's network and data. Without proven, automated technology for precise detection and remediation, no network can withstand the daily onslaught of new vulnerabilities that threaten security. To help finalize your decision on which solution to buy, Qualys provides this 12-point checklist of considerations to help you determine what will work best for your organization.

12 Key Decision Points
1. Architecture
2. Security
3. Scalability / Ease of Use
4. Accuracy / Performance
5. Discovery / Mapping
6. Scanning
7. Reporting
8. Remediation
9. Policy Compliance
10. Management
11. Cost
12. Solution Vendor

Architecture

How is the VM solution delivered?
Is there software or hardware that you need to install and maintain, or is the software delivered as a service (SaaS), requiring only that you log in to your account via a web browser to start scanning? A system that requires you to manage installation, updates, hardware, database security, etc. ends up costing more than the purchase price of the software, and may require additional staff for ongoing operations.

Does the solution offer a graphical user interface?
Some offerings, particularly older, low-end or no-cost solutions, have only command-line interfaces, which can be tough to operate and offer limited customization (or access controls). Understand how the solution is delivered and test it before you buy it.

Do I have to run an agent on all my networked devices?
Software-based VM products may require you to install and update agents on every system to be scanned. Look for an architecture that does not require an agent, or any software at all other than a standard web browser with SSL/TLS support for accessing the interface.

Does the product require me to run a database?
Software-based VM products may require you to install and operate a database to house vulnerability management data. The SaaS architecture does not carry that requirement.

Why should I consider using SaaS for VM?
For an application like VM, a SaaS solution makes more sense than software for most companies. It is easier to deploy and manage, is more flexible in supporting evolving business needs, has lower and more predictable costs, scales, does not lock you into a long-term license, is easier to use, and is more reliable.

Security

What is the security model used to protect the solution?
It is crucial that the VM solution itself be secure, since it houses critical data about the network's assets and potential vulnerabilities. With software-based solutions, you are responsible for securing such systems and their data, which can be a complex task. With a hosted SaaS solution, security of the platform is handled by the provider, but you remain responsible for who in your organization is granted access and how their credentials are protected. Make sure the SaaS solution provides end-to-end protection for sensitive vulnerability data and uses multiple standard proactive controls at every layer of the application.

How is the solution physically protected?
Make sure you understand this from your vendor. Traditional software-based solutions require you to do all of this work; SaaS-based solutions handle it for you. For example, the QualysGuard service runs in Secure Operations Centers that pass annual SAS 70 Type II audits. QualysGuard machines and racks are locked in a private vault requiring badge and biometric authentication for access. Physical access is restricted to designated Qualys employees, who undergo third-party reference and background checks and sign a confidentiality agreement. Each system is secured behind a host-based firewall and a policy-driven file-system integrity checking system, plus an IDS architecture. Staff continuously monitor all systems and apply remediation and countermeasures. Qualys staff must be designated for access and are required to use two-factor authentication, with logging, for access to critical servers. Full backups are performed every 24 hours to a standby server and to encrypted tapes handled by a third party for offsite rotation.

How does the VM solution protect vulnerability data in transit?
If you select a SaaS solution, make sure all interactions require HTTPS connections with at least AES 128-bit encryption from the user's web browser to the system performing the scans. Require TLS 1.2 or later: SSLv3 and earlier protocol versions are known to be insecure and should be disabled on the service. Be very careful of clear-text communication for interface navigation, scan launching, or report generation. The system should support username/password and optional two-factor authentication (e.g. RSA SecurID) for login. Furthermore, the user's password should not be stored on any server in recoverable form (only a salted hash of it), and the solution provider should not have access to these passwords.

What access controls are built into the solution?
Be sure the VM solution provides hierarchical access control determined by user role and privilege level. A best-practice approach provides role-based access control for five distinct roles: Manager (complete control), Unit Manager (business-unit control), Scanner (may perform scans against assets permitted by a Unit Manager or Manager), Reader (only permitted to create reports), and Contact (no access to the system; alerts only). Each role should allow additional configuration settings for granular permissions.

How does the solution protect vulnerability scan data at rest?
Require that vulnerability data be encrypted and stored in a separate instance of a secure database. The encryption algorithm, key, and unlocking process need to be robust: the key must never be written to disk in clear text, nor held anywhere other than temporarily in system memory during the authentication / decryption phase at login.

Scalability / Ease of Use

What does it mean to say a VM solution can scale?
When using a software-based product, scalability is bound by the infrastructure you purchase, operate and maintain to run the product. Make sure you understand any limitations. SaaS removes that boundary on your side: it can perform external network discovery and vulnerability scans in the largest enterprise network environments. You should be able to scan every device with an IP address every day.

How does the VM solution scale to handle my network size?
Efficiently processing a large-scale network discovery and vulnerability scan is unfeasible without intelligent scanning. Make sure the system correlates the map it creates of your network devices and their operating systems with the known vulnerabilities that can affect each particular system, so that it runs only the checks relevant to each host. This ensures maximum speed and quality in assessing your network for vulnerabilities while minimizing network and host traffic.

Is the VM solution fully automated?
Manual discovery (or mapping) and scanning is time consuming and impractical, so automation is a must. Select a solution that lets you automatically assess your entire network for security risks at any time and immediately measure your compliance with external standards and controls. VM products that require too much manual intervention are prone to human error and inaccurate results, and waste time and resources.

What level of support comes with the solution?
Vulnerability issues never sleep, so make sure the solution includes 24x7x365 support. Support should include telephone, e-mail, and comprehensive online documentation, technical notes and FAQs. Be sure the vendor can back up support claims with an SLA.

Does the support include training?
Be sure your vulnerability management vendor teaches you everything you need to know and offers live and recorded training and certification programs. Ideally, you want all of this included with your subscription.

How does the solution integrate with other applications?
Interoperability with your other IT security applications is essential. The solution should enable built-in, custom workflows for scanning and remediation with existing call center / help desk systems such as Remedy AR System, leading SIM / SEM solutions such as Symantec SESA V2, patch management systems such as McAfee Remediation Manager, and Cisco Security Monitoring, Analysis, and Response System (MARS).

Accuracy / Performance

How accurate is the VM solution?
If the solution misses a vulnerability that attackers use to compromise your network, the answer is "not accurate enough". If it reports issues that are not real (false positives), it will overload you with bad data and waste valuable time. Many vendors claim superior accuracy; ask them to validate these claims, for example by scanning hosts whose patch state you already know.

Where does the VM solution get its intelligence about vulnerabilities?
Your scanning solution should leverage the industry's most comprehensive database of vulnerabilities and correlate this information with CERT, Symantec's DeepSight, SecurityFocus, Secunia, MITRE, and Seclists. Additionally, the solution should incorporate security bulletins from Microsoft and other leading software vendors.

How does the solution update its database with the latest vulnerabilities?
Before vulnerability detection signatures are released to you as a customer, they should be thoroughly tested. Open-source-based solutions often have no formal testing and acceptance process, so you could be running inaccurate checks. Also, signatures for high-risk vulnerabilities need to be updated and released within hours of public disclosure. Make sure the vendor has a credible KnowledgeBase that is updated multiple times per day with checks for new vulnerabilities and enhancements to existing signatures. It is critical that the entire update process be fully automated and completely transparent to you, the customer.

Can my scan policies automatically include new vulnerability signatures?
Automating vulnerability signature updates is crucial not just to protect your network from the newest threats, but to ensure continuous enforcement of corporate scan policies. Check that the solution handles this without human intervention.

How does the VM solution display vulnerabilities?
You will want to be kept aware of new vulnerabilities that may affect your network. The solution should display a list of the most recent vulnerabilities added to the KnowledgeBase. Information for each vulnerability should include a detailed description and remediation guidance. Ideally, the list should be interactive and enable users to query by CVE ID, keyword or title, vendor reference, etc.

Discovery / Mapping

Is discovery / mapping a component of the solution?
Scanning a network for vulnerabilities has a prerequisite: knowing what is out there to check. Vulnerabilities are specific, not general; they affect a particular platform, operating system and service pack, application and version number, patch level, and so forth. Make sure the solution can map all systems on your network and correlate that information with vulnerabilities to improve and speed up a scan. An accurate inventory enables prioritization for remediation and ensures that the correct patches are selected and applied. The discovery / mapping process also ensures thorough coverage of all devices on your network.

Does the solution make it easy to identify all devices on my network?
This task could be manual drudgery. Make sure the solution you choose completely automates the process. You should be able to simply enter an IP or range of IPs, and the system should quickly identify all the devices in that range.

What information does mapping reveal about the network?
The solution's automated mapping capability should discover all live devices on the network. A small-footprint scan needs to accurately identify the device's operating system and type (e.g. router, switch, access point). Ideally, the discovery process will also report other information such as DNS name, NetBIOS name, and when the device was last scanned.

Can the system discover rogue devices?
Your discovery map should show any new devices, whether approved or rogue, so that you have a thorough understanding of your network. Compare each map with the previous one and with your asset inventory: a host that appears in neither is the one to investigate first.

Can the solution correlate mapping data with our business units?
Mapping data should not exist in a technical vacuum. The solution should allow you to group network inventory by logical groups or by business units, with granular information about hardware, software, applications, services, and configurations. Access controls then allow a business unit to run maps, vulnerability scans and reports only on what it owns. Associating mapped data with business units also helps make results actionable.
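The five roles listed under Security and the business-unit scoping described here together form a small authorization model. The following is an added example, not QualysGuard code: the role names come from the checklist, while the action table, the AssetGroup/User shapes and the rule that a Scanner needs an explicit per-group grant from a (Unit) Manager are assumptions made for the illustration.

```python
"""Role-based, business-unit-scoped authorization for VM actions.

Added illustration (not QualysGuard code): the five roles come from the
checklist; the action table, AssetGroup/User shapes and the rule that a
Scanner needs an explicit grant per asset group are my assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

# Which actions each role may ever attempt. "alert" is receiving notifications only.
ROLE_ACTIONS = {
    "Manager":      {"map", "scan", "report", "manage_users", "alert"},
    "Unit Manager": {"map", "scan", "report", "manage_users", "alert"},
    "Scanner":      {"map", "scan", "report", "alert"},
    "Reader":       {"report", "alert"},
    "Contact":      {"alert"},
}


@dataclass(frozen=True)
class AssetGroup:
    name: str
    business_unit: str          # the unit that owns these assets


@dataclass
class User:
    name: str
    role: str
    business_unit: Optional[str] = None               # None: global scope (Manager)
    granted_groups: set = field(default_factory=set)  # groups a (Unit) Manager granted to a Scanner


def authorize(user: User, action: str, group: AssetGroup):
    """Return (allowed, reason). Deny by default: every allowing path is explicit."""
    if action not in ROLE_ACTIONS.get(user.role, set()):
        return False, f"role {user.role!r} may never {action}"
    if user.role == "Manager":
        return True, "Manager has global scope"
    # Everything below is scoped to the user's own business unit.
    if group.business_unit != user.business_unit:
        return False, f"{group.name!r} belongs to {group.business_unit!r}, not {user.business_unit!r}"
    if user.role == "Unit Manager":
        return True, "Unit Manager controls its business unit"
    if action in ("map", "scan") and group.name not in user.granted_groups:
        return False, f"{group.name!r} was not granted to Scanner {user.name!r}"
    return True, f"{user.role} permitted within {user.business_unit!r}"


def visible_groups(user: User, groups, action="report"):
    """Names of asset groups the user may perform `action` on; use it to scope report queries."""
    return sorted(g.name for g in groups if authorize(user, action, g)[0])
```

The check is deny-by-default: a Reader outside the owning business unit is refused before any role-specific rule runs, and `visible_groups` lets a reporting layer filter query scope with the same function rather than re-implementing the rules.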

Scanning

What are the top things to look for in a vulnerability scanner?
The goal of scanning is to find and fix network vulnerabilities. A scanner tests the effectiveness of security policy and controls in your infrastructure. To do this, it must systematically test and analyze IP devices, services and applications for known security holes. It must also report the actual vulnerabilities discovered and state what you need to fix, in order of priority, without jeopardizing the stability of devices.

Do I have to manually launch each scan?
In addition to manual control, the solution should allow you to schedule scans that run automatically without human intervention.

Does the solution support external and internal scans, with all data in one place and without poking a hole in my firewall?
External scanning assesses Internet-facing IPs from outside the perimeter; internal scanning assesses devices behind the firewall. The solution needs a secure methodology to carry out perimeter scanning of external-facing IPs. It also needs to understand the whole network and should be able to map domains and scan IPs behind the firewall. The devices required for internal scanning must be attack-resistant, using a hardened OS kernel and running no background services or daemons exposed to the network. The internal devices should automatically download software updates and new vulnerability signatures and fetch job requests in a secure and reliable manner; verify that these connections are initiated outbound from the appliance, so that no inbound firewall rule is needed.

Is the solution able to turbocharge scanning speed?
Large enterprises can benefit from a VM solution that optimizes the rate of scanning without overloading the network. For example, QualysGuard uses a scanner parallelization feature that increases scan speed up to four times while maintaining scan accuracy. The feature distributes a scan across multiple Scanner Appliances in a particular asset group. Upon completion, results are combined into a single report.

What about scanning networks owned by my business partners?
Electronic business processes are often intertwined with business partners. Unfortunately, their networks can be a conduit for exploits, so it is crucial to scan them too. Some security compliance regulations require partners to verify scanning, or your organization must do it for them. Your solution should be flexible enough that you can quickly scan any Internet-facing IP or range of IPs, so you can scan partner networks just like your own.

Does the scanner support trusted scanning?
Trusted (authenticated) scanning logs in to the target with credentials you supply, for example via Windows authentication, and gathers more system intelligence than an unauthenticated probe can, increasing the number of vulnerabilities a scanner can find. Your VM solution needs to fully support trusted scanning for Windows, UNIX, Oracle and SNMP systems. Trusted scanning is a mandatory requirement for compliance scans. Because the scan account's credentials are a high-value target, confirm how the solution stores them and scope the account to the least privilege the checks require.

Reporting

What types of reports does the solution provide?
Reporting is a critical feature of a VM solution because it guides remediation efforts. Network scanners are of little use if the reporting does not help you achieve your security and compliance objectives in a timely and cost-effective manner. Reporting needs to be both flexible and comprehensive. Reporting components should include network assets (IPs and/or Asset Groups), graphs and charts showing overall summaries and network security status, trend analysis, detailed information about discovered vulnerabilities, and filtering and sorting options for custom views of the data.

What canned, out-of-the-box reports are provided by the solution?
The solution should provide default reports that meet the typical requirements of most organizations. Scorecard reports are also critical, as they can help you quickly isolate Asset Group Vulnerabilities, Ignored Vulnerabilities, Most Prevalent Vulnerabilities and Most Vulnerable Hosts, and provide you with a Patch Report. Look for solutions that include Executive Level, Technical, Risk Matrix, and SANS Top 20 reports. If you have specific compliance requirements (e.g. Payment Card Industry), ask about pre-built reports to meet them.

What are the solution's template- and custom-reporting capabilities?
In addition to default reports, the VM solution must provide the flexibility to see vulnerability data any way you want it. You should be able to customize the level of detail for various audiences. Typical options include vulnerability severity level, type or specific ID (or CVE), asset group (e.g. geography, system function, location on network), IP address, service or port, status (e.g. new, active, fixed, reopened), or category (e.g. web-related, database, DNS, RPC, SMB, TCP/IP), with graphics to represent the chosen data sets.

How does solution reporting rank vulnerabilities?
The solution should assign severity rankings based on industry standards such as CVSS, the scoring system used by NIST's National Vulnerability Database, and identify each finding by its CVE ID. Vulnerabilities should be tagged to differentiate criticality. For example: Level 1 is minimal severity, Level 2 is medium, Level 3 is serious, Level 4 is critical, and Level 5 is urgent.

Can the solution share reports with designated people?
To reduce duplicated effort, the solution should provide a report distribution capability, including collaboration on and sharing of vulnerability status reports. Look for solutions that distribute and display reports according to a user's assigned role.

What formats does the solution provide for external report applications?
The VM solution should provide flexible output options for custom use. It should allow scan report data to be exported to external applications as PDF, compressed (zipped) HTML, Web Archive (MHT, for Internet Explorer only), CSV and XML.

Is there capability for trend analysis and differential reporting?
For strategic vulnerability management, the solution must be able to analyze trends and compare scan result data over time. For example, trend data should be presented for a specific number of days, weeks, or months. A differential report presents the last two scan detections of a specific group of assets, showing what is new, what persists and what has been fixed. As you will want to compare results over time, you need to be able to pick and compare sets of scans from any point in time.

Are there reports to help us comply with PCI, HIPAA, SOX and other regulations?
Compliance can be a major headache for IT departments that must produce documentation proving an organization has implemented the appropriate and effective security controls required by various laws and business regulations. Look for solutions that include these compliance reporting capabilities, with easy-to-use templates that let you extract vulnerability and host configuration data to meet your specific reporting requirements.

Can the solution work with other Security Information Management technologies?
Many large organizations already use SIM / SEM solutions. Look for solutions that support numerous related integrations, including ArcSight, Guardednet, NetForensics, Network Intelligence, Open Systems, Symantec SIM 4.0, NetIQ, Cisco MARS/Protego, Intellitactics, and e-Security.

Remediation

Why integrate remediation with a vulnerability scanner?
Discovering assets, scanning for vulnerabilities, and reporting are critical pieces of VM, but the end goal is to fix and eliminate vulnerabilities. Select a solution that integrates an automated remediation ticketing and tracking system. The system should automatically track changes in detected vulnerabilities after remediation to ensure the workflow reaches a successful conclusion.

How does the solution implement remediation policy?
There needs to be authorized policy control governing any remediation workflow. The solution should have menus that let you easily create remediation policies determining how tickets are created and to whom they are assigned. Make sure the system enables rules and permissions determined by user roles.

Is there a particular order in which the system schedules remediation?
Fixing vulnerabilities in order of severity makes logical sense. However, you also need a system that lets you factor in the criticality of the assets to be patched. The solution needs intelligent capabilities to prioritize remediation via policies determined by managers. The policies allow you to automatically prioritize remediation by weighing the severity of the vulnerability against business impact, i.e. how exploitation would affect the operations of a particular asset, a business unit, or the entire business.

What happens when a ticket is generated?
If using trouble-ticketing and workflow within your VM solution, make sure it can automatically generate a ticket when a vulnerability is detected by a scan. Based on predetermined policy, the ticket should be assigned to a designated person or group for remediation. The ticket should remain open until fixed; it changes to closed only after a subsequent scan verifies that the vulnerability is gone, not when the assignee reports it done.

Does the solution's ticketing function integrate with external systems?
Help desks in large organizations already use a trouble-ticketing system, so be sure the VM solution can integrate with third-party ticketing systems via a dedicated ticketing API that provides a programmatic XML-based interface for ticket extraction and manipulation. For example, QualysGuard provides built-in integration with the Remedy Help Desk system and has a dedicated ticketing API for other trouble-ticketing solutions.

How does the solution manage remediation efforts?
A large network often has many remediation tickets open at any point in time. A manager needs to understand progress and compliance with remediation policy by running a remediation report. Be sure your VM solution includes executive reporting on tickets, Tickets-per-Vulnerability, Tickets-per-User, and Tickets-per-Asset-Group. Users and managers will want to perform trend analysis on open tickets so they can monitor progress. Also, look for solutions that let you receive daily remediation ticket updates via e-mail.
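The differential report described under Reporting and the ticket lifecycle described in this section are two views of the same computation: diff two scans, open tickets for what is new, and close tickets only when the rescan no longer finds the vulnerability. The block below is an added example and not QualysGuard code or its export format: the two scan exports, the `<scan>/<host>/<vuln>` element names, the vulnerability IDs and the per-asset-group policy table are all constructed for the illustration.

```python
"""Differential scan comparison driving a remediation ticket workflow.

Added example, not QualysGuard code or its export schema: the two scan
exports, the <scan>/<host>/<vuln> element names, the vuln IDs and the
asset-group policy table are constructed for this illustration.
"""
import xml.etree.ElementTree as ET   # use defusedxml for exports from an untrusted source
from dataclasses import dataclass

# Constructed XML exports of two consecutive scans of the same two hosts.
SCAN_PREVIOUS = """<scan date="2008-05-01">
  <host ip="10.0.0.5" group="payment-web">
    <vuln id="V-1001" severity="5" cve="CVE-2008-0001"/>
    <vuln id="V-1002" severity="3" cve="CVE-2008-0002"/>
  </host>
  <host ip="10.0.1.9" group="hr-intranet">
    <vuln id="V-1003" severity="4" cve="CVE-2008-0003"/>
  </host>
</scan>"""

SCAN_CURRENT = """<scan date="2008-05-08">
  <host ip="10.0.0.5" group="payment-web">
    <vuln id="V-1002" severity="3" cve="CVE-2008-0002"/>
    <vuln id="V-1004" severity="4" cve="CVE-2008-0004"/>
  </host>
  <host ip="10.0.1.9" group="hr-intranet">
    <vuln id="V-1003" severity="4" cve="CVE-2008-0003"/>
  </host>
</scan>"""

# Assumed remediation policy: business impact (1-5) and assignee per asset group.
POLICY = {
    "payment-web": {"impact": 5, "assignee": "payments-ops"},
    "hr-intranet": {"impact": 2, "assignee": "hr-it"},
}


@dataclass(frozen=True)
class Detection:
    ip: str
    group: str
    vuln_id: str
    severity: int   # 1 minimal .. 5 urgent
    cve: str


def parse_scan(xml_text):
    """{(ip, vuln_id): Detection} for one export."""
    found = {}
    for host in ET.fromstring(xml_text).findall("host"):
        for v in host.findall("vuln"):
            d = Detection(host.get("ip"), host.get("group"), v.get("id"),
                          int(v.get("severity")), v.get("cve"))
            found[(d.ip, d.vuln_id)] = d
    return found


def differential(previous_xml, current_xml):
    """The differential report: (new, fixed, persisting) detections between two scans."""
    prev, cur = parse_scan(previous_xml), parse_scan(current_xml)
    new = [cur[k] for k in cur.keys() - prev.keys()]
    fixed = [prev[k] for k in prev.keys() - cur.keys()]
    persisting = [cur[k] for k in cur.keys() & prev.keys()]
    return new, fixed, persisting


def priority(d):
    """Severity weighted by asset impact: a serious flaw on a payment host outranks a critical one on a low-impact host."""
    return d.severity * POLICY.get(d.group, {"impact": 1})["impact"]


def open_ticket(d):
    return {"state": "open", "priority": priority(d), "cve": d.cve,
            "assignee": POLICY.get(d.group, {"assignee": "unassigned"})["assignee"]}


def update_tickets(tickets, previous_xml, current_xml):
    """Apply one scan cycle to the ticket table keyed by (ip, vuln_id); returns it."""
    new, fixed, persisting = differential(previous_xml, current_xml)
    for d in new:
        t = tickets.get((d.ip, d.vuln_id))
        if t and t["state"] == "closed":
            t["state"] = "reopened"       # back after a verified fix: a regression, not a new issue
        else:
            tickets[(d.ip, d.vuln_id)] = open_ticket(d)
    for d in persisting:
        tickets.setdefault((d.ip, d.vuln_id), open_ticket(d))   # first-cycle bootstrap
    for d in fixed:
        t = tickets.get((d.ip, d.vuln_id))
        if t and t["state"] in ("open", "reopened"):
            t["state"] = "closed"          # closed by the rescan, not by the assignee's word
    return tickets


def work_queue(tickets):
    """Open and reopened tickets, highest priority first."""
    live = [(k, t) for k, t in tickets.items() if t["state"] in ("open", "reopened")]
    return sorted(live, key=lambda kt: -kt[1]["priority"])
```

Running `update_tickets({}, SCAN_PREVIOUS, SCAN_CURRENT)` opens a priority-20 ticket for V-1004 on the payment host ahead of the severity-4 finding on the HR host (priority 8), and a ticket for V-1001 is closed only because the second scan no longer reports it; feeding the scans in the reverse order reopens it.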

Policy Compliance

Why integrate policy compliance with the VM solution?
Policy compliance capability links VM with corporate security policies, laws, and regulations. In particular, it allows you to automatically document and demonstrate compliance to internal and external auditors, saving time, money, and a great deal of manual effort. If this is important to you, look for solutions that have this capability.

How is the solution used by auditors?
In-house and third-party auditors require access to VM data to complete their responsibilities. Look for solutions that let you grant auditors access to compliance management features.

Does the solution segregate assets for compliance?
Most laws and regulations affecting network security apply to a subset of assets, such as Sarbanes-Oxley's requirement to protect systems used for financial reporting, or PCI's requirement to protect systems that process or transmit payment cardholder data. Be sure your VM solution allows you to assign specific assets to groups associated with specific policy requirements.

What policies and controls does the solution support?
Controls are created based on CIS and NIST standards and mapped to frameworks and regulations such as COBIT, ISO and ITIL. Controls are the building blocks for compliance policies, which are collections of controls pertaining to one or more technologies in your environment. Each control in the policy includes a statement of how the technology-specific item should be implemented, and one or more checks performed by the solution to validate the control. Select a solution that supports all of these.

Can the solution support existing policies?
Verify that the VM solution you select includes a Policy Library with controls that you can import directly into your account and use for compliance reporting. Controls should be classified by technology, compliance framework or regulation, and compliance check type. Once imported, you should be able to edit the controls to tweak control values and technologies to suit the needs of your organization.

How does the solution provide a protected audit trail?
Auditors will suspect (and likely reject) any vulnerability data that can be manipulated by your organization. Make sure the solution does not give users direct access to vulnerability data other than on a read-only basis, and that actions such as marking a vulnerability as ignored are themselves logged with who did it and when. Verify that your organization's vulnerability data is fully protected and isolated from external manipulation.
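The structure described above (a policy is a selection of controls; each control carries a statement, a technology, the frameworks it maps to, an editable control value and a check type) is easiest to see as data plus an evaluator. The block below is an added illustration, not Qualys's Policy Library: the control IDs, statements, values and the two host configurations are constructed, and the results it produces are for those constructed inputs only.

```python
"""Compliance policy = selected controls; each control carries a statement,
its technology, the frameworks it maps to, an editable value and a check.

Added illustration, not Qualys's Policy Library: control IDs, statements,
values and the two host configurations below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    cid: str
    statement: str
    technology: str        # technology the control applies to
    frameworks: tuple      # frameworks / regulations it is mapped to
    setting: str           # configuration item the check reads
    expected: object       # the editable "control value"
    check: str = "equals"  # check type: equals | at_least | at_most


# Constructed control library (values loosely follow CIS-style benchmarks).
CONTROL_LIBRARY = [
    Control("C-101", "Minimum password length is at least 8", "Windows", ("PCI",),
            "min_password_length", 8, "at_least"),
    Control("C-102", "Account lockout after at most 6 failed logins", "Windows", ("PCI", "ISO"),
            "lockout_threshold", 6, "at_most"),
    Control("C-201", "Root may not log in over SSH", "Unix", ("ISO", "COBIT"),
            "permit_root_login", "no"),
    Control("C-202", "Passwords expire within 90 days", "Unix", ("PCI",),
            "pass_max_days", 90, "at_most"),
]

# Constructed host configurations, as an authenticated (trusted) scan would collect them.
HOSTS = {
    "10.0.0.5": {"technology": "Unix", "permit_root_login": "yes", "pass_max_days": 60},
    "10.0.0.7": {"technology": "Windows", "min_password_length": 12, "lockout_threshold": 10},
}


def build_policy(library, technology=None, framework=None):
    """Select controls by technology and/or framework (e.g. the PCI policy across all technologies)."""
    return [c for c in library
            if (technology is None or c.technology == technology)
            and (framework is None or framework in c.frameworks)]


def evaluate_control(control, config):
    """'pass' / 'fail' / 'not_applicable' / 'error'. Missing evidence is an error, never a pass."""
    if config.get("technology") != control.technology:
        return "not_applicable"
    if control.setting not in config:
        return "error"
    actual = config[control.setting]
    if control.check == "equals":
        ok = actual == control.expected
    elif control.check == "at_least":
        ok = actual >= control.expected
    elif control.check == "at_most":
        ok = actual <= control.expected
    else:
        raise ValueError(f"unknown check type {control.check!r}")
    return "pass" if ok else "fail"


def compliance_report(policy, hosts):
    """Per-host results plus pass/fail/error counts per framework for the auditor's summary."""
    results = {ip: {c.cid: evaluate_control(c, cfg) for c in policy} for ip, cfg in hosts.items()}
    by_framework = {}
    for c in policy:
        for fw in c.frameworks:
            tally = by_framework.setdefault(fw, {"pass": 0, "fail": 0, "error": 0})
            for ip in hosts:
                r = results[ip][c.cid]
                if r in tally:
                    tally[r] += 1
    return results, by_framework
```

Two design points matter for audit use: a control whose evidence was not collected returns `error` rather than silently passing, and because each control carries its framework tags, the same evaluation feeds a PCI summary and an ISO summary without re-scanning.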

Management

How does the solution allow you to manage assets?
Asset grouping enables organizing assets by groups and business units, assigning them impact levels, and so forth. This feature is critical in the solution you choose. Be sure the solution offers great flexibility and fine-grained control in vulnerability scanning, remediation, and reporting.

How does the solution allow you to manage users?
Managing users of the VM solution essentially means assigning role-based access rights to execute device maps, run vulnerability scans, create policies, manage remediation, and govern policy compliance. Make sure the solution is robust and lets you manage users effectively and in granular detail.

How does the solution work with complex network configurations?
In IT, complexity often slows processing and delays the completion of otherwise straightforward operations. Test the VM solution's asset- and people-management capabilities. Verify that the solution makes it easy to segment your network for efficient, accurate VM.

Is there any system maintenance required, such as patching scanner software?
The VM solution you choose may or may not add to your continuous burden of patching software. Look for SaaS-based solutions, as they use an on-demand platform and handle all patching and system updates automatically. Make sure there is nothing for you to download, install, update, or maintain, even for internal Scanner Appliances. You should get the most up-to-date VM solution every time you use it.

What actions are required to manage activity by auditors?
The demands of an auditing team can be challenging. The VM solution you select should enable a Manager or Unit Manager to simply create Auditor user accounts for the authorized people conducting an audit. You probably do not want Auditors running compliance scans, but they should be able to define policies and run reports based on compliance scan data.

Cost

What are the costs of doing VM with traditional software solutions?
Understand your complete costs with the various VM solutions you are evaluating. Be sure to calculate the true total cost of ownership. Using a software-based VM solution entails many costs: the software itself requires license, annual support and maintenance fees. Users and administrators must be trained. There is the people-intensive process of getting departmental approvals and configuring and fine-tuning the applications. A database must be maintained and partitioned, and its data encrypted. Supporting and maintaining the applications requires staff to test and install updates and new signatures and to conduct scans and remediation. Finally, there is the cost of servers, appliances, storage infrastructure, and disaster recovery.

Isn't it cheaper to hire a consultant?
Consultants can be a great resource, but their work is usually focused on a penetration test, which finds vulnerabilities at a single point in time. Paying consultants to do regular, ongoing vulnerability assessments quickly becomes too expensive compared to other solutions. Consultants are best used to augment your security department's expertise and to assist in remediating issues uncovered in the VM process.

Can I save money by using free, open-source software?
Using free, open-source software can be tempting, but in the long run you need to factor in the real costs and overall effectiveness of such a choice. The obvious drawbacks, such as questionable code quality, the potential introduction of vulnerabilities via untested open-source modules, and skimpy training and support, should weigh heavily in your decision. You also still pay the traditional costs of using software noted above.

Does using commercial VM software offer a more cost-efficient option?
Commercial software is more likely to be of higher quality than open-source software, and comes with better training and support. It carries the extra annual costs of license, support, and maintenance, and you still pay for all the usual requirements of using software noted above.

How does Software-as-a-Service lower the costs of VM?
SaaS is the most cost-efficient way to do VM. With SaaS, a third party such as Qualys runs the application (QualysGuard) on secure Internet web servers, which users operate and control on demand with a web browser. You save money by paying a periodic subscription fee instead of paying for software, regular updates, and ongoing maintenance.

From an operational perspective, what other ways does SaaS lower costs?
A SaaS solution such as QualysGuard is already up and running, so it deploys immediately no matter how large and complex the infrastructure. There are no agents to install or other software to deploy anywhere in the infrastructure. QualysGuard also provides an API for simple, rapid integration with enterprise network management platforms.

Aside from deployment savings, isn't SaaS just as expensive as using software?
A SaaS solution such as QualysGuard is more cost-efficient than software because it is a hosted solution. Updates to software and vulnerability signatures are automatic and immediate for the entire enterprise. Collation of vulnerability data is automatic, so you get immediate enterprise-wide views of your security posture.

What are the soft costs lowered by SaaS?
There are many areas for additional savings. Deploying software to nationally or internationally dispersed business units often requires onsite help or professional services; SaaS deployment is immediate. Scaling software requires more hardware infrastructure; SaaS scales without requiring users to deploy more hardware. Compliance with corporate encryption policy using software can be complex; with SaaS, encryption is built in. Interoperability of software solutions often requires extensive customization; QualysGuard's built-in XML-based API plugs directly into any application that can consume XML.

Solution Vendor

What is the solution provider's business history and market strength? Make sure you're selecting a market leader that focuses on vulnerability management. Look at resources from analysts such as Gartner and Forrester to see what they have to say about the company and its solution. Read case studies and review their references. The company should have a solid reputation and a proven track record.

What is the solution provider's VM product line? A provider that focuses on VM solutions can usually offer breadth and depth across its product offerings. Make sure the solution fits your specific need; in other words, make sure it is scalable, robust enough, easy to use and cost-effective.

Who are some of the solution provider's customers? Look at how many customers are using the solution and what they have to say about it. Does the company openly provide case studies and testimonials from brand-name market leaders that use the solution? Are these companies actually using the VM solution? Check references and ask to speak with customers that may be in your industry.

Who are some of the solution provider's partners? Who does the company work with and integrate with? See if the solution integrates with leading security solutions and technologies in Security Information & Event Management (ArcSight, Cisco, netforensics, Network Intelligence, Novell, StillSecure, 1Labs, Symantec); Patch Management (Citadel); Help Desk Ticketing Systems (CA Service Center, BMC Magic Service Desk, HP Service Desk, Bugzilla and others); Risk Management (Redseal, Skybox); Network Access Control (MetaInfo); IDS/IPS (Neon Software, ForeScout); Network Patching (BlueLane); Network Behavior Analysis (Mazu Networks); Security Policy Management (Archer Technologies, McAfee); and Penetration Testing (Core Security Technologies).

What recent awards has the vendor won for its solution? Recent awards are another strong indicator of product quality and market penetration. For example, a few of Qualys' recent awards include SC Magazine Awards 2008 Winner (U.S.), Information Security Readers' Choice 2008, Frost & Sullivan Best Practices Award 2008, Information Security Decisions Best in Show 2007, SC Magazine Awards 2007 Europe Winner, and Network World Clear Choice Award.

Can I get a free evaluation of the VM solution? If you can't try it, don't buy it. You should see how the solution would work in your environment and give it a thorough test drive. It is important to see how easy (or difficult) it is to install, maintain, and use across your entire organization. Qualys provides a free 14-day trial evaluation of the fully functional QualysGuard solution. Start your evaluation now by logging onto:


More information

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency logo The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency Understanding the Multiple Levels of Security Built Into the Panoptix Solution Published: October 2011

More information

Analyzing HTTP/HTTPS Traffic Logs

Analyzing HTTP/HTTPS Traffic Logs Advanced Threat Protection Automatic Traffic Log Analysis APTs, advanced malware and zero-day attacks are designed to evade conventional perimeter security defenses. Today, there is wide agreement that

More information

CloudPassage Halo Technical Overview

CloudPassage Halo Technical Overview TECHNICAL BRIEF CloudPassage Halo Technical Overview The Halo cloud security platform was purpose-built to provide your organization with the critical protection, visibility and control needed to assure

More information

Vendor Questionnaire

Vendor Questionnaire Instructions: This questionnaire was developed to assess the vendor s information security practices and standards. Please complete this form as completely as possible, answering yes or no, and explaining

More information

McAfee Database Security. Dan Sarel, VP Database Security Products

McAfee Database Security. Dan Sarel, VP Database Security Products McAfee Database Security Dan Sarel, VP Database Security Products Agenda Databases why are they so frail and why most customers Do very little about it? Databases more about the security problem Introducing

More information

Blackboard Collaborate Web Conferencing Hosted Environment Technical Infrastructure and Security

Blackboard Collaborate Web Conferencing Hosted Environment Technical Infrastructure and Security Overview Blackboard Collaborate Web Conferencing Hosted Environment Technical Infrastructure and Security Blackboard Collaborate web conferencing is available in a hosted environment and this document

More information

Enterprise Security. Moving from Chaos to Control with Integrated Security Management. Yanet Manzano. Florida State University. manzano@cs.fsu.

Enterprise Security. Moving from Chaos to Control with Integrated Security Management. Yanet Manzano. Florida State University. manzano@cs.fsu. Enterprise Security Moving from Chaos to Control with Integrated Security Management Yanet Manzano Florida State University manzano@cs.fsu.edu manzano@cs.fsu.edu 1 Enterprise Security Challenges Implementing

More information

WHITEPAPER. Addressing Them with Adaptive Network Security. Executive Summary... An Evolving Network Environment... 2. Adaptive Network Security...

WHITEPAPER. Addressing Them with Adaptive Network Security. Executive Summary... An Evolving Network Environment... 2. Adaptive Network Security... WHITEPAPER Top 4 Network Security Challenges in Healthcare Addressing Them with Adaptive Network Security Executive Summary... 1 Top 4 Network Security Challenges Addressing Security Challenges with Adaptive

More information

Security Event and Log Management Service:

Security Event and Log Management Service: IBM Global Technology Services December 2007 Security Event and Log Management Service: Comprehensive, Cost-effective Approach to Enhance Network Security and Security Data Management Page 2 Contents 2

More information

Integrated Threat & Security Management.

Integrated Threat & Security Management. Integrated Threat & Security Management. SOLUTION OVERVIEW Vulnerability Assessment for Web Applications Fully Automated Web Crawling and Reporting Minimal Website Training or Learning Required Most Accurate

More information

Woodcock-Johnson and Woodcock-Muñoz Language Survey Revised Normative Update Technical and Data Security Overview

Woodcock-Johnson and Woodcock-Muñoz Language Survey Revised Normative Update Technical and Data Security Overview Houghton Mifflin Harcourt - Riverside (HMH - Riverside) is pleased to offer online scoring and reporting for Woodcock-Johnson IV (WJ IV) and Woodcock-Muñoz Language Survey Revised Normative Update (WMLS-R

More information