LONDON—We are pleased to announce that two Rapid7 solutions were recognized on Tuesday, June 21, at the prestigious SC Awards Europe, which were presented at the London Marriott, Grosvenor Square. InsightIDR took the top spot in the Best SIEM Solution category, and Threat Command brought home the award for Best Threat Intelligence Technology for the second year in a row.
The SC Awards Europe recognize and reward products and services that stand out from the crowd and exceed customer expectations. This year’s awards, which come at a time of rapid digital transformation and technology innovation, were assessed by a panel of highly experienced judges from a variety of industries. SC Media UK, which hosts the awards, is a leading information resource for cybersecurity professionals across Europe.
InsightIDR named “Best SIEM”
Security practitioners are using Rapid7 InsightIDR to address the challenges almost everyone shares: Digital transformation is driving constant change, the attack surface continues to sprawl, and the skills gap drags on.
Traditional security information and event management (SIEM) solutions put the burden of heavy rule configuration, detection telemetry integration, dashboard and reporting content curation, and incident response on the customer. But industry-leading InsightIDR has always been different. It ties together disparate data from across a customer’s environment, including user activity, logs, cloud, endpoints, network traffic, and more, into one place, ending tab-hopping and multi-tasking. Security teams get curated out-of-the-box detections, high-context actionable insights, and built-in automation.
With easy SaaS deployment and lightning-fast time-to-value, 72% of users report greatly improved team efficiency, 71% report accelerated detection of compromised assets, and most report reducing time to address an incident by 25-50%.
Threat Command named “Best Threat Intelligence Technology”
Rapid7 Threat Command is an external threat protection solution that proactively monitors thousands of sources across the clear, deep, and dark web. It enables security practitioners to anticipate threats, mitigate business risk, increase efficiency, and make informed decisions.
Threat Command delivers industry-leading AI/ML threat intelligence technology along with expert human intelligence analysis to continuously discover threats and map intelligence to organizations’ digital assets and vulnerabilities. This includes:
Patented technology and techniques for the detection, removal, and/or blocking of malicious threats
Dark web monitoring from analysts with unique access to invitation-only hacker forums and criminal marketplaces
The industry’s only 24/7/365 intelligence support from experts for deeper investigation into critical alerts
Single-click remediation including takedowns, facilitated by our in-house team of experts
100% of Threat Command users surveyed said the tool delivered faster time to value than other threat intelligence solutions they’d used, and 85% said adopting Threat Command improved their detection and response capabilities.
InsightIDR + Threat Command
Using InsightIDR and Threat Command together can further increase security teams’ efficiency and reduce risk. Users get a 360-degree view of internal and external threats, enabling them to avert attacks, accelerate investigations with comprehensive threat context, and flag the most relevant information — minimizing the time it takes to respond. With InsightIDR and Threat Command, customers are able to more effectively and efficiently see relevant threat data across their attack surface and quickly pivot to take immediate action – in the earliest stages of attack, even before a threat has fully evolved.
In this episode of Security Nation, Jen and Tod chat with Steve Micallef about SpiderFoot, the open-source intelligence tool of which he is the creator and founder. He tells us how the platform went from a passion project to a fully fledged open-source offering, with a SaaS option to boot, and how it can help security engineers automate tasks and focus on finding the major threats in their data.
Stick around for our Rapid Rundown, where Tod chats with producer Jesse about a new paper that reveals all is not as it seems with CVSS scores.
Steve Micallef is the author of SpiderFoot (www.spiderfoot.net), an open-source OSINT automation platform. You can follow him @binarypool on Twitter.
The digital economy is being disrupted by data. An estimated 79 zettabytes of data was created and consumed in 2021 — a staggering amount that is reshaping how we do business. But as the volume and value of data increases, so does the motivation for hackers to steal it. As such, cybersecurity is a growing concern for organisations across all industries, and budget requests are increasing as a result.
But if we’re spending more, why are organisations still getting hacked at an increasing rate?
In the first webinar of Cybersecurity Series: Hackers ‘re Gonna Hack, Jason Hart, Chief Technology Officer, EMEA, Rapid7, shared his experience on why executives need to reconsider their current operating model and ensure their cybersecurity budgets are working as hard as possible.
84% of our webinar audience agreed that doubling their cybersecurity budget would not halve the risk or impact for their business.
Cybersecurity departments are finding it extremely challenging to justify increases to their budget when they are not seen as directly contributing to revenue. There was also a time when cyber insurance was regarded as a safeguard and magic wand to protect us from risks. But now, these providers are placing more onus on organisations to ensure preventative measures are in place, including risk assessment, controls, and cybersecurity operations.
In an ever-evolving landscape, it is essential to take a step back and consider how you can improve your approach. The key question remains, “How do you do more with less?” You can’t protect everything – you need to understand what matters most and be able to manage, mitigate, and transfer risks by working with a range of stakeholders throughout your organisation. Here are four strategies that can help.
1. Embrace the evolution of profit and loss for cybersecurity
A profit-and-loss framework for cybersecurity enables organisations to identify their current level of risk, prioritise their efforts based on those risks, and then set benchmarks for improvements over time. The goal is to create an environment where you can proactively manage your cybersecurity risks rather than reactively mitigate them after they’ve occurred.
61% of our audience agreed they need to approach cybersecurity from a profit-and-loss perspective.
2. Become situation-aware
Awareness is the ability to look at all the information available, recognise what’s important, and act accordingly. It’s a skill that can be learned, practised, and improved over time.
You can’t fix what you don’t know, so it’s essential to have a clear understanding of the risks in your organisation and those that might arise in the future. We believe there are three levels of awareness:
Situation awareness: When an organisation understands the critical (people, data and process) and operational elements for executing information security strategy.
Situation ignorance: When organisations assume everything is OK without considering the impact of people, data, and processes. They may be implementing security controls and awareness training, but there is no straightforward process. The strategy does not align with risk reduction and mitigation, and budgets continue to increase.
Situation arrogance: Organisations that continue to spend huge amounts of budget, while still getting compromised and breached. They might consider people, data, and process, but they fail to act.
57% of our audience believed they were situation-aware. 31% said they were situation-ignorant, and 11% felt their organisations were situation-arrogant.
Try to identify your organisation’s cyber maturity to make improvements. To test impact and likelihood, ask your peers – in the event of a breach, what data would you be most concerned about if hackers applied ransomware to it? To test risk versus control effectiveness, consider where that data is located. When understanding impact and level of risk, find out what business functions would be affected.
3. Adapt or become irrelevant
Cybersecurity operations should be tailored to your organisation’s unique needs; there’s no one-size-fits-all approach. The move away from traditional operation models to a more targeted one requires a strong foundation for transformation and change. This includes:
Only 27% of our audience believed they have the foundations for a targeted operations model to carry over to cybersecurity.
4. Implement protection-level agreements
To eradicate a critical vulnerability, you might need to reboot, consider patch management, or bring systems down. It can be hard to assign a value to this work, but it will inevitably increase your budget.
For example, to reduce a critical vulnerability, the average annual cost for the business is £1 million per year. But what if we set up a protection-level agreement (PLA) so that any critical vulnerabilities are eradicated and managed within 30 days? That would reduce operational costs to approximately £250,000 per year.
But what if you are hacked on day 25? That isn’t a control failure – it results from a business decision that has been agreed upon. PLAs enable you to track and monitor threat activity so the business and leadership team can understand why you were breached. The approach also highlights gaps in your foundation, enabling you to address them before they become serious problems. For example, it might highlight potential challenges in handoff, process, or accountability. Additionally, a PLA is a language your stakeholders understand.
Everyone is on the same journey
Each stakeholder in your organisation is at a different stage of their journey. They have different expectations about how cybersecurity will impact them or their department. They also have different levels of technical knowledge. When planning communications, consider these differences to get them on board with your vision, working with them to ensure everyone’s expectations can be met.
Register for Part 2 Cybersecurity: Hackers ‘re Gonna Hack to find out more about getting your executive team on board. Jason Hart, Chief Technology Officer, EMEA, Rapid7, will show you how to implement new ideas to build your target operating model to drive effectiveness and change.
Ransomware is one of the most pressing and diabolical threats faced by cybersecurity teams today. Gaining access to a network and holding that data for ransom has caused billions in losses across nearly every industry and around the world. It has stopped critical infrastructure like healthcare services in its tracks, putting the lives and livelihoods of many at risk.
In recent years, threat actors have upped the ante by using “double extortion” as a way to inflict maximum pain on an organization. Through this method, not only are threat actors holding data hostage for money – they also threaten to release that data (either publicly or for sale on dark web outlets) to extract even more money from companies.
At Rapid7, we often say that when it comes to ransomware, we may all be targets, but we don’t all have to be victims. We have means and tools to mitigate the impact of ransomware — and one of the most important assets we have on our side is data about ransomware attackers themselves.
Reports about trends in ransomware are pretty common these days. But what isn’t common is information about what kinds of data threat actors prefer to collect and release.
A new report from Rapid7’s Paul Prudhomme uses proprietary data collection tools to analyze the disclosure layer of double-extortion ransomware attacks. He identified the types of data attackers initially disclose to coerce victims into paying ransom, determined trends across industries, and released the results in a first-of-its-kind analysis.
“Pain Points: Ransomware Data Disclosure Trends” reveals a story of how ransomware attackers think, what they value, and how they approach applying the most pressure on victims to get them to pay.
The report looks at all ransomware data disclosure incidents reported to customers through our Threat Command threat intelligence platform (TIP). It also incorporates threat intelligence coverage and Rapid7’s institutional knowledge of ransomware threat actors.
From this, we were able to determine:
The most common types of data attackers disclosed in some of the most highly affected industries, and how they differ
How leaked data differs by threat actor group and target industry
The current state of the ransomware market share among threat actors, and how that has changed over time
Finance, pharma, and healthcare
Overall, trends in ransomware data disclosures pertaining to double extortion varied slightly, except in a few key verticals: pharmaceuticals, financial services, and healthcare. In general, financial data was leaked most often (63%), followed by customer/patient data (48%).
However, in the financial services sector, customer data was leaked most of all, rather than financial data from the firms themselves. Some 82% of disclosures linked to the financial services sector were of customer data. Internal company financial data, which was the most exposed data in the overall sample, made up just 50% of data disclosures in the financial services sector. Employees’ personally identifiable information (PII) and HR data were more prevalent, at 59%.
In the healthcare and pharmaceutical sectors, internal financial data was leaked some 71% of the time, more than any other industry — even the financial services sector itself. Customer/patient data also appeared with high frequency, having been released in 58% of disclosures from the combined sectors.
One thing that stood out about the pharmaceutical industry was the tendency of threat actors to release intellectual property (IP) files. In the overall sample, just 12% of disclosures included IP files, but in the pharma industry, 43% of all disclosures included IP. This is likely due to the high value placed on research and development within this industry.
The state of ransomware actors
One of the more interesting results of the analysis was a clearer understanding of the state of ransomware threat actors. It’s always critical to know your enemy, and with this analysis, we can pinpoint the evolution of ransomware groups, what data the individual groups value for initial disclosures, and their prevalence in the “market.”
For instance, between April and December 2020, the now-defunct Maze Ransomware group was responsible for 30% of the incidents analyzed. This “market share” was only slightly lower than that of the next two most prevalent groups combined (REvil/Sodinokibi at 19% and Conti at 14%). However, the demise of Maze in November of 2020 saw many smaller actors stepping in to take its place. Conti and REvil/Sodinokibi swapped places (19% and 15%, respectively), barely making up for the shortfall left by Maze. The top five groups in 2021 made up just 56% of all attacks, with a variety of smaller, lesser-known groups being responsible for the rest.
Recommendations for security operations
While there is no silver bullet to the ransomware problem, there are silver linings in the form of best practices that can help to protect against ransomware threat actors and minimize the damage, should they strike. This report offers several that are aimed around double extortion, including:
Going beyond backing up data and including strong encryption and network segmentation
Prioritizing certain types of data for extra protection, particularly in fields where threat actors specifically seek out that data to put maximum pressure on the organizations they hit
Understanding that certain industries are going to be targets of certain types of leaks, and ensuring that customers, partners, and employees understand the heightened risk of disclosures of those types of data and are prepared for them
In this episode of Security Nation, Jen and Tod chat with Phillip Maddux about his project HoneyDB, a site that pulls data together from honeypots around the world in a handy, open-source format for security pros and researchers. He details how his motivations for creating HoneyDB derived from his time in application security and why he thinks open source is such a great format for this kind of project.
No Rapid Rundown this week, since RSAC 2022 has Tod tied up (and several time zones farther from Jen than usual). If you’re in San Francisco for the conference, stop by the Rapid7 booth and say hi!
Phillip Maddux is a staff engineer on the Detection and Response Engineering team at Compass. He has over 15 years of experience in information security, with the majority of that time focused on application security in the financial services sector. Throughout his career, Phillip has been a honeypot enthusiast and is the creator of HoneyDB.io.
On June 2, 2022, Atlassian published a security advisory for CVE-2022-26134, a critical unauthenticated remote code execution vulnerability in Confluence Server and Confluence Data Center. The vulnerability is unpatched as of June 2 and is being exploited in the wild.
Affected versions include Confluence Server version 7.18.0. According to Atlassian’s advisory, subsequent testing indicates that versions of Confluence Server and Data Center >= 7.4.0 are potentially vulnerable. There may also be other vulnerable versions not yet tested.
In the absence of a patch, organizations should restrict or disable Confluence Server and Confluence Data Center instances on an emergency basis. They should also consider implementing IP address safelisting rules to restrict access to Confluence.
For those unable to apply safelist IP rules to their Confluence server installations, consider adding WAF protection. Based on the details published so far, which admittedly are sparse, we recommend adding Java Deserialization rules that defend against RCE injection vulnerabilities, such as CVE-2021-26084. You can find an example here.
We are investigating options for a vulnerability check to allow InsightVM and Nexpose customers to assess their exposure to CVE-2022-26134. We will update this blog as new information becomes available.
On May 30, 2022, Microsoft Security Response Center (MSRC) published a blog on CVE-2022-30190, an unpatched vulnerability in the Microsoft Support Diagnostic Tool (msdt) in Windows. Microsoft’s advisory on CVE-2022-30190 indicates that exploitation has been detected in the wild.
According to Microsoft, CVE-2022-30190 is a remote code execution vulnerability that exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights. Workarounds are available in Microsoft’s blog.
Rapid7 research teams are investigating this vulnerability and will post updates to this blog as they are available. Notably, the flaw requires user interaction to exploit, looks similar to many other vulnerabilities that necessitate a user opening an attachment, and appears to leverage a vector described in 2020. Despite the description, it is not a typical remote code execution vulnerability.
Our teams have begun working on a vulnerability check for InsightVM and Nexpose customers.
InsightIDR customers have a new detection rule added to their library to identify attacks related to this vulnerability:
Suspicious Process – Microsoft Office App Spawns MSDT.exe
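As an added illustration of the parent/child relationship that rule keys on (example code written for this page, not Rapid7’s detection logic), the following Python flags process-creation events in which a Microsoft Office application is the parent of msdt.exe. The newline-delimited JSON event format and its field names (host, parent_image, image) are assumptions, and the sample events are constructed.

```python
"""Flag process-creation events where an Office app spawns msdt.exe.

Added example modelled on the detection rule named above. The event
format (JSON lines with host / parent_image / image fields) is an
assumption, not a real product schema.
"""
import json
from dataclasses import dataclass
from typing import Iterable, List

# Office applications that commonly open user-supplied documents.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_CHILD = "msdt.exe"


@dataclass
class Alert:
    host: str
    parent_image: str
    image: str
    rule: str = "Suspicious Process - Microsoft Office App Spawns MSDT.exe"


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_office_spawning_msdt(event: dict) -> bool:
    """True when an Office application is the parent of an msdt.exe process."""
    parent = image_name(event.get("parent_image", ""))
    child = image_name(event.get("image", ""))
    return parent in OFFICE_APPS and child == SUSPICIOUS_CHILD


def parse_events(jsonl: str) -> List[dict]:
    """Parse newline-delimited JSON process-creation events (assumed format)."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def detect(events: Iterable[dict]) -> List[Alert]:
    """Run the parent/child check over every event and return the hits."""
    return [
        Alert(e["host"], image_name(e["parent_image"]), image_name(e["image"]))
        for e in events
        if is_office_spawning_msdt(e)
    ]


# Constructed sample telemetry (not real data): two hits, two benign events.
# Event 2 is Word spawning the print helper; event 3 is a user launching a
# troubleshooter from Explorer, which the rule must not flag.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"host": "ws01",
                "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                "image": r"C:\Windows\System32\msdt.exe"}),
    json.dumps({"host": "ws01",
                "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                "image": r"C:\Windows\splwow64.exe"}),
    json.dumps({"host": "ws02",
                "parent_image": r"C:\Windows\explorer.exe",
                "image": r"C:\Windows\System32\msdt.exe"}),
    json.dumps({"host": "ws03",
                "parent_image": r"c:\program files\microsoft office\root\office16\excel.exe",
                "image": r"C:\WINDOWS\SYSTEM32\MSDT.EXE"}),
])


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{alert.rule}: host={alert.host} "
              f"parent={alert.parent_image} child={alert.image}")
```

The path normalisation matters: telemetry mixes casing and install locations, so matching on the bare image name rather than the full path keeps the rule from missing events like the Excel one above.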
Sales roles are all about people. That holds true not only when you’re building relationships with prospects but also in your day-to-day experience on the team. Having the right culture and people around you can make or break your success, satisfaction, and long-term growth. If you’re a job seeker looking for a technology sales role, getting to know the people you’d be working with can help you understand if that company is a place you can flourish and advance your career to the next level.
We asked two experienced sales leaders — Dan Bidwell, Regional Vice President – Central; and Jason Doris, Regional Vice President – East — who recently joined Rapid7 to tell us a little bit about themselves, what’s most exciting about being on their teams, and why they chose Rapid7 as the next step in their professional journeys.
What was your background prior to coming to Rapid7?
Dan: I have had a lengthy career selling enterprise technology solutions for both large high-tech providers and startups. My career started with companies like NCR, Sun Microsystems, and Oracle. I left Oracle to pursue a path of working with early-stage startup companies such as Portal Software, Arcsight, Veracode, and Illumio. I enjoyed the cybersecurity space, and once I started, I never looked back.
Jason: After 25 years in the document capture and workflow industry, I transitioned to cybersecurity. I have an eclectic background, having sold in virtually every segment (enterprise, mid-market, consumer) and in every route to market (eCommerce, B2B direct and through the channel, OEM) including 14 years in global roles.
I am coming from Fastly, an edge computing cloud services company focused on website acceleration and web application and API protection. While there, I started a Financial Services vertical where we closed large deals with the likes of Goldman Sachs and PayPal. Most recently, as the RVP for the East, Fastly’s “Security First” strategy has helped take customers like HCA, Metlife, Foot Locker, and Assurant away from competitors like Akamai and Cloudflare.
How did you first find yourself in a sales role?
Dan: My first sales role was with NCR out of college. NCR provided two benefits — one, they had an extensive training program for people who had not sold high-tech solutions. The second was that I worked for their Computer Systems Group, so I started selling both minicomputers and manufacturing software from the beginning.
Jason: In college, I grew disenchanted as a Psychology major and changed my major to Business Administration late in the process. Directly out of college, I returned to the supermarkets that I had worked in since I was 15 and entered the management trainee program. After rising to a department manager and experiencing 60-hour workweeks for 5 years, I took a chance on myself by entering a sales career. I believed that with my work ethic and lessons learned in a false start in grocery, and given a chance and a fair set of rules, betting on myself would pay off — and it has.
How would others on your team describe you as a leader?
Dan: I strive to be a leader who is hands-on and works closely with his team. This is not code for micromanagement but rather being another member of the team who is there to assist and add value in any way possible to advance the cause. No job is too big or too small to help with.
Jason: I believe that my team would say that I lead from the front and by example, that I take the profession of sales seriously, that I am grounded and transparent, and that I am a positive, optimistic influence.
How do you define and measure success?
Dan: In sales, success is ultimately defined by quota achievement. But quota achievement cannot be attained unless you build and enable a team of sellers who have a passion and a belief in both the solution they are selling, and their customer’s success and satisfaction with that solution.
Jason: I see success as achieving goals on one’s career arc and personal financial goals arc, while positively contributing to a company’s team selling culture.
What has surprised you or changed your ideas about what it means to be in sales?
Dan: If you observe sales from the outside, you may feel it’s about the individual, but the reality is that it’s about the team.
Jason: Mature athletes at the highest levels often refer to the game “slowing down” for them as they gained experience and became more successful. Despite what I would have initially believed, this is exactly what I have experienced: I started out selling on adrenalin and threw myself at my customers and prospects. Since then, I’ve planned my attack, listened more, had more opportunities, sought the advice of others, practiced conversations, surrounded myself with smart people, and focused on the needs of customers.
What do you think are the most important elements of a successful, thriving sales team?
Dan: The team needs to understand that you cannot go it alone. It can take a village to land a deal. Don’t be afraid to ask for help. Ask early, and ask often. And be willing to offer help to your teammates, as well.
Jason: Curiosity, creativity, energy, resourcefulness, resilience, and a willingness to bet on oneself.
What made you choose Rapid7 for this chapter in your career?
Dan: I have admired what Rapid7 has done and I am excited about where they are going in the future. I believe they have the right solutions at the right time. Rapid7 has a great culture, strong executive leadership and the company is financially strong.
Jason: I was looking for an important role at a growing security software provider with deep enterprise aspirations and a great culture. At Rapid7, what I found is an expanding portfolio with a high cross-sell ceiling and engaging conversation with everyone I’ve met. In our transition — largely from a mid-market, one- to two-product selling motion to that of an enterprise portfolio or platform company — the need for developing deep relationships with customers and the channel is key, and that’s something I enjoy and can help with.
What’s ahead for your sales teams at Rapid7? What kinds of opportunities and experiences can those who join expect?
Dan: What is ahead is an exciting ride. There will be plenty of challenges, victories, and fun. I expect we will build relationships that will last a lifetime.
Jason: Rapid7 is growing rapidly while learning to be more efficient at scale. We are not opportunity-constrained in the market, and we rely on a balanced approach — both landing new customers and expanding the ones we have. Sellers can expect to learn a diverse strategic approach from peers while given the freedom to develop and apply their best ideas.
Why should those looking to start or grow in sales roles bring their talents to Rapid7?
Dan: Rapid7 is a great place to learn, grow, and flourish. I can’t think of a better company to start and evolve your technology career.
Jason: Diversity in experiences, an excellent selling culture, and great technology. We also have stakeholders who are willing and able to help, as well as generous awards for those who succeed.
As you think about the year ahead in your role and at Rapid7, what are you most excited for?
Dan: Success!! As mentioned before, I believe we have the right products for us to meet and exceed our customers’ needs, and this is an exciting time where cybersecurity has become more of a “must have” than a “nice to have” for companies across all industries. I look forward to leading my team through the many wins and inevitable learning opportunities that are before us.
Jason: Learning, growing, and digging deep. Learning how to apply the benefits of our technology on the most important customer needs and challenges. Growing as a leader by surrounding myself with smart and ambitious sellers and applying the best suggestions early and often. Digging deep by immersing myself in customer and partner relationships.
In this episode of Security Nation, Jen and Tod chat with academics Omer Akgul and Richard Roberts about their recent paper, “Investigating Influencer VPN Ads on YouTube.” They talk about the over-promising and obfuscation that’s commonplace in advertisements for commercial VPN services on the video streaming platform and what these tactics reveal about communication around security tools and ideas to laypeople.
Stick around for our Rapid Rundown, where our hosts talk with Rapid7’s public policy guru Harley Geiger about the recent news that the US Department of Justice will stop prosecuting ethical hackers.
Omer Akgul is a fifth-year Computer Science Ph.D. student at the University of Maryland, College Park. Advised by Michelle Mazurek, Omer works on several human factors in security and privacy problems. Most recently, he has been investigating harmful mental models of secure communication tools. His research regularly appears in prominent security and privacy venues and can be found here.
Richard Roberts is a Ph.D. student at the University of Maryland studying computer science with Dr. Dave Levin. There is often a disconnect between technical specification and lay user perception. Richard is interested in how those cracks form, how they are leveraged by malicious actors, and how to design technical solutions that meet users where they are. Richard’s other research interests include authentication and impersonation on the internet, measurements and unintended consequences of the web’s PKI, and how security is depicted in media.
You can find links to his publications and more information about his work here.
In this episode of Security Nation, Jen and Tod sit down with Jim O’Gorman and Ben “g0tmi1k” Wilson of Offensive Security to chat about Kali Linux. They walk our hosts through the vision behind Kali and how they understand the uses, advantages, and challenges of open-source security tools.
Stick around for our Rapid Rundown, where producer Jesse joins Tod to talk about an upcoming change in security protocols across the internet that might make passwords obsolete (eventually).
Jim O’Gorman (Elwood) began his tech career as a network administrator with a particular talent for network intrusion simulation, digital investigations, and malware analysis. Jim started teaching for OffSec in 2009 as an instructor for the Penetration Testing with Kali (PWK) course — a role he still enjoys. He went on to co-author Metasploit: The Penetration Tester’s Guide and Kali Linux: Revealed, and has developed and curated a number of OffSec courses. As the Chief Content and Strategy officer, he currently oversees the open source Kali Linux development project and participates with OffSec’s Penetration Testing Team.
Ben “g0tmi1k” Wilson
Ben “g0tmi1k” Wilson has been in the information security world for nearly two decades. Since joining Offensive Security nine years ago, he has applied his experience in a number of roles, including live instructor, content developer, and security administrator. He currently manages day-to-day activity on Kali Linux as well as developing it and pushing it forward. He has worked on various vulnerabilities, which are published on Exploit-DB, a project he also works on. Furthermore, he created and still runs VulnHub, which offers hands-on experience.
No one wants their company to be named in the latest headline-grabbing data breach. Luckily, there are steps you can take to keep your organization from becoming another security incident statistic — chief among them, avoiding misconfigurations in the cloud.
Our 2022 Cloud Misconfigurations Report found some key commonalities across publicly reported data exposure incidents last year. Check out some of the highlights here, in our latest infographic.
In this episode of Security Nation, Jen and Tod chat with Whitney Merrill, Data Protection Officer at Asana, about her work on the Crypto & Privacy Village and data privacy more broadly. She talks about how she keeps up with both the excitement and the effort of running the village, a mainstay at DEF CON each year – including the curveballs thrown by COVID-19. Whitney also takes Jen and Tod’s questions about the major data privacy topics of the day, touching on everything from vaccine passports to new legislation in California, targeted advertising, and the overlap between security and privacy.
Stick around for our Rapid Rundown, where Tod and Jen talk about psychic signatures in Java – which doesn’t involve ghosts, but does involve Dr. Who.
Whitney Merrill is Asana’s Data Protection Officer and heads up the growing privacy team. Previously she was Privacy, eCommerce & Consumer Protection Counsel at Electronic Arts (EA) and an attorney at the Federal Trade Commission. In her spare time, she runs the Crypto & Privacy Village, a nonprofit, which appears at DEF CON & BSidesSF each year.
In this episode of Security Nation, Jen and Tod chat with Kate Stewart, VP of Dependable Embedded Systems at the Linux Foundation, about the open-source security projects she’s working on, including the Zephyr project. They chat about strategies for dealing with bugs and vulnerabilities in today’s complex tech landscape, including the much talked-about software bill of materials (SBOM), so we can reap the benefits of open source while avoiding the downsides as much as possible.
Stick around for our Rapid Rundown, where Tod and Jen talk about a recent piece of news in the open-source community: A developer used the “event-source-polyfill” npm package to write a piece of “protestware” decrying Russia’s aggression in Ukraine. They also pay homage to healthcare cybersecurity stalwart Mike Murray, who recently passed away.
Kate Stewart works with the safety, security, and license compliance communities to advance the adoption of best practices into embedded open-source projects. With over 30 years of experience in the software industry, she has held a variety of roles and worked as a developer in Canada, Australia, and the US and for the last 20 years has managed international software development teams and activities. Kate was one of the founders of SPDX and is currently the specification coordinator. She is also the co-lead for the NTIA SBOM formats and tooling working group. Since joining The Linux Foundation, she has launched the ELISA and Zephyr Projects among others, as well as supporting other embedded projects.
How have you grown professionally since joining Rapid7?
The majority of my career has been as an individual contributor, which is where I’ve felt most comfortable. I’m now becoming more involved with the people management side, and at Rapid7, I’ve been lucky enough to work for some amazing leaders. I’ve really learned a lot, and Rapid7 as an organization has also been incredibly proactive for my career progression and continued learning.
What 3 words would you use to describe the culture at Rapid7?
Inclusive, supportive, and surprising. Every organization should strive to be inclusive and supportive, but Rapid7 nails it. Whatever is happening in your day to day, whatever inevitable misunderstandings occur when communication might not be optimal, Rapid7 and the herd have your back, always and without question. I’ve been around long enough to know this is the exception, not the rule. My expectations are constantly exceeded when Rapid7 puts the herd first.
What advice would you give a candidate to stand out in the interview process?
Know your audience. Researching the company’s executives, products, and locations is a start, but that is not what makes Rapid7 an amazing place to work. Look at the Rapid7 core values and ask how your own values align, because that is where the win-win will come from.
When (or where) are you most productive?
In the office, without a doubt. One chat is worth a thousand Slack conversations.
Which of our core values do you embody the most?
Challenge Convention is the most obvious one. I am constantly asking, “Why is it like this, and how could it be better?” The key is to take a breath and listen to the answers.
What is it that makes cybersecurity such an exciting field?
There are a couple of things to call out, the first being the steep learning curve. It’s impossible to stagnate or become bored as the world realizes why cybersecurity is actually important. The second is, we actually help people. I don’t do this job purely for altruism – I do get paid as well – but knowing that helping our customers protect themselves and their customers is incredibly important for me as a person.
What did you want to be when you grew up?
A pilot, but my colorblindness put paid to that. Weirdly, believe it or not, my second choice was programmer, which was almost as unlikely as pilot because this was in the pre-internet days.
Want to join Adrian and his team? We’re hiring! Browse our open roles at Rapid7 here.
We have been continuously monitoring for Spring4Shell exploit attempts in our environment and have been urgently investigating the implications for our corporate and production systems. We are actively remediating vulnerabilities as we find them and monitoring for any anomalous activity in our environment.
We will update this page as we learn more. At this time, customers do not need to take any action.
Further reading and recommendations
Our Emergent Threat Response team has put together a detailed blog post with general guidance about how to mitigate and remediate Spring4Shell. We will continue updating that post as we learn more about Spring4Shell and new remediation and mitigation approaches.
NEVER MISS A BLOG
Get the latest stories, expertise, and news about security today.
In this episode of Security Nation, Jen and Tod chat with David Rogers, CEO at Copper Horse Ltd., about the Product Security and Telecommunications Infrastructure (PSTI) bill, a new piece of IoT security legislation in the UK. He runs through the new regulations that the bill includes for manufacturers of connected smart devices – including everything from home products to health devices – and details all the many steps it takes to get legislation like this signed into law.
Stick around for our Rapid Rundown, where Tod and Jen talk about the latest edition of Rapid7’s Vulnerability Intelligence Report, which covers all the need-to-know vulnerabilities from 2021, a year that began with SolarWinds and ended with Log4j (i.e. a VERY busy year for this sort of thing).
David is a mobile phone and IoT security specialist who runs Copper Horse Ltd, a software and security company based in Windsor, UK. His company is currently focusing on product security for the Internet of Things, as well as future automotive cybersecurity.
David chairs the Fraud and Security Group at the GSMA and sits on the Executive Board of the Internet of Things Security Foundation. He authored the UK’s Code of Practice for Consumer IoT Security, in collaboration with UK government and industry colleagues, and is a member of the UK’s Telecoms Supply Chain Diversification Advisory Council.
He has worked in the mobile industry for over 20 years in security and engineering roles. Prior to this, he worked in the semiconductor industry. David holds an MSc in Software Engineering from the University of Oxford and an HND in Mechatronics from the University of Teesside. He lectured in Mobile Systems Security at the University of Oxford from 2012 to 2019 and served as a Visiting Professor in Cyber Security and Digital Forensics at York St John University.
He was awarded an MBE for services to Cyber Security in the Queen’s Birthday Honours 2019.
Listen to Caitlin Condon, lead author of the report, on Duo’s Decipher podcast.
Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.
Want More Inspiring Stories From the Security Community?
It’s with immense pleasure that we announce today the winners of the Rapid7 Partner of the Year Awards 2022. All our category winners have achieved exceptional growth, demonstrating dedication and collaboration to the Rapid7 Partner Program throughout the year.
We’re very proud to share our complete list of winners. Please join us in congratulating them all.
Rapid7 APAC Partner of the Year: Cythera Pty Ltd
APAC Distributor of the Year: Netpoleon Solutions Pte Ltd
APAC Emerging Partner of the Year: Murdoch Webster Technology Group Pty Ltd
APAC Fastest Growth Partner of the Year: Blue Apache Information Systems
APAC Best Customer Retention of the Year: Content Security Pty Ltd
APAC Detection & Response Partner of the Year: DGplex Pty Ltd
APAC Vulnerability Management Partner of the Year: The Missing Link
EMEA Partner of the Year: Softcat Plc
EMEA Distributor of the Year: Infinigate Deutschland GmbH
EMEA Emerging Partner of the Year: Telonic GmbH
EMEA Fastest Growth Partner of the Year: Caretower Limited
EMEA Best Customer Retention of the Year: Saepio Solutions Ltd
EMEA MSSP Partner of the Year: Tesorion
EMEA Detection & Response Partner of the Year: Orange CyberDefense
EMEA Threat Intelligence Partner of the Year: Sorint.SEC
EMEA Vulnerability Management Partner of the Year: Tieto
North America Awards
Rapid7 North America Partner of the Year: SHI International Corp.
North America Distribution Partner of the Year: Liquid PC
North America Emerging Partner of the Year: AccessIT Group, Inc.
“We are pleased to be recognized as North America Emerging Partner of the Year, and we value our evolving partnership with Rapid7,” said Bob Reilly, Vice President of Sales at AccessIT Group. “Rapid7 is a great partner that allows us to deliver shared visibility, analytics, and automation to unite our customers’ security, IT, and DevOps teams.”
North America Fastest Growth Partner of the Year: CDW Corporation
North America Best Customer Retention of the Year: Carahsoft Technology Corp.
“We are pleased to be recognized as the 2022 North America Best Customer Retention Partner,” said Alex Whitworth, Sales Director, who leads the Rapid7 Team at Carahsoft. “Carahsoft and our reseller partners enable customers to unlock more value from their Rapid7 investments through our proactive customer onboarding, nurture, and support process. We combine dedicated Rapid7 expertise, customer success technology and automation, and a constant communication approach to build valuable relationships with customers. We thank Rapid7 and our reseller partners for this amazing award.”
North America MSSP Partner of the Year: RKON Technologies
“RKON is honored and grateful to receive the MSSP of the Year for North America award from Rapid7. This award is a testament that the RKON and Rapid7 teams’ shared vision, strong working partnership, and endless determination have been fruitful in driving aggressive growth and adding value to our client’s security programs.”
– Chris Hueneke, Chief Information Security Officer at RKON Technologies
North America Detection & Response Partner of the Year: CyberWatch Systems
North America Threat Intelligence Partner of the Year: Deepwatch, Inc.
North America Vulnerability Management Partner of the Year: GuidePoint Security LLC
North America AppSec Partner of the Year: GuidePoint Security LLC
North America Cloud Security Partner of the Year: SHI International Corp.
Rapid7 Canadian Partner of the Year: Forecight
“This is a big honor for our entire team, who supported the company to attain its overwhelming success over the past few years. Our mutual achievements are truly a testament to our partnership and our ability to work together to give our clients the best cybersecurity solutions. We look forward to continuing our robust and fruitful partnership with Rapid7.”
– Arezou Marzara, LL.M., Director, Strategy & Operations at Forecight
Congratulations again to all our winners!
More about our partner program
The Rapid7 PACT Program is built to inspire our partners to grow with us and achieve mutual success through accountability, consistency, and transparency. By participating in the program, partners can offer powerful, industry-leading solutions to our joint customers, resulting in mutual success for all. If you’re interested in becoming a Rapid7 partner, you can learn more here.
During Women’s History Month, we invited some of our team members to share their best advice for other women in technology, celebrate their strengths, and reflect on how they’ve challenged convention within their roles and built their networks.
What is the best advice that someone has given you in your career?
Nino Nardize, Director, Technical Customer Success: One piece of advice that resonated with me early on was that you have to be comfortable making decisions with only 80% of the information available. That stuck with me because I think, as women, sometimes we feel we need to have all of the information, be 100% qualified for a role, or be able to achieve perfection. In reality, things don’t always work out that way. I’ve found it’s important to ask ourselves, “Have we done our best to gather the right information in relation to this decision?” Even if that means we still have things outstanding, that’s OK. We have to be comfortable with taking risks and feeling good about moving forward with what we have in front of us.
Jane Man, Director, Product Management – VRM: The most important advice I got early on was to be open and always look for opportunities to grow. If you are at a point in your career where you think to yourself, “I’ve got this,” and you know exactly what you are doing every day, you probably aren’t being challenged enough. This perspective has always pushed me to look for areas where I don’t feel comfortable and to seek out areas to grow my career — and myself as a person.
Jessica Reinne, Account Executive, Large: As a sales executive, the best advice I received was that buying is emotional, and people buy products most often from people they trust and have a relationship with. I’ve found firsthand that once you establish that rapport, people will want to engage with you and either communicate what they need in order to move forward or — just as valuable — tell you why they aren’t moving forward or why something isn’t actually working. When you have that open dialogue, you can really be a better partner to them, versus trying to sell them something they aren’t bought into.
Noreen Camelo, VP Enterprise Applications: One piece of advice I heard was to be brave, be brilliant, but be brief. I think this is important because sometimes we can get caught up in explaining our ideas or spend too much time setting the stage. As you progress in your career and are working with executives, it’s important that your key message comes across very clearly, as everyone is pressed for time. Be brave and speak up when you see opportunities, be brilliant and always keep challenging convention, but be brief and make sure to get your thoughts across in a succinct way.
Sarah Sidford, Manager, Commercial Sales: In life, and especially for women, it sometimes can feel like you’re trying to juggle a bunch of different balls in the air. You have your career as one ball, your travel plans as another, your family as another, your social life, and so on. It’s important to remember that most of those balls are rubber: if you drop them, they will bounce right back and be OK. But family and health are two that are glass — and you can never, ever drop them. Keeping perspective about what’s really important, with a focus on family and health being most important, can help you prioritize and know when you need to let go of another one of those rubber balls.
Paola Chadwell, VP, Customer Success Management: Always advocate for yourself — especially when negotiating your salary. I think, as women, we hesitate to ask for more because we’re afraid we will lose the offer that’s already on the table. In reality, the worst someone can say is no, or maybe they don’t go as high as you ask but are able to meet you in the middle somewhere. I’ve negotiated every salary throughout my career, and I think it’s helped me to own my voice and advocate for my worth.
Turning that around, what advice would you give to women who are early in their career and looking to challenge convention?
Jane Man: I would say to be confident in your own voice. At the end of the day, the goal is to create a better solution and work more effectively, and that means that when you have something to add, it’s your responsibility to speak up and you shouldn’t be afraid to do that — because it makes all of us better and stronger.
Paola Chadwell: When I was younger, I moved around a lot. The process of putting myself out there and making friends throughout childhood has translated into my ability to build strong relationships in my career. I’m in customer success, so I have to not only build strong relationships with our customers, but I also have to be able to build internal and cross-functional relationships so that I can be a better advocate for our customers’ needs and deliver the right solutions for them.
Nino Nardize: In the workplace, there are a number of different ways that each individual can contribute at a given time. Whether it’s in meetings or through a one-to-one conversation, each person’s ability to influence others can be a little bit different. Find where you are most comfortable and can create impact in a meaningful way and lean into that — don’t fight it to be something you are not.
How are you challenging convention in your role at Rapid7?
Sarah Sidford: I think one way that I challenge convention is that I am very vocal about the need to hire more women in sales. There are still so many double standards for women in sales — we might describe a male as being assertive and have a positive association with that behavior, but when a woman is assertive, we’re quick to judge her as being pushy. The more we can prioritize diversifying our teams, the more we can start to challenge these stereotypes. I think a lot of times, people hire people who remind them of themselves — so if we have more men in leadership positions doing the hiring, how does it hurt those efforts if they are carrying that internal bias? I’m working closely with our talent acquisition team to really change the traditional landscape of sales and prioritize bringing a more balanced workforce into the field.
Jessica Rennie: I’m someone who is really open-minded and willing to try new things. One example is that when I joined the company, I saw an opportunity and went out on a limb to create a new program. At first, it can be challenging to get something like this that is new up and running, but we were able to create this network of give and get with our prospects that has ultimately benefited our business and our sales organization. It was great to be able to formulate a vision and strategy and be supported along the way by my manager and peers.
Nino Nardize: I challenge convention by encouraging different perspectives. Diversity of thought and experiences is a crucial component to any team. I can only be one voice, and my voice is reflective of my own personal journey. Whenever we are having a crucial conversation, we need to have the representation of multiple perspectives in order to make educated decisions. Asking ourselves, “What else are we missing? Are there too many voices from one business group and not enough from another?” can lead to a better decision and product in the end.
What strengths do you believe your identity and personal experiences bring to your role?
Jane Man: I come from an immigrant family. My parents immigrated from the big city of Hong Kong to the tiny island nation of New Zealand. Through my experiences, I’ve become interested in what makes people think a certain way, and I often find myself asking questions that dig into what we are doing and the purpose or “why” behind it. That natural curiosity is something that comes from being part of that small island community.
Jessica Reinne: I didn’t come from a cybersecurity background prior to Rapid7, but I was in the startup world. Some of the places I worked earlier in my career were so new that on some days the heat didn’t even work or the lights wouldn’t turn on — so I experienced the early growth grind that happens in the technology world where you have this pressure to prove yourself and everyone’s work has such a direct impact on the company. I developed almost this chip on my shoulder where I really want to push myself and always have that grit and determination. Doing it at Rapid7, where we are so established and have not only a great team and product but great amenities and support systems, really just puts it on a whole new level.
Noreen Camelo: I bring a lot of optimism to my team, and I think some of that comes from my past roles and being able to put things into perspective. Earlier in my career I worked in Oncology, so there was a lot of pressure around our decisions because of the impact it had on patients’ lives. When we feel stressed out or a task seems too big for us to tackle, I try to help my team keep things in perspective so they can prioritize, while encouraging them to find creative solutions. I really do believe that there is no challenge we cannot solve as long as we are willing to take the right amount of time and work together.
It’s often said that an important part of being successful is building a supportive network around you. How have you built your own personal network, and how has it helped you be successful?
Paola Chadwell: I think, first off, women sometimes have a tendency to look at other women as competition rather than allies. That’s not a mindset I ever want to have or that I want to encourage people to challenge, because we all have so much to add and to contribute to one another. I’ve been so lucky to have been surrounded by such strong and powerful women at Rapid7 and at previous companies. I’ve been mentored by them and have also been able to be a mentor to them at times. The beautiful thing about building a network and having a mentor is that it becomes a two-way street. We have so much to learn from one another and can really help each other grow.
Noreen Camelo: I’ve built my network through the different roles and companies I’ve been at. It’s been a proactive experience of reaching out and staying in touch, and the result is a diverse network of people to lean on where we can all give guidance to each other at different points. What I’ve experienced is that your network is a huge part of advancing your career, as well as rounding you out as the leader you are.
Sarah Sidford: I’m grateful to have been able to create such a great network of women around me. In sales, it’s important to have relationships where you can be honest about what you’re going through and can talk about when you are having a hard day or when things are also going well. As women, we don’t want to share our struggles and appear weak, but then at the same time, you don’t want to celebrate or you will be seen as braggadocious — so you need to have a safe space to share that vulnerability and the highs and the lows, especially when it’s people who have also been through it and who can share their experiences with you, too. Whether it’s asking about what to wear to a client onsite or working through a unique challenge with a customer, having that safe space can help you feel so much more prepared and empowered. As a leader, that’s the kind of space I want to create with my team.
Want to join our team? We’re hiring! Browse our open roles at Rapid7 here.
In this episode of Security Nation, Jen and Tod chat with Bob Lord, recently the Chief Security Officer for the Democratic National Committee, about the unique challenges of overseeing cybersecurity at a high-profile political entity. Bob talks about becoming the Marie Kondo of cybersecurity, the importance of people and process, and getting peers and leaders alike to buy into major habit changes designed to improve security.
Stick around for our Rapid Rundown, where Tod and Jen talk about a recent academic paper on influencer VPN ads on YouTube and its implications for how laypeople learn about security.
Bob Lord most recently served as the first Chief Security Officer at the Democratic National Committee. In that role he worked to secure the Committee, as well as helping state parties and campaigns with their security programs. Previous roles include CISO at Yahoo, CISO in Residence at Rapid7, and before that he headed up Twitter’s information security program as its first security hire. You can see some of his hobbies at https://www.ilord.com.
Welcome back to 7Rapid Questions, our blog series where we hear about the great work happening at Rapid7 from the people who are doing it across our global offices. For this installment, we sat down with Maria Loughrey, Commercial Sales Manager for the UK and Ireland at our Reading, UK office.
What did you want to be when you grew up?
After a brief stint of wanting to go to America to study law at Harvard (thank you, “Legally Blonde”), I ended up studying psychology and wanted to become a forensic psychologist.
So, how did you end up in cybersecurity?
I was approached by a recruitment partner of Rapid7, which prompted me to research what cybersecurity was all about. I found that not only is it a super interesting topic, but people are really passionate about it. It was evident how much Rapid7 cared about their customers’ security and, in turn, how much customers respected them as a vendor. It took a bit of a leap of faith to step away from my career plan and start working for a company I knew very little about, but I’m so glad I did!
What has your career journey been like at Rapid7?
Since the aforementioned leap of faith, Rapid7 haven’t stopped putting their faith in me in return. I started in the business development team and then got promoted into a sales overlay role supporting the Account Executive team. I’ve been in sales ever since — starting with SMB customers, then mid-market accounts, and more recently covering the Enterprise market in the UK.
Last year, I became a team lead alongside my Enterprise AE role, and then at the beginning of this year, I was promoted into a management position to support the Commercial Sales team. The support and belief I have received from Rapid7 and my management team over the last 8 years have been truly humbling.
What has been your proudest moment?
It was bittersweet moving into a management position this year, as it meant not working directly with customers as much, but when I introduced new team members who would be stepping into my role, so many customers had such lovely things to say and let me know that I’d be missed. It’s amazing to hear that you’ve had such a positive impact.
What is a fun fact some people might not know about you?
I have a very mild form of Tourette syndrome, which causes people to have “tics.”
Which of Rapid7’s core values do you embody the most?
Bring You. This is SUCH a difficult question, but I chose Bring You because not only do I strive to be my most authentic self at work, but I also think it’s incredibly important for everyone to bring their own perspectives and style. Businesses thrive on diversity of mindset. Without this, creativity becomes stagnant and growth slows. So, Bring You.
What three words would you use to describe the culture at Rapid7?
Understanding, inclusive, genuine.
Want to join Maria and her team? We’re hiring! Browse our open roles at Rapid7 here.