Rapid7, today announced several enhancements to its IT security data and analytics solutions portfolio, developed to enable security and IT professionals to manage risk in increasingly complex modern business environments. With these innovations, Rapid7 provides the ability to efficiently prioritize defensive measures, rapidly detect and investigate user-based attacks, and increase the effectiveness and efficiency of security controls.
“Every user is now a point on the perimeter, which creates opportunities for attackers to infiltrate organizations by targeting users,” said Lee Weiner, senior vice president of products and engineering at Rapid7. “Detecting these kinds of attacks is a huge challenge, particularly given the explosion in IT complexity, with data and assets now spanning virtual, cloud and mobile environments. To help security professionals succeed in addressing these challenges, we've enhanced our solutions to prioritize risks based on business impact, effectively detect incidents of user-based attacks, and improve the effectiveness of security controls.”
Assess and Prioritize Critical Risks in Business Context - Inside and Outside the Firewall
With limited resources, security and IT teams must prioritize their efforts - and this means understanding not only vulnerabilities and exploits, but also the business value of assets. For example, the CEO's laptop is more important to the business than a photo server, but a server with Payment Card Information (PCI) or Personally Identifiable Information (PII) may be the most important. Many security products identify high priority risks based on the severity of the vulnerability, but without understanding how critical that asset is to the business. Every organization is unique with different systems, users, business models, and compliance requirements. Manually prioritizing vulnerabilities, or prioritizing them without business context, may lead to the security team not focusing on the most impactful risks to the business, leading to greater exposure for the organization or inefficient operations.
Rapid7 Nexpose 5.9 introduces Rapid7 RealContext™, which aligns risk with business priorities, ensuring that resources are used effectively to mitigate security risks that matter to the organization. Security teams can automatically tag assets with business priority based on custom criteria, or manually tag assets as appropriate. While other vulnerability management solutions offer asset tagging, only Nexpose allows security teams to adjust the risk associated with each asset based on business context. RealRisk™ for each asset is automatically calculated with knowledge of that asset's business context, saving valuable time for security professionals while allowing them to focus on the highest-priority risks.
Coming soon in the second quarter, Nexpose will make it easier to discover and assess the risk of cloud assets by automatically scanning Amazon Web Services (AWS) deployments in Nexpose Scans. Organizations are rapidly adopting cloud deployments, such as AWS, to gain scale and performance efficiencies, meaning security teams need to consider risk management beyond the firewall. This can be complicated since individual machine instances can be added, removed, moved, or the IP or DNS names changed.
The new functionality from Rapid7 Nexpose enables companies to create more secure AWS environments by scanning Amazon Machine Instances (AMIs) for vulnerabilities and misconfigurations. Through integration directly with AWS, Nexpose continuously checks for AMIs that need to be included in the security assessment. This eliminates the need to manually track the assets in the AWS environment, saving valuable time for security professionals and ensuring there are no gaps in the security assessment.
Detect and Investigate User-Based Attacks
According to the Verizon Data Breach Investigation Report, compromised credentials are involved in more than 75% of all network intrusions, highlighting the importance of monitoring user behavior. Rapid7 UserInsight addresses this with a focus on detecting and investigating attacks through users and indications of compromised credentials across on-premise, cloud and mobile environments. With the latest release, UserInsight provides the ability to immediately determine which users may have been impacted by a phishing attack, so the attack can be contained quickly.
The latest version also enables security professionals to detect attackers as they move around within the environment. This is a huge challenge with increasingly common infiltration-style attacks, where perpetrators sneak onto the network and then spend a considerable amount of time undetected while identifying the means to access the information they want. UserInsight baselines and analyzes a user's common behaviors in order to detect anomalies that may indicate an attacker moving laterally. With the latest release, security professionals will be alerted about malicious lateral movement activities including: impersonation of users through techniques like pass-the-hash, abnormal user access to critical assets, elevated user privileges, re-enablement of disabled accounts, and improper use of service accounts.
Additionally, UserInsight is now able to monitor administrative access to AWS. With an increasing number of critical assets being moved to AWS, organizations need to ensure that only authorized users have administrative access to the AWS deployment. UserInsight enables an organization to get full visibility into administrator activity within its AWS resources, enabling the detection of compromised AWS accounts. This extends the integrations that UserInsight already has with other leading cloud services including SalesForce, Box, Okta, and Google Apps. Visibility into network, mobile, and cloud environments enables UserInsight to provide more complete detection to the enterprise. UserInsight detects and alerts on abnormal user behaviors that are likely indications of a compromise, such as user authentication to AWS and to a VPN from two geo-locations over a geographically impossible period of time.
Test the Effectiveness of Security Controls
One of the challenges that penetration testers face is avoiding the basic controls in place on the network such as anti-virus (AV) solutions. Traditional Metasploit Framework exploits are often detected by anti-virus solutions when conducting a penetration test. This can cause penetration tests to be significantly delayed or even fail. Rapid7 Metasploit Pro 4.9 addresses this, enabling users to create dynamic payloads that evade AV solutions, making it more efficient to penetrate the network in the way that attackers would and to test defenses. For example, in a lab containing ten widely deployed AV solutions, Metasploit Pro's new features evade AV solutions over 90% of the time, with no AV vendor detecting all available types of attack. These features significantly increase productivity of a penetration tester by saving many hours of trial and error to evade detection.
The new version of Metasploit Pro also introduces the ability to test the effectiveness of network segmentation. This is the act of splitting a network into subnetworks, each being a network segment. Network segmentation is a security best practice that consistently makes the top 20 list of critical security controls suggested by SANS. One of the advantages of network segmentation is that it can help contain the impact of a breach to one part of the network. Building on the MetaModule framework that greatly increases the efficiency of repetitive tasks, Metasploit Pro can now test the connection between any two network segments, validating whether the controls in place are effective. By testing the connection between any two network segments, the security team can help to keep intruders contained, and meet PCI DSS 3.0 audit requirements that allow organizations to limit the scope of an audit for segmented networks.
For information on pricing of Rapid7's IT security data and analytics portfolio, please email info@rapid7.com.
Rapid7 security analytics software and services reduce threat exposure and detect compromise for 3,000 organizations across 78 countries, including over 250 of the Fortune 1000. We understand the attacker better than anyone and build that insight into our solutions to improve risk management and stop threats faster. We offer advanced capabilities for vulnerability management, penetration testing, controls assessment, incident detection and investigation across your assets and users for virtual, mobile, private and public cloud networks. To learn more about Rapid7 or get involved in our threat research, visit www.rapid7.com.